New Functionality
-
New pipeline rule functions for manipulating maps:
map_setandmap_remove.
Breaking Changes
-
If you use the DataNode, the system clocks of the nodes have to be synchronized with an external source for JWT usage (within a margin of a couple of seconds).
Migrating from Legacy Index Templates to Composable Index Templates
Starting with Graylog 5.2, we are migrating from using legacy index templates to [composable index template] (https://www.elastic.co/guide/en/elasticsearch/reference/7.17/index-templates.html). While this gives us more flexibility and predictability for field types in index mappings, this also requires that existing custom legacy index templates need to be migrated to composable index templates manually as well.
Removed Support for Legacy "Collector Sidecars"
Graylog 3.0 introduced "Graylog Sidecars" as a replacement for the old Collector Sidecars (version 0.1.x).
With Graylog 5.2, support for the legacy Collector Sidecars is finally removed.
Please refer to the migration guide Upgrading from the Collector Sidecar if you are still using the old Sidecars before upgrading Graylog to 5.2.
Deprecation and Change in Functionality of GreyNoise Data Adapters
-
GreyNoise Community IP Lookup Data Adapters have been marked as deprecated. Existing Data Adapters can no longer be started or lookups performed.
-
GreyNoise Full IP Lookup [Enterprise] Data Adapter can no longer be used with a free GreyNoise Community API tokens.
-
GreyNoise Quick IP Lookup Data Adapter can no longer be used with a free GreyNoise Community API tokens.
Shutdown of Graylog on OutOfMemoryError
Because of an error in HttpCore 4.4.12, which is required by Elasticsearch and older versions of Opensearch, OutOfMemoryError errors were not properly handled. The Reactor was stopped, which prevented proper Graylog operation and the reason (OutOfMemoryError) was not clearly visible. From now on, Graylog will shutdown on OutOfMemoryError, trying to log some basic information about the thread and memory consumption during this event.
CrowdStrike Input Log Parsing Changes
Several log parsing changes have been made to the CrowdStrike input.
Added Fields
-
event_created: Contains themetadata.eventCreationTimelog value. -
vendor_subtype: Contains themetadata.eventTypelog value. -
vendor_version: Contains themetadata.versionlog value. -
event_source_product: Contains the static valuecrowdstrike_falcon.
Changed Fields
-
message: Now contains the JSON content of the log event value, effectively the message payload.
The message timestamp field is now set to the current Graylog system date/time instead of the previously used log metadata.eventCreationTime value.
Removed Fields
event_endevent_sourceevent_startuser_domainuser_idvendor_event_descriptionFILE_NAMEFILE_PATHOBJECTIVETECHNIQUE
Note that additional CrowdStrike message parsing is expected to be released in a future release of Graylog Illuminate.
Microsoft Defender for Endpoint Input Log Parsing Changes
Several log parsing changes have been made to the Microsoft Defender for Endpoint input.
Added Fields
-
event_source_product: Contains the static valuemicrosoft_defender_endpoint.
Changed Fields
-
message: Now contains the full message payload. -
source: Now contains thedetectionSourcelog value.
Removed Fields
alert_signaturealert_signature_idevent_startevent_endfull_message
Note that additional Microsoft Defender for Endpoint message parsing is expected to be released in a future release of Graylog Illuminate.
REST API Endpoint Changes
The following REST API changes have been made.
| Endpoint | Description |
|---|---|
GET /contentstream/settings/{username}
|
Retrieve Content Stream settings for specified user. |
PUT /contentstream/enable/{username}
|
Enable Content Stream for specified user. |
PUT /contentstream/disable/{username}
|
Disable Content Stream for specified user. |
PUT /contentstream/topics/{username}
|
Update per user Content Stream topic list. |
GET /contentstream/tags
|
Retrieve Content Stream tags based on license. |
