Release Notes - Version 6.28
API
- Fixed an issue with our PCI Compliance tool.
- Fixed an issue where some user tag values were not populating in event display.
- Fixed some typos in App Description.
Documentation
- Documented port number to name translation.
- Rewrote docs to use YAML as examples instead of JSON.
Release Notes - Version 6.27
API
Tasks
- Updated the PaloAlto dashboard.
Bugs
- Fixed some missing images from UI docs.
- Fixed an issue where LZ would not start when a user removed a required config file.
Release Notes - Version 6.26
API
Tasks
- Added a link to the LogZilla windows agent to product documentation
- Added a 'Clone trigger' option on the triggers drop down menu.
Release Notes - Version 6.25
API
Tasks
- Added EULA to the LogZilla command line install.
- Added test for internal/reserved words when users use one of them in a dashboard
- Updated Fortigate App to not use internal reserved type name
- When a user navigates away from a search result, the query would continue to run. Now it doesn't.
- Upgraded base images for boost and python libs.
- Added UI documentation for changing the default location of LogZilla Archive files.
- Added search filter for meta tag list when editing widget filters.
- Added an auto-stop for LogZilla when host OS disk is full.
- Added UI docs for rsyslog multiline configuration.
- Added documentation for setting up Avaya Communication Manager.
Bugs
- Improve search button behavior.
- Fixed gunicorn logs format.
- Fixed 'du' celery errors.
- Updated Linux DHCPd Cardinality Tag for DHCP Client ID.
- Fixed send mail test.
Release Notes - Version 6.24
API
Tasks
- Updated TLS documentation.
- Converted 'logzilla ldap' command line options to import a config file rather than multiple command line options.
- Updated LDAP configuration documentation.
- Updated UI Help documentation section 4.17.
- Added UI documentation for receiving events via httpx.
- Added a feature to allow user to configure syslog TLS without custom config.
Bugs
- Fixed UI bug where selected option in admin section wasn't showing the current value
App Store
- Updated Cisco ISE App with new tags
- Added MITRE descriptions and category translations to Trendmicro App.
Release Notes - Version 6.23
API
Tasks
- Added support for Docker cgroups used in Ubuntu 22.04.
- Add README docs for Appstore apps that didn't have them.
- Updated Cisco Mnemonics Database for FirePower Threat Defense events.
- Fixed long message expansion when in duplicate view mode.
- Updated documentation for UI Help section 4.12, 7.2, and 7.4.
- Added support for multiline logs from rsyslog relay agents.
- Updated LogZilla port mappings in UI Help Documentation.
- Allow windows agent to select events by nested event type. Added unicode/foreign character support to the Windows agent.
- Updated the way users add custom syslog-ng rules.
- Added a log replay option to the 'logzilla sniffer' command.
- Added an 'info' option to the 'logzilla license' command to display license expiration and epd limit.
App Store
- Added a README for the Cisco FTD app.
- Added apps for Fortigate FortiOS, TrendMicro, Avaya Call Manager, and HP Procurve and Aruba.
- Added an app for SNARE-based Windows events.
Bugs
- Fixed a bug where dashboard imports from the UI would glitch when the export was done from the console.
- Fixed an issue with Sphinx index names and time zones.
- Changed the 'logzilla install' command to use standard ports where they are not already in use.
Release Notes - Version 6.22
API
Tasks
- Added a filter bar for installed apps.
- Added a feature to send events from syslog instances to LogZilla with http(s) protocol.
- When clicking to the next page in search results, the view will now go to the top of the page.
- Updated Cisco Mnemonic Database for Cisco Nexus gear.
Bugs
- Fixed an issue where long messages wouldn't expand in duplicate view mode.
- Fixed the shell install/upgrade message where the "open http://xxx to get started" was displaying the incorrect interface.
App Store
- Fixed an issue where the Sonicwall dashboard was showing events for non-Sonicwall events due to a missing program filter.
Release Notes - Version 6.21
API
Tasks
- Moved all http endpoints to /incoming.
- Added the ability to tag incoming IP addresses with GEOIP information.
- Updated user documentation for syslog-ng network connections.
- Updated LZ Firehose documentation.
- Added the option to set a default dashboard for all users.
- Updated documentation on LogZilla port usage.
- Added option to store events for PCI compliance.
- Added option to enable syslog debug logs
- Added the ability to use custom syslog-ng rules in /etc/logzilla/syslog-ng/conf.d.
- Added user tags columns in search results.
- Changed the 'logzilla config' usage for HTTP and SYSLOG port mappings. See UI Help section 4.15 for details
App Store
- Added dashboard filters for Sonicwall app.
- Added a Date/Time normalizer.
- Added an app readme for Cisco FMC.
- Renamed FMC dashboard to indicate FMC.
- Added Linux dnsmasq rules and dashboard.
- Added Linux dhcpd rules and dashboard.
- Added App for SNARE-based Windows events.
- Added Fortigate FortiOS rules and dashboard.
Release Notes - Version 6.20
API
Tasks
- Added compression for older LogZilla operational logs.
- Removed logzilla kinesis container in lieu of Firehose
- Increased the result limit in query bar dropdown filters for Host, Program, etc.
Bugs
- Fixed a bug where "logzilla reset --events" didn't remove programs or hosts.
- Fixed a bug where, after upgrades, the browser cache required clearing.
Appstore
- Added new apps with rules and dashboards for TrendMicro, Sonicwall, Nginx, Infoblox, Arcsight, Barracuda, Linux PAM, and Linux Iptables.
- Changed AWS VPC Flow icon.
- Improved performance of app install/uninstall.
- Added display of readme/docs to individual apps in the app store to the UI
- Fixed some issues with the Cisco ASA app.
- Added more mnemonic logic for Cisco ASA/FTD app.
- Fixed a bug in the search that would return incorrect results.
- Fixed a bug where the UI did not show mark actionable status on Appstore triggers.
Release Notes - Version 6.19
API
Tasks
- Added documentation for LDAP certificate usage.
- Events dropped in parser rules will no longer count against a license's EPD limit.
- Appstore: Added more triggers to Cisco and Juniper apps.
- Appstore: Added Sonicwall rules and dashboards.
- Appstore: Added rules and dashboards for Zeek security.
- Added a 'logzilla reset' shell command to clear all data, events only, or reset the admin password.
Release Notes - Version 6.18
API
Tasks
- Updated Help section documentation.
- Added additional rules to the MS Windows app.
- Updated UI docs for Windows Syslog Agent.
- Added columns for user tags to search results.
- Added appstore app documentation for Cisco ISE.
- Added appstore documentation for Juniper unstructured data.
- Added appstore documentation for NGinx.
- Added the ability to forward logs from other sources through the Windows agent.
- Upgraded postgres container for security compliance
- Created a visibility attribute for custom appstore apps.
- Updated UI docs for lua rules feature.
- Added a "logzilla config" option to set UI session timeouts (SESSION_COOKIE_AGE). Default is 2 weeks.
Bugs
- Fix Cisco ISE step_info rule bug.
Release Notes - Version 6.17
API
Tasks
- Added a configuration option for ldap tls certificates.
- Upgraded Postfix container to the latest release.
- Scripts have been moved from a container to the host directory /etc/logzilla/scripts.
- Updated the ssh config to allow the UI to connect to older Cisco devices.
- App Store: Added rules and dashboards for Juniper devices.
- Moved logzilla container logs from a container to the host directory /var/log/logzilla.
- Only allow executable and non-hidden scripts in the trigger menu.
- Added the ability to use placeholders when using webhook GET option in triggers.
Bugs
- Cisco widgets were missing in the "add widget" list.
- Resolved issue where RHEL/CentOS users would periodically experience install errors when IPv6 was disabled in the host kernel.
Release Notes - Version 6.16
API
Tasks
- Resolved issues with the Watchguard app.
- Added Docker support for cgroups v2.
- Added API calls for configuring items in the Appstore.
Bugs
- Fixed an issue where search results for MAC addresses were slow.
Release Notes - Version 6.15
API
Tasks
- When typing long strings in the Query box, only a portion would be viewable, so we've enabled auto-expansion of that box for long queries.
- Updated AWS Kinesis reception for appstore changes.
Bugs
- When a forwarder destination was unreachable, it would sometimes cause LZ to stop processing incoming events, now it doesn't.
- Expanded search character limit beyond the default of 42 characters.
- Fixed a bug where some widgets would refresh too often.
- Increased buffer limits in the Redis container.
UI
Tasks
- Added a column selector option in widgets so users can select the information displayed.
Release Notes - Version 6.14
New Features
App Store
LogZilla v6.14 includes a major update which now offers an App Store allowing users to add rules, dashboards and triggers at the click of a button.
The new app store is available in the UI under the Settings menu.
In this initial release, we have added apps for the following types:
- Cisco ASA
- Cisco Firepower
- Cisco Meraki
- Cisco route/switch
- Cisco WLC
- Microsoft Windows
- Palo Alto
- Watchguard
Future releases will include most, if not all, of the rules currently located in the Packages and Rules directories on GitHub.
AWS Kinesis Firehose Receiver
Customers may now send their Firehose data streams using http(s) to the LogZilla API using the /firehose URL.
E.g.: http://logzilla.mycompany.com/firehose
LUA-based rules
The LogZilla rules engine now supports LUA.
Lua is a powerful, efficient, lightweight, embeddable scripting language supporting procedural programming, object-oriented programming, functional programming, data-driven programming, and data description.
The addition of LUA increases LogZilla's rule parsing performance by a factor of 10 (it was already fast, but now it's faster) and also adds much more flexibility to data manipulation in real-time.
Docker Volume Locations
Most of LogZilla's configuration files are now stored on the host OS at /etc/logzilla, providing much easier access to power-users.
/etc/logzilla/
├── apps
├── forwarder.d
├── nginx
├── rules
│ ├── enabled
│ ├── system
│ └── user
├── sec
├── syslog-ng
└── telegraf
Windows Event ID Descriptions
We've added a knowledge base of Windows Event ID's, accessible in the "Description" column in search results. Selecting the ID will provide:
- Full Description
- Category
- Sub Category
- Auditing
- Volume
- PCI
- Command
- Tags
- Operating Systems this EID applies to
- URL Reference
API Updates
Tasks
- Improved diagnostics for App Store rules.
- Upgraded libraries for CPP & Python.
- Added Lua scripting rules feature to improve App Store performance.
Bugs
- Fixed a bug where data corrupted by OS disk failure could prevent LZ from archiving data.
- Fixed Cisco FirePower events being marked as 'Cisco' for the program name rather than 'Cisco FirePower'.
- Set archiving to ignore locked chunks.
- Corrected issue where some MAC OUIs weren't displaying properly in search results.
- Offline (Air-Gapped) installs were failing when a license couldn't be downloaded from the internet. Instead of failure, it will now provide instructions for downloading the license manually.
- Widgets set to "same as dashboard" time range were defaulting to last hour in searches.
- When adding a new dashboard, some user tags weren't showing in widgets by their correct name.
- Minor bug fixes for command line scripts.
UI
Tasks
- Changed "Mnemonic" Column in search results to "Description" which now shows both Cisco and Windows descriptions.
Bugs
- Fixed notification row expansion of long messages
Release Notes - Version 6.13
API
- Tasks
- Added logzilla admin command line option for removing dashboards
- Set a default retention period for InfluxDB to prevent excessive disk space use.
- Bugs
- Fixed an issue where the epd widget was not matching the counter for "Today" in the top menu.
- LDAP bind passwords with certain special characters would fail authentication. This has been resolved.
- Fixed issue where user tags with null values would have a value of '-'.
- Fixed an issue where certain time ranges would incorrectly return no results.
- Fixed an issue where events with broken encoding would cause an exception.
- Corrected import bug for script_docker_image key
- Fixed an issue where cloud instances would change their license key during upgrades.
- Fixed a bug where non Cisco events were being detected as mnemonics.
UI
- Tasks
- Updated documentation for the 'logzilla query' command.
Release Notes - Version 6.12
API
- Tasks
- Intermittently, the EPD widget would show the wrong count for today's events. This has been resolved.
- Bugs
- Fixed a problem where the 'logzilla query' would fail.
- Upgraded Nginx to patch CVE-2019-20372 vulnerability
UI
- Tasks
- On occasion, reordering Triggers would require a page refresh to show the new location. This has been resolved.
Release Notes - Version 6.11
API
- Tasks
- Added the ability to flag user tags as high cardinality to avoid high memory utilization.
- Removed enabling Indicators of Compromise from the UI Settings. This can still be done with the 'logzilla config' command.
- Fixed missing swagger API descriptions and summaries in /api/docs.
- Bugs
- Fixed an issue where systems with a low number of events per day were seeing higher than expected CPU utilization.
UI
- Bugs
- Fixed adding multiple widgets
- The 'Mark as read' option on the Notifications page now marks items as read.
Release Notes - Version 6.10
API
- Tasks
- Since archives are now searchable, the total event count will now include archived events.
- Removed backward compatibility for v6.1.4 and older
- LogZilla now supports searching archived data without having to restore
UI
- Tasks
- Added a field showing whether users and groups were created locally or imported from LDAP.
- Bugs
- Selected items in widgets were not being sorted to the top for visibility. This has been fixed.
- Fixed a broken hyperlink to the Help section on the Trigger edit page.
Release Notes - Version 6.9
API
- Tasks
- Lowered the frequency of email alerts when disk space on the server is running low.
- Better handling of out of disk space problems
- Added support for SSL in Splunk HEC Forwarder.
- Changed output of the 'logzilla rules add' command to make it more helpful when rules already exist.
- Added the ability to include user tag information to Trigger email alerts.
- New Forwarder destination: Splunk HTTP Event Collector. Both HTTP and HTTPS are supported.
- Added the ability to extract key value pairs from tsv and csv formatted messages to rewrite rules.
- Unused docker images will now be removed from host if not used. This behavior is controlled by PRUNE_DOCKER_IMAGES config item.
- replaced LOG_INTERNAL_COUNTERS config entry with INTERNAL_COUNTERS_MAX_LEVEL
- Added the use of wildcards in loading of rules, dashboards, and triggers when using command line.
- The 'logzilla forwarder --stats' command now shows forwarder stats per target.
- Bugs
- Fixed an issue where LogZilla would not start if a forwarder destination was non-routable.
- Fixed problems with LogZilla start after system reboot
- Feeder buffer performance improvements
- Added verification of values being set in rewrite section of parser rules.
- Upgraded the lz_etcd image to version 3.2 to resolve issues that occurred when servers ran out of disk space.
- Fixed a timeout issue that occurred when adding triggers in the shell.
- New triggers are now added at the top of the list in the UI
UI
- Bugs
- The EPD widget, when set for 7 days, was showing an incorrect event count. It now displays the correct number.
Release Notes - Version 6.8
API
- Tasks
- Added Severity and Facility to widget's field options.
- Using the 'counter' option in the 'field' for forwarder rules stopped working. Now it's working again.
- Rotated, very old internal logs will now be removed
- Forwarder rules can now use the YAML format.
- Added the "logzilla download" command to simplify offline installs
- For trigger scripts which require extra libraries or programs such as perl modules, you may use your own docker image containing all required modules. You may also use any images found on docker hub.
- Bugs
- Fixed a bug that prevented long running auto archive processes from finishing
- Fixed a bug that prevented 'logzilla config' from clearing a value.
UI
- Bugs
- Adding a new trigger would put it in the second position. It will now put it at the top of the list.
Release Notes - Version 6.7
API
- Tasks
- "passwd" command renamed to "password"
- Rewrite rules can now split kv pairs based on client defined separator
- Some portions of the install script didn't use proxy settings. Now they do.
Release Notes - Version 6.6
API
- Tasks
- Rewrite rules can now split kv pairs based on client defined separator
- logzilla "passwd" command renamed to "password"
UI
- Bugs
- The ability to change dashboard names was not working, this has been fixed.
Release Notes - Version 6.5
API
- Tasks
- Moved event correlation from Trigger scripts to a separate container
- Added 'logzilla kinesis' for ingesting data from AWS Kinesis Stream
UI
- Bugs
- By default, dashboards created by the admin user were not public. We added an option to make them public when creating new ones.
- Added a notification in the UI when a new LogZilla version is available.
- Bar charts in widgets will no longer refresh when there is no new data.
Release Notes - Version 6.4
API
- Tasks
- Added support for YAML format in import/export rewrite rules, dashboards, and triggers.
- Bugs
- Support UTF-8 characters in command line scripts
- 'logzilla' commands show help when called with no arguments (where applicable)
- Fixed a bug in the cpp sender/syslog which caused data loss during reconnect.
Release Notes - Version 6.3
API
- Tasks
- Improved the performance of InfluxDB queries.
- Added /api/version URL to get the currently installed version.
- Added "logzilla forwarder" for printing and importing forwarder configuration
- Updated the 'logzilla rules' command so that adding, editing, or removing rules would automatically reload them.
- Added feature to backup and restore users, triggers, dashboards, and rules.
- Bugs
Bugs
- Influx was available for network connections. It is now restricted to the localhost.
- Fixed problems with the 'logzilla snapshot restore' command.
- Resolved issue where invalid rules could still be added. Rules are now tested on adding, and NOT added if they fail.
- Trying to list dashboards in the shell would export them. Now it lists them properly.
- Exporting rules would drop numeric prefixes in the names. This caused users to lose the order of those rules, now it retains the full original name.
- Added support for non-interactive uses of the 'logzilla' command
- The syslog container has been modified to listen on the host network address. This fixes an issue where UDP-based messages would be mistakenly identified as being received from the container address.
Release Notes - Version 6.2
API
- Tasks
- Added a migration for ldap settings from v5 to NEO.
- Bugs
- Fixed issue where upgrading or restarting LogZilla would fail if the license was expired.
- Moved custom syslog-ng config files from the container to a volume so they wouldn't be lost when restarting the container.
- Simplified usage of "logzilla config" script
- Removed several internal warning messages that were informational.
- Fixed issue where imported dashboards could only be viewed by the admin account in the UI.
- Fixed a bug in the event forwarder where it would stop sending when the destination host went down.
Release Notes - Version 6.1
API
- Tasks
- Change AUTO_MALWARE_RULES_UPDATE default value to false
- "config" alias for "configmanager"; default to --list with no args; --list is now sorted alphabetically
- Bugs
- Critical bug for upgrade 6.0 -> 6.1+ fixed
- Upgrading from v6.0.0 correctly updates containers again
- Fixed problem in migration from v5 to v6. Also adds a check for a deb based install and prompts user asking if they want to migrate.
Release Notes - Version 6.0
API
- Tasks
- Updated the Cisco: NetOps Events dashboard on new installs.
- Syslog-ng now supports add-contextual-data directive
- Added option in the forwarder to send the first event immediately rather than after the deduplication window.
Release Notes - Version 5.99
API
- Tasks
- Removed PaloAlto dashboards from the default install. These are still available from github.com/logzilla.
- Changed the 'logzilla rules performance' command to only require a path when the user has changed the default location.
- 'logzilla version' command to display installed version
- Bugs
- Added a warning when Docker installation fails on systems with low resources.
Release Notes - Version 5.94
API
- Tasks
- Previously, exceeding the license limit would lock access to the UI immediately. Lockout now won't occur until the limit is exceeded 3 days in a row.
- Bugs
- Key-value parser now correctly recognizes empty values
- LDAP was temporarily broken by a new version of a dependency. Now it's fixed.
- Made some widget sections more human readable.
- Built in some information checks to refresh information after upgrades so users won't have to clear their browser's cache.
- Tweaked the UI color scheme.
UI
- Bugs
- Made some widget sections more human readable.
- Built in some information checks to refresh information after upgrades so users won't have to clear their browser's cache.
- Tweaked the UI color scheme.
Release Notes - Version 5.93
Note: This will be the last release of LogZilla using .deb packages. LogZilla v6 will be released in September, 2018 and will be docker-based. Install guides and documentation will be updated soon along with upgrade options.
Release Notes - Version 5.90
API
- Tasks
- Added syntax checker to 'lz5rules reload' command.
- Added rule parser function to skip rules which do not pass JSON syntax validation
- Added ability to feed data from multiple streams simultaneously into the 'lz5feeder' command
- Bugs
- Ensure that disk-based buffer lock file is removed if feeder is killed by user
- Cisco Mnemonic queries were throwing a 500 error in some browsers.
- Added safety check to archive restore process to ensure that the user doesn't try to import the same data more than once.
UI
- Bugs
- Fixed div boundaries in license information display
Release Notes - Version 5.89
API
- Tasks
- During registration, the admin email will now be set as the email address listed in the registration instead of a generic email example.
- Bugs
- Fixed Network performance chart for hourly not displaying properly in some browsers.
UI
- Features
- Users may now pass search parameters directly into the browser's URL instead of using the UI forms. (GET vs. POST)
- Bugs
- Provided workaround for old versions of Firefox containing a bug that causes SVG-based icons to not show in the browser.
Release Notes - Version 5.88
API
- Tasks
- Enhanced performance on incoming event processing
- Right-click->execute script was borked in the search results page. We unborked it.
- Added automatic repair of missing data resulting from end-user disk full.
- ParserModule performance degradation was a tad overzealous in its warnings. After a holiday, it's now much more relaxed.
- Ensure that command line tools run using sudo do not change file permissions for the logzilla user.
- Bugs
Bugs
- RBAC was not RBAC'ing properly for some environments. It does now.
- Added better escaping for invalid user-created patterns in /etc/logzilla/rules.d
Release Notes - Version 5.87
API
- Added better error reporting for invalid rules (such as poor regex patterns)
- Added ability to set 'actionable' or 'non-actionable' flags using rules in /etc/logzilla/rules.d
- Added command line tool 'lz5rules performance' which allows performance testing of rules located in /etc/logzilla/rules.d
- Added ability to import old data streams (previous versions would only accept "real time" data).
- JSON export of dashboards or triggers containing some unicode characters would fail to export.
- API Requests should return "Access Denied" rather than a generic "403" error
Release Notes - Version 5.86
API
- Added 'lz5stats' command line option to provide a quick summary of current server metrics
- Removed version dependencies for syslog-ng
- Moved "Cisco Most Actionable" trigger to the last position so that it fires after other more focused rules.
Release Notes - Version 5.85
API
- Task
- Allow 'lz5triggers export' to export individual triggers
- Add Malware IoC's as a tag for individual Malware names
- Set worker during LogZilla install based on server's available cores
- Add rewrite for program on malware-ioc's
- Bug
- Error when asking for malware-iocs rules: 404
- When install fails, it sometimes doesn't give a reason
Release Notes - Version 5.84
FEATURE
- Added LDAP Authentication
- Added 'lz5rules' to help users with adding/disabling/re-reading rule files from /etc/logzilla/rules.d
- Added ability to set the hour of day in which Auto archive runs
API
- Task
- Reduced number of non-useful internal events
- Average calculations should not include zero's when exporting data
- Google and yahoo code used in /api/docs should be stored locally
- Moved trigger tracking to internal tags for better performance.
- Set default for User Tags feature to 'enabled'
- Bug
- UT Source and Dst Ports were showing a '-' as one of the ports
- Warnings in logzilla.log were more indicative of an INFO than WARN
- Auto archive cleanup was leaving some old files...which wasn't very "clean-y" of it...
UI
- Bug
- Widgets would display incoming time of events as 'in a few seconds' if the user's local system had a poorly sync'd/misconfigured time.
Release Notes - Version 5.83
API
- Task
- Remove repeated trigger id from event TimePoints
- Convert well-known ports to names and other ports to 'dynamic'
- [Performance] Improve duplication tps sorting
- Updated rewrite rule for windows events
- Bug
- Triggered Emails translating some characters to HTML
- Fixed Balabit/syslog-ng update bug (their repo crashed)
UI
- Bug
- Notifications badge wasn't updating count after delete
- After clicking reset in query bar, pressing 'enter' on text search would not trigger search (required actual click)
- Context-sensitive right click menu (from widgets) was not...contexting.
- Average Disk Usage Values were 5% off due to OS reserved space
- Regression Fix: "Time Range" from the search bar got a little wonky
- Regression Fix: Long messages in search results were not expanding upon click
- Regression Fix: "Search using filters from this widget" went missing
Release Notes - Version 5.82
API
- Feature
- Converted all syslog-ng rules and patterns to parser rules at /etc/logzilla/rules.d
- Added 'comments' field capability to parser rules
- Added basic LDAP support
- Added basic Office365 LDAP support
- Bug
- ParserModule improvements
- deb postinst was creating duplicate lines in /etc/default/sec
- Parser restart on high EPS servers caused oot
- Removed ip src/dst rule from distribution
- Malware iocs were not auto-updating
- Parser rule for junk programs renamed so that it fires later.
- 'lz5dashboards export -l' was not listing available dashboard ID's
UI
- Feature
- Added "Apply" button when setting custom time ranges
- Bug
- Red asterisk on settings>generic was missing description
- UI Dashboard export broken on Firefox
- Report generator was failing under some conditions.
- Query parameter cache allowed an incorrect number of search results
Release Notes - Version 5.81
API
- Feature
- Added API pull from AlienVault's Open Threat Exchange which will automatically download the latest IoC's (indicators of compromise) such as Malware/Blacklists, etc. and add them as a parser rule.
- Bug
- Query Update Module would throw a seg fault during calculation of 'LastN' widgets. This would cause "spinning widgets" with no data in some cases.
- After back-end model update, adding groups was borked. We unborked it.
- GeoIP lookup's for IP's disappeared from the right-click menu on the search results page. We found him hiding in South America and made him come home ;)
UI
- Bug
- Add widget display has misaligned descriptions
Release Notes - Version 5.80
API
- Feature
- Replaced all default dashboards for new installs with the ones from LogZilla's GitHub account. Note: new dashboards will only be included during new installs, if upgrading, please visit GitHub for instructions.
- Added many new enhancements to the parser rewrite feature including RegEx captures, ability to drop messages, and dynamic key/value pair recognition from RFC5424 events.
UI
- Feature
- Many UI usability enhancements including FontAwesome 5 glyphs.
- Added ability to run a query based on the filters set in a widget.
- Bug
- Ability to use boolean values in text search were borked, we unborked them.
- Counters displayed 'g' instead of 'b' (for billion) when showing total events in the server.
- Enter key was not performing a search after inputting search terms (users had to click the search button).
- GeoIP lookup map had a misleading close icon.
- Context-sensitive filter menu would sometimes appear off-screen when close to the search ribbon.
- Querying invalid DNS lookups (for non-existent or internal IP's) would throw a 500 internal error instead of just telling the user it was an invalid IP.
- Some UI icons were missing when using Chrome. We found them...hooray!
Release Notes - Version 5.79
- Feature
- Enable rewrite rules to use grouped matches while rewriting
- Bug
- apt-get dist-upgrade caused timeout when postgres was upgraded. LZ would restart automatically, but it was ugly. So we made it pretty.
Release Notes - Version 5.78
- Maintenance
- Maintenance release - nothing noteworthy :)
Release Notes - Version 5.77
API
- Story
- As a large enterprise customer, I need to have triggers on the most actionable Cisco events
- Task
- Improve future events buffer
- Move Config outside the api.model
- Allow Regex Patterns in /etc/logzilla/rules.d Rewrite Rules
- Use storage filtering in queries
- Internal counter cleanup
- The version of syslog-ng installed should match the version in the syslog-ng.conf (fix for Balabit bug)
- Unable to pass logs containing unicode into a trigger script
- add support for INFLUXDB v1.3
- Make sure tps is always sorted
- Influx bug causes archive problems
- Fix broken config migration for older versions
- Remove absolute file path from logs
- Bug
- lz5sender test tool is missing the option to use TCP instead of UDP
- Kaboom should not remove custom files in /var/lib/logzilla/scripts
- Unable to import a single trigger (all triggers work)
- Influx parse error
UI
- Story
- UI: Add display warnings for disk full alert
- Task
- Make phone field not required in the UI registration
- Users should be asked to confirm when deleting a dashboard
- Change "Search Cisco.com for this Mnemonic"
Release Notes - Version 5.76
- Feature
- Add event filters to storage
- Rewrite parser workers to use threads
- Bug
- Fixed bug in multiple ParserWorkers
- Excluding > 1 host made a widget not filter anything
Release Notes - Version 5.75
- Feature
- Added 900+ pre-configured Cisco Alerts
- Allow multiple rewrite rules to be read from /etc/logzilla/rules.d
- Task
- Rewrite parser workers to use threads
- Allow User Tags in rewrite rules
- Move /etc/logzilla* files to its own dir under /etc/logzilla
- Make lz5archive/restore work "offline"
- lz5manage/setup should only warn if syslog-ng is not running
- Bug
- .deb postinst missing apache restart
- Fixed intermittent problems with multiple ParserWorkers
Release Notes - Version 5.74
- Feature
- Users may now share search result links
Release Notes - Version 5.73
- Task
- API: Add a UI option to register evaluation license
- Bug
- API: CPP filters - fix exclude operator (NE)
- Fixed QueryUpdateModule WARNING queries_live_update_events
- Modifying dashboards widgets should check dashboard owner
Release Notes - Version 5.72
- Feature
- Ability to import and export Dashboards
- Implemented multiple pre-built dashboards
- Task
- Improvements on lz5query command
- Bug
- Add widget modal had duplicated widget types in some browsers
Release Notes - Version 5.71
- Feature
- Added tag rules for Windows-based events
- Added autoarchive and retention options to the UI
- Added pre-built triggers for Cisco and Windows
- Bug
- Autoarchive was not updating storage counters post-archive
- "Save To Dashboard" from search results was not saving to dashboard.
- Modifying HH:MM:SS on search query bar was causing a search to start prior to actually clicking search.
Release Notes - Version 5.70
- Feature
- Added ability to search data using prefix wildcards
- Added ability to change the min word indexing length
- Added ability to set custom time ranges for Seconds value
- Added ability to configure LogZilla not to use any auth methods
- Task
- API: Add simple cache for chunk counters
- API: Add a cache for influx dictionaries
- Bug
- set LOG_INTERNAL_COUNTERS default value to False
- UI: Demo license is blank with only an exclamation
- Creation of new users or triggers would not show until after a browser refresh
Release Notes - Version 5.69
- Task
- Query progress bar improvements
- Better in-progress reporting for search queries
- freeze_time option for queries
- Remove time zone option from UI Settings page
- Add EULA_ACCEPTED to settings
- Bug
- Check for and remove rest_framework_swagger
- Mnemonic right-click fails if it contains a %
- Fix indexer crash bug
- license EPD exceeded bug
- StorageStats query return null results for today preset
Release Notes - Version 5.68
- Task
- Create new trigger destination for Webhooks
- Improve TopN performance
- Added retention policy to rusage db
- Bug
- Fix query processing for relative past time range
- Allow users to format outgoing webhooks
- Query update memory crash
Release Notes - Version 5.67
- Task
- Added storage sync writes for performance improvement
- Fix diskfree-alert in deb package
- Bug
- Query initial values for some time zones were invalid
- Fixed query updates on new events during initialization
Release Notes - Version 5.66
- Task
- Remove duplicate trigger notifications
- Timerange validator Improvements
- Fix diskfree-alert in deb package
Release Notes - Version 5.65
- Bug
- Filter corruption when new tag contains empty value
Release Notes - Version 5.64
- Task
- Add ability to run 'or' boolean queries (Part 1 of 3)
- Display Widget selected time ranges in widget title bar
Release Notes - Version 5.63
- Task
- Added command line 'lz5dashboards' command for import and export of custom dashboards.
- Removed references to deprecated Graphite/Carbon/Whisper
- Added Author and Author Email to Trigger environment variables
- Disk IOPS widget now uses negative scale similar to Bandwidth Utilization
- Bug
- Widget gauges do not show up until turned off and on again
- Pie slices not clickable on some of the slices
- Unable to expand message text when it is displayed in a widget
- Network Widget should show Bps/Kbps/Mbps/Gbps and not be stacked
- Creating a new user with the same name as a deleted one fails with no error
- Add New Dashboard failing for some browsers
- Dedup settings update causes spinner on some browsers
- Dashboard time change not working in some browsers
Release Notes - Version 5.62
- Task
- Create separated queues for tasks
- Bug
- lz5manage and lz5setup should check for dependency connections and wait (with timeout)
- Search results caching causes incorrect count of matches