What is the difference when you have Illuminate and without?

Hi all,

I have had Illuminate in my Graylog server since the start. However, I would like to know if anyone has seen a difference between Illuminate and without it?

I have sent my Windows logs through NxLog to the Graylog GELF input. In addition, when I looked at my search, they had been routed into the stream Illuminate:Windows Security Event Log Messages.

Illuminate does a lot of parsing for you, and pushes logs into the GIM. The GIM helps you to have the same field names in your logs. Example: it will always be source_ip, and never src, src_ip, client_address or whatever else you can imagine. This makes a search across multiple sources much more efficient.
Besides that, Illuminate enriches some logs with additional information from lookup tables.
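As an added illustration of the point above (not Illuminate's own code, and not posted in this thread): two constructed records carry the same address under different names, a flat GELF-style record as NxLog might send it and a nested Beats-style record, and once both are folded into source_ip one query matches both. The alias list, helper names and sample records are assumptions.

```python
# Added illustration (not Graylog's or Illuminate's code) of the field-name
# normalization described in the post: several sources spell the same
# attribute differently, and a common schema name ("source_ip", from the
# post) lets one query match all of them. All records below are constructed.
import ipaddress

# Source-specific spellings of the same attribute -> canonical name.
# "source_ip" is from the post; the alias list itself is an assumption.
FIELD_ALIASES = {
    "source_ip": ["src", "src_ip", "client_address",
                  "winlog.event_data.IpAddress"],
}

def get_path(msg, dotted):
    """Resolve 'a.b.c' as a flat key (GELF style) or nested dicts (Beats style)."""
    if dotted in msg:
        return msg[dotted]
    cur = msg
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def normalize(msg):
    """Return a copy of msg with the first matching alias folded into its canonical name."""
    out = dict(msg)
    for canonical, aliases in FIELD_ALIASES.items():
        for alias in aliases:
            value = get_path(msg, alias)
            if value is None:
                continue
            try:
                # Validate so junk never lands in the canonical field.
                out[canonical] = str(ipaddress.ip_address(str(value).strip()))
            except ValueError:
                continue  # e.g. Windows logs "-" when no address is present
            break
    return out

def search(messages, field, value):
    """Count messages whose normalized field equals value, regardless of origin."""
    return sum(1 for m in messages if normalize(m).get(field) == value)

# Constructed samples: flat GELF-style (NxLog), nested Beats-style (Winlogbeat),
# and a Windows logon event that carries "-" instead of an address.
SAMPLES = [
    {"short_message": "logon", "src_ip": "10.0.0.5"},
    {"message": "logon", "winlog": {"event_data": {"IpAddress": "10.0.0.5"}}},
    {"short_message": "logon", "src_ip": "-"},
]
```

Searching the raw src_ip field finds only the NxLog record, while searching source_ip finds both sources.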

Understood, it will extract some wording and put it into a field.

But I did two examples:

  1. NxLog sending to Graylog Syslog UDP
  2. Winlogbeat sending to Graylog Beats

But I have noticed that Illuminate has done a transformation for the NxLog input, while the Winlogbeat input didn't have any change.

I would like to know whether Illuminate accepts any form of input?

Nope, you have to stay within the available packages. I have not seen much documentation regarding what and how it does processing, enrichment and so on. Here is the best I found: Security Content Packs

Hey @ihe,

Thanks for your reply.
Yeah, the documentation is very brief. What I have done is create another server and compare both servers to see what the difference is.

But I was unable to see much difference.
