Outgrown Your Free Graylog? | 6 Reasons to Upgrade | Learn more >>>

Free Tools
See Demo
Free Tools
See Demo

Announcing Graylog Illuminate v3.5

GRAYLOG ILLUMINATE 3.5

Released: 2023-08-24

Fixed

  • Windows default log processing is not normalizing base Windows event log fields for all Windows event log messages (#1441)
  • Normalized Sysmon Event ID 10 GrantedAccess as vendor_granted_access (#806)
  • Fixed Meraki authentication logs not parsing (#591)
  • Added placeholder user_name for Windows Kerberos 4769 events with 0x20 error codes and empty usernames (#729)
    • Windows will sometimes log Security event ID 4769 (A Kerberos service ticket was requested) with an empty user and the error 0x20. These are of no security value according to Microsoft and simply indicate that the TGS has exired. These also trigger GIM errors when GIM enforcement is enabled. Adding a placeholder value (USER_NAME_NOT_DEFINED) will prevent the GIM enforcement pack from marking these as errors.
  • Fixed Checkpoint dashboard, alert level and severity is inverted (#1390)
  • Potential criteria logic issue with Windows auth failure anomaly detection rule (#1101)
    • This is potentially a breaking change, it may lead to a temporary change in the frequency of authentication failure anomaly detections.
  • The user_domain field is not being extracted from some Windows Security event logs (#1369)
  • Multiple Meraki MX device log types not parsing correctly (#1405)
  • Watchguard Firebox content enhancements (#904)
    • An event severity lookup was added, pattern updates and additions (vpn_pattern, signature_pattern, etc.).
  • Stormshield event_severity mapping assigns incorrect value (#1397)
  • Parsed the O365 client IP when the client port is not defined (#736)

 

Added

  • Updated WatchGuard Firebox Spotlight, adding new saved search and a status tab in the WatchGuard Firebox Overview dashboard (#1486)
  • Added normalization for Sysmon Event IDs 28 and 29 (#1313)
  • Mapped network_icmp_type when only network_icmp_type_number exists (#1447)
  • Added agent.activity event type antivirus and malware scan, gim_event_type_code 280001. (#1512)
  • Added logic to extract and normalize agent SIGD update events 2E02-0065/0066/0067/0069 and to categorize these events as agent activity (#1477)
  • Added a saved search to the Zeek spotlight that allows you to pivot from any UID type field to a log view showing all logs with that specific UID. (#1413)
  • Added new technology pack for Juniper SRX Series Firewalls (#1069)
    • This pack is developed for Juniper SRX devices running Junos OS 17.4 and above. This commit adds a new content pack.
  • Added new content pack for Sophos Firewall (SFOS) (#1403)
    • This pack is developed with SFOS version 19.5 for Sophos Firewall. It is expected that software version 18.x and higher work, but not fully tested. General parsing for 17.x and lower may work, but some field names have changed and correct GIM assignment may not work. This Commit adds a new content pack.
  • Support for new Cisco Meraki MX event types firewall, vpn_firewall, and cellular_firewall (#1446)
    • Meraki devices as of MX18.101 no longer use the “flows” datatype and now instead have the events “firewall”, “vpn_firewall”, and “cellular_firewall”. Illuminate will support both the legacy “flows” event type and the new event type.

 

Changed

  • Modified GIM event type code for http and conn back to a lookup (#1377)
    • Rather than looking for the existence or non-existence of a field to assign an event type code, rely on a lookup – any missing fields are anomalies.
  • removed event_action field requirement for category Agent, status and default subcategories (#1497)
  • Updated Meraki processing of security_events security_filtering_file_scanned to add event_severity, making it compliant with the Alerts category. (#1424)
  • Extract event_created from Cisco Meraki logs (#1379)
    • This will convert the field currently extracted as event_epoch_time, converts it to millisecond format, and will now extract it as event_created.
  • The dashboard for pfSense had a too complicate name. (#1445)
    • Changed the name from Illuminate:pfSense/OPNsense Filterlog_Alert_Device_Authentication to Illuminate:pfSense/OPNsense Firewall, Device and Alert.
  • Normalize event_action and network_direction from Cisco Meraki network messages (#1448)
  • Defined event_action possible values as blocked, allowed, started, completed, stopped, disabled, enabled, modified, deleted, paused, resumed (graylog-schema#122)
  • Split Windows Security group membership (4627), privileges changes (4703), and instances of privilege lists into separate values (#1374)

 

Let us know what you’d like to have included in our GitHub issue tracker.

The Graylog Product Team

View More Posts By The Graylog Product Team

Categories

Get the Monthly Tech Blog Roundup

Subscribe to the latest in log management, security, and all things Graylog blog delivered to your inbox once a month.

Blog Graphic
Read Now

Products

Graylog Security
Graylog Enterprise
Graylog Open
Graylog API Security
Graylog Cloud
Graylog Illuminate
Graylog Small Business
Pricing

Features

Access Control & Audit Logs
UEBA Anomaly Detection
Graylog Content: Illuminate
Data Collection
Data Enrichment
Data Management
Events & Alerts
Investigations
Reports & Dashboards
Risk Management
Scalable Architecture
Search
SOAR

LEARN

Resource Hub
Blog
Videos
Events
Community

SUPPORT

Customer Support
Documentation
Graylog Academy
Open Community

Company

About
Leadership
Partners
Careers
News & Awards
Contact

[email protected]

Follow Us:

Linkedin Reddit-alien Youtube Github Facebook-f
Graylog Available in AWS Marketplace

GRAYLOG HEADQUARTERS

1301 Fannin St, Ste. 2000
Houston, TX 77002

GRAYLOG COLORADO

1919 14th Street, Suite 700, Office 18
Boulder, CO 80302

GRAYLOG UNITED KINGDOM

34-37 Liverpool Street, 7th Floor
London, EC2M 1PP
United Kingdom

GRAYLOG GERMANY GMBH

Poolstraße 21
20355 Hamburg, Germany

© 2025 Graylog, Inc. All rights reserved

Privacy Policy | Legal | Sitemap