Announcing Graylog 7.1.0-beta.2

This is a bug-fix release that improves Graylog’s functionality. Please read on for information on what has changed.

Special Note: It is not possible to upgrade Graylog Datanode beta 1 to Graylog Datanode beta 2.

Downloads

Release date: 2026-03-30

• Upgrade notes
• DEB and RPM packages are available in our repositories
• Docker Compose
• Container images:
  • Graylog Open
  • Graylog Enterprise
  • Graylog Data Node
• Tarballs for manual installation:
  • Graylog Server
  • Graylog Server (bundled JVM, linux-x64)
  • Graylog Server (bundled JVM, linux-aarch64)
  • Graylog Enterprise Server
  • Graylog Enterprise Server (bundled JVM, linux-x64)
  • Graylog Enterprise Server (bundled JVM, linux-aarch64)
  • Graylog Data Node (bundled JVM, linux-x64)
  • Graylog Data Node (bundled JVM, linux-aarch64)

 

Graylog 7.1.0-beta.2

Release date: 2026-04-09

Added

• Cloud Trail input improvements: Added setup wizard, improved processing, and support for automatic authentication. graylog-plugin-enterprise#11664 graylog-plugin-enterprise#12591 graylog2-server#23711 graylog2-server#24355
• Improved Inputs Overview Page: The page has been revamped with pagination and various UI enhancements to improve navigation. graylog2-server#12248 graylog-plugin-enterprise#24421 graylog2-server#24245 graylog-plugin-enterprise#12538
• Added support for JSON arrays when bulk receiving is enabled on the GELF HTTP and Raw HTTP inputs graylog-plugin-enterprise#12599 graylog2-server#24514
• Add secondary authorization token support to HTTP-based inputs. graylog-plugin-enterprise#13702 graylog2-server#25544
• Add size parameter to /api/search/aggregate endpoint graylog2-server#18838 graylog2-server#24867
• Allow sorting saved searches & dashboards based on favorite state graylog2-server#21659 graylog2-server#24809
• Added the ability to reorder columns in entity tables (alerts overview, streams overview, etc.) via drag and drop. graylog2-server#23935 graylog2-server#24191
• Dynamic shard sizing based on search nodes operating system memory. graylog2-server#23947 graylog2-server#24372
• Warning user when saving search if there are unconfirmed changes. graylog2-server#23967 graylog2-server#25178
• Add option to customize axis labels. graylog2-server#24289 graylog2-server#24306
• Added the ability to resize flexible width columns in entity tables (alerts overview, streams overview, etc.). graylog2-server#23934 graylog2-server#24362
• Added multiple PagerDuty Notification improvements: custom incident title, fully customizable incident key, and use Replay Search URL for link instead of generic stream search. graylog2-server#24328 graylog2-server#24504
• Set the default timerange to 30-day for filtering Alerts Entity Table graylog2-server#24361 graylog2-server#24950
• Run replay search for events on separate page. Add extra information about the event to sidebar on replay search page. graylog2-server#24554 graylog2-server#24589 graylog-plugin-enterprise#12847
• Run bulk replay search for events on separate page. Add extra information about the event and option to switch between selected events to sidebar on replay search page. graylog2-server#24845 graylog2-server#24767 graylog-plugin-enterprise#12990
• Added an ‘Info’ Events priority level. graylog2-server#24889 graylog2-server#25240 graylog-plugin-enterprise#13456 graylog2-server#25313 graylog-plugin-enterprise#13506
• add Password Complexity Configuration graylog2-server#5283 graylog2-server#24644
• Added new Palo Alto Networks UDP (PAN-OS v11+) input. graylog-plugin-enterprise#9582 graylog2-server#24617
• When creating an Alert definition, show the fields compatible to an aggregation like we do in the Search aggregation wizard (grey for incompatible). graylog2-server#23778
• Update REST API documentation from Swagger 2.x to OpenAPI 3.1. graylog2-server#13578 graylog2-server#23872 graylog-plugin-enterprise#12256
• Added metrics-provider for output-type frequency. graylog-plugin-enterprise#12203 graylog2-server#23940
• Create metrics supplier for inputs. graylog-plugin-enterprise#12201 graylog2-server#23942
• Add Inputs state dot badge to System and Inputs menu. graylog2-server#23989
• Add support for separately opening and closing code blocks. Use context-aware Markdown escaping. graylog-plugin-enterprise#12306 graylog2-server#24011
• Adds a deprecated label to rules and pipelines which shows deprecated functions used in those. graylog2-server#23924 graylog2-server#24018
• Create metrics supplier for shards. graylog-plugin-enterprise#12221 graylog-plugin-enterprise#12223 graylog2-server#24035
• Create metrics supplier for lookup tables. graylog-plugin-enterprise#12226 graylog2-server#24038
• Create metrics supplier for event notifications. graylog-plugin-enterprise#12225 graylog2-server#24048
• Create metrics supplier for streams. graylog-plugin-enterprise#12220 graylog2-server#24068
• Create metrics supplier for event definitions. graylog-plugin-enterprise#12227 graylog2-server#24081
• Create metrics supplier for dashboards. graylog-plugin-enterprise#12222 graylog2-server#24082
• Added ‘rename_fields’ pipeline function that supports bulk renaming message fields. graylog-plugin-enterprise#9558 graylog2-server#24083
• Create metrics supplier for users. graylog-plugin-enterprise#12207 graylog2-server#24090
• Create metrics supplier for MongoDB. graylog-plugin-enterprise#12206 graylog2-server#24091
• Added support for favorite fields in streams, controllable from message expansion. graylog2-server#24058 graylog-plugin-enterprise#12391 graylog-plugin-enterprise#12290 graylog-plugin-enterprise#12291 graylog-plugin-enterprise#12292 graylog2-server#21131 graylog2-server#23990 graylog2-server#24096
• Create metrics supplier for nodes system. graylog-plugin-enterprise#12212 graylog2-server#24160
• Add GET /api/system/cluster/nodes/paginated endpoint for obtaining server nodes in the standardized entity/pagination way. graylog2-server#24163
• Create metrics supplier for sidecars version. graylog-plugin-enterprise#12213 graylog2-server#24180
• Add aggregation key/values to event for notifications. graylog2-server#23500 graylog2-server#24199
• Add JVM and CPU metrics to cluster telemetry data. graylog-plugin-enterprise#12212 graylog2-server#24234
• Add server node lifecycle field to system/cluster/nodes/paginated API graylog2-server#24239
• Add option in MCP config for disabling schema output in responses. graylog2-server#23980 graylog2-server#24308
• Make maximum event age of cluster events configurable. graylog2-server#24441
• Add new system job scheduler to replace the legacy system job infrastructure. architecture#61 graylog2-server#24497 graylog-plugin-enterprise#12727
• Throw custom exception with help text on parent circuit breaking exception. graylog-plugin-enterprise#7917 graylog2-server#24518
• Add support for Azure blob storage in datanode graylog2-server#24551 graylog2-server#24567
• Added support for customizing titles of events with new configuration option in Event Definitions. graylog2-server#24578 graylog2-server#24757 graylog-plugin-enterprise#12830
• Add autofill for index prefix from title in index set creation graylog2-server#24568 graylog2-server#24608
• Enable opensearch 3 client by default, via feature flag opensearch3_client graylog2-server#24626
• Provide information on input launch failures. graylog-plugin-enterprise#10701 graylog2-server#24754
• Add new Full Message JSON field to the AWS Cloud Trail input to support custom pipeline parsing graylog2-server#24786
• Adding Quick Jump Feature – In-product search right at your fingertips graylog2-server#24812
• Add Graylog Collector management system. graylog2-server#24815
• Add more metrics to used journals. graylog-plugin-enterprise#12466 graylog2-server#24912
• Adding slicing functionality for easier grouping/searching on the Alerts and Events table for the alert and priority column. graylog-plugin-enterprise#12910 graylog-plugin-enterprise#12912 graylog2-server#24958
• Added MongoDB cluster nodes overview to the System / Cluster Configuration page graylog-plugin-enterprise#13215 graylog2-server#24990
• Add support for handling input failures received from the forwarder. graylog2-server#25025
• Add range aggregation to ScriptingApi. graylog2-server#25103
• Improve structure and documentation of the Events/Alerts table slicing functionality. graylog2-server#25142
• Changing delimiter char for decorators in ScriptingApi from ‘.’ to ‘#’ to avoid parsing problems when querying a nested field. graylog2-server#25155
• Added caching and fallback response for mongodb cluster nodes responses graylog2-server#25379

Changed

• Suppress non-actionable system notifications in cloud installs. graylog2-server#15645 graylog2-server#25130
• Updated content pack creation wizard to no longer include stream titles for manual content selection. graylog2-server#24166 graylog2-server#24186
• Change internal storage format for sessions. graylog2-server#21857
• Cluster Configuration Page: Add separate tables for each node type graylog-plugin-enterprise#12351 graylog-plugin-enterprise#12353 graylog-plugin-enterprise#12354 graylog2-server#24029
• Restructure layout of users edit and details view. graylog-plugin-enterprise#12002 graylog2-server#24116
• Backend telemetry is now sent only by the leader node. graylog2-server#24145
• Updated the Event Definition condition type selector to only include types that are supported by the available license(s). graylog-plugin-enterprise#11798 graylog2-server#24209 graylog-plugin-enterprise#12502
• Add auth service config setting for user’s default time zone. (see upgrade notes) graylog2-server#24381 graylog-plugin-enterprise#12641
• JadConfig updated to 1.0.0, adapted paths validation graylog2-server#24424 graylog-plugin-enterprise#12679
• Pin actions column in entity tables (streams overview, event definitions overview, etc.) graylog2-server#24507
• Improve performance of pipeline processing for large pipeline stage ranges. graylog2-server#24528
• Updated the security event details event definition name to link to summary view instead of edit page. graylog-plugin-enterprise#12718 graylog2-server#24557
• Update opensearch and its plugins in datanode to 2.19.4 graylog2-server#24630
• Changed format of event aggregation conditions to use underscores instead of parentheses, e.g. ‘count(source)’ is now ‘count_source’ graylog2-server#24703
• Switch four index maintenance jobs to the system job scheduler. graylog2-server#24763 graylog-plugin-enterprise#12986
• Removing perspectives frontend plugin and perspective-based navigation handling. graylog-plugin-enterprise#13194 graylog2-server#25002
• Migrated the storage module from the deprecated OpenSearch Rest High-Level Client to the OpenSearch Java Client. This ensures compatibility with newer OpenSearch versions and removes reliance on deprecated APIs. graylog2-server#25390
• Upgrade data node’s bundled OpenSearch to 2.19.5. graylog2-server#25550
• Remove Beta badge from MCP configuration page. graylog-plugin-enterprise#13761 graylog2-server#25566

Removed

• Removed support for remote-reindex migration to data node graylog2-server#24910

Fixed

• Fix Beats Kafka input to correctly determine field prefix when @metadata is missing by falling back to agent.type or beat.type fields. graylog-plugin-enterprise#10282 graylog2-server#24225
• Skip system notifications polling for users without notifications:read permission graylog-plugin-enterprise#10902 graylog2-server#25387
• Fixed Teams Notification V2 to display timestamps in the user’s local timezone. graylog2-server#13181 graylog2-server#25324
• Gracefully handle StackOverflowError in all grok pattern matching code paths instead of crashing. graylog-plugin-enterprise#13717 graylog2-server#25510
• Fix grouping direction radio button losing visual state during reorder. graylog2-server#20261 graylog2-server#25169
• Fixed error message when content packs are successfully uninstalled. graylog2-server#22059 graylog2-server#25448
• Fix browser navigation not restoring the previous search graylog2-server#22105 graylog2-server#18484 graylog2-server#24583
• Fix visual issue where the date picker showed the wrong active month based on the selected date due to a time zone problem. graylog2-server#22273 graylog2-server#23918
• Fixed input diagnosis page shows UDP for OpenTelemetry (gRPC) Input graylog2-server#22691 graylog2-server#24646
• Avoid exceeding buffer size when fetching index fields. graylog2-server#22743
• Fix user losing timezone when role or start page is updated. graylog2-server#22769 graylog2-server#24699
• Fix duplicate names and descriptions of regex extraction functions in Rule Builder. graylog2-server#23016 graylog2-server#25220
• Use timezone of current user for time bucketing in aggregations. graylog2-server#23091 graylog2-server#23133
• Fix hidden confirmation prompt when assigning sidecar collector configurations. graylog2-server#23253 graylog2-server#24792
• Fixed custom field form button always showing “Add custom field” even when editing an existing field. graylog2-server#23528 graylog2-server#25441
• Fix parsing of field values >999 in Rule Builder conditional. graylog2-server#23541 graylog2-server#25218
• Fix issue when click on pie chart shows in popover NaN instead of value. graylog2-server#23853 graylog2-server#24413
• Fix resource leaking in indices parser, referenced from datanode preflight check. graylog2-server#23870 graylog2-server#24933
• Fix issue when thresholds shows only partially. graylog2-server#23981 graylog2-server#23982
• Fix issue when running add to query action for multiple values from chart creates wrong query. graylog2-server#24002 graylog2-server#24003
• Fixed issue in Aggregation event definitions where ‘Field’ value selections were not cleared correctly. graylog2-server#24007 graylog2-server#24221
• Fix Index Stats by extracting shard metrics properly. graylog2-server#24040 graylog2-server#24061
• Fixed error preventing content pack creation when selecting Stream title entities. graylog2-server#24106 graylog2-server#24124
• Fix issue with left button position by moving it to the left. graylog2-server#24110 graylog2-server#24111
• Fix issue when modal overlays dropdown when it inside the modal. graylog2-server#24112 graylog2-server#24115
• Fixed issue preventing installing Stream entities from Content Packs. graylog2-server#24154 graylog2-server#24150
• Honor character literals in pipeline rules. graylog2-server#24247 graylog2-server#24295
• Make modal footer sticky to always show modal action buttons. graylog2-server#24370 graylog2-server#24303
• Fix an issue where clicking on the checkbox title doesn’t change the checkbox state in aggregation widget edit form. graylog2-server#24385 graylog2-server#24386
• Allow Sidecar Manager role to manage sidecar tokens. graylog2-server#24470 graylog2-server#24526
• Fixed issue where the email notification edit page displayed the default email body templates instead of user configured ones. graylog2-server#24515 graylog2-server#24657
• Fix compatibility issue with MongoDB >=8.2. graylog2-server#24581 graylog2-server#24733
• Fix overly strict parsing of escaped characters in pipeline function parse_json. graylog2-server#24781 graylog2-server#24785
• Error handling for trailing comma in map and array literals. graylog2-server#24864 graylog2-server#25304
• Queries modified via ‘Add to query’ or ‘Exclude from query’ widget actions now appear in query history. graylog2-server#24894 graylog2-server#24932
• Use GiB units for defining traffic limits in the chart. Add a label indicating that limits are calculated in UTC. graylog2-server#24982 graylog2-server#24983
• Fix saved search URL query overrides to execute with URL values on initial search execution. graylog2-server#25028 graylog2-server#25051
• Fix scrolling to newly created widgets by checking visibility of the correct elements. graylog2-server#25237 graylog2-server#25257
• Honor the max_event_age configuration for cluster event cleanup. Default reduced from 24h to 12h. graylog2-server#25259 graylog2-server#25265
• Fix absolute time range picker highlighting current day based on UTC instead of user timezone. graylog2-server#25282 graylog2-server#25305
• Correcting permission to replay search for alerts. graylog2-server#25369 graylog2-server#25406
• Fix mongodb connection in mongodb metrics supplier graylog2-server#25410 graylog2-server#25424
• show Graylog Node Version in Cluster Configuration page graylog2-server#25463 graylog2-server#25500
• Fix issue when default favorite fields disappear after adding favorite field. graylog2-server#25517 graylog2-server#25530
• Improve find query for index ranges: remove indices that are actually out of range but were selected as deflector indices by mistake. Also, throw exception if end time is before begin time in query. graylog2-server#21592
• Fixing handling of very large integers in frontend. graylog2-server#23220 graylog2-server#23432
• fixing/adding bucketing/scaling to date type fields in aggregations in the scripting API graylog2-server#23952
• Fix world map visualization when used in reports. graylog-plugin-enterprise#12304 graylog2-server#23985
• Fix sometimes missing fields and missing filtering for selected fields in message table CSV export in reports. graylog-plugin-enterprise#12308 graylog-plugin-enterprise#12236 graylog2-server#24010 graylog-plugin-enterprise#12368
• Enable opensearch certificate hot reloading in datanode graylog2-server#23606 graylog2-server#24062
• Open items in “Recent Activity” in same tab. graylog2-server#24078
• Fixing recent activity for non-admins: Including update events to accessible entities. graylog-plugin-enterprise#12427 graylog2-server#24080
• Fix that Index Set Warm Tier couldn’t be activated for some existing indices. graylog-plugin-enterprise#12430 graylog2-server#24114
• Add endpoint for data node / OpenSearch metrics. graylog-plugin-enterprise#12464 graylog2-server#24263
• Fixed issue that could cause some AWS inputs to fail when used with used with temporary STS credentials. graylog2-server#24155
• Reducing memory usage of suggest endpoint through better field type fetching. graylog2-server#24231
• Fixing field value suggestions for large numbers of indices. graylog2-server#24242
• Rolled back to view type forms for Lookup Tables, Caches and Data Adapters graylog2-server#24246
• Limiting runtime of field value suggestions aggregation. graylog2-server#24263
• Fixing issue on system overview page with missing initial value for reduce. graylog2-server#24338
• Fixing Traffic Graph to handle empty traffic data. graylog2-server#24339
• Keep highlighting rules in saved searches in order. graylog2-server#24347
• Add node_id between searchable fields in paginated server nodes endpoint graylog-plugin-enterprise#12632 graylog2-server#24369
• Make index directory parser more resilient, handling state files as optional graylog2-server#24358 graylog2-server#24397
• Better error handling regarding consistency between MongoDB and OpenSearch if errors during index rotation after changing custom type mappings happen. graylog2-server#24474
• Fixes back-end problems with sorting by percentile in pivots. Before this change, default sorting was used even if sorting by percentile was requested. graylog2-server#8863 graylog2-server#24524
• Return 404 instead of HTML for non-existent API methods. graylog2-server#24590
• Fix y10k problem in certificates signing graylog2-server#24604
• Fix legacy public notifications missing variant field created in previous versions breaking login screen. graylog2-server#24645
• Input stop/start button UX fixes graylog2-server#24235 graylog-plugin-enterprise#12659 graylog2-server#24659
• Allow owner of stream to delete it. graylog-plugin-enterprise#12743 graylog2-server#24670
• Fix metrix datastream creation in situations where opensearch in datanode starts too slowly graylog2-server#24671
• By default the future timestamp normalization should always be disabled. graylog2-server#23025 graylog2-server#24686
• Add graceful handling for invalid pipeline rules in the CreatePipelineMetadata migration. graylog2-server#24692
• Fix Unable to set new illuminate packs after previously setting illuminate packs on an input of the same type. graylog2-server#24668 graylog2-server#24715
• Fix protocol version negotiation for MCP server. graylog2-server#24701 graylog2-server#24717
• Clean up documents for failed job triggers. graylog2-server#23884 graylog2-server#24755
• Removed unnecessary automatic disabling of system event definitions during editing operations. graylog2-server#22946 graylog2-server#24780
• Fix Sidecars Not allowed to view user graylog-sidecar. graylog2-server#24132 graylog2-server#24407 graylog2-server#24848
• Fix App Owner: Acknowledging a restored archive job shows error. graylog-plugin-enterprise#10888 graylog2-server#24860
• Allow users to edit index field types without needing access to Failure Processing. graylog-plugin-enterprise#12765 graylog2-server#24890
• Fix thread leak in datanode opensearch removal process graylog2-server#24940
• Prevent URL length overflow in archive restore. graylog-plugin-enterprise#12681 graylog2-server#25031
• Improved cleanup during datanode preflight restart graylog2-server#25061
• Fixed STS assume-role error for the AWS CloudTrail input when using a configured HTTP proxy. graylog2-server#25072
• Fix memory-leak when updating data-adapters and caches. graylog2-server#25077 graylog2-server#25078
• Fix documentation link for MCP Server configuration graylog2-server#25107
• Fix memory leak for syslog input via TCP. graylog2-server#24336 graylog2-server#25120
• Showing neutral trend in number widget when delta is zero. graylog2-server#25138
• Use the 1-minute moving average for inputs throughput, instead of the total average. graylog-plugin-enterprise#13190 graylog2-server#25170
• Fix deserialization error when editing GreyNoise Quick IP Lookup data adapter. graylog2-server#25244
• Fix issue when entidy data table filter suggestions list take more place than screen height. graylog-plugin-enterprise#13131 graylog2-server#25286
• Fixed excessive MongoDB queries caused by uncacheable TimeStampConfig. graylog2-server#25344
• Fix datanode jvm.options for java 21 graylog2-server#25403
• Fixed event search extra filters being incorrectly applied as ANDed together. graylog-plugin-enterprise#13434 graylog2-server#25447
• Fix an incorrect ISO 8601 duration example in the token invalidation help text. graylog2-server#25457
• Fixed error on CIDR lookups in a data adapter with only one type of address. graylog-plugin-enterprise#13729 graylog2-server#25520
• Show event definition ID instead of throwing errors in the Events Overview widget when the event definition has been deleted graylog-plugin-enterprise#13756 graylog2-server#25548
• Fix creating output from Data Routing page for Stream results in empty output configuration. graylog2-server#23793 graylog2-server#25552

Security

• Update lz4-java library to 1.10.2 to fix CVE-2025-12183. graylog2-server#24687 graylog-plugin-enterprise#12940
• The suggestions endpoint could allow admin users to retrieve information about MongoDB collections not exposed in the UI. Additionally, users with certain roles, while working with MongoDB collections they are allowed to see, could use this endpoint to access additional field values beyond those intended to be visible. These security vulnerabilities have been fixed. graylog2-server#25404 graylog-plugin-enterprise#13618

Graylog Enterprise 7.1.0-beta.2

Release date: 2026-04-09

Added

• Add ability for Asset Risk Threshold Event Definitions to filter based on Asset Category and Priority. graylog-plugin-enterprise#12276 graylog-plugin-enterprise#12318 graylog-plugin-enterprise#12319 graylog-plugin-enterprise#12320 graylog-plugin-enterprise#12322 graylog-plugin-enterprise#12335 graylog-plugin-enterprise#12397 graylog-plugin-enterprise#12600 graylog-plugin-enterprise#12767
• Added the ability to connect to and import Sigma rules from private GIT repositories. graylog-plugin-enterprise#12277 graylog-plugin-enterprise#12380
• Allow parallel archive restore jobs in cluster. graylog-plugin-enterprise#12282 graylog-plugin-enterprise#12301
• Added support for favorite fields in streams, controllable from message details in log view widget. graylog-plugin-enterprise#12422 graylog-plugin-enterprise#12424
• Added missing Additional Fields to expanded Security Event details. graylog-plugin-enterprise#12452 graylog-plugin-enterprise#12501
• Make associated investigations column on security event list default, sortable and filterable graylog-plugin-enterprise#12531 graylog-plugin-enterprise#12932
• Added audit logging for individual entities created/deleted during content pack installation/uninstallation. graylog-plugin-enterprise#12614 graylog2-server#24641 graylog-plugin-enterprise#12890
• Add filterable Associated Assets column on Security Events table. graylog-plugin-enterprise#12699 graylog-plugin-enterprise#12945
• Add support for the filtering alerts and events by risk score range. graylog-plugin-enterprise#12700 graylog-plugin-enterprise#12808
• Added risk score badge to associated events in the asset drawer. graylog-plugin-enterprise#12701 graylog-plugin-enterprise#12993
• Added option to allow updating the status of all evidence events for an investigation when its status is updated. graylog-plugin-enterprise#12702 graylog-plugin-enterprise#12963
• Use event title, status and owner as initial values to create a new investigation, when adding the event as evidence. graylog-plugin-enterprise#12703
• Add Azure blob storage archiving backend. graylog-plugin-enterprise#12750 graylog-plugin-enterprise#12849
• Expand Active Directory Data Adapter to support configurable custom user attributes. graylog-plugin-enterprise#13065 graylog-plugin-enterprise#13340 graylog-plugin-enterprise#13606
• Add new Impossible Travel Anomalies detector. graylog-plugin-enterprise#13145 graylog-plugin-enterprise#13342 graylog-plugin-enterprise#13520
• Added new Investigation view for merged evidence event procedures. graylog-plugin-enterprise#13172 graylog-plugin-enterprise#13429 graylog2-server#25468 graylog-plugin-enterprise#13205
• Added the ability to add existing stream categories to streams. graylog-plugin-enterprise#13179 graylog-plugin-enterprise#13458
• Added Replay Search action for Sigma event definitions on the Event Definitions page. graylog-plugin-enterprise#13184 graylog-plugin-enterprise#13700 graylog2-server#25488
• Add Security overview link to Security dropdown in general perspective. graylog-plugin-enterprise#13193 graylog-plugin-enterprise#13267
• Add scope support to saved search filters. graylog-plugin-enterprise#13253 graylog-plugin-enterprise#13479
• Added associated_asset_priorities field to messages when adding associated assets. graylog-plugin-enterprise#13466 graylog-plugin-enterprise#13774 graylog2-server#25553
• Add bulk action to add selected logs to an investigation from the Log View widget. graylog-plugin-enterprise#13471 graylog-plugin-enterprise#13472
• Added new SQS Message Batch Size configuration field for the AWS Security Lake input. graylog-plugin-enterprise#12163
• Add ability to configure the default text and html email bodies for new Email Notifications. graylog-plugin-enterprise#12295
• Add list_vulnerabilities MCP tool graylog-plugin-enterprise#12306 graylog-plugin-enterprise#12372
• Add describe_security_events, and describe_event_procedures MCP tools. graylog-plugin-enterprise#12305 graylog-plugin-enterprise#12386
• Create metrics supplier for investigations. graylog-plugin-enterprise#12205 graylog-plugin-enterprise#12433
• Create metrics supplier for Illuminate. graylog-plugin-enterprise#12218 graylog-plugin-enterprise#12445
• Dynamic shard count for restored indices. graylog2-server#23932 graylog-plugin-enterprise#12446 graylog2-server#24126
• Create metrics supplier for external data lake connectors. graylog-plugin-enterprise#12208 graylog-plugin-enterprise#12562
• Create metrics supplier for data-tiering. graylog-plugin-enterprise#12210 graylog-plugin-enterprise#12589
• Add support for the Security Incidents endpoint in the Microsoft Graph input. graylog-plugin-enterprise#12607
• Add average time_to_detect and time_to_resolve to investigations metrics. graylog-plugin-enterprise#12204 graylog-plugin-enterprise#12608
• Create metrics supplier for internal data lake. graylog-plugin-enterprise#12211 graylog-plugin-enterprise#12609
• Display Asset Priority on the asset details drawer. graylog-plugin-enterprise#12663
• Add Asset Priority column on the main Assets list page. graylog-plugin-enterprise#12716
• Improve graceful handling of Office 365 Log Events input timeouts with a new Timeout Grace Period option. graylog-plugin-enterprise#12568 graylog-plugin-enterprise#12782
• Added support for automatic tracking of Asset Event Threshold events in investigations. graylog-plugin-enterprise#12819 graylog-plugin-enterprise#12831 graylog-plugin-enterprise#12965 graylog-plugin-enterprise#13001 graylog-plugin-enterprise#13046 graylog-plugin-enterprise#13229 graylog-plugin-enterprise#13739
• Add support for Azure Blob Storage warm tier repositories. graylog-plugin-enterprise#12744 graylog-plugin-enterprise#12827
• Add Azure Blob Storage backend support for Data Lake. graylog-plugin-enterprise#13008
• Added new CrowdStrike asset source and vulnerability scanner. graylog-plugin-enterprise#12842 graylog-plugin-enterprise#12981 graylog-plugin-enterprise#13077 graylog-plugin-enterprise#13124 graylog-plugin-enterprise#13185
• Added license usage tracking and reporting. graylog-plugin-enterprise#13133 graylog2-server#24943
• Introduced native anomaly detection capability. graylog-plugin-enterprise#13206 graylog-plugin-enterprise#13271 graylog-plugin-enterprise#13321 graylog-plugin-enterprise#13387 graylog-plugin-enterprise#13430 graylog-plugin-enterprise#13459 graylog-plugin-enterprise#13677
• Adding slicing functionality for easier grouping/searching on the Alerts and Events table for the following columns: alert type, priority, owner, status, investigations, assets graylog-plugin-enterprise#12909 graylog-plugin-enterprise#12911 graylog-plugin-enterprise#12913 graylog-plugin-enterprise#12915 graylog-plugin-enterprise#12916 graylog-plugin-enterprise#13207
• Handle forwarder input failures. graylog-plugin-enterprise#13282
• Add new Log Volume Anomalies detector. graylog-plugin-enterprise#13175 graylog-plugin-enterprise#13343
• Adding slice-by in Alerts/Events table for the risk score column. graylog-plugin-enterprise#13384
• Improve forwarder input metrics. graylog-plugin-enterprise#13190 graylog-plugin-enterprise#13391 graylog2-server#25170
• Display Forwarder input state errors in Graylog. graylog-plugin-enterprise#12483 graylog-plugin-enterprise#13509 forwarder#204
• Add bulk action to add selected logs to an investigation from the Message Table widget. graylog2-server#25347 graylog-plugin-enterprise#13514 graylog2-server#25318
• Added optional data_lake_journal_directory configuration option, which controls where the data lake journal will be stored. graylog-plugin-enterprise#11082 graylog-plugin-enterprise#13710

Changed

• Changed Investigation Bulk Assign action into separate Assign, Set Priority, and Set Status actions. graylog-plugin-enterprise#12165 graylog-plugin-enterprise#12532
• Updated Investigation archiving to automatically set the status to ‘Closed’. Removed the ability to edit or delete the ‘Closed’ status. graylog-plugin-enterprise#12166 graylog-plugin-enterprise#12366
• Changed default sort for Security > Assets to descending Risk Score. graylog-plugin-enterprise#12361 graylog-plugin-enterprise#12362
• Updated the Asset create API endpoint to use a provided ID if included in payload. graylog-plugin-enterprise#12398 graylog-plugin-enterprise#12690
• Removed automatic filtering of system events from the security events page. graylog-plugin-enterprise#13081 graylog-plugin-enterprise#13226
• Merged the Security perspective into the General perspective to simplify the UI. All Security pages are now available in the General perspective, and the perspective switch has been removed from navigation. graylog-plugin-enterprise#13194 graylog-plugin-enterprise#13269
• Removed link to Security Events page from Security dropdown. Security Events now uses the core Alerts pages and routes. graylog-plugin-enterprise#13266 graylog-plugin-enterprise#13275
• Implement paginated events list, which allows assigning owner and status, for investigation details page. graylog-plugin-enterprise#13346 graylog-plugin-enterprise#13426
• Implement paginated message table which lists complete messages, for investigation details page. graylog-plugin-enterprise#13347 graylog-plugin-enterprise#13522
• Allow adding more than 150 pieces of evidence to an Investigation at a time. graylog-plugin-enterprise#10589
• Restructure layout of teams edit and details view. graylog-plugin-enterprise#12002 graylog-plugin-enterprise#12435
• Changed Illuminate packs marked as updated to only those that are currently enabled. graylog-plugin-enterprise#12696
• Renamed Security Overview to Threat Coverage and updated the page header, navigation labels, and related documentation links to be threat-coverage specific. graylog-plugin-enterprise#13382

Removed

• Removed option to reset Security Event status to New since backend disallows it. graylog-plugin-enterprise#12278 graylog-plugin-enterprise#12363
• Removed the Investigations, Assets, and Events & Alerts tabbed lists from the Security overview page. graylog-plugin-enterprise#13336 graylog-plugin-enterprise#13337

Fixed

• Display the selected time zone on the report cover page again. graylog-plugin-enterprise#10044 graylog-plugin-enterprise#13054
• Security Events timestamp filtering now based on event.timestamp field instead of updated_at field, which fixes filtering bugs in Security Events table. graylog-plugin-enterprise#10119 graylog-plugin-enterprise#13211
• Fixed incorrect color assignments for investigations priority badges. graylog-plugin-enterprise#10136 graylog-plugin-enterprise#12323
• Correct Data Lake retrieval license usage help text to clarify that all retrieved messages count towards license usage. graylog-plugin-enterprise#10405 graylog-plugin-enterprise#13588
• Fixed creating a header badge with more than five characters problem graylog-plugin-enterprise#10782 graylog-plugin-enterprise#12888
• Changed license status for future start dates to “inactive”. graylog-plugin-enterprise#11369 graylog-plugin-enterprise#13406
• Fixed Sigma rule’s ‘Search Logs’ preview query to include added search filters. graylog-plugin-enterprise#11523 graylog-plugin-enterprise#13103
• Fix issue when exported to PDF Alerts & Events Metrics looks incomplete. graylog-plugin-enterprise#11675 graylog-plugin-enterprise#13225
• Fixed errors in Events Overview widget when adding filters on certain fields. graylog-plugin-enterprise#12117 graylog-plugin-enterprise#12480
• Refresh data lake archive config cache after dwh renaming. graylog-plugin-enterprise#12264 graylog-plugin-enterprise#12329
• Added missing migration of retrieval jobs stored in scheduler_triggers collection, so that existing retrieval jobs are properly read in 7.0. graylog-plugin-enterprise#12284 graylog-plugin-enterprise#12328
• Fixed events with no associated assets showing as having associated assets on the Security Overview page. graylog-plugin-enterprise#12364 graylog-plugin-enterprise#12365
• Added support for Gov/DoD subscription types in the Microsoft Defender for Endpoint input. graylog-plugin-enterprise#12379 graylog-plugin-enterprise#12392
• Hide AI context menu item on non-aggregation widgets graylog-plugin-enterprise#12381 graylog-plugin-enterprise#13601
• Resolved issue where Graylog proxy settings were not applied during Microsoft Defender token requests. graylog-plugin-enterprise#12403 graylog-plugin-enterprise#12481
• Fixed premature validation of Asset vulnerability scanner forms that resulted in errors. graylog-plugin-enterprise#12417 graylog-plugin-enterprise#12602
• Fixed issue that could cause some AWS inputs to fail when used with used with temporary STS credentials. graylog-plugin-enterprise#12440 graylog-plugin-enterprise#12463
• Fixes event logging for adding/removing users in roles. graylog-plugin-enterprise#12455 graylog-plugin-enterprise#12738 graylog2-server#24510
• Migrate leftover data from old data-warehouse-journal directory into new data-lake-journal graylog-plugin-enterprise#12461 graylog-plugin-enterprise#12496 graylog2-server#24202
• Do not show error related to AI terms acceptance on search page on airgapped installations. graylog-plugin-enterprise#12468 graylog-plugin-enterprise#12469
• Fix periodic “no active stream session found” error in the CrowdStrike input. graylog-plugin-enterprise#12892 graylog-plugin-enterprise#12566
• Fixed Okta group sync: Edit form does not load persisted API token. graylog-plugin-enterprise#12596 graylog-plugin-enterprise#12934 graylog2-server#24675
• Fix Data Lake file system backend validation for directories shared over NFS. graylog-plugin-enterprise#12598 graylog-plugin-enterprise#12634
• Fix: Retrieval doesn’t work from External Lake Connectors page graylog-plugin-enterprise#12665 graylog-plugin-enterprise#12823
• Fixing issue with horizontal scrolling of table on illuminate hub and security events page. graylog-plugin-enterprise#12666
• Add support for the short Azure Event Hubs timestamp format to allow MicrosoftServicePrincipalSignInLogs to be ingested. graylog-plugin-enterprise#12671 graylog-plugin-enterprise#12674
• Fixed filtering for threat coverage Illuminate packs. graylog-plugin-enterprise#12764 graylog-plugin-enterprise#12949
• Fixed report delete button being visible to users with only read permission. graylog-plugin-enterprise#12843
• Fixed a problem of Page not found error shown when trying to enter create/edit modals for Search Filters. graylog-plugin-enterprise#12860 graylog-plugin-enterprise#12861
• Fix permissions issue with owner title in security events overview. graylog-plugin-enterprise#12927 graylog-plugin-enterprise#12956
• Fixed Security Event Owner filters options search not always yielding the correct results. graylog-plugin-enterprise#12928 graylog-plugin-enterprise#13028
• HTTP 500 error on Security Events page’s alert endpoint has been fixed. graylog-plugin-enterprise#12966 graylog-plugin-enterprise#13200
• Enable widget summary feature for enterprise licenses. graylog-plugin-enterprise#12970 graylog-plugin-enterprise#13376
• Fixed MongoDB query performance degradation on assets collection by adding indexes on frequently queried asset lookup fields (ip_addresses, hostnames, mac_addresses, usernames, user_ids, email_addresses). graylog-plugin-enterprise#12984 graylog-plugin-enterprise#12983
• Prevented lingering executor threads after parallelized archive creation. graylog-plugin-enterprise#13039 graylog-plugin-enterprise#13040
• Fix issue where all event details were hidden when the user did not have permission to view the event definition. graylog-plugin-enterprise#13041 graylog-plugin-enterprise#13495
• Fixed DataLakeJournalWriter retrying indefinitely on ClosedChannelException during shutdown. graylog-plugin-enterprise#13186
• Fix assets endpoint throwing errors on security events page. graylog-plugin-enterprise#13202 graylog-plugin-enterprise#13203
• Avoids excessive heap allocation when loading large CSV files. graylog-plugin-enterprise#13264 graylog-plugin-enterprise#13280
• Sort asset vulnerabilities tab by CVSS score descending. graylog-plugin-enterprise#13319 graylog-plugin-enterprise#13716
• Forwarder inputs and outputs are no longer force-stopped on license violation. They will now continue running until the server is restarted. graylog-plugin-enterprise#10617 graylog-plugin-enterprise#13451
• Fix spotlight migration failure for custom local admin user usernames. graylog-plugin-enterprise#13543 graylog-plugin-enterprise#13546
• Fixed issue where Sigma rule events lost key fields. graylog-plugin-enterprise#13566 graylog-plugin-enterprise#13598
• Fix 1Password input not ingesting item_usages events due to checkpoint advancing on empty API responses. graylog-plugin-enterprise#13785 graylog-plugin-enterprise#13800
• Fix DATE column parsing in AthenaClientDataLakeTypeMapper for External Data Lake input to return a date instead of string object. graylog-plugin-enterprise#13817 graylog-plugin-enterprise#13820
• Fixed issue preventing usage of arrow keys in Sigma rule editor. graylog-plugin-enterprise#6608 graylog-plugin-enterprise#12523
• Fixed aggregation events breaking if ‘alert_severity_level’ field was mapped improperly in any index. graylog-plugin-enterprise#7588 graylog-plugin-enterprise#12471
• Add link to related dashboard and dashboard widget in report widget overview. graylog-plugin-enterprise#9120 graylog-plugin-enterprise#11548
• Use local browser timezone when creating new Okta users. graylog-plugin-enterprise#9452 graylog-plugin-enterprise#13436 graylog2-server#25233
• Fixed issue preventing HTTP proxy configuration settings from being used in AWS S3 and Security Lake inputs. graylog-plugin-enterprise#9816 graylog-plugin-enterprise#12342
• Fix archive thread count to only consider data nodes. graylog-plugin-enterprise#9971 graylog-plugin-enterprise#13277
• Fix sometimes missing fields and missing filtering for selected fields in message table CSV export in reports. graylog-plugin-enterprise#12308 graylog-plugin-enterprise#12236 graylog2-server#24010 graylog-plugin-enterprise#12368
• Fix defaults for list_illuminate_content_packs params graylog-plugin-enterprise#12376 graylog-plugin-enterprise#12382
• Properly reorder existing asset and investigation priority numbers after one is deleted. graylog-plugin-enterprise#12389 graylog-plugin-enterprise#12418
• Updates the Asset History Index set to ensure editing is allowed. graylog-plugin-enterprise#12431
• Fixing PDF rendering when running behind a reverse proxy and using different context paths. e.g. ‘/graylog’ on external URI/reverse proxy vs serving GL from ‘/’ graylog-plugin-enterprise#12507
• Fixed multiple instances of modals opening behind one another rendering them inaccessible. graylog-plugin-enterprise#11980 graylog-plugin-enterprise#12043 graylog-plugin-enterprise#12504 graylog-plugin-enterprise#12515
• Fixed error when trying to share Sigma rules while importing all from repository. graylog-plugin-enterprise#12527
• Fixed incorrect usage of Sigma Rules name on Create Event Procedure page. graylog-plugin-enterprise#12564
• Fixed Office 365 input error indicating that both a start and end time must be specified. graylog-plugin-enterprise#12577 graylog-plugin-enterprise#12578
• Handle errors while fetching AI terms acceptance for investigation reports. graylog-plugin-enterprise#11794 graylog-plugin-enterprise#12564
• Fixing field types in reports. graylog-plugin-enterprise#12592
• Fixing search if AI Terms service considers license invalid. graylog-plugin-enterprise#12631
• Removed automatic download of latest Illuminate content upon license install when illuminate_hub_new_version_check_interval server config value is 0. graylog-plugin-enterprise#12592
• Fix forwarder user token management with the Forwarders Manager role. graylog-plugin-enterprise#12695
• Fixed issue causing proper Low default asset priority from being used for new assets. graylog-plugin-enterprise#12728
• Fixes dropdown parameter – field value is suggested even if parameter is not yet used in the search. graylog-plugin-enterprise#8345 graylog-plugin-enterprise#12779
• Fix license status cluster udates. graylog-plugin-enterprise#12814
• Fix telemetry data lake traffic if data lake is not enabled. graylog-plugin-enterprise#12832
• Fixes inability to view Sigma rules created by content pack or Illuminate for some users. glc-bd-documents#97 graylog-plugin-enterprise#12844
• Added missing security license checks for Asset Event Definitions. graylog-plugin-enterprise#12866
• Filter mitre tactics with no name so those are shown by ID instead and do not break the Threat Coverage Widget. graylog-plugin-enterprise#12896
• Properly associate multiple assets to aggregation events with group by fields. graylog-plugin-enterprise#12937
• Fixed custom event definition fields not being added to triggered Sigma rule events. graylog-plugin-enterprise#12962
• Fixed “configuration field ‘content_types’ is missing” error for the Azure Event Hubs input. graylog-plugin-enterprise#13017
• Fixed alert details errors for users missing asset permissions. graylog-plugin-enterprise#13042
• Fix snapshot repository listing in os3 storage module graylog-plugin-enterprise#13033 graylog-plugin-enterprise#13067
• Redact Data Lake backend credentials from Iceberg catalog logs. graylog-plugin-enterprise#13118 graylog-plugin-enterprise#13120
• Prevent double qualification of anomaly detector edit link. graylog-plugin-enterprise#13281
• Fixed Office 365 input error indicating that both a start and end time must be specified. graylog-plugin-enterprise#13293 graylog-plugin-enterprise#13301
• Fixed STS assume-role error for the AWS S3 and Security Lake inputs when using a configured HTTP proxy. graylog-plugin-enterprise#9816 graylog-plugin-enterprise#13314
• Fix deserialization error when editing LDAP and GreyNoise Full IP Lookup data adapters. graylog-plugin-enterprise#13445
• Prevent unbounded event bus registrations in Sigma rule handling. graylog-plugin-enterprise#13526
• Bind MongoDBDataAdapterService as singleton to avoid event handler calls piling up over time. graylog-plugin-enterprise#13533
• Improve the Investigation details evidence sections by turning Dashboards into a section, reordering the evidence layout, and replacing modal-based add flows for Dashboards, Events, and Logs with direct navigation actions. graylog-plugin-enterprise#13635 graylog-plugin-enterprise#13758
• Fixed Security Event Reader/Manager Roles permissions issues. graylog-plugin-enterprise#13547 graylog-plugin-enterprise#13752 graylog-plugin-enterprise#13784
• Fix issue where editing a widget on a security dashboard visually resulted in an empty search page. graylog-plugin-enterprise#10147 graylog-plugin-enterprise#13794

 

Please report bugs and any other issues in our GitHub issue tracker. Thank you!