Announcing Graylog Illuminate v7.0.6
Release Date: May 8th, 2026
KNOWN ISSUES
- Illuminate: Deprecation and eventual removal of some stream categories (3575)
  - Stream categories will now be assigned based on GIM Categories from associated log streams
  - Deprecated categories to be removed in 8.0.0: webserver, firewall, network_traffic, windows_logs, linux, system, compliance, endpoint, hids
ADDED
- Symantec ProxySG: Security Core support (3430)
  - GIM categorization for all TCP and UDP proxy event types with expanded vendor_event_action support
  - Changed http_category to use proper schema field http_uri_category
  - Updated extraction pattern for vendor_event_action
- OSSEC HIDS: Security Core support and extended alert categorization (3439)
  - Authentication, network connection, IAM, audit, and extended detection categorization
- AWS Security Hub: Security Core support (3437)
  - Refined GuardDuty network detection categorization
  - Fixed Macie S3 field extraction
- WatchGuard Firebox: Security Core support (3427)
  - Network connection, detection, authentication, service, and audit categorization
- Google Workspace: Security Core support (3419)
  - Added GIM codes to Login and Token logs
  - Added event_outcome lookup (success/failure) derived from vendor_event_name for Login and Token logs
  - Added application_name field to Google Workspace logs
- Okta: Security Core support (3421)
  - Detection event processing, logoff event categorization, and token revoke tracking
  - Updated Okta event catalog to cover all current event types
- Stormshield Firewall: Security Core support (3428)
  - GIM 120200 (network connection initiated) for filter, connection, and alarm events
  - GIM 300001 (network_detection) for alarm events
  - GIM 130000 (email sent) for smtp events; GIM 180300 (http proxied) for web events
  - GIM 100000 (authentication.logon) for xvpn “SSL tunnel created”; GIM 102500 (logoff) for “SSL tunnel destroyed”
  - Updated field mapping for source_port, destination_port, source_nat_port, vendor_data_pri, and event_duration
- Bind DNS: Security Core support (3390)
  - GIM event type assignments for all BIND DNS log channels: queries, query errors, security, zone transfers, dynamic updates, DNSSEC, notify, and general
  - Query error logs now separately categorize negative DNS responses (NXDOMAIN, SERVFAIL, REFUSED) from infrastructure errors
  - Added event_action and event_outcome mappings for denied and failed DNS outcomes
- ProFTPD Server: Security Core support (3438)
  - Authentication, network connection, and file operation categorization
- Packetbeat: Security Core support (3425)
  - Fixed typo in spelling of spotlight file
- GitLab: Security Core support (3422)
  - Authentication, IAM, HTTP communication, audit policy, and vulnerability detection categorization
- FortiWeb: Security Core support (3436)
  - HTTP communication, authentication, service, audit, and detection categorization
- Symantec Endpoint Security: Security Core support (3431)
  - File Activity (subtype 8003) → FILE GIM category (file.default)
  - Registry Key Activity (8005) and Registry Value Activity (8006) → REGISTRY GIM category
  - Host Network Activity (8007) → NETWORK GIM category (network.default)
  - System Activity 8001 events without Process Launch context → PROCESS GIM category (process.default)
- Symantec EDR: Security Core support (3429)
  - GIM categorization for Process Launch, Process Termination, User Session expired, and Intrusion Prevention log types
  - Fixed application_name field mapping for audit and diagnostic log types
  - Refactored MITRE array deduplication and registry path construction
FIXED
- Cisco ASA: source_reference no longer set to static sentinel for management-plane auth/identity events (3300)
  - Event codes 113006, 113007, 502101, 502102 previously hardcoded source_reference to “SOURCE_NOT_DEFINED”
  - This caused false positives in detections grouping by source_reference (e.g., password-spray rules)
  - The static value has been removed
- Security Core: Fixed query string for some detection_query instances missing a trailing colon that caused indexing errors (3843)
- Check Point Firewall: Fixed event_action mapping and added missing action values (3635)
  - Fixed event_action being set to EVENT_ACTION_NOT_DEFINED when action was present in the log
  - Added missing action mappings for VPN and authentication events (Key Install, Log In, Log Out)
  - Fixed Detect action incorrectly mapped to “allowed” instead of “detected”
  - Added user identity field extraction for VPN and Identity Awareness events
- Mimecast: Removed pipeline rule that rewrote the message field since the input doesn’t support writing the full_message field (3689)
- Fortigate: DNS logs now categorized by specific name resolution subcategory when vendor_eventtype is present (3685)
  - dns-query events → GIM 140000 (dns request); dns-response events → GIM 140200 (dns answer)
  - Previously all DNS events defaulted to name resolution default (GIM 149999)
- Mimecast: Fixed pipeline errors and warnings caused by unmapped vendor event types (3793)
  - vendor_event_action could previously be set to the literal string “null” for unknown event types
  - A missing field guard produced runtime warnings for directory sync events
- Security Core: Fixed spelling of sigma_rule_tag in the ‘Successful RDP Logon from External Source’ event definition (3820)
- Cisco ISE: Fixed negative UTC offset parsing and incorrect wifi_bssid/wifi_ssid field assignment (14180)
  - Fixed base field extraction regex to accept negative UTC offsets (e.g., -04:00)
  - Split single wifi SSID extraction rule into two rules to handle all vendor_SSID value formats
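The Cisco ASA source_reference fix above is worth seeing in detection terms. The following is an added example, not Illuminate's own pipeline or rule code: a toy password-spray detection that groups failed authentications by source_reference, run over constructed sample events once with the old sentinel behaviour and once with the field left unset. The event samples, the threshold of three distinct users, and the vendor_event_name values are assumptions.

```python
from collections import defaultdict

# Static value the release note says ASA codes 113006/113007/502101/502102
# were previously hardcoded to.
SENTINEL = "SOURCE_NOT_DEFINED"

# Constructed sample of normalized ASA events (not real log data).
# Management-plane identity events from three different admins carry no
# usable source; a constructed spray from one address hits three accounts;
# one benign failure comes from a second address.
MGMT_EVENTS = [
    {"event_code": "113006", "user_name": "alice", "event_outcome": "failure"},
    {"event_code": "113007", "user_name": "bob", "event_outcome": "failure"},
    {"event_code": "502101", "user_name": "carol", "event_outcome": "failure"},
]
NETWORK_EVENTS = [
    {"vendor_event_name": "aaa_auth_rejected", "user_name": u,
     "event_outcome": "failure", "source_reference": "198.51.100.7"}
    for u in ("dave", "erin", "frank")
] + [
    {"vendor_event_name": "aaa_auth_rejected", "user_name": "grace",
     "event_outcome": "failure", "source_reference": "203.0.113.9"},
]

def before_fix(events):
    """Old behaviour: an event with no source gets the static sentinel."""
    return [dict(e, source_reference=e.get("source_reference", SENTINEL))
            for e in events]

def after_fix(events):
    """Fixed behaviour: source_reference is simply left unset when unknown."""
    return [dict(e) for e in events]

def password_spray_sources(events, threshold=3):
    """Return {source_reference: sorted users} for every source from which at
    least `threshold` distinct users failed authentication.  Events without a
    source_reference cannot be attributed to a source and are skipped."""
    users_by_source = defaultdict(set)
    for e in events:
        if e.get("event_outcome") != "failure" or "source_reference" not in e:
            continue
        users_by_source[e["source_reference"]].add(e["user_name"])
    return {s: sorted(u) for s, u in users_by_source.items()
            if len(u) >= threshold}

def hardened_password_spray_sources(events, threshold=3):
    """Rule-side guard for data indexed before the fix: never treat the
    sentinel as a real source."""
    return {s: u for s, u in password_spray_sources(events, threshold).items()
            if s != SENTINEL}
```

With the sentinel in place, the three unrelated admin events collapse into one pseudo-source and trip the rule alongside the real spray; with the field unset, or with the rule excluding the sentinel, only 198.51.100.7 is reported.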
CHANGED
- 1Password: Expanded field extraction, GIM authentication and IAM categorization, and Security Core support (3408)
  - Expanded schema field extraction across sign_in_attempts, audit_events, and item_usages
  - Added GIM authentication categorization for sign-in events by outcome
  - Added IAM categorization for six audit_events identity lifecycle actions
  - Added source_user_* actor fields for audit_events; destination_reference for sign-in events
  - Replaced broad vendor_subtype GIM lookup with purpose-built categorization rules
- Metricbeat: Enabled GIM code assignment and expanded metric normalization coverage (3440)
  - Enabled processing for 5 additional metric types
  - Expanded field normalization coverage
- Check Point Firewall: Refined Security Core detection categorization (3393)
  - Refined SmartDefense/IPS detection events from generic detection to specific IDS detection categorization
- Microsoft IIS: Security Core support and HTTPERR log parsing (3418)
  - Added HTTPERR (HTTP.sys error) log parsing
  - GIM 180200 (http communication) categorization for all log types
  - Added Security Core enforcement fields
- Mimecast: Security Core support with GIM categorization across authentication, IAM, audit, and messaging events (3417)
  - Login, MFA, and access policy events → authentication events
  - User account and group management → IAM events
  - Policy and configuration changes → audit events
  - Archive message views and searches → messaging events
  - Added normalized event_action and event_outcome fields for all event types
- AWS VPC (Kinesis): Refined GIM event type code from network connection to flow record (3435)
- Symantec Endpoint Protection: Security Core support with refined GIM categorization (3423)
  - AV and SONAR detections → host_detection
  - Browser/IPS events → ids_detection
  - Firewall packet and traffic events → network connection
  - SEPM policy changes → audit.policy events
- F5 BIG-IP: Security Core support with GIM enforcement fixes and new event parsing (3433)
  - Expanded GIM coverage and reference field derivation for network enforcement
  - Added mcpd service event categorization and LTM connection event parsing
- Sophos Firewall: Security Core support with refined GIM categorization (3416)
  - Refined GIM categorization for IPS detection events and HTTP content filtering
  - Fixed detection events incorrectly defaulting to event_action=allowed
- Cisco 350: Security Core support (3434)
  - Authentication, service, audit, and detection categorization for Cisco Business 350 Series switches
- Illuminate: Updated stream categories assigned (3575)
- Bitdefender Telemetry: Added missing event mappings and DocGen documentation (3412)
  - Added missing file_access event categorization
  - Expanded event action mappings and fixed several processing bugs
- Zeek: Security Core support with GIM code refinements and event normalization (3424)
  - NTLM authentication events → credential validation (100500)
  - SSL, DCE/RPC, NTP, and weird events → network.default (129999) instead of uncategorized (000000)
  - Added event_action normalization for conn and HTTP log types
  - Added event_outcome normalization for conn and DNS log types
  - Removed trailing spaces from rename field destinations; converted test files to raw codec
- Illuminate: Pack title format updated (3602)
  - “Illuminate {VERSION}:” prefix removed from processing and spotlight pack titles
  - A date-based version (year, month, day of update) is now appended to each pack title
- Juniper SRX: Security Core support (3413)
  - Authentication, network, and detection categorization; updated pack title format
- Caddy Web Server: Security Core support (3414)
  - Both access and error logs categorized as GIM 180200 (http communication) with network_protocol=http
- Bitdefender GravityZone: Refined Security Core categorization for new-incident events (3399)
  - EDR new-incident events now categorized as detection.host_detection (GIM 301000) on both push (CEF) and on-prem syslog transports
  - Replaces prior detection.default (309999) assignment
  - GravityZone incidents now surface alongside anti-exploit and advanced-threat-control detections in Security Core dashboards
Let us know what you’d like to have included in our GitHub issue tracker.