FREE User Conference | Oct 4-5 | REGISTER NOW >​

The Graylog blog

Announcing Graylog Illuminate v3.4

Announcing Graylog Illuminate 3.4

  • This version of Illuminate requires Graylog Server version 5.0.3 or later
  • Added new Illuminate packs
    • Zeek Network Security Monitor (#1257)
    • PowerShell logging support (#640)
  • Snort 3 IDS
    • It is required to update your filebeat configuration prior to the next release of Illuminate
    • The filebeat configuration change will add a prefix to fields extracted from structured data
    • This release will function with the existing and updated configuration
    • The next release of Illuminate will require the updated filebeat configuration with the prefix change
    • The next release of Illuminate will only process Snort events sent with the updated filebeat configuration


Released: 2023-06-29


  • Checkpoint: Fixed checkpoint vendor severity mapping to event_severity/event_severity_level (#1325)
  • Symantec Endpoint Protection: Missing quote in lookup causes issues with event_action (#1348)
  • Winlogbeat: winlogbeat_event_original message size causes indexing errors (#1355)
    • When the field is detected it will be deleted
  • Schema: Updated documentation field name http_method to use the correct field name http_request_method (graylog-schema #107)
  • Apache: Timestamp format causes indexing errors (#1385)
  • Sonicwall: VPN Saved search aggregation limits set to 0 (#1386)
  • Core: User investigation dashboard widget misalignment on Graylog 5.1.x (#1419)
  • Snort 3: AppID dashboard world map widget misalignment on Graylog 5.1.x (#1412)
  • Fortigate: Overview dashboard widget misalignment on Graylog 5.1.x (#1411)
  • Stormshield: Saved search severity syntax incorrect (#1414)



  • Cisco ASA: Added processing of messages relayed by RSYSLOG where the event code is placed in the APP-NAME field (#1356)
    • All ASA logs will now trim everything up to and including the vendor event code value from the message field
  • Cisco Meraki: Added processing of airmarshal events (#1084)
  • Cisco Meraki: Added Spotlight content (#467)
  • Checkpoint: Added Spotlight content (#1263)
  • Snort 3 IDS: Add Filebeat ndjson target (prefix) for Snort processing (#1365)
    • This will mitigate the possibility of field naming collisions when extracting structured data
  • pfSense: http_referrer_host now extracted from http_referrer (#1301)
  • Symantec Endpoint Protection: Added Spotlight content (#1330)
  • Apache2: Added parsing of additional error logs (#1372)
  • Stormshield Firewall: Improved event saved search, added alert saved search (#1392)


Known Issues

  • Auditbeat cannot process events with multiple values assigned to vendor_event_action (#622)


Let us know what you’d like to have included in our GitHub issue tracker.

Graylog GO white logo

Learn more at Graylog GO

FREE User Conference, Oct 4-5, Virtual | Houston, TX
Register Now - It's FREE

Get the Monthly Tech Blog Roundup

Subscribe to the latest in log management, security, and all things Graylog Blog delivered to your inbox once a month.