This is a beta for the upcoming release of Graylog v5.0. Please read on for detailed descriptions of everything that is included.
- Docker image
- DEB and RPM packages are available in our repositories
- Docker Compose
- Tarballs (manual installation)
- Tarball (manual installation)
- OS packages
- Docker image: Docker Hub, `docker pull graylog/graylog-forwarder:5.0-beta.1-1`
Please report bugs and any other issues in our GitHub issue tracker. Thank you!
GRAYLOG OPERATIONS & PLATFORM 5.0 BETA
OpenSearch 2.x support
Graylog 5.0 adds support for OpenSearch 2.x versions. At this time the latest released version is OpenSearch 2.3. We have removed support for Elasticsearch 6.8, which reached its end-of-life date in February 2022. Support for Elasticsearch 7.10 remains in Graylog 5.0, but we recommend users upgrade to OpenSearch.
Previous versions of Graylog required Java 8, which reached its end-of-life date in March 2022. With Graylog 5.0 we are moving to the latest LTS Java release, which is Java 17 at the time of this release. It will receive updates until September 2026. We aim to ship Graylog 5.0 with bundled JREs for the respective platforms to make it easier to deploy with the correct Java version going forward.
The new minimum baseline version is MongoDB 5.0, but Graylog 5.0 will support both MongoDB 5.0 and 6.0, which is the latest release at this time. Our recommended path is to update your existing Graylog 4.3.x deployment to MongoDB 5.0 and then update to Graylog 5.0. Of course, using backup and restore mechanisms also works well if you want to test this Beta release alongside your production deployment.
The Graylog Sidecar is essential for configuring log collectors. Until now, it was not possible to run a collector more than once: only one configuration could be selected per collector in the UI. Mass deployment of Sidecars is now enabled by allowing multiple configurations per collector, and tags have been added for organization. The tags can be used to assign configurations freely without having to worry about assigning the same collector twice.
[Screenshot: the new Collector Configuration with tag support]
For Windows users, we have added support for upgrading Sidecars using the installer. Previously, an upgrade could cause the Sidecar to register itself as a brand-new Sidecar, losing its configuration.
Graylog 5.0 now allows the bulk restoration of archives for situations where extensive investigations or audits require searching across a larger time range. Previously, each archive had to be restored manually, one after the other; Graylog will now sequentially restore the selected archives, making sure the restore traffic does not cause sudden load spikes. Similarly, bulk deletion of old archives is now possible via the UI.
During investigations, parts of the search query often need to be enabled, disabled, or inverted. If the queries are complex, especially when several such recurring parts are involved, this process can become very tedious and often involves keeping a separate document of queries that gets copied and pasted. The new search filters greatly reduce the effort involved by providing the capability to separate these parts out and turn them on and off with a single click. They can even be saved and shared among team members, and in that way consistently reused across ad-hoc searches, saved searches, and dashboards.
[Screenshot: two search filters in use during an investigation]
GRAYLOG SECURITY 5.0 BETA
New to the 5.0 release is an exciting new feature for Graylog Security – the ability to add and import Sigma rules for security alerts! Sigma is an open standard for SIEM detection rules that look for potential security threats within logs. More information can be found on the SigmaHQ repository page. The new Sigma tab in Graylog Security will allow you to create your own rules, or import them directly from the rules database in the Sigma repository.
[Screenshot: Sigma Rule Editor]
[Screenshot: SigmaHQ Import Dialog]
If logs match a Sigma rule, it will generate an Event on the Alerts page. You will also be able to add Event Fields and Notifications as you would for any Event Definition within Graylog. With over 2,000 detection rules in the Sigma repository, and the ability to create your own, this extension to Graylog Security is a great tool for identifying threats to your systems. Each Sigma rule imported into Graylog can also be executed directly as a search, which helps when writing new rules as well as when understanding existing ones.
[Screenshot: searching logs directly from a Sigma rule]
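To illustrate what "logs match a Sigma rule" means in practice, here is an added example (not Graylog's own code and not the SigmaHQ tooling) that applies one Sigma-style detection block to parsed events. It assumes the rule is held as a dict mirroring Sigma's YAML layout, supports only the `contains`, `startswith` and `endswith` value modifiers, and handles only the condition form `selection and not filter`; the rule and the events are constructed for the example.

```python
# Added example, not Graylog's own code: a minimal evaluator for one Sigma-style
# rule, showing how a detection block is applied to parsed events. Assumptions:
# rule as a dict in Sigma's YAML layout, only the contains/startswith/endswith
# modifiers, and only the condition form "selection and not filter".
# Constructed rule: PowerShell launched with an encoded command line.
RULE = {
    "title": "Example: PowerShell encoded command",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-EncodedCommand", "-enc "],
        },
        "filter": {"User|startswith": "NT AUTHORITY\\"},
        "condition": "selection and not filter",
    },
}

def _value_matches(modifier, actual, expected):
    """Apply one Sigma value modifier; comparisons are case-insensitive."""
    actual, expected = actual.lower(), expected.lower()
    if modifier == "contains":
        return expected in actual
    if modifier == "startswith":
        return actual.startswith(expected)
    if modifier == "endswith":
        return actual.endswith(expected)
    return actual == expected  # no modifier: exact match

def _search_id_matches(fields, event):
    """Every field in a search identifier must match; a list of values is an OR."""
    for key, expected in fields.items():
        name, _, modifier = key.partition("|")
        actual = event.get(name)
        values = expected if isinstance(expected, list) else [expected]
        if actual is None or not any(_value_matches(modifier, actual, v) for v in values):
            return False
    return True

def rule_matches(rule, event):
    """Evaluate the supported condition form 'selection and not filter'."""
    det = rule["detection"]
    excluded = "filter" in det and _search_id_matches(det["filter"], event)
    return _search_id_matches(det["selection"], event) and not excluded

# Constructed sample events (not real telemetry): 0 alerts, 1 is filtered out, 2 misses.
EVENTS = [
    {"Image": "C:\\Win\\powershell.exe", "CommandLine": "powershell.exe -EncodedCommand QQBCAEMA", "User": "CORP\\alice"},
    {"Image": "C:\\Win\\powershell.exe", "CommandLine": "powershell.exe -enc QQBCAEMA", "User": "NT AUTHORITY\\SYSTEM"},
    {"Image": "C:\\Win\\notepad.exe", "CommandLine": "notepad.exe", "User": "CORP\\bob"},
]
```

Only the first event would raise an Event on the Alerts page: the second is excluded by the filter on the built-in account, and the third never satisfies the selection.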
Let us know what you’d like to have included in our GitHub issue tracker.