New Features:
- Remote endpoint logging over network
- cmdReporter can now log directly to log aggregation servers
- Kafka remote endpoint logging (Public Beta)
- Logstash and REST API remote endpoint logging (Public Beta)
- Spool remote endpoint logs to a dedicated log file when the network is unavailable and retry delivery on an interval
- Process parent/child mapping fields in exec events. Each exec event now carries its own UUID (exec_chain_parent.uuid) and the pid/UUID of the process that spawned it (exec_chain_child), for example:
    "exec_chain_child": { "parent_pid": 1105, "parent_uuid": "82044823-FD77-4553-919A-58B368E106A5" }, "exec_chain_parent": { "uuid": "BABA5C42-2963-4F28-83A4-8C0DD7DFD96F" }
- Return and Arguments text fully parsed into field mappings
- Logic changed for <key>AuditEventExcludedProcesses</key> to match only the full path of the process; no regex interpretation
- Verbose events logging preference added to enable/disable cmdReporter's smart logging filters
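The exec_chain fields above let a consumer rebuild process ancestry without trusting PIDs, which macOS reuses after a process exits. The following is an added example, not cmdReporter's own code: it indexes constructed exec events by exec_chain_parent.uuid, walks exec_chain_child.parent_uuid links to recover the chain, and applies an illustrative detection rule (a shell spawned underneath a GUI application bundle). The "pid" and "path" field names are assumptions; only the exec_chain objects follow the release notes.

```python
import json
from typing import Dict, Iterable, List, Tuple

# Constructed sample exec events (not real cmdReporter output). The
# "exec_chain_child" and "exec_chain_parent" objects follow the field names in
# the release notes; "pid" and "path" are assumed names for the process id and
# executable path carried elsewhere in the event.
SAMPLE_EVENTS: List[str] = [
    json.dumps({
        "pid": 1105,
        "path": "/Applications/Preview.app/Contents/MacOS/Preview",
        "exec_chain_child": {"parent_pid": 1,
                             "parent_uuid": "11111111-1111-1111-1111-111111111111"},
        "exec_chain_parent": {"uuid": "82044823-FD77-4553-919A-58B368E106A5"},
    }),
    json.dumps({
        "pid": 1212,
        "path": "/bin/sh",
        "exec_chain_child": {"parent_pid": 1105,
                             "parent_uuid": "82044823-FD77-4553-919A-58B368E106A5"},
        "exec_chain_parent": {"uuid": "BABA5C42-2963-4F28-83A4-8C0DD7DFD96F"},
    }),
    json.dumps({
        "pid": 1213,
        "path": "/usr/bin/curl",
        "exec_chain_child": {"parent_pid": 1212,
                             "parent_uuid": "BABA5C42-2963-4F28-83A4-8C0DD7DFD96F"},
        "exec_chain_parent": {"uuid": "C0FFEE00-0000-4000-8000-000000000001"},
    }),
]

SHELLS = ("/bin/sh", "/bin/bash", "/bin/zsh")


def parse_events(lines: Iterable[str]) -> Dict[str, dict]:
    """Index exec events by exec_chain_parent.uuid, the identifier that later
    children reference through exec_chain_child.parent_uuid. UUIDs are keyed
    rather than PIDs because PIDs are reused after a process exits."""
    by_uuid: Dict[str, dict] = {}
    for line in lines:
        event = json.loads(line)
        own_uuid = event.get("exec_chain_parent", {}).get("uuid")
        if own_uuid:
            by_uuid[own_uuid] = event
    return by_uuid


def ancestry(by_uuid: Dict[str, dict], uuid: str) -> List[str]:
    """Return executable paths from the given process up to the oldest ancestor
    present in the data. The chain ends when a parent UUID is unknown (e.g. the
    parent exec'd before logging started). A seen-set guards against a
    malformed event that points back at itself."""
    chain: List[str] = []
    seen = set()
    current = by_uuid.get(uuid)
    while current is not None and uuid not in seen:
        seen.add(uuid)
        chain.append(current["path"])
        uuid = current.get("exec_chain_child", {}).get("parent_uuid")
        current = by_uuid.get(uuid)
    return chain


def shells_under_apps(by_uuid: Dict[str, dict], shells=SHELLS,
                      app_prefix: str = "/Applications/") -> List[Tuple[int, str]]:
    """Illustrative detection rule: a shell whose ancestry includes a GUI
    application bundle. Returns (pid, path) for each matching shell."""
    hits: List[Tuple[int, str]] = []
    for uuid, event in by_uuid.items():
        if event["path"] not in shells:
            continue
        parents = ancestry(by_uuid, uuid)[1:]  # drop the shell itself
        if any(p.startswith(app_prefix) for p in parents):
            hits.append((event["pid"], event["path"]))
    return hits


if __name__ == "__main__":
    index = parse_events(SAMPLE_EVENTS)
    for uuid in index:
        print(" <- ".join(ancestry(index, uuid)))
    print("shells spawned under /Applications:", shells_under_apps(index))
```

Note that the chain is only as complete as the events you have retained: a parent that exec'd before cmdReporter started, or whose event was dropped by the smart logging filters, shows up as the end of the chain rather than as an error, so correlate with AuditEventLogVerboseMessages when full ancestry matters.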
Bug Fixes:
- Resolved preferences caching issue: In rare cases preferences were cached too long
- Optimized events and event fields
- Added version information to cmdReporter -T output
- Tokenwatcher checks backed off to every 30 seconds to resolve duplicate check errors
New Preference Keys:
<key>AuditEventLogVerboseMessages</key>

<!-- # General Endpoint Logging -->
<key>LogRemoteEndpointEnabled</key>
<key>LogRemoteEndpointURL</key>
<key>LogRemoteEndpointType</key>

<!-- # REST-specific -->
<key>LogRemoteEndpointREST</key>
<dict>
    <key>PublicKeyHash</key>
</dict>

<!-- # Kafka-specific -->
<key>LogRemoteEndpointKafka</key>
<dict>
    <key>TLSServerCertificate</key>
    <key>TLSClientPrivateKey</key>
    <key>TLSClientCertificate</key>
    <key>TopicName</key>
</dict>
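A misconfigured remote endpoint fails silently from the endpoint's point of view (events simply never arrive), so it is worth checking the preference structure before deploying it. The following added example, not part of cmdReporter or these notes, assembles the Kafka preferences with plistlib and validates that each endpoint type carries the keys the notes list (the REST PublicKeyHash, the Kafka TLS certificate/key triple and TopicName). The type strings "rest", "kafka" and "logstash", the requirement that logstash needs no sub-dictionary, and all sample values are assumptions; the notes do not state the accepted values.

```python
import plistlib
from typing import Any, Dict, List

# Keys are taken from the release notes. The endpoint type strings and the
# mapping from type to sub-dictionary are ASSUMPTIONS for illustration; the
# notes do not list the values LogRemoteEndpointType accepts.
ENDPOINT_DICT_KEY = {"rest": "LogRemoteEndpointREST",
                     "kafka": "LogRemoteEndpointKafka"}
REQUIRED_ENDPOINT_KEYS: Dict[str, List[str]] = {
    "rest": ["PublicKeyHash"],
    "kafka": ["TLSServerCertificate", "TLSClientPrivateKey",
              "TLSClientCertificate", "TopicName"],
    "logstash": [],  # assumed: no type-specific keys are listed in the notes
}


def kafka_prefs(url: str, topic: str, server_cert: str, client_cert: str,
                client_key: str, verbose: bool = False) -> Dict[str, Any]:
    """Assemble preferences for the Kafka endpoint: the server certificate to
    verify the broker and a client certificate/key pair to authenticate the
    host, i.e. mutual TLS. Sample values are placeholders."""
    return {
        "AuditEventLogVerboseMessages": verbose,
        "LogRemoteEndpointEnabled": True,
        "LogRemoteEndpointURL": url,
        "LogRemoteEndpointType": "kafka",
        "LogRemoteEndpointKafka": {
            "TLSServerCertificate": server_cert,
            "TLSClientPrivateKey": client_key,
            "TLSClientCertificate": client_cert,
            "TopicName": topic,
        },
    }


def validate_prefs(prefs: Dict[str, Any]) -> List[str]:
    """Return a list of structural problems; an empty list means complete."""
    problems: List[str] = []
    if not prefs.get("LogRemoteEndpointEnabled"):
        return problems  # remote logging disabled: nothing else is required
    if not prefs.get("LogRemoteEndpointURL"):
        problems.append("LogRemoteEndpointURL missing")
    etype = prefs.get("LogRemoteEndpointType")
    if etype not in REQUIRED_ENDPOINT_KEYS:
        problems.append(f"LogRemoteEndpointType unknown: {etype!r}")
        return problems
    dict_key = ENDPOINT_DICT_KEY.get(etype)
    if dict_key is None:
        return problems  # type without a sub-dictionary (assumed for logstash)
    sub = prefs.get(dict_key)
    if not isinstance(sub, dict):
        problems.append(f"{dict_key} dict missing")
        return problems
    for key in REQUIRED_ENDPOINT_KEYS[etype]:
        if not sub.get(key):
            problems.append(f"{dict_key}.{key} missing")
    return problems


def to_plist(prefs: Dict[str, Any]) -> bytes:
    """Serialise to XML plist, the format the preference keys above are shown in."""
    return plistlib.dumps(prefs)


def from_plist(data: bytes) -> Dict[str, Any]:
    return plistlib.loads(data)


if __name__ == "__main__":
    prefs = kafka_prefs("kafka.example.internal:9093", "cmdreporter-audit",
                        "/etc/cmdreporter/ca.pem", "/etc/cmdreporter/client.pem",
                        "/etc/cmdreporter/client.key")
    print(validate_prefs(prefs) or "ok")
    print(to_plist(prefs).decode())
```

Run the validator against the plist you intend to push with your management tool; an empty result only confirms the structure, not that the certificate paths or the URL are reachable from the endpoint.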