<html lang="en">
<body>
	<p>
	<b>[OOTB] Linux auditd syslog for KUMA 3.2. Version 3</b><br>
  	Change log:
		<ul>
			<li>Extra normalizer "Message parsing" was changed. A new regular expression has been added.</li>
			<li>Extra normalizer "Audittools part" was changed. A new field mapping has been added. The field "path" has been mapped to the "S.saddr_path" KUMA field.</li>
			<li>Extra normalizer "Audittools part" was changed. A new field mapping has been added. The field "saddr_fam" has been mapped to the "S.saddr_fam" KUMA field.</li>
			<li>Extra normalizer "Audittools part" was changed. A new field mapping has been added. The field "obj" has been mapped to the "SA.TargetSELinuxContext" KUMA field.</li>
			<li>Extra normalizer "CRED|USER|CRYPTO|SERVICE msg" was changed. A new field mapping has been added. The field "cmd" has been mapped to the "FlexString1" KUMA field.</li>
			<li>Extra normalizer "Audittools" was changed. A mutation with the replaceWithRegexp function was added. The value matching "(SADDR=\{)\s([^\}]+)\s(\})" is replaced with " $2".</li>
		</ul>
	</p>
  
 <p>
 <b>[OOTB] Linux auditd syslog for KUMA 3.2. Version 2</b><br>
  	Change log:
	<ul>
		<li>Extra normalizer "CRED|USER|CRYPTO|SERVICE msg" was changed. The mapping of event field "acct" was changed from the KUMA field "SourceUserName" to the KUMA field "DeviceCustomString1".</li>
		<li>Extra normalizer "CRED|USER|CRYPTO|SERVICE msg" was changed. A new field mapping has been added. The field "unit" has been mapped to the "DestinationServiceName" KUMA field.</li>
		<li>Extra normalizer "Audittools part" was changed. A new field mapping has been added. The field "} type" has been mapped to the "SA.RecordType" KUMA field.</li>
		<li>Extra normalizer "Audittools part" was changed. A mutation with the replace function was added. The value "proctitle=" is replaced with " |proctitle=".</li>
		<li>Extra normalizer "Audittools part" was changed. A new field mapping has been added. The field "|proctitle" has been mapped to the "DeviceCustomString5" KUMA field.</li>
	</ul>
 </p>
 
 <p>
 <b>[OOTB] Linux auditd syslog for KUMA 3.2. Version 1</b><br>
  	Change log:
	<ul>
		<li>Event enrichment with the constant "auditd" was added to the KUMA field DeviceProduct in the main normalizer.</li>
		<li>In the extra normalizer "Audittools", the mapping of event field "syscallArg" to the KUMA field DeviceCustomString5 was removed.</li>
		<li>Mapping was changed in the extra normalizer "Audittools part". Event field "proctitle" was remapped from the KUMA field "DeviceAction" to the KUMA field "DeviceCustomString5". Event field "pid" was remapped from the KUMA field "SourceProcessID" to the KUMA field "DestinationProcessID".</li>
		<li>Mapping was changed in the extra normalizer "CRED|USER|CRYPTO|SERVICE". Event field "SourceProcessID" was remapped from the KUMA field "SourceProcessID" to the KUMA field "DestinationProcessID". Event field "auid" was remapped from the KUMA field "SourceUserName" to the KUMA field "SourceUserID". Event field "uid" was remapped from the KUMA field "SourceUserID" to the KUMA field "DestinationUserID".</li>
		<li>Mapping was changed in the extra normalizer "Message parsing". Event field "auditId" was mapped from the KUMA field "DeviceProcessID".</li>
		<li>New mappings were added in the extra normalizer "Audittools part". Event field "ppid" was mapped to the KUMA field "SourceProcessID". Event field "GID" was mapped to the extended data model field "S.GID". Event field "EUID" was mapped to the extended data model field "S.EUID". Event field "SUID" was mapped to the extended data model field "S.SUID". Event field "SGID" was mapped to the extended data model field "S.SGID". Event field "AUID" was mapped to the KUMA field "SourceUserName". Event field "UID" was mapped to the KUMA field "DestinationUserName". Event field "euid" was mapped to the extended data model field "S.euid". Event field "auid" was remapped from the KUMA field "DestinationUserID" to the KUMA field "SourceUserID". Event field "uid" was remapped from the KUMA field "SourceUserID" to the KUMA field "DestinationUserID".</li>
		<li>A new mutation was added for the "msg" field in the extra normalizer "Message parsing". The "GS" symbol is replaced with a space character.</li>
		<li>In the extra normalizer "Audittools part", a new event enrichment was added. The "\x00" symbol is replaced with a space character in the data of the KUMA field "DeviceCustomString5".</li>
		<li>In the extra normalizer "Audittools", a new event enrichment was added. Two consecutive space characters are replaced with one space character in the data of the KUMA field "DeviceCustomString6".</li>
		<li>Mapping was changed in the extra normalizer "extranormalizer pam_". Event field "euid" was remapped from the field "DeviceCustomString3" to the extended data model field "S.euid".</li>
		<li>New mappings were added in the extra normalizer "CRED|USER|CRYPTO|SERVICE msg". Event field "AUID" was mapped to the KUMA field "SourceUserName". Event field "UID" was mapped to the KUMA field "DestinationUserName".</li>
		<li>In the extra normalizer "CRED|USER|CRYPTO|SERVICE msg", a new event enrichment was added. The "'" symbol is replaced with an empty string in the data of the KUMA field "EventOutcome". The first " character is replaced with an empty string in the data of the KUMA field "EventOutcome".</li>
		<li>In the extra normalizer "Audittools part", event enrichment was changed. The text "yes" in the KUMA field "EventOutcome" is now replaced with the text "success" instead of "Successful". The text "no" in the KUMA field "EventOutcome" is now replaced with the text "failed" instead of "Failed".</li>
	</ul>
 </p>

</body>
</html>