Change log for CISCO_SWITCH
Date | Changes |
---|---|
2024-11-27 | Enhancement:
- Added new Grok patterns to parse failing syslog logs. - Mapped "username3" to "principal.user.userid". - Mapped "login_status" to "security_result.summary". |
2024-11-20 | Enhancement:
- Added support for new pattern of SYSLOG logs. |
2024-11-06 | Enhancement:
- Mapped "ecs.version" to "metadata.product_version". - Mapped "fileset.name", "flow.locality", "flow.id", "input.type", "netflow.exporter.source_id", and "netflow.exporter.uptime_millis" to "additional.fields". - Mapped "network.transport" to "network.ip_protocol". - Mapped "netflow.post_nat_source_ipv4_address" to "principal.ip". - Mapped "netflow.source_transport_port" to "principal.port". - Mapped "network.direction" to "network.direction". |
2024-10-22 | Enhancement:
- Added a Grok pattern to parse unparsed logs. - Mapped "intermediary_ip" to "intermediary.ip" - Mapped "intermediary_hostname" to "intermediary.hostname" |
2024-10-03 | Enhancement:
- Added support for new pattern of SYSLOG logs. |
2024-09-24 | Enhancement:
- Added support for a new format of syslog logs. |
2024-08-26 | Enhancement:
- When "principal_host" is empty, then only mapped "device" to "principal.hostname". |
2024-07-01 | Enhancement:
- Added a Grok pattern to parse valid dropped logs with a new pattern. - In addition, added a Grok pattern to retrieve "target_ip" from the "header_data" field. |
2024-05-29 | Enhancement:
- Added a Grok pattern to parse valid dropped logs with a new pattern. - Added a Grok pattern to retrieve "principal_host" from the field "header_data". - Added a Grok pattern to retrieve "destination_ip", "src_mac", and "hostname" from the field "description". - Mapped "principal_host" to "principal.hostname". - Mapped "src_mac" to "principal.mac". - Mapped "eventSummary" to "metadata.product_event_type". - Mapped "description" to "security_result.description". - Mapped "error_msg" to "security_result.detection_fields". |
2024-05-22 | Enhancement:
- Added a Grok pattern to retrieve hostname. |
2024-05-08 | Enhancement:
- Added a Grok pattern to support uparsed SYSLOG format logs. - Mapped "pid" to "principal.process.pid". - Mapped "srcPort" to "principal.port". - Mapped "device_ip" to "principal.ip" and "principal.asset.ip". - Mapped "srcUser" to "principal.user.userid". - Mapped "username1" to "target.user.userid". - Mapped "command" to "target.process.command_line". - Mapped "PWD" to "target.process.file.full_path". - Mapped "host_name" to principal.hostname" and "principal.asset.hostname". - Mapped "node_id", "cluster_id", "exception", "UniqueId", and "app_id" to "additional.fields". |
2023-12-08 | Enhancement:
- Added support for the new pattern of SYSLOG logs and Key-Value logs. - Mapped "DEVICE" to "principal.mac". - Mapped "SRC" to "principal.ip". - Mapped "SPT" to "principal.port". - Mapped "DST" to "target.ip". - Mapped "DPT" to "target.port". - Mapped "ID" to "network.session_id". - Mapped "LEN" to "network.session_duration.seconds". - Mapped "PROTO" to "network.ip_protocol". - Mapped "IN", "OUT", "PHYSIN", "WINDOW", "RES, "TOS", "PREC", "TTL" ,"URGP", "MAC", "radio", "vap", "auth_type", "sugg_band", "ssid_id", "ssid_profile_name" and "protocol" to "additional.fields". - Mapped "client_mac" to "principal.mac". - Mapped "aid" to "network.session_id". - Mapped "rssi" to "intermediary.asset.product_object_id". - Mapped "channel" to "security_result.detection_fields". |
2023-11-05 | Enhancement:
- Modified and added new Grok patterns to parse failing syslog logs. - Added KV filter to parse KV logs. - Mapped "eventSummary", "dhcp_ip", "client_mac", "aid" and "ip_src" to "metadata.product_event_type", "target.ip", "network.dhcp.chaddr", "network.session_id" and "principal.ip", respectively. - Mapped "mac", "src", "sport", "dst", "dport", "action", "protocol", "url" and "signature" to "principal.mac", "principal.ip", "principal.port", "target.ip", "target.port", "security_result.action", "network.ip_protocol", "principal.url" and "additional.fields, respectively. - For eventSummary "splash_auth" mapped "metadata.event_type" and "extensions.auth.type" to "USER_LOGIN" and "MACHINE", respectively. - For eventSummary "association" mapped "eventSummary", "aid", "rssi", "channel", "last_known_client_ip" and "event_type" to "security_result.summary", "network.session_id", "intermediary.asset.product_object_id", "security_result.detection_fields", "principal.ip" and "STATUS_UPDATE", respectively. |
2023-04-27 | Enhancement:
- Reduced generic percentage. - Removed unnecessary Grok patterns. - Added Grok pattern to parse syslog logs. - Added conditional check for "source_ip", "destination_ip". - If "source_ip" and "destination_ip" is present then map "event_type" to "NETWORK_CONNECTION". - If "source_ip" is present and "destination_ip" is not present then map "event_type" to "STATUS_UPDATE". - Mapped "pid" to "target.process.pid". - Mapped "app_name" to "target.application". |
2023-03-24 | Customer Issue:
- Added Grok pattern and mapping for logs where message types are either "FILECPY", "REJECT", "CONNECT", or "DISCONNECT". |
2023-01-24 | Enhancement:
- Modified Grok patterns to support logs having timezone. - Mapped 'ip_address' to 'principal.ip'. - When "mnemonic" is "NBR_RESET" and ip_address is present , then "metadata.event_type" is set as "STATUS_UPDATE". |
2022-07-21 | Enhancement - Added grok pattern and enhanced the parser to parse the logs that were getting dropped (logs without "% - Mapped 'hostname' to 'principal.hostname' - Mapped 'source_ip' to 'principal.ip' - Mapped 'destination_ip' to 'target.ip' - Mapped 'ip_protocol' to 'network.ip_protocol'. - Mapped 'summary' to 'security_result.summary'. - Mapped 'header_data' to 'metadata.product_log_id'. |