Change log for OSSEC

Date Changes
2024-04-24 Added support for "ossec-testrule" and "ossec-analysisd" application logs that have no "event_source" path.
2024-02-14 Updated UDM mapping of the "logName" and "protoPayload.response.selfLinkWithId" raw log fields.
2023-11-29 Aligned 'principal/target.hostname' and 'principal/target.asset.hostname' mapping.
2023-06-14 Updated the parser to include "parse_network_http_user_agent", which uses the "Parsed User Agent" and "User Agent" fields.
2022-09-28 Migrated the parser to the default parser.
Below are the field mapping differences:
1. For event source /var/log/syslog:
- Updated the mapping for command_line from src.process.command_line to principal.process.command_line.
- Updated the mapping for pid from src.process.pid to principal.process.pid.
2. For event source /var/log/apache2/error.log:
- Updated the mapping for pid from target.process.pid to target.process.parent_process.pid.
- Updated the mapping for tid from target.resource.product_object_id to target.process.pid.
3. For event source /var/log/nginx/access.log:
- Updated the mapping for path from target.url to principal.resource.name.
4. For event source /var/log/nginx/error.log:
- Updated the mapping for resource_name from target.url to principal.resource.name.
5. For event source /var/ossec/logs/ossec.log:
- Updated the mapping for hostname from principal.hostname to target.hostname.
6. For event source /var/log/auth.log:
- Updated the mapping for description from metadata.description to security_result.description.
7. For event source /var/log/audit.log:
- Removed the conditional stanza that mapped metadata.event_type to USER_UNCATEGORIZED when principal.ip is not present for type USER_ACCT.
- Removed the conditional stanza that mapped metadata.event_type to USER_RESOURCE_ACCESS when principal.ip is not present for types SERVICE_START and SERVICE_STOP.
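As an added example (not part of the OSSEC parser or of the Google SecOps product), the following Python moves an event's values from the pre-migration UDM paths to the new paths listed above, so stored events or rule test fixtures written against the old mapping can be compared with what the default parser now emits. The path pairs are taken from the list; the helper functions, their names and the sample event are constructed here and are not from the page.

```python
from copy import deepcopy

# (old_path, new_path) per event source, as in the change log; apache2 order matters (pid moves first).
FIELD_RENAMES = {
    "/var/log/syslog": [("src.process.command_line", "principal.process.command_line"),
                        ("src.process.pid", "principal.process.pid")],
    "/var/log/apache2/error.log": [("target.process.pid", "target.process.parent_process.pid"),
                                   ("target.resource.product_object_id", "target.process.pid")],
    "/var/log/nginx/access.log": [("target.url", "principal.resource.name")],
    "/var/log/nginx/error.log": [("target.url", "principal.resource.name")],
    "/var/ossec/logs/ossec.log": [("principal.hostname", "target.hostname")],
    "/var/log/auth.log": [("metadata.description", "security_result.description")],
}

# Constructed sample: an apache2 error.log event as the pre-migration parser laid it out.
SAMPLE_OLD_EVENT = {"metadata": {"event_type": "GENERIC_EVENT"},
                    "target": {"process": {"pid": "1234"}, "resource": {"product_object_id": "77"}}}

def _pop_path(obj, path):
    """Remove and return the value at a dotted UDM path, or None if it is absent."""
    *parents, leaf = path.split(".")
    node = obj
    for part in parents:
        node = node.get(part, {})  # missing parent: fall through to an empty object
    return node.pop(leaf, None)

def _set_path(obj, path, value):
    """Create intermediate objects as needed and store value at the dotted path."""
    *parents, leaf = path.split(".")
    node = obj
    for part in parents:
        node = node.setdefault(part, {})
    node[leaf] = value

def _prune(node):
    """Drop objects emptied by the moves so the result looks like a fresh parse."""
    if not isinstance(node, dict):
        return node
    pruned = {key: _prune(val) for key, val in node.items()}
    return {key: val for key, val in pruned.items() if val != {}}

def remap_udm_event(event, event_source):
    """Copy event, moving each old path to its new path; unknown sources pass through."""
    out = deepcopy(event)
    for old_path, new_path in FIELD_RENAMES.get(event_source, []):
        value = _pop_path(out, old_path)
        if value is not None:
            _set_path(out, new_path, value)
    return _prune(out)
```

The audit.log changes are not covered: they removed conditional event_type overrides rather than renaming a field, so there is no path pair to move.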