
Release Notes - Version 6.32

New Features and Improvements

API Enhancements

  • Improved clarity in the badge icon tooltip by updating the description from "Cardinality" to "Badge".
  • Integrated Aggregates Container with StorageModule to simplify the setup of multiple storage nodes and enhance scalability.
  • Enhanced parser module responsiveness by optimizing the loading of parser rules, which significantly improves processing speed.
  • Developed a LogZilla App for AppNeta Event Integration, facilitating improved real-time monitoring, security, and performance optimization through specialized parsing rules and dedicated dashboards.

Usability and Interface

  • Improved the search functionality to correctly show the loading icon only during active searches, enhancing user feedback.

Performance and Stability

  • Streamlined the LogZilla runtime Docker image by removing unnecessary app log samples and helper scripts, ensuring a leaner deployment package.
  • Performed syslog-ng performance tuning to enhance system responsiveness and stability.

Bug Fixes

  • Corrected host field data for Cisco Meraki events, ensuring accurate and reliable data representation.
  • Addressed a slowdown in search query updates for high traffic environments, improving responsiveness and user experience.
  • Fixed issues with the LogZilla restart command and development environment stabilization, resolving operational bugs and enhancing reliability.
  • Addressed bug in "logzilla snapshot" command.
  • Windows Agent: fixed file-lock and uninstallation issues in the Windows Syslog Agent for smoother operation and maintenance.
  • Resolved connectivity check issues in the Windows Agent, ensuring proper notifications are provided when communication issues arise.
  • Fixed a storage proxy error related to "Address already in use" by ensuring each storage proxy worker has its own zmq context, improving system reliability.

Quality of Life Improvements

  • Updated offline installation, making it easier for users to install and upgrade LogZilla in air-gapped environments.
  • Documented firewall configuration for RHEL 9 in the troubleshooting section, aiding users in ensuring necessary ports are open for LogZilla operations.
  • We've released fresh tutorials on crafting and utilizing Lua rules, empowering you to tailor LogZilla precisely to your requirements. For this and more educational content, make sure to explore LogZilla University for a comprehensive collection of training videos.

AI and Chatbot Enhancements

  • Fixed issues in chatbot version 0.6.0 and integrated AI chat with Slack, allowing for direct queries and enhanced user interaction through Slack.
  • Migrated AI chat to a separate repository, streamlining development processes and focus.
  • Implemented Slack notifications for user feedback on AI chat, ensuring immediate awareness and response to user input.

Release Notes - Version 6.31

New Features and Improvements

API Enhancements

  • Introducing @Rexler, an advanced AI chatbot designed to assist LogZilla users and developers. Rexler is equipped to answer questions about LogZilla software, provide guidance on features, and help troubleshoot issues. This new addition to the LogZilla team is a significant enhancement to our user support system. We invite you to join our Slack community to experience Rexler's capabilities firsthand and see how it can streamline your LogZilla experience.
  • Introduced a new widget type "Badges" for displaying simple counts on dashboards.
  • Enhanced the Dashboard Import And Export documentation for better user guidance.
  • Improved the Event Enrichment application documentation to facilitate user understanding.
  • Updated documentation for the 'logzilla license info' command for license management.
  • Updated the 'logzilla config' shell command documentation to reflect the latest options.
  • Added stage 1 of our Kubernetes implementation, setting the foundation for future scalability and high availability (HA) capabilities.

UI and Documentation

  • Resolved issues with missing images in the user interface documentation.
  • Clarified that Lua rules are prioritized over old-style parser rules in the documentation.
  • Updated the GeoIP how-to video documentation with a new link: GeoIP How-To Video.
  • Reorganized and refactored the module and source code in the repository to improve internal development processes.
  • Enhanced the UI Help documentation with the correct command for adding disk space.
  • Revised the offline installation and upgrade method documentation for clarity and accuracy.
  • Updated the search syntax documentation to assist users with advanced query construction.

Developer Tools

  • Replaced all backend scripts with API calls in preparation for Kubernetes integration.
  • Created a new LogZilla App Development guide for AppNeta Event Integration.
  • Added a Fluent Bit destination option to the LogZilla forwarder.

Triggers and Rules

  • Refactored triggers to streamline processing and moved trigger rewrites to the parser module.
  • Introduced a Stop flag option in triggers to allow multiple matches on incoming events.
  • Documented the application of Lua rules before old-style parser rules for event processing.

Bug Fixes

  • Fixed a timeout issue with the 'logzilla rules add' command.
  • Addressed a problem where non-Lua parser rules would generate high cardinality tag errors in the logs.
  • Resolved a bug in the logzilla triggers update command.
  • Eliminated the "Storage Address already in use" error to prevent conflicts.
  • Improved search query performance on systems with high traffic volumes.
  • Implemented Syslog-ng fixes and performance tuning to enhance system reliability.

Release Notes - Version 6.30

API

Tasks

  • Introduced the capability to match on CIDR in event enrichment rules.
  • Enhanced the management of custom syslog-ng files.
  • Updated the Cisco Meraki app based on customer feedback.
  • Rectified the install script to display the host IP instead of the Docker IP.
  • Added "Introduction Video on Dashboards" to YouTube and the documentation.

Bug Fixes

  • Resolved a TypeError issue in Postgres.
  • Fixed the issue where adding email addresses in trigger alerts didn't work if the email wasn't tied to an LZ user account; it now functions correctly.
  • Corrected the problem where garbage input sent to module sockets could cause a crash.

UI

  • Fixed the user tag filter selector that was broken for names containing spaces.

Release Notes - Version 6.29

API

Task

  • Improved error handling for the Event Enrichment app.
  • Fixed an issue with improper parsing in the Meraki app. It is now functioning correctly.
  • Resolved an issue with Cisco mnemonics parsing.
  • The Cisco IOS app is now enabled by default for new installations.
  • Developed a standalone client for Cisco eStreamer.
  • Implemented improvements to the rule validator.
  • Updated the Cisco FirePower Apps.

Bug Fixes

  • Upon changing their password, users are now required to confirm their current password.
  • Resolved an issue where the Tools dropdown on the Triggers page was only visible to the admin user.
  • Fixed an issue where modifications to apps could cause upgrade failures.
  • The 'logzilla rules add' command now validates file extensions.
  • Updated the Linux Bind app to remove invalid widgets.
  • The issue with the 'Mark as non-actionable' feature in triggers has been fixed and is now operational.

Release Notes - Version 6.28

API

  • Fixed an issue with our PCI Compliance tool.
  • Fixed an issue where some user tag values were not populating in event display.
  • Fixed some typos in App Description.

Documentation

  • Documented port number to name translation.
  • Rewrote docs to use YAML as examples instead of JSON.

Release Notes - Version 6.27

API

Tasks

  • Updated the PaloAlto dashboard.

Bugs

  • Fixed some missing images from UI docs.
  • Fixed an issue where LZ would not start when a user removed a required config file.

Release Notes - Version 6.26

API

Tasks

  • Added a link to the LogZilla Windows agent to the product documentation.
  • Added a 'Clone trigger' option on the triggers drop down menu.

Release Notes - Version 6.25

API

Tasks

  • Added EULA to the LogZilla command line install.
  • Added a test for internal/reserved words when users use one of them in a dashboard.
  • Updated the Fortigate App to not use an internal reserved type name.
  • When a user navigates away from a search result, the query would continue to run. Now it doesn't.
  • Upgraded base images for boost and python libs.
  • Added UI documentation for changing the default location of LogZilla Archive files.
  • Added search filter for meta tag list when editing widget filters.
  • Added an auto-stop for LogZilla when host OS disk is full.
  • Added UI docs for rsyslog multiline configuration.
  • Added documentation for setting up Avaya Communication Manager.

Bugs

  • Improved search button behavior.
  • Fixed gunicorn logs format.
  • Fixed 'du' celery errors.
  • Updated Linux DHCPd Cardinality Tag for DHCP Client ID.
  • Fixed send mail test.

Release Notes - Version 6.24

API

Tasks

  • Updated TLS documentation.
  • Converted logzilla ldap command line options to import a config file rather than multiple command line options.
  • Updated LDAP configuration documentation.
  • Updated UI Help documentation section 4.17.
  • Added UI documentation for receiving events via httpx.
  • Added a feature to allow user to configure syslog TLS without custom config.

Bugs

  • Fixed a UI bug where the selected option in the admin section wasn't showing the current value.

App Store

  • Updated the Cisco ISE App with new tags.
  • Added MITRE descriptions and category translations to Trendmicro App.

Release Notes - Version 6.23

API

Tasks

  • Added support for Docker cgroups used in Ubuntu 22.04.
  • Added README docs for Appstore apps that didn't have them.
  • Updated Cisco Mnemonics Database for FirePower Threat Defense events.
  • Fixed long message expansion when in duplicate view mode.
  • Updated documentation for UI Help section 4.12, 7.2, and 7.4.
  • Added support for multiline logs from rsyslog relay agents.
  • Updated LogZilla port mappings in UI Help Documentation.
  • Allow windows agent to select events by nested event type. Added unicode/foreign character support to the Windows agent.
  • Updated the way users add custom syslog-ng rules.
  • Added a log replay option to the 'logzilla sniffer' command.
  • Added an 'info' option to the 'logzilla license' command to display license expiration and epd limit.

App Store

  • Added a README for the Cisco FTD app.
  • Added apps for Fortigate FortiOS, TrendMicro, Avaya Call Manager, and HP Procurve and Aruba.
  • Added an app for SNARE-based Windows events.

Bugs

  • Fixed a bug where dashboard imports from the UI would glitch when the export was done from the console.
  • Fixed an issue with Sphinx index names and time zones.
  • Changed the 'logzilla install' command to use standard ports where they are not already in use.

Release Notes - Version 6.22

API

Tasks

  • Added a filter bar for installed apps.
  • Added a feature to send events from syslog instances to LogZilla with http(s) protocol.
  • When clicking to the next page in search results, the view will now go to the top of the page.
  • Updated Cisco Mnemonic Database for Cisco Nexus gear.

Bugs

  • Fixed an issue where long messages wouldn't expand in duplicate view mode.
  • Fixed the shell install/upgrade message where the "open http://xxx to get started" was displaying the incorrect interface.

App Store

  • Fixed an issue where the Sonicwall dashboard was showing non-Sonicwall events due to a missing program filter.

Release Notes - Version 6.21

API

Tasks

  • Moved all http endpoints to /incoming.
  • Added the ability to tag incoming IP addresses with GEOIP information.
  • Updated user documentation for syslog-ng network connections.
  • Updated LZ Firehose documentation.
  • Added the option to set a default dashboard for all users.
  • Updated documentation on LogZilla port usage.
  • Added option to store events for PCI compliance.
  • Added an option to enable syslog debug logs.
  • Added the ability to use custom syslog-ng rules in /etc/logzilla/syslog-ng/conf.d.
  • Added user tags columns in search results.
  • Changed the 'logzilla config' usage for HTTP and SYSLOG port mappings. See UI Help section 4.15 for details.

App Store

  • Added dashboard filters for Sonicwall app.
  • Added a Date/Time normalizer.
  • Added an app readme for Cisco FMC.
  • Renamed FMC dashboard to indicate FMC.
  • Added Linux dnsmasq rules and dashboard.
  • Added Linux dhcpd rules and dashboard.
  • Added App for SNARE-based Windows events.
  • Added Fortigate FortiOS rules and dashboard.

Release Notes - Version 6.20

API

Tasks

  • Added compression for older LogZilla operational logs.
  • Removed the logzilla kinesis container in favor of Firehose.
  • Increased the result limit in query bar dropdown filters for Host, Program, etc.

Bugs

  • Fixed a bug where "logzilla reset --events" didn't remove programs or hosts.
  • Fixed a bug where, after upgrades, the browser cache required clearing.

Appstore

  • Added new apps with rules and dashboards for TrendMicro, Sonicwall, Nginx, Infoblox, Arcsight, Barracuda, Linux PAM, and Linux Iptables.
  • Changed AWS VPC Flow icon.
  • Improved performance of app install/uninstall.
  • Added display of readme/docs for individual apps in the App Store UI.
  • Fixed some issues with the Cisco ASA app.
  • Added more mnemonic logic for Cisco ASA/FTD app.
  • Fixed a bug in the search that would return incorrect results.
  • Fixed a bug where the UI did not show mark actionable status on Appstore triggers.

Release Notes - Version 6.19

API

Tasks

  • Added documentation for LDAP certificate usage.
  • Events dropped in parser rules will no longer count against a license's EPD limit.
  • Appstore: Added more triggers to Cisco and Juniper apps.
  • Appstore: Added Sonicwall rules and dashboards.
  • Appstore: Added rules and dashboards for Zeek security.
  • Added a 'logzilla reset' shell command to clear all data, events only, or reset the admin password.

Release Notes - Version 6.18

API

Tasks

  • Updated Help section documentation.
  • Added additional rules to the MS Windows app.
  • Updated UI docs for Windows Syslog Agent.
  • Added columns for user tags to search results.
  • Added appstore app documentation for Cisco ISE.
  • Added appstore documentation for Juniper unstructured data.
  • Added appstore documentation for NGinx.
  • Added the ability to forward logs from other sources through the Windows agent.
  • Upgraded the postgres container for security compliance.
  • Created a visibility attribute for custom appstore apps.
  • Updated UI docs for lua rules feature.
  • Added a "logzilla config" option to set UI session timeouts (SESSION_COOKIE_AGE). Default is 2 weeks.

Bugs

  • Fixed the Cisco ISE step_info rule bug.

Release Notes - Version 6.17

API

Tasks

  • Added a configuration option for ldap tls certificates.
  • Upgraded Postfix container to the latest release.
  • Scripts have been moved from a container to the host directory /etc/logzilla/scripts.
  • Updated the ssh config to allow the UI to connect to older Cisco devices.
  • App Store: Added rules and dashboards for Juniper devices.
  • Moved logzilla container logs from a container to the host directory /var/log/logzilla.
  • Only allow executable and non-hidden scripts in the trigger menu.
  • Added the ability to use placeholders when using webhook GET option in triggers.

Bugs

  • Cisco widgets were missing in the "add widget" list.
  • Resolved issue where RHEL/CentOS users would periodically experience install errors when IPv6 was disabled in the host kernel.

Release Notes - Version 6.16

API

Tasks

  • Resolved issues with the Watchguard app.
  • Added Docker support for cgroups v2.
  • Added API calls for configuring items in the Appstore.

Bugs

  • Fixed an issue where search results for MAC addresses were slow.

Release Notes - Version 6.15

API

Tasks

  • When typing long strings in the Query box, only a portion would be viewable, so we've enabled auto-expansion of that box for long queries.
  • Updated AWS Kinesis reception for appstore changes.

Bugs

  • When a forwarder destination was unreachable, it would sometimes cause LZ to stop processing incoming events; this no longer happens.
  • Expanded search character limit beyond the default of 42 characters.
  • Fixed a bug where some widgets would refresh too often.
  • Increased buffer limits in the Redis container.

UI

Tasks

  • Added a column selector option in widgets so users can select the information displayed.

Release Notes - Version 6.14

New Features

App Store

LogZilla v6.14 includes a major update which now offers an App Store allowing users to add rules, dashboards and triggers at the click of a button.

The new app store is available in the UI under the Settings menu.

In this initial release, we have added apps for the following types:

  • Cisco ASA
  • Cisco Firepower
  • Cisco Meraki
  • Cisco route/switch
  • Cisco WLC
  • Microsoft Windows
  • Palo Alto
  • Watchguard

Future releases will include most, if not all, of the rules currently located in the Packages and Rules directories on GitHub.

AWS Kinesis Firehose Receiver

Customers may now send their Firehose data streams using http(s) to the LogZilla API using the /firehose URL.

E.g.: http://logzilla.mycompany.com/firehose
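The following is an added example, not LogZilla's own code, of what a receiver behind a URL like the /firehose endpoint above has to handle. It assumes the request shape that AWS documents for Kinesis Data Firehose "HTTP endpoint" destinations (the X-Amz-Firehose-* headers, a JSON body with requestId, timestamp and base64-encoded records, and a JSON reply echoing the requestId); the access key, stream ARN and log lines are constructed for the example.

```python
import base64
import hmac
import json
import time

# Constructed sample of one Firehose HTTP-endpoint delivery. The shared access
# key, the source ARN and the two syslog lines are made up for this example.
ACCESS_KEY = "example-shared-access-key"

SAMPLE_HEADERS = {
    "X-Amz-Firehose-Protocol-Version": "1.0",
    "X-Amz-Firehose-Request-Id": "ed4acda5-034f-9f42-bba1-f29aea6d7d8f",
    "X-Amz-Firehose-Source-Arn": "arn:aws:firehose:us-east-1:123456789012:deliverystream/example",
    "X-Amz-Firehose-Access-Key": ACCESS_KEY,
    "Content-Type": "application/json",
}

SAMPLE_LOG_LINES = [
    "<134>Jan  1 12:00:00 fw01 kernel: iptables DROP IN=eth0 SRC=203.0.113.5",
    "<86>Jan  1 12:00:01 host7 sshd[1234]: Accepted publickey for ops from 198.51.100.9",
]

# Firehose base64-encodes each record's payload inside the JSON body.
SAMPLE_BODY = json.dumps({
    "requestId": SAMPLE_HEADERS["X-Amz-Firehose-Request-Id"],
    "timestamp": 1704110400000,
    "records": [{"data": base64.b64encode(line.encode()).decode()} for line in SAMPLE_LOG_LINES],
})


class FirehoseRejected(Exception):
    """Raised when a delivery must be answered with a non-2xx status."""

    def __init__(self, status, message):
        super().__init__(message)
        self.status = status


def parse_firehose_delivery(headers, body, expected_key):
    """Validate one delivery and return (request_id, decoded_records).

    The shared access key is compared in constant time, the protocol version
    and JSON structure are checked, and each record payload is base64-decoded
    back to the original text line. Any failure raises FirehoseRejected.
    """
    presented = headers.get("X-Amz-Firehose-Access-Key", "")
    if not hmac.compare_digest(presented.encode(), expected_key.encode()):
        raise FirehoseRejected(401, "access key mismatch")
    if headers.get("X-Amz-Firehose-Protocol-Version") != "1.0":
        raise FirehoseRejected(400, "unsupported protocol version")
    try:
        payload = json.loads(body)
        request_id = payload["requestId"]
        records = payload["records"]
    except (ValueError, KeyError, TypeError) as exc:
        raise FirehoseRejected(400, f"malformed delivery: {exc}")
    if request_id != headers.get("X-Amz-Firehose-Request-Id"):
        raise FirehoseRejected(400, "requestId does not match header")
    decoded = []
    for rec in records:
        try:
            decoded.append(base64.b64decode(rec["data"], validate=True).decode("utf-8"))
        except (KeyError, TypeError, ValueError, UnicodeDecodeError) as exc:
            raise FirehoseRejected(400, f"bad record payload: {exc}")
    return request_id, decoded


def firehose_response(request_id, error=None):
    """Build the JSON reply Firehose expects: requestId, millisecond timestamp, optional errorMessage."""
    resp = {"requestId": request_id, "timestamp": int(time.time() * 1000)}
    if error:
        resp["errorMessage"] = error
    return resp


def handle(headers, body, expected_key=ACCESS_KEY):
    """Simulate the endpoint: returns (http_status, response_body, decoded_records)."""
    try:
        request_id, records = parse_firehose_delivery(headers, body, expected_key)
    except FirehoseRejected as exc:
        rid = headers.get("X-Amz-Firehose-Request-Id", "")
        return exc.status, firehose_response(rid, str(exc)), []
    return 200, firehose_response(request_id), records


if __name__ == "__main__":
    status, resp, recs = handle(SAMPLE_HEADERS, SAMPLE_BODY)
    print(status, resp)
    for line in recs:
        print(line)
```

A rejected delivery (wrong key, wrong protocol version, malformed JSON or a record that is not valid base64) is answered with a non-2xx status and an errorMessage so that Firehose retries or backs the batch up rather than silently dropping events.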

Lua-based rules

The LogZilla rules engine now supports Lua.

Lua is a powerful, efficient, lightweight, embeddable scripting language supporting procedural programming, object-oriented programming, functional programming, data-driven programming, and data description.

The addition of Lua increases LogZilla's rule parsing performance by a factor of 10 (it was already fast, but now it's faster) and also adds much more flexibility to data manipulation in real time.

Docker Volume Locations

Most of LogZilla's configuration files are now stored on the host OS at /etc/logzilla providing much easier access to power-users.

/etc/logzilla/
├── apps
├── forwarder.d
├── nginx
├── rules
│   ├── enabled
│   ├── system
│   └── user
├── sec
├── syslog-ng
└── telegraf

Windows Event ID Descriptions

We've added a knowledge base of Windows Event IDs, accessible in the "Description" column in search results. Selecting the ID will provide:

  • Full Description
  • Category
  • Sub Category
  • Auditing
  • Volume
  • PCI
  • Command
  • Tags
  • Operating Systems this EID applies to
  • URL Reference

API Updates

Tasks

  • Improved diagnostics for App Store rules.
  • Upgraded libraries for CPP & Python.
  • Added Lua scripting rules feature to improve App Store performance.

Bugs

  • Fixed a bug where data corrupted by OS disk failure could prevent LZ from archiving data.
  • Fixed Cisco FirePower events being marked as Cisco for the program name rather than Cisco FirePower.
  • Set archiving to ignore locked chunks.
  • Corrected issue where some MAC OUIs weren't displaying properly in search results.
  • Offline (Air-Gapped) installs were failing when a license couldn't be downloaded from the internet. Instead of failure, it will now provide instructions for downloading the license manually.
  • Widgets set to "same as dashboard" time range were defaulting to last hour in searches.
  • When adding a new dashboard, some user tags weren't showing in widgets by their correct name.
  • Minor bug fixes for command line scripts.

UI

Tasks

  • Changed "Mnemonic" Column in search results to "Description" which now shows both Cisco and Windows descriptions.

Bugs

  • Fixed notification row expansion of long messages.

Release Notes - Version 6.13

API

Tasks

  • Added a logzilla admin command line option for removing dashboards.
  • Set a default retention period for InfluxDB to prevent excessive disk space use.

Bugs

  • Fixed an issue where the epd widget was not matching the counter for "Today" in the top menu.
  • LDAP bind passwords with certain special characters would fail authentication. This has been resolved.
  • Fixed issue where user tags with null values would have a value of '-'.
  • Fixed an issue where certain time ranges would incorrectly return no results.
  • Fixed an issue where events with broken encoding would cause an exception.
  • Corrected an import bug for the script_docker_image key.
  • Fixed an issue where cloud instances would change their license key during upgrades.
  • Fixed a bug where non Cisco events were being detected as mnemonics.

UI

Tasks

  • Updated documentation for the 'logzilla query' command.

Release Notes - Version 6.12

API

Tasks

  • Intermittently, the EPD widget would show the wrong count for today's events. This has been resolved.

Bugs

  • Fixed a problem where the 'logzilla query' would fail.
  • Upgraded Nginx to patch the CVE-2019-20372 vulnerability.

UI

Tasks

  • On occasion, reordering Triggers would require a page refresh to show the new location. This has been resolved.

Release Notes - Version 6.11

API

Tasks

  • Added the ability to flag user tags as high cardinality to avoid high memory utilization.
  • Removed enabling Indicators of Compromise from the UI Settings. This can still be done with the 'logzilla config' command.
  • Fixed missing swagger API descriptions and summaries in /api/docs.

Bugs

  • Fixed an issue where systems with a low number of events per day were seeing higher than expected CPU utilization.

UI

Bugs

  • Fixed adding multiple widgets.
  • The 'Mark as read' option on the Notifications page now marks items as read.

Release Notes - Version 6.10

API

Tasks

  • Since archives are now searchable, the total event count will now include archived events.
  • Removed backward compatibility for v6.1.4 and older.
  • LogZilla now supports searching archived data without having to restore.

UI

Tasks

  • Added a field showing whether users and groups were created locally or imported from LDAP.

Bugs

  • Selected items in widgets were not being sorted to the top for visibility. This has been fixed.

  • Fixed a broken hyperlink to the Help section on the Trigger edit page.

Release Notes - Version 6.9

API

Tasks

  • Lowered the frequency of email alerts when disk space on the server is running low.
  • Better handling of out-of-disk-space problems.
  • Added support for SSL in Splunk HEC Forwarder.
  • Changed output of the 'logzilla rules add' command to make it more helpful when rules already exist.
  • Added the ability to include user tag information to Trigger email alerts.
  • New Forwarder destination: Splunk HTTP Event Collector. Both HTTP and HTTPS are supported.
  • Added the ability to extract key value pairs from tsv and csv formatted messages to rewrite rules.
  • Unused docker images will now be removed from host if not used. This behavior is controlled by PRUNE_DOCKER_IMAGES config item.
  • Replaced the LOG_INTERNAL_COUNTERS config entry with INTERNAL_COUNTERS_MAX_LEVEL.
  • Added the use of wildcards in loading of rules, dashboards, and triggers when using command line.
  • The 'logzilla forwarder --stats' command now shows forwarder stats per target.

Bugs

  • Fixed an issue where LogZilla would not start if a forwarder destination was non-routable.
  • Fixed problems with LogZilla start after system reboot.
  • Feeder buffer performance improvements.
  • Added verification of values being set in rewrite section of parser rules.
  • Upgraded the lz_etcd image to version 3.2 to resolve issues that occurred when servers ran out of disk space.
  • Fixed a timeout issue that occurred when adding triggers in the shell.
  • New triggers are now added at the top of the list in the UI.

UI

Bugs

  • The EPD widget, when set for 7 days, was showing an incorrect event count. It now displays the correct number.

Release Notes - Version 6.8

API

Tasks

  • Added Severity and Facility to widget's field options.
  • Using the 'counter' option in the 'field' for forwarder rules stopped working. Now it's working again.
  • Rotated, very old internal logs will now be removed.
  • Forwarder rules can now use the YAML format.
  • Added the "logzilla download" command to simplify offline installs.
  • For trigger scripts which require extra libraries or programs such as perl modules, you may use your own docker image containing all required modules. You may also use any images found on docker hub.

Bugs

  • Fixed a bug that prevented long running auto archive processes from finishing.
  • Fixed a bug that prevented 'logzilla config' from clearing a value.

UI

Bugs

  • Adding a new trigger would put it in the second position. It will now put it at the top of the list.

Release Notes - Version 6.7

API

Tasks

  • "passwd" command renamed to "password".
  • Rewrite rules can now split kv pairs based on a client-defined separator.
  • Some portions of the install script didn't use proxy settings. Now they do.

Release Notes - Version 6.6

API

Tasks

  • Rewrite rules can now split kv pairs based on a client-defined separator.
  • logzilla "passwd" command renamed to "password".

UI

Bugs

  • The ability to change dashboard names was not working, this has been fixed.

Release Notes - Version 6.5

API

Tasks

  • Moved event correlation from Trigger scripts to a separate container.
  • Added logzilla kinesis for ingesting data from AWS Kinesis Stream.

UI

Bugs

  • By default, dashboards created by the admin user were not public. We added an option to make them public when creating new ones.
  • Added a notification in the UI when a new LogZilla version is available.
  • Bar charts in widgets will no longer refresh when there is no new data.

Release Notes - Version 6.4

API

Tasks

  • Added support for YAML format in import/export rewrite rules, dashboards, and triggers.

Bugs

  • Support UTF-8 characters in command line scripts.
  • logzilla commands show help when called with no arguments (where applicable).
  • Fixed a bug in the cpp sender/syslog that caused data loss during reconnect.

Release Notes - Version 6.3

API

Tasks

  • Improved the performance of InfluxDB queries.
  • Added /api/version URL to get the currently installed version.
  • Added "logzilla forwarder" for printing and importing forwarder configuration.
  • Updated the logzilla rules command so that adding, editing, or removing rules would automatically reload them.
  • Added feature to backup and restore users, triggers, dashboards, and rules.

Bugs

  • Influx was available for network connections. It is now restricted to the localhost.
  • Fixed problems with the 'logzilla snapshot restore' command.
  • Resolved an issue where invalid rules could still be added. Rules are now tested on adding, and NOT added if they fail.
  • Trying to list dashboards in the shell would export them. Now it lists them properly.
  • Exporting rules would drop numeric prefixes in the names. This caused users to lose the order of those rules, now it retains the full original name.
  • Added support for non-interactive uses of the logzilla command.
  • The syslog container has been modified to listen on the host network address. This fixes an issue where UDP-based messages would be mistakenly identified as being received from the container address.

Release Notes - Version 6.2

API

Tasks

  • Added a migration for ldap settings from v5 to NEO.

Bugs

  • Fixed issue where upgrading or restarting LogZilla would fail if the license was expired.
  • Moved custom syslog-ng config files from the container to a volume so they wouldn't be lost when restarting the container.
  • Simplified usage of the "logzilla config" script.
  • Removed several internal warning messages that were informational.
  • Fixed issue where imported dashboards could only be viewed by the admin account in the UI.
  • Fixed a bug in the event forwarder where it would stop sending when the destination host went down.

Release Notes - Version 6.1

API

Tasks

  • Changed the AUTO_MALWARE_RULES_UPDATE default value to false.
  • "config" alias for "configmanager"; defaults to --list with no args; --list is now sorted alphabetically.

Bugs

  • Critical bug for upgrade 6.0 -> 6.1+ fixed.
  • Upgrading from v6.0.0 correctly updates containers again.
  • Fixed problem in migration from v5 to v6. Also adds a check for a deb based install and prompts user asking if they want to migrate.

Release Notes - Version 6.0

API

Tasks

  • Updated the Cisco: NetOps Events dashboard on new installs.
  • Syslog-ng now supports the add-contextual-data directive.
  • Added option in the forwarder to send the first event immediately rather than after the deduplication window.

Release Notes - Version 5.99

API

Tasks

  • Removed PaloAlto dashboards from the default install. These are still available from github.com/logzilla.
  • Changed the 'logzilla rules performance' command to only require a path when the user has changed the default location.
  • Added the 'logzilla version' command to display the installed version.

Bugs

  • Added a warning when Docker installation fails on systems with low resources.

Release Notes - Version 5.94

API

Tasks

  • Previously, exceeding the license limit would lock access to the UI immediately. Lockout now won't occur until the limit is exceeded 3 days in a row.

Bugs

  • Key-value parser now correctly recognizes empty values.
  • LDAP was temporarily broken by a new version of a dependency. Now it's fixed.

UI

Bugs

  • Made some widget sections more human readable.
  • Built in some information checks to refresh information after upgrades so users won't have to clear their browser's cache.
  • Tweaked the UI color scheme.

Release Notes - Version 5.93

Note: This will be the last release of LogZilla using .deb packages. LogZilla v6 will be released in September, 2018 and will be docker-based. Install guides and documentation will be updated soon along with upgrade options.

Release Notes - Version 5.90

API

Tasks

  • Added a syntax checker to the lz5rules reload command.
  • Added a rule parser function to skip rules which do not pass JSON syntax validation.
  • Added the ability to feed data from multiple streams simultaneously into the lz5feeder command.

Bugs

  • Ensure that the disk-based buffer lock file is removed if the feeder is killed by the user.
  • Cisco Mnemonic queries were throwing a 500 error in some browsers.
  • Added safety check to archive restore process to ensure that the user doesn't try to import the same data more than once.

UI

Bugs

  • Fixed div boundaries in the license information display.

Release Notes - Version 5.89

API

Tasks

  • During registration, the admin email will now be set as the email address listed in the registration instead of a generic email example.

Bugs

  • Fixed Network performance chart for hourly not displaying properly in some browsers.

UI

Features

  • Users may now pass search parameters directly into the browser's URL instead of using the UI forms. (GET vs. POST)

Bugs

  • Provided workaround for old versions of Firefox containing a bug that causes SVG-based icons to not show in the browser.

Release Notes - Version 5.88

API

Tasks

  • Enhanced performance on incoming event processing.
  • Right-click->execute script was borked in the search results page. We unborked it.
  • Added automatic repair of missing data resulting from end-user disk full.
  • ParserModule performance degradation was a tad overzealous in its warnings. After a holiday, it's now much more relaxed.
  • Ensure that command line tools run using sudo do not change file permissions for the logzilla user.

  • Bugs

  • RBAC was not RBAC'ing properly for some environments. It does now.
  • Added better escaping for invalid user-created patterns in /etc/logzilla/rules.d

Release Notes - Version 5.87

API

  • Added better error reporting for invalid rules (such as poor regex patterns)
  • Added ability to set actionable or non-actionable flags using rules in /etc/logzilla/rules.d
  • Added command line tool lz5rules performance which allows performance testing of rules located in /etc/logzilla/rules.d
  • Added ability to import old data streams (previous versions would only accept "real time" data).
  • JSON export of dashboards or triggers containing some unicode characters would fail to export.
  • API Requests should return "Access Denied" rather than a generic "403" error
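The 5.90, 5.88 and 5.87 entries above all concern the same loader behaviour: validate rule files in /etc/logzilla/rules.d for JSON syntax and for bad regex patterns, skip what fails, and report why. The following is an added example of such a loader, written for this page; it is not LogZilla's own code. The rule schema (a JSON list of objects with a "match" regex and an optional "rewrite" template), the file names and the file contents are all constructed assumptions.

```python
import json
import os
import re
import tempfile

# Constructed sample rule files. The schema is an assumption for this example
# (a file holds a JSON list of rules, each with a "match" regex and an
# optional "rewrite" template); it is not LogZilla's documented format.
SAMPLE_RULES = {
    "10-ssh.json": json.dumps([{
        "comment": "failed ssh logins",
        "match": r"Failed password for (?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)",
        "rewrite": "ssh-auth-fail user=${user} src=${src}",
    }]),
    "20-broken-json.json": '[{"match": "foo",}]',              # trailing comma
    "30-bad-regex.json": json.dumps([{"match": "(unclosed"}]),  # unbalanced paren
    "40-not-a-list.json": json.dumps({"match": "x"}),           # wrong top-level type
    "README.txt": "not a rule file, must be ignored",
}

def validate_file(name, text):
    """Validate one rule file. Returns (rules, problems): the compiled rules
    that passed, and a list of (file name, reason) for everything skipped."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        # The whole file is skipped; line/column lets the author find the typo.
        return [], [(name, f"invalid JSON at line {exc.lineno} col {exc.colno}: {exc.msg}")]
    if not isinstance(data, list):
        return [], [(name, "top-level value must be a JSON list of rules")]
    rules, problems = [], []
    for idx, rule in enumerate(data):
        pattern = rule.get("match") if isinstance(rule, dict) else None
        if not isinstance(pattern, str):
            problems.append((name, f"rule {idx}: missing 'match' string"))
            continue
        try:
            regex = re.compile(pattern)
        except re.error as exc:
            # A bad regex skips only this rule, not the whole file.
            problems.append((name, f"rule {idx}: invalid regex: {exc}"))
            continue
        rules.append({"source": name, "regex": regex, "rewrite": rule.get("rewrite")})
    return rules, problems

def load_rules(rules_dir):
    """Load every *.json file in rules_dir in sorted (priority) order."""
    rules, problems = [], []
    for name in sorted(os.listdir(rules_dir)):
        if not name.endswith(".json"):
            continue
        with open(os.path.join(rules_dir, name), encoding="utf-8") as fh:
            ok, bad = validate_file(name, fh.read())
        rules.extend(ok)
        problems.extend(bad)
    return rules, problems

def demo():
    """Write the constructed files to a temporary directory and load them."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in SAMPLE_RULES.items():
            with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return load_rules(d)

if __name__ == "__main__":
    loaded, skipped = demo()
    for r in loaded:
        print("loaded ", r["source"], r["regex"].pattern)
    for name, why in skipped:
        print("skipped", name, why)
```

The point of splitting validate_file from load_rules is that a reload command can run the validator alone as a syntax check and refuse to touch the running parser when anything fails, while the parser's own startup path uses the same function and simply drops the bad rules.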

Release Notes - Version 5.86

API

  • Added lz5stats command line option to provide a quick summary of current server metrics
  • Removed version dependencies for syslog-ng
  • Moved "Cisco Most Actionable" trigger to the last position so that it fires after other more focused rules.

Release Notes - Version 5.85

API

  • Task
  • Allow lz5triggers export to export individual triggers
  • Add Malware IoCs as a tag for individual malware names
  • Set worker count during LogZilla install based on the server's available cores
  • Add rewrite for program on malware-iocs

  • Bug

  • Error when asking for malware-iocs rules: 404
  • When install fails, it sometimes doesn't give a reason

Release Notes - Version 5.84

FEATURE

  • Added LDAP Authentication
  • Added lz5rules to help users with adding/disabling/re-reading rule files from /etc/logzilla/rules.d
  • Added ability to set the hour of day in which Auto archive runs

API

  • Task
  • Reduced number of non-useful internal events
  • Average calculations should not include zeros when exporting data
  • Google and Yahoo code used in /api/docs is now stored locally instead of being loaded from third-party servers
  • Moved trigger tracking to internal tags for better performance.
  • Set default for User Tags feature to enabled

  • Bug

  • UT Source and Dst Ports were showing a "-" as one of the ports
  • Warnings in logzilla.log were more indicative of INFO than WARN
  • Auto archive cleanup was leaving some old files...which wasn't very "clean-y" of it...

UI

  • Bug
  • Widgets would display the incoming time of events as "in a few seconds" if the user's local system had a poorly synced or misconfigured clock.

Release Notes - Version 5.83

API

  • Task

  • Remove repeated trigger id from event TimePoints

  • Convert well-known ports to names and other ports to dynamic
  • [Performance] Improve duplication tps sorting
  • Updated rewrite rule for windows events

  • Bug

  • Triggered emails were translating some characters to HTML

  • Fixed Balabit/syslog-ng update bug (their repo crashed)

UI

  • Bug

  • Notifications badge wasn't updating count after delete

  • After clicking reset in query bar, pressing enter on text search would not trigger search (required actual click)
  • Context-sensitive right click menu (from widgets) was not...contexting.
  • Average Disk Usage Values were 5% off due to OS reserved space
  • Regression Fix: "Time Range" from the search bar got a little wonky
  • Regression Fix: Long messages in search results were not expanding upon click
  • Regression Fix: "Search using filters from this widget" went missing

Release Notes - Version 5.82

API

  • Feature

  • Converted all syslog-ng rules and patterns to parser rules at /etc/logzilla/rules.d

  • Added comments field capability to parser rules
  • Added basic LDAP support
  • Added basic Office365 LDAP support

  • Bug

  • ParserModule improvements

  • deb postinst was creating duplicate lines in /etc/default/sec
  • Parser restart on high EPS servers caused oot
  • Removed ip src/dst rule from distribution
  • Malware iocs were not auto-updating
  • Parser rule for junk programs renamed so that it fires later.
  • lz5dashboards export -l was not listing available dashboard ID's

UI

  • Feature
  • Added "Apply" button when setting custom time ranges

  • Bug

  • Red asterisk on settings>generic was missing description
  • UI Dashboard export broken on Firefox
  • Report generator was failing under some conditions.
  • Query parameter cache allowed an incorrect number of search results

Release Notes - Version 5.81

API

  • Feature
  • Added API pull from AlienVault's Open Threat Exchange (OTX), which automatically downloads the latest IoCs (indicators of compromise) such as malware and blacklist entries and adds them as a parser rule.
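As an added example of what the feature above does with a pulled feed (this is illustrative code written for this page, not LogZilla's implementation, and it does not call the OTX API): the indicators are normalised into an index and every incoming log message is checked for listed IPs, CIDR ranges and domains, with hits tagged. The feed payload, its shape (pulses holding typed indicators), the log lines and the "malware-ioc" tag name are all constructed assumptions.

```python
import ipaddress
import re

# Constructed stand-in for a pulled threat feed. The shape (pulses with typed
# indicators) is an assumption for this example, not a captured OTX response.
FEED = {"results": [
    {"name": "constructed-pulse", "indicators": [
        {"type": "IPv4", "indicator": "203.0.113.9"},
        {"type": "CIDR", "indicator": "198.51.100.0/24"},
        {"type": "domain", "indicator": "malware.example"},
        {"type": "hostname", "indicator": "c2.malware.example"},
        {"type": "FileHash-SHA256",
         "indicator": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    ]},
]}

def build_ioc_index(feed):
    """Normalise feed indicators into lookup structures; types that cannot be
    matched against a log line (file hashes here) are ignored."""
    idx = {"ip": set(), "cidr": [], "domain": set()}
    for pulse in feed["results"]:
        for ind in pulse["indicators"]:
            kind, value = ind["type"], ind["indicator"].strip().lower()
            if kind in ("IPv4", "IPv6"):
                idx["ip"].add(value)
            elif kind == "CIDR":
                idx["cidr"].append(ipaddress.ip_network(value, strict=False))
            elif kind in ("domain", "hostname"):
                idx["domain"].add(value)
    return idx

_IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)

def match_iocs(message, idx):
    """Return [(kind, value, reason)] for every indicator seen in one message."""
    hits = []
    for ip in dict.fromkeys(_IP_RE.findall(message)):       # unique, in order seen
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:                                   # e.g. 300.1.2.3
            continue
        if ip in idx["ip"]:
            hits.append(("ip", ip, "exact"))
            continue
        for net in idx["cidr"]:
            if addr in net:
                hits.append(("ip", ip, f"in {net}"))
                break
    for host in dict.fromkeys(h.lower() for h in _HOST_RE.findall(message)):
        labels = host.split(".")
        # A listed domain also covers its subdomains: walk up the label chain.
        for i in range(len(labels) - 1):
            parent = ".".join(labels[i:])
            if parent in idx["domain"]:
                hits.append(("domain", host, f"matches {parent}"))
                break
    return hits

def tag_events(lines, idx, tag="malware-ioc"):
    """Return (line, tags, hits) per event; events with any hit get the tag."""
    out = []
    for line in lines:
        hits = match_iocs(line, idx)
        out.append((line, [tag] if hits else [], hits))
    return out

# Constructed log lines (RFC 5737 / RFC 1918 addresses, fictitious hosts).
SAMPLE_LINES = [
    "Accepted publickey for deploy from 192.0.2.10 port 50022 ssh2",
    "Connection from 203.0.113.9 port 4444 on 10.0.0.5",
    "DNS query A www.c2.malware.example from 10.0.0.5",
    "outbound 10.0.0.7 -> 198.51.100.77:443 blocked by policy",
    "agent build 300.1.2.3 started",
]

if __name__ == "__main__":
    for line, tags, hits in tag_events(SAMPLE_LINES, build_ioc_index(FEED)):
        print(tags, hits, line)
```

Two details matter in practice: candidate IPs are validated with ipaddress before lookup so that version strings like 300.1.2.3 never produce a hit, and domain matching walks up the label chain so that a listed parent domain catches subdomains without a regex per indicator.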

  • Bug

  • Query Update Module would throw a segfault during calculation of LastN widgets. This would cause "spinning widgets" with no data in some cases.
  • After the back-end model update, adding groups was borked. We unborked it.
  • GeoIP lookups for IPs disappeared from the right-click menu on the search results page. We found him hiding in South America and made him come home ;)

UI

  • Bug
  • Add widget display has misaligned descriptions

Release Notes - Version 5.80

API

  • Feature
  • Replaced all default dashboards for new installs with the ones from LogZilla's GitHub account. Note: new dashboards will only be included during new installs, if upgrading, please visit GitHub for instructions.
  • Added many new enhancements to the parser rewrite feature including RegEx captures, ability to drop messages, and dynamic key/value pair recognition from RFC5424 events.
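The rewrite features listed above (regex captures feeding a rewrite, dropping messages, and key/value extraction from RFC 5424 structured data) are shown together in the following added example. It is code written for this page, not LogZilla's parser or its rule format: the rule schema ("match", "rewrite" with ${name} placeholders, "drop"), the two sample events and the host names are constructed assumptions. The same mechanism covers the grouped-match rewriting mentioned under 5.79.

```python
import re

# Hypothetical rewrite rules for this example (not LogZilla's own rule schema):
# "match" is a regex whose named groups feed the "rewrite" template via ${name};
# a rule with "drop": true discards the event entirely. First match wins.
REWRITE_RULES = [
    {"match": r"^Failed password for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)",
     "rewrite": "ssh-auth-fail user=${user} src=${src} port=${port}"},
    {"match": r"^pam_unix\(cron:session\): session (?:opened|closed)",
     "drop": True},
]

# RFC 5424 pieces: HEADER, then one or more SD-ELEMENTs or "-", then MSG.
_HEADER = re.compile(r"^<(\d{1,3})>(\d+) (\S+) (\S+) (\S+) (\S+) (\S+) ")
_SD_ELEMENT = re.compile(r'\[([^\s\]=]+)((?:\s+[^\s=\]]+="(?:[^"\\]|\\.)*")*)\]')
_SD_PARAM = re.compile(r'([^\s=\]]+)="((?:[^"\\]|\\.)*)"')

def _unescape(value):
    # RFC 5424 section 6.3.3: only '"', ']' and '\' are backslash-escaped in a PARAM-VALUE.
    return re.sub(r'\\(["\]\\])', r'\1', value)

def parse_structured_data(sd):
    """Turn STRUCTURED-DATA into {sd_id: {param: value}}; '-' (NILVALUE) gives {}."""
    if sd == "-":
        return {}
    return {m.group(1): {k: _unescape(v) for k, v in _SD_PARAM.findall(m.group(2))}
            for m in _SD_ELEMENT.finditer(sd)}

def parse_rfc5424(line):
    """Split an RFC 5424 line into header fields, structured data and MSG."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 header: %r" % line[:40])
    pri, rest = int(m.group(1)), line[m.end():]
    if rest.startswith("-"):
        sd_text, msg = "-", rest[1:].lstrip(" ")
    else:
        pos = 0
        while pos < len(rest) and rest[pos] == "[":
            em = _SD_ELEMENT.match(rest, pos)
            if not em:
                raise ValueError("malformed STRUCTURED-DATA")
            pos = em.end()
        sd_text, msg = rest[:pos], rest[pos:].lstrip(" ")
    return {"facility": pri >> 3, "severity": pri & 7, "timestamp": m.group(3),
            "host": m.group(4), "app": m.group(5), "procid": m.group(6),
            "msgid": m.group(7), "sd": parse_structured_data(sd_text), "msg": msg}

def apply_rewrite_rules(message, rules=REWRITE_RULES):
    """Return the rewritten MSG, or None when a rule drops it."""
    for rule in rules:
        m = re.search(rule["match"], message)
        if not m:
            continue
        if rule.get("drop"):
            return None
        groups = m.groupdict()
        def fill(tok):  # leave ${unknown} literal rather than crashing
            val = groups.get(tok.group(1))
            return tok.group(0) if val is None else val
        return re.sub(r"\$\{(\w+)\}", fill, rule["rewrite"])
    return message

def process_event(line, rules=REWRITE_RULES):
    """Parse, flatten SD params into 'sd_id.param' fields and rewrite MSG.
    Returns None when the event is dropped."""
    ev = parse_rfc5424(line)
    msg = apply_rewrite_rules(ev["msg"], rules)
    if msg is None:
        return None
    ev["fields"] = {f"{sd_id}.{k}": v
                    for sd_id, params in ev["sd"].items() for k, v in params.items()}
    ev["msg"] = msg
    return ev

# Constructed sample events (RFC 5424 framing, fictitious hosts and addresses).
SAMPLE_SSH = ('<34>1 2023-05-04T12:00:00Z bastion sshd 1234 - '
              '[auth@32473 ip="203.0.113.9" note="said \\"hi\\" \\\\ end"] '
              'Failed password for root from 203.0.113.9 port 51234 ssh2')
SAMPLE_CRON = ('<86>1 2023-05-04T12:00:01Z bastion CRON 4321 - - '
               'pam_unix(cron:session): session opened for user root')

if __name__ == "__main__":
    for line in (SAMPLE_SSH, SAMPLE_CRON):
        print(process_event(line))
```

Note that the structured-data parser honours the three RFC 5424 escape sequences inside parameter values; a naive split on double quotes would truncate the "note" value in the first sample and could let a sender smuggle fields into the record.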

UI

  • Feature
  • Many UI usability enhancements including FontAwesome 5 glyphs.
  • Added ability to run a query based on the filters set in a widget.

  • Bug

  • Ability to use boolean values in text search was borked; we unborked it.
  • Counters displayed "g" instead of "b" (for billion) when showing total events on the server.
  • Enter key was not performing a search after inputting search terms (users had to click the search button).
  • GeoIP lookup map had a misleading close icon.
  • Context-sensitive filter menu would sometimes appear off-screen when close to the search ribbon.
  • Querying invalid DNS lookups (for non-existent or internal IPs) would throw a 500 internal error instead of just telling the user it was an invalid IP.
  • Some UI icons were missing when using Chrome. We found them...hooray!

Release Notes - Version 5.79

  • Feature
  • Enable rewrite rules to use grouped matches while rewriting

  • Bug

  • apt-get dist-upgrade caused timeout when postgres was upgraded. LZ would restart automatically, but it was ugly. So we made it pretty.

Release Notes - Version 5.78

  • Maintenance
  • Maintenance release - nothing noteworthy :)

Release Notes - Version 5.77

API

  • Story
  • As a large enterprise customer, I need to have triggers on the most actionable Cisco events

  • Task

  • Improve future events buffer
  • Move Config outside the api.model
  • Allow Regex Patterns in /etc/logzilla/rules.d Rewrite Rules
  • Use storage filtering in queries
  • Internal counter cleanup
  • The version of syslog-ng installed should match the version in the syslog-ng.conf (fix for Balabit bug)
  • Unable to pass logs containing unicode into a trigger script
  • add support for INFLUXDB v1.3
  • Make sure tps is always sorted
  • Influx bug causes archive problems
  • Fix broken config migration for older versions
  • Remove absolute file path from logs

  • Bug

  • lz5sender test tool is missing the option to use TCP instead of UDP
  • Kaboom should not remove custom files in /var/lib/logzilla/scripts
  • Unable to import a single trigger (all triggers work)
  • Influx parse error

UI

  • Story
  • UI: Add display warnings for disk full alert

  • Task

  • Make phone field not required in the UI registration
  • Users should be asked to confirm when deleting a dashboard
  • Change "Search Cisco.com for this Mnemonic"

Release Notes - Version 5.76

  • Feature
  • Add event filters to storage
  • Rewrite parser workers to use threads

  • Bug

  • Fixed bug in multiple ParserWorkers
  • Excluding > 1 host made a widget not filter anything

Release Notes - Version 5.75

  • Feature
  • Added 900+ pre-configured Cisco Alerts
  • Allow multiple rewrite rules to be read from /etc/logzilla/rules.d

  • Task

  • Rewrite parser workers to use threads
  • Allow User Tags in rewrite rules
  • Moved /etc/logzilla* files into their own directory under /etc/logzilla
  • Make lz5archive/restore work "offline"
  • lz5manage/setup should only warn if syslog-ng is not running

  • Bug

  • .deb postinst missing apache restart
  • Fixed intermittent problems with multiple ParserWorkers

Release Notes - Version 5.74

  • Feature
  • Users may now share search result links

Release Notes - Version 5.73

  • Task
  • API: Add a UI option to register evaluation license

  • Bug

  • API: CPP filters - fix exclude operator (NE)
  • Fixed QueryUpdateModule WARNING queries_live_update_events
  • Modifying dashboard widgets now checks that the requesting user owns the dashboard before applying the change

Release Notes - Version 5.72

  • Feature
  • Ability to import and export Dashboards
  • Implemented multiple pre-built dashboards

  • Task

  • Improvements on lz5query command

  • Bug

  • Add widget modal had duplicated widget types in some browsers

Release Notes - Version 5.71

  • Feature
  • Added tag rules for Windows-based events
  • Added autoarchive and retention options to the UI
  • Added pre-built triggers for Cisco and Windows

  • Bug

  • Autoarchive was not updating storage counters post-archive
  • "Save To Dashboard" from search results was not saving to dashboard.
  • Modifying HH:MM:SS on search query bar was causing a search to start prior to actually clicking search.

Release Notes - Version 5.70

  • Feature
  • Added ability to search data using prefix wildcards
  • Added ability to change the min word indexing length
  • Added ability to set custom time ranges for Seconds value
  • Added ability to configure LogZilla not to use any auth methods (only appropriate where the UI and API are reachable solely from a trusted network)

  • Task

  • API: Add simple cache for chunk counters
  • API: Add a cache for influx dictionaries

  • Bug

  • set LOG_INTERNAL_COUNTERS default value to False
  • UI: Demo license is blank with only an exclamation
  • Creation of new users or triggers would not show until after a browser refresh

Release Notes - Version 5.69

  • Task
  • Query progress bar improvements
  • Better in-progress reporting for search queries
  • freeze_time option for queries
  • Remove time zone option from UI Settings page
  • Add EULA_ACCEPTED to settings

  • Bug

  • Check for and remove rest_framework_swagger
  • Mnemonic right-click fails if it contains a %
  • Fix indexer crash bug
  • license EPD exceeded bug
  • StorageStats query return null results for today preset

Release Notes - Version 5.68

  • Task
  • Create new trigger destination for Webhooks
  • Improve TopN performance
  • Added retention policy to rusage db

  • Bug

  • Fix query processing for relative past time range
  • Allow users to format outgoing webhooks
  • Query update memory crash

Release Notes - Version 5.67

  • Task
  • Added storage sync writes for performance improvement
  • Fix diskfree-alert in deb package

  • Bug

  • Query initial values for some time zones were invalid
  • Fixed query updates on new events during initialization

Release Notes - Version 5.66

  • Task
  • Remove duplicate trigger notifications
  • Timerange validator Improvements
  • Fix diskfree-alert in deb package

Release Notes - Version 5.65

  • Bug
  • Filter corruption when new tag contains empty value

Release Notes - Version 5.64

  • Task
  • Add ability to run 'or' boolean queries (Part 1 of 3)
  • Display Widget selected time ranges in widget title bar

Release Notes - Version 5.63

  • Task
  • Added command line lz5dashboards command for import and export of custom dashboards
  • Removed references to deprecated Graphite/Carbon/Whisper
  • Added Author and Author Email to Trigger environment variables
  • Disk IOPS widget now uses negative scale similar to Bandwidth Utilization
  • Bug
  • Widget gauges do not show up until turned off and on again
  • Pie slices not clickable on some of the slices
  • Unable to expand message text when it is displayed in a widget
  • Network Widget should show Bps/Kbps/Mbps/Gbps and not be stacked
  • Creating a new user with the same name as a deleted one fails with no error
  • Add New Dashboard failing for some browsers
  • Dedup settings update causes spinner on some browsers
  • Dashboard time change not working in some browsers

Release Notes - Version 5.62

  • Task
  • Create separated queues for tasks

  • Bug

  • lz5manage and lz5setup should check for dependency connections and wait (with timeout)
  • Search results caching causes incorrect count of matches