A major log improvement has been introduced in version 6.5. The Security Logs view and format have been improved to provide a more complete and comprehensive set of information (HTTP request, business context, security events). All this information is provided in a standard JSON format and can easily be exported to an external SIEM, for example.
In previous versions, any event detected by a security engine was sent as a single log by the Log Alert node, so each HTTP request could generate multiple logs. For example, a single attack payload could generate several logs, especially when several engines were enabled.
Now, all events detected in a request are merged and sent as a single log. To do this, we decided to break the previous format and provide a more structured log. The new log format is documented in the page JSON Logs format. This decision has led to a migration issue: we could not keep compatibility between the previous format and the new one. Therefore, the R&D team developed a migration tool to transform security logs from versions 6.3 or 6.4 to the new 6.5 format.
Run the migration
ICX logs from 6.3
The log migration assistant is located in the menu Tools > Security Logs Migration 6.5. The assistant will launch a background task that will browse every security log index from the database. One index represents a day of logs, meaning that 30 days of logs will represent 30 indices. The progress bar will restart from 0% on each index.
The task runs in the background, so the window can be closed and reopened through the same menu.
During the migration, "new" logs will appear in the Security logs view. Migrated logs keep their original detection date.
If there is no log to migrate, the task will end directly (100% progress).