Change log for CITRIX_NETSCALER

Date Changes
2024-11-21 Enhancement:
- Added support to parse new format of syslog logs.
2024-11-07 Enhancement:
- Mapped "SubjectName" to null.
- Added support to parse logs where "message_type" is "REMOVE_SESSION_DEBUG".
- Mapped "Errmsg" to "metadata.description".
- Mapped "Sessionid" to "network.session_id".
- Mapped "User" to "principal.user.userid".
- Mapped "Client_ip" to "principal.ip" and "principal.asset.ip".
- Mapped "Vserver_ip" to "target.ip" and "target.asset.ip".
2024-10-15 Enhancement:
- When "message_type" is equal to "LOGIN" then mapped "user_name" and "user" to "target.user.userid".
- When "message_type" is equal to "LOGIN_FAILED" then mapped "User" to "principal.user.userid".
2024-10-11 Enhancement:
- Added "gsub" to parse the unparsed syslogs.
2024-09-25 Enhancement:
- Added support to parse the new format of unparsed syslogs.
2024-09-05 Enhancement:
- Mapped "VserverServiceIP" field to "target.ip" UDM field.
- Mapped "VserverServicePort" field to "target.port" UDM field.
- Mapped "ClientVersion" field to "network.tls.version_protocol" UDM field.
- Mapped "CipherSuite" field to "network.tls.cipher" UDM field.
2024-08-14 Enhancement:
- Added a Grok pattern to extract "hostname" and mapped it to "intermediary.hostname".
- Added a Grok pattern to extract "userid" and added conditional checks before mapping it to "target.user.userid".
2024-08-12 Enhancement:
- Added a Grok pattern to extract "userid" and mapped it to "principal.user.userid".
- Added a Grok pattern to extract "principal_ip" and mapped it to "principal.ip".
- Added a Grok pattern to extract "target_ip" and mapped it to "target.ip".
- Added a Grok pattern to extract "principal_hostname" and mapped it to "principal.hostname".
- Added a Grok pattern to extract "target_hostname" and mapped it to "target.hostname".
- Modified the Grok pattern to parse "Authentication details", "userid" and "error message".
- Mapped "Authentication details" to "security_result.description", "userid" to "principal.user.userid", and "error message" to "security_result.detection_fields".
2024-07-02 Enhancement:
- Modified a Grok pattern to parse dropped logs.
- Mapped the "Client_IP" to "additional.fields".
2024-05-21 Enhancement:
- Modified a Grok pattern to parse dropped logs.
2024-05-20 Enhancement:
- Added new Grok pattern to parse unparsed logs.
2024-05-08 Enhancement:
- Updated mapping of the duration information from "security_results" to "network.session_duration".
2024-04-29 Enhancement:
- Added conditional check for "Browser_type" and mapped it to "network.http.parsed_user_agent".
- Added conditional check for "userId" and "user_email".
- Mapped "Browser" to "network.http.parsed_user_agent".
2024-02-23 Enhancement:
- Updated Grok pattern to parse hostname as expected in the UDM field.
2024-01-25 Enhancement:
- Added new Grok patterns to parse logs where "message_type" is "Message", "NONHTTP_RESOURCEACCESS_DENIED", "UDPFLOWSTAT", and "EXTRACTED_GROUPS".
- Added support to parse logs where "feature" is "GUI" and "EVENT".
- Mapped "principal_port" to "principal.port".
- Mapped "ClientIP" to "principal.asset.ip".
- Mapped "principal_ip" to "principal.ip" and "principal.asset.ip".
- Mapped "target_ip" to "target.ip" and "target.asset.ip".
- Mapped "target_port" to "target.port".
- Mapped "description" to "metadata.description".
- Mapped "type", "aaa_trans_id", "pcb_trans_id", "pcb_state", "pcb_label", "trans_id", "authPolicyLen", "login_attempts", "PromptLen", "partitionLen", "cmdPolicyLen", and "ssh_pubkey_len" to "security_result.detection_fields".
- Mapped "principal_hostname" to "principal.hostname" and "principal.asset.hostname".
- Mapped "hostname" to "intermediary.asset.hostname".
- Mapped "hostname" to "observer.asset.hostname".
- Mapped "cip", "ServerIP", "VIP", "VserverServiceIP", and "Remote_ip" to "target.asset.ip".
- When "message_type" is "Message", then mapped "User" to "principal.user.userid".
- When "principal_ip" and "target_ip" are both present, then set "metadata.event_type" to "NETWORK_CONNECTION".
- When "Client_ip" and "target_ip" are both present, then set "metadata.event_type" to "NETWORK_CONNECTION".
- When "message_type" is "NONHTTP_RESOURCEACCESS_DENIED" or "UDPFLOWSTAT", then set "metadata.event_type" to "USER_STATS".
- When "message_type" is "Message" and "User" is present, then set "metadata.event_type" to "USER_UNCATEGORIZED".
- When "principal_ip" is present, then set "metadata.event_type" to "STATUS_UPDATE".
2023-11-26 Enhancement:
- Added new Grok patterns to parse logs where "message_type" is "Message".
2023-07-21 Enhancement:
- Updated the parser to correctly parse logs where "feature" is "CLI".
2022-09-26 Enhancement:
- Migrated custom parsers to the default parser.
2022-06-09 Enhancement:
- Mapped "startTime", "endTime", and "Duration" to "security_result.detection_fields".
- Updated the parser to parse logs where "message_type" is "CHANNEL_UPDATE", "NETWORK_UPDATE", or "AAATM Message".
2022-05-09 Bug fix:
- Updated the parser to correctly parse logs where "message_type" is "TCPCONNSTAT".
- Updated the Grok pattern to include the full domain name in "principal.administrative_domain".
- Parsed the logs that failed during Validation API testing.
2022-04-27 Enhancement:
- Mapped the "intermediary.hostname" field.
- Parsed the logs that failed during API testing.