Changelog for version 3.3.7

Released Mar 18 2020

Backend Changes

  • Fixed critical issue where queries on indexed wells containing multiple tags could improperly filter entries when using inline filtering.

  • Fixed critical issue with replication of extremely large blocks (over 32,000 entries in a single 1-second block).

  • Fixed issue where Community Edition systems may not properly discontinue throttling once engaged.

  • Fixed issue where the winlog module was not catching invalid filter operators.

  • Fixed issue where some unicode characters at the end of a query would cause a parse error.

  • Fixed an issue where certain macros could expand indefinitely, leading to memory exhaustion.

  • Fixed issue where ax extractor definitions could not define multiple ignored columns.

  • Improved behavior of min & max stats operations to automatically cast to a number.

  • Updated components to send the Gravwell version in the user agent string.

  • Added maxInt config parameter on fulltext to allow for ignoring large integers in logs.

      • Most useful for log sources like Zeek, Apache, NGINX, etc.

  • Added new time module for working with timestamps in an entry.

SOAR Changes

  • Fixed issue where some anko libraries could cause panics.

  • Fixed issue where the debug interface would sometimes show debug prints from a previous run.

  • Fixed issue where resetting script state did not remove debug output.

  • Added new persistent map API to get a raw handle on a named map.

  • Added system in debug API to catch when APIs that require additional configuration are not present.

      • E.g. using the email system without configuring email credentials causes an error at parse time.

  • Added loadConfig builtin to help with loading configuration sets.

  • Added builtin API to get connected ingester lists.

Ingester Changes

  • Updated the Windows EventLog installer to better handle configuration.

      • Config files are moved to %PROGRAMDATA%.

      • Installer has a configuration dialog.

      • Configuration dialogs have localization strings.

  • Fixed Windows EventLog ingester issue: when consuming from channels on a Windows Event Forwarding collector, the ingester was using an improper value for the bookmark pointer. This could cause the ingester to resume from an incorrect location upon restart in some cases.

  • Added TLS listener prefixes to SimpleRelay to allow listening for TLS connections.

  • Installer setup scripts now properly handle appending the port during install configuration.

  • Added additional JSON filter preprocessor.

      • Enables filtering input JSON based on a whitelist or blacklist.