Announcing Graylog 5.0 Beta.1

This is a beta for the upcoming release of Graylog v5.0. Please read on for detailed descriptions of everything that is included.

Download Links

• Docker image
• DEB and RPM packages are available in our repositories
• Docker Compose
• Tarballs (manual installation):
  • Graylog Server
  • Graylog Enterprise Server

GRAYLOG FORWARDER

• Tarball (manual installation):
  • Graylog Forwarder
• OS Packages
  • DEB Package
  • RPM Package
• Docker image:
  • Docker Hub
  • docker pull graylog/graylog-forwarder:5.0-beta.1-1

 

Please report bugs and any other issues in our GitHub issue tracker. Thank you!

GRAYLOG OPERATIONS & PLATFORM 5.0 BETA

Released: 2022-10-27

OpenSearch 2.x support

Graylog 5.0 adds support for OpenSearch 2.x versions. At this time the latest released version is OpenSearch 2.3. We have removed support for Elasticsearch 6.8, which reached its end-of-life date in February 2022. Support for Elasticsearch 7.10 remains in Graylog 5.0, but we recommend users upgrade to OpenSearch.

Java 17

Previous versions of Graylog required Java 8, which reached its end-of-life date in March 2022. With Graylog 5.0 we are moving to the latest LTS Java release, which is Java 17 at the time of this release. It will receive updates until September 2026. We aim to ship Graylog 5.0 with bundled JREs for the respective platforms to make it easier to deploy with the correct Java version going forward.

MongoDB 5.0

The new minimum baseline version is MongoDB 5.0, but Graylog 5.0 will support MongoDB 5.0 and 6.0, which is the latest current release at this time. Our recommended path is to update your existing Graylog 4.3.x deployment to MongoDB 5.0 and then update to Graylog 5.0. Of course, using backup and restore mechanisms also work great if you want to test this Beta release alongside your production deployment.

Graylog Sidecar

The Graylog Sidecar is essential for configuring log collectors. To date, it was not possible to run a collector multiple times. Only one configuration could be selected in the UI per collector. Now, mass deployment of sidecars is enabled by allowing multiple configurations per collector, and tags have been added for organization. The tags can be used to assign configurations freely without having to worry about assigning the same collector twice.

 

Screenshot of the new Collector Configuration with Tag Support

For Windows users, we have added support for upgrading Sidecars using the installer, which previously could cause it to register itself as a brand new Sidecar, losing configuration.

Archiving

Graylog 5.0 now allows the bulk restoration of archives for situations where extensive investigations or auditing requires searching across a larger time range. Previously, each archive had to be restored manually, one after the other, but Graylog will now sequentially restore the selected archives, making sure not to cause sudden load spikes by the restore traffic. Similarly, bulk deletion of old archives is now enabled via UI.

Search Filters

During investigations, parts of the search query often need to be enabled, disabled, or inverted. If the queries are complex, especially when there are multiple of these common parts of the query, this process can become very tedious and often involves keeping a separate document of queries that gets copied and pasted. The new search filters greatly reduce the effort involved, by providing the capability to separate these parts out and turn them on and off with a single click. They can even be saved and shared among team members, and that way consistently reused across ad-hoc and saved searches and dashboards.

Two search filters in use during an investigation

GRAYLOG SECURITY 5.0 BETA

Released: 2022-10-27

Sigma Rules

New to the 5.0 release is an exciting new feature for Graylog Security – the ability to add and import Sigma rules for security alerts! Sigma is an open standard for SIEM to look for potential security threats within logs. More information can be found on the SigmaHQ repository page. The new Sigma tab in Graylog Security will allow you to create your own rules, or import directly from the Rules database in the Sigma repository

Sigma Rule Editor

SigmaHQ Import Dialog

If logs match a Sigma rule, it will generate an Event on the Alerts page. You will also be able to add Event Fields and Notifications as you would any Event Definition within Graylog. With over 2,000 detection rules in the Sigma repository, and the ability to create your own, this extension to Graylog Security is a great tool for identifying threats to your systems. Each Sigma rule imported into Graylog can also directly be executed as a search, which can help when writing new rules, as well as understanding existing ones.

 

Search logs directly from a Sigma rule

Let us know what you’d like to have included in our GitHub issue tracker.