Announcing Graylog Illuminate v3.3

  • Updated default user and device priority level assignments in static_accounts.csv (#1248)
    • Severity and priority levels have been changed to be aligned
    • Account and device priority levels are: 1=low, 2=medium, 3=high, 4=critical
    • All severity levels are now 1=informational, 2=low, 3=medium, 4=high, 5=critical
  • This release requires a Graylog 5.0.0 or later system with a valid Security or Operations license
  • New Illuminate content included with Illuminate 3.3.0:
    • Snort 3 IDS Processing and Spotlight Packs (#1204)
    • Checkpoint Firewalls Processing Pack (#1053)
    • pfSense/OPNsense Firewall Processing and Spotlight Packs (#1208)
  • Spotlight files are now included in the Illuminate bundle
  • The following Graylog Illuminate Spotlight packs have changed:
    • Core: Added Network Traffic dashboard (#148)


Released: 2023-05-18


  • Core
    • Added checks to verify proper values assigned to user and device priority levels (#1248)
    • Entity enrichment lookup allows unsafe value entries (#1245)
  • Microsoft Defender
    • Extraction pattern breaking when encountering empty User field (#1278)
  • Microsoft Windows Security
    • Parsing breaking due to localization of keywords fields (#1212)
  • Meraki
    • Fixed parsing of flow logs when hostname present in log header (#1239)
  • Cisco ASA
    • “vendor_event_outcome” used where it should be “vendor_event_action” (#1187)
    • Fixed logic issues in destination_reference selection rule criteria (#1299)
  • Apache HTTPD:
    • Added support for CentOS/Redhat/FreeBSD default log filenames (#1271)
    • vendor_event_severity_level should be vendor_event_severity (#1272)


  • Added Winlogbeat version 8.x support for Windows Security, Sysmon, and Microsoft Defender content (#755)
  • Core
    • Added src_ip, src_port, dst_ip, dst_port mappings to Sigma mapping table (#1218)
    • Added automatic mappings for event_severity to event_severity_level and vice versa (#1222)

Known Issues:

  • Auditbeat cannot process events with multiple values assigned to vendor_event_action (#622)


Let us know what you’d like to have included in our GitHub issue tracker.
