Change log for CISCO_SWITCH

Date Changes
2024-11-27 Enhancement:
- Added new Grok patterns to parse failing syslog logs.
- Mapped "username3" to "principal.user.userid".
- Mapped "login_status" to "security_result.summary".
2024-11-20 Enhancement:
- Added support for new pattern of SYSLOG logs.
2024-11-06 Enhancement:
- Mapped "ecs.version" to "metadata.product_version".
- Mapped "fileset.name", "flow.locality", "flow.id", "input.type", "netflow.exporter.source_id", and "netflow.exporter.uptime_millis" to "additional.fields".
- Mapped "network.transport" to "network.ip_protocol".
- Mapped "netflow.post_nat_source_ipv4_address" to "principal.ip".
- Mapped "netflow.source_transport_port" to "principal.port".
- Mapped "network.direction" to "network.direction".
2024-10-22 Enhancement:
- Added a Grok pattern to parse unparsed logs.
- Mapped "intermediary_ip" to "intermediary.ip".
- Mapped "intermediary_hostname" to "intermediary.hostname".
2024-10-03 Enhancement:
- Added support for new pattern of SYSLOG logs.
2024-09-24 Enhancement:
- Added support for a new format of syslog logs.
2024-08-26 Enhancement:
- Mapped "device" to "principal.hostname" only when "principal_host" is empty.
2024-07-01 Enhancement:
- Added a Grok pattern to parse valid dropped logs with a new pattern.
- In addition, added a Grok pattern to retrieve "target_ip" from the "header_data" field.
2024-05-29 Enhancement:
- Added a Grok pattern to parse valid dropped logs with a new pattern.
- Added a Grok pattern to retrieve "principal_host" from the field "header_data".
- Added a Grok pattern to retrieve "destination_ip", "src_mac", and "hostname" from the field "description".
- Mapped "principal_host" to "principal.hostname".
- Mapped "src_mac" to "principal.mac".
- Mapped "eventSummary" to "metadata.product_event_type".
- Mapped "description" to "security_result.description".
- Mapped "error_msg" to "security_result.detection_fields".
2024-05-22 Enhancement:
- Added a Grok pattern to retrieve hostname.
2024-05-08 Enhancement:
- Added a Grok pattern to support unparsed SYSLOG format logs.
- Mapped "pid" to "principal.process.pid".
- Mapped "srcPort" to "principal.port".
- Mapped "device_ip" to "principal.ip" and "principal.asset.ip".
- Mapped "srcUser" to "principal.user.userid".
- Mapped "username1" to "target.user.userid".
- Mapped "command" to "target.process.command_line".
- Mapped "PWD" to "target.process.file.full_path".
- Mapped "host_name" to "principal.hostname" and "principal.asset.hostname".
- Mapped "node_id", "cluster_id", "exception", "UniqueId", and "app_id" to "additional.fields".
2023-12-08 Enhancement:
- Added support for the new pattern of SYSLOG logs and Key-Value logs.
- Mapped "DEVICE" to "principal.mac".
- Mapped "SRC" to "principal.ip".
- Mapped "SPT" to "principal.port".
- Mapped "DST" to "target.ip".
- Mapped "DPT" to "target.port".
- Mapped "ID" to "network.session_id".
- Mapped "LEN" to "network.session_duration.seconds".
- Mapped "PROTO" to "network.ip_protocol".
- Mapped "IN", "OUT", "PHYSIN", "WINDOW", "RES", "TOS", "PREC", "TTL", "URGP", "MAC", "radio", "vap", "auth_type", "sugg_band", "ssid_id", "ssid_profile_name", and "protocol" to "additional.fields".
- Mapped "client_mac" to "principal.mac".
- Mapped "aid" to "network.session_id".
- Mapped "rssi" to "intermediary.asset.product_object_id".
- Mapped "channel" to "security_result.detection_fields".
2023-11-05 Enhancement:
- Modified and added new Grok patterns to parse failing syslog logs.
- Added KV filter to parse KV logs.
- Mapped "eventSummary", "dhcp_ip", "client_mac", "aid", and "ip_src" to "metadata.product_event_type", "target.ip", "network.dhcp.chaddr", "network.session_id", and "principal.ip", respectively.
- Mapped "mac", "src", "sport", "dst", "dport", "action", "protocol", "url", and "signature" to "principal.mac", "principal.ip", "principal.port", "target.ip", "target.port", "security_result.action", "network.ip_protocol", "principal.url", and "additional.fields", respectively.
- For eventSummary "splash_auth" mapped "metadata.event_type" and "extensions.auth.type" to "USER_LOGIN" and "MACHINE", respectively.
- For eventSummary "association" mapped "eventSummary", "aid", "rssi", "channel", "last_known_client_ip" and "event_type" to "security_result.summary", "network.session_id", "intermediary.asset.product_object_id", "security_result.detection_fields", "principal.ip" and "STATUS_UPDATE", respectively.
2023-04-27 Enhancement:
- Reduced generic percentage.
- Removed unnecessary Grok patterns.
- Added Grok pattern to parse syslog logs.
- Added a conditional check on "source_ip" and "destination_ip".
- If both "source_ip" and "destination_ip" are present, then "event_type" is mapped to "NETWORK_CONNECTION".
- If "source_ip" is present and "destination_ip" is not present, then "event_type" is mapped to "STATUS_UPDATE".
- Mapped "pid" to "target.process.pid".
- Mapped "app_name" to "target.application".
2023-03-24 Customer Issue:
- Added Grok pattern and mapping for logs where message types are either "FILECPY", "REJECT", "CONNECT", or "DISCONNECT".
2023-01-24 Enhancement:
- Modified Grok patterns to support logs having timezone.
- Mapped 'ip_address' to 'principal.ip'.
- When "mnemonic" is "NBR_RESET" and "ip_address" is present, then "metadata.event_type" is set to "STATUS_UPDATE".
2022-07-21 Enhancement:
- Added a Grok pattern and enhanced the parser to parse the logs that were getting dropped (logs without "%--").
- Mapped 'hostname' to 'principal.hostname'.
- Mapped 'source_ip' to 'principal.ip'.
- Mapped 'destination_ip' to 'target.ip'.
- Mapped 'ip_protocol' to 'network.ip_protocol'.
- Mapped 'summary' to 'security_result.summary'.
- Mapped 'header_data' to 'metadata.product_log_id'.