Added support for additional event codes: 106015, 106021, 111009, 302021, 322004, 609001, 609002, 710003, 733100, 746015, 751002, 752003, 752016

Improved timestamp parsing to handle more date formats

Enhanced session categorization by adding "session" to event.category for ICMP connections

Updated parser version to 3.3.0

Updated parser version to 4.1.0

Added support for event codes 106103, 111010, 11300*, 11301*, 317077, 402119, 602101,602303, 602304, 746014, 805002, 805003

Enhanced AAA event parsing with improved user, server, and client address extraction

Improved conditional logic for event type assignment based on message content

Fixed duplicate event code handling for 805002 and 805003

Fixed regex patterns for user and server address extraction in AAA events

Updated parser version to 4.0.0

Added support for multiple syslog header formats including FTD and legacy NGIPS/Sourcefire devices

Added enhanced timestamp parsing with findTimestamp() function for improved date handling

Added message field populated from vendor message content

Added intelligent client/server role detection based on event type, protocol, and port analysis

Added role reversal logic to handle server-initiated connections and reverse proxy scenarios

Added IP address validation using CIDR checks to filter invalid addresses

Added domain field support for non-IP addresses across source, destination, client, and server fields

Added conditional field mappings for network protocols including SIP and DNS

Added DNS record type normalization to standard values (A, AAAA, PTR, MX, CNAME)

Added TLS certificate hash mapping to tls.client.hash.sha1

Added conditional filtering for unknown TLS versions and cipher suites

Added enhanced event categorization with automatic event.type:connection for network tuples

Added array deduplication for event.category[] and event.type[] fields

Changed primary address fields to use source.address and destination.address with IP/domain separation

Changed event outcome logic for connection teardown events based on teardown reason analysis

Changed connection directionality detection to use interface context (inside/outside/DMZ)

Changed user group field to user.group.name for ECS consistency

Changed field coalescing logic to prioritize existing values over vendor-specific fields

Consolidated lowercase operations for address and domain fields

Consolidated interface alias and name field mappings

Fixed field extraction patterns across multiple event types for improved accuracy

Fixed MAC address formatting to use hyphen separators

Fixed source/destination mapping in connection teardown events using interface-based logic

Removed redundant event.type:connection entries from individual event handlers

Updated parser version to 3.3.6

Enhanced key-value parsing for events 430001-430007 to better handle UserAgent field extraction

Improved regex pattern to handle complex field values with commas and special characters

Updated ECS version to 9.2.0

Updated parser version to 3.3.5

Added message field assignment from Vendor.message

Removed timezone parameter from timestamp parsing functions to use system default timezone handling

Updated parser version to 3.3.4

Updated parser version to 3.3.3

Fixed field name from http.response.code to http.response.status_code in event code 607002 for proper ECS compliance

Updated parser version to 3.3.2

Enhanced regex pattern for event code 106015 to better capture flags field with multiple values

Updated CPS version to 1.1.0

Enhanced regex patterns for improved log parsing accuracy

Added support for user domain and username extraction in connection events

Improved multi-event code parsing for SSL VPN events (725001-9, 12, 13, 16, 21, 22)

Added event.outcome field for configuration and connection info events

Enhanced parsing for Group/User/IP patterns in VPN connection logs

Moved syslog severity code mapping to end of parser for better performance

Fixed regex pattern for hop failure messages to handle interface names with spaces

Updated field assignment syntax from rename() to direct assignment

Fixed regex pattern for teardown connections to handle optional fields

Improved lower() function usage for better performance

Fixed regex pattern for session disconnection duration to handle complex duration formats

Improved regex pattern for inbound TCP connections to handle probe connections

Enhanced regex pattern for teardown connections to handle optional fields

Adds additional support to parser logs with event ID 106023, 302013, 302014, 302015, 302016, 302020

Expands event.type for logs with event ID 109201, 109207, 109210

Adds additional support to parser logs with rule 607002

The old parser firepower-syslog is now officially removed from the Cisco Firepower package

Improved array declaration within the parser

Bumps the Parser.version to 3.0.0 and ecs.version to 8.16.0

Improves the field extraction and performance

Removes the event.code field as it does not conform to CPS standard

Further normalisation to ECS fields; observer.ingress.vlan.name , observer.egress.vlan.name , rule.ruleset , rule.category , user_agent.name , user_agent.original , user_agent.version , network.application , http.response.status_code , http.request.referrer

Vendor.AccessControlRuleAction

Vendor.AccessControlRuleAction

Vendor.AccessControlRuleName

Vendor.AccessControlRuleReason

Vendor.ArchiveFileName

Vendor.DNSQuery

Vendor.DNSResponseType

Vendor.DNS_TTL

Vendor.DeviceUUID

Vendor.DstIP

Vendor.DstPort

Vendor.EgressInterface

Vendor.EgressZone

Vendor.EventPriority

Vendor.FileName

Vendor.FirstPacketSecond

Vendor.IngressInterface

Vendor.IngressZone

Vendor.InitiatorBytes

Vendor.InitiatorPackets

Vendor.InstanceID

Vendor.NAT_InitiatorIP

Vendor.NAT_InitiatorPort

Vendor.NAT_ResponderIP

Vendor.NAT_ResponderPort

Vendor.ResponderBytes

Vendor.ResponderPackets

Vendor.SSLCertificate

Vendor.SSLCipherSuite

Vendor.SSLServerName

Vendor.SSLVersion

Vendor.SrcIP

Vendor.SrcPort

Vendor.URL

Vendor.User

Vendor.mnemonic

Sets the dns.answers as an array.

Bug fix: Updates the field name from file.sha256 to file.hash.sha256 to better align with CPS standard.

Corrects a typo in the value of event.outcome field from sucess to success

Exludes the empty fields when parsing events with kvParse() function.

Improves the field extraction and performance.

Sets the event.category , event.type and the event.outcome fields based on the source security event ids.

Adds observer.type , network.protocol , network.transport , event.reason , event.action fields and more.

Now the ClassName and ClassDefintion fields are set without referring to the lookup file.

Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

Fix issue with trailing newlines when ingesting over UDP

Adds new event.module and Cps.version fields

Removes the Product field

Sets following tags: Cps.version , Vendor , ecs.version , event.dataset , event.kind , event.module , event.outcome , observer.type

Extracts optional priority field from the syslog header

Removed the Vendor.key keyspace and flattened it to Vendor.

Enables key-value extraction when fields names contain spaces or underscores

Added normalized fields: rule.name , event.action , network.transport , network.protocol , url.*

Fixed source.ip , source.address , destination.ip and destination.address field extraction