Full Falcon LogScale Collector Release Notes Index

This section contains a single page with all release notes on the same page.

Falcon LogScale Log Collector 1.7.4 GA (2024-10-03)
Version?Type?Release Date?

Config.

Changes?
1.7.4GA2024-10-03no
FileSHA256 Checksum
linux_amd64.deb4812af7a6bf0ccb92651ee73f112a3b92812265c76829ed20487e23ab11b5e3e
linux_amd64.rpm74c91ac39504768fc8a40894a07571d0c66710ca9f54e63ee7c744d30bdd8386
linux_arm64.debed9ecdccb697702aa553b107c93ffc4fb7de4141c525fc6e7498ba6f1e54420b
linux_arm64.rpm2ed6847eac30244a4b710e0c27684401fef53b04fe938755b115f4e3b958b04d
macOS_universal.pkgd266cfc6849e65d5c8d0fa53eaf8e33e539e55d70124454c9eb2aaf42a9b2e6b
windows_amd64.msif79c0a16709ee56f9bf8cda6dba832ce6b90de8cc33a7b34c89f6294f357dcd6
Docker ImageArchitectureSHA256 Checksum
logscale-collector:1.7.4amd64cc7821f40308745e092a82f19e4b7ced0124970344b59e2629b6f07eb306806b
logscale-collector:1.7.4arm64cc7821f40308745e092a82f19e4b7ced0124970344b59e2629b6f07eb306806b
Performance improvements for file sources and syslog sources.

Improvements, new features and functionality

  • Installation and Deployment

    • The syslog source has been optimized to use less memory in setups with high amounts of short lived TCP connections. The new approach utilizes a memory pool instead of allocating a new memory for each connection.

      The number of concurrent TCP connections is limited to 1024. The default MaxEventSize for syslog over TCP is changed to 1 MB to match the same setting when using syslog over TLS.

      The previous default setting was 2048 B (which is mentioned in the RFC), however as some users have experienced truncated events, the setting has been changed.

  • Debugging

    • Internal log messages in the LogScale Collector have been improved. An internal buffer has been increased to avoid missing internal logs and log messages for the syslog source have been augmented with more detail.

  • Collecting Data

    • File source optimization for Windows and macOS.

      The filesource keeps monitoring files after all data has been read and ingested to be able to continue shipping when/if new data is added. In scenarios with a high number of files, this can be rather CPU consuming on Windows and macOS. In order to reduce the CPU usage a dynamic file scanner, which balances the CPU usage of the file scanning part has been introduced.

  • Fleet Overview

    • The LogScale Collector now supports sending custom labels to Fleet Management.

      This is in preparation for an upcoming Fleet Management feature which allows using labels for defining collector groups. When creating a group - labels can be used in the filter query. E.g. labels.myLabel=foo. Labels must be added to the local fleet management config file of the LogScale Collector. Label values can be expanded from environment variables as well.

  • Other

    • Symbol names and debug information are now stripped from binaries, this results in smaller distributables.

Bug Fixes

  • Debugging

    • A race condition related to file rotation using compression could cause the checkpointer to get in a state where it would repeatedly log the following error messages, "File failed, waiting 1min. error: EOF" and "pipeline failed, error: EOF".

      The LogScale Collector now marks the checkpoint for the file as done and the warning message "Handling unexpected EOF in compressed file" will be logged once.

  • Other

    • We have identified a previously unhandled scenario in which the LogScale Collector attempts to send data to a Data Connector and either a HTTP intermediary, such as a proxy, or the Data Connector accepts the HTTP connection, however never returns a HTTP response and in the same time keeps the connection alive.

      Previously this would cause the LogScale Collector to wait for the response, thus blocking further data on that sink. To address this scenario, the LogScale Collector will now timeout, and attempt re-transmission, if it does not receive a response within 60 s. In this case a warning: "timeout awaiting response headers" will be logged.

Falcon LogScale Log Collector 1.7.3 GA (2024-08-13)
Version?Type?Release Date?

Config.

Changes?
1.7.3GA2024-08-13no
FileSHA256 Checksum
linux_amd64.deb15e4f7565b1dfe6e652652bb361075a8615bc42ce26d06c75158ad3e61625ecb
linux_amd64.rpm9f4a5cf8d426d116ad242cbbc78b1c02ffe6788ce41fdab080df28c63e943bb0
linux_arm64.debd43b840ddfc42a862ce3df13ee9de761200208240a1f9f9b8b53d53f78a586a1
linux_arm64.rpm8b0206fbb280b77a2cd2844474bab7051823eb97585cd2a5c4d2e35c59d93268
macOS_universal.pkg26d414b4641e2af97a5014c381c4c7a5a7bfd79946ca9f872d448740524eeea2
windows_amd64.msi816fb015a80b461b32171298db7067c55ba4e3260a987bcd5b1cf7bc05e4b936
Docker ImageArchitectureSHA256 Checksum
logscale-collector:1.7.3amd64d2accd99bf8970cb4874c1b46c8f3d6b99db9d37b939ea1872db9ad7f762af2b
logscale-collector:1.7.3arm64d2accd99bf8970cb4874c1b46c8f3d6b99db9d37b939ea1872db9ad7f762af2b
Bugfix and improved support of uninstall.

Improvements, new features and functionality

  • Installation and Deployment

    • Uninstall-scripts are now distributed as part of the "Full Install" via bash / powershell.

      Note that uninstalling a custom installation via system packages (i.e. rpm, deb, msi) is still handled by the system's package manager.

      See Uninstall Falcon Log Collector Installations for more information on how to uninstall LogScale Collector.

Bug Fixes

  • Other

    • A vulnerability in a library generating UUIDs is addressed. The UUIDs were exclusively used for non-cryptographic purposes.

Falcon LogScale Log Collector 1.7.2 GA (2024-07-09)
Version?Type?Release Date?

Config.

Changes?
1.7.2GA2024-07-09no
FileSHA256 Checksum
linux_amd64.deb55ce3d492b9bdb0fc899406a2eacc95a4a97da54ffa13ac8b2327d9e5f37f12b
linux_amd64.rpm9b45ff1c24955cf26e12242d98529a24d9b06cb1da9516d467c4e99db47591a3
linux_arm64.deb052870d7b15708ae4043360451e558a5a185ab6e1838c365bb0d976096ae9993
linux_arm64.rpma638bf86ac5fcb743a5aa3d9f143013b023c5ac48661a19b41d8ce4e70d19cb3
macOS_universal.pkg45364901540b86443bfe97ef124782650daae955eaf8bfae547c2584c0fc7965
windows_amd64.msid34795c397c7ba1097167804b6569a867f173a84a43ec339caa3004b2ae2b6a1
Bugfix for the file source (Linux only).

Improvements, new features and functionality

  • Collecting Data

    • The LogScale Collector (Linux only) was leaking file handles when monitoring symlinked files, causing the file scanning to be reduced to 10 second intervals. This update ensures that the file handles are closed when the symlink or the files are moved or deleted.

Falcon LogScale Log Collector 1.7.1 GA (2024-06-27)
Version?Type?Release Date?

Config.

Changes?
1.7.1GA2024-06-27no
FileSHA256 Checksum
linux_amd64.deb15e4f7565b1dfe6e652652bb361075a8615bc42ce26d06c75158ad3e61625ecb
linux_amd64.rpm7abba9bdfa839abf33ae693d95656e4069642b59e1a804528de9fc289ab86511
linux_arm64.debd43b840ddfc42a862ce3df13ee9de761200208240a1f9f9b8b53d53f78a586a1
linux_arm64.rpm88038908e16f12f6dd979021fc02f424ddccfea4e18173f6832d4a1e57181442
macOS_universal.pkg3ba62e36a5e500bc95a2c43987a89e1361897adcef6ffc806dec807ef5149768
windows_amd64.msi93b5bb3e639bc773aab4df1cd796c8b42a073752bb369efb5ed51b3ce19a8e51
Bug fixes to 1.7.0 regarding the file source and Fleet Management config changes.

Improvements, new features and functionality

  • Collecting Data

    • For Kubernetes deployments, the kubernetes transform (used by the Helm chart to collect Pod logs) now also collects metadata for init containers.

Bug Fixes

  • Collecting Data

    • Linux only: Fixed a bug in the inotify event handler which would cause excessive error messages in the internal logs.

    • Fixed a bug in the file source which potentially caused the collector to stop reading files, related to a race between the file inactivity timeout and a file modify event.

  • Fleet Overview

    • Fixed an issue where the LogScale Collector could stop ingesting after publishing config changes from Fleet Management.

Falcon LogScale Log Collector 1.7.0 GA (2024-06-03)
Version?Type?Release Date?

Config.

Changes?
1.7.0GA2024-06-03no
FileSHA256 Checksum
linux_amd64.deb34b044b8f0ae27608927d61ae4042cdece06a6e58a79f539fb3fa6259e8f1cfc
linux_amd64.rpma07608c13f03ec0ac3a0eb8d81b1719c9f3bef3dea82feb2e6858208d36e192d
linux_arm64.debabe3168393558f48fe53d87f2940b76dbb36d0ead2681bb6fce05f86066c1fa3
linux_arm64.rpm30b6d3d3284c55d07be5c6c4cb98459cf11bceb57096bd2257c7d6168b6c2a7d
macOS_universal.pkg4959e1ec177565a6c69942a259c24fcc01f65190789788443b528ec128dfa6b1
windows_amd64.msia8854e2931ac8450fa24a1f8406cef8fcf0ef9418bd4e5ac160d274ec5289b95
Docker ImageArchitectureSHA256 Checksum
logscale-collector:1.7.0amd642e0520b8d6fa731aa4d939d84d66ee69d842d9f1f94168122df4c09f68a92c87
logscale-collector:1.7.0arm642e0520b8d6fa731aa4d939d84d66ee69d842d9f1f94168122df4c09f68a92c87

Download

  • Docker EU-1 registry.crowdstrike.com/log-collector/eu-1/release/logscale-collector:1.7.0

  • Docker US-1 registry.crowdstrike.com/log-collector/us-1/release/logscale-collector:1.7.0

  • Docker US-2 registry.crowdstrike.com/log-collector/us-2/release/logscale-collector:1.7.0

  • Support for ephemeral hosts

  • Performance improvements to the file source on linux, the windows Event source and general memory handling

Improvements, new features and functionality

  • Debugging

    • Cleaned up the internal logs messages in the LogScale Collector. Some lowered in severity and some removed

    • The internal logging component handles more events per second to eliminate the "Dropped debug log.." message.

  • Collecting Data

    • The LogScale Collector has been optimised for a more deterministic memory footprint. Memory is now reserved in the queue before reading from each source. This will reduce memory usage in e.g. backfill scenarios with a high number of individual files.

    • Linux only: To reduce the CPU and file I/O usage, the file source now utilises inotify for monitoring file changes.

    • The Winevent log source now supports severity filters and custom XPath and XML queries. The severity filter can be used to only include events with specific levels, e.g.adding the key levels: [0,1,2,3] to the channel specification will only include events with levels above 4 (information). The queries can be used to build more specific filters.

  • Fleet Overview

    • Added support for ephemeral mode by specifying an ephemeral timeout at enrollment. If a collector is offline for the specified duration, it will be unenrolled and disappear from the fleet overview.

    • Added auto enrollment functionality that automatically enrolls the LogScale Collector if it does not have a working access token. Refer to Fleet Modes on how to use this feature.

  • Other

    • The backward compatibility checkpoint.json is from this release obsolete. If migrating from a version before 1.4.0 to 1.7.0 and above, you need to install and run 1.6.5, in order to preserve the checkpoints.

Falcon LogScale Log Collector 1.6.6 GA (2024-06-13)
Version?Type?Release Date?

Config.

Changes?
1.6.6GA2024-06-13no
FileSHA256 Checksum
linux_amd64.deb716616dc89d84d83713a6abfa1bd7e65b90c5df09f3a4b55d5546d2010b4a9e7
linux_amd64.rpmd696666bb4eb07270eadfb61f0cffce7cf3d5875183569d5b68deaa01736eade
linux_arm64.debe54e4bd314cbf51642cfdd361340662a333e72dc7df5fb3821b8bd14ec309af6
linux_arm64.rpm3dbd586df1672e06500e407d228805492b83d195c9a50ebd1fa2196bacba27a0
macOS_universal.pkg29da28f5146893597d0541000cd7fb6002f50790358b33cd81ccf83db4a9aa97
windows_amd64.msi29da28f5146893597d0541000cd7fb6002f50790358b33cd81ccf83db4a9aa97
Bug fix related to the handling of the file source.

Bug Fixes

  • Debugging

    • Added User-Agent header to debug logging component.

  • Collecting Data

    • Fixed a memory leak in the file source. In some scenarios the process would not release memory after a file was closed.

Falcon LogScale Log Collector 1.6.5 GA (2024-04-29)
Version?Type?Release Date?

Config.

Changes?
1.6.5GA2024-04-29no
FileSHA256 Checksum
linux_amd64.deb81b54668ead01f8d0cf222035fcf4fa1d287f534152c3799d244e4be5a6b9c43
linux_amd64.rpmcc36493be196656d87b0412bb414125165331e96415106864d8ca95910befeb6
linux_arm64.debb70d5006184c537dcd08fb90c72e6a92d902d3d1d34be014e28d1cb5bbfd1588
linux_arm64.rpmbdb0fdf05469660c539935ef8191f679215dc21721bbcf1ed9b76eba70b835fc
macOS_universal.pkg9a4db0cb82398ab5ccf23843b27be80bac853d492b49f0e291b601d8e9eb1ef9
windows_amd64.msi71a965cd3af6100d9fd3d31ab2661ede3d3bf502fdafb27535c18c24f5c3fac1
Docker ImageArchitectureSHA256 Checksum
logscale-collector:1.6.5amd648754dc0cdaead677439bf2a3d1c3150dc2b63ca2f1ec12a0b42a192346e91be4
logscale-collector:1.6.5arm648754dc0cdaead677439bf2a3d1c3150dc2b63ca2f1ec12a0b42a192346e91be4

Download

  • Docker EU-1 registry.crowdstrike.com/log-collector/eu-1/release/logscale-collector:1.6.5

  • Docker US-1 registry.crowdstrike.com/log-collector/us-1/release/logscale-collector:1.6.5

  • Docker US-2 registry.crowdstrike.com/log-collector/us-2/release/logscale-collector:1.6.5

Improvements and bug fixes regarding handling of the file source.

Improvements, new features and functionality

  • Debugging

    • On Windows, when file open fails, the error message will now include the path to the file, matching the behaviour on Linux and macOS.

    • The error message "Could not identify file." will only be logged once per file that could not be identified. Previously this message would be logged at each failed attempt to identify the file.

    • The severity of a number of internal LogScale Collector log messages has been reduced from error to warning, in cases where the error is already handled.

    • The error message "Failed sink receive." was previously erroneously logged at LogScale Collector shutdown, in scenarios where the shutdown was intentional and graceful. This has been corrected.

Bug Fixes

  • Debugging

    • An issue causing the internal debug logging module to log a warning "Dropped debug log message before they enter the ring buffer" has been fixed.

  • Collecting Data

    • A race condition during file rotation potentially causing the LogScale Collector to crash has been identified and addressed.

    • In previous versions the file source would hold on to a file handle until the read content was successfully received by LogScale. This could cause the reported disk usage to be higher than expected in scenarios with frequent file-rotation and low bandwidth/loss of connection to LogScale. The LogScale Collector now releases file handles immediately after reading EOF or detecting files being removed.

    • A race condition which could cause the LogScale Collector to crash, when using the static_fields transform, has been identified and addressed.

  • Fleet Overview

    • Fixed a bug where LogScale Collector metrics would fail to run, when any of the metrics could not be collected.

Falcon LogScale Log Collector 1.6.2 GA (2024-02-26)
Version?Type?Release Date?

Config.

Changes?
1.6.2GA2024-02-26yes
FileSHA256 Checksum
linux_amd64.debba2332fac5b6131161380d6ea148fcb2b510d949d39943be42b28b4dbd14a1b8
linux_amd64.rpm1eddcefc1e30d17b5f3e8571ade165964c4cd6d5f626bedc655bd3b67ef0291a
linux_arm64.debf978c49ce790a26bad87ea8faeb6d0b9ea314d06a52c13f314d5a5973386e613
linux_arm64.rpm0c551dc50f3bad26dbaf36f7fc5cc84ef49f73c3b373f94e63fd0d50a54b8e4d
macOS_universal.pkg3339ed432f3e696645920fbc2f39b54983a9c03ed20cf5a34f1ef42972d2ff83
windows_amd64.msi343d9aeda9cbaccbfb51a51e257053775a0795f6dec5d7443d9be1d7048cd8df
Docker ImageArchitectureSHA256 Checksum
logscale-collector:1.6.2amd646d33cb64cc7e6bfb08c6f365735559793b8aa40b631ca6be2a5961e009ee1217
logscale-collector:1.6.2arm646d33cb64cc7e6bfb08c6f365735559793b8aa40b631ca6be2a5961e009ee1217

Download

  • Docker EU-1 registry.crowdstrike.com/log-collector/eu-1/release/logscale-collector:1.6.2

  • Docker US-1 registry.crowdstrike.com/log-collector/us-1/release/logscale-collector:1.6.2

  • Docker US-2 registry.crowdstrike.com/log-collector/us-2/release/logscale-collector:1.6.2

Improvements and bugfixes regarding handling of the file source and installation on Windows.

Improvements, new features and functionality

  • Collecting Data

    • The file source now supports environment variable expansions in the include/exclude field in the config.

Bug Fixes

  • Installation and Deployment

    • Installing the LogScale Collector on Windows using the Windows installer MSI will install it as a service and set the service start setting to Manual. After enrolling the Collector into Fleet Management using the enroll command, the service start setting will be set to to Automatic. and the service will be started.

      In previous versions of the installer a new install/upgrade using the installer MSI would set the service start setting to Manual. (overriding any current setting), as of 1.6.2 the installer service start setting will be preserved unless you do a fresh install.

      When performing a new enroll command, You will set the start to Automatic., therefore if you want to set to a custom setting, e.g. Automatic (Delayed start). this will need to be done after the enroll command is performed.

      Note

      downgrading to version 1.6.1 or earlier will still revert to the initial setting (Manual.).

  • Collecting Data

    • An requirement has been removed where in previous versions the Windows Event Log source required the existence of at least one channel.

    • An issue has been resolved when the checkpointing component used by the file source. If a file was rotated/moved while the content was read but not yet acknowledged through the network, the unacknowledged content could be re-transmitted, resulting in duplication of ingest to LogScale.

  • Other

    • Fixed a bug where the --allow-insecure-http flag would not take effect for communication with Fleet Management. This caused the collector to enforce using https:// for Fleet Management communication even if the enroll command was executed with the --allow-insecure-http flag.

Falcon LogScale Log Collector 1.6.1 GA (2023-12-12)
Version?Type?Release Date?

Config.

Changes?
1.6.1GA2023-12-12yes
FileSHA256 Checksum
linux_amd64.debae5e4d9125499203d0c324b78fe6bb06dfab80ae74d99cec6473622e2a86a273
linux_amd64.rpma50bb0b24e692cf0e4e32a72d7f6c84a5dfd6aec868aa9d7b6bbe4ab5096b450
linux_arm64.deb4e22b6a97fd1eade148d50583d9e78fc5a19a6f0af7591f99a59924e022f25a0
linux_arm64.rpma6565529c3e7b290cd03079a139aec9578f150af3f21e7c167e2d2840ad5a8fc
macOS_universal.pkga7e20a99c0bde56d1a347e4880f647b03c7d6606abbfc2b0fc6dbcd0914e49c1
windows_amd64.msi39ff61e9e66e9a2d8481a2edb9d94543ddfc1aafc7db18f4bbf1d32ff05b89ca
Docker ImageArchitectureSHA256 Checksum
logscale-collector:1.6.1amd6498fff9a7d48767f89a87816fbc2c03f79bdd34eeccddfe8f77dafc2e0696981d
logscale-collector:1.6.1arm6498fff9a7d48767f89a87816fbc2c03f79bdd34eeccddfe8f77dafc2e0696981d

Download

  • Docker EU-1 registry.crowdstrike.com/log-collector/eu-1/release/logscale-collector:1.6.1

  • Docker US-1 registry.crowdstrike.com/log-collector/us-1/release/logscale-collector:1.6.1

  • Docker US-2 registry.crowdstrike.com/log-collector/us-2/release/logscale-collector:1.6.1

Improvements and bugfixes to the handling of the file source and debug logging.

Improvements, new features and functionality

  • Debugging

    • Debug logging now uses the system proxy by default, previously proxy was not supported.

    • The debug logging configuration through environment variables now supports additional configuration options which are documented in Debug Log

    • Debug logging no longer accepts http:// addresses by default. If such a scenario is required then HUMIO_DEBUG_LOG_ALLOW_HTTP must be set to true.

    • The debug logging mechanism has been improved. If an error occurs when sending the debug logs to LogScale, 3 attempts will be made in total before the debug logs are dropped.

  • Collecting Data

    • The file source been improved in scenarios with log file rotation. In previous versions a race could occur between file discovery and file read, during file rotation. This could potentially cause data to be missed (not ingested).

    • Performance of Syslog UDP source has been improved when running on a Linux system.

      The source now uses multiple workers to receive data from the network. By default it will spawn workers corresponding to the number of CPU cores in the system. The number of workers can be controlled by specifying the 'workers' parameter under the source configuration. Specifying 0 workers, or omitting the parameter will use the detected number of cores. See Sources & Examples.

    • We now offer a docker image which can be deployed in a Kubernetes to forward log messages from the applications deployed in the cluster. See te documentation for more details Collect Kubernetes Pod Logs.

Bug Fixes

  • Collecting Data

    • Configuring an incorrect exclude path for the file source could cause the collector to crash, this is corrected.

Falcon LogScale Log Collector 1.5.3 GA (2023-10-16)
Version?Type?Release Date?

Config.

Changes?
1.5.3GA2023-10-16no
FileSHA256 Checksum
linux_amd64.debe965acdad2676b59c351b8e9866954159e51f135a270ab6626ae88d924167265
linux_amd64.rpm75db3d6f20bf499c7615a00637797ec641be38c721cc1f9fdb50bf20613510e3
linux_arm64.deb9a44f418dd0dbf03adde25afb878fbba5a97cccc339b0cb5e1e657a5880734e6
linux_arm64.rpm976d4c01248ad0da4976c1a26885be07af0b8f388fce5c43a8097ecdfd85d134
macOS_universal.pkg56603437f3dcd77217ba59ea01f2645daae8122c0740dc1c4deffedac5ef4e32
windows_amd64.msicaced8ad05580a677cb344fe811b485471299af5219284f9d2fff392c7ee18fa

Improvements and bugfixes regarding handling of the file source.

Improvements, new features and functionality

  • Collecting Data

    • Internal handling of the file source has been optimized to reduced the number of syscalls used to monitor files and directories for changes.

Bug Fixes

  • Collecting Data

    • An issue has been identified with the checkpointing component, causing unnecessary disk write operations when used with a file source. This scales linearly with the number of file sources configured, leading to a high disk utilization when defining multiple file sources.

      Note: Multiple `include` patterns per file source do not cause this issue, only separate sources. This behaviour started in 1.5.0, and is fixed with this release.

Falcon LogScale Log Collector 1.5.2 GA (2023-10-03)
Version?Type?Release Date?

Config.

Changes?
1.5.2GA2023-10-03no
FileSHA256 Checksum
linux_amd64.debb0d8b02647f01ec575717d50a2deda10edb007cfd3f889cd815ee6b593ddcac7
linux_amd64.rpm399229099288bf11e6282e997eb972199d707be2b4475745828b9a1419a5eeac
linux_arm64.deb31f4346234eea88a93eaeae98f922a810efed1173a33294381a210b8cc5b5c6f
linux_arm64.rpmb2b737649caad3fd5ffc678d0576a0fe35193ce8b069f963c075167b828534b9
macOS_universal.pkg72c7953f7865bb73bf85692ca8f15277e2da3711578aec0624e7fe4c3771cf37
windows_amd64.msi3d061d1a50bd2a295e72d6a001c4179f4b230e040ed4476ab4c4d72f1ed709ad

Bug fixes and improvements.

Improvements, new features and functionality

  • Debugging

    • The log level for the log message "File is a duplicate of another file." has been changed from warning to info.

  • Collecting Data

    • When LogScale rejects an ingest API request due to a request timeout or the request being too large, the LogScale Collector now divides the ingest request in to multiple parts and attempts to send the split files. If after dividing the ingest request, if a single event still triggers this limit, it will be discarded.

      The default LogScale request size limit is 32 MB, while the LogScale Collector targets maximum of 16 MB of input per request. Due to encoding, particularly control characters or invalid UTF-8 sequences could cause an up to 6x blow up of the request size.

    • Added a logscale alias for the humio sink. It is now possible to write type: logscale instead of type: humio in the sinks section.

Bug Fixes

  • Collecting Data

    • Fixed a bug where an invalid include/exclude pattern in the config of a file source could cause the LogScale Collector to crash.

    • Fixed a bug where a duplicate of a file could trigger length updates in the open file source.

      If a duplicate file is an included file that has the same fingerprint as another included file. The lexicographically lesser path is considered the active file.

    • Fixed a bug when inadvertently reading a binary file could induce a 400 Bad Request from LogScale, which discards data in the LogScale Collector.

      The issue occurs when a binary file contains a UTF-8 sequence of EF BF BF that decodes to U+FFFF. The U+FFFF code point gets interpreted as end-of-input in the applicable LogScale ingest API.

    • The file source now completely ignores files that are of length zero bytes. This should fix an issue where the file source would inadvertently read a compressed file as plain text, if the file was opened when it was empty.

      This scenario is most likely to occur when a log file is rotated and compressed. Reading a compressed file as plain text could then induce the above binary file problem regarding U+FFFF.

Falcon LogScale Log Collector 1.5.1 GA (2023-8-28)
Version?Type?Release Date?

Config.

Changes?
1.5.1GA2023-8-28no
FileSHA256 Checksum
linux_amd64.deb9c5cb4034ef884abdfc2708389e62e6195dc7a940be191ec7ed2aa8ff9a37957
linux_amd64.rpm3fed6f88d9febf5e715f21987a61707aa7239628e3c6d50f0ed17ba24b7989f0
linux_arm64.deb9779596e4b75cb1cb1c6678a310462c5d23a0be34a696d9dd16736ec24ff5800
linux_arm64.rpmabdec0dd117785e5676c931ac4e9299fe53c9f418e27b734700fb425affde080
macOS_universal.pkg3f070774128b6cc88465b746da8cbdadd7fc614968e69a105b48bae82ea188f3
windows_amd64.msid69bd9f4efb3437f9d0cf7e45598d8ee8a0ad1937ff7e1df6300e91f17087abc

Bug fixes.

Bug Fixes

  • Collecting Data

    • Fixed a bug which caused the Log Collector to crash when using multiple file source declarations.

Falcon LogScale Log Collector 1.5.0 GA (2023-8-23)
Version?Type?Release Date?

Config.

Changes?
1.5.0GA2023-8-23yes
FileSHA256 Checksum
linux_amd64.debf4b26bf994c4664eaf664be5081401f79430ec8f81084859fdc336e23f720e6f
linux_amd64.rpm0a4b3881d4f81b6b8c94ea0b594e838fec40cb75bd169dbe8b92cc9dd2aae5e9
linux_arm64.debcff7466e92c04a83a00ab7177097ac0d5a662ada3c4fb23ae1bb3b96a5d3450a
linux_arm64.rpmc8f29ce878645196ebfa7b9f0a1b0d1578fe8ed7d81de31bfb65f909b7963900
macOS_universal.pkg632d93e28901d3774f23c85a98e565e890bb56b5a2ac112ba8e210df313a4d12
windows_amd64.msif65411d6243b98e6b53c8a6b96d8756423a2cca645c51034d31079a248de7e07

  • The LogScale Collector now supports macOS and is available as package installer (.pkg).

  • The LogScale Collector now reports metrics regarding e.g. CPU and memory usage to LogScale Fleet Management.

Improvements, new features and functionality

  • Collecting Data

    • The syslog source has been optimized with respect to UDP mode. According to internal performance measurements, the performance has been increased by a factor of 3-4.

    • The file source has been updated with improved file identity tracking. If multiple files are considered to be identical copies through fingerprinting, only a single copy will be opened.

    • The LogScale Collector now supports macOS and is available as package installer (.pkg), see Install Falcon Log Collector for information.

      The installer contains a universal binary which runs natively on both Apple silicon and Intel-based Mac computers. In addition to the source types supported on other platforms e.g. file source etc., a new source type unifiedlog has been added, see Sources & Examples. This source type supports shipping unified logs on macOS.

    • The disk queue has been reimplemented in order to increase performance and resilience.

      One consequence of this is that the entire storage space, determined by maxLimitInMB, is allocated when the queue is created. This ensures a deterministic size of the disk queue and prevents scenarios where the configured disk queue size is not available due to missing disk space.

      If the configured disk queue size is not available on the configured disk partition, an error will be issued. E.g. "Could not apply the config error="pipeline: logscale, details: no space left on device"".

    • If two instances of the LogScale Collector are attempting to use the same data directory, the error message has been improved.

      An example scenario is if the Collector is running as a service and a second instance is started manually from the command line. Previously the error message would be: timeout.

      Now the following error message will be issued: "Could not lock the checkpoint database. Maybe another process is using the same data directory? The data directory is set to: my_data_directory_location"

    • A new source type syslog_tls has been added. This source type supports receiving encrypted syslog traffic. See Sources & Examples for more information.

  • Fleet Overview

    • The LogScale Collector will now send its CPU usage, memory usage and disk usage of the data directory partition to LogScale Fleet Management.

      These metrics will be available from within the Fleet Management|Fleet Overview pagein the LogScale user interface and can be used to provide a feedback loop when scaling instances and adjusting configuration settings. See Falcon Log Collector Metrics for more information.

Falcon LogScale Log Collector 1.4.1 GA (2023-6-13)
Version?Type?Release Date?

Config.

Changes?
1.4.1GA2023-6-13yes
FileSHA256 Checksum
linux_amd64.deb788d7be0888c8527501e5ca90698b0fdc06745eeddc98c7b79c240d2505e2dfb
linux_amd64.rpmdee647d23060843c789360cc9ecf51fd8f59b9c9ae487c587bd2099dc11f2218
linux_arm64.deb59f55b0668f0462c1bcf257b771edf1ae4fa365e7b905a9acea5b1494d157723
linux_arm64.rpmfcc2ee1d23f094e136e62e06d9ef55768b2dfcf2adbc6fe0ffe2467838351cd9
windows_amd64.msi43390b610233202f0c1808a65f05b701e4c141b2781a83a0885c5aa9b2613c3e

Improvements to the handling of the Windows event log source.

Improvements, new features and functionality

  • Collecting Data

    • The approach for handling Windows Event Logs has been revised, as the previous versions of the Collector could cause field names to be misaligned.

      The previous approach was solely based on using the Windows Event API for rendering the field names. This has shown to fail in cases where the event data has a parameter without a value.

      The new approach parses the XML and for events containing EventData, the field names and values are directly extracted from the XML. For events containing UserData, the XML may not be sufficient, thus the parsing falls back to the Windows Event API to render the field names.

      This has the following known impact on the collector data:

      • Corrects the misalignment of field names, found in earlier versions.

      • Events containing the Binary field, are now sent as their real names, e.g, windows.EventData.Binary, which previously were sent as windows.EventData[n].

    • The Language for rendering Windows Event Logs is now configurable. Up to version 1.4.x The LogScale Collector used the system language to render the event message, collected as @rawstring. This has the potential downside, that for fleets with Windows hosts using different system languages, the collected @rawstring will differ. This only applies for rendering of the event message (no other values) and only for local events.

      In the case of forwarded events the message is rendered locally by the Windows Event Forwarded, and when collected on the Windows Event Forwarder, the message is sent as plain text to the LogScale Collector.

      A new config parameter (language) for setting the render language using Windows LCID codes has been added. The default setting is 0, which corresponds to the previous behaviour, which is the active language on the host.

Bug Fixes

  • Collecting Data

    • Misalignment of field names for the Windows event log source has been corrected, see above.

Falcon LogScale Log Collector 1.4.0 GA (2023-5-08)
Version?Type?Release Date?

Config.

Changes?
1.4.0GA2023-5-08no
FileSHA256 Checksum
linux_amd64.debdb4ea1ad653c1c1563e9f8729a7383af01c38b739ae7df75ee24a747c57f22cf
linux_amd64.rpm260e8106189e924877b5f126ccc63bd651bf9ae40f5d16844cbe715a43a50ffa
linux_arm64.deb2278f9b10ed6547cc7814e6a7e26e26912eac8ddebc3739d09190f60a16e4100
linux_arm64.rpmd704e464b71b8514912b31d8b8b0db08fc0ff81c7a54a75bdc8d23cdb7e32da7
windows_amd64.msiecbcb5a29e24a39749598419d13d17c3483cf6b1ea0121bea1027667577eac53

Bugfix for the Windows event log source, improvements to fleet Management.

Improvements, new features and functionality

  • Fleet Overview

    • Fleet Management Improvements

      • When enrolling a LogScale Collector to Fleet management, the enroll process will now stop and start the service during the enrollment process. This behaviour can be omitted by using the flag to the humio-log-collector enroll command.

      • After a successful enrollment, the LogScale Collector service will be configured to automatically start after a reboot. This behaviour can be omitted by using the --no-service flag to the humio-log-collector enroll command.

      • The LogScale Collector process will now exit if it receives an 401 Unauthorized error code during a Fleet management poll operation. The error code signals that the instance no longer has access to the LogScale cluster and cannot be managed. The service manager will automatically restart the LogScale Collector after exiting.

      • When enrolled in Fleet Management, the LogScale Collector will now collect diagnostics from the sinks and send them to Fleet management. The diagnostics will contain various warning and error states that might occur when sending events to LogScale. The diagnostics is available for viewing in the Fleet management tab in LogScale.

  • Other

    • Checkpointer has been improved

      In preparation for future improvements, the checkpoint database has been changed from a JSON file to a binary database format. The existing checkpoints.json file will be automatically imported into the new database. The LogScale Collector will now write a backwards compatible checkpoints.json file on shutdown, which will not be re-imported.

    • Command line arguments

      The LogScale Collector command line interface has been changed to use -- (double dash) for each option. Existing - (single dash) options will be converted in a transition period. A deprecation warning is emitted when options are provided with only a single dash.

Bug Fixes

  • Managing Data

    • Corrected the handling of subscription to more than 64 channels in a single Windows event log source.

      The wineventlog source sometimes encountered issues when configured with more than 64 channels in a single Windows event log source (type: wineventlog). In this scenario it would not collect any events, and the following error message was observed: "extNext: The operation identifier is not valid.". .

Falcon LogScale Log Collector 1.3.4 GA (2023-3-30)
Version?Type?Release Date?

Config.

Changes?
1.3.4GA2023-3-30no
FileSHA256 Checksum
linux_amd64.debf0a6612a103765ff2f54121d1520290dabac64aabbd21eca423f7cd79105f230
linux_amd64.rpma9e1d4174a8b7af93da72c01aae68e7d1a1db66fb29a40bc16bd3cafc62ef14a
linux_arm64.debe82c6c21fe2a0704c42c564cddba39337044247e82cdd5f701658c35bce6bc20
linux_arm64.rpme70248e5caca2c2b8a44b39baf69136d2301dbdcab02269fb74a88084199c34c
windows_amd64.msi3a925d65b753bdcf4ee5724c37925a32805943f8a75b5bddf82e874d3588ff8c

Bugfix for the Windows event log source, related to an issue with forwarded events.

Bug Fixes

  • Collecting Data

    • Using the enroll command, to enroll a new collector to fleet management in a linux environment,would previously cause an error if the collector had not been running before, i.e. if the enroll command is the first action.

      When enrolling a new collector, the collector would use an empty machine id value due to incorrect permissions set up by the enroll command. This is not a problem when enrolling collectors that have already been run.

      Starting with this release the enroll command no longer has this issue. In case the above error is encountered, a manual fix is required to give the service user the correct permissions:

      sudo chown humio-log-collector:humio-log-collector /var/lib/humio-log-collector/.machine-id

    • In a setup using the Windows event log source for collecting forwarded events, the collector has been seen to crash while parsing forwarded events.

      This may occur in a scenario where the remote WEF (Windows Event Forwarding client) and the WEC (Windows Event Collector) go online after a restart. The re-initiated event subscription causes an exception, which stops the collector. This has now been corrected.

Known Issues

  • Collecting Data

    • When collecting data from a Windows event, the collector extracts information from event data and maps the data to named fields in LogScale.

      In scenarios with forwarded events containing empty data values, the indexing of values and names can become misaligned. In this case the current parsing approach is not possible due to misalignment of field names and values. Previously this would result in incorrect values being assigned to field names.

      Starting with this release the Collector appends these values as indexed fields (windows.EventData[0..n]) instead of named fields, and introduces a new field @collect.error with the value: "wineventlog: couldn't parse names for event data".

Falcon LogScale Log Collector 1.3.3 Withdrawn (2023-3-21)
Version?Type?Release Date?

Config.

Changes?
1.3.3Withdrawn2023-3-21no
FileSHA256 Checksum
linux_amd64.deb2d0ae5a2f90cbef19c1058393a45ab1007f47d97e907d04505a682a75c943e3e
linux_amd64.rpmc52c11f09f139b17f9389dbb3d6221a9a81715df1faf92453730708dd6963c81
linux_arm64.deb657479d94673417eb1422e8d7f22d5a25718dd88a83db0b20caf5324b1fb2aa7
linux_arm64.rpm011323a48d3675e7cbc3bbbf7ae54c394e43d2d53bd48c380e5a462c1c3967a1
windows_amd64.msi416efe329da3c35a7b2f5f02811595f93a002fb8a0d8637655ca79686245f9d6

This release has been withdrawn due to the introduction of a regression which could result in missing @rawstring for the Windows event log source.

If you are using this version we recommend you upgrade to 1.3.4.

Falcon LogScale Log Collector 1.3.2 GA (2023-3-16)
Version?Type?Release Date?

Config.

Changes?
1.3.2GA2023-3-16No
FileSHA256 Checksum
linux_amd64.debe66ae46ded76c53259fc901af0a6139c3c7884007c9f10afe22c570236b7f5f8
linux_amd64.rpm8c00a22e39161a5e8564a47712673447e014f950d41e22aa049907d653621771
linux_arm64.deb255bfefbb886567eb3a698fb0c59cd502f0946b947fa4ff8a0a4e5caf6da921c
linux_arm64.rpmc4c0f7d2b25269f18429411b4d78662f084c97aefd899d51782d68145bdd2afb
windows_amd64.msiefe31334621d59610d3c533b9fdd0f6cde00024c8ded3ecb645c2879a7ea1f3d

Bugfix for the Fleet Management communication, eliminating excessive retries.

Bug Fixes

  • Fleet Overview

    • If Fleet Management communication with LogScale is unsuccessful the LogScale Collector will do exponential backoff.

      In some scenarios, an error in the backoff implementation caused the retry timeout to drop to zero, resulting in excessive retries. This is now corrected.

Falcon LogScale Log Collector 1.3.1 GA (2023-3-9)
Version?Type?Release Date?

Config.

Changes?
1.3.1GA2023-3-9Yes
FileSHA256 Checksum
linux_amd64.deba52f365af747a2d4eda400392e29540a92ce39cd42dd5c26554d92b5f68ecc4c
linux_amd64.rpm399cd1c41a5006a4d41f0991d00df3cee4a87b2acc0542b4707bfe01dff89cb1
linux_arm64.deb668386f89987c7f2ac10c759e040d6fceebe8c2a30d3435b13e02e4860d9b993
linux_arm64.rpmbdd8e208551ba220016367a1ff7833fdd1bcf17449725c79e7a069e52c9bc0a1
windows_amd64.msi191ec1f4151bf2ffaea93dedfd646974c879a62762a7c63539ab4d5f3bf34b89

Bugfix for the Windows event log source, related to an issue with the event data fields.

Improvements, new features and functionality

  • Configuration

    • When installing on Linux the provided service file allowing to run the collector as a systemd service, now defaults to "Restart=always". This is to ensure that unless the service is stopped, the collector service will always be restarted in case of e.g. a crash.

    • The behaviour in cases where the system HTTP proxy detection fails, has been changed.

      If no proxy is configured, the collector will attempt to detect and use the system HTTP proxy. Previously if detection failed the collector would stop, for example this sometimes occurred on older versions of Windows.

      Now in case of failure a warning will be logged, and the collector will continue without a proxy (corresponding to the configuration: proxy:none).

  • Debugging

    • Usability improvement of the enroll command.

      The check for supplied command line arguments is improved and if incorrect/missing arguments are encountered usage is printed.

Bug Fixes

  • Collecting Data

    • Corrected handling of event templates version for the Windows event log source (type: wineventlog).

      When collecting data from a Windows Event, the collector extracts information from event data and maps the data to named fields in LogScale.

      Scenarios where an event has multiple versions of its XML template were not handled correctly, potentially resulting in incorrect values being assigned to field names.

  • Fleet Overview

    • Corrected UserAgent in HTTP requests for fleet overview and fleet management (Internal improvement).

Falcon LogScale Log Collector 1.3.0 GA (2023-2-7)
Version?Type?Release Date?

Config.

Changes?
1.3.0GA2023-2-7Yes
FileSHA256 Checksum
linux_amd64.deb80588964a8437e653ac0a1b9a9cf7636d287bbf2314611e09c9d5b00a28f82c4
linux_amd64.rpma4861915f09280a16b4674ad148f61554d35da00b2683b52647473ca7f347a34
linux_arm64.debfec6fc2f2ab5e883781531b384fd2adeca37967f97bd5ae25d44e2ea94f73baa
linux_arm64.rpm7fb71e45dab7dd5334f866e7724c39cd0291b921cb766c0630ed13051837534e
windows_amd64.msi43d999b34e702049edd281c63f142af7b4a69fb52270f9670a826b8600401209

Fleet management now supports remote configuration of LogScale Collectors. This gives an administrator the option of managing the configuration of LogScale Collector instances in LogScale, instead of managing configuration files directly on the device where LogScale Collector is installed.

Improvements, new features and functionality

  • Configuration

    • The configuration of LogScale Collectors can be managed in LogScale. This is accomplished using configurations and enrollment tokens stored in LogScale.

      To be able to manage the configuration of collectors in LogScale, collectors need to be enrolled to remote configuration, this is done using enrollment tokens.

      Two new pages have been added to the Fleet Management tab in the LogScale user interface.

      • The Config overview page, lists all available configurations and the number of LogScale Collectors using each configuration. The page furthermore allows you to create new configurations. See Manage Remote Configurations for more information.

      • The Enrollment tokens page lists all available enrollment tokens, and allows for creating new enrollment tokens.

        The actual enrollment of a LogScale Collector is performed by executing an enrollment command on the device with the installed LogScale collector instance. The command to be executed can be grabbed from the enrollment token page. See Manage Falcon Log Collector Instance Enrollment for more information.

      The Fleet overview page, which displays the status of all LogScale Collector instances, now includes the name of the assigned configuration to each LogScale Collector.

      It is still possible to use the Fleet Overview without enrolling LogScale Collector instances in remote configuration, in which case configuration will need to be managed directly on the device with installed collector. See Fleet Management Overview for more information.

Falcon LogScale Log Collector 1.2.3 GA (2023-1-23)
Version?Type?Release Date?

Config.

Changes?
1.2.3GA2023-1-23No
FileSHA256 Checksum
linux_amd64.debc1e7e6608e3ef67793d4d23226dbb771b5c8e3a932358728519f8e9d52034da4
linux_amd64.rpm98ba2862e925513721b0f856712787a522fea1ed5b0eb34c7a20008b7a233fc7
linux_arm64.deb4234b9d340569872528eaa9eed5bb9aaa1b7130317f89e32c48550e655764e13
linux_arm64.rpm89344a58c18bb914d8ce8bbe688eac3cf2c9ba236098dd2baeddad9b2a394f59
windows_amd64.msi7571d07dac0240d9620ef1a9a1c7dace12473ddfc09d3d0f327ff281fb928785

This version contains bug fixes.

Bug Fixes

  • Collecting Data

    • Fixed a bug on Windows where the Log Collector locks open log files, preventing applications from rotating log files via rename or delete.

Falcon LogScale Log Collector 1.2.2 GA (2023-1-16)
Version?Type?Release Date?

Config.

Changes?
1.2.2GA2023-1-16Yes
FileSHA256 Checksum
linux_amd64.deb9fabeb63439db16d6c425d73497809963260670a72564da7f068dd667aff8605
linux_amd64.rpm732aaa87dfa023fc64efd1c1f211f828ee32af8901dd97c34186cf39c51d071e
linux_arm64.debf8f0ea531620160112452f4dd6d158137be829d8b93f4c042bb1d562991d6733
linux_arm64.rpm49ddd2dcc179a47c10f16aaa747f0148dd82137b488ec125ae7bc94422f6e7fe
windows_amd64.msifa41725bc6ebc425db6fec0c81eb895c9a4239cfa18511e6abbc30588bc64913

Bug fixes, improvements and Windows log format collecting features.

Improvements, new features and functionality

  • Collecting Data

    • Added an option to WinEventLog source for including/excluding the XML.

    • Moved default program data directory on Windows to prevent possible conflicts with Falcon Sensor.

    • Improved performance of the WinEventLog source.

    • Added an option to WinEventLog source for excluding eventIDs.

Bug Fixes

  • Collecting Data

    • Fixed a bug which caused the checkpointer for WinEventLog source to not update all of the configured channels.

Falcon LogScale Log Collector 1.2.1 GA (2022-11-10)
Version?Type?Release Date?

Config.

Changes?
1.2.1GA2022-11-10No
FileSHA256 Checksum
linux_amd64.debdc7bf952be2ff5c541de2d9d927d03bec578f84fe0cb7214db428f3f4638dafb
linux_amd64.rpm3cd03e99fcf1f6061941c6b38e68656325d0b5c945571715bdd65381ca488370
linux_arm64.deb6e85664f54c84154d1c9b3f4f3b48ae8961e13a643b86981ceba927c733590d1
linux_arm64.rpm904845aef96db4a40b83a3bbe1dcf1e79cceb6e072375ee4c0b3eb4695effb3d
windows_amd64.msi992cbdda12353a4cd4e7bc1672fb31a0033e46096438bed71c4869314ed54ace

Bug fix for an issue related to file source which caused it to stop monitoring files.

Bug Fixes

  • Collecting Data

    • Fixed a bug which could cause the file source to stop monitoring files due to a race condition in file creation, update or deletion scenarios.

Falcon LogScale Log Collector 1.2.0 GA (2022-10-27)
Version?Type?Release Date?

Config.

Changes?
1.2.0GA2022-10-27Yes
FileSHA256 Checksum
linux_amd64.deb34ebabca8336e6e84a97684dea8a6592eb893dc1db026096845fc1ff596996c3
linux_amd64.rpm2bcae521ba78bbdd54db0b8b77d536e80eca4a6bd1d3247e757e06ed424be93dd
linux_arm64.deb137f2d376a4d45045258ace6c8c7f9efb5bab808b67c195f98544862cbbf976a
linux_arm64.rpm93f3d1d37c86971ddf6e503e0832f361a98b34b93fecb3f92d696bb7d7355743
windows_amd64.msi9c47b0c008cd5ef83d5569132181d49c8ad929b59cf29e3a65a787bd88e9cce9

This version of the humio log collector offers the Fleet Overview functionality, which allows you to monitor the status of log collector instances and the following improvements:

  • Improved configuration file validation

  • Improved error logging

  • Reload configuration file feature

  • Using environment variables as the sink url

  • The file source now has more include and exclude patterns and uses less resources by waiting for changes to the file

  • the CMD source can now create single multiline events

  • the wineventlog can now filter events by provider and keep bookmarks of its progress

  • Performance improvements

  • improved batch handling

  • Enforces the use of HTTPS.

Improvements, new features and functionality

  • Configuration

    • Improved configuration file validation - The collector is now more thorough when validating its configuration file. An example of this is that unknown options in the configuration are invalid and will prevent running the program. Upon detection of an invalid configuration, the collecter will attempt to provide a descriptive error, some examples of this are:

      error reading config file "my_config.yaml" sources:
              name must consist of only alphanumeric characters or '.', '_'
              and '-'
      
                  error reading config file "my_config.yaml": 
                  sources.cmd_uname_scheduled.interval: invalid type string,
                  wanted int` 
      
                  error reading config file "my_config.yaml"
        : sources.dummy_logs.sink: missing value for required field`
                  
    • The collector now enforces using https:// for URLs, this can be overridden by adding the -allow-insecure-http command line flag.

    • The collector now reloads the configuration file when it receives a SIGHUP. This does not apply to the logLevel and dataDirectory options. If the new configuration is invalid, the program will stop.

  • Managing Data

    • Improved memory usage of the memory queue component by removing an upfront buffer that caused it to store more events than specified by the maxLimitInMB option.

    • Improved serialization performance in the humiosink leading to lower memory usage and faster serialization of events.

    • If a file monitored by the file source is inactive not written for a configurable period default: 60 seconds, the file descriptor is closed to release system resources, and watched for changes instead. Whenever the file changes, it is re-opened. This is configurable by the inactivityTimeout option in the file source.

  • Debugging

    • The default log level is now set to warnings, previously only errors were logged by default.

  • Collecting Data

    • The url option in the sinks part of the configuration can now refer to an environment variable by using the ${ENVVAR} syntax.

    • The wineventlog source can now filter events based on the provider name. Set the option providers to an array of provider names that should be included to enable this feature. This source also keeps a bookmark of its progress in the Windows event log, and resumes from there when the collector is restarted.

    • The cmd source can now create a single multiline event when running in the schedule mode. Set the option consolidateOutput to true to enable this feature.

    • The file source can now have additional include and exclude patterns in the same configuration. Specifically, the options exclude and include can be either a string or an array of strings.

    • Improved batch handling

      • The sinks now have additional configuration options to change the maximum event size maxEventSize (default 1MB) and the maximum batch size maxBatchSize (default: 16 MB). The limits are propagated to the queue, where it replaces the previous maxEventsPerRequest option. The limits are also propagated to all the sources that reference the sink.

      • The memory queue no longer supports configuration of maxEventsPerRequest, it inherits the maximum bytes per request from the sink maxBatchSize.

      • The memory queue no longer waits before flushing a batch that is larger than the maximum batch size.

      • The collector now warns you when a memory queue reaches 50% and 80% of capacity.

      • The collector now sends a warning after 2 retry attempts when sending events to a http sink.

  • Fleet Overview

    • The collector now supports reporting to the fleet overview of LogScale. Configure the fleetManagement part of the configuration to enable this feature, see Fleet Management (fleetManagement) for more information.

      When the feature is enabled, the collector will periodically send metrics to LogScale, including the OS version, the collector version, how much data is ingested, and a description of the configured log sources.

Bug Fixes

  • Collecting Data

    • Events from the wineventlog source which contain fields of the type hexadecimal integer were presented as a base 10 number, they are now presented as a base 16 number.

Humio Log Collector 1.1.4 GA (2022-10-12)
Version?Type?Release Date?

Config.

Changes?
1.1.4GA2022-10-12No
FileSHA256 Checksum
linux_amd64.debbd486f2ad1facb7d77fbe19a529f276d5229f60b1a2bbe8aeef8688afd87110a
linux_amd64.rpm67d8242b89df0fc9751153b0d989efaaf913e1db89e027d9246e2229a446bebf
linux_arm64.debadc9a57861c9076c3ff2b123a114ea5590ae973cf00c23486325349693ac11b0
linux_arm64.rpm034aad8e7be0180cf5b8ec22b7f5f976baf8ea1f812fc47345bc9bdb1dcc5065
windows_amd64.msiec99bfb404c297e45d67843c10f6c9960d95adb11fa6bf39837ab98171e4e6d1

Fixed a bug with the Windows event log source.

Bug Fixes

  • Collecting Data

    • Fixed a bug which made the log collector stop when it encountered a Windows event that contained a binary property of zero-length.

Humio Log Collector 1.1.3 GA (2022-10-03)
Version?Type?Release Date?

Config.

Changes?
1.1.3GA2022-10-03No
FileSHA256 Checksum
linux_amd64.deb5be06657ddddaa365fc4cf3fbfa568f6f2e898f1b47510ba9331d8429ad4f4f8
linux_amd64.rpm662ffdeb1647084d70d6f6a7d6a46c41599320cfc620f9d7770836eab6cc06a8
linux_arm64.debfba12903af198ae7004bbc93d81bdc973fa4fa18d1c47106d233b3787850d7db
linux_arm64.rpm22641197a84f7924a1e5d6f5975318846958bd4601d9f7e7b7893c6dfbe2ea01
windows_amd64.msi3c43952dae2dc726d1a1cb6862ced922893454d4e019984e0b2efe5419319337

Improved troubleshooting on Windows, improved checkpointing on disk and fix for a bug on the data sink type.

Improvements, new features and functionality

  • Debugging

    • Improved Checkpointing to disk -- In case of failure writing checkpoints to disk, an error will be logged and writing to disk will be retried with exponential backoff for up to 1 second. This avoids a potential race condition, in which an external program (e.g. an anti-virus program) locks a file that is being simultaneously accessed by the Log Collector.

    • Improved troubleshooting On Windows platforms -- the Log Collector will send errors and warnings to the Windows event log.

Bug Fixes

  • Collecting Data

    • When sending data to a configured sink the http-header: Content-Type is now set to application/json.

Humio Log Collector 1.1.2 Not Released (2022-09-29)
Version?Type?Release Date?

Config.

Changes?
1.1.2Not Released2022-09-29No

Important

This release has been withdrawn due to an issue on Windows, where, in certain configurations, it will continuously log the same event.

If you upgraded to this version we recommend you downgrade to 1.1.1. If you have not installed 1.1.2 upgrade directly to 1.1.3 when it is available.

Humio Log Collector 1.1.1 GA (2022-09-19)
Version?Type?Release Date?

Config.

Changes?
1.1.1GA2022-09-19Yes
FileSHA256 Checksum
linux_amd64.debaceca7f505bc044b275077fa20f9ee565dbc85a48e2454834cbc31a65c3c73aa
linux_amd64.rpmab8afd8cbab28d9072e5d1c5dee1b59acc4aeef640dbf7d9284bf44424fef6e9
linux_arm64.deb9fc3968c093dd341e61b09694fb504f9d1e5116c22d4cc519e3389bcf9148dfe
linux_arm64.rpm26fb2eee00c61903095ea5daab3f3b9e30f0ec0841a13e826c17f2683f714fb9
windows_amd64.msifaab7fb9f935ae4b184debae3cb1310821c5bdc7c3a1ede3a96ce8c4156d8120

Fixed issues on Syslog and JournalD data collection and improved the queue.

Improvements, new features and functionality

  • Managing Data

    • Improved the way events are being queued in order to better respect the maximum limit of the queue.

Bug Fixes

  • Collecting Data

    • Fixed an issue with Syslog data where the source would allocate more memory than was needed.

    • Fixed a JournalD source issue where the collector would stop collecting new events after journal files have been rotated.

    • Fixed an issue when using Syslog source where syslog messages were silently discarded.

    • The Syslog source now limits events to 2 KB (configurable via the maxEventSize parameter on the source).

Humio Log Collector 1.1.0 GA (2022-06-25)
Version?Type?Release Date?

Config.

Changes?
1.1.0GA2022-06-25Yes
FileSHA256 Checksum
linux_amd64.deb2788c0c46fb6d91c33c9564ef93d8f9d25eb1c711075951784da74661b675c15
linux_amd64.rpm0dda3ece37b7c85be69b2c766b671dd9cfb94248b93159e43a0d266b54df8fe1
linux_arm64.deb6e599f88f53765babfe08a759297a235224b29ff9dd1b6571803a80ac694ca34
linux_arm64.rpm71f7be590748b3030dd716d03ea015d84867910724c7e1ba6b26cb678c3a0cea
windows_amd64.msi7492cf419ac1bfad63917e509a513f38363f2854c0edeeaf0f5852c9b2bc3adc

Extended support and functionalities.

Improvements, new features and functionality

  • Managing Data

    • Filter Windows event log by EventID

    • Disk queue support

    • Transform Static fields

    • The user can use environment variables to configure:

      • ingest tokens

      • the field values in the static field transform

      • the environment for any command run through the cmd source

    • The queue configuration option fullAction: deleteLatest has been removed are set to the default pause.

  • Collecting Data

    • Support for Multiline logs

    • JournalD source support

    • Updated cmd source support

    • The log collector supports for reading gzip and bzip2 compressed files by default.

Humio Log Collector 1.0.2 LTS (2022-05-05)
Version?Type?Release Date?

Config.

Changes?
1.0.2LTS2022-05-05No
FileSHA256 Checksum
linux_amd64.deb2ed466469b51768b2c3f46c465a23bb0c867fe684adf5715688d223af40d276a
linux_amd64.rpm43d93110a6a365dbd01044a142a4add813c95e37491d8053129dc4bd1fba1bf2
linux_amd64.zip62eaaf9bcf42b986717c8123e65ff9ea4788162757f7ae8f518941ddcb338825
linux_arm64.debbc9a7dc9f2688adbae7d071f7225e6ebeef3e2def88ebccbc5dc290056f7aa7a
linux_arm64.rpm238249181ca038f81cef90855b90f2ed608d8164fbd347c42935db8dc624abf5
linux_arm64.zip9fe71e0409a1e94c8ce225ab90af3f46115210043221e0d6f1570e427cd40f2e

Bug Fixes

  • Other

    • Automatically reload the systemd daemon after install on Linux.

    • Fixed a bug that caused the log collector to start from the beginning of all files after being restarted.

Humio Log Collector 1.0.1 LTS (2022-04-25)
Version?Type?Release Date?

Config.

Changes?
1.0.1LTS2022-04-25No
FileSHA256 Checksum
linux_amd64.deb7e3addbfd503339afb032dc92da25a6aff0a6fb7ee8b516e90c81666a8127923
linux_amd64.rpm43d93110a6a365dbd01044a142a4add813c95e37491d8053129dc4bd1fba1bf2
linux_amd64.zipd7191c83ec5c95bc5213ec1dbee6f831205755c1ab1bdd0b69443ee19e268a04
linux_arm64.deb44355e8cce6e7db84cf1d43e75b17a7a6b3118744c8582fcf5852be6c44dc0a8
linux_arm64.rpm08b4ef1eb37dea3902694e2ef3b4cbe69dcc9633dce95e19a00cd60f739aeaa3
linux_arm64.zipa88e7dc6183004b8c5c7a167400b6d351489a7bbd93fece1466ab21d6408d1fd

Bug Fixes

  • Other

    • Fixed a bug where the log collector would get stuck when encountering a long line (131,072 B) and use 100 % CPU.

Humio Log Collector 1.0.0 LTS (2022-04-23)
Version?Type?Release Date?

Config.

Changes?
1.0.0LTS2022-04-23Yes
FileSHA256 Checksum
linux_amd64.debcd65f255943e03f5ad01bed20196742a25e48240ee3dadfeeb363911afe8b8ab
linux_amd64.rpm 8482625c6795954d137609b77737c7c719ce457d4a4b78aace0b5a2cd09df5e6
linux_amd64.zip888d95ec898eb16a528c5537836a4ec42cc543dff206539741816d7c0f564bde
linux_arm64.deb348a3be0ccb4b5c11e88ea18ce8a858814f4d568b5a8b43082811db4e7aa8e9e
linux_arm64.rpm39da26f504af0aa20a40d3c8d08803eecd474163d9650a71803344b85672fe54
linux_arm64.zip3f37407ead2a2e712a9bfcd307b1c6e5ef256d2cb9968dd86bfe70d50aedb634

The first release of Humio Log Collector our native Log shipper which can be used to ship local files to a Humio repository by specifying an ingest token. This version of the log collector offers the following features.

Improvements, new features and functionality

  • Network

    • Offers network compression which defaults to ON.

    • Supports HTTP(S) proxies.

  • Managing Data

    • Ships all existing events in the file.

    • @collect.* metadata attached to the events including unique collector ID, hostname, @collect.timestamp etc

    • Only handles single line events

    • Collects from local files using a glob pattern (so single file, directory, recursive, etc) and from windows eventlogs and system logs.

    • Buffers in memory.

    • Tails for new events in the file.

    • Offers a sub-second ingest lag between a line being written and sent to Humio (configurable)