Graylog Illuminate for Authentication

Shine a light on who is accessing what, where, and when

Functioning and secure authentication is critical to every business and this is why monitoring  authentication activities is an ongoing task for organizations of every size. Automating this task requires complex foundational logic that includes data normalization, parsing rules, data enrichment, correlation alerts, dashboards, and alerts, etc. 

Every IT team wants the task of monitoring authentication automated and most IT teams don't have the time to build it. And that is why we built it for you.

Authentication is the first module in the Illuminate application. It creates a foundation to normalize all authentication data, regardless of source. As a result, you get consistency in reporting, alerting, and analysis plus the power to easily correlate authentication data across different types of data sources.

Authentication Log Data Monitoring and Analysis Made Easy

Built by Graylog’s Enterprise Intelligence team, Graylog Illuminate for Authentication benefits everyone on the IT team, and by extension the entire company. It eliminates the manual set up necessary to detect, monitor, and analyze authentication issues across your IT infrastructure.

Initially, Illuminate for Authentication will spotlight Windows authentication issues and activities. Since Windows authentication data is by far the most common and the most voluminous source of authentication log messages throughout the world, starting there is how Graylog delivers the most value to our Enterprise customer base.

How It Works

Graylog Illuminate for Authentication comes with Windows focused data normalization, parsing rules, data enrichment, correlation alerts, dashboards, and alerts. Once deployed, Graylog Enterprise customers will save hundreds of hours, be able to leverage our in-house expertise and gain visibility into who is trying to log into what throughout your IT environment.

Enterprise Auth Dashboard

Graylog Illuminate relies on log delivery agents such as Winlogbeat or NXLog, which can be deployed and managed with Graylog Sidecar. Sidecar connects these agents to Graylog in a centralized and stackable configuration. Illuminate then parses and normalizes that data so that fields can be processed in the same way, regardless of what the original data source calls them, and numeric fields or date fields are handled appropriately.

From there data enrichment such as geolocation or tagging an IP address as internal or external is applied. With data fields aligned, properly classified, and useful information added to the log messages all authentication data can then be analyzed consistently. This enables you to see all your authentication data in one chart, run traces of user activity across different types of endpoints and apps, and build “universal” alerts and dashboards.

Windows Auth Dashboard

The Data Is In The Dashboards

The Dashboards are where Graylog’s Illuminate for Authentication shines, giving light to key log events in aggregate on four dashboards, three of which are specifically for Windows Authentication, account investigation drill down, and device investigation drilldown. All the dashboards are designed with widgets so you can drill down into authentication activities that you want to investigate.

User Drilldown Dashboard

For example, the Enterprise Dashboard includes several widgets for monitoring successful and failed authentication counts and trending across your entire IT environment. If there is an increase in failed logins on the Failed Authentication widget from the last time the search was run, you will see it in a color-coded bar. To investigate the anomalous activity, click the that bar in the chart and begin exploring.

Device Drilldown Dashboard


  • Kerberoasting (identifying unsecure authentication requests) has been around for a while but it still happens regularly. Illuminate’s Windows Authentication Dashboard comes with a widget specifically designed for detecting Kerberoasting. It displays the number of weak encryption Kerberos ticket requests so that you can update them to prevent attacks.

  • Increased visibility into authentication activities usually uncovers performance and operational issues that you need to resolve. Expired service account passwords, which cause process failures and service account outages are the most common and these can go undetected for weeks or longer. Graylog Illuminate for Authentication includes Windows Authentication and Enterprise Dashboards with an Error Codes by Count widget for detecting service account password expirations in record time. For example, service accounts experiencing failed logins can cause outages and/or data errors. You want to know right away when this happens, ideally before users are impacted.

  • Password sprays are another common event that occurs on a regular basis. Illuminate for Authentication gives you insight into your environment in order to identify events and respond as appropriate. If you want to monitor these events over time, we give you an alert that triggers when one source is responsible for 15 or more failed password attempts for 3 or more different user accounts in a 10 minute period of time, and from there you can take the necessary investigative steps to prevent a security breach.

Frequently Asked Questions

What are the prerequisites for deploying Graylog Illuminate for Authentication?

Graylog Illuminate for Authentication requires Graylog Enterprise v3.3+. (v3.2 will also work in a limited capacity.), Active Directory, and works with Winlogbeat 6.4 (included with Sidecar), Winlogbeat 7.6, or NXLog 2.1.

How many dashboards are in Illuminate’s Windows Auth Spotlight?

Relying on years of experience in the field and user feedback, Graylog’s Enterprise Intelligence Team created four dashboards that include a number of widgets that target key authentication activities. These widgets also make it possible for you to create detailed reports on a regular and on-off basis for key stakeholders throughout your organization.

Can I customize Graylog schema?

No, the schema is foundational to ensuring that data enrichment, alerts, search templates, dashboards, and reports all work across all data sources so that you can combine, correlate, and analyze authentication data across endpoints, apps, and networking equipment. You are welcome to make a copy and customize it, but future Illuminate updates will not be applied and may not work.

Can I customize the Alerts and Dashboards widgets?

If you want Dashboards and Alerts that are different from what comes with the app, we recommend you create copies and make changes from there to ensure future updates do not overwrite your customizations.

Get Graylog

Contact Sales
Contact sales