Changelog for version 3.3.0#

Released Nov 11 2019#

Backend Changes#

  • Added Overwatch feature to allow master frontend to control many Gravwel clusters

  • Fixed issue in syslog search module where it was not interpretting untagged BSD messages correctly

  • SOAR scripts now have their desired schedule and interval injected into the VM

  • Updated error message when attempting to load a bad license

  • Improved message when webserver runs out of disk space during query

  • Fixed issue that was causing overly agressive load on webserver when looking at raw entries

  • Updated TLS config handling for the datastore when using distributed frontends

  • Updated SOAR script to make it easier to set timestamp and source values on new entries

  • Fixed issue where the strict flag was misbehaving on the json search module

  • Fixed issue where pointmap was performing a bad JSON encoding when a double quote was in a field name

  • Added ability to disable map tile server proxy and revert to old behavior

  • Added optiont to limit CPU threads on offline replicator

  • Fixed issue where min and max where condensing improperly in the table renderer

  • Added Macro system with nested macros and associated APIs

  • Added search library APIs

  • Added the ability to cast IPv4 addresses to an int in anko and SOAR scripts

  • Added acceleration to packet processing

  • Fixed issue where unique was not behaving correctly in temporal queries

  • Added non-zoomable mode to chart to we can be compatible with unique and non-temporal queries

  • Updated the way the fulltext system interprets inline filtering, accelerate on more data types

  • Added ability to reset the state of a scheduled script/search

  • Added ability to enable/disable scheduled searches without deleting them

GUI Changes#

  • Added search library system

  • New hotkey system makes finding search library entries much better

  • Added search macros and management system

  • Added intelligent sorting of dashboards

  • Added dashboard favorites

  • Added ability to force connections between values in sparse charts

  • Added ability to create sharable URLS that can directly launch queries

  • Rebuilt query zoom system to be faster and easier to use

  • Fixed issue where a P2P dashboard tile wasn’t staying in globe mode

  • Fixed issue where tables were not updating correctly as long running queries progressed

  • Fixed labels on hardware tabs to better represent machines with lots of RAM

  • Added redirect after login when a direct query or resource was hit

  • Improved handling of ingester filtering

  • Added ingester name display when ingesters identify themselves

  • Fixed issue where errors were not being cleared properly after a failed search

  • Fixed handling of live queries with text renderer

  • Fixed issue where table renderer wasn’t being updated in a live query

  • Improved error display when indexers are down

  • Added new welcome dialog to showcase new features across releases

  • Fixed memory leak in causing memory usage to grow

  • Fixed page crash after very long idle times

  • Added display to show ingester name, version, and UUID when supported by ingester

  • Fixed issue where chart zooming would sometimes leave artifacts on zoom bar

  • Fixed issue where some APIs would be hit twice

Ingester Changes#

  • Added ingester preprocessors

  • Kinesis ingester can now transparently decompress entries using the gzip preprocessor

  • Added system for ingesters to report their name, version, and UUID

  • Core ingesters now assign themselves a unique UUID if one hasn’t been set

  • Fixed issue in kinesis ingester when shard counts change on a stream

  • Added processors to allow for timetamp controls on data ingested from Kafka

  • Fixed windows ingester to perform better announcements on the gravwell tag

  • Updated the windows ingester to use the shared ingest config library