Announcing Graylog Illuminate v7.0.8

Announcing Graylog Illuminate v7.0.8

Release Date: July 6th, 2026

KNOWN ISSUES

  • Illuminate: deprecation and eventual removal of some stream categories (3575)
    • Illuminate will now assign stream categories based upon the GIM Categories assigned to logs stored in the associated streams. The following stream categories are deprecated, and will be removed in Illuminate version 8.0.0: “webserver”, “firewall”, “network_traffic”, “windows_logs”, “webserver”, “linux”, “system”, “compliance”, “endpoint”, “hids”.

ADDED

  • Security Core: Add Event Procedures (3886)
    • Add base event procedures to the event definitions in the Security Core content. This also updates event definitions to align the custom fields with the associated event procedure steps.

FIXED

  • FortiWeb: Spotlight is now available on Operations editions. (3945)
    • The FortiWeb Spotlight is now available under Graylog Operations editions, matching the FortiWeb processing pack. Previously it was restricted to Security editions and reported “requires a license” on an Operations/Enterprise license.
  • WatchGuard Firebox: fix source/destination IP and port extraction for Application Control traffic events that lead with an fqdn_dst_match field. (3901)
    • WatchGuard Application Control “Application identified” events (msg_id 3000-0149) can prepend an fqdn_dst_match or fqdn_src_match field before the action, which would lead to improper processing. Updated the extraction pattern and the matched value is captured as source_hostname or destination_hostname.
  • Cisco ASA: Fixed user-identity FQDN resolution events (746014, 746015, 746016) that mapped the resolved DNS address to source_ip. (3910)
    • The resolved name and address are now query_request and query_response, and the events are classified as name resolution (dns answer or dns error).

CHANGED

  • Apache HTTPD: Pack review correcting error/TLS match logic and normalizing field names, resolving SSL server and proxy-backend identifiers to destination_ip or destination_hostname, deriving GIM event_action/event_outcome, and adding error-log coverage for authentication/authorization denials, SSL/TLS security events, and malformed-request rejections. Also updates GIM categorization (Authentication, HTTP, Service). (3756)
    • Field changes: vendor_backend_ip > destination_ip, tls_version > vendor_tls_version, process_parent_id > process_id, crypto_algorithm > vendor_crypto_algorithm, vendor_http_timestamp > vendor_event_created. SSL server and proxy-backend identifiers now resolve to destination_ip or destination_hostname, and GIM event_action and event_outcome are populated where the log supports it. New error-log coverage was added for access-control denials, Basic/LDAP authentication failures, SSL/TLS verification, renegotiation, OCSP and SNI/Host policy events, and malformed-request rejections.

 

Let us know what you’d like to have included in our GitHub issue tracker.

 

Get the Monthly Tech Blog Roundup

Subscribe to the latest in log management, security, and all things Graylog blog delivered to your inbox once a month.