Enhanced parser with comprehensive ECS field mappings for all ZPA log types

Added support for app connector metrics logs

Improved field normalization with proper source/destination/client/server mappings

Enhanced network traffic analysis with ingress/egress byte tracking

Added comprehensive event categorization and outcome determination

Improved timestamp handling across all log types

Enhanced user and authentication event processing

Added proper host infrastructure monitoring fields

Improved security inspection rule mapping

Enhanced geographic location tracking for all components

Updated ECS version to 9.1.0

Removed timezone parameter from parseTimestamp function

Added support for private cloud controller status logs

Improved log type detection for logs without sourcetype field

Enhanced log format detection for various ZPA log types

Migrated from manual array element declaration (e.g. event.category[0] := "value") to use the array:append() function (e.g. array:append(array="event.category[]", values=["values"])). This ensures that manual array element declarations won't collide with each other.

Deprecation and removal of several legacy ZScaler Private Access parsers in favor of the unified zscaler-private-access parser, including:

Improves the field extraction and performance.

Moves all x509.* fields under the tls.client namespace to comply with ECS.

Bumps ecs.version to 8.16.0.

Adds support for parsing and processing logs in the default ZPA format.

Drops the observer.type field.

zscaler-zpa-app-connector-status-json

zscaler-zpa-app-protection-json

zscaler-zpa-audit-json

zscaler-zpa-browser-access-json

zscaler-zpa-user-activity-json

zscaler-zpa-user-status-json

are deprecated and all future changes will only go into the new zscaler-privateaccess parser. The new parser requires a change on the Zscaler side in the log format for Zscaler Private Access sources.

Follow the steps outlined below for the migration process:

Create new ingest token and associate it with the new zscaler-privateaccess parser

In the ZPA administration console:

Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

Improves the field extraction and performance.

Improves the field extraction and performance.

Sets the event.category, event.type and the event.outcome fields based on the source data.

Adds observer.type, package.version, server.bytes, event.action fields and more.

Adds new event.module and Cps.version fields

Removes the Product, related.user, related.hosts and related.ip fields

Sets following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type

Changes the parsers to normalise event data to common schema.

Removes dashboards from the package. To keep those, stay on the old version of the package.

Bumps the minimum supported version of LogScale from 1.20 to 1.82.