What's New in Graylog 6.0? | WED, MAY 22, 11am ET | Webinar >> ​

Graylog 5.1 – We Did It Again!

We are excited to announce the release of Graylog 5.1! A follow-up to our 5.0 release, Graylog 5.1 brings updates across our entire product line, including changes to infrastructure, Security, Operations, and our Open offerings.


Features & Capabilities

Incident Investigations Workspace

Security analysts need an easy way to collect and organize datasets, reports, and other context while investigating a potential incident or issue. A new option in Graylog Security, titled Investigations,is a dedicated workspace to track the status/progress of any new or existing investigations from start to finish within Graylog. Analysts will be able to 


  • Compile thoughts and notes discovered during an investigation
  • Upload supporting evidence (dashboards, search queries, screenshots, etc.)  
  • Assign investigations to/collaborate with colleagues
  • Track investigation end-to-end status (creation to closure)
  • Save investigation information for future use/investigations, etc.


Sigma Rules – Bulk Notification Assignment

With Graylog Security, analysts can now add or import multiple Sigma Rules at once. So, for example, if an analyst were to import 15 rules from the Sigma repository, and wanted to configure them all to send an e-mail notification when an event fires, this can be done directly from the import screen (as opposed to manually editing all 15 notification definitions). In addition, a new “Bulk Action” capability is available when selecting multiple Sigma rules from the list that will allow analysts to assign a notification to one or more existing Sigma rules.

Automated Download and installation of Illuminate Content

Illuminate is a Graylog-provided collection of content comprising pipelines, parsing rules, lookup tables, and more. This content enables various event logs to be processed using a standard methodology, leveraging the Graylog schema and Graylog Information Model (GIM) to make searching and analyzing common log sources more efficient. The original goal for Illuminate was to help customers get value and insights from their log data without requiring each customer to build their own analytics content. 

When a new Illuminate bundle is released today, our self-managed customers need to get the latest ZIP file from their CSM to apply to their cluster.  With the 5.1 release, customers will be able to download the ZIP directly from the product instead!

At a high-level, the system will run a license check, and provided it is valid, will provide a link to download the new Illuminate version.  Graylog will then prompt the user with system notifications to alert them that new Illuminate content is available.

Create and Customize Anomaly Detectors

Graylog Security provides numerous out-of-the-box anomaly detectors through the Illuminate content pack that can be run simultaneously so security analysts can easily analyze data from different sources for unusual behavior. In addition to the out-of-the-box anomaly detectors, security analysts can now optimize detection capabilities by customizing anomaly detectors in OpenSearch that can be shared with the Graylog Community.

Want to learn more about what’s new in Graylog 5.1?

Graylog 5.1 is bursting at the seams with capabilities and enhancements designed to help strengthen security and performance for your organization while making your life easier. Check out our “What’s New Video” to experience Graylog 5.1 for yourself. 

Download Links



Please report bugs and any other issues in our GitHub issue tracker. Thank you!

Get the Monthly Tech Blog Roundup

Subscribe to the latest in log management, security, and all things Graylog blog delivered to your inbox once a month.