The following Illuminate Spotlight content packs have been updated since Illuminate 3.0.2:
- Graylog Illuminate 3.1.0:Cisco ASA Spotlight
- Graylog Illuminate 3.1.0:Core Spotlight
- Graylog Illuminate 3.1.0:Fortinet Fortigate Spotlight
- Graylog Illuminate 3.1.0:SonicWall NGFW Spotlight
- Graylog Illuminate 3.1.0:Watchguard Firebox Spotlight
- Illuminate indices field mapping changes (#424):
  - The default mapping type for strings is now “keyword”
  - This takes effect at the first index rotation after Illuminate 3.1 is installed; indices created before that rotation keep their existing mappings
  - Graylog schema field mappings and content are unchanged, but non-schema string fields that fell under the previous default (analysed “text”) will be indexed as “keyword”, i.e. as exact, unanalysed values, in new indices, so searches and aggregations on those fields may behave differently
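The mapping change above only becomes visible once a new index is created, so before and after the rotation it is worth checking which fields actually change type. The following Python script is an added example, not Graylog's or Illuminate's code: it flattens two `_mapping` responses (constructed samples here, standing in for `GET /<index>/_mapping` against the write index before and after rotation; the index names and the field set are assumptions) and reports the string fields whose type moved between “text” and “keyword”, plus the fields that remain analysed “text”.

```python
"""Diff string field types between two index generations.

Added example for the Illuminate 3.1 mapping change; not Graylog's or
Illuminate's code.  BEFORE/AFTER are constructed, trimmed-down
_mapping responses (assumption); real ones come from
GET /<index>/_mapping on the Elasticsearch/OpenSearch backend.
"""

# Constructed sample: write index before the rotation (assumed index name).
BEFORE = {
    "graylog_12": {
        "mappings": {
            "properties": {
                "message": {"type": "text"},
                "source": {"type": "keyword"},
                "source_ip": {"type": "ip"},
                "event_outcome": {"type": "keyword"},
                "vendor_event_description": {"type": "text"},
                "http": {
                    "properties": {
                        "user_agent": {"type": "text"},
                        "response_code": {"type": "long"},
                    }
                },
                "timestamp": {"type": "date"},
            }
        }
    }
}

# Constructed sample: first index created after Illuminate 3.1 is installed.
AFTER = {
    "graylog_13": {
        "mappings": {
            "properties": {
                "message": {"type": "text"},
                "source": {"type": "keyword"},
                "source_ip": {"type": "ip"},
                "event_outcome": {"type": "keyword"},
                "vendor_event_description": {"type": "keyword"},
                "http": {
                    "properties": {
                        "user_agent": {"type": "keyword"},
                        "response_code": {"type": "long"},
                    }
                },
                "timestamp": {"type": "date"},
            }
        }
    }
}

STRING_TYPES = {"text", "keyword"}


def flatten_properties(properties, prefix=""):
    """Walk a mapping's `properties` tree and return {dotted.path: type}.

    Object fields (a nested `properties` block) are recursed into so that
    sub-fields are reported with their full dotted path; leaf fields
    report their declared type.
    """
    out = {}
    for name, spec in properties.items():
        path = f"{prefix}{name}"
        if "properties" in spec:
            out.update(flatten_properties(spec["properties"], path + "."))
        if "type" in spec:
            out[path] = spec["type"]
    return out


def field_types(mapping_response):
    """Flatten a single-index GET /<index>/_mapping response to {field: type}."""
    (index_body,) = mapping_response.values()
    return flatten_properties(index_body["mappings"].get("properties", {}))


def string_type_changes(before, after):
    """Fields present in both generations whose string type differs.

    Returns a sorted list of (field, old_type, new_type) tuples, limited
    to text/keyword changes so that unrelated type differences are ignored.
    """
    b, a = field_types(before), field_types(after)
    return sorted(
        (f, b[f], a[f])
        for f in b.keys() & a.keys()
        if b[f] != a[f] and {b[f], a[f]} <= STRING_TYPES
    )


def text_fields(mapping_response):
    """Fields still analysed as `text` in the given index generation."""
    return sorted(f for f, t in field_types(mapping_response).items() if t == "text")


if __name__ == "__main__":
    for field, old, new in string_type_changes(BEFORE, AFTER):
        print(f"{field}: {old} -> {new}")
    print("still text:", ", ".join(text_fields(AFTER)))
```

Compare the reported fields against the Graylog schema field list; anything outside it is a non-schema field whose search semantics changed, since a “text” field is matched on its analysed tokens while a “keyword” field matches only the exact stored value.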
Please report bugs and any other issues in our GitHub issue tracker. Thank you!
GRAYLOG ILLUMINATE 3.1
Released: 2023-01-06
Fixes
- Cisco ASA fixes
  - Improved ICMP data handling (#820)
  - Fixed alert severity not being properly mapped (#819)
  - Fixed field mappings for NAT events (#813)
  - Fixed field extraction for multiple events (#821, #569, #902, #915, #935, #957)
  - Extracted event outcome from some messages (#540)
  - Support extracting numeric protocol values (#900)
  - Improved port number/service name extraction (#901)
  - Assigned correct categorization for 302013, 302015, 302016 events (#940)
  - Added support for mapping vendor_event_outcome to event_outcome (#958)
- Core: GIM enforcement for Alert messages is incorrect
- Windows: Field winlogbeat_winlog_event_data_param1 may cause incorrect dynamic mapping assignment (#884)
- Fortigate: time calculation can lead to indexing error (#1024)
- NXLog support: Keywords field contains numeric value that can overflow mapping type “long” (#987)
- Core: Dashboard widget not using correct sorting (#1042)
- Sonicwall NGFW: Dashboard widget uses incorrect metric (#1040)
Enhancements
- Added Stormshield processing and Spotlight (#802)
- Cisco ASA improvements
  - Added support for extracting FQDN fields (#896)
  - Simplified processing of Cisco events by using lookup-based parsing (#556)
  - Added processing for new events (#898, #918, #641, #936, #937, #938, #939, #942, #944, #947, #948, #952, #954, #959, #960, #964, #965, #966, #967, #968, #971, #990, #993, #994, #1012, #1013, #1023)
  - Added processing for DHCP events (#963, #966)
- Watchguard: Added DHCP event processing support (#956, #1018)
- Meraki: Added DHCP event processing support (#1029)
- Fortigate: Added DHCP event processing support (#1021)
- GIM Enforcement: Added DHCP event enforcement (#972)
Known Issues
- Auditbeat cannot process events with multiple values assigned to “vendor_event_action” (#622)
Let us know what you’d like to have included in our GitHub issue tracker.