Changelog for version 4.0.4#

Released Nov 18 2020#

Hotfixes#

  • Fixed issue where large JSON arrays could cause the json module to abort

  • Fixed issue where network failures could cause TLS ingesters to hang

Web UI Changes#

  • Search chart granularity is now more intelligent (eliminate unintuitive “spikes” in charts).

  • Scheduled searches & scripts can now be shared with group members or set global (by admins).

  • Improved playbook editing.

  • Kits can now be saved to the “Favorites” menu.

  • Fixed issue where charts could occasionally appear “squashed” on search results.

  • Fixed issue where kits may not be displayed in “available kits” page.

  • Fixed incorrect behavior in ISO duration & custom duration timeframe selection.

  • Fixed scrolling in actionable sub-menus.

  • Fixed various spacing & display bugs in dashboards, actionables, and elsewhere.

  • Improved display of images in kits and playbooks.

Backend Changes#

  • limit module now supports “N M” mode, e.g. limit 5 10 will drop the first 5 entries, then pass the next 5, then drop all further entries.

  • Fixed race condition where extremely brief queries could be improperly marked “SAVED”.

  • Fixed bug where queries could temporarily read from the wrong well if wells are configured with wildcard tags and a new tag is added to the well.

  • Fixed bug where autoextractors could fail if some indexers lacked a particular tag.

  • Improved error messages for certificate problems.

  • Improved handling of corrupted nodes in entry index files.

  • Added saveSearch function so scripts can save searches for later.

  • The toDuration function in anko scripts is now more flexible.

  • Searchagent should now execute debug scripts much sooner, also eliminated potential bug where searchagent could execute a debug script twice when using distributed webservers.

  • Indexer and webserver processes now send both stdout and stderr to the systemd journal.

  • Version API now includes server timezone.

Ingesters and Ingest Library Changes#

  • Added “health check” URL capability to HTTP ingester.

  • Added Rate-Limit config option to all ingesters.

  • Fixed map access race in Federator.

  • Fixed bug where standalone Federator listening on a Unix pipe wouldn’t create /opt/gravwell/comms automatically.

  • Fixed potential deadlock when calling NegotiateTag with no open indexer connections.

  • Fixed bug where Cleartext-Backend-Target=::1 could fail.

  • Fixed some potential races in the gravwelforwarder preprocessor.

  • jsonarraysplit preprocessor can now split on a top-level array (an entry consisting solely of a JSON array).

  • Improved some logging.

General/Miscellaneous#

  • Released new Zeek kit.