Announcing Graylog Illuminate v3.2

  • New processing content included with Illuminate 3.2:
    • Bind DNS logs (#1098)
    • Ubiquiti Unifi (#1038)
    • Microsoft DHCP (#797)
    • Symantec Endpoint Protection Manager (#578)
    • Apache Web Server (#1081)
  • The following Spotlight content packs have been updated since Graylog Illuminate 3.1:
    • Graylog Illuminate 3.2.0: Cisco ASA Spotlight
    • The “DNS Transaction” GIM subcategory has been replaced with a multi-subcategory mapping of both “DNS Request” and “DNS Answer” (#361)
    • This release includes an updated message summary template content pack “Message Summaries” (#1054)

 

GRAYLOG ILLUMINATE 3.1

Released: 2023-03-02

Fixes

  • Illuminate Core:
    • Fixed severity mapping issue (#1078)
    • Make lookup file names unique (#1090)
    • Field alert_severity not statically mapped to data type (#1153)
  • Office 365:
    • Lookup file formatting error (#1091)
  • Okta:
    • Lookup file formatting error (#1092)
  • Fortigate:
    • Fixed severity mapping for level ‘notice’ (#1104)
  • Watchguard:
    • Not all DHCP events are being parsed (#1148)
  • Cisco ASA:
    • Fixed issue with Denied Connections widget search (#1186)

 

Enhancements

  • GIM: 
    • Added network.open and network.close subcategories (#635)
  • Illuminate Core:
    • Added MAC address (source_mac/host_mac/destination_mac) as candidate for reference field (source_reference/host_reference/destination_reference) (#1105)
    • Fixed selection order for destination_reference candidate fields (#1170)
    • Enforced IP field format for schema IP fields source_ip, host_ip, destination_ip (#1132)
    • Added “input routing” lookup to help with proper message identification & selection (#1149)
    • Improved IP processing rule criteria efficiency (#1155)
  • Cisco ASA:
    • Added mapping for vendor_event_severity to provide text severity corresponding to the numeric field vendor_event_severity level
    • Added support for events: 338001, 338002, 338003, 338004, 338005, 338006, 338007, 338008, 338101, 338102, 338103, 338104, 338201, 338202, 338203, 338204 (#973)
    • Added support for events: 302014, 302016, 302018, 302022, 302023, 302024, 302025, 302026, 302027, 302036, 302303, 302304, 302306 (#1161)
    • Updated categorization for events: 302013, 302015 (#1161)
  • Cisco Meraki:
    • Parse URLs in Meraki events (#469)
  • Sonicwall:
    • Categorized network open/close events (#1162)

 

Known Issues

  • Auditbeat cannot process events with multiple values assigned to ‘vendor_event_action’ (#622)

 

Let us know in our GitHub issue tracker what you’d like to have included.
