Enhanced audit event processing by moving AUDIT parsing outside main case statement for better categorization

Improved authentication failure parsing with better regex patterns for usernames and client addresses

Added support for HTTP referrer field extraction in authentication events

Enhanced tmm event processing with HTTP status code handling and URL parsing

Fixed conditional logic for appname extraction in RFC 5424 syslog format

Added array deduplication for event.category and event.type fields

Updated LTM catchall to include msgid 0107 and removed redundant categorization

Improved kvParse operations with better separator handling and empty field exclusion

Updated to support RFC 5424 syslog format

Added checks to ensure IPs are valid prior to assignment

Improved parsing around login/logout events

Removed timezone parameter from timestamp parsing functions to use system default timezone handling

Updated ECS version to 9.1.0 and CPS version to 1.1.0

Enhanced audit log parsing to specifically extract cmd_data from Vendor.audit_info for complete command data capture

Added new test case for AUDIT log format with cmd_data field extraction

Enhanced SSH session handling with improved user extraction for login success and failure events

Improved audit log parsing with better key-value pair handling for complex field structures

Fixed regex patterns for SSH connection events to properly handle multiple connection scenarios

Added support for additional OS logger formats including TLS version and cipher information

Enhanced field coalescing for better data extraction from multiple potential sources

Added support for F5 ASM Bot Defense logs

Fixed array handling for host.ip and observer.ip fields

Improved event severity mapping based on Vendor.severity field

Fixed source.ip extraction in APM invalid host header detection

Enhanced event type categorization for APM non-existent session events

Added lowercase normalization for network.transport field

Fixed field mapping to use direct assignment instead of rename function for better performance

Fixed VLAN ID parsing in connection error and SSL handshake failure events

Added support for F5 BIG-IP logs in Splunk format (HTTP traffic, load balancer failures, DNS requests/responses)

Fixed IP address field mapping to correctly populate source.ip, destination.ip, and server.ip fields

Improved timestamp parsing to support additional formats

Enhanced key-value parsing with better handling of empty fields

Added support for F5 Advanced Firewall Module (AFM) logs

Improved ASM event categorization for better threat detection

Updated ECS version to 8.17.0

Updates initial regex to accept events without processid

Improves the field extraction and performance.

Update invalid values for event.type field to comply with ECS.

Bumps ecs.version to 8.16.0.

Now supports all BIG-IP events: ASM, APM, DNS, LTM as well as BIG-IP System and OS logs.

Improves CPS categorization and normalization.

Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

Adds new event.module and Cps.version fields

Removes the Product field

Sets following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type