The Graylog Blog

Announcing Graylog v2.3.0-alpha.2

Today we are releasing Graylog v2.3.0-alpha.2. This is the first public alpha release on our journey to Graylog v2.3!

For Graylog v2.3, we are focusing on two main features: support for Elasticsearch 5 and Lookup Tables. If you are interested in trying the first version with these new features, please download this alpha release. We love your feedback so please report bugs or any other issues in our GitHub issue tracker.

Please note, as this is an alpha release, there might be bumps along the way and additional changes before the final release.

Download links

Download Graylog v2.3.0-alpha.2:

Elasticsearch 5 Support

Starting with this release, Graylog is switching from the Elasticsearch node client (using the version-specific binary protocol) to a lightweight HTTP client. This enables Graylog to use all major versions of Elasticsearch which are currently available, including 5.x.

If you want to know more about the differences and implications of the different ways to access an Elasticsearch cluster, you can read more about it in Elasticsearch’s documentation.

For detailed advice on how to configure the Elasticsearch part of a new Graylog installation or migrate from an existing configuration, you can view our upgrade notes.

If you would like to read up on the technical details, you can inspect the relevant changes.

Lookup Tables

Enriching messages with data from external sources, such as CSV files, Geo IP data, or results from remote HTTP sources is a common pattern in today's log management. Graylog now supports a core framework for lookup tables, making it easy to work with external data sources.

Lookup Tables are fully pluggable and always consist of a combination of a data adapter, which is providing the data and a cache. Out of the box Graylog ships with three data adapters:

  • a local CSV file adapter for static mappings
  • a HTTP JSON + JSONPath adapter to retrieve results from HTTP APIs
  • a GeoIP2/GeoLite2 adapter for MaxMind databases

There are various ways to interact with lookup tables in Graylog, allowing to build powerful workflows. After a lookup table is created, it is accessible from:

  • Extractors
  • Converters
  • Processing pipeline rules (both for ingestion and decorator usage)

Data adapters in Graylog can return both single values as well as complex data structures. For example, the GeoIP data adapter returns the latitude/longitude pair as its simple value, but the entire GeoIP database entry for the multi value case. This offers you the flexibility in pipeline rules to enrich as much or as little data as required.

Test lookup

Extractor using lookup table

The same is true for the other data sources like HTTP. This means you could decorate search results with data from your customer database, including information such as contact addresses, SLA levels, or host names.

Creating data adapter

Since you can choose the caching strategy for each lookup table individually, you can tailor them to the specific requirements, such as heavy caching for incoming messages to maintain a high performance ingestion or very short caching on search result decoration.

Creating cache

Changes

Below are the changes we made in v2.3.0-alpha.2 since Graylog v2.2:

Core

  • Allow version '0' for structured syslog messages. #3503
  • Ignore Content-Type in HttpTransport. #3508 #3477
  • Ensure that index_prefix is lower case. #3509 #3476
  • Make map in MessageInput#asMap() mutable. #3521 #3515
  • Fix pagination for alert conditions. #3529 #3528
  • Wait until alert notification types are loaded. #3537 #3534
  • Upgrade development environment to Webpack v2. #3460
  • Add an option to repeat alert notifications again. #3536 #3511
  • Fix accidentally changed exports of UsersStore #3560 #3556
  • Properly escape username/roles in web interface. #3570 #3569
  • Improved dashboard grid system. #3575
  • Add support for sorting by count to Search#terms(). #3540 (@billmurrin)
  • Fix for copy query button. #3548 (@billmurrin)
  • Fix issue with cloning streams. #3615 #3608
  • Prevent session extension when polling system messages. #3632 #3628
  • Prevent session extension when polling system jobs. #3625 #3587
  • Prevent NPE due to race between rotation and retention threads. #3637 #3494
  • Fix problem with message decorators and field selection. #3585 #3584
  • Fix issue with loading indicator on an empty search result page. #3652 #3650
  • Fix navigation in LDAP users UI. #3651 #3485
  • Ensure that plugin RPMs will be built for Linux. #3658 #3657
  • Fix reloading problem with content packs and GROK patterns. #3621 #3610
  • Add support for Cisco and FortiGate Syslog messages. #3599
  • Fix permission problem for inputs API. #3681
  • Restore removal of role permissions upon roles update. #3683
  • Comply with grace condition when repeat alert notifications is enabled. #3676 #3579
  • Invalidate dashboards data after logout. #3700 #3693
  • Fix OptionalStringValidator and validations for extractors. #3633 #3630
  • Better time range for "Show Received Messages" button on inputs page. #3725
  • Remove deprecated rotation/retention configuration resources. #3724
  • Introduce lookup tables feature. #3748
  • Creating dashboard from search page does now select the right ID #3786 #3785
  • Fix importing of dashboards from content packs #3766 #3765

Collector Plugin

  • Prevent unwanted session extension. (Graylog2/graylog-plugin-collector#49)

Map Widget Plugin

  • Update to a new GeoIP2 release.
  • Add lookup tables data adapter for the GeoIP2 database. #40

Pipeline Processor Plugin

  • Use uppercase timezone in TimezoneAwareFunction and fix default value. #169 #168
  • Add lookup and lookup_value pipeline functions for lookup table support. #177

Community Contributions

  • @billmurrin contributed two pull requests to improve search. (#3540, #3548)
comments powered by Disqus