Announcing Graylog 3.2
NOTE: Graylog has made many updates to the application since this release. We encourage you to update to the latest version and take advantage of the large number of new features and functionality.
This release unifies views, dashboards, and search for a more flexible and comprehensive approach to threat hunting. The expanded search introduces greater efficiency by making it easier to reuse searches you need to run on a regular basis with saved search and search workflows. Other enhancements such as full screen dashboards, and updates to alerting round out v3.2.
Please read on for detailed descriptions of each feature.
- Deb or RPM packages are available in our repositories. Documentation to follow soon.
- Docker image
- Docker pull
- OVA / Appliance
- Tarball (manual installation)
- Enterprise Plugins
- Enterprise Integrations
Please report bugs and any other issues in our GitHub issue tracker. Thank you!
The threat hunting process just became more efficient with the unification of views, dashboards, and search.
With Graylog’s expanded search you can build and combine multiple searches into one single action and review your delivered results on one screen. Then you can begin the hunt for the information needed to address issues, threats, outages, and customer support calls by drilling into the data on different dashboards, and when necessary, override the parameters and get new results in your dashboard widgets. Using a single or multiple input parameters, initiate common multi-step analyses present the results on dashboard-like widget screen.
Did you see something you want to monitor in those results? Simply click and build a dashboard. Let’s say you want reports on these results delivered to your inbox on a regular basis, quickly build reports from searches and dashboards.
Before you get to building searches, there’s more…
Updated: Saved Searches, Parameterization, and Search Workflows (Enterprise)
Streamline IT Operations, shorten customer service response time, and free up your team to do other things.
Graylog has just made it easier to reuse searches that you need to run on a regular basis by integrating Views and Searches. Enterprise users can take advantage of the new parametrization features that let you enter one or more search criteria for a more comprehensive search. You can combine searches by creating a search workflow, and you can save this workflow so that a broad range of team members can use it on a regular basis. Finally, you can monitor your results with dashboards and you can have your results delivered to your inbox on a regular basis.
For example, you have users calling into IT complaining about slow performance on their computers. IT support may have a playbook that outlines how to troubleshoot performance issues, but because there are so many other problems and issues that arise on a regular basis, having a fast way to identify and resolve standard issues is a real boon. Any team member can fire up that saved Search Workflow, quickly enter the user name or IP address, and immediately get all the data needed to complete their analysis. Performing repetitive tasks is also easier with the new saved search and parameters. It lets you create a search for that task and any other you want to run on a regular basis. When you're ready to run the tasks, simply click, choose from the list of saved searches.
Digging a bit deeper into this new way of using Graylog, every value is a field and this field and has a drop-down menu referring to the entered parameter that you can perform actions on. Let's say the parameter for your field name is “create an aggregation.” You can pick a dashboard or saved search where you want to enter this value. If the field includes a parameter, you can also build workflows. It would go like this: a dashboard shows the flow traffic. You immediately see there’s a problem, you know it’s with a particular system, and now you need to unpack it. How many bytes have been transferred to and from this system. Where is the traffic flowing? What are the top end targets for this system? To find out, you would enter the IP (your parameter) from any saved search or dashboard where see that IP address, and then you can pivot on that dashboard and work your way through the system.
Updated: Alerts (Enterprise)
Two changes to alerts that make a significant and positive impact on your searches.
Alerts now utilize dynamic lists as well as alerting against multiple conditions at once.
The new dynamic lists are a combination of alert parameters and look up tables. (Think searching and correlating across third party databases like active directory or threat intelligence feeds). Automatically update alert criteria based on a dynamically created list in a lookup table.
For example, you maintain a list of former employees in Active Directory or an HR system and want an alert if anyone on the list tries to log in. With this update to alerts, there’s no need to update the alert definition every time someone leaves the organization. This saves time and prevents errors that happen when you have to edit the alert.
Supporting more than one condition for alert events is another way Graylog adds efficiency to your work day.
Let’s say you want to know when a user fails to login more than 10 times within a certain period of time. You can now define an alert condition that checks this. The first condition checks the failed logins, the second one ensures that an alert is only fired if these events happened for a single user.
You can now define an alert condition that checks if a single user failed to login more than 10 times within a certain period of time. Once again, the first condition checks the failed logins and the second one ensures that an alert is only fired if these events happened for a single user.
New: Full-screen Mode Dashboards
Maximize dashboards for Operations Center monitors.
V3.2 gives you full screen mode inside Graylog for viewing dashboards for those times you need all the surrounding elements on your laptops, computers, and/or monitors.
Other Notable Changes
Let us know what you’d like to have included in our GitHub issue tracker.