How-To: Downgrading LogScale Collector from Version 1.8.1 to 1.7.x

The Falcon LogScale Collector version 1.8.1 optimizes the filesource performance and scalability with multiple file sources.

This change includes a revised internal database structure, which affects how file identities are stored. An automatic migration is performed during upgrade, preserving existing file identities. This change is not backwards compatible, and downgrading from 1.8.1 to an older version requires a manual action to avoid re-ingestion of new files created after the upgrade.

Note the potential re-ingestion is limited to the filesource only, all other sources will not re-ingest.

To downgrade from 1.8.1 to an older version without possible re-ingestion the following manual steps can be performed to convert the new format to a format supported by older versions.

  1. Stop the collector service running version 1.8.1 or newer

  2. Run the Falcon LogScale Collector version 1.8.1 or newer manually with a migrate command

  3. Downgrade the Falcon LogScale Collector to version 1.7.4.

  4. Restart the Falcon LogScale Collector service.

Custom Install Example Linux (Ubuntu) Installation

If the Falcon LogScale Collector tor was installed using custom installation (manually installed and up/downgraded using .rpm or .deb packages) the steps are:

  1. Run the command:

    shell
    sudo systemctl stop humio-log-collector.service

  2. Run the command:

    shell
    sudo -u humio-log-collector humio-log-collector migrate identities-to-v1 --cfg /etc/humio-log-collector/config.yaml

  3. Run the command:

    shell
    sudo dpkg -i humio-log-collector_1.7.4_linux_amd64.deb

  4. Run the command:

    shell
    sudo systemctl start humio-log-collector.service

Full Installation

If the Falcon LogScale Collector was installed using full install (up/downgraded using Fleet management):

  1. Run the command:

    shell
    sudo systemctl stop logscale-collector.service

  2. Run the command:

    shell
    sudo -u logscale-collector logscale-collector migrate identities-to-v1 --cfg /etc/logscale-collector/config.yaml

  3. Downgrade to version 1.7.4 using Fleet management.

  4. Run the command:

    shell
    sudo systemctl start logscale-collector.service