FREE User Conference | Oct 4-5 | REGISTER NOW >​

The Graylog blog

Announcing Graylog Illuminate v3.2

  • New processing content included with Illuminate 3.2:
    • Bind DNS logs (#1098)
    • Ubiquiti Unifi (#1038)
    • Microsoft DHCP (#797)
    • Symantec Endpoint Protection Manager (#578)
    • Apache Web Server (#1081)
  • The following Spotlight content packs have been updated since Graylog Illuminate 3.1:
    • Graylog Illuminate 3.2.0:Cisco ASA Spotlight
    • The “DNS Transaction” GIM subcategory has been replaced with a multi-subcategory mapping of both “DNS Request” and “DNS Answer” (#361)
    • This release includes an updated message summary template content pack “Message Summaries” (#1054)

 

GRAYLOG ILLUMINATE 3.1

Released: 2023-03-02

Fixes

  • Illuminate Core:
    • Fixed severity mapping issue (#1078)
    • Make lookup file names unique (#1090)
    • Field alert_severity not statically mapped to data type (#1153)
  • Office 365:
    • Lookup file formatting error (#1091)
  • Okta:
    • Lookup file formatting error (#1092)
  • Fortigate:
    • Fixed severity mapping for level ‘notice’ (#1104)
  • Watchguard:
    • Not all DHCP events are being parsed (#1148)
  • Cisco ASA:
    • Fixed issue with Denied Connections widget search (#1186)

 

Enhancements

  • GIM: 
    • Added network.open and network.close subcategories (#635)
  • Illuminate Core:
    • Added MAC address (source_mac/host_mac/destination_mac) as candidate for reference field (source_reference/host_reference/destination_reference) (#1105)
    • Fixed selection order for destination_reference candidate fields (#1170)
    • Enforced IP field format for schema IP fields source_ip, host_ip, destination_ip (#1132)
    • Added “input routing” lookup to help with proper message identification & selection (#1149)
    • Improved IP processing rule criteria efficiency (#1155)
  • Cisco ASA:
    • Added mapping for vendor_event_severity to provide text severity corresponding to the numeric field vendor_event_severity level
    • Added support for events: 338001, 338002, 338003, 338004, 338005, 338006, 338007, 338008, 338101, 338102, 338103, 338104, 338201, 338202, 338203, 338204 (#973)
    • Added support for events: 302014, 302016, 302018, 302022, 302023, 302024, 302025, 302026, 302027, 302036, 302303, 302304, 302306 (#1161)
    • Updated categorization for events: 302013, 302015 (#1161)
  • Cisco Meraki:
    • Parse URLs in Meraki events (#469)
  • Sonicwall:
    • Categorized network open/close events (#1162)

 

Known Issues

  • Auditbeat cannot process events with multiple values assigned to `vendor_event_action’ (#622)

 

Let us know what you’d like to have included in our GitHub issue tracker.

Graylog GO white logo

Learn more at Graylog GO

FREE User Conference, Oct 4-5, Virtual | Houston, TX
Register Now - It's FREE

Get the Monthly Tech Blog Roundup

Subscribe to the latest in log management, security, and all things Graylog Blog delivered to your inbox once a month.