How-To: Downgrading LogScale Collector from Version 1.8.1 to 1.7.x

The Falcon Log Collector version 1.8.1 optimizes the filesource performance and scalability with multiple file sources.

This change includes a revised internal database structure, which affects how file identities are stored. An automatic migration is performed during upgrade, preserving existing file identities. This change is not backwards compatible, and downgrading from 1.8.1 to an older version requires a manual action to avoid re-ingestion of new files created after the upgrade.

Note the potential re-ingestion is limited to the filesource only, all other sources will not re-ingest.

To downgrade from 1.8.1 to an older version without possible re-ingestion the following manual steps can be performed to convert the new format to a format supported by older versions.

  1. Stop the collector service running version 1.8.1 or newer

  2. Run the Falcon Log Collector version 1.8.1 or newer manually with a migrate command

  3. Downgrade the Falcon Log Collector to version 1.7.4.

  4. Restart the Falcon Log Collector service.

Custom Install Example Linux (Ubuntu) Installation

If the Falcon Log Collector tor was installed using custom installation (manually installed and up/downgraded using .rpm or .deb packages) the steps are:

  1. Run the command: 

    sudo systemctl stop humio-log-collector.service

  2. Run the command: 

    sudo -u humio-log-collector humio-log-collector migrate identities-to-v1 --cfg /etc/humio-log-collector/config.yaml

  3. Run the command: 

    sudo dpkg -i humio-log-collector_1.7.4_linux_amd64.deb

  4. Run the command: 

    sudo systemctl start humio-log-collector.service

Full Installation

If the Falcon Log Collector was installed using full install (up/downgraded using Fleet management):

  1. Run the command: 

    sudo systemctl stop logscale-collector.service

  2. Run the command: 

    sudo -u logscale-collector logscale-collector migrate identities-to-v1 --cfg /etc/logscale-collector/config.yaml

  3. Downgrade to version 1.7.4 using Fleet management. 

    sudo -u logscale-collector logscale-collector migrate identities-to-v1 --cfg /etc/logscale-collector/config.yaml

  4. Run the command: 

    sudo systemctl start logscale-collector.service