Announcing Graylog Illuminate v7.1.1
Release Date: June 8th, 2026
In this release, we introduce new spotlights and processing packs as well as enhancements to existing content.
ADDED
- AWS S3: Added new content pack for CloudTrail S3 data events and S3 server access logs. (3601)
- Added a new AWS S3 content pack with Security Core support. The pack processes AWS CloudTrail S3 data events and S3 server access logs, normalizes them into file, audit, and detection GIM codes, and flags CloudTrail CopyObject events as potential cross-bucket data exfiltration.
- Bind DNS: Added Security Core support. (3390)
- Added Security Core GIM event type code assignments for all BIND DNS log channels including queries, query errors, security, zone transfers, dynamic updates, DNSSEC, notify, and general logs. Query error logs now selectively categorize negative DNS responses (NXDOMAIN, SERVFAIL, REFUSED) separately from infrastructure errors (timeouts, connection failures). Added event_action and event_outcome mappings for denied and failed DNS outcomes.
- New Content Pack: Microsoft WinRM. Processes WinRM Operational event logs from NXLog and Winlogbeat 7/8 with GIM authentication and network categorization. (3501)
- Processes Microsoft-Windows-WinRM/Operational event logs and supports all 32 documented event IDs in the channel. Includes a Microsoft WinRM Spotlight dashboard.
- Microsoft SQL Server: New content pack. (3176)
- Adds a Microsoft SQL Server content pack that parses and categorizes SQL Server audit logs delivered via Winlogbeat or NXLog. Parses Transact-SQL statements into vendor-specific fields, categorizes events (login succeeded/failed, logout, impersonate, password reset, password policy, DDL/DML), and assigns GIM codes for authentication, IAM, database, and audit events.
- AWS WAF: New content pack that normalizes AWS WAF web ACL logs delivered via Kinesis. (1059)
- AWS WAF is Amazon’s managed web application firewall that inspects HTTP/HTTPS requests reaching Application Load Balancers, CloudFront, API Gateway, and AppSync, applying ALLOW, BLOCK, COUNT, CAPTCHA, or CHALLENGE actions based on managed or custom rule sets.
- Red Hat Enterprise Linux 10: Added a new content pack for RHEL 10 system logs. (3887)
- Added a Red Hat Enterprise Linux 10 content pack that parses and normalizes RHEL 10 system logs collected via Filebeat. Coverage includes systemd, kernel, NetworkManager, systemd-logind sessions, authorization events (PolicyKit, SELinux denials), package management (dnf, packagekit, rhsm-service), threat-hunting operational signals (firewalld, chronyd clock-step, ABRT crash dumps, rsyslog rate-limit drops), container and service activity (systemd-machined, cups, dbus, udisks), remote access (gnome-remote-desktop RDP), and shell command execution errors.
- Suricata: Added comprehensive Suricata EVE JSON content pack. (363)
- Added a new Suricata content pack that ingests Suricata EVE JSON logs and normalizes 30+ event types (IDS/IPS alerts, network flows, DNS, HTTP, TLS, SMB, RDP, Kerberos, and more) into the Graylog Information Model.
- Bitdefender Telemetry: Added support for ~30 additional EDR event types with SDM-normalized field names and ten new GIM categorizations. (3881)
- New EDR event types (process injection, WMI, BITS, scheduled tasks, service lifecycle, driver load, hardware mount/unmount, DNS, email, audit policy, user account, AMSI, shell/PowerShell) are now parsed, normalized to their SDM-canonical field names, and categorized. Saved searches or dashboards referencing the prior vendor_*-only field names may need updating.
- Redis: Added content pack with Security Core support, covering Redis open-source and Valkey via Filebeat. (3598)
- Added a Redis content pack with Security Core support for Redis open-source and Valkey (the open-source Redis fork). Initial release supports log delivery via Filebeat with the Graylog sidecar.
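The CopyObject flag described under the AWS S3 item above, as an added illustration that is not Illuminate's own pipeline code: a CloudTrail S3 data event is reduced to a few normalized fields, the x-amz-copy-source parameter is split into its source bucket and key, and a copy whose source bucket differs from the destination bucket is marked as a potential cross-bucket exfiltration. The records are constructed, and the field and category names are assumptions standing in for the pack's real GIM mappings.

```python
from urllib.parse import unquote

# Constructed CloudTrail S3 data-event records for this example (not real logs);
# only the fields the logic below reads are included.
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "CopyObject",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"}, "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"bucketName": "partner-exchange-bucket", "key": "exports/customers.csv",
                           "x-amz-copy-source": "internal-data-bucket/customers.csv?versionId=abc123"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "CopyObject",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/backup"}, "sourceIPAddress": "10.0.3.9",
     "requestParameters": {"bucketName": "internal-data-bucket", "key": "archive/customers.csv",
                           "x-amz-copy-source": "/internal-data-bucket/customers%20v2.csv"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"}, "sourceIPAddress": "10.0.3.10",
     "requestParameters": {"bucketName": "internal-data-bucket", "key": "customers.csv"}},
]

def split_copy_source(copy_source):
    """Return (bucket, key) from an x-amz-copy-source value, which may carry a
    leading '/', URL-encoding and a '?versionId=' suffix."""
    path = unquote(copy_source.split("?", 1)[0]).lstrip("/")
    bucket, _, key = path.partition("/")
    return bucket, key

def normalize_s3_event(record):
    """Map one CloudTrail S3 data event to normalized fields. The category
    labels are illustrative stand-ins, not Illuminate's actual GIM codes."""
    params = record.get("requestParameters") or {}
    fields = {
        "vendor_event_name": record.get("eventName"),
        "user_id": (record.get("userIdentity") or {}).get("arn"),
        "source_ip": record.get("sourceIPAddress"),
        "file_path": f"s3://{params.get('bucketName')}/{params.get('key')}",
        "gim_category": "file",
        "cross_bucket_copy": False,
    }
    copy_source = params.get("x-amz-copy-source")
    if record.get("eventName") == "CopyObject" and copy_source:
        src_bucket, src_key = split_copy_source(copy_source)
        fields["source_file_path"] = f"s3://{src_bucket}/{src_key}"
        # Source bucket differing from destination bucket is the pattern the
        # content pack flags as potential cross-bucket exfiltration.
        if src_bucket != params.get("bucketName"):
            fields["gim_category"] = "detection"
            fields["cross_bucket_copy"] = True
    return fields
```

Same-bucket copies (the second record) keep the plain file category, so a downstream alert on cross_bucket_copy does not fire on routine in-bucket archiving.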
FIXED
- Security Core: Fixed query string for some instances of detection_query usage that were missing a trailing colon resulting in indexing errors. (3843)
- Cisco ISE: Updated processing to extract wifi_ssid and wifi_bssid when available. Spotlight updated with additional wifi_bssid widget. (3841)
- Security Core: De-duplicated Search Filters. (3556)
- Collapses 4 sets of duplicated Search Filters into single filters with appropriate updates to Event Definitions and Dashboards where duplicates were being used.
- Check Point Firewall: Fixed event_action mapping and added missing action values. (3635)
- Fixed event_action being set to EVENT_ACTION_NOT_DEFINED for Check Point events where the action is present in the log. Added missing action mappings for VPN and authentication events (Key Install, Log In, Log Out). Fixed Detect action incorrectly mapped to “allowed” instead of “detected”. Added user identity field extraction for VPN and Identity Awareness events.
- Cisco ISE: Fixed parsing failures for messages with negative UTC offsets and incorrect wifi_bssid/wifi_ssid field assignment. (14180)
- Fixed the base field extraction regex to accept both positive and negative UTC offsets (e.g., -04:00), resolving a parsing failure for messages from environments west of UTC. Split the single wifi SSID extraction rule into two rules to correctly handle all vendor_SSID value formats.
- Apache HTTPD: Fixed AH01384 rule incorrectly mapping the request path to http_uri; corrected to http_request_path. (2434)
- Security Core: Fixed spelling of sigma_rule_tag in the ‘Successful RDP Logon from External Source’ event definition. (3820)
- Sophos Firewall: Corrected http_uri and http_request_path field semantics, WAF event subtype, and event_outcome lookup. (3855)
- Additionally, added vendor_event_subtype = ‘Access’ for all WAF logs.
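The Cisco ISE offset fix above, as an added illustration that is not Illuminate's own pipeline rule: a header regex that accepts only a leading '+' on the UTC offset drops every message from a host west of UTC, while the corrected '[+-]' form matches both signs, and the captured offset is then used to normalize the timestamp to UTC. The message bodies are constructed and the field names are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed Cisco ISE syslog message bodies for this example (not real logs).
# Layout follows the ISE body header: "<date> <time> <utc offset> <sequence>
# <message code> <severity> <category>: <message>".
SAMPLE_MESSAGES = [
    "2026-06-01 09:15:02.123 +00:00 0000012345 5200 NOTICE Passed-Authentication: Passed-Authentication, UserName=alice",
    "2026-06-01 05:15:02.456 -04:00 0000012346 5400 NOTICE Failed-Attempt: Authentication failed, UserName=bob",
]

_TS = r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<off>"
_TAIL = r") (?P<seq>\d+) (?P<code>\d+) (?P<sev>[A-Z]+) (?P<cat>[^:]+): (?P<rest>.*)$"
# Before the fix: the offset group only accepted a leading '+', so a message
# carrying "-04:00" failed to match and none of the base fields were extracted.
ISE_HEADER_OLD = re.compile(_TS + r"\+\d{2}:\d{2}" + _TAIL)
# After the fix: '[+-]' accepts both positive and negative offsets.
ISE_HEADER_NEW = re.compile(_TS + r"[+-]\d{2}:\d{2}" + _TAIL)

def parse_ise(message, pattern=ISE_HEADER_NEW):
    """Extract the ISE base fields; return None when the header does not match."""
    m = pattern.match(message)
    if m is None:
        return None
    fields = m.groupdict()
    # Combine the local timestamp with its offset and normalize to UTC so that
    # events from sites in different time zones order correctly.
    local = datetime.strptime(f"{fields['ts']} {fields['off']}", "%Y-%m-%d %H:%M:%S.%f %z")
    fields["timestamp_utc"] = local.astimezone(timezone.utc).isoformat()
    return fields
```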
CHANGED
- Linux: Converted multiple grok() calls to multi_grok() across Linux pipeline rules; cron error logs rename vendor_cron_error -> event_error_description; iptables logs without a log prefix label are now classified as network.default (129999). (2670)
- Cron error logs now write to event_error_description instead of vendor_cron_error; update any saved searches, alerts, or dashboards referencing this old field. Cron CMDEND events are now classified as process.end (190100), and iptables logs without a log prefix are now classified as network.default (129999). The sshd_common pipeline was missing from pipeline_groups.toml, preventing GIM auth and connection categorization from executing; now fixed.
- Fortinet FortiGate: DNS resolved IP now maps to the SDM-canonical query_response field. (3873)
- Renamed the FortiGate DNS resolved-IP field from dns_value to query_response.
- pfSense: Updated processing to use multi_grok function rather than multiple groks. (2672)
Let us know what you’d like to see included via our GitHub issue tracker.