Change log for OCI_AUDIT
| Date | Changes |
|---|---|
| 2025-10-28 | Enhancement:<br>- `event.idm.read_only_udm.metadata.description`: Newly mapped `column3` raw log field to the `event.idm.read_only_udm.metadata.description` UDM field.<br>- `event.idm.read_only_udm.principal.hostname`, `event.idm.read_only_udm.principal.asset.hostname`: Added a Grok pattern to support mapping of the newly mapped `column2` raw log field to the `event.idm.read_only_udm.principal.hostname` and `event.idm.read_only_udm.principal.asset.hostname` UDM fields.<br>- `event.idm.read_only_udm.target.user.email_addresses`: Newly mapped `column2` raw log field to the `event.idm.read_only_udm.target.user.email_addresses` UDM field.<br>- `event.idm.read_only_udm.principal.ip`: Newly mapped `column6` raw log field to the `event.idm.read_only_udm.principal.ip` UDM field.<br>- `event.idm.read_only_udm.principal.asset.ip`: Newly mapped `column6` raw log field to the `event.idm.read_only_udm.principal.asset.ip` UDM field.<br>- `event.idm.read_only_udm.security_result.action`: Newly mapped static value `ALLOW` to the `event.idm.read_only_udm.security_result.action` UDM field.<br>- `event.idm.read_only_udm.extensions.auth.type`: Newly mapped static value `AUTHTYPE_UNSPECIFIED` to the `event.idm.read_only_udm.extensions.auth.type` UDM field.<br>- `event.idm.read_only_udm.metadata.product_name`: Newly mapped static value `OCI_AUDIT` to the `event.idm.read_only_udm.metadata.product_name` UDM field.<br>- `event.idm.read_only_udm.metadata.vendor_name`: Newly mapped static value `Oracle` to the `event.idm.read_only_udm.metadata.vendor_name` UDM field.<br>- `event.idm.read_only_udm.metadata.event_type`: If `column3` is `login successful`, set to `USER_LOGIN`.<br>- `event.idm.read_only_udm.metadata.event_type` is otherwise conditionally set to `STATUS_UPDATE` or `GENERIC_EVENT` based on the presence of principal information.<br>- The existing JSON parsing logic is now enclosed in an `else` block to handle logs that are not pipe-separated. |
| 2025-03-21 | Enhancement:<br>- Mapped "data.backendAddr" to "target.ip", "target.asset.ip", and "target.port".<br>- Mapped "data.clientAddr" to "principal.ip", "principal.asset.ip", and "principal.port".<br>- Mapped "data.forwardedForAddr" to "principal.ip" and "principal.asset.ip".<br>- Mapped "data.host" to "principal.hostname" and "principal.asset.hostname".<br>- Mapped "data.backendConnectTime", "data.backendProcessingTime", "data.listenerName", "data.requestProcessingTime", "data.routingRulesEngineErrors", "data.routingRulesMatchedRule", "data.routingRulesRuleHits", "oracle.loggroupid", "oracle.logid", "oracle.resourceid", "source", and "data.routingRulesRuleMisses" to "additional.fields".<br>- Mapped "data.backendStatusCode" to "network.http.response_code".<br>- Mapped "data.receivedBytes" to "network.received_bytes".<br>- Mapped "data.sentBytes" to "network.sent_bytes".<br>- Mapped "data.sslCipher" to "network.tls.cipher".<br>- Mapped "data.sslProtocol" to "network.tls.version".<br>- Mapped "data.userAgent" to "network.http.user_agent". |
| 2025-01-30 | Enhancement:<br>- Added support for a new pattern of JSON logs. |
| 2024-11-22 | Enhancement:<br>- Mapped "data.request.headers.oci-original-url.0" to "principal.url".<br>- Mapped "originalConnection.destinationIp" to "target.ip" and "target.asset.ip".<br>- Mapped "originalConnection.destinationPort" to "target.port".<br>- Mapped "originalConnection.sourcePort" to "principal.port".<br>- Mapped "originalConnection.protocol" to "network.application_protocol". |
| 2024-10-24 | Enhancement:<br>- Added support to handle JSON logs. |
| 2024-06-14 | Enhancement:<br>- If "has_principal_user", "has_target_user", or "has_target" is "true", then set "metadata.event_type" to "USER_UNCATEGORIZED". |
| 2023-09-29 | Bug-Fix:<br>- Added a Grok pattern before mapping "data.identity.ipAddress" to UDM fields.<br>- Mapped "ip1" to "principal.ip".<br>- Mapped "ip2" to "principal.ip". |
| 2023-05-23 | Newly created parser. |
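The 2025-10-28 entry describes two branches (pipe-separated lines and the existing JSON path) plus a conditional `event_type`. The following is an added Python model of that logic for testing detection assumptions; it is not the parser's own code, and the sample lines, the hostname regex standing in for the Grok pattern, the `ip:port` form of `data.clientAddr`, and the layout of columns other than 2, 3 and 6 are assumptions.

```python
import json
import re
from typing import Any, Dict

# Assumed stand-in for the Grok pattern that decides whether column2 is a hostname.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?(?:\.[A-Za-z0-9-]+)+$")


def _set(udm: Dict[str, Any], path: str, value: Any) -> None:
    """Assign a dotted UDM path such as 'principal.asset.ip'."""
    node = udm
    parts = path.split(".")
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value


def map_oci_audit(raw: str) -> Dict[str, Any]:
    """Map one raw OCI_AUDIT log line to a minimal UDM dict."""
    udm: Dict[str, Any] = {}
    _set(udm, "metadata.product_name", "OCI_AUDIT")
    _set(udm, "metadata.vendor_name", "Oracle")
    if "|" in raw:  # pipe-separated branch (a JSON log containing '|' would be misrouted)
        cols = raw.split("|")
        col = lambda n: cols[n - 1].strip() if len(cols) >= n else ""  # changelog uses 1-based names
        description = col(3)
        if description:
            _set(udm, "metadata.description", description)
        if "@" in col(2):
            _set(udm, "target.user.email_addresses", [col(2)])
        elif HOSTNAME_RE.match(col(2)):
            _set(udm, "principal.hostname", col(2))
            _set(udm, "principal.asset.hostname", col(2))
        if col(6):
            _set(udm, "principal.ip", [col(6)])
            _set(udm, "principal.asset.ip", [col(6)])
        _set(udm, "security_result", [{"action": ["ALLOW"]}])
        _set(udm, "extensions.auth.type", "AUTHTYPE_UNSPECIFIED")
        if description.lower() == "login successful":
            event_type = "USER_LOGIN"
        else:  # depends on whether any principal information was populated
            event_type = "STATUS_UPDATE" if "principal" in udm else "GENERIC_EVENT"
        _set(udm, "metadata.event_type", event_type)
    else:  # existing JSON path; only the 2025-03-21 clientAddr/userAgent mappings shown
        data = json.loads(raw).get("data", {})
        if "clientAddr" in data:
            ip, _, port = str(data["clientAddr"]).rpartition(":")
            _set(udm, "principal.ip", [ip or port])
            _set(udm, "principal.asset.ip", [ip or port])
            if ip and port.isdigit():
                _set(udm, "principal.port", int(port))
        if "userAgent" in data:
            _set(udm, "network.http.user_agent", data["userAgent"])
        _set(udm, "metadata.event_type", "GENERIC_EVENT")
    return udm
```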