What’s New in Illuminate V2.0

First, we’ve added a new menu under Enterprise called Illuminate, and we’ve now got a much easier way to deploy Illuminate packages through a drag and drop installation interface. Index sets for Illuminate packages that require new indexes are now created automatically in the same area, so you no longer have to create your indexes manually. We’re also introducing a new Graylog schema, which includes something called the GIM, the Graylog Information Model, and what that will do is categorize your logs by type of log, not by source type but by message type, so the type of message coming in. We’ll go through that here in a moment. And finally, we have included some favorite vendor products in a new listing in our content packs. So you’ve got some of your new favorite products in Graylog, and we’ll go through those momentarily.

The Graylog Enterprise Illuminate menu will bring a new page to the user interface that will allow you to drag and drop. The Illuminate bundle provided by Graylog can be easily dropped into your cluster. This new feature will make it much faster and easier: when you deploy the files, you don’t need to copy them to the servers manually; you can just use this GUI and drag and drop, which will push the files out to the nodes in your cluster. Once the zip bundle is dropped into the user interface, it’ll expand the available content packs, and it’s here where you can select which Illuminate packs are relevant to you, or you can install them all if you wish.

The automatic creation of the index sets takes the manual configuration away from this activity. It also helps you ensure that there are no potential configuration issues in the future with your streams and your indexes. The additions to the Graylog Schema released in this version, called the Graylog Information Model, enable all logs from any source or of any type to be categorized. Categorizing the logs will enable feature-rich searches and dashboards based on the many different types of events in your logs: information indicating authentication events, identity and access management specific information, endpoint specific logs, network events, as well as name resolution, enhancing your visibility into that information, and finally alerts to notify you of your specific needs for immediate response.

And Graylog Illuminate is here to highlight the pulse of your entire ecosystem, giving you oversight of everything happening in your applications, network, and security. So as you’ll see here on our screen, we have many things, and this is a great way to start bringing value into Graylog. And finally, many new content packs have been announced, including some of those you see on the screen now. Let’s go through some basic upgrading notes prior to doing the upgrade. You must have already upgraded to Illuminate 1.7. So if you are on a release of Graylog that supports up to 1.7, you must ensure that you are on version 1.7 of Illuminate. At that point, you can upgrade to Graylog release 4.2. Once you’ve upgraded to release 4.2, your current version of Illuminate 1.7 will function on 4.2. The key is that you do have to have an Enterprise license, so you still need an Enterprise license for this functionality.

To walk through some of the version two upgrade steps, it is important to follow this order. Record a list of all of the Illuminate 1.7 content you have, as you will need to uninstall it later. You’ll need to verify and/or change the message processor order in the configuration, which I’ll show you in a moment. You’ll need to extract the Graylog Illuminate release archive file to your management PC, and you’ll see some file structures in there. Next, you’ll need to upload the Illuminate bundle zip file with the new Enterprise Illuminate, activate the bundle packs required for your organization, and activate the technology packs as required. Once these have been completed, the message processing order previously mentioned will be processing your logs right away, and there’ll be no interruption in your service. Next, you can go to the extracted folder, make a note of your previous Illuminate version 1.7 content under your System > Content Packs menu, and start installing your version two content packs. Lastly, you can uninstall your version one content packs and review your notes now that you have done that.

Now, let’s bring up our Illuminate, and what we’re going to do first is look at System and Configurations. And we’re going to talk about the message processing order you see right here. The key with installing Illuminate version 2.0 is that the Illuminate processor needs to be bumped ahead of the GeoIP resolver and the pipeline processor. So prior to installing version two of Illuminate, you have to ensure that you update it by clicking Update, and then in the window above, you can grab what you need and move it where it needs to be. This has to be done right at the very beginning, before you upgrade.
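To check and repair that ordering outside the UI, here is an added Python example, not Graylog’s or Illuminate’s own code. It assumes the config shape Graylog returns from GET /api/system/messageprocessors/config (a processor_order list of name/class_name entries) and a PUT body of class names for the same path; the class names in the sample are placeholders, and processors are matched by the display names shown in the UI.

```python
# Constructed sample in the order a pre-2.0 cluster might show; class names are placeholders.
SAMPLE_CONFIG = {
    "processor_order": [
        {"name": "Message Filter Chain", "class_name": "placeholder.MessageFilterChain"},
        {"name": "GeoIP Resolver", "class_name": "placeholder.GeoIpResolver"},
        {"name": "Pipeline Processor", "class_name": "placeholder.PipelineProcessor"},
        {"name": "Illuminate Processor", "class_name": "placeholder.IlluminateProcessor"},
    ],
    "disabled_processors": [],
}

# Rule from the upgrade notes: the Illuminate processor must run before GeoIP and the pipelines.
MUST_PRECEDE = {"illuminate": ("geoip", "pipeline")}


def _index_of(order: list, keyword: str) -> int:
    """Position of the first processor whose display name contains keyword, or -1."""
    for i, proc in enumerate(order):
        if keyword in proc["name"].lower():
            return i
    return -1


def order_violations(config: dict) -> list:
    """Describe every ordering rule the given processor order breaks (empty list means OK)."""
    order = config["processor_order"]
    problems = []
    for first, laters in MUST_PRECEDE.items():
        i = _index_of(order, first)
        if i < 0:
            problems.append(f"no processor matching '{first}' is present")
            continue
        for j in (_index_of(order, k) for k in laters):
            if 0 <= j < i:
                problems.append(f"{order[i]['name']} must run before {order[j]['name']}")
    return problems


def reorder(config: dict) -> dict:
    """Return a copy with each rule's processor moved directly ahead of the earliest one it must precede."""
    order = list(config["processor_order"])
    for first, laters in MUST_PRECEDE.items():
        i = _index_of(order, first)
        targets = [t for t in (_index_of(order, k) for k in laters) if t >= 0]
        if i < 0 or not targets or i < min(targets):
            continue  # missing, nothing to precede, or already in the right place
        order.insert(min(targets), order.pop(i))  # pop is at a higher index, so targets are unaffected
    return {**config, "processor_order": order}


def put_payload(config: dict) -> dict:
    """Body for the assumed PUT /api/system/messageprocessors/config call (class names only)."""
    return {"processor_order": [p["class_name"] for p in config["processor_order"]],
            "disabled_processors": list(config.get("disabled_processors", []))}
```

Run order_violations against the GET response before and after the upgrade; an empty list confirms the Illuminate processor sits ahead of both the GeoIP resolver and the pipeline processor.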

Once you’ve done this and want to upgrade, we’ll look here quickly under Enterprise and Illuminate, and I have actually already uploaded the actual content packs. And I will show you really quickly here under our version two Illuminate. You will have a folder that gets extracted that looks like this. You’ll have the release notes, the Illuminate bundle zip pack, and the spotlights. So what you see on the screen here is the result of this bundle pack being installed. And to install it, you go to the top here under Install a Bundle. And in this area, you’ll drag the actual Illuminate bundle right into this screen, and it will then extract it and get you to the installation screen as shown. It will not install the packs automatically; you will have to select all or select which ones you want to install and click Enable Selected.

Once this happens, if there’s new content here that you don’t have, new indexes and streams will be created for these individual items. You don’t have to go in there and do that yourself. So now that you’ve got your new content pack installed, you will need to go to the System menu under Content Packs. And here is where you will then go into the folder we talked about under spotlights, and these spotlights will need to be installed. So the spotlight packs that I have with this version two are the Illuminate Core, the Illuminate Events, for which we have a bunch of new events set up so you can take advantage of alerts, and on top of that Linux Auditbeat, O365, Okta, Palo Alto, Sysmon, and Windows spotlights.

So once that’s installed, if you look up Graylog, you’ll see the version two spotlights in here. Your prior releases will have the 1.7. Once these have been installed, you’ll need to verify which pack is installed. So, for example, I’ll go to this event definition here. And currently, I have version four installed, which is the latest revision that’s just come out. You can view the details of it. And as you’ll see here, these are the event definitions that have been included in this particular pack. So what you can do is you can now go to these other versions, and you can actually uninstall them or delete them. If they are installed below in this bottom section, you would then click on them and uninstall them. So as long as the installations are uninstalled here on the bottom screen, it’ll be fine. They can be left in the versions at the top. However, your versioning will go up each time you get a new edition here and install it. So this will give you the alerts.

Now, going back to all the others, any of the other content packs that show up with version 1.7, you can do the same thing. You can go into each one of these, and you can uninstall them. And from here in the main menu, you can actually delete the versions when you’re done. So after you’ve installed the individual pack, you can go and delete the old one here as well. So now that you’ve got your version two Illuminate installed, you have your 1.7 uninstalled. Now you can look at your processing order, and you can reorder your processing order. How you’re processing your logs may determine what you’ll need to do, whether you’ll stay this way or whether you’ll want to go back to your other processing order. So, in this case, I am staying right where I am with what I’ve got in my log environment. You might be required to do this in yours, and you can work with support on ensuring that you’ve got yours set to your optimal settings. And that finishes off our demo for today for the new version of Illuminate. As always, happy logging with Graylog. Have a great day.