Announcing Graylog Illuminate v6.4

Special Note:

To upgrade to this Illuminate v6.4 release, you must already be running Graylog Enterprise v6.1 or later.

ADDED

  • Caddy Webserver: Caddy Webserver Content Pack (2772)
    Caddy is a modern, open-source web server that automatically manages HTTPS certificates using Let’s Encrypt. It serves static files, proxies requests, and supports advanced configurations with minimal effort.
  • pfSense: Added support for Kea DHCP logs (2572)
  • Bitdefender: Added support for Syslog Telemetry and Syslog On Premise events. (2774)
  • Windows Security: Added parsing and categorization for Event ID 5136 (2763)
  • Linux AuditD: Added a pack to process Linux AuditD events. (2775)
  • Apache HTTP: Added a dashboard for Access and Error logs. (2846)
  • Linux Auditbeat: Added a lookup that maps the vendor_network_direction field to the standardized network_direction field. (2243)
    This update aligns with the Graylog schema to ensure consistency in field naming across content packs. The spotlight has also been updated to reflect this change, making it easier to search and filter by normalized network direction values.
  • Sophos Central: Added a spotlight. (2783)
    This spotlight supports endpoint events. It includes Overview and Threat Event tabs for quick visibility into diagnostic, application control, DLP, and threat detection events.
  • Fortigate: Added categorization for event_id 32044 (delete event logs) (2795)
  • Linux System Logs: Added support for additional pam/sshd authentication logs (2808)
  • Mimecast Content Pack (2242)
    Mimecast is a cloud-based cybersecurity provider specializing in email security, offering protection against phishing, malware, spam, and data leaks. It also delivers services for archiving, continuity, and threat intelligence to help organizations secure their communications and ensure compliance.

FIXED

  • Illuminate: Fixed assets processing, which was not working (2641)
  • Sophos Central: Fixed the event_severity level mapping values. (2812)
  • Fortigate: Renamed a field. (2864)
    The field vendor_destination_device_mac is now destination_mac.
  • Crowdstrike: Fixed the alert_severity_level from 3 to 2 in the Low Severity Detections widget in the Detections tab. (2794)
  • Core: Updated the reserved IP address ranges, which were out of date and missing some ranges (2653)
  • Linux System Logs: Unhandled empty username in some SSH connection logs (2793)
    SSH connection logs containing empty usernames now assign the user_name field the value _NULL_. In addition, relevant connection messages are now GIM categorized as 109999 (authentication.default). These messages could indicate intent to authenticate that failed or scanning activity where the connection was cut short by the client before authentication was prompted. Both cases are useful for monitoring.
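The empty-username case described above, as an added Python illustration that is not Illuminate's own pipeline code: it parses a few constructed sshd "Connection closed" lines, assigns _NULL_ to user_name when no username was ever supplied, tags the message with the 109999 (authentication.default) category from the note, and counts per-source connections that were cut short before authentication. Field names other than user_name are assumed for the example.

```python
import re

# Constructed sample sshd lines for illustration (not taken from the page).
# The third line has no username: the client closed the connection before
# sshd prompted for authentication.
SAMPLE_LOGS = [
    "Connection closed by authenticating user root 198.51.100.7 port 51123 [preauth]",
    "Connection closed by invalid user admin 198.51.100.7 port 51124 [preauth]",
    "Connection closed by 198.51.100.7 port 51125 [preauth]",
    "Accepted publickey for deploy from 203.0.113.9 port 40022 ssh2",
]

# GIM category for SSH connection messages, as stated in the release note.
GIM_AUTHENTICATION_DEFAULT = 109999
NULL_USER = "_NULL_"

# Optional "authenticating user X" / "invalid user X" before the address.
CONN_CLOSED = re.compile(
    r"^Connection closed by (?:(?:authenticating|invalid) user (?P<user>\S+) )?"
    r"(?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)(?: \[preauth\])?$"
)


def parse_ssh_connection(line):
    """Return normalized fields for an sshd connection-closed line, or None."""
    m = CONN_CLOSED.match(line)
    if m is None:
        return None
    user = m.group("user")
    return {
        "user_name": user if user else NULL_USER,  # empty username -> _NULL_
        "source_ip": m.group("ip"),                # field names below are assumed
        "source_port": int(m.group("port")),
        "gim_event_type_code": GIM_AUTHENTICATION_DEFAULT,
        "preauth": line.endswith("[preauth]"),
    }


def count_preauth_without_user(lines):
    """Count, per source IP, connections dropped before any username was sent."""
    counts = {}
    for line in lines:
        ev = parse_ssh_connection(line)
        if ev and ev["user_name"] == NULL_USER:
            counts[ev["source_ip"]] = counts.get(ev["source_ip"], 0) + 1
    return counts
```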

CHANGED

  • Core DNS Processing: Updated DNS Messages by Approval Over Time dashboard widget to use static color assignments for clarity. (2656)
  • Fortigate: Changed field names and removed empty fields (2778)
    Changed the following field names: vendor_policyname to policy_name, vendor_dstserver to vendor_destination_server, vendor_dsthwvendor to vendor_destination_hw_interface, vendor_dstintfrole to vendor_destination_interface_role, vendor_srchwvendor to vendor_source_hw_interface, vendor_srcintfrole to vendor_source_interface_role, and vendor_poluuid to policy_uid. The fields vendor_destination_server and vendor_source_server are now removed when their value is 0.
  • Bitdefender: Migrate from the deprecated alert category to the detection category. (2840)
  • Bitdefender: Now uses the more specific hash field names, e.g. hash_md5 is now file_hash_md5. (2551)

Let us know what you’d like to have included in our GitHub issue tracker.
