Graylog Enterprise Changelog

Please note this changelog is for Graylog Enterprise. For the core Graylog changelog, please see the following article.

Graylog Enterprise 6.1.2

Released: 2024-11-06

Added

  • Added Bitdefender GravityZone input.

Fixed

  • Fixed issue where cloned Sigma rules originally provided by Illuminate could not be modified.

  • Fixed issue with downloading audit log CSV and JSON export.

  • Fixing output class name for Prometheus exporter.

  • Fixing implicit browser sharing during PDF rendering.

  • Fixing up inclusion of report id in audit log entry.

  • Improve performance of Data Warehouse data file deletion when expiring snapshots.

  • Fix incorrect asset factor when calculating event and asset risk scores.

Graylog Enterprise 6.1.1

Released: 2024-10-23

Fixed

  • Improve error handling for loading assets for events and investigations.

  • Fix issue where duplicate events/messages are listed after being added to an investigation.

  • Fix erroneous reduction in asset risk score variance factor after assets are edited.

  • Support draw-down licenses in AI Service calls.

  • Fix SSO login link display issue.

Graylog Enterprise 6.1.0

Released: 2024-10-21

Added

  • Added the ability to export saved search filters in content packs. Also adds handling of saved search filter dependencies for all content pack entities that can contain search filters.

  • Adds assign to myself option to investigations.

  • Auto-select the investigation created when adding evidence.

  • Add vulnerabilities modal view to machine assets.

  • Add export widget feature to enterprise.

  • Highlight which investigation evidence in timeline chart is visible as card in carousel below.

  • Display message permalink button for message evidence cards in investigation timeline.

  • Add XLSX file format widget export feature.

  • Added new pipeline functions to add and remove categories from an asset.

  • Added a new drawer to view the assets details and vulnerabilities.

  • Add PDF file format widget export feature.

  • Add option in System/Configurations to enable or disable the AI report feature.

  • Added Microsoft Defender as an Asset vulnerability import source.

  • Added Microsoft 365 as an Asset source.

  • New Asset source connection form for Entra ID.

  • Added configuration setting license_manager_url for new License Manager component.

  • Add support for deleting failed snapshots in warm tier.

  • Update icon for the AI Report.

  • Add new disclaimer to the AI report.

  • Added new Assets widget to Security Welcome page.

  • Added configuration data_tiering_ignore_repositories to optionally hide internal repositories.

  • Added ability to schedule asset imports at user-defined intervals.

  • Added ability to ingest vulnerability scan results from Nessus and update asset database.

  • Added new AWS S3 log message input.

  • Added additional export formats to reports: csv, xlsx, xml, json, yml.

  • Added evidence timeline view for investigation details page.

  • Added TLS and mTLS support to Raw/Plaintext and Syslog TCP outputs.

  • Add Data Warehouse feature.

  • Added ability to synchronize asset sources on a scheduled interval.

  • Added GELF Outbound Payload Formatter to Enterprise Output Framework outputs.

  • Added ability to set and modify asset source syncing schedule.

  • Added risk scoring capability for Assets.

  • Add ability to calculate risk score for Security Anomaly Detection events.

  • Added Asset Source Mapping cards display for security perspective.

  • Added toggle for turning scheduled sync on/off for vulnerability scanners.

  • Add export to events and investigations overview widgets. Add PDF export option for messages widget.

  • Added links to associated investigations in security events.

  • Added new Google Workspace input.

  • Showing owner, creation and update dates of reports in frontend.

  • Render report with owner permissions if an owner exists. Every user can create their own reports.

  • Introducing support for draw-down licenses, in conjunction with a new License Manager component.

  • Adds display of associated assets in security event details.

  • Added support for an Open Illuminate bundle type.

  • Adds display of associated security events in asset details drawer.

  • Added immediate rollover retry for failed data tiering snapshots.

  • Adds display of risk score for user assets.

  • Add link to documentation in license traffic violation notification.

  • Using CDP on low-level to render PDF.

  • Calculate and display normalized risk score instead of raw score.

  • Adds import forms for MS365 machine and user assets.

  • Refreshed report creation/editing UI to streamline user flow.

Changed

  • Indicate in report that referenced widget was removed from dashboard.

  • Added identification and handling of search filter usages for event definitions and sigma rules.

  • Updated machine Asset IP configuration to allow IPv6 addresses.

  • Support draw-down licenses in telemetry license status response.

  • Highlight target card on investigation timeline page when clicking on ‘Show similar’ button.

  • Enabled turning on debug metrics for Illuminate Pipelines.

  • Added optional Illuminate pack search query parameter to return pack dependencies with returned packs.

  • Omit system events in the Security Events list.

  • Display license related graph and metrics on system overview page.

Removed

  • Remove output path variables tooltip.

Fixed

  • Fixing confirmation when cancelling report editing.

  • Restore index with index mappings from archive metadata.

  • Fixes replay search action for edited events in search events widget.

  • Fixes issue where Illuminate Spotlight Packs would silently fail to install.

  • Fixes navigation error when a user with only the Reader role tries to access system/forwarders.

  • Do not require security events permissions for plain events widget.

  • Do not use all time range for investigations widget.

  • Reset investigations widget pagination when executing search.

  • Fixes inability to remove older log and event evidence from investigations.

  • Avoid fetching report history constantly.

  • Display message summary for message titles on investigation timeline page.

  • Fix warm tier rollover for indices with closing date older than 1 month.

  • Consider field types when rendering message fields in investigation timeline evidence cards.

  • Fixing report scheduling to consider the timezone set in the frequency configuration.

  • Removing warm infix keyword when archiving indices.

  • Removed security side nav and updated assets list on security UI perspective.

  • Prefix links in Security product consistently when path prefix is present.

  • Fixed incomplete GCP Log Events input header description.

  • Fixing error in report widget preview for message table widget.

  • Fixed issue where investigations fail to retrieve messages from rotated/archived indices.

  • Prevents widgets in reports overlapping by fixing height of widgets with uncontrolled height.

  • Improve handling of multiple parameters with the same name in report configuration form.

  • AI report new GET endpoint.

  • Fixed issue with Replay Search button on event definitions.

  • Fixed issue where empty values were not properly being handled in event associated_assets field.

  • Preventing charts in reports being cut off.

  • Data Warehouse - Fixed retrieval tooltip overlays retrieval modal.

  • Fix excessively large Event risk score when multiple assets are associated with event.

  • Using incognito mode for report rendering to avoid race conditions.

  • Fix displaying null - null as time range when deleting the entire archive.

  • Fixed Symantec EDR Events input issue causing invalid Content Types options on edit.

  • Eliminates meaningless error log message when creating a Salesforce Input.

  • Fixing up tooltips in public notification creation dialog.

  • Removed extraneous Sigma Events event definition condition type option.

  • Fix issue where Graylog Security specific migration fails to run on Elasticsearch.

  • Using the user’s timezone as the default for the report frequency configuration.

  • Fix dark mode text color for lookup table name in search bar parameter preview.

  • Adding a link to the install documentation, if we show errors instead of a report.

  • Removing error boundary around widgets in reports so that errors in a widget propagate to the logs.

  • Fixing up tooltip styling on reports, forwarder and search filter page.

  • Fixed index collision issues with Investigation Log Evidence.

  • Fixed issue where event risk scores would calculate incorrectly if any associated assets no longer existed.

  • Fixed issue where Illuminate lookup tables caused heavy stress on MongoDB due to customization lookups.

  • Fixed issue where on exported PDF widget stream ids were shown instead of stream names.

  • Fix license validation of license audiences without email and name.

  • Reporting trigger self-removes if the linked report is no longer available. (Probable cause: race condition, trigger is running while report is deleted).

  • Fixed issue where Sigma rules imported from Git would fail to export to content packs.

  • Fixed AI report disclaimer.

  • Fixed issue where Illuminate bundle dropdown would display deleted bundle version after deletion.

  • Fixed issue where updating an Investigation would silently fail validation without a UI error message.

  • Fixed issue where investigations being undefined would throw an error in the ListHeader in Investigations page.

  • Fixed issue where assets and rules being undefined would throw an error in the ListHeader in Assets and SigmaRules page.

  • Fixed issue where clicking on an event from the welcome page would lead to events page showing no events.

  • Fixed styling of displaying a long list of associated assets in security event details.

  • Fixed handling of 404s on fetches for specific entities.

  • Prevent created_at asset field from being updated when asset edits occur.

  • Fix calendar time input controls not aligned.

Graylog Enterprise 6.0.8

Released: 2024-11-06

Fixed

  • Fixed issue where cloned Sigma rules originally provided by Illuminate could not be modified.

  • Improve error handling for loading assets for Investigation Details page.

  • Fixed issue where duplicate events/messages are listed after being added to an Investigation.

  • Fixed issue with downloading audit log CSV and JSON export.

Graylog Enterprise 6.0.7

Released: 2024-10-02

Fixed

  • Fixed incomplete GCP Log Events input header description.

  • Fix excessively large event risk score when multiple assets are associated with event.

  • Fixed issue where updating an Investigation would silently fail validation without a UI error message.

Graylog Enterprise 6.0.6

Released: 2024-09-04

Fixed

  • Prevents widgets in reports overlapping by fixing height of widgets with uncontrolled height.

Graylog Enterprise 6.0.5

Released: 2024-08-07

Fixed

  • Fixing error in report widget preview for message table widget.

  • Fixed index collision issues with investigation log evidence.

  • Fixed issue where event risk scores would calculate incorrectly if any associated assets no longer existed.

  • Fixed issue where Illuminate lookup tables caused heavy stress on MongoDB due to customization lookups.

Graylog Enterprise 6.0.4

Released: 2024-07-03

Added

  • Add ability to calculate risk score for Security Anomaly Detection events.

Changed

  • Updated machine Asset IP configuration to allow IPv6 addresses.

Fixed

  • Eliminates meaningless error log message when creating a Salesforce Input.

  • Fixing up tooltips in public notification creation dialog.

  • Fixing URLs on archiving pages when path prefix is present.

Graylog Enterprise 6.0.3

Released: 2024-06-05

Fixed

  • Fixes issue where Illuminate Spotlight Packs would silently fail to install.

  • Fixing report scheduling to consider the timezone set in the frequency configuration.

  • Fixing URLs in security product when path prefix is present.

  • Fix issue where Graylog Security specific migration fails to run on Elasticsearch.

Graylog Enterprise 6.0.2

Released: 2024-05-22

Fixed

  • Fix warm tier rollover for indices with closing date older than 1 month.

Graylog Enterprise 6.0.1

Released: 2024-05-13

Changed

  • Omit system events in the Security Events list.

Fixed

  • Fixes inability to remove older log and event evidence from investigations.

  • Fixed Symantec EDR Events input issue causing invalid Content Types options on edit.

Graylog Enterprise 6.0.0

Released: 2024-04-17

Added

  • Adds pipeline function fromForwarderInput(<id>, <name>).

  • Added ability to bulk add categories to assets.

  • Introduced warm tier configuration for data tiering functionality, enabling automatic data rollover and providing the option to configure the repository where the data is stored.

  • New Security Welcome page (security dashboard).

  • Added new Symantec SES log message input.

  • Display assets associated with evidence attached to an Investigation.

  • Added new Symantec EDR log message input

  • Fixed content pack installation of reports with scheduling configured.

  • New Security Investigations List view

  • Added associated asset categories to messages processed by the SetAssociatedAssets pipeline function

  • Add additional details for Okta input API errors.

  • Added Illuminate installation status page.

  • Added more detailed asset history tracking.

  • Added Security App metrics and Investigations metrics dashboard

  • Add ability to use enterprise Search Filters on Event Definitions and Sigma rules.

  • Add Risk Scoring for Graylog Security Events.

  • Added security perspective investigations details page.

  • Add multithreading support for Archive creation.

  • New UI for Events in Security

  • Add ability to export Sigma rules to content packs

  • Added investigations search type, allowing to include current investigations in searches

  • Adding investigations widget, which displays current investigations

  • Aggregation based risk calculation for events

  • New page for all security dashboards

  • Added ability to specify Remediation Steps for Anomaly Detectors, Event Definitions, and Sigma rules.

  • Added ability to collect Graylog Security metrics, and added dashboard for Investigations metrics.

  • Investigations - Add Modals to add evidence.

  • New UI/UX in security perspective for Event Definitions

  • New Event Notifications list view on Security UI.

Changed

  • Added warning message when enabling many Sigma rules in bulk.

  • Sort Anomaly Detectors list alphabetically

  • Adds a ‘Sigma:’ prefix to the title of Event Definitions created for Sigma rules.

  • Changed Anomaly Detector initialization to run sequentially instead of in parallel.

  • OIDC custom claims can also be passed in the ID token (not just via the userinfo endpoint).

  • Enable failure processing features by default on new installations.

  • Changed Active Directory User Asset import mapping configurations to only allow ‘objectSid’ as the Unique ID mapping value.

  • Make license warning and info text generic

  • Adjusted field parsing for F5 BIG-IP Log Events input in preparation for Illuminate content.

  • Removed redundant use of the Asset word on navigation tabs

  • Updated Perspective Switcher style to not include the logo and a shorter title.

  • Updates Illuminate Event Definitions to allow adding Notifications and Notification settings.

  • An optional query parameter is added to licenses/status/for-subject to avoid race conditions.

  • Update spacing on hub bundle list of illuminate bundles

  • Improved Office 365 Input error handling.

  • Adjusted field parsing for AWS Security Lake input in preparation for Illuminate content.

  • Adjusted field parsing for Office 365 input in preparation for Illuminate content.

  • Adjusted field parsing for Okta Log Events input in preparation for Illuminate content.

  • Enable condition form in event definitions for Illuminate events

Removed

  • Remove service and vendor_event_description fields from the F5 input.

Fixed

  • Fix columns selector capitalization

  • Eliminate archiving error notification when the affected index has been deleted.

  • Fix F5 BIG-IP Log Events input verify connection issue

  • Fixed filtering by dates for Sigma Rules and Investigations to account for user’s timezone.

  • Fixed issue where assets were assigned new IDs on reimport from a source.

  • Only show the release notes for the selected Illuminate Bundle

  • Improve error message when importing assets fails in asset sources.

  • Fixed issue where entities shipped in Illuminate Spotlight Packs would be unnecessarily disabled when enabling a new bundle.

  • Make sure to update license status immediately after adding or removing security license.

  • Fixed issue: traffic violation email should display last day output traffic (not input traffic).

  • Fix an edge case, where an index gets deleted, despite not having been completely archived.

  • Don’t show toast notifications when page loads or state changes to ‘Running’

  • Fixed validation gap in Office 365 Inputs that allows for polling intervals less than 1 minute.

  • Handle missing widgets gracefully when returning report widget values.

  • Added mitigation fix to F5 BIG-IP Log Events Input to avoid intermittent 401 Unauthorized errors.

  • Fixing report rendering bug where it times out if it takes longer than 30 seconds.

  • Eliminate exception when deleting a public notification in enterprise customizations.

  • Add reader permissions for forwarder inputs to READER role

  • Fixes replay search action for edited events in search events widget.

  • Do not require security events permissions for plain events widget.

  • Do not use all time range for investigations widget.

  • Reset investigations widget pagination when executing search.

  • Fix inability to sort by the User IDs User Assets column.

  • Fix F5 BIG-IP Log Events input expired token error.

  • Fix AWS Security Lake Log Events input verify connection issue

  • Fixed issue where Investigation Event and Message indices could not be customized

  • Fail gRPC health check for Forwarders if Graylog server LB status is “throttled”.

  • Fixed incorrect documentation link on Anomaly Detection pages.

  • Fix investigation widget to include user timezone and new details view URL

  • Improve CrowdStrike input error handling for server-side errors.

  • Fixed error when attempting to save edits for Illuminate Streams.

  • Enhance Investigations permissions checks.

  • Fix instant archiving UI broken because of menu component.

  • Fix sorting issue with indices created by Illuminate versions before 3.0.

  • Fix inability to assign an input profile to a Forwarder.

  • Fix forwarder creation in UI not showing the config snippet.

Graylog Enterprise 5.2.11

Released: 2024-09-04

Fixed

  • Prevents widgets in reports overlapping by fixing height of widgets with uncontrolled height.

Graylog Enterprise 5.2.10

Released: 2024-08-07

Fixed

  • Fixed index collision issues with investigation log evidence.

  • Fixed issue where Illuminate lookup tables caused heavy stress on MongoDB due to customization lookups.

Graylog Enterprise 5.2.9

Released: 2024-07-03

Changed

  • Updated machine Asset IP configuration to allow IPv6 addresses.

Graylog Enterprise 5.2.8

Released: 2024-06-05

Fixed

  • Fixes issue where Illuminate Spotlight Packs would silently fail to install.

  • Fixing report scheduling to consider the timezone set in the frequency configuration.

Graylog Enterprise 5.2.7

Released: 2024-04-30

No changes in Graylog Enterprise for 5.2.7.

Graylog Enterprise 5.2.6

Released: 2024-04-03

Fixed

  • Add reader permissions for forwarder inputs to READER role.

Graylog Enterprise 5.2.5

Released: 2024-03-06

Added

  • Fixed content pack installation of reports with scheduling configured.

Fixed

  • Improve CrowdStrike input error handling for server-side errors.

  • Fixed error when attempting to save edits for Illuminate streams.

  • Enhance Investigations permissions checks.

  • Fix archiver startup.

Graylog Enterprise 5.2.4

Released: 2024-02-07

Fixed

  • Added mitigation fix to F5 BIG-IP Log Events Input to avoid intermittent 401 Unauthorized errors.

  • Fixing report rendering bug where it times out if it takes longer than 30 seconds.

Graylog Enterprise 5.2.3

Released: 2024-01-03

Changed

  • Adjusted field parsing for F5 BIG-IP Log Events input in preparation for Illuminate content.

  • Improved Office 365 input error handling.

  • Adjusted field parsing for Office 365 input in preparation for Illuminate content.

  • Adjusted field parsing for Okta Log Events input in preparation for Illuminate content.

Fixed

  • Eliminate archiving error notification when the affected index has been deleted.

Graylog Enterprise 5.2.2

Released: 2023-12-06

Changed

  • Changed Active Directory User Asset import mapping configurations to only allow objectSid as the Unique ID mapping value.

Fixed

  • Improve error message when importing assets fails in asset sources.

  • Fixed issue: traffic violation email should display last day output traffic (not input traffic).

  • Fix an edge case, where an index gets deleted, despite not having been completely archived.

  • Fixed validation gap in Office 365 Inputs that allows for polling intervals less than 1 minute.

  • Handle missing widgets gracefully when returning report widget values.

  • Fixed issue where Investigation Event and Message indices could not be customized.

Graylog Enterprise 5.2.1

Released: 2023-11-15

Added

  • Add additional details for Okta input API errors.

Changed

  • Adds a ‘Sigma:’ prefix to the title of Event Definitions created for Sigma rules.

  • Update spacing on hub bundle list of illuminate bundles

Fixed

  • Fix F5 BIG-IP Log Events input verify connection issue

  • Fixed issue where entities shipped in Illuminate Spotlight Packs would be unnecessarily disabled when enabling a new bundle.

  • Fix inability to sort by the User IDs User Assets column.

  • Fix F5 BIG-IP Log Events input expired token error.

  • Fix Machine and User Asset forms. Improves validations.

Graylog Enterprise 5.2.0

Released: 2023-11-01

Added

  • Added support for region selection for GCP Log Events input dataset creation.

  • Added Event Notification to auto generate Investigations and add Events.

  • Added ability for anomaly detectors to trigger events/alerts.

  • Added Asset Enrichment module.

  • Add claim-based team sync support for OIDC backends.

  • Show investigation after adding evidence to it and keep it open when navigating to a new tab or window.

  • Added ability to filter users when assigning investigations.

  • Adds ability to upload sigma rule files.

  • Added proper support for F5 BIG-IP webui log parsing

  • Added the ability to run the AWS Security Lake Input in cloud.

  • Added AWS Security Lake Input (Thanks: @Srinidhi-Saravanan)

  • Added Salesforce Input (Thanks: @Srinidhi-Saravanan)

  • Adds gl2_forwarder_input field to messages coming in through the forwarder inputs.

  • Added search capability when importing a Sigma rule from a git repository

  • Adds Markdown support to investigations notes.

  • Added automated email notification for Investigations assignments.

  • On cloud migrate IndexSetDefault configuration to new time size based rotation strategy in case it is not the configured default

  • Add endpoint for looking up forwarder input by id.

  • Adds new plugin component for asset list in log messages

  • Added ability to download and bulk download sigma rules.

  • Added ability to upload Sigma Rule files.

  • Added ability to export Graylog messages to GELF (Newline-delimited) format.

  • Forwarder heartbeat interval is now adjustable to arbitrary duration.

  • Added separate tabs for viewing machine and user assets.

  • Enable the Microsoft Defender for Endpoint input in Graylog Cloud.

  • Added ability to map User First, Last, and Full Name for asset imports.

  • Added the ability to run the CrowdStrike Input in Graylog Cloud.

Changed

  • Give to the user the option to convert a relative search into an absolute search before adding it as evidence in an Investigation.

  • Changed the minimum allowed Anomaly Detector interval to 10 minutes.

  • Write an audit log entry when deleting an aged-out archive.

  • Changed some field parsing for the Microsoft Defender for Endpoint input.

  • Added ability to skip background Anomaly Detection jobs

  • Re-enable “CSV File (Upload)” lookup data adapter.

  • Using composable index templates instead of legacy templates for failure index/illuminate indices.

  • Changed Illuminate processor so that it no longer needs CSV files for data adapters written to disk.

  • Merged enterprise integrations plugin into the enterprise plugin.

  • Adjusted Microsoft Defender for Endpoint input to populate the evidence field inside the full_message.

  • Adjusted F5 BIG-IP input log fields

Fixed

  • Fixes GCP Log Events input large memory usage.

  • Fix Exception being thrown in browser console when logging out

  • Fixed Illuminate activation errors for non default root users

  • Fixes race condition in range calculation when restoring small indices

  • Fix log view messages export when the search result does not contain messages.

  • Fix archive backend configuration not updated on archives page

  • Fix forwarder input only loading 10 items.

  • Fixed bug where Illuminate Spotlight Packs marked as core did not have their content packs installed

  • Fix anomaly layout padding issue.

  • Fix archiving with Snappy compression on Java 17.

  • Fix navigation in plugins when the web app is using a path prefix

  • Allow selecting all enumerable fields in values of field select in the parameter declaration form.

  • Fix invalid index prefix options in anomaly detector creation menu

  • Fix anomaly detector audit log messages not displaying IDs/names.

  • Fixed handling of backslashes in Sigma rule queries that caused OpenSearch errors.

  • Fixes a bug where OIDC and Okta errors were not handled on the login page

  • Update Investigation log evidence link to use saved message copy.

  • Fix team sync not supported message for OIDC authentication backend.

  • Retry index action for already archived indices.

  • Fix instant archiving stream list filtering in configuration creation

  • Fix Google Workspace Log Events create auditEventType description.

  • Fixed evidence not being added to all investigations when added to multiple investigations at once.

  • Fixed issue where assets were assigned new IDs on reimport from a source.

  • Fixed indefinite error loop in Office 365 Input.

  • Fix failure to load the New Report page when invalid search ID is referenced

  • Fixing cases where the session got extended when fetching data in the UI periodically.

  • Fix unknown email_attributes error when using AD team sync; honor user-configured LDAP attribute names.

  • Fix event definition enable UI state for Event Correlation.

  • Improved free license warning on Illuminate install page.

  • Fixed error when adding Sigma Git repo rule directories with the default branch.

  • Fix several CrowdStrike input issues and adjusted parsing.

  • Fix broken pagination for archives with multiple streams.

  • Fixed API browser sort direction parameter functionality on several Security endpoints.

  • Improve error handling for CrowdStrike input startup.

  • Display specific input failure message when Salesforce API request limit is exceeded.

  • Alphabetically sort Illuminate packs and spotlights by title.

  • Take timezone of report into consideration when scheduling the trigger.

  • Fixed several F5 Input runtime issues.

Graylog Operations 5.1.13

Released: 2024-04-03

Fixed

  • Add reader permissions for forwarder inputs to READER role.

Graylog Operations 5.1.12

Released: 2024-03-06

Fixed

  • Fixed error when attempting to save edits for Illuminate streams.

  • Enhance Investigations permissions checks.

  • Improve CrowdStrike input error handling for server-side errors.

Graylog Enterprise 5.1.11

Released: 2024-02-07

Fixed

  • Prevent possible field type errors in reports.

  • Fix issue preventing the lookup_all pipeline function from working with json arrays.

  • Added mitigation fix to F5 BIG-IP Log Events Input to avoid intermittent 401 Unauthorized errors.

Graylog Enterprise 5.1.10

Released: 2024-01-03

Added

  • Added proper support for F5 BIG-IP webui log parsing.

Changed

  • Adjusted field parsing for F5 BIG-IP Log Events input in preparation for Illuminate content.

  • Improved Office 365 Input error handling.

  • Adjusted field parsing for Office 365 input in preparation for Illuminate content.

  • Adjusted field parsing for Okta Log Events input in preparation for Illuminate content.

Fixed

  • Eliminate archiving error notification when the affected index has been deleted.

  • Fix issue preventing the array_contains pipeline function from working with JSON arrays.

Graylog Enterprise 5.1.9

Released: 2023-12-06

Added

  • Add additional details for Okta input API errors.

Changed

  • Adds a ‘Sigma:’ prefix to the title of Event Definitions created for Sigma rules.

Fixed

  • Fixed issue where entities shipped in Illuminate Spotlight Packs would be unnecessarily disabled when enabling a new bundle.

  • Fix an edge case, where an index gets deleted, despite not having been completely archived.

  • Fixed issue where Investigation Event and Message indices could not be customized.

  • Fixed validation gap in Office 365 Inputs that allows for polling intervals less than 1 minute.

  • Fix F5 BIG-IP Log Events input expired token error.

Graylog Enterprise 5.1.8

Released: 2023-11-01

Fixed

  • Retry index action for already archived indices.

  • Take timezone of report into consideration when scheduling the trigger.

Graylog Enterprise 5.1.7

Released: 2023-10-12

No changes in Graylog Enterprise for 5.1.7.

Graylog Enterprise 5.1.6

Released: 2023-10-04

Fixed

  • Fixed Illuminate activation errors for non default root users.

  • Fix event definition enable UI state for Event Correlation.

  • Fix several CrowdStrike input issues and adjusted parsing.

Graylog Enterprise 5.1.5

Released: 2023-09-06

Added

  • Added ability to filter users when assigning investigations.

  • Added the ability to run the CrowdStrike Input in Graylog Cloud.

Fixed

  • Fixed error when adding Sigma Git repo rule directories with the default branch.

Graylog Enterprise 5.1.4

Released: 2023-08-02

Changed

  • Changed the minimum allowed Anomaly Detector interval to 10 minutes.

Fixed

  • Fixes race condition in range calculation when restoring small indices.

  • Fixed handling of backslashes in Sigma rule queries that caused OpenSearch errors.

  • Fix unknown email_attributes error when using AD team sync; honor user-configured LDAP attribute names.

Graylog Enterprise 5.1.3

Released: 2023-07-05

Added

  • Add claim-based team sync support for OIDC backends.

Fixed

  • Fix invalid index prefix options in anomaly detector creation menu.

  • Fix anomaly detector audit log messages not displaying IDs/names.

  • Fixed indefinite error loop in Office 365 Input.

Graylog Enterprise 5.1.2

Released: 2023-06-07

Changed

  • Added ability to skip background Anomaly Detection jobs

  • Adjusted F5 BIG-IP input log fields

Fixed

  • Fix archiving with Snappy compression on Java 17.

  • Fix for issue with plugin routes when web server sets a path prefix

  • Fixed several F5 Input runtime issues.

Graylog Enterprise 5.1.1

Released: 2023-05-25

Changed

  • On cloud, migrate the IndexSetDefault configuration to the new time-size-based rotation strategy.

Graylog Enterprise 5.1.0

Released: 2023-05-11

Added

  • Added the ability to set TTLs for MongoDB Data Adapter entries.

  • Added configuration values for hiding widget query and description in reports

  • Added support for importing Sigma rules from multiple Git repositories.

  • Add ability to create and edit custom anomaly detectors.

  • Added support for Sigma rules with Regular Expressions (’re’ modifier).

  • Added support for CIDR lookups in MongoDB data adapters

  • Dynamic Startup Page Backend additions for Recent Activity, Pinned Items, Last Opened

  • Adding shortcut to create search filters from query input with Ctrl+Enter.

  • Added ability to import all and refresh all rules from a Sigma rule repository.

  • Added investigations module.

  • Added ability to assign notifications to Sigma rule Alerts from Sigma pages.

  • Added filters on Sigma Rules List.

  • Added the ability to download and install Illuminate from within Graylog.

  • Added Illuminate hub UI.

  • Added extra error logging for empty OpenSearch Anomaly Detection error responses

  • Added info message to bundle page showing there is a new illuminate bundle

  • Added proxy support to Azure Event Logs input (Thanks: @Srinidhi-Saravanan)

  • Allow running Azure Event Hubs input in cloud.

  • Enable “Office 365 Log Events” input in cloud.

  • Added Microsoft Defender for Endpoint input (Thanks: @Srinidhi-Saravanan)

  • Added multi-node support for the Azure Event Logs input.

Changed

  • Improved error message for enabling Anomaly Detectors

  • Prevent creation of incompatible inputs on Forwarders.

  • Traffic violation emails will now create an audit log entry.

  • Unify fields configuration in the log view builder with the fields configuration in the other aggregation builders.

  • Change date format on Sigma Rules and Investigations lists

  • Changed Sigma Rule roles to Sigma Rule Manager and Sigma Rule Reader

  • Changed decommissioned link in O365 Input wizard to updated link.

  • Created new plugin for CrowdStrike logs (Thanks: @Srinidhi-Saravanan)

  • Created new plugin for F5 BIG-IP logs (Thanks: @Srinidhi-Saravanan)

  • Consistent use of message identifiers in strings.

  • Rename Azure Log Events input to Azure Event Hubs.

Fixed

  • Hide Team source information on cloud

  • Fix Enterprise UI badge validation state

  • Also include query/timerange/filter(s)/streams when switching message table to log view.

  • Fixed failure to synchronize Anomaly Detectors that are active in OpenSearch but marked as inactive in Graylog.

  • Fix page size selector on the archives page being slightly misaligned.

  • Fix validation logic by adding an additional debounced validation.

  • Fix sigma rules and repos page not having Graylog footer.

  • Fix incorrect deprecated Illuminate warning check.

  • Fix Illuminate data adapters being unusable from user space without a server restart.

  • Allow configuration of retention time of archives in the cloud UI.

  • Fixed failure to load Anomaly Detection Configuration page.

  • Fixed bug where Illuminate lookup table data adapters were being populated with incorrect values

  • Fixed bug where disabling Illuminate processing packs displayed an error.

  • Fixed issue with Lookup Entity Mappings migration that prevented the server from starting on 5.0 if deprecated Illuminate content packs were installed.

  • Fixed Sigma Rule query creation to correctly handle lists of maps.

  • Fix broken audit log documentation link.

  • Moved default save location of temporary Sigma Git data to a temp directory

  • Fix list of priorities not displaying in order of priority in New Investigation modal

  • Fix handling of unknown input types on Forwarder Input Profiles page.

  • Fixed issue where Illuminate bundle could not be upgraded if a lookup entity inside had a naming collision with an existing entity.

  • Fixed slow archive restore.

  • Fixed bug where Illuminate Spotlight Packs marked as core did not have their content packs installed

  • Fix incorrect Graylog Security Network dashboard widget name.

  • Fix breaking change in api/plugins/org.graylog.plugins.archive/config API.

  • Fixed error causing Illuminate bundle install timeouts.

  • Fixed error when enabling anomaly detectors in OpenSearch 2.x.

  • Handle deprecated short time zone IDs in report definitions.

  • Allow disabling of retention strategies

  • Avoid exception thrown during report rendering being swallowed.

  • Close the add rule modal after a Sigma rule is created.

  • Execute reporting widgets in chunks when rendering a report.

  • Fixed bug where MongoDB data adapter entries were not removed when the owning data adapter was deleted.

  • Fixed unnecessary anomaly detector sync queries causing OpenSearch errors.

  • Avoid erroneous warning message on archive restore.

  • Fixed problem with concurrently running report jobs

  • Fixes error on decoding Google Workspace Logs with some types of parameters.

  • Fix credential check for Gmail Log Events input.

  • Fix verbose failure of journaled outputs due to license issues.

  • Show available log types in edit form for Google inputs.

  • Fixed F5 Big IP input bug causing inability to load API browser components.

  • Improved informational logging when partition ownership changes occur.

  • Fix broken on-screen validation of Azure EventHubs Maximum Wait Time field.

  • Fixed outputs ceasing to output messages after messages were dropped, e.g. due to a missing pipeline_output or full_message field.

  • Fix buffering to journal when TCP based outputs experience connection issues.

  • Fixed issue where users could not create O365 Log Event inputs with GCC High or DOD subscription types.

  • Fix unclean shutdown of output journal under high load.

  • Run GCP, Gmail, Google Workspace, and Office 365 Inputs on the leader node instead of a random cluster node by default.

Graylog Enterprise 5.0.13

Released: 2023-10-12

No changes in Graylog Enterprise for 5.0.13.

Graylog Enterprise 5.0.12

Released: 2023-10-04

Fixed

  • Fixed Illuminate activation errors for non default root users.

Graylog Enterprise 5.0.11

Released: 2023-09-06

No changes in Graylog Enterprise for 5.0.11.

Graylog Enterprise 5.0.10

Released: 2023-08-02

Changed

  • Changed the minimum allowed Anomaly Detector interval to 10 minutes.

Fixed

  • Fixed handling of backslashes in Sigma rule queries that caused OpenSearch errors.

Graylog Enterprise 5.0.9

Released: 2023-07-05

Fixed

  • Fix anomaly detector audit log messages not displaying IDs/names.

  • Fixed indefinite error loop in Office 365 Input.

Graylog Enterprise 5.0.8

Released: 2023-06-07

Changed

  • Adjusted F5 BIG-IP input log fields

Fixed

  • Fixed bug where Illuminate Spotlight Packs marked as core did not have their content packs installed

  • Fix Archiving with Snappy compression on Java 17.

  • Fix for issue with plugin routes when web server sets a path prefix

  • Fixed problem with concurrently running report jobs

  • Fixed several F5 Input runtime issues.

Graylog Enterprise 5.0.7

Released: 2023-05-03

Added

  • Added extra error logging for empty OpenSearch Anomaly Detection error responses.

Fixed

  • Fixed slow archive restore.

  • Fixed broken Message Summary and Indicator Templates.

Graylog Enterprise 5.0.6

Released: 2023-04-05

Fixed

  • Fixed issue where Illuminate bundle could not be upgraded if a lookup entity inside had a naming collision with an existing entity.

  • Fixed bug where MongoDB data adapter entries were not removed when the owning data adapter was deleted.

  • Fixed unnecessary anomaly detector sync queries causing OpenSearch errors.

  • Fix broken on-screen validation of Azure EventHubs Maximum Wait Time field.

Graylog Enterprise 5.0.5

Released: 2023-03-06

Fixed

  • Fixed F5 Big IP input bug causing inability to load API browser components.

Graylog Enterprise 5.0.4

Released: 2023-03-01

Added

  • Added proxy support to Azure Event Logs input. (Thanks: @Srinidhi-Saravanan)

  • Added multi-node support for the Azure Event Logs input.

Changed

  • Changed decommissioned link in O365 Input wizard to updated link.

  • Created new plugin for F5 BIG-IP logs. (Thanks: @Srinidhi-Saravanan)

  • Rename Azure Log Events input to Azure Event Hubs.

Fixed

  • Also include query/timerange/filter(s)/streams when switching message table to log view.

  • Fixed issue with Lookup Entity Mappings migration that prevented the server from starting on 5.0 if deprecated Illuminate content packs were installed.

  • Fixed Sigma Rule query creation to correctly handle lists of maps.

  • Handle deprecated short time zone IDs in job scheduler definitions.

  • Avoid exception thrown during report rendering being swallowed.

  • Fixes error on decoding Google Workspace Logs with some types of parameters.

Graylog Enterprise 5.0.3

Released: 2023-02-01

Fixed

  • Fixed failure to synchronize Anomaly Detectors that are active in OpenSearch but marked as inactive in Graylog.

  • Allow configuration of retention time of archives in cloud UI interface.

  • Fixed bug where Illuminate lookup table data adapters were being populated with incorrect values

  • Fixed bug where disabling Illuminate processing packs displayed an error.

  • Fixed error causing Illuminate bundle install timeouts.

Graylog Enterprise 5.0.2

Released: 2023-01-04

Fixed

  • Fixed failure to load Anomaly Detection Configuration page.

  • Fixed incorrect Graylog Security Network dashboard widget name.

  • Fixed error when enabling anomaly detectors in OpenSearch 2.x.

  • Fix buffering to journal when TCP based outputs experience connection issues.

Graylog Enterprise 5.0.1

Released: 2022-12-14

Fixed

  • Fix incorrect deprecated Illuminate warning check.

  • Fix Illuminate data adapters being unusable from user space without a server restart.

  • Fixed issue where users could not create O365 Log Event inputs with GCC High or DOD subscription types.

Graylog Enterprise 5.0.0

Released: 2022-12-07

Added

  • Illuminate Lookup tables are now available in user space.

  • Allow defining multiple scheduling frequencies for report delivery

  • Adding search filter feature.

  • Add a config option to automatically delete archive files that are older than a defined age

  • Added Illuminate Spotlight content packs to Illuminate bundle installation.

  • Added deprecated warning and status metrics reporting.

  • Support restoring archives in bulk

  • Added backend support for storing timerange overrides for each report frequency configuration

  • Add gRPC health check endpoints.

  • Added support for Sigma rules.

  • Added a Store Full Message field option to the Azure Logs input, which stores the entire message payload received from Azure Logs.

Changed

  • Display parameter inputs inside search bar.

  • Report deliveries use generic scheduler instead of periodical task

  • Index archive names are now guaranteed to be unique by appending the index ID.

Graylog Enterprise 4.3.15

Released: 2023-05-03

Added

  • Added extra error logging for empty OpenSearch Anomaly Detection error responses.

Graylog Enterprise 4.3.14

Released: 2023-04-05

Fixed

  • Fixed bug where MongoDB data adapter entries were not removed when the owning data adapter was deleted.

  • Fixed unnecessary anomaly detector sync queries causing OpenSearch errors.

  • Fix broken on-screen validation of Azure EventHubs Maximum Wait Time field.

  • Fixed issue with Palo Alto Global Protect logs parsing last 5 fields incorrectly. (Thanks: @giveen)

Graylog Enterprise 4.3.13

Released: 2023-03-01

Changed

  • Changed decommissioned link in O365 Input wizard to updated link.

Fixed

  • Handle deprecated short time zone IDs in job scheduler definitions.

Graylog Enterprise 4.3.12

Released: 2023-02-01

Fixed

  • Fixed failure to synchronize Anomaly Detectors that are active in OpenSearch but marked as inactive in Graylog.

Graylog Enterprise 4.3.11

Released: 2023-01-04

Fixed

  • Fixed failure to load Anomaly Detection Configuration page.

  • Fixed error when enabling anomaly detectors in OpenSearch 2.x.

  • Fixed buffering to journal when TCP based outputs experience connection issues.

Graylog Enterprise 4.3.10

Released: 2022-12-14

Fixed

  • Fix LDAP group membership matching by memberUid attribute.

  • Fixed issue where users could not create O365 Log Event inputs with GCC High or DOD subscription types.

Graylog Enterprise 4.3.9

Released: 2022-11-02

Added

  • Add default_archive_retention_time and max_archive_retention_time config file settings for the archive auto-removal feature. 

Fixed

  • Fix team sync for Okta authentication backends. 

  • Fix S3 archive backend creation form. 

  • Fix license traffic violation error triggering one day too early. 

Security

  • Update Okta UI widget to version 7.0.0 to fix CVE-2020-11023. 

Graylog Enterprise 4.3.8

Released: 2022-10-05

Changed

  • Reduce log level for noisy log messages in the Office365 input. 

Fixed

  • Fix problem with archive retention configuration form. 

  • Fix file handle leak in HTTP-based lookup table adapters. 

Graylog Enterprise 4.3.7

Released: 2022-09-16

Added

  • Add optional archive retention to automatically delete old archives after a configurable time. (This is disabled by default.)   

Fixed

  • Fix archive Overview page to remain operational when one or more cluster nodes are missing.   

Graylog Enterprise 4.3.6

Released: 2022-09-07

Added

  • Add gRPC health check endpoint to the forwarder input.

Fixed

  • Fix inconsistent sorting and other smaller issues on the archiving overview page.
  • Gracefully handle unclean shutdown of the forwarder health status manager.
  • Fix infinite loop problem in the error handling of the Office365 input.

Graylog Enterprise 4.3.5

Released: 2022-08-09

Added

  • Add custom OIDC claims in the OIDC authentication backend configuration. 

Graylog Enterprise 4.3.4

Released: 2022-08-03

Added

  • Add report_accept_insecure_certs config file option to make reporting work for setups with self-signed TLS certificates.

Fixed

  • Fix license check for external actions.
  • Fix timing issue for the Forwarder status display on the Forwarder overview page.

Security

  • No longer display the (short-lived) session token in error messages when reporting fails.

Graylog Enterprise 4.3.3

Released: 2022-07-06

Fixed

  • Fix state detection of anomaly detector status in the UI.
  • Fix license check on reports page.
  • Fix duplicate message ingest for the Office365 input by only running the input on the leader node.
  • Fix thread leak in TCP Enterprise Outputs.

Graylog Enterprise 4.3.2

Released: 2022-06-15

Fixed

  • Fix problem with UI code that prevented a user session from timing out.
  • Fix parameter handling for parameters that are not used in queries.

Graylog Enterprise 4.3.1

Released: 2022-06-01

Fixed

  • Fix copying of Security dashboards.
  • Fix system overview page for non-admin users.

Graylog Enterprise 4.3.0

Released: 2022-05-25

Added

  • Display roles from assigned teams on the user details page.
  • Support multiple values in watchlist functions.
  • Allow users to override built-in Illuminate lookup tables.
  • Display a warning in the UI for upcoming license violations and export a related backend metric.
  • Add a configurable notification in the UI when an archiving operation fails.
  • Add hourly interval for automatic report generation.
  • Add support for OpenSearch.
  • Add support for reports creation on ARM64 platforms.
  • Add validation for search query parameters.
  • Add Graylog Security application.
  • Add minimal team sync backend for OIDC authentication service.
  • Send notification emails for license violations to a configurable list of subscribers.
  • Add edit links for dashboards, dashboard pages, and widgets to report content pages.
  • Show forwarder version in the UI. forwarder#53
  • Add time zone support for report scheduling.
  • Show the license limit on the daily traffic graph.
  • Add anomaly detection for Graylog Security.

Changed

  • Group widgets by dashboard pages in reports content selection.
  • Send error notifications to report subscribers when report generation fails.

Fixed

  • Improve license messages for Illuminate.
  • Avoid unnecessary index updates for Illuminate.
  • Fix Illuminate bundle upload from browsers running on Microsoft Windows.
  • Improve notifications for missing or expired licenses on the forwarder pages.
  • Several improvements for reports creation and update.
  • Warn users when they delete a dashboard or widget that is referenced in a report.
  • Improve log output for the reporting backend in case of errors.
  • Fix logo display in report configuration with large images.
  • Don't allow report creation or modification when parameter values are missing.
  • Improve Illuminate processor restart handling.
  • Improve Illuminate processing restart resiliency.
  • Improve message failure handler to continue processing if MongoDB is unreachable.
  • Improve error handling for reports.
  • Fix log view message export to honor query time limits.
  • Fix report generation when a report has no widgets configured.
  • Fix timing issue with logo rendering in reports.
  • Allow report creation in landscape format.
  • Disable team deletion when no valid license is installed.

Graylog Enterprise 4.2.11

Released: 2022-07-06

Fixed

  • Fix thread leak in TCP Enterprise Outputs.

Graylog Enterprise 4.2.10

Released: 2022-06-15

Enterprise

No changes since 4.2.9.

Enterprise Integrations Plugin

Fixed

  • Add option to store the full message for the Azure Logs plugin.

Graylog Enterprise 4.2.9

Released: 2022-05-04

Enterprise

No changes since 4.2.8.

Enterprise Integrations Plugin

Fixed

  • Treat azure_connection_string field in the Azure Logs input as password to conceal it in the UI.

Graylog Enterprise 4.2.8

Released: 2022-04-12

Enterprise

Changed

  • Convert built-in forwarder user to service account.

Graylog Enterprise 4.2.7

Released: 2022-03-02

Enterprise

Fixed

  • Fix report history status icon.

Graylog Enterprise 4.2.6

Released: 2022-02-02

Enterprise

Fixed

  • Fix a report generation issue with widgets that don’t have a configured time range.
  • Remove unused log4j 1.x dependency.

Enterprise Integrations Plugin

No changes since 4.2.5.

Graylog Enterprise 4.2.5

Released: 2022-01-05

Enterprise

  • Add right-click action for GreyNoise IP lookup
  • Added loading indicator when performing Illuminate bundle operations

Enterprise Integrations Plugin

Graylog Enterprise 4.2.4

Released: 2021-12-16

Enterprise

No changes since 4.2.3.

Enterprise Integrations Plugin

No changes since 4.2.3.

Graylog Enterprise 4.2.3

Released: 2021-12-10

Enterprise

No changes since 4.2.2.

Enterprise Integrations Plugin

No changes since 4.2.2.

Graylog Enterprise 4.2.2

Released: 2021-12-01

Enterprise

Fixed

  • Increase reliability of the failure handler feature.
  • Fix index set upgrade problem with Illuminate bundles.
  • Don’t render optional fields in message summary if related value doesn’t exist.

Enterprise Integrations Plugin

Changed

  • Include more data fields from the NOISE response in the GreyNoise lookup data adapter.

Graylog Enterprise 4.2.1

Released: 2021-11-03

Enterprise

Added

  • Add ability to delete a disabled Illuminate bundle.

Fixed

  • Allow archive S3 backend to work without the s3:CreateBucket permission when the bucket already exists.
  • Fix misleading log warning regarding index updates on Illuminate installation.
  • Fix issue with watchlist key creation.

Enterprise Integrations Plugin

Fixed

  • Fix exception in Gmail input if there are no logs for the current day.
  • Fix default value for the polling interval setting for Google Cloud inputs.

Graylog Enterprise 4.2.0

Released: 2021-10-13

Enterprise

Added

  • Display message summaries based on message event types.
  • Add external value actions for message field values.
  • Allow horizontal scrolling in log view widget.
  • Add generic OIDC authentication backend.
  • Add Illuminate bundle support.
  • Add Illuminate message processor.
  • Support lookup tables in search parameters.
  • Store indexing and processing failures in a separate stream and index set to simplify debugging.
  • Add watchlist lookup table.
  • Add watchlist indicator to message details.
  • Add “Add to watchlist” and “Remove from watchlist” value actions for message fields.
  • Support custom authentication server for Okta backend.

Changed

  • Create system notifications for archiving errors to improve visibility.

Fixed

  • Fix formatting for forwarder related audit log entries.
  • Add default spool directory for S3 archiving backend.
  • Improve Okta authentication error reporting.
  • Improve error handling for S3 archiving.
  • Fix issue with switching forwarder input profiles.
  • Fix search parameter problem when copying widget from search to dashboard.
  • Improve sorting on forwarders page.
  • Support an empty archive output path for S3 backends.

Enterprise Integrations Plugin

Added

  • Add Raw UDP Enterprise output.
  • Add Google Cloud input to pull VPC, firewall, and audit logs.
  • Add Google Workspace input to pull admin, drive, login, calendar, token, and message tracking logs.
  • Add Gmail input to pull mail logs from BigQuery.

Graylog Enterprise 4.1.14

Released: 2022-04-12

Enterprise

Changed

  • Convert built-in forwarder user to service account.

Graylog Enterprise 4.1.13

Released: 2022-03-02

Enterprise

Fixed

  • Fix report history status icon.

Graylog Enterprise 4.1.12

Released: 2022-02-02

Enterprise

Fixed

  • Remove unused log4j 1.x dependency.

Enterprise Integrations Plugin

No changes since 4.1.11.

Graylog Enterprise 4.1.11

Released: 2022-01-05

Enterprise

No changes since 4.1.10

Enterprise Integrations Plugin

No changes since 4.1.10

Graylog Enterprise 4.1.10

Released: 2021-12-16

Enterprise

No changes since 4.1.9.

Enterprise Integrations Plugin

No changes since 4.1.9.

Graylog Enterprise 4.1.9

Released: 2021-12-10

Enterprise

No changes since 4.1.8.

Enterprise Integrations Plugin

No changes since 4.1.8.

Graylog Enterprise 4.1.8

Released: 2021-12-01

Enterprise

No changes since 4.1.7.

Enterprise Integrations Plugin

No changes since 4.1.7.

Graylog Enterprise 4.1.7

Released: 2021-11-03

Enterprise

No changes since 4.1.6.

Graylog Enterprise 4.1.6

Released: 2021-10-06

Enterprise

Added

  • Add support for custom auth servers in Okta authentication backend.

Graylog Enterprise 4.1.5

Released: 2021-09-13

Enterprise

Fixed

  • Fix an issue when adding a widget with an option dropdown parameter in reports.
  • Fix Graylog Forwarder documentation URLs.

Graylog Enterprise 4.1.4

Released: 2021-09-01

Enterprise

Fixed

  • Fixed an issue when adding a widget with an option dropdown parameter in reports. (Graylog2/)

Graylog Enterprise 4.1.3

Released: 2021-08-04

Enterprise

No changes since 4.1.2.

Graylog Enterprise 4.1.2

Released: 2021-07-28

Enterprise

Security

Session ID leak in Graylog DEBUG log file and audit log.

We recently discovered a session ID leak in the Graylog DEBUG log file as well as the audit log. A user can use a session ID to authenticate against Graylog and then this user has access to all the permissions associated with the owner of the session ID.

The ID was printed in DEBUG level log messages (DEBUG is not enabled by default) as well as the Graylog Enterprise Audit Log. By default, the Graylog Audit Log is only logging to the local database and only accessible by Graylog administrators.

We would like to thank David Herbstmann for discovering and responsibly disclosing this vulnerability.

The following CVE IDs have been assigned: CVE-2021-37759, CVE-2021-37760

Fixed

Graylog Enterprise 4.1.1

Released: 2021-07-07

Enterprise

Fixed

  • Add default value for the spool directory in the UI configuration for the S3 archiving backend.
  • Improve Forwarder request/response handling when server has high load.

Enterprise Integrations Plugin

Added

  • Add lookup data adapter for abuse.ch ThreatFox IOC.

Graylog Enterprise 4.1.0

Released: 2021-06-23

Enterprise

Added

  • Add theme customization options to allow the usage of custom colors.
  • Add support for global notifications to display announcements and other messages to all users or a selected group of users.
  • Add authentication and team-sync support for the Okta identity provider.
  • Add support for the Graylog Forwarder. The Graylog Forwarder is a standalone agent for sending log data to Graylog Cloud or an on-premise Graylog Server cluster.
  • Add Log View widget including file export. This allows users to read log messages in a way similar to reading plain text log files.
  • Add support for exporting messages in JSON, NDJSON and plain text formats.
  • Add S3 archiving backend to store archives in AWS S3 compatible object stores.
  • Add option to make archive batch size configurable for performance tuning.
  • Extend search and dashboard parameters to allow pre-defined values based on static lists or available message field values.
  • Add pagination for reports overview.

Fixed

  • Improve archiving multiple indices.
  • Fix rendering world map visualization in reports.
  • Improved search and dashboard parameter validation and styling.
  • Use case-insensitive matching for LDAP/AD group sync.
  • Disable confusing traffic warning log messages by default.

Enterprise Integrations Plugin

Added

  • Add ActiveDirectory user lookup data adapter.
  • Add Enterprise Greynoise lookup data adapter.
  • Add URLhaus lookup data adapter.

Graylog Enterprise 4.0.17

Released: 2022-07-06

Fixed

  • Fix thread leak in TCP Enterprise Outputs.

Graylog Enterprise 4.0.16

Released: 2022-04-12

Enterprise

Changed

  • Convert built-in forwarder user to service account.

Graylog Enterprise 4.0.15

Released: 2021-12-16

Enterprise

No changes since 4.0.14.

Enterprise Integrations Plugin

No changes since 4.0.14.

Graylog Enterprise 4.0.14

Released: 2021-12-10

Enterprise

No changes since 4.0.13.

Enterprise Integrations Plugin

No changes since 4.0.13.

Graylog Enterprise 4.0.13

Released: 2021-09-13

Enterprise

No changes since 4.0.11.

Graylog Enterprise 4.0.12

Released: 2021-09-01

Enterprise

No changes since 4.0.11.

Graylog Enterprise 4.0.11

Released: 2021-08-04

Enterprise

No changes since 4.0.10.

Graylog Enterprise 4.0.10

Released: 2021-07-28

Enterprise

Security

Session ID leak in Graylog DEBUG log file and audit log.

We recently discovered a session ID leak in the Graylog DEBUG log file as well as the audit log. A user can use a session ID to authenticate against Graylog and then this user has access to all the permissions associated with the owner of the session ID.

The ID was printed in DEBUG level log messages (DEBUG is not enabled by default) as well as the Graylog Enterprise Audit Log. By default, the Graylog Audit Log is only logging to the local database and only accessible by Graylog administrators.

We would like to thank David Herbstmann for discovering and responsibly disclosing this vulnerability.

The following CVE IDs have been assigned: CVE-2021-37759, CVE-2021-37760

Graylog Enterprise 4.0.9

Released: 2021-07-07

No changes since 4.0.8.

Graylog Enterprise 4.0.8

Released: 2021-06-02

Enterprise

Fixed

  • Lower log level for irregular traffic record check.

Graylog Enterprise 4.0.7

Released: 2021-05-05

Enterprise

Fixed

  • Fix rendering of the world map visualization in reports.

Graylog Enterprise 4.0.6

Released: 2021-04-07

Enterprise

Fixed

  • Change LDAPGroupResolver to use case-insensitive matching

Enterprise Integrations Plugin

Added

  • Add “drop sensitive data” option to Microsoft365 input

Graylog Enterprise 4.0.5

Released: 2021-02-22

Enterprise

No changes since 4.0.4.

Graylog Enterprise 4.0.4

Released: 2021-02-22

Enterprise

No changes since 4.0.3.

Graylog Enterprise 4.0.3

Released: 2021-02-16

Enterprise

No changes since 4.0.2.

Enterprise Integrations Plugin

Added

  • Add full-message transformer to Enterprise Output Framework.

Graylog Enterprise 4.0.2

Released: 2021-01-27

Enterprise

Added

  • Allow modification of timezone in report scheduling settings.

Fixed

  • Fix report preview styling when dark mode is active.

Enterprise Integrations Plugin

Fixed

  • Reduce noise of legacy script alarm callback notification.
  • Fix timing issue with old checkpoints in Office365 plugin.
  • Properly shut down TCP connections when stopping Enterprise outputs.

Graylog Enterprise 4.0.1

Released: 2020-11-25

Enterprise

No changes since 4.0.0.

Enterprise Integrations Plugin

  • Do not shut down Okta input on errors.
  • Let Office 365 plugin use configured proxy settings.

Graylog Enterprise 4.0.0

Released: 2020-11-18

Enterprise

Added

  • Add support for grouping users in teams.
  • Add support for managing access to streams, searches and dashboards through teams.
  • Add support for syncing groups from LDAP and Active Directory into Graylog teams.
  • Add configurable header badge.
  • Create notification for failed Enterprise outputs.
  • Add cluster resources for archiving to allow archiving to be managed from all server nodes.

Fixed

  • Don’t fail reports migration if a widget is missing.
  • Improve error logging for report generation.

Enterprise Integrations Plugin

Added

  • Script event notification plugin to replace the legacy script alarm callback plugin.

Graylog Enterprise 3.3.17

Released: 2022-04-12

Enterprise

Changed

  • Convert built-in forwarder user to service account.

Graylog Enterprise 3.3.16

Released: 2021-12-16

Enterprise

No changes since 3.3.15.

Enterprise Integrations Plugin

No changes since 3.3.15.

Graylog Enterprise 3.3.15

Released: 2021-12-10

Enterprise

No changes since 3.3.14.

Enterprise Integrations Plugin

No changes since 3.3.14.

Graylog Enterprise 3.3.14

Released: 2021-07-28

Enterprise

Security

Session ID leak in Graylog DEBUG log file and audit log.

We recently discovered a session ID leak in the Graylog DEBUG log file as well as the audit log. A user can use a session ID to authenticate against Graylog and then this user has access to all the permissions associated with the owner of the session ID.

The ID was printed in DEBUG level log messages (DEBUG is not enabled by default) as well as the Graylog Enterprise Audit Log. By default, the Graylog Audit Log is only logging to the local database and only accessible by Graylog administrators.

We would like to thank David Herbstmann for discovering and responsibly disclosing this vulnerability.

The following CVE IDs have been assigned: CVE-2021-37759, CVE-2021-37760

Graylog Enterprise 3.3.13

Released: 2021-05-05

Enterprise

Fixed

  • Fix rendering of the world map visualization in reports.

Graylog Enterprise 3.3.12

Released: 2021-04-14

No changes since 3.3.11.

Graylog Enterprise 3.3.11

Released: 2021-02-16

No changes since 3.3.10.

Graylog Enterprise 3.3.10

Released: 2021-01-27

Enterprise

Added

  • Allow modification of timezone in report scheduling settings.

Graylog Enterprise 3.3.9

Released: 2020-11-25

Enterprise

Fixed

  • Fix audit formatting for file resource.
  • Fix permission issue with reports.
  • Fix logo images in reports.
  • Fix issue with rendering help buttons.

Enterprise Integrations Plugin

Fixed

  • Do not shut down Office 365 input on errors.
  • Do not shut down Okta input on errors.
  • Fix issue with Office 365 logon data parsing.
  • Let Office 365 plugin use configured proxy settings.

Graylog Enterprise 3.3.8

Released: 2020-10-12

Enterprise Integrations Plugin

Fixed

  • Fixed an issue with the O365 codec where it was not handling the event timestamp correctly.

Graylog Enterprise 3.3.7

Released: 2020-10-08

Enterprise Integrations Plugin

Fixed

  • Ensure cleanup of on-disk journal when Enterprise Output is deleted.

Graylog Enterprise 3.3.6

Released: 2020-09-28

Enterprise

Fixed

  • Improve error logging during report generation.

Enterprise Integrations Plugin

Added

  • Add Google BigQuery output to the Enterprise output framework.

Fixed

  • Fix NullPointerException and thread-safety issues in the Enterprise output framework.
  • Fix retry logic and overall robustness of the office365 input.
  • Improve error detection and error handling in the Enterprise output framework.

Graylog Enterprise 3.3.5

Released: 2020-08-17

Fixed

  • Fix NullPointerException when deleting an output, which caused the on-disk journal to not get cleaned up.

Graylog Enterprise 3.3.4

Released: 2020-08-06

Changed

  • Fix pipeline selection on output creation to make the pipeline optional rather than required.

Fixed

  • Fixed a bug which occurred during the setup of the O365 Input.
  • Fix error when starting the Forwarder with the Enterprise Integrations plugin.

Graylog Enterprise 3.3.3

Released: 2020-07-29

Added

  • Add office365 input plugin.
  • Add reliable output framework and TCP and TCP Syslog outputs.

Graylog Enterprise 3.3.2

Released: 2020-06-24

Fixed

  • Fix message table headers in reports.

Graylog Enterprise 3.3.1

Released: 2020-06-10

Fixed

  • Fix issue with reports database migration when widgets are missing.
  • Add a cluster resource for the archiving API and use it in the UI. All endpoints in the cluster resource are routed to the regular endpoints on the master node to avoid the need for custom proxy configuration.

Graylog Enterprise 3.3.0

Released: 2020-05-20

Added

  • Input for Okta log events.
  • Create detailed audit log messages for search jobs.
  • Create detailed audit log messages for message exports.
  • Automatically install trial licenses requested from the UI.
  • Add 1 day mute option to trial license reminders.

Changed

  • Implement message list limit in reports.

Fixed

  • Fix archive catalog response with different backends having the same archive.
  • Improve keyboard input for search/dashboard parameter fields.
  • Improve error messages with missing parameters in reports.
  • Fix problem with non-ascii characters in correlation field names.
  • Fix unintended selection of multiple widgets in report widget selection.
  • Fix detection of value-less parameters in reports.
  • Hide license warning on search/dashboard page if no license is installed.
  • Use user defined chart colors in reports.

Graylog Enterprise 3.2.6

Released: 2020-06-10

No changes since 3.2.5.

Graylog Enterprise 3.2.5

Released: 2020-05-19

No changes since 3.2.4.

Graylog Enterprise 3.2.4

Released: 2020-03-19

Fixed

  • Fix issue with search parameter input fields.
  • Fix error exporting a correlation event definition in content packs.

Graylog Enterprise 3.2.3

Released: 2020-03-11

Fixed

  • Fix issue with custom fields and correlation event definitions.

Graylog Enterprise 3.2.2

Released: 2020-02-20

Fixed

  • Fix missing rows in message table widget in reports.
  • Don’t try to archive indices which have already been archived.

Graylog Enterprise 3.2.1

Released: 2020-02-04

Fixed

  • Gracefully handle missing dashboards and widgets when collecting parameters for reports.

Graylog Enterprise 3.2.0

Released: 2020-01-14

Added

  • Dynamic list support for events and alert definition queries.
  • Search parameter support for reports.
  • MongoDB lookup data adapter.

Fixed

  • Remove incomplete archive directory when archiving process fails.
  • Fix race condition with archive catalog writing.

Graylog Enterprise 3.1.4

Released: 2020-01-14

Fixed

  • Only write archive metadata if the archiving process succeeded.
  • Improve resiliency of widgets in reports.

Graylog Enterprise 3.1.3

Released: 2019-11-06

Fixed

  • Fix problem with correlating events created by aggregation event definitions.
  • Remove incomplete archive directory when archive job fails or is stopped.

Graylog Enterprise 3.1.2

Released: 2019-09-12

No changes since 3.1.1.

Graylog Enterprise 3.1.1

Released: 2019-09-04

No changes since 3.1.0.

Graylog Enterprise 3.1.0

Released: 2019-08-16

Added

  • Add correlation engine and UI for new alerts and events system.
  • Add Enterprise job scheduler implementation.

Removed

  • Moved views feature to open source (except parameter support).

Fixed

  • Fix report service memory leak.
  • Fix auto-completion in drop-down fields.
  • Fix rendering of archive configuration page.

Graylog Enterprise 3.0.2

Released: 2019-05-03

Integrations Plugin

  • Improve Graylog Forwarder configuration defaults.
  • Improve Graylog Forwarder error handling.
  • Update Graylog Forwarder dependencies.

Graylog Enterprise 3.0.1

Released: 2019-04-01

  • Fix missing authorization checks in the license management.
  • Fix view sharing issue for regular users.
  • Fix memory leak in the reporting system.

Integrations Plugin

  • Add Graylog Forwarder feature.

Graylog Enterprise 3.0.0

Released: 2019-02-14

A detailed changelog will follow soon.

Integrations Plugin

  • Add Script Alert Notification

Graylog Enterprise 2.5.2

Released: 2019-03-15

Plugin: License

  • Add missing permissions to license API resources.
  • Only show upcoming license expiration warning to admin users.

Graylog Enterprise 2.5.1

Released: 2018-12-19

No changes since 2.5.0.

Graylog Enterprise 2.5.0

Released: 2018-11-30

No changes since 2.4.6.

Graylog Enterprise 2.4.7

Released: 2019-03-01

Plugin: License

  • Add missing authorization checks to license resources.

Graylog Enterprise 2.4.6

Released: 2018-07-16

No changes since 2.4.5.

Graylog Enterprise 2.4.5

Released: 2018-05-28

No changes since 2.4.4.

Graylog Enterprise 2.4.4

Released: 2018-05-02

No changes since 2.4.3.

Graylog Enterprise 2.4.3

Released: 2018-01-24

No changes since 2.4.2.

Graylog Enterprise 2.4.2

Released: 2018-01-24

No changes since 2.4.1.

Graylog Enterprise 2.4.1

Released: 2018-01-19

No changes since 2.4.0.

Graylog Enterprise 2.4.0

Released: 2017-12-22

No changes since 2.4.0-rc.2.

Graylog Enterprise 2.4.0-rc.2

Released: 2017-12-20

No changes since 2.4.0-rc.1.

Graylog Enterprise 2.4.0-rc.1

Released: 2017-12-19

No changes since 2.4.0-beta.4.

Graylog Enterprise 2.4.0-beta.4

Released: 2017-12-15

Plugin: License

  • The license page now shows more details about the installed licenses.

Graylog Enterprise 2.4.0-beta.3

Released: 2017-12-04

No changes since 2.4.0-beta.2.

Graylog Enterprise 2.4.0-beta.2

Released: 2017-11-07

No changes since 2.4.0-beta.1.

Graylog Enterprise 2.4.0-beta.1

Released: 2017-10-20

Plugin: Archive

  • Add support for Zstandard compression codec.

Graylog Enterprise 2.3.2

Released: 2017-10-19

Plugin: Archive

  • Fix archive creation for indices with lots of shards.

Graylog Enterprise 2.3.1

Released: 2017-08-25

Plugin: Archive

  • Lots of performance improvements (up to 7 times faster)
  • Do not delete an index if not all of its documents have been archived

Graylog Enterprise 2.3.0

Released: 2017-07-26

Plugin: Archive

  • Record checksums for archive segment files
  • Add two archive permission roles “admin” and “viewer”
  • Allow export of filenames from catalog search

Graylog Enterprise 2.2.3

Released: 2017-04-04

Plugin: Archive

  • Metadata is now stored in MongoDB
  • Preparation for storage backend support

Graylog Enterprise 2.2.2

Released: 2017-03-02

Plugin: Audit Log

  • Extend integration with the Archive plugin

Graylog Enterprise 2.2.1

Released: 2017-02-20

Plugin: Archive

  • Improve stability and smaller UI fixes

Graylog Enterprise 2.2.0

Released: 2017-02-09

Plugin: Archive

  • Improve index set support

Graylog Enterprise 1.2.1

Released: 2017-01-26

Plugin: Archive

  • Prepare the plugin to be compatible with the new default stream.

Plugin: Audit Log

  • Add support for index sets and fix potential NPEs.
  • Smaller UI improvements.

Graylog Enterprise 1.2.0

Released: 2016-09-14

https://www.graylog.org/blog/70-announcing-graylog-enterprise-v1-2

Plugin: Archive

  • Add support for selecting which streams should be included in your archives.

Plugin: Audit Log

New plugin to keep track of changes made by users to a Graylog system by automatically saving them in MongoDB.

Graylog Enterprise 1.1

Released: 2016-09-01

  • Added support for Graylog 2.1.0.

Graylog Enterprise 1.0.1

Released: 2016-06-08

Bugfix release for the archive plugin.

Plugin: Archive

Fixed problem when writing multiple archive segments

When an archive exceeded the maximum segment size and had to be split into multiple segments, the additional segments were written incorrectly. The problem has been fixed, and segments that were written incorrectly by earlier versions can be read again.

Graylog Enterprise 1.0.0

Released: 2016-05-27

Initial Release including the Archive plugin.

Plugin: Archive

New features since the last beta plugin:

  • Support for multiple compression strategies. (Snappy, LZ4, Gzip, None)