Change log for IBM_DATAPOWER
| Date | Changes |
|---|---|
| 2023-11-09 | Enhancement:
- Added new Grok patterns to parse the new type of unparsed logs. - Added new Grok patterns to parse "summary" from the log. - Mapped "principal_host" to "principal.hostname". - Changed the mapping of "user_id" from "principal.user.userid" to "target.user.userid". - For successful login events, "event_type" is mapped to "USER_LOGIN" and "security_result.action" to "ALLOW". - For failed login events, "event_type" is mapped to "USER_LOGIN" and "security_result.action" to "BLOCK". |
| 2023-10-18 | Enhancement:
- Added a Grok pattern to parse the unparsed failed user login logs. - Added a Grok pattern to parse the fields "ip" and "user_id" from the logs. - Mapped "user_id" to "principal.user.userid". - If a log contains the value "failed to log in" in the description: Set "metadata.event_type" to "USER_UNCATEGORIZED". Set "extensions.auth.type" to "AUTHTYPE_UNSPECIFIED". |
| 2022-12-26 | Enhancement:
- Added GROK pattern to parse the unparsed SYSLOG logs. - If log contains the Logged out and Logged fields, then "metadata.event_type" is set to either "USER_LOGOUT" or "USER_LOGIN". |
| 2022-06-30 | Enhancement:
- Added a Grok pattern for retrieving "src_ip". |
| 2022-06-10 | Enhancement - The newly ingested SYSLOG format logs have been handled and parsed..
- If Log contains any response code value such as 200, 201,203 are mapped to 'network.http.response_code'. - If Log contains application protocols such as HTTP, FTP etc, are mapped to 'network.application_protocol'. - If Target IP and Principal Hostname are not null then metadata.event_type mapped to 'NETWORK_UNCATEGORIZED'. - If Source Ip and Principal Hostname are not null then metadata.event_type mapped to 'STATUS_UPDATE'. |