Announcing Graylog Illuminate v4.1

Announcing Graylog Illuminate 4.1

  • IMPORTANT VERSION NOTE: The minimum version required for this version of Illuminate is 5.1.10 or 5.2.3. (1808)
    • If you are running a Graylog 5.1.x version prior to 5.1.10, or a Graylog 5.2.x version prior to 5.2.3, DO NOT ENABLE THIS BUNDLE until your Graylog systems are upgraded to one of the supported versions.



Released: 2024-01-04



  • Okta: Switched from using the field vendor_event_action to using the field vendor_event_type (1789)
  • Okta: Extracted user_domain from user_name (1751)
  • Powershell: If the registry gets changed via a reg command, the fields registry_type and registry_path are parsed out and get categorized (633)
    • Logging for event_id 4104 must be enabled (script block logging).
  • Added parsing for Meraki MR logs (788)(1687)
    • Added support for Meraki association, disassociation, wpa_auth, wpa_deauth, 8021x_eap_failure, 8021x_deauth, 8021x_auth, 8021x_eap_success, splash_auth, mac_spoofing, multiple_servers and device_packet_flood MR events. All ports are now numeric values.
  • O365: Added record type enrichment (1806)
    • Added an enrichment which provides a description of the Office 365 record type. This enrichment is only available on the updated Office 365 inputs, available in Graylog after X.X.X, or for prior versions of the Office 365 inputs with the full_message option enabled.



  • BIND: Added support for severity_level mapping and support new log types. (1669)(1725)
    • Mapped all severity levels to our schema and added support for BIND security log type
  • O365: User email field contains the user ID value (1749)
    • This has been addressed in the updated Illuminate Office 365 processing but still exists with the Office 365 integration prior to 5.1.10 without the full_message capability enabled.
  • O365: Updated Illuminate Pack Titles (1704)
  • SEPM: Fixed a client traffic log issue where having a null Remote Host Name broke parsing. (1784)
  • Okta: Problems with policy.evaluate_sign_on processing (1794)
    • Changed categorization of the policy evaluation rule policy.evaluate_sign_on to authentication.default
  • O365: Alerts generating GIM errors (1425)
  • O365: Exchanged ModifyFolderPermissions incorrectly categorized as iam.object modify (1803)
  • Okta: Categorized user.authentication.sso as credential validation event (1752)
  • Ubiquiti Unifi:Dnsmasq events using legacy GIM type multi-code assignment (1746)



  • Removed alert_severity_level mapping functions/lookups. (1718)
    • Removed alert_severity_level mapping functions/lookups. Snort3 pack now relies on core to map alert_severity_level from alert_severity. alert_severity_level should no longer be a string as well.
  • Removed rules that processed logs and fields tied to the initial Snort3 filebeat configuration (1715)
    • The initial release of the Snort3 pack did not set the target field in the Filebeat configuration. Current documentation notes adding ‘target: “snort3″‘ which is required for proper log processing. This release now fully requires that field to be set.
  • Meraki: Renamed WiFi fields to match the schema. (1719)
  • Okta: Updated Illuminate processing to support updates to the Okta input (1789)
    • Parsing of Okta messages will be moved from the Graylog Okta input to Illuminate. This will allow for more rapid response to Okta message processing requests as they can now be provided by Illuminate updates, which can be released more frequently, instead of relying on Graylog Enterprise updates. This pack will maintain support for the legacy Okta inputs until Illuminate 6.0 is released. At that time, the support for the legacy Okta input message format will be removed. Support for the enhanced processing can be enabled on the Okta legacy input by enabling the full_message feature in the Okta input configuration.
  • O365: Added logic to support parsing full message (1769)
    • Parsing of Office 365 messages will be moved from the Graylog Office 365 integration input to Illuminate. Migrating the parsing out of the integration input improves the ability to update the parsing rules on a more frequent basis. Support for the updated Office 365 message processing can be enabled on the Office 365 legacy input by enabling the full_message feature in the Office 365 input configuration.
  • Sophos: Renamed WiFi fields to match the schema. (1721)
  • Modified the Zeek message field construction to only use the even description field which is derived from a lookup (1329)
    • The message field is now only composed of the event description (derived from lookup). The prefix ‘Zeek – ‘ will no longer be appended and ‘vendor_event_log_description’ is removed (now message).
  • Defender EP: Added logic to dedup the user_name field (1693)
    • Previously, the user_name field array could contain the same user_name multiple times. Added logic to dedup similar names.
  • Okta: Improved handling of vendor client geo information (1795)
    • Normalize Okta-provided geolocation enrichment data to fields with the prefix vendor_client_geo. This will prevent the Okta-provided geolocation enrichments from colliding with the Graylog-provided Geolocation enrichments.
  • Fortigate: Renamed WiFi fields to match the schema. (1717)



  • O365:Removed Skype Office 365 tab (1806)
    • Skype For Business was retired in July of 2021


Let us know what you’d like to have included in our GitHub issue tracker.

Get the Monthly Tech Blog Roundup

Subscribe to the latest in log management, security, and all things Graylog blog delivered to your inbox once a month.