Skip to content

Changelog

All notable changes to the Watchdog will be documented in this file.

[4.1.0]

  • Controller blacklist: block specific endpoints from obtaining a license by individual endpoint ID or by IP range. Configured via blacklist=guid|ip in watchdog.conf with entries listed in watchdog-blacklist.conf. Blacklisted endpoints receive a 403 from /api/check-license/.
  • Unified TLS: Watchdog, Kafka, and Elasticsearch now share a single TLS certificate that the installer generates for you on first install — no more managing three separate cert sets. To replace it with your own CA-signed cert or to rotate it, see the new Certificate Management guide.
  • Guided VM setup: the prebuilt Watchdog VM image now launches an interactive setup screen on first login. Pick the services you want, provide the required values, and the installer runs automatically.

Upgrade notes (from 4.0.x)

  • If you carry over an existing watchdog.conf, update the cert paths:
  • certfile=./cert/cacert.crtcertfile=./cert/server.crt
  • keyfile=./cert/private.keykeyfile=./cert/server.key
  • The blacklist= setting is now strict — set it to guid or ip. Old values like blacklist=None will prevent Watchdog from starting.
  • The old generate-certs.sh script has been removed; the installer now generates certificates automatically.

[4.0.2]

  • Rewrote installer in Bash — eliminates /tmp noexec failures on CIS-hardened VMs, removes glibc dependency, and produces a single universal release zip
  • Added Packer-based OVA build system for air-gapped deployment (CIS Level 1 hardened Ubuntu 24.04 LTS)
  • Bind kafka-connect REST API (8083) to localhost only
  • Centralized proxy override via no-proxy.env across all Docker Compose services
  • Added tcpdump and ping to Watchdog Docker image
  • CI pipeline simplified: removed dual-platform installer builds (Ubuntu + CentOS)
  • Documentation updates (log schema, deployment guide, offline images)

[4.0.1]

  • Depriciated locally build images instead shipping the prebuild ones
  • Updated the kafka image
  • Installation Logs Added
  • Images removal on cleanup
  • Removed extensions_backup_count from browsermon-watchdog.conf

[4.0.0]

  • Introduce ETI API
    • eti_host and eti_port variables introduced in watchdog.conf
    • threat collector to fetch ETI data from ETI API i.e eti.eunomatix.com
  • Checksum verification added for both ETI and UCS API calls
  • Watchdog 4.0.0 can push extensions variables like extensions_scheduler and extensions_backup_count defined in browsermon-watchdog.conf to browsermon endpoints.
  • Log Reference added for ETI and UCS

[3.0.11]

  • Remove 'depends on' module from compose files for eti, ucs, elastic
  • checks for eti-init and ucs-init implemented inside entrypoint.sh

[3.0.10]

  • Watchdog 3.0.10
  • Removed APscheduler from threat_collector and ucs_client
  • Increased Retry time inside threat_collector to 30 seconds
  • Implemented retry logic in ucs_client same as threat_collector
  • Phishtank http url changed to https
  • Timeout of 100 seconds added to requests
  • Using authcode hash from watchdog.conf to validate UCS API calls
  • Set ucs_client API call 15 minutes after midnight
  • Refactored code for both threat_collector and ucs_client

[3.0.9]

  • Removed external dependency from threat collector

[3.0.8]

  • Setting certificate verification false in requests

[3.0.7]

  • Added proxy section in watchdog.conf
  • Changes in threat_collector and ucs_client for proxy settings
  • Removed input for host, port and scheme from installer.

[3.0.6]

  • Removed conflicting networks

[3.0.5]

  • Removed jq dependancy for snapshot restoration in airgapped systems
  • Container name fixed in docker-compose

[3.0.4]

  • Watchdog 3.0.4
  • Introduction of UCS Integration
  • Updated Installer Script
  • Watchdog restarting issue is fixed
  • Watchdog will ask for UCS mode when installer is run.
  • If UCS mode is on a seperate container will be created named ucs_client to fetch UCS updates from UCS API.
  • Added [ucs] stanza for API configurations in watchdog.conf
  • Introduced 'eti_mode' and 'ucs_mode' in browsermon-watchdog.conf which can be passed to browsermon
  • Inside watchdog.conf if ucs_updates are true daily updates will be fetched from UCS API and if false, local snapshot will get restored.

[3.0.2]

  • ETI index rotation bug fixed
  • Improved Threat Intelligence handling with index rotation.
  • Simplified log files for better readability and tracking of system operations.
  • The deployment process has been shifted to Docker. The Watchdog and Browsermon Inspect images are now included in the offline release.
  • You can load these images using the docker load command and deploy using Docker Compose.
  • A detailed deployment guide is included in the release package.

[3.0.1]

  • Added index rotation in ETI
  • Added eti section in watchdog.conf
  • Unify multiple thread log files into watchdog.log

[3.0.0]

  • Added the ETI for classification of URLs
  • Added the threat collector service for loading threat datasets into ETI
  • Updated conf for ETI integration

[2.0.1]

  • Enhanced Config Matching
  • Reduce File IO, Optimized Speed
  • Minor fixes
  • Improved Logging

[2.0.0]

  • Enhanced Documentation
  • Key Expiry
  • Config with Watchdog
  • Kafka Integrated

[1.1.0]

  • Enhanced Logging
  • Configurable Watchdog port
  • Changed Public Key (Breaking Change)

[1.0.4]

  • Fixed Gunicorn Bug
  • Improved Documentation

[1.0.3]

  • Added the SSL support
  • Added the Gunicorn as server

[1.0.2]

  • Changed rate limitation based on GUID on check license API
  • Added the controller, public key version

[1.0.1]

  • Added the rate limitation
  • Added the debug logs
  • Added the version information and changelog

[1.0.0]

  • validate license at the start of the server.
  • added the check license view API.
  • added the generate controllers info API.
  • added the logging
  • added the runners for creating release
  • added the docs
  • added the ruff runner