Announcing Graylog Illuminate v7.0.4

Release Date: March 17th, 2026

 

FIXED

  • SonicWall NGFW: Fixed VPN login over-counting and missing VPN user list after SonicOS 7.3.1 upgrade (3279)
    • VPN login events were being over-counted on dashboards following the SonicOS 7.3.1 firmware upgrade. Event 139 (SSL VPN zone session setup) was incorrectly classified as an authentication logon event alongside event 1080 (SSL VPN user login), causing both to be counted per login. Event 139 is now classified as an access notice (GIM code 101001) consistent with event 141, so only the primary login event is counted.
    • VPN dashboard user lists were blank after the SonicOS 7.3.1 upgrade because the firmware changed the SSL VPN session type from sslvpnc to GMS. All VPN dashboard queries have been updated to include GMS in the application_name filter alongside the existing vpnc, sslvpnc, l2tpc, and Portal values.
    • Fixed typos in Security Services event category labels (events 1270-1274).
    • Event 1681 (IKEv2 Packet sent/received) was missing from the event lookup table, causing gim_event_type_code to be empty for these events. It is now mapped to the VPN IKEv2 event group.
  • Apache HTTPD: Fixed parsing failure when username is a UPN (contains @). (3447)

 

CHANGED

  • Postfix: Relay-forwarded log support, field rename, and GIM categorization (3460)
    • Relay-forwarded logs (e.g. from amavis or SpamAssassin) are now correctly identified and parsed. Previously these were silently dropped because the relay sets application_name to mail instead of postfix.
    • The field vendor_daemon has been renamed to service_name to better reflect its meaning (the Postfix sub-process that generated the message, e.g. smtpd, smtp, cleanup).
    • GIM event type codes are now assigned to all Postfix messages: email delivery (130000), rejection (131000), quarantine (131500), network connections (120200/120300), SASL authentication (100500), and service lifecycle events (210000/210100/211000).
    • Network fields destination_reference, source_reference, destination_port, source_port, and network_transport are now populated for connection events (connect, TLS, disconnect, timeout) to satisfy GIM field enforcement.
    • Authentication events now populate source_reference from the authenticating server IP and set user_name to avoid GIM field enforcement errors.

 

 

 

Let us know in our GitHub issue tracker what you’d like to see included.
