
The Graylog blog

Announcing Graylog Illuminate v3.2

  • New processing content included with Illuminate 3.2:
    • Bind DNS logs (#1098)
    • Ubiquiti Unifi (#1038)
    • Microsoft DHCP (#797)
    • Symantec Endpoint Protection Manager (#578)
    • Apache Web Server (#1081)
  • The following Spotlight content packs have been updated since Graylog Illuminate 3.1:
    • Graylog Illuminate 3.2.0: Cisco ASA Spotlight
    • The “DNS Transaction” GIM subcategory has been replaced with a multi-subcategory mapping of both “DNS Request” and “DNS Answer” (#361)
    • This release includes an updated message summary template content pack “Message Summaries” (#1054)

Download Links

Please report bugs and any other issues in our GitHub issue tracker. Thank you!

GRAYLOG ILLUMINATE 3.1

Released: 2023-03-02

Fixes

  • Illuminate Core:
    • Fixed severity mapping issue (#1078)
    • Make lookup file names unique (#1090)
    • Field alert_severity not statically mapped to data type (#1153)
  • Office 365:
    • Lookup file formatting error (#1091)
  • Okta:
    • Lookup file formatting error (#1092)
  • Fortigate:
    • Fixed severity mapping for level ‘notice’ (#1104)
  • Watchguard:
    • Not all DHCP events are being parsed (#1148)
  • Cisco ASA:
    • Fixed issue with Denied Connections widget search (#1186)


Enhancements

  • GIM:
    • Added network.open and network.close subcategories (#635)
  • Illuminate Core:
    • Added MAC address (source_mac/host_mac/destination_mac) as candidate for reference field (source_reference/host_reference/destination_reference) (#1105)
    • Fixed selection order for destination_reference candidate fields (#1170)
    • Enforced IP field format for schema IP fields source_ip, host_ip, destination_ip (#1132)
    • Added “input routing” lookup to help with proper message identification & selection (#1149)
    • Improved IP processing rule criteria efficiency (#1155)
  • Cisco ASA:
    • Added a mapping from the numeric vendor_event_severity level to its corresponding text severity value
    • Added support for events: 338001, 338002, 338003, 338004, 338005, 338006, 338007, 338008, 338101, 338102, 338103, 338104, 338201, 338202, 338203, 338204 (#973)
    • Added support for events: 302014, 302016, 302018, 302022, 302023, 302024, 302025, 302026, 302027, 302036, 302303, 302304, 302306 (#1161)
    • Updated categorization for events: 302013, 302015 (#1161)
  • Cisco Meraki:
    • Parse URLs in Meraki events (#469)
  • Sonicwall:
    • Categorized network open/close events (#1162)


Known Issues

  • Auditbeat cannot process events with multiple values assigned to `vendor_event_action` (#622)


Let us know what you’d like to have included in our GitHub issue tracker.