Change log for OSSEC
| Date | Changes |
|---|---|
| 2024-04-24 | Added support of "ossec-testrule" and "ossec-analysisd" application logs not having "event_source" path. |
| 2024-02-14 | Updated UDM mapping of the "logName" and "protoPayload.response.selfLinkWithId" raw log fields. |
| 2023-11-29 | Aligned 'principal/target.hostname' and 'principal/target.asset.hostname' mapping. |
| 2023-06-14 | Updated the parser to include "parse_network_http_user_agent" to use "Parsed User Agent" and "User Agent". |
| 2022-09-28 | Migrated parser to default parser. Below are the field mapping differences: 1. For event source /var/log/syslog: - updated mappings for commad_line from src.process.command_line to principal.process.command_line. - updated mappings for pid from src.process.pid to principal.process.pid. 2. For event source /var/log/apache2/error.log: - updated mappings for pid from target.process.pid to target.process.parent_process.pid. - updated mappings for tid from target.resource.product_object_id to target.process.pid. 3. For event source /var/log/nginx/access.log: -updated mappings for path from target.url to principal.resource.name. 4. For event source /var/log/nginx/error.log: - updated mappings for resource_name from target.url to principal.resource.name. 5. For event source /var/ossec/logs/ossec.log: - updated mappings for hostname from principal.hostname to target.hostname. 6. For event source /var/log/auth.log: - updated mappings for description from metadata.description to security_result.description. 7. For event source /var/log/audit.log: - Removed conditional stanza to map metadata.event_type with USER_UNCATEGORIZED, if principal.ip is not present for type USER_ACCT. 8. For event source /var/log/audit.log: - Removed conditional stanza to map metadata.event_type with USER_RESOURCE_ACCESS, if principal.ip is not present for type SERVICE_START,SERVICE_STOP. |