Change log for ORACLE_DB

Date Changes
2025-12-29 Enhancement:
- "event.idm.read_only_udm.metadata.product_event_type": Newly mapped "action_name" raw log field with "event.idm.read_only_udm.metadata.product_event_type" UDM field.
- "event.idm.read_only_udm.security_result.action_details": Removed "action_name" field mapping from "event.idm.read_only_udm.security_result.action_details".
- "event.idm.read_only_udm.security_result.action_details": Newly mapped "action_det" field with "event.idm.read_only_udm.security_result.action_details" UDM field.
- An intermediate field "action_det" is now conditionally populated with the value of the "ACTION" field.
2025-12-08 Enhancement:
- event.idm.read_only_udm.principal.process.pid: Newly mapped os_process raw log field with event.idm.read_only_udm.principal.process.pid UDM field.
- event.idm.read_only_udm.network.session_id: Newly mapped sessionid raw log field with event.idm.read_only_udm.network.session_id UDM field.
- event.idm.read_only_udm.principal.user.userid: Newly mapped username raw log field with event.idm.read_only_udm.principal.user.userid UDM field.
- event.idm.read_only_udm.target.hostname: Newly mapped db_host raw log field with event.idm.read_only_udm.target.hostname UDM field.
- event.idm.read_only_udm.target.asset.hostname: Newly mapped db_host raw log field with event.idm.read_only_udm.target.asset.hostname UDM field.
- event.idm.read_only_udm.principal.user.user_display_name: Newly mapped os_username raw log field with event.idm.read_only_udm.principal.user.user_display_name UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped rls_info, current_user, logoff_lread, obj_edition_name, logoff_lwrite, obj_privilege, logoff_pread, global_uid, session_cpu, ses_actions, logoff_time, logoff_dlock, extended_timestamp, audit_option, admin_option, owner, new_owner, new_name, sql_text, comment_text, timestamp raw log field(s) with event.idm.read_only_udm.additional.fields UDM field.
- event.idm.read_only_udm.target.resource.attribute.labels: Newly mapped econtext_id, sql_bind, grantee, scn, instance_number, statementid raw log field(s) with event.idm.read_only_udm.target.resource.attribute.labels UDM field.
- event.idm.read_only_udm.principal.resource.attribute.labels: Newly mapped instance_name raw log field with event.idm.read_only_udm.principal.resource.attribute.labels UDM field.
- event.idm.read_only_udm.security_result.detection_fields: Newly mapped action, proxy_sessionid, sys_privilege raw log field(s) with event.idm.read_only_udm.security_result.detection_fields UDM field.
- event.idm.read_only_udm.principal.process.command_line: Newly mapped terminal raw log field with event.idm.read_only_udm.principal.process.command_line UDM field.
- A new grok pattern was added to parse a new key-value log format.
- Added logic to set has_target_user to true based on the presence of t_hostname or client_id.
- Added logic to dynamically process and add a set of fields to event.idm.read_only_udm.additional.fields using a for-each loop construct.
- Added on_error for sys_privilege, priv_used, transactionid, scn, instance_number, statementid, userhost, obj_name, terminal, sessionid, client_id, rls_info, current_user, entryid, db_host, os_username, action, econtext_id, os_process, sql_bind, username, instance_name, proxy_sessionid, grantee, obj_edition_name, logoff_lread, logoff_lwrite, logoff_pread, global_uid, session_cpu, ses_actions, logoff_time, logoff_dlock, extended_timestamp, audit_option, admin_option, owner, new_owner, new_name, sql_text, comment_text, timestamp.
- Added conditional check for sys_privilege, priv_used, transactionid, scn, instance_number, statementid, userhost, obj_name, terminal, sessionid, client_id, rls_info, current_user, entryid, db_host, os_username, action, econtext_id, os_process, sql_bind, username, instance_name, proxy_sessionid, grantee.
- Updated conditional logic for the RETURNCODE field to include 0.0 in the success condition.
2025-11-11 Enhancement:
- Added support for a new key-value format for logs starting with "SESSIONID:", including pre-processing the raw log with gsub transformations before parsing with the kv filter.
- 'event.idm.read_only_udm.principal.process.command_line': Mapped 'TERMINAL' raw log field with 'event.idm.read_only_udm.principal.process.command_line' UDM field.
2025-10-15 Enhancement:
- Added a new grok pattern to support a new syslog format from Oracle Unified Audit.
- Enhanced the date filter to support the additional timestamp format.
- 'event.idm.read_only_udm.principal.process.pid': Newly mapped 'pid' raw log field with 'event.idm.read_only_udm.principal.process.pid' UDM field.
2025-08-20 Enhancement:
- event.idm.read_only_udm.metadata.collected_timestamp: Newly mapped ingestionTime raw log field with event.idm.read_only_udm.metadata.collected_timestamp UDM field.
- event.idm.read_only_udm.metadata.event_timestamp: Newly mapped Extended_Timestamp raw log field with event.idm.read_only_udm.metadata.event_timestamp UDM field.
- event.idm.read_only_udm.metadata.product_event_type: Newly mapped log_type raw log field with event.idm.read_only_udm.metadata.product_event_type UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped Audit_Type, DB_User, EntryId, eventId, Ext_Name, logStreamName, OSPrivilege, Sql_Text, StatementId raw log field(s) with event.idm.read_only_udm.additional.fields UDM field.
- event.idm.read_only_udm.principal.user.userid: Newly mapped Current_User raw log field with event.idm.read_only_udm.principal.user.userid UDM field.
- event.idm.read_only_udm.principal.hostname: Newly mapped Userhost raw log field with event.idm.read_only_udm.principal.hostname UDM field.
- event.idm.read_only_udm.principal.asset.hostname: Newly mapped Userhost raw log field with event.idm.read_only_udm.principal.asset.hostname UDM field.
- event.idm.read_only_udm.principal.ip: Newly mapped Userhost raw log field with event.idm.read_only_udm.principal.ip UDM field.
- event.idm.read_only_udm.principal.asset.ip: Newly mapped Userhost raw log field with event.idm.read_only_udm.principal.asset.ip UDM field.
- event.idm.read_only_udm.principal.process.pid: Newly mapped OS_Process raw log field with event.idm.read_only_udm.principal.process.pid UDM field.
- event.idm.read_only_udm.principal.process.command_line: Newly mapped Terminal raw log field with event.idm.read_only_udm.principal.process.command_line UDM field.
- event.idm.read_only_udm.src.user.userid: Newly mapped OS_User raw log field with event.idm.read_only_udm.src.user.userid UDM field.
- event.idm.read_only_udm.target.cloud.project.id: Newly mapped aws_account_id raw log field with event.idm.read_only_udm.target.cloud.project.id UDM field.
- event.idm.read_only_udm.target.cloud.availability_zone: Newly mapped aws_region raw log field with event.idm.read_only_udm.target.cloud.availability_zone UDM field.
- event.idm.read_only_udm.target.resource.name: Newly mapped log_group_name raw log field with event.idm.read_only_udm.target.resource.name UDM field.
- event.idm.read_only_udm.target.resource.attribute.labels: Newly mapped arn_log_group, Instance_Number raw log field(s) with event.idm.read_only_udm.target.resource.attribute.labels UDM field.
- event.idm.read_only_udm.security_result.summary: Newly mapped Returncode raw log field with event.idm.read_only_udm.security_result.summary UDM field.
- event.idm.read_only_udm.network.session_id: Newly mapped Session_Id raw log field with event.idm.read_only_udm.network.session_id UDM field.
2025-08-12 Enhancement:
- Added a grok pattern to parse `inter_ip` and `inter_port`.
- Added a conditional check for `kv_data2`.
- `event.idm.read_only_udm.intermediary.ip`: Newly mapped `inter_ip` raw log field with `event.idm.read_only_udm.intermediary.ip` UDM field.
- `event.idm.read_only_udm.intermediary.port`: Newly mapped `inter_port` raw log field with `event.idm.read_only_udm.intermediary.port` UDM field.
- `event.idm.read_only_udm.intermediary.hostname`: Newly mapped `HOST_ID` raw log field with `event.idm.read_only_udm.intermediary.hostname` UDM field.
- `event.idm.read_only_udm.security_result.detection_fields`: Newly mapped `SYS_PRIVILEGE` raw log field with `event.idm.read_only_udm.security_result.detection_fields` UDM field.
- `event.idm.read_only_udm.security_result.detection_fields`: Newly mapped `PRIV_USED` raw log field with `event.idm.read_only_udm.security_result.detection_fields` UDM field.
- `event.idm.read_only_udm.principal.process.pid`: Newly mapped `OS_PROCESS` raw log field with `event.idm.read_only_udm.principal.process.pid` UDM field.
- `event.idm.read_only_udm.security_result.detection_fields`: Newly mapped `TRANSACTIONID` raw log field with `event.idm.read_only_udm.security_result.detection_fields` UDM field.
- `event.idm.read_only_udm.target.resource.attribute.labels`: Newly mapped `SCN` raw log field with `event.idm.read_only_udm.target.resource.attribute.labels` UDM field.
- `event.idm.read_only_udm.target.resource.attribute.labels`: Newly mapped `INSTANCE_NUMBER` raw log field with `event.idm.read_only_udm.target.resource.attribute.labels` UDM field.
- `event.idm.read_only_udm.target.resource.attribute.labels`: Newly mapped `ENTRY_ID` raw log field with `event.idm.read_only_udm.target.resource.attribute.labels` UDM field.
- `event.idm.read_only_udm.target.resource.attribute.labels`: Newly mapped `STATEMENTID` raw log field with `event.idm.read_only_udm.target.resource.attribute.labels` UDM field.
2025-05-20 Enhancement:
- `event.idm.read_only_udm.intermediary_hostname`: Newly mapped `intermediary_hostname` raw log field with `event.idm.read_only_udm.intermediary_hostname` UDM field.
- Added a new grok pattern to parse logs that carry the `intermediary_hostname` raw log field.
2025-03-18 Enhancement:
- Added Grok pattern to parse SYSLOG logs.
- Mapped "org_id" and "comp_id" to "additional.fields".
- Mapped "host_addr" to "principal.ip" and "principal.asset.ip".
- Mapped "host_id" to "principal.hostname" and "principal.asset.hostname".
- Mapped "level" to "security_result.severity_details".
2025-02-12 Enhancement:
- Added date filter to support new pattern of syslog logs.
2025-01-15 Enhancement:
- Mapped "ID" to "metadata.event_timestamp".
2024-12-19 Enhancement:
- Added support for new pattern of syslog logs.
2024-12-12 Enhancement:
- Added "gsub" pattern to handle new format of KV logs.
- Added a new Grok pattern to handle new format of KV logs.
- Mapped "ORACLE_DB" to "metadata.log_type".
2024-10-25 Enhancement:
- If "ACTION" is "GRANT", then set "metadata.event_type" to "USER_RESOURCE_UPDATE_PERMISSIONS".
- If "ACTION" is "DROP" or "DELETE", then set "metadata.event_type" to "USER_RESOURCE_DELETION".
- If "ACTION" is "CREATE", then set "metadata.event_type" to "USER_RESOURCE_CREATION".
- If "ACTION" is "ALTER" or "INSERT", then set "metadata.event_type" to "USER_RESOURCE_UPDATE_CONTENT".
2024-09-25 Enhancement:
- Added support for new pattern of KV logs.
2024-07-24 Enhancement:
- Mapped "AUDIT_POLICY" as a single string to "additional.fields" instead of splitting it into multiple values.
2024-06-06 - Minor change in "principal.user.user_display_name".
2024-05-30 - Added support for Exadata fields.
2024-04-03 - Added support for some attributes which were not covered.
2023-10-25 Enhancement:
- Mapped "LENGTH", "LOGOFFDEAD", "LOGOFFLREAD", "LOGOFFLWRITE", "LOGOFFPREAD", "SESSIONCPU", "CLIENT_TERMINAL" to "target.resource.attribute.labels".
- Mapped "ACTION" to "security_result.summary".
- Set "security_result.description" to "Success" when "RETURNCODE" is 0 or "STATUS" is 0.
- Set "security_result.description" to "Failure" when "RETURNCODE" is either 1 or -1, or "STATUS" is either 1 or -1.
- Mapped "principal.ip" and "principal.port" from "CLIENT_ADDRESS".
2022-10-13 Enhancement:
- Added grok pattern to handle SYSLOG and KV logs.
2022-08-01 Enhancement: Added mappings for the following fields:
- "hostname" mapped to "principal.hostname".
- If "returncode" is "0", then "security_result.action" is mapped to "ALLOW"; if it is "-1", then it is mapped to "BLOCK".
- "ACTION" mapped to "metadata.product_event_type".
- "DATABASE USER" mapped to "principal.user.user_display_name".
- "PRIVILEGE" mapped to "principal.user.attribute.permissions".
- "CLIENT USER" mapped to "target.user.user_display_name".
- "file_name" mapped to "target.file.full_path".
- "event_name" mapped to "metadata.product_event_type".
- "ACTION_NUMBER" mapped to "event.idm.read_only_udm.additional.fields".
- "length" mapped to "event.idm.read_only_udm.additional.fields".
- "DBID" mapped to "metadata.product_log_id".