Announcing Graylog Illuminate v3.1

The following Illuminate Spotlight content packs have been updated since Illuminate 3.0.2:

  • Graylog Illuminate 3.1.0: Cisco ASA Spotlight
  • Graylog Illuminate 3.1.0: Core Spotlight
  • Graylog Illuminate 3.1.0: Fortinet Fortigate Spotlight
  • Graylog Illuminate 3.1.0: SonicWall NGFW Spotlight
  • Graylog Illuminate 3.1.0: Watchguard Firebox Spotlight
  • Illuminate indices field mapping changes (#424):
      • The default mapping type for strings is now “keyword”
      • This takes effect after the index rotation that follows the installation of Illuminate 3.1
      • There is no change to the Graylog schema field mappings and content, but it may affect some non-schema fields
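Since the new string default only applies to indices created after the next rotation, a practical check is to diff the field mappings of the last pre-rotation index against the first post-rotation one and list the non-schema fields whose type changed. The script below is an added example, not Graylog or Illuminate code; the two mapping snapshots are constructed to mimic the shape of a `GET /<index>/_mapping` response, the index names are invented, and `SCHEMA_FIELDS` is an assumed, illustrative subset of schema field names rather than the real Graylog schema.

```python
"""List non-schema fields whose mapping type differs between two indices
(e.g. the index active before the Illuminate 3.1 rotation and the one
created after it).  Added example; snapshots and names are constructed."""
import json

# Constructed snapshots in the shape of a GET /<index>/_mapping response.
# Index names are invented; the pre-rotation "text" type is an assumption.
OLD_MAPPING = json.loads("""{
  "illuminate_example_0": {"mappings": {"properties": {
    "message":             {"type": "text"},
    "source_ip":           {"type": "keyword"},
    "vendor_event_action": {"type": "keyword"},
    "custom_app_tag":      {"type": "text"},
    "custom_note":         {"type": "keyword"},
    "event_duration":      {"type": "long"}}}}}""")
NEW_MAPPING = json.loads("""{
  "illuminate_example_1": {"mappings": {"properties": {
    "message":             {"type": "text"},
    "source_ip":           {"type": "keyword"},
    "vendor_event_action": {"type": "keyword"},
    "custom_app_tag":      {"type": "keyword"},
    "custom_note":         {"type": "keyword"},
    "event_duration":      {"type": "long"},
    "new_custom_field":    {"type": "keyword"}}}}}""")

# Assumed subset of schema fields (schema mappings are stated to be unchanged).
SCHEMA_FIELDS = {"message", "source_ip", "vendor_event_action", "event_duration"}


def field_types(mapping):
    """Flatten a single-index _mapping response into {field: type}."""
    (index_body,) = mapping.values()
    props = index_body["mappings"]["properties"]
    return {name: spec.get("type", "object") for name, spec in props.items()}


def changed_non_schema_fields(old, new, schema_fields):
    """Return {field: (old_type, new_type)} for non-schema fields present in
    both indices whose mapping type differs.  Fields seen only in one index
    are skipped: there is nothing to compare."""
    old_t, new_t = field_types(old), field_types(new)
    return {f: (old_t[f], new_t[f]) for f in sorted(old_t.keys() & new_t.keys())
            if f not in schema_fields and old_t[f] != new_t[f]}


if __name__ == "__main__":
    # A keyword field is indexed as one unanalyzed term, so searches that
    # relied on analyzed (per-word) matching of these fields need review.
    for field, (before, after) in changed_non_schema_fields(
            OLD_MAPPING, NEW_MAPPING, SCHEMA_FIELDS).items():
        print(f"{field}: {before} -> {after}")
```

Against a live cluster, replace the constructed snapshots with the parsed JSON of the two `_mapping` responses and the assumed `SCHEMA_FIELDS` set with the field names your deployment treats as schema.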

Please report bugs and any other issues in our GitHub issue tracker. Thank you!

GRAYLOG ILLUMINATE 3.1

Released: 2023-01-06

Fixes

  • Cisco ASA fixes:
      • Improved ICMP data handling (#820)
      • Fixed alert severity not being properly mapped (#819)
      • Fixed field mappings for NAT events (#813)
      • Fixed field extraction for multiple events (#821, #569, #902, #915, #935, #957)
      • Extracted event outcome from some messages (#540)
      • Added support for extracting numeric protocol values (#900)
      • Improved port number/service name extraction (#901)
      • Assigned the correct categorization to 302013, 302015 and 302016 events (#940)
      • Added support for mapping vendor_event_outcome to event_outcome (#958)
  • Core: GIM enforcement for Alert messages is incorrect
  • Windows: Field winlogbeat_winlog_event_data_param1 may cause incorrect dynamic mapping assignment (#884)
  • Fortigate: Time calculation can lead to an indexing error (#1024)
  • NXLog support: Keywords field contains a numeric value that can overflow mapping type “long” (#987)
  • Core: Dashboard widget not using correct sorting (#1042)
  • SonicWall NGFW: Dashboard widget uses incorrect metric (#1040)

Enhancements

  • Added Stormshield processing and Spotlight (#802)
  • Cisco ASA improvements:
      • Added support for extracting FQDN fields (#896)
      • Simplified processing of Cisco events by using lookup-based parsing (#556)
      • Added processing for new events (#898, #918, #641, #936, #937, #938, #939, #942, #944, #947, #948, #952, #954, #959, #960, #964, #965, #966, #967, #968, #971, #990, #993, #994, #1012, #1013, #1023)
      • Added processing for DHCP events (#963, #966)
  • Watchguard: Added DHCP event processing support (#956, #1018)
  • Meraki: Added DHCP event processing support (#1029)
  • Fortigate: Added DHCP event processing support (#1021)
  • GIM Enforcement: Added DHCP event enforcement (#972)

Known Issues

  • Auditbeat cannot process events with multiple values assigned to “vendor_event_action” (#622)

Let us know what you’d like to have included in our GitHub issue tracker.