Announcing Graylog Illuminate v3.4

Announcing Graylog Illuminate 3.4

  • This version of Illuminate requires Graylog Server version 5.0.3 or later
  • Added new Illuminate packs
    • Zeek Network Security Monitor (#1257)
    • PowerShell logging support (#640)
  • Snort 3 IDS
    • It is required to update your filebeat configuration prior to the next release of Illuminate
    • The filebeat configuration change will add a prefix to fields extracted from structured data
    • This release will function with the existing and updated configuration
    • The next release of Illuminate will require the updated filebeat configuration with the prefix change
    • The next release of Illuminate will only process Snort events sent with the updated filebeat configuration

GRAYLOG ILLUMINATE 3.4

Released: 2023-06-29

Fixes

  • Checkpoint: Fixed checkpoint vendor severity mapping to event_severity/event_severity_level (#1325)
  • Symantec Endpoint Protection: Missing quote in lookup causes issues with event_action (#1348)
  • Winlogbeat: winlogbeat_event_original message size causes indexing errors (#1355)
    • When the field is detected it will be deleted
  • Schema: Updated documentation field name http_method to use the correct field name http_request_method (graylog-schema #107)
  • Apache: Timestamp format causes indexing errors (#1385)
  • Sonicwall: VPN Saved search aggregation limits set to 0 (#1386)
  • Core: User investigation dashboard widget misalignment on Graylog 5.1.x (#1419)
  • Snort 3: AppID dashboard world map widget misalignment on Graylog 5.1.x (#1412)
  • Fortigate: Overview dashboard widget misalignment on Graylog 5.1.x (#1411)
  • Stormshield: Saved search severity syntax incorrect (#1414)

 

Enhancements

  • Cisco ASA: Added processing of messages relayed by RSYSLOG where the event code is placed in the APP-NAME field (#1356)
    • All ASA logs will now trim everything up to and including the vendor event code value from the message field
  • Cisco Meraki: Added processing of airmarshal events (#1084)
  • Cisco Meraki: Added Spotlight content (#467)
  • Checkpoint: Added Spotlight content (#1263)
  • Snort 3 IDS: Add Filebeat ndjson target (prefix) for Snort processing (#1365)
    • This will mitigate the possibility of field naming collisions when extracting structured data
  • pfSense: http_referrer_host now extracted from http_referrer (#1301)
  • Symantec Endpoint Protection: Added Spotlight content (#1330)
  • Apache2: Added parsing of additional error logs (#1372)
  • Stormshield Firewall: Improved event saved search, added alert saved search (#1392)

 

Known Issues

  • Auditbeat cannot process events with multiple values assigned to vendor_event_action (#622)

 

Let us know what you’d like to have included in our GitHub issue tracker.

Get the Monthly Tech Blog Roundup

Subscribe to the latest in log management, security, and all things Graylog blog delivered to your inbox once a month.