Change log for CITRIX_NETSCALER

Date Changes
2024-02-23 Enhancement:
- Updated Grok pattern to parse hostname as expected in the UDM field.
2024-01-25 Enhancement:
- Added Grok patterns to parse logs where "message_type" is "Message", "NONHTTP_RESOURCEACCESS_DENIED", "UDPFLOWSTAT", and "EXTRACTED_GROUPS".
- Added support to parse logs where "feature" is "GUI" and "EVENT".
- Mapped "principal_port" to "principal.port".
- Mapped "ClientIP" to "principal.asset.ip".
- Mapped "principal_ip" to "principal.ip" and "principal.asset.ip".
- Mapped "target_ip" to "target.ip" and "target.asset.ip".
- Mapped "target_port" to "target.port".
- Mapped "description" to "metadata.description".
- Mapped "type", "aaa_trans_id", "pcb_trans_id", "pcb_state", "pcb_label", "trans_id", "authPolicyLen", "login_attempts", "PromptLen", "partitionLen", "cmdPolicyLen", and "ssh_pubkey_len" to "security_result.detection_fields".
- Mapped "principal_hostname" to "principal.hostname" and "principal.asset.hostname".
- Mapped "hostname" to "intermediary.asset.hostname".
- Mapped "hostname" to "observer.asset.hostname".
- Mapped "cip", "ServerIP", "VIP", "VserverServiceIP", and "Remote_ip" to "target.asset.ip".
- When "message_type" is "Message", then mapped "User" to "principal.user.userid".
- When "principal_ip" and "target_ip" are present, then set "metadata.event_type" to "NETWORK_CONNECTION".
- When "Client_ip" and "target_ip" are present, then set "metadata.event_type" to "NETWORK_CONNECTION".
- When "message_type" is "NONHTTP_RESOURCEACCESS_DENIED" or "UDPFLOWSTAT", then set "metadata.event_type" to "USER_STATS".
- When "message_type" is "Message" and "User" is present, then set "metadata.event_type" to "USER_UNCATEGORIZED".
- When "principal_ip" is present, then set "metadata.event_type" to "STATUS_UPDATE".
2023-11-26 Enhancement:
- Added Grok patterns to parse logs where "message_type" is "Message".
2023-07-21 Enhancement:
- Updated the parser to correctly parse logs where "feature" is 'CLI'.
2022-09-26 Enhancement:
- Migrated custom parsers to default parser.
2022-06-09 Enhancement:
- Added requested mappings.
- Mapped 'startTime', 'endTime', and 'Duration' to 'security_result.detection_fields'.
- Updated the parser to parse logs where "message_type" is 'CHANNEL_UPDATE', 'NETWORK_UPDATE', or 'AAATM Message'.
2022-05-09 Bug-fix:
- Updated the parser to correctly parse logs where "message_type" is 'TCPCONNSTAT'.
- Updated the Grok pattern to include the full domain name in 'principal.administrative_domain'.
- Parsed the logs failing during Validation API testing.
2022-04-27 Enhancement:
- Added requested mappings.
- Mapped the intermediary.hostname field.
- Parsed API failed logs.