- New pipeline rule functions for manipulating maps:
map_setandmap_remove.
- If you use the DataNode, the system clocks of the nodes have to be synchronized with an external source for JWT usage (within a margin of a couple of seconds).
Starting with Graylog 5.2, we are migrating from using legacy index templates to [composable index template] (https://www.elastic.co/guide/en/elasticsearch/reference/7.17/index-templates.html). While this gives us more flexibility and predictability for field types in index mappings, this also requires that existing custom legacy index templates need to be migrated to composable index templates manually as well.
Graylog 3.0 introduced "Graylog Sidecars" as a replacement for the old Collector Sidecars (version 0.1.x).
With Graylog 5.2, support for the legacy Collector Sidecars is finally removed.
Please refer to the migration guide Upgrading from the Collector Sidecar if you are still using the old Sidecars before upgrading Graylog to 5.2.
- GreyNoise Community IP Lookup Data Adapters have been marked as deprecated. Existing Data Adapters can no longer be started or lookups performed.
- GreyNoise Full IP Lookup [Enterprise] Data Adapter can no longer be used with a free GreyNoise Community API tokens.
- GreyNoise Quick IP Lookup Data Adapter can no longer be used with a free GreyNoise Community API tokens.
Because of an error in HttpCore 4.4.12, which is required by Elasticsearch and older versions of Opensearch, OutOfMemoryError errors were not properly handled. The Reactor was stopped, which prevented proper Graylog operation and the reason (OutOfMemoryError) was not clearly visible. From now on, Graylog will shutdown on OutOfMemoryError, trying to log some basic information about the thread and memory consumption during this event.
Several log parsing changes have been made to the CrowdStrike input.
Added fields:
event_created: Contains the metadata.eventCreationTime log value.
vendor_subtype: Contains the metadata.eventType log value.
vendor_version: Contains the metadata.version log value.
event_source_product: Contains the static value crowdstrike_falcon.
Changed fields:
message: Now contains the JSON content of the logeventvalue, effectively the message payload.- The message
timestampfield is now set to the current Graylog system date/time, instead of the previously used logmetadata.eventCreationTimevalue.
Removed fields:
event_endevent_sourceevent_startuser_domainuser_idvendor_event_descriptionFILE_NAMEFILE_PATHOBJECTIVETECHNIQUE
Note that additional CrowdStrike message parsing is expected to be released in a future release of Graylog Illuminate.
Several log parsing changes have been made to the Microsoft Defender for Endpoint input.
Added fields:
event_source_product: Contains the static value microsoft_defender_endpoint.
Changed fields:
message: Now contains the full message payload.source: Now contains thedetectionSourcelog value.
Removed fields:
alert_signaturealert_signature_idevent_startevent_endfull_message
Note that additional Microsoft Defender for Endpoint message parsing is expected to be released in a future release of Graylog Illuminate.
The following Java Code API changes have been made.
| File/method | Description |
|---|---|
ExampleClass#exampleFuntion |
TODO placeholder comment |
The following REST API changes have been made.
| Endpoint | Description |
|---|---|
GET /contentstream/settings/{username} |
Retrieve Content Stream settings for specified user |
PUT /contentstream/enable/{username} |
Enable Content Stream for specified user |
PUT /contentstream/disable/{username} |
Disable Content Stream for specified user |
PUT /contentstream/topics/{username} |
Update per user Content Stream topic list |
GET /contentstream/tags |
Retrieve Content Stream tags based on license |