Announcing Graylog Illuminate v7.1.0
Release Date: May 4th, 2026
KNOWN ISSUES
- Illuminate: Deprecation and eventual removal of some stream categories. (3575)
- Illuminate now assigns stream categories based on the GIM categories of the logs stored in the associated streams. The following stream categories are deprecated and will be removed in Illuminate version 8.0.0: “webserver”, “firewall”, “network_traffic”, “windows_logs”, “linux”, “system”, “compliance”, “endpoint”, “hids”.
ADDED
- Symantec ProxySG: Added Security Core support. (3430)
- Added GIM categorization for all TCP and UDP proxy event types with expanded vendor_event_action support. Changed the http_category field to the proper schema field http_uri_category. Updated the extraction pattern for vendor_event_action.
- Sendmail: Added Security Core support. (3432)
- Added Security Core support for Sendmail with authentication, network connection, service lifecycle, and detection categorization.
- OSSEC HIDS: Added Security Core support and extended alert categorization. (3439)
- Added Security Core support for OSSEC HIDS with authentication, network connection, IAM, audit, and extended detection categorization.
- AWS Security Hub: Added Security Core support. (3437)
- Added Security Core support for AWS Security Hub with refined GuardDuty network detection categorization and fixed Macie S3 field extraction.
- WatchGuard Firebox: Added Security Core support. (3427)
- Added Security Core support for WatchGuard Firebox with network connection, detection, authentication, service, and audit categorization.
- Google Workspace: Added Security Core support. (3419)
- Added GIM codes to Login and Token logs. Added lookup for event_outcome (success/failure) derived from vendor_event_name for Login and Token logs. Added application_name field to Google Workspace logs.
- Okta: Added Security Core support. (3421)
- Added Security Core support for Okta with detection event processing, logoff event categorization, and token revoke tracking. Updated Okta event catalog to cover all current Okta event types.
- Stormshield Firewall: Added Security Core support. (3428)
- Added GIM 120200 (network connection initiated) for filter and connection events, and GIM 120200 together with 300001 (network_detection) for alarm events. Added GIM 130000 (email sent) for smtp events, GIM 180300 (http proxied communication) for web events, GIM 100000 (authentication.logon) for xvpn “SSL tunnel created” events, and GIM 102500 (authentication.logoff) for xvpn “SSL tunnel destroyed” events. Set application_name = “stormshield” for all Stormshield messages. Updated the field mapping for source_port, destination_port, source_nat_port, vendor_data_pri, and event_duration to capture valid values.
- ProFTPD Server: Added Security Core support. (3438)
- Added Security Core support for ProFTPD with authentication, network connection, and file operation categorization.
- Packetbeat: Added Security Core support. (3425)
- Added Security Core support for Packetbeat. Fixed typo in spelling of spotlight file.
- GitLab: Added Security Core support. (3422)
- Added Security Core support for GitLab with authentication, IAM, HTTP communication, audit policy, and vulnerability detection categorization.
- FortiWeb: Added Security Core support. (3436)
- Added Security Core support for FortiWeb with HTTP communication, authentication, service, audit, and detection categorization.
- Security Core: Assets and DNS Processing packs are not dependencies. (3618)
- Symantec Endpoint Security: Added Security Core support. (3431)
- Symantec Endpoint Security events are now assigned to GIM categories by subtype: File Activity (8003) to file.default, Registry Key Activity (8005) and Registry Value Activity (8006) to registry.default, Host Network Activity (8007) to network.default, and System Activity (8001) events without a Process Launch context to process.default.
- Linux: Added support for iptables logs without a --log-prefix configuration. (2652)
- Symantec EDR: Added Security Core support. (3429)
- Added GIM categorization for Process Launch, Process Termination, User Session expired, and Intrusion Prevention log types. Fixed application_name field mapping for audit and diagnostic log types. Refactored MITRE array deduplication and registry path construction for improved reliability.
FIXED
- Cisco ASA: source_reference no longer set to a static sentinel for management-plane auth/identity events (113006, 113007, 502101, 502102). (3300)
- Cisco ASA event codes 113006 (user lockout / logoff), 113007 (account unlocked), 502101 (account created), and 502102 (account deleted) previously had source_reference hardcoded to the literal “SOURCE_NOT_DEFINED”. This collapsed the management-plane auth events of every ASA device into a single source_reference bucket and could trigger false positives in detections that group by source_reference (for example, password-spray rules counting many auth failures from one source). The static value has been removed.
- Mimecast: Removed the pipeline rule that re-wrote the message field into a condensed format, because the current Mimecast input does not support writing the full_message field. (3689)
- For log sources that produce large messages on an input that can write the full_message field, Illuminate re-writes the message field to reduce indexing cost and make the log easier to digest by keeping only key information in the re-written message. The current Mimecast input cannot write full_message, so the message re-write has been removed to preserve the vendor’s full log message.
- Squid Proxy: Fixed HTTPS parsing and added http_host, destination_port, http_scheme fields. (3731)
- Squid Proxy access log parsing now extracts the requested hostname (http_host), the destination port for both HTTP URLs and HTTPS CONNECT tunnels (destination_port), and the URL scheme (http_scheme). HTTPS CONNECT requests no longer pollute http_request_path with the host:port string, and TCP_DENIED HTTPS messages now parse correctly.
- Fortigate: DNS logs now categorized by specific name resolution subcategory when vendor_eventtype is present. (3685)
- Fortigate DNS events that include an eventtype field are now categorized with specific name resolution GIM codes: dns-query events receive dns request (GIM 140000) and dns-response events receive dns answer (GIM 140200). Previously, all DNS events defaulted to name resolution default (GIM 149999) regardless of whether the log distinguished a query from a response.
- Mimecast: Fixed pipeline errors and warnings caused by unmapped vendor event types. (3793)
- Fixed pipeline logic that produced errors and warnings when Mimecast audit events contained an unmapped vendor_event_type: vendor_event_action could be set to the literal string “null” for unknown event types, and a missing field guard produced runtime warnings for directory sync events.
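To show why the Cisco ASA source_reference fix above matters for detection, here is an added Python example (not code from the release notes or the Illuminate content packs). It runs a minimal spray-style rule that groups user-lockout events by source_reference over the same constructed events twice: once with the old static “SOURCE_NOT_DEFINED” literal and once with a per-device value. The events are constructed, and attributing source_reference to the reporting device after the fix is this example's own assumption, not something the release notes specify.

```python
from collections import Counter

# The literal that the ASA pack previously hardcoded into source_reference.
SENTINEL = "SOURCE_NOT_DEFINED"

# Management-plane auth/identity event codes named in the fix.
MGMT_AUTH_CODES = {"113006", "113007", "502101", "502102"}

# Constructed, already-normalized events (not real device output). "device" stands for the
# reporting ASA; attributing source_reference to it after the fix is this example's assumption.
EVENTS = (
    [{"device": "asa-dc1", "vendor_event_code": "113006", "user": f"user{i}"} for i in range(5)]
    + [
        {"device": "asa-dc2", "vendor_event_code": "113006", "user": "carol"},
        {"device": "asa-branch", "vendor_event_code": "113006", "user": "erin"},
        {"device": "asa-branch", "vendor_event_code": "113007", "user": "erin"},
        {"device": "asa-dc3", "vendor_event_code": "113006", "user": "frank"},
        {"device": "asa-dc3", "vendor_event_code": "502101", "user": "svc-backup"},
    ]
)


def enrich(event, use_sentinel):
    """Mimic the enrichment step: before the fix every management-plane event got the
    same static source_reference; after it, the value is per reporting device."""
    e = dict(event)
    if e["vendor_event_code"] in MGMT_AUTH_CODES:
        e["source_reference"] = SENTINEL if use_sentinel else e["device"]
    return e


def lockout_spray_suspects(events, threshold=5):
    """A minimal spray-style rule: count user-lockout events (113006) per
    source_reference and return the sources at or above the threshold."""
    counts = Counter(
        e["source_reference"] for e in events if e["vendor_event_code"] == "113006"
    )
    return {src: n for src, n in counts.items() if n >= threshold}


def compare(events=EVENTS, threshold=5):
    """Run the rule over the same events with the old and the new enrichment."""
    before = lockout_spray_suspects([enrich(e, True) for e in events], threshold)
    after = lockout_spray_suspects([enrich(e, False) for e in events], threshold)
    return before, after


if __name__ == "__main__":
    before, after = compare()
    print("with sentinel:", before)  # every device's lockouts land in one bucket
    print("per device:  ", after)    # only the device that actually saw the burst
```

With the sentinel, eight lockouts spread over four devices fire the rule on a source that does not exist; with a real per-device reference the same rule fires only on asa-dc1, which saw the burst, and stays quiet for the scattered single lockouts elsewhere.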
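To make the Squid Proxy fix above concrete, here is an added Python parser for Squid's native access.log format (example code, not the Illuminate pipeline rules). It extracts http_host, destination_port and http_scheme, leaves http_request_path unset for HTTPS CONNECT tunnels instead of storing the host:port string there, and parses TCP_DENIED HTTPS lines like any other. The sample lines are constructed, and mapping the Squid result code to event_outcome is this example's own assumption.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log format (not from the release notes).
SAMPLE_LINES = [
    "1700000000.123    456 10.0.0.5 TCP_TUNNEL/200 5120 CONNECT example.com:443 - HIER_DIRECT/93.184.216.34 -",
    "1700000000.456     12 10.0.0.5 TCP_MISS/200 2048 GET http://example.org/index.html?q=1 - HIER_DIRECT/93.184.216.35 text/html",
    "1700000000.789      0 10.0.0.6 TCP_DENIED/403 3912 CONNECT blocked.example:443 - HIER_NONE/- text/html",
    "1700000001.000      3 10.0.0.7 TCP_MISS/200 512 GET https://secure.example:8443/login - HIER_DIRECT/203.0.113.9 text/html",
]

# time elapsed client result/status bytes method url ident hierarchy/peer content-type
NATIVE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


def split_connect_target(target):
    """CONNECT carries only host[:port]; default the port to 443 when absent.
    rpartition keeps bracketed IPv6 literals intact."""
    host, sep, port = target.rpartition(":")
    if not sep or not port.isdigit():
        return target, 443
    return host, int(port)


def parse_squid_line(line):
    """Return normalized fields for one access.log line, or None if it does not match."""
    m = NATIVE_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    fields = {
        "source_ip": f["client"],
        "http_method": f["method"],
        "http_response_code": int(f["status"]),
        "vendor_event_action": f["result"],
        # Assumption of this example: TCP_DENIED* is the failure outcome, everything else success.
        "event_outcome": "failure" if f["result"].startswith("TCP_DENIED") else "success",
    }
    if f["method"] == "CONNECT":
        # An HTTPS tunnel: record host, port and scheme, but no request path.
        host, port = split_connect_target(f["url"])
        fields.update(http_host=host, destination_port=port, http_scheme="https")
    else:
        u = urlsplit(f["url"])
        fields.update(
            http_host=u.hostname,
            destination_port=u.port or DEFAULT_PORTS.get(u.scheme),
            http_scheme=u.scheme,
            http_request_path=u.path or "/",
        )
        if u.query:
            fields["http_query"] = u.query
    return fields


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_squid_line(line))
```

The point of the CONNECT branch is that a tunnel has no URL path at all; writing host:port into http_request_path both breaks path-based content and hides the destination port, which the dedicated destination_port field now carries for HTTP and HTTPS alike.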
CHANGED
- 1Password: Expanded field extraction, GIM authentication and IAM categorization, and Security Core support. (3408)
- Significantly expanded the 1Password content pack with comprehensive schema field extraction across all three event types (sign_in_attempts, audit_events, item_usages). Added specific GIM authentication categorization for sign-in events by outcome, IAM categorization for six audit_events identity lifecycle actions, source_user_* actor fields for all audit_events, and destination_reference for sign-in authentication events. Replaced the broad vendor_subtype GIM lookup with purpose-built categorization rules. Updated the Spotlight pack to support these changes.
- Metricbeat: Enabled GIM code assignment and expanded metric normalization coverage. (3440)
- Enabled processing for 5 additional metric types and expanded field normalization coverage.
- Check Point Firewall: Refined Security Core detection categorization. (3393)
- Refined SmartDefense/IPS detection events from generic detection to specific IDS detection categorization.
- Microsoft IIS: Added Security Core support and HTTPERR log parsing. (3418)
- Added HTTPERR (HTTP.sys error) log parsing, GIM categorization for all log types as 180200 (http communication), and Security Core enforcement fields.
- Mimecast: Added Security Core support with GIM categorization across authentication, IAM, audit, and messaging events. (3417)
- Improved event categorization for Mimecast logs to support Security Core dashboards and alerting. Login, MFA, and access policy events are now categorized as authentication events. User account and group management events are categorized as IAM events. Policy and configuration changes are categorized as audit events. Archive message views and searches are categorized as messaging events. Added normalized event_action and event_outcome fields for all event types.
- AWS VPC (Kinesis): Refined GIM event type code from network connection to flow record. (3435)
- Refined GIM categorization for AWS VPC Flow Logs from generic network connection to specific flow record.
- Symantec Endpoint Protection: Added Security Core support with refined GIM categorization. (3423)
- Added Security Core support for Symantec Endpoint Protection. Refined GIM categorization: AV and SONAR detections are now host_detection, browser/IPS events are ids_detection, firewall packet and traffic events are categorized as network connection, and SEPM policy changes are audit.policy events.
- F5 BIG-IP: Added Security Core support with GIM enforcement fixes and new event parsing. (3433)
- Added Security Core support for F5 BIG-IP with expanded GIM coverage, reference field derivation for network enforcement, mcpd service event categorization, and LTM connection event parsing.
- Anomaly Detection: Define replacement anomaly detection event definitions. (3479)
- This update removes the legacy anomaly detection event definitions and replaces them with definitions designed to work with the native anomaly detection. It also removes the legacy anomaly detection pack and the anomaly detection processing pack, which are no longer needed with native anomaly detection functionality.
- Sophos Firewall: Added Security Core support with refined GIM categorization. (3416)
- Added Security Core support for Sophos Firewall with refined GIM categorization for IPS detection events and HTTP content filtering. Fixed detection events incorrectly defaulting to event_action=allowed.
- Cisco 350: Added Security Core support. (3434)
- Added Security Core support for Cisco Business 350 Series switches with authentication, service, audit, and detection categorization.
- Illuminate: Assign updated stream categories. (3575)
- Bitdefender Telemetry: Added missing event mappings and DocGen documentation. (3412)
- Added missing file_access event categorization, expanded event action mappings, and fixed several processing bugs.
- Zeek: Added Security Core support with GIM code refinements and event normalization. (3424)
- Refined GIM event type code assignments for the Zeek content pack. NTLM authentication events are now categorized as credential validation (100500). SSL, DCE/RPC, NTP, and weird events are now categorized as network.default (129999) instead of uncategorized (000000). Added event_action normalization for conn (via conn_state lookup) and HTTP log types. Added event_outcome normalization for conn and DNS log types. Removed trailing spaces from rename field destinations across multiple rules. Converted test files to raw codec for boolean field support.
- Illuminate: Update pack titles. (3602)
- Processing and Spotlight packs no longer carry the “Illuminate {VERSION}:” prefix in the pack title. A pack version, consisting of the year, month, and day the pack was updated, is appended to the pack title instead.
- Juniper SRX: Added Security Core support. (3413)
- Added Security Core support for Juniper SRX with authentication, network, and detection categorization. Updated pack title format.
- Caddy Web Server: Added Security Core support. (3414)
- Added Security Core support for Caddy Web Server. Both access logs and error logs are categorized as 180200 (http communication) with network_protocol=http.
- Bitdefender GravityZone: Refined Security Core categorization for new-incident events. (3399)
- EDR new-incident events from Bitdefender GravityZone are now categorized as detection.host_detection (GIM 301000) on both push (CEF) and on-prem syslog transports, replacing the prior detection.default (309999) assignment. Security Core dashboards and content that filter on detection.host_detection now surface GravityZone correlated incidents alongside anti-exploit and advanced-threat-control detections.
REMOVED
- Windows Security: Removed unused ObjectClass/OperationType GIM enrichment lookup. (3616)
Let us know what you’d like to have included in our GitHub issue tracker.