Change log for CISCO_IOS

Date Changes
2025-06-23
- Modified Grok pattern to parse additional information like `process_name` and `pid` from a new format of syslog logs.
- Modified variable name of IP address coming in the header from `source_facility` to `device_os` to map it to `event.idm.read_only_udm.additional.fields` UDM field instead of `event.idm.read_only_udm.principal.hostname` and `event.idm.read_only_udm.principal.asset.hostname` UDM fields. This is done because the value `CISCO-IOS-XR` is the name of a device OS and not a hostname.
- event.idm.read_only_udm.additional.fields: Newly mapped `device_os` and `device_component` log fields with `event.idm.read_only_udm.additional.fields` UDM field.
- Added gsub and a date pattern to parse `event.idm.read_only_udm.metadata.event_timestamp` UDM field.
- Modified variable name of IP address coming in the header from `src_ip` to `inter_host` to map it to `event.idm.read_only_udm.intermediary.ip` UDM field instead of `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM fields. This is done because IP address/hostname data in the header belongs to the `intermediary` UDM field instead of the `principal` UDM field.
2025-05-29 Bug-Fix:
- event.idm.read_only_udm.intermediary.ip, event.idm.read_only_udm.intermediary.asset.ip: Removed mapping of `target_ip` from `event.idm.read_only_udm.intermediary.ip` and `event.idm.read_only_udm.intermediary.asset.ip` UDM fields and mapped `target_host` instead.
- event.idm.read_only_udm.security_result.action: Newly mapped `sec_action` raw log field with `event.idm.read_only_udm.security_result.action` UDM field.
  - If `sec_action` is `denied`, then set to `BLOCK`.
  - If `sec_action` is `permitted`, then set to `ALLOW`.
- event.idm.read_only_udm.network.sent_bytes: Newly mapped `session_packet` raw log field with `event.idm.read_only_udm.network.sent_bytes` UDM field.
- Added support to parse a new format of syslog logs.
- event.idm.read_only_udm.additional.fields: Newly mapped `missed_packets` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
2025-05-14 Enhancement:
- Added support to handle timezones like `SGT`, `JST`, `HKG`, and `CN` for `event.idm.read_only_udm.metadata.event_timestamp` UDM field mapping by including timezone.
2025-05-08 Enhancement:
- event.idm.read_only_udm.security_result.severity: Removed mapping of "ALERT" from "event.idm.read_only_udm.security_result.severity" UDM field and mapped "LOW" instead.
2025-04-29 Enhancement:
- event.idm.read_only_udm.intermediary.hostname: Removed mapping of `inter_host`, `target_host`, `intermediary_host` from `event.idm.read_only_udm.intermediary.hostname` UDM field when `inter_host`, `target_host`, `intermediary_host` are valid IPs.
- event.idm.read_only_udm.intermediary.ip: Mapped `inter_host`, `target_host`, `intermediary_host` raw log fields with `event.idm.read_only_udm.intermediary.ip` UDM field when `inter_host`, `target_host`, `intermediary_host` are valid IPs.
- Added a Grok pattern to parse a new format of syslog logs.
- event.idm.read_only_udm.principal.hostname: Removed mapping of `source_facility` from `event.idm.read_only_udm.principal.hostname` UDM field by modifying Grok pattern.
- event.idm.read_only_udm.intermediary.hostname: Mapped `inter_host` raw log field with `event.idm.read_only_udm.intermediary.hostname` UDM field by modifying Grok pattern.
2025-04-24 Enhancement:
- Added support to handle `event.idm.read_only_udm.metadata.event_timestamp` UDM field mapping by including timezone.
2025-04-10 Enhancement:
- Added Grok patterns to parse a new format of SYSLOG logs.
- event.idm.read_only_udm.metadata.event_timestamp: Added a new date pattern to map "ts" to "event.idm.read_only_udm.metadata.event_timestamp" UDM field.
2025-03-18 Enhancement:
- Added a grok pattern to parse a new format of syslog logs.
2025-03-17 Enhancement:
- Added a grok pattern to extract user name and source port from the cisco_message field.
- Mapped the extracted user name to principal.user.userid.
- Based on existing mapping src_port will be mapped to principal.port.
2025-03-14 Enhancement:
- Added grok patterns to parse a new format of syslog logs.
2025-03-12 Enhancement:
- Added Grok patterns to parse new format of logs.
- Mapped "tls_cipher" to "network.tls.cipher".
- Mapped "tls_client" to "network.tls.client.supported_ciphers".
- Mapped "Chassis_data" to "additional.fields".
- Mapped "timezone" to "additional.fields".
- Mapped "cisco_message" to "network.application_protocol".
2025-03-11 Enhancement:
- Added new Grok patterns to parse new format of syslogs.
- Matched "date_time" to "ISO8601".
- Mapped "metadata.event_type" to "USER_LOGIN" and "USER_LOGOUT" for successful authentication and logout events, respectively.
- Mapped "extensions.auth.type" to "AUTHTYPE_UNSPECIFIED".
2025-03-04 Enhancement:
- Added support for a new format of (SYSLOG + KV) logs.
- Mapped "type" to "metadata.product_event_type".
- Mapped "client_mac" to "principal.mac" and "principal.asset.mac".
- Mapped "sequence_id", "vap", "band", "channel", "rssi", "aid" and "radio" to "additional.fields".
2025-02-11 Enhancement:
- Added support for a new syslog log format.
2025-01-23 Enhancement:
- Added support for a new syslog log format.
2025-01-02 Enhancement:
- Added support for a new syslog log format.
2024-12-27 Enhancement:
- Added support for a new syslog log format.
2024-11-25 Enhancement:
- Added a Grok pattern to parse new logs.
- Mapped hostname in syslog header to "intermediary.hostname" from "target.hostname".
2024-11-19 Enhancement:
- Added support for a new format of syslog logs.
2024-10-28 Enhancement:
- Added a Grok pattern to parse new logs.
2024-10-24 Enhancement:
- Added a Grok pattern to parse new logs.
2024-10-01 Enhancement:
- Added a Grok pattern to parse new logs.
2024-07-04 Enhancement:
- Added support for a new pattern of syslog logs.
2024-04-02 Enhancement:
- Added a new Grok pattern to parse new log type.
- Mapped the new fields to corresponding UDM fields.
2023-10-04 Enhancement:
- Added a new Grok pattern to parse new log type.
- Mapped "source_facility" to "principal.hostname".
2023-08-11 Enhancement:
- Mapped "intermediary.ip" when message contains "HOST=".
- Mapped "principal.user.userid" when message contains "User:".
- Mapped "principal.process.command_line" when message contains "command:".
- Mapped "target.user.userid" when message contains "username".
- Mapped "metadata.event_type" to a more specific "metadata.event_type".