Announcing Graylog Illuminate 3.4

• This version of Illuminate requires Graylog Server version 5.0.3 or later

• Added new Illuminate packs
  • Zeek Network Security Monitor (#1257)
  • PowerShell logging support (#640)
• Snort 3 IDS
  • It is required to update your filebeat configuration prior to the next release of Illuminate
  • The filebeat configuration change will add a prefix to fields extracted from structured data
  • This release will function with the existing and updated configuration
  • The next release of Illuminate will require the updated filebeat configuration with the prefix change
  • The next release of Illuminate will only process Snort events sent with the updated filebeat configuration

GRAYLOG ILLUMINATE 3.4

Released: 2023-06-29

Fixes

• Checkpoint: Fixed checkpoint vendor severity mapping to event_severity/event_severity_level (#1325)
• Symantec Endpoint Protection: Missing quote in lookup causes issues with event_action (#1348)
• Winlogbeat: winlogbeat_event_original message size causes indexing errors (#1355)
  • When the field is detected it will be deleted
• Schema: Updated documentation field name http_method to use the correct field name http_request_method (graylog-schema #107)
• Apache: Timestamp format causes indexing errors (#1385)
• Sonicwall: VPN Saved search aggregation limits set to 0 (#1386)
• Core: User investigation dashboard widget misalignment on Graylog 5.1.x (#1419)
• Snort 3: AppID dashboard world map widget misalignment on Graylog 5.1.x (#1412)
• Fortigate: Overview dashboard widget misalignment on Graylog 5.1.x (#1411)
• Stormshield: Saved search severity syntax incorrect (#1414)

Enhancements

• Cisco ASA: Added processing of messages relayed by RSYSLOG where the event code is placed in the APP-NAME field (#1356)
  • All ASA logs will now trim everything up to and including the vendor event code value from the message field
• Cisco Meraki: Added processing of airmarshal events (#1084)
• Cisco Meraki: Added Spotlight content (#467)
• Checkpoint: Added Spotlight content (#1263)
• Snort 3 IDS: Add Filebeat ndjson target (prefix) for Snort processing (#1365)
  • This will mitigate the possibility of field naming collisions when extracting structured data
• pfSense: http_referrer_host now extracted from http_referrer (#1301)
• Symantec Endpoint Protection: Added Spotlight content (#1330)
• Apache2: Added parsing of additional error logs (#1372)
• Stormshield Firewall: Improved event saved search, added alert saved search (#1392)

Known Issues

• Auditbeat cannot process events with multiple values assigned to vendor_event_action (#622)

Let us know what you’d like to have included in our GitHub issue tracker.