Illuminate Processing Management
  • 24 May 2022

Note

In 4.2, we’ve changed how Illuminate processing packs are installed and managed. Starting with this version, you can automate much of the previously manual installation process.

Note

In order to get your Illuminate ZIP file, please reach out to your CSM (Customer Success Manager) for details.

Overview

When Illuminate processing packs are installed or activated, Graylog will automatically handle the creation of required streams and index sets and the installation of new Elastic templates.

In addition, your selected processing packs automatically apply to matching messages. Finally, you will no longer see Illuminate processing pipelines and rules on the Pipeline Management page.

Prerequisites

Note

You only need to upload the Illuminate ZIP file once: in a multi-node Graylog environment, the installer synchronizes the uploaded file across all nodes.

To get started with this installation and processing tool, you'll need to do the following:

Installation

Note

The installer only accepts supported bundle versions. Otherwise, it rejects the upload and notifies you that the file type and its contents are invalid.


To begin the installation of new Illuminate processing packs, follow these steps:

  1. Locate and click the Illuminate submenu under Operations in the main Graylog navigation bar.
  2. On the Illuminate Install page, you can either:
    • drag-and-drop your Illuminate ZIP file directly onto the page, or
    • click the rectangular help text box, which prompts a file picker to help you locate the ZIP file on your file system.


Select and Enable Packs

Select Packs

Once Graylog has processed the uploaded file, you can select your desired packs. You can either:

  • click the empty checkbox labeled 0 Selected in the top shaded cell, which selects all Illuminate packs, or
  • click the checkbox corresponding to an individual pack.

In this example, the panel displays all three packs selected:

Enable Packs

Next, you need to activate your processing packs. Make sure at least one pack is selected, then enable the selected pack(s) with these steps:

  1. Click the Enable Selected button.
  2. Click the Confirm button on the Enabling Illuminate Pack modal.


As a result, the cell representing the enabled pack turns light green. For example, consider this screen that displays three enabled packs:


Disable Packs

Conversely, you can disable processing packs. To do this:

  1. Click the checkbox for the respective pack. (You can also check the box in the top gray-shaded cell to choose all.)
  2. Press the Disable Selected button.
  3. Click Confirm to verify the individual pack or list of packs presented in the Disabling Illuminate Pack modal.

Delete Packs


You can also delete inactive Illuminate bundles. To do this:

  1. Select the individual pack, or the list of packs, you want to remove.
  2. Click the disclosure arrow to the right of the Activate button.
  3. Click Delete to remove the selected pack(s).
  4. Choose Confirm to complete the deletion.


Lookup Table Customization

Illuminate comes equipped with lists of pre-defined data — or lookup tables. This includes content such as important hostnames, accounts, and usernames. In general, the data is comprised of a key column with a corresponding column of values.

In the UI you can change (or override) default tables shipped with Illuminate. In addition, you can add data to the desired table(s).

Using msdefender-severity-map-adapter as an example, to modify or edit these tables do the following:

  1. Navigate to the Illuminate screen from the Operations menu item.
  2. Click the Customization button; this takes you to a screen titled Illuminate Customization.
  3. Identify your desired lookup table by Title to modify, e.g. msdefender-severity-map-adapter.
  4. Click the corresponding Edit button (under the Actions column); this opens a modal called Custom Values for msdefender-severity-map-adapter.
  5. Add values to both Key and Value fields.
  6. Click the green and white + button to add more key-value data (optional).
  7. Click the red and white trash can button to remove each value (optional).

Additional Information

As new versions of Illuminate are released, you will be able to upload them by clicking on the Install Another Bundle link. When multiple Illuminate versions are installed, you can use the drop-down version menu to switch between versions.
