The Graylog blog


We are excited to announce a new release candidate for Graylog v4.3. Now that we’re in this phase of the release, we encourage you to participate. Download the binary. If you need to report issues or offer feedback, please post on Github Issues or our Community Discourse.

Note to Grayloggers: This post was updated with links to a new version of Graylog’s release candidate (version 4.3)









  • This is our third release candidate. Do not install it in your production environment.
  • We caution you not to install or upgrade Elasticsearch to 7.11 and later! It is not supported. If you do so, it will break your instance!
  • We now support OpenSearch v1.1 and later.


Pre-flight checks for Elasticsearch/OpenSearch and MongoDB versions

When Graylog starts up, it now performs connectivity and version checks for MongoDB and Elasticsearch/OpenSearch. This prevents problems when users upgrade to a new Graylog release without upgrading the required services, but also on fresh installations.

By default, Graylog will wait indefinitely until it can reach MongoDB and Elasticsearch/OpenSearch. Once the connections are established, it will assert the versions for compatibility. If those fail, Graylog aborts the startup without running any further actions, e.g. migrations, periodicals, etc.

This change introduces two configuration flags:

  • skip_preflight_checks which is false by default
  • mongodb_version_probe_attempts which is 0 (indefinitely) by default.

The preflight check will also assert that the message_journal_dir is writable and has enough space to contain message_journal_max_size for the on-disk journal. It will also apply a check to prevent the journal from using a network filesystem.

Processing pipeline improvements

We added several enhancements to Graylog’s processing pipelines:

JSON Arrays in processing pipelines

Configurable time zones for event notifications

So far Graylog has used the UTC timezone for timestamps used in email event notifications, which caused confusion for some users. We now allow you to choose a custom timezone when configuring email notifications.

Manually stopped inputs will no longer restart automatically

Prior to 4.3, a server restart will automatically restart all inputs, even those that had been manually stopped. This is undesirable for several reasons.

We now persist the desired state of an input in the DB, and avoid restarting inputs where desired state is STOPPED.

Users can choose the legacy behavior by setting a flag in the graylog.conf: auto_restart_inputs = true.

Early warnings for license violations (Enterprise)

A Graylog enterprise license is allowed to be exceeded a few times before it gets disabled. But it is better to know immediately when a violation happens.

We now provide early license violation warnings by showing a clear notification in the UI. In addition, you can choose to receive license violation warnings via email.

Last but not least, the traffic graph in System / Overview now shows the license limit as a line, to easily compare it with the amount of data being used.


Search query validation

In the Graylog UI, you can now validate the search query before a user submits the search. Before this change they would only get feedback after submitting the search. Now, warnings and errors appear in real time as you enter characters in the search bar. In addition, a box appears with a note identifying the respective warning or error.

Search Query Validation

Search query field name suggestions

The search query auto-completion offers suggestions in different scenarios. For example, if you write a field name in the search bar like http_method related suggestions appear, e.g. GET, POST, etc.

Search Query Field Name Suggestions

Multi-line search query

Search queries strings can be lengthy. Now it’s possible to define multi-line search queries. The update search bar breaks into a second line when reaching a maximum character limit on the first. Also, you can use a keyboard combination of SHIFT and ENTER to enable line breaks.

Multi-line search query

Search API Versioning

Making breaking changes to our Search API is not easy. It requires all clients to be updated in order to use the latest version. To improve this we implemented a versioning for our search API. A different version can be used by changing the `Accept/Content-Type` header of a request. Currently we have not released a new version and there is no need for users to change their API scripts.

Reporting Improvements (Enterprise)

  • Changes to `report_render_engine_port` setting – Prior to this 4.3 this report value was set to 9515, by default. Starting with 4.3, the engine will bind to any random free port. If you prefer port 9515, you’re required to set it explicitly.
  • Time zone option – Before this update, timestamps in reports were displayed based on the time zone of the system reporting user. Now it is possible to define a time zone for a report.
  • Edit links for entities in reports – A link is now available for each dashboard, page, and widget which redirects you to the related edit page.

  • Hourly interval – You can now schedule Graylog to send reports every hour.


Geolocation Processor Updates

The Geolocation processor is now faster with a couple updates.  First, you now have the ability to set the processor to use both MaxMind and IPInfo databases for greater flexibility to your environment.  Second, you can enable it for only fields in our Graylog Schema and Graylog Illuminate. This maintains enriched geolocation data usability across all content created by Graylog in the future. The speed improvements are found by only looking at the known IP fields, and not every field in a log message.

Geolocation processor updates

User Lookup Table Overrides (Enterprise)

Through Illuminate, Graylog distributes content and in some cases assigns values to items.  For example, an item like a risk score can be attributed to a user identified as “administrator”. When you made edits to these key-values prior to 4.3 you had to modify the distributed file. Furthermore, the changes were overwritten on the next install of Illuminate. With the lookup table overrides in 4.3, you can now make the changes you want via the Web UI, and it does not affect the distributed content. The lookup tables first check the user-defined data, then falls back if not found in distributed lookup values. Now you can change the risk score, or add new values in the tables without having to update it for a new release.


Detailed changelogs will be made available closer to the final release.

Let us know what you’d like to have included in our GitHub issue tracker.

Get the Monthly Tech Blog Roundup

Subscribe to the latest in log management, security, and all things Graylog Blog delivered to your inbox once a month.