Full Falcon LogScale Collector Release Notes Index
This section contains a single page with all release notes on the same page.
Falcon LogScale Log Collector 1.7.4 GA (2024-10-03)
Version | Type | Release Date | Config. Changes |
---|---|---|---|
1.7.4 | GA | 2024-10-03 | no |
File | SHA256 Checksum |
---|---|
linux_amd64.deb | 4812af7a6bf0ccb92651ee73f112a3b92812265c76829ed20487e23ab11b5e3e |
linux_amd64.rpm | 74c91ac39504768fc8a40894a07571d0c66710ca9f54e63ee7c744d30bdd8386 |
linux_arm64.deb | ed9ecdccb697702aa553b107c93ffc4fb7de4141c525fc6e7498ba6f1e54420b |
linux_arm64.rpm | 2ed6847eac30244a4b710e0c27684401fef53b04fe938755b115f4e3b958b04d |
macOS_universal.pkg | d266cfc6849e65d5c8d0fa53eaf8e33e539e55d70124454c9eb2aaf42a9b2e6b |
windows_amd64.msi | f79c0a16709ee56f9bf8cda6dba832ce6b90de8cc33a7b34c89f6294f357dcd6 |
Docker Image | Architecture | SHA256 Checksum |
---|---|---|
logscale-collector:1.7.4 | amd64 | cc7821f40308745e092a82f19e4b7ced0124970344b59e2629b6f07eb306806b |
logscale-collector:1.7.4 | arm64 | cc7821f40308745e092a82f19e4b7ced0124970344b59e2629b6f07eb306806b |
Improvements, new features and functionality
Installation and Deployment
The syslog source has been optimized to use less memory in setups with a high number of short-lived TCP connections. The new approach uses a memory pool instead of allocating new memory for each connection.
The number of concurrent TCP connections is limited to 1024. The default MaxEventSize for syslog over TCP is changed to 1 MB to match the same setting when using syslog over TLS.
The previous default setting was 2048 B (which is mentioned in the RFC); however, as some users have experienced truncated events, the setting has been changed.
Collecting Data
File source optimization for Windows and macOS.
The file source keeps monitoring files after all data has been read and ingested, so that it can continue shipping when/if new data is added. In scenarios with a high number of files, this can consume considerable CPU on Windows and macOS. To reduce the CPU usage, a dynamic file scanner, which balances the CPU usage of the file scanning part, has been introduced.
Other
Symbol names and debug information are now stripped from binaries, which results in smaller distributables.
Debugging
Internal log messages in the LogScale Collector have been improved. An internal buffer has been increased to avoid missing internal logs, and log messages for the syslog source have been augmented with more detail.
Fleet Overview
The LogScale Collector now supports sending custom labels to Fleet Management.
This is in preparation for an upcoming Fleet Management feature which allows using labels for defining collector groups. When creating a group, labels can be used in the filter query, e.g. labels.myLabel=foo. Labels must be added to the local fleet management config file of the LogScale Collector. Label values can be expanded from environment variables as well.
Bug Fixes
Other
We have identified a previously unhandled scenario in which the LogScale Collector attempts to send data to a Data Connector, and either an HTTP intermediary (such as a proxy) or the Data Connector accepts the HTTP connection but never returns an HTTP response while keeping the connection alive.
Previously this would cause the LogScale Collector to wait for the response, thus blocking further data on that sink. To address this scenario, the LogScale Collector will now time out and attempt re-transmission if it does not receive a response within 60 s. In this case a warning, "timeout awaiting response headers", will be logged.
Debugging
A race condition related to file rotation using compression could cause the checkpointer to get into a state where it would repeatedly log the following error messages: "File failed, waiting 1min. error: EOF" and "pipeline failed, error: EOF".
The LogScale Collector now marks the checkpoint for the file as done and the warning message "Handling unexpected EOF in compressed file" will be logged once.
Falcon LogScale Log Collector 1.7.3 GA (2024-08-13)
Version | Type | Release Date | Config. Changes |
---|---|---|---|
1.7.3 | GA | 2024-08-13 | no |
File | SHA256 Checksum |
---|---|
linux_amd64.deb | 15e4f7565b1dfe6e652652bb361075a8615bc42ce26d06c75158ad3e61625ecb |
linux_amd64.rpm | 9f4a5cf8d426d116ad242cbbc78b1c02ffe6788ce41fdab080df28c63e943bb0 |
linux_arm64.deb | d43b840ddfc42a862ce3df13ee9de761200208240a1f9f9b8b53d53f78a586a1 |
linux_arm64.rpm | 8b0206fbb280b77a2cd2844474bab7051823eb97585cd2a5c4d2e35c59d93268 |
macOS_universal.pkg | 26d414b4641e2af97a5014c381c4c7a5a7bfd79946ca9f872d448740524eeea2 |
windows_amd64.msi | 816fb015a80b461b32171298db7067c55ba4e3260a987bcd5b1cf7bc05e4b936 |
Docker Image | Architecture | SHA256 Checksum |
---|---|---|
logscale-collector:1.7.3 | amd64 | d2accd99bf8970cb4874c1b46c8f3d6b99db9d37b939ea1872db9ad7f762af2b |
logscale-collector:1.7.3 | arm64 | d2accd99bf8970cb4874c1b46c8f3d6b99db9d37b939ea1872db9ad7f762af2b |
Improvements, new features and functionality
Installation and Deployment
Uninstall-scripts are now distributed as part of the "Full Install" via bash / powershell.
Note that uninstalling a custom installation via system packages (i.e. rpm, deb, msi) is still handled by the system's package manager.
See Uninstall Falcon Log Collector Installations for more information on how to uninstall LogScale Collector.
Bug Fixes
Other
A vulnerability in a library generating UUIDs is addressed. The UUIDs were exclusively used for non-cryptographic purposes.
Falcon LogScale Log Collector 1.7.2 GA (2024-07-09)
Version | Type | Release Date | Config. Changes |
---|---|---|---|
1.7.2 | GA | 2024-07-09 | no |
File | SHA256 Checksum |
---|---|
linux_amd64.deb | 55ce3d492b9bdb0fc899406a2eacc95a4a97da54ffa13ac8b2327d9e5f37f12b |
linux_amd64.rpm | 9b45ff1c24955cf26e12242d98529a24d9b06cb1da9516d467c4e99db47591a3 |
linux_arm64.deb | 052870d7b15708ae4043360451e558a5a185ab6e1838c365bb0d976096ae9993 |
linux_arm64.rpm | a638bf86ac5fcb743a5aa3d9f143013b023c5ac48661a19b41d8ce4e70d19cb3 |
macOS_universal.pkg | 45364901540b86443bfe97ef124782650daae955eaf8bfae547c2584c0fc7965 |
windows_amd64.msi | d34795c397c7ba1097167804b6569a867f173a84a43ec339caa3004b2ae2b6a1 |
Improvements, new features and functionality
Collecting Data
The LogScale Collector (Linux only) was leaking file handles when monitoring symlinked files, causing the file scanning to be reduced to 10 second intervals. This update ensures that the file handles are closed when the symlink or the files are moved or deleted.
Falcon LogScale Log Collector 1.7.1 GA (2024-06-27)
Version | Type | Release Date | Config. Changes |
---|---|---|---|
1.7.1 | GA | 2024-06-27 | no |
File | SHA256 Checksum |
---|---|
linux_amd64.deb | 15e4f7565b1dfe6e652652bb361075a8615bc42ce26d06c75158ad3e61625ecb |
linux_amd64.rpm | 7abba9bdfa839abf33ae693d95656e4069642b59e1a804528de9fc289ab86511 |
linux_arm64.deb | d43b840ddfc42a862ce3df13ee9de761200208240a1f9f9b8b53d53f78a586a1 |
linux_arm64.rpm | 88038908e16f12f6dd979021fc02f424ddccfea4e18173f6832d4a1e57181442 |
macOS_universal.pkg | 3ba62e36a5e500bc95a2c43987a89e1361897adcef6ffc806dec807ef5149768 |
windows_amd64.msi | 93b5bb3e639bc773aab4df1cd796c8b42a073752bb369efb5ed51b3ce19a8e51 |
Improvements, new features and functionality
Collecting Data
For Kubernetes deployments, the kubernetes transform (used by the Helm chart to collect Pod logs) now also collects metadata for init containers.
Bug Fixes
Collecting Data
Linux only: Fixed a bug in the inotify event handler which would cause excessive error messages in the internal logs.
Fixed a bug in the file source which potentially caused the collector to stop reading files, related to a race between the file inactivity timeout and a file modify event.
Fleet Overview
Fixed an issue where the LogScale Collector could stop ingesting after publishing config changes from Fleet Management.
Falcon LogScale Log Collector 1.7.0 GA (2024-06-03)
Version | Type | Release Date | Config. Changes |
---|---|---|---|
1.7.0 | GA | 2024-06-03 | no |
File | SHA256 Checksum |
---|---|
linux_amd64.deb | 34b044b8f0ae27608927d61ae4042cdece06a6e58a79f539fb3fa6259e8f1cfc |
linux_amd64.rpm | a07608c13f03ec0ac3a0eb8d81b1719c9f3bef3dea82feb2e6858208d36e192d |
linux_arm64.deb | abe3168393558f48fe53d87f2940b76dbb36d0ead2681bb6fce05f86066c1fa3 |
linux_arm64.rpm | 30b6d3d3284c55d07be5c6c4cb98459cf11bceb57096bd2257c7d6168b6c2a7d |
macOS_universal.pkg | 4959e1ec177565a6c69942a259c24fcc01f65190789788443b528ec128dfa6b1 |
windows_amd64.msi | a8854e2931ac8450fa24a1f8406cef8fcf0ef9418bd4e5ac160d274ec5289b95 |
Docker Image | Architecture | SHA256 Checksum |
---|---|---|
logscale-collector:1.7.0 | amd64 | 2e0520b8d6fa731aa4d939d84d66ee69d842d9f1f94168122df4c09f68a92c87 |
logscale-collector:1.7.0 | arm64 | 2e0520b8d6fa731aa4d939d84d66ee69d842d9f1f94168122df4c09f68a92c87 |
Download
Docker EU-1
registry.crowdstrike.com/log-collector/eu-1/release/logscale-collector:1.7.0
Docker US-1
registry.crowdstrike.com/log-collector/us-1/release/logscale-collector:1.7.0
Docker US-2
registry.crowdstrike.com/log-collector/us-2/release/logscale-collector:1.7.0
Support for ephemeral hosts
Performance improvements to the file source on Linux, the Windows Event source and general memory handling.
Improvements, new features and functionality
Collecting Data
The LogScale Collector has been optimised for a more deterministic memory footprint. Memory is now reserved in the queue before reading from each source. This will reduce memory usage in e.g. backfill scenarios with a high number of individual files.
Linux only: To reduce the CPU and file I/O usage, the file source now utilises inotify for monitoring file changes.
The Winevent log source now supports severity filters and custom XPath and XML queries. The severity filter can be used to only include events with specific levels, e.g. adding the key levels: [0,1,2,3] to the channel specification will only include events with levels above 4 (information). The queries can be used to build more specific filters.
Other
The backward-compatibility checkpoint.json is obsolete as of this release. If migrating from a version before 1.4.0 to 1.7.0 and above, you need to install and run 1.6.5 in order to preserve the checkpoints.
Debugging
Cleaned up the internal log messages in the LogScale Collector. Some were lowered in severity and some were removed.
The internal logging component handles more events per second to eliminate the "Dropped debug log.." message.
Fleet Overview
Added support for ephemeral mode by specifying an ephemeral timeout at enrollment. If a collector is offline for the specified duration, it will be unenrolled and disappear from the fleet overview.
Added auto enrollment functionality that automatically enrolls the LogScale Collector if it does not have a working access token. Refer to Fleet Modes on how to use this feature.
Falcon LogScale Log Collector 1.6.6 GA (2024-06-13)
Version | Type | Release Date | Config. Changes |
---|---|---|---|
1.6.6 | GA | 2024-06-13 | no |
File | SHA256 Checksum |
---|---|
linux_amd64.deb | 716616dc89d84d83713a6abfa1bd7e65b90c5df09f3a4b55d5546d2010b4a9e7 |
linux_amd64.rpm | d696666bb4eb07270eadfb61f0cffce7cf3d5875183569d5b68deaa01736eade |
linux_arm64.deb | e54e4bd314cbf51642cfdd361340662a333e72dc7df5fb3821b8bd14ec309af6 |
linux_arm64.rpm | 3dbd586df1672e06500e407d228805492b83d195c9a50ebd1fa2196bacba27a0 |
macOS_universal.pkg | 29da28f5146893597d0541000cd7fb6002f50790358b33cd81ccf83db4a9aa97 |
windows_amd64.msi | 29da28f5146893597d0541000cd7fb6002f50790358b33cd81ccf83db4a9aa97 |
Bug Fixes
Collecting Data
Fixed a memory leak in the file source. In some scenarios the process would not release memory after a file was closed.
Debugging
Added User-Agent header to debug logging component.
Falcon LogScale Log Collector 1.6.5 GA (2024-04-29)
Version | Type | Release Date | Config. Changes |
---|---|---|---|
1.6.5 | GA | 2024-04-29 | no |
File | SHA256 Checksum |
---|---|
linux_amd64.deb | 81b54668ead01f8d0cf222035fcf4fa1d287f534152c3799d244e4be5a6b9c43 |
linux_amd64.rpm | cc36493be196656d87b0412bb414125165331e96415106864d8ca95910befeb6 |
linux_arm64.deb | b70d5006184c537dcd08fb90c72e6a92d902d3d1d34be014e28d1cb5bbfd1588 |
linux_arm64.rpm | bdb0fdf05469660c539935ef8191f679215dc21721bbcf1ed9b76eba70b835fc |
macOS_universal.pkg | 9a4db0cb82398ab5ccf23843b27be80bac853d492b49f0e291b601d8e9eb1ef9 |
windows_amd64.msi | 71a965cd3af6100d9fd3d31ab2661ede3d3bf502fdafb27535c18c24f5c3fac1 |
Docker Image | Architecture | SHA256 Checksum |
---|---|---|
logscale-collector:1.6.5 | amd64 | 8754dc0cdaead677439bf2a3d1c3150dc2b63ca2f1ec12a0b42a192346e91be4 |
logscale-collector:1.6.5 | arm64 | 8754dc0cdaead677439bf2a3d1c3150dc2b63ca2f1ec12a0b42a192346e91be4 |
Download
Docker EU-1
registry.crowdstrike.com/log-collector/eu-1/release/logscale-collector:1.6.5
Docker US-1
registry.crowdstrike.com/log-collector/us-1/release/logscale-collector:1.6.5
Docker US-2
registry.crowdstrike.com/log-collector/us-2/release/logscale-collector:1.6.5
Improvements and bug fixes regarding handling of the file source.
Improvements, new features and functionality
Debugging
On Windows, when file open fails, the error message will now include the path to the file, matching the behaviour on Linux and macOS.
The error message "Could not identify file." will only be logged once per file that could not be identified. Previously this message would be logged at each failed attempt to identify the file.
The severity of a number of internal LogScale Collector log messages has been reduced from error to warning, in cases where the error is already handled.
The error message "Failed sink receive." was previously erroneously logged at LogScale Collector shutdown, in scenarios where the shutdown was intentional and graceful. This has been corrected.
Bug Fixes
Collecting Data
A race condition during file rotation potentially causing the LogScale Collector to crash has been identified and addressed.
In previous versions the file source would hold on to a file handle until the read content was successfully received by LogScale. This could cause the reported disk usage to be higher than expected in scenarios with frequent file-rotation and low bandwidth/loss of connection to LogScale. The LogScale Collector now releases file handles immediately after reading EOF or detecting files being removed.
A race condition which could cause the LogScale Collector to crash, when using the static_fields transform, has been identified and addressed.
Debugging
An issue causing the internal debug logging module to log a warning "Dropped debug log message before they enter the ring buffer" has been fixed.
Fleet Overview
Fixed a bug where LogScale Collector metrics would fail to run, when any of the metrics could not be collected.
Falcon LogScale Log Collector 1.6.2 GA (2024-02-26)
Version | Type | Release Date | Config. Changes |
---|---|---|---|
1.6.2 | GA | 2024-02-26 | yes |
File | SHA256 Checksum |
---|---|
linux_amd64.deb | ba2332fac5b6131161380d6ea148fcb2b510d949d39943be42b28b4dbd14a1b8 |
linux_amd64.rpm | 1eddcefc1e30d17b5f3e8571ade165964c4cd6d5f626bedc655bd3b67ef0291a |
linux_arm64.deb | f978c49ce790a26bad87ea8faeb6d0b9ea314d06a52c13f314d5a5973386e613 |
linux_arm64.rpm | 0c551dc50f3bad26dbaf36f7fc5cc84ef49f73c3b373f94e63fd0d50a54b8e4d |
macOS_universal.pkg | 3339ed432f3e696645920fbc2f39b54983a9c03ed20cf5a34f1ef42972d2ff83 |
windows_amd64.msi | 343d9aeda9cbaccbfb51a51e257053775a0795f6dec5d7443d9be1d7048cd8df |
Docker Image | Architecture | SHA256 Checksum |
---|---|---|
logscale-collector:1.6.2 | amd64 | 6d33cb64cc7e6bfb08c6f365735559793b8aa40b631ca6be2a5961e009ee1217 |
logscale-collector:1.6.2 | arm64 | 6d33cb64cc7e6bfb08c6f365735559793b8aa40b631ca6be2a5961e009ee1217 |
Download
Docker EU-1
registry.crowdstrike.com/log-collector/eu-1/release/logscale-collector:1.6.2
Docker US-1
registry.crowdstrike.com/log-collector/us-1/release/logscale-collector:1.6.2
Docker US-2
registry.crowdstrike.com/log-collector/us-2/release/logscale-collector:1.6.2
Improvements and bugfixes regarding handling of the file source and installation on Windows.
Improvements, new features and functionality
Collecting Data
The file source now supports environment variable expansions in the include/exclude field in the config.
Bug Fixes
Installation and Deployment
Installing the LogScale Collector on Windows using the Windows installer MSI will install it as a service and set the service start setting to Manual. After enrolling the Collector into Fleet Management using the enroll command, the service start setting will be set to Automatic and the service will be started.
In previous versions of the installer, a new install/upgrade using the installer MSI would set the service start setting to Manual (overriding any current setting); as of 1.6.2 the installer service start setting will be preserved unless you do a fresh install.
When performing a new enroll command, the start setting will be set to Automatic; therefore, if you want a custom setting, e.g. Automatic (Delayed start), this will need to be done after the enroll command is performed.
Note: downgrading to version 1.6.1 or earlier will still revert to the initial setting (Manual).
Collecting Data
A requirement has been removed: in previous versions, the Windows Event Log source required the existence of at least one channel.
An issue has been resolved in the checkpointing component used by the file source. If a file was rotated/moved while the content was read but not yet acknowledged through the network, the unacknowledged content could be re-transmitted, resulting in duplication of ingest to LogScale.
Other
Fixed a bug where the --allow-insecure-http flag would not take effect for communication with Fleet Management. This caused the collector to enforce using https:// for Fleet Management communication even if the enroll command was executed with the --allow-insecure-http flag.
Falcon LogScale Log Collector 1.6.1 GA (2023-12-12)
Version | Type | Release Date | Config. Changes |
---|---|---|---|
1.6.1 | GA | 2023-12-12 | yes |
File | SHA256 Checksum |
---|---|
linux_amd64.deb | ae5e4d9125499203d0c324b78fe6bb06dfab80ae74d99cec6473622e2a86a273 |
linux_amd64.rpm | a50bb0b24e692cf0e4e32a72d7f6c84a5dfd6aec868aa9d7b6bbe4ab5096b450 |
linux_arm64.deb | 4e22b6a97fd1eade148d50583d9e78fc5a19a6f0af7591f99a59924e022f25a0 |
linux_arm64.rpm | a6565529c3e7b290cd03079a139aec9578f150af3f21e7c167e2d2840ad5a8fc |
macOS_universal.pkg | a7e20a99c0bde56d1a347e4880f647b03c7d6606abbfc2b0fc6dbcd0914e49c1 |
windows_amd64.msi | 39ff61e9e66e9a2d8481a2edb9d94543ddfc1aafc7db18f4bbf1d32ff05b89ca |
Docker Image | Architecture | SHA256 Checksum |
---|---|---|
logscale-collector:1.6.1 | amd64 | 98fff9a7d48767f89a87816fbc2c03f79bdd34eeccddfe8f77dafc2e0696981d |
logscale-collector:1.6.1 | arm64 | 98fff9a7d48767f89a87816fbc2c03f79bdd34eeccddfe8f77dafc2e0696981d |
Download
Docker EU-1
registry.crowdstrike.com/log-collector/eu-1/release/logscale-collector:1.6.1
Docker US-1
registry.crowdstrike.com/log-collector/us-1/release/logscale-collector:1.6.1
Docker US-2
registry.crowdstrike.com/log-collector/us-2/release/logscale-collector:1.6.1
Improvements and bugfixes to the handling of the file source and debug logging.
Improvements, new features and functionality
Collecting Data
The file source has been improved in scenarios with log file rotation. In previous versions a race could occur between file discovery and file read, during file rotation. This could potentially cause data to be missed (not ingested).
Performance of Syslog UDP source has been improved when running on a Linux system.
The source now uses multiple workers to receive data from the network. By default it will spawn workers corresponding to the number of CPU cores in the system. The number of workers can be controlled by specifying the 'workers' parameter under the source configuration. Specifying 0 workers, or omitting the parameter will use the detected number of cores. See Sources & Examples.
We now offer a Docker image which can be deployed in a Kubernetes cluster to forward log messages from the applications deployed in the cluster. See the documentation, Collect Kubernetes Pod Logs, for more details.
Debugging
Debug logging now uses the system proxy by default, previously proxy was not supported.
The debug logging configuration through environment variables now supports additional configuration options which are documented in Debug Log.
Debug logging no longer accepts http:// addresses by default. If such a scenario is required then HUMIO_DEBUG_LOG_ALLOW_HTTP must be set to true.
The debug logging mechanism has been improved. If an error occurs when sending the debug logs to LogScale, 3 attempts will be made in total before the debug logs are dropped.
Bug Fixes
Collecting Data
Configuring an incorrect exclude path for the file source could cause the collector to crash; this is corrected.
Falcon LogScale Log Collector 1.5.3 GA (2023-10-16)
Version | Type | Release Date | Config. Changes |
---|---|---|---|
1.5.3 | GA | 2023-10-16 | no |
File | SHA256 Checksum |
---|---|
linux_amd64.deb | e965acdad2676b59c351b8e9866954159e51f135a270ab6626ae88d924167265 |
linux_amd64.rpm | 75db3d6f20bf499c7615a00637797ec641be38c721cc1f9fdb50bf20613510e3 |
linux_arm64.deb | 9a44f418dd0dbf03adde25afb878fbba5a97cccc339b0cb5e1e657a5880734e6 |
linux_arm64.rpm | 976d4c01248ad0da4976c1a26885be07af0b8f388fce5c43a8097ecdfd85d134 |
macOS_universal.pkg | 56603437f3dcd77217ba59ea01f2645daae8122c0740dc1c4deffedac5ef4e32 |
windows_amd64.msi | caced8ad05580a677cb344fe811b485471299af5219284f9d2fff392c7ee18fa |
Improvements and bugfixes regarding handling of the file source.
Improvements, new features and functionality
Collecting Data
Internal handling of the file source has been optimized to reduce the number of syscalls used to monitor files and directories for changes.
Bug Fixes
Collecting Data
An issue has been identified with the checkpointing component, causing unnecessary disk write operations when used with a file source. This scales linearly with the number of file sources configured, leading to a high disk utilization when defining multiple file sources.
Note: Multiple `include` patterns per file source do not cause this issue, only separate sources. This behaviour started in 1.5.0, and is fixed with this release.
Falcon LogScale Log Collector 1.5.2 GA (2023-10-03)
Version | Type | Release Date | Config. Changes |
---|---|---|---|
1.5.2 | GA | 2023-10-03 | no |
File | SHA256 Checksum |
---|---|
linux_amd64.deb | b0d8b02647f01ec575717d50a2deda10edb007cfd3f889cd815ee6b593ddcac7 |
linux_amd64.rpm | 399229099288bf11e6282e997eb972199d707be2b4475745828b9a1419a5eeac |
linux_arm64.deb | 31f4346234eea88a93eaeae98f922a810efed1173a33294381a210b8cc5b5c6f |
linux_arm64.rpm | b2b737649caad3fd5ffc678d0576a0fe35193ce8b069f963c075167b828534b9 |
macOS_universal.pkg | 72c7953f7865bb73bf85692ca8f15277e2da3711578aec0624e7fe4c3771cf37 |
windows_amd64.msi | 3d061d1a50bd2a295e72d6a001c4179f4b230e040ed4476ab4c4d72f1ed709ad |
Bug fixes and improvements.
Improvements, new features and functionality
Collecting Data
When LogScale rejects an ingest API request due to a request timeout or the request being too large, the LogScale Collector now divides the ingest request into multiple parts and attempts to send the parts. If, after dividing the ingest request, a single event still triggers this limit, it will be discarded.
The default LogScale request size limit is 32 MB, while the LogScale Collector targets a maximum of 16 MB of input per request. Due to encoding, control characters or invalid UTF-8 sequences in particular could cause an up to 6x blow-up of the request size.
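The split-and-discard behaviour and the 6x size growth described above, sketched as an added example (not the collector's own code). It assumes a JSON request body with `\uXXXX` escaping, which the release note does not specify; `ship`, `wire_size`, `blowup`, `size_limited_server` and the sample events are hypothetical names and constructed data.

```python
import json


def decode_event(raw):
    """Decode a raw log line as text; every invalid byte becomes U+FFFD."""
    return raw.decode("utf-8", errors="replace")


def wire_size(events):
    """Size in bytes of a request body (assumed: JSON array, ASCII-escaped)."""
    body = json.dumps([decode_event(e) for e in events])
    return len(body.encode("ascii"))


def blowup(raw):
    """Encoded bytes per input byte for one event (surrounding quotes excluded)."""
    return (len(json.dumps(decode_event(raw))) - 2) / len(raw)


def size_limited_server(limit):
    """Stand-in for the ingest endpoint: rejects bodies larger than `limit`.

    The real default limit is 32 MB; the demo uses tiny limits so the
    constructed events below are enough to trigger a rejection.
    """
    return lambda batch: wire_size(batch) <= limit


def ship(events, accepts):
    """Send events in order, halving a batch whenever `accepts` rejects it.

    A batch that is down to one event and is still rejected is discarded.
    Returns (sent_batches, discarded_events).
    """
    sent, discarded = [], []
    pending = [list(events)]
    while pending:
        batch = pending.pop(0)
        if not batch:
            continue
        if accepts(batch):
            sent.append(batch)
        elif len(batch) == 1:
            discarded.append(batch[0])
        else:
            mid = len(batch) // 2
            # Put both halves back at the front so event order is preserved.
            pending[:0] = [batch[:mid], batch[mid:]]
    return sent, discarded


# Constructed sample input: two plain events, one made of control characters,
# one made of bytes that are not valid UTF-8.
SAMPLE_EVENTS = [
    b"a" * 100,
    b"\x01" * 100,   # each byte is escaped as \u0001 (6 bytes)
    b"\xff" * 100,   # each byte becomes U+FFFD, escaped as \ufffd (6 bytes)
    b"b" * 100,
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev[:4]!r}...: {len(ev)} bytes in, blow-up x{blowup(ev):.1f}")
    sent, discarded = ship(SAMPLE_EVENTS, size_limited_server(400))
    print("batches sent:", [len(b) for b in sent])
    print("events discarded:", len(discarded))
```

With a 16 MB input target, a worst-case 6x growth would exceed the 32 MB limit, which is why a split step after rejection is needed at all.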
Added a logscale alias for the humio sink. It is now possible to write type: logscale instead of type: humio in the sinks section.
Debugging
The log level for the log message "File is a duplicate of another file." has been changed from warning to info.
Bug Fixes
Collecting Data
Fixed a bug where an invalid include/exclude pattern in the config of a file source could cause the LogScale Collector to crash.
Fixed a bug where a duplicate of a file could trigger length updates in the open file source.
A duplicate file is an included file that has the same fingerprint as another included file. The lexicographically lesser path is considered the active file.
Fixed a bug when inadvertently reading a binary file could induce a 400 Bad Request from LogScale, which discards data in the LogScale Collector.
The issue occurs when a binary file contains a UTF-8 sequence of EF BF BF that decodes to U+FFFF. The U+FFFF code point gets interpreted as end-of-input in the applicable LogScale ingest API.
The file source now completely ignores files that are of length zero bytes. This should fix an issue where the file source would inadvertently read a compressed file as plain text, if the file was opened when it was empty.
This scenario is most likely to occur when a log file is rotated and compressed. Reading a compressed file as plain text could then induce the above binary file problem regarding U+FFFF.
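A pre-flight check for the conditions named above (zero-length files, compressed files picked up as text, and the byte sequence EF BF BF), written as an added example and not taken from the collector. `scan_file`, `should_ship`, `demo` and the sample file names and contents are hypothetical and constructed for illustration.

```python
import gzip
import os
import tempfile

U_FFFF_UTF8 = b"\xef\xbf\xbf"   # UTF-8 encoding of U+FFFF, per the release note
GZIP_MAGIC = b"\x1f\x8b"        # first two bytes of a gzip stream (RFC 1952)


def scan_file(path, chunk_size=64 * 1024):
    """Report whether a file is empty, gzip-compressed, or contains EF BF BF.

    The file is read in chunks; the last two bytes of each window are carried
    over so a sequence split across two reads is still found.
    """
    report = {"path": path, "size": os.path.getsize(path),
              "empty": False, "gzip": False, "u_ffff_offsets": []}
    if report["size"] == 0:
        report["empty"] = True
        return report
    with open(path, "rb") as fh:
        report["gzip"] = fh.read(len(GZIP_MAGIC)) == GZIP_MAGIC
        fh.seek(0)
        tail = b""
        base = 0  # file offset of the first byte of the current window
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            window = tail + chunk
            pos = window.find(U_FFFF_UTF8)
            while pos != -1:
                report["u_ffff_offsets"].append(base + pos)
                pos = window.find(U_FFFF_UTF8, pos + 1)
            tail = window[-(len(U_FFFF_UTF8) - 1):]
            base += len(window) - len(tail)
    return report


def should_ship(report):
    """True only for non-empty, uncompressed files without an EF BF BF run."""
    return not (report["empty"] or report["gzip"] or report["u_ffff_offsets"])


def demo():
    """Scan four constructed sample files and return their reports by name."""
    plain = b"2023-10-03T12:00:00Z service started\n"
    samples = {
        "plain.log": plain,
        "empty.log": b"",                                 # opened before any write
        "rotated.log.gz": gzip.compress(plain, mtime=0),  # rotated and compressed
        # Binary blob; with chunk_size=8 the sequence straddles two reads.
        "blob.bin": b"\x00\x01" * 3 + U_FFFF_UTF8 + b"\x7f",
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            results[name] = scan_file(path, chunk_size=8)
    return results


if __name__ == "__main__":
    for name, rep in demo().items():
        verdict = "ship" if should_ship(rep) else "skip"
        print(f"{name:16} {verdict}  empty={rep['empty']} gzip={rep['gzip']} "
              f"u+ffff at {rep['u_ffff_offsets']}")
```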
Falcon LogScale Log Collector 1.5.1 GA (2023-8-28)
Version | Type | Release Date | Config. Changes |
---|---|---|---|
1.5.1 | GA | 2023-8-28 | no |
File | SHA256 Checksum |
---|---|
linux_amd64.deb | 9c5cb4034ef884abdfc2708389e62e6195dc7a940be191ec7ed2aa8ff9a37957 |
linux_amd64.rpm | 3fed6f88d9febf5e715f21987a61707aa7239628e3c6d50f0ed17ba24b7989f0 |
linux_arm64.deb | 9779596e4b75cb1cb1c6678a310462c5d23a0be34a696d9dd16736ec24ff5800 |
linux_arm64.rpm | abdec0dd117785e5676c931ac4e9299fe53c9f418e27b734700fb425affde080 |
macOS_universal.pkg | 3f070774128b6cc88465b746da8cbdadd7fc614968e69a105b48bae82ea188f3 |
windows_amd64.msi | d69bd9f4efb3437f9d0cf7e45598d8ee8a0ad1937ff7e1df6300e91f17087abc |
Bug fixes.
Bug Fixes
Collecting Data
Fixed a bug which caused the Log Collector to crash when using multiple file source declarations.
Falcon LogScale Log Collector 1.5.0 GA (2023-8-23)
Version | Type | Release Date | Config. Changes |
---|---|---|---|
1.5.0 | GA | 2023-8-23 | yes |
File | SHA256 Checksum |
---|---|
linux_amd64.deb | f4b26bf994c4664eaf664be5081401f79430ec8f81084859fdc336e23f720e6f |
linux_amd64.rpm | 0a4b3881d4f81b6b8c94ea0b594e838fec40cb75bd169dbe8b92cc9dd2aae5e9 |
linux_arm64.deb | cff7466e92c04a83a00ab7177097ac0d5a662ada3c4fb23ae1bb3b96a5d3450a |
linux_arm64.rpm | c8f29ce878645196ebfa7b9f0a1b0d1578fe8ed7d81de31bfb65f909b7963900 |
macOS_universal.pkg | 632d93e28901d3774f23c85a98e565e890bb56b5a2ac112ba8e210df313a4d12 |
windows_amd64.msi | f65411d6243b98e6b53c8a6b96d8756423a2cca645c51034d31079a248de7e07 |
The LogScale Collector now supports macOS and is available as package installer (.pkg).
The LogScale Collector now reports metrics regarding e.g. CPU and memory usage to LogScale Fleet Management.
Improvements, new features and functionality
Collecting Data
The syslog source has been optimized with respect to UDP mode. According to internal performance measurements, the performance has been increased by a factor of 3-4.
The file source has been updated with improved file identity tracking. If multiple files are considered to be identical copies through fingerprinting, only a single copy will be opened.
The LogScale Collector now supports macOS and is available as package installer (.pkg), see Download and Install Falcon Log Collector Using Curl Commands (Full Install) for information.
The installer contains a universal binary which runs natively on both Apple silicon and Intel-based Mac computers. In addition to the source types supported on other platforms e.g. file source etc., a new source type unifiedlog has been added, see Sources & Examples. This source type supports shipping unified logs on macOS.
The disk queue has been reimplemented in order to increase performance and resilience.
One consequence of this is that the entire storage space, determined by maxLimitInMB, is allocated when the queue is created. This ensures a deterministic size of the disk queue and prevents scenarios where the configured disk queue size is not available due to missing disk space.
If the configured disk queue size is not available on the configured disk partition, an error will be issued. E.g. "Could not apply the config error="pipeline: logscale, details: no space left on device"".
If two instances of the LogScale Collector are attempting to use the same data directory, the error message has been improved.
An example scenario is if the Collector is running as a service and a second instance is started manually from the command line. Previously the error message would be: timeout.
Now the following error message will be issued: "Could not lock the checkpoint database. Maybe another process is using the same data directory? The data directory is set to: my_data_directory_location"
A new source type syslog_tls has been added. This source type supports receiving encrypted syslog traffic. See Sources & Examples for more information.
Fleet Overview
The LogScale Collector will now send its CPU usage, memory usage and disk usage of the data directory partition to LogScale Fleet Management.
These metrics will be available from within the Fleet Management | Fleet Overview page in the LogScale user interface and can be used to provide a feedback loop when scaling instances and adjusting configuration settings. See Falcon Log Collector Metrics for more information.
Falcon LogScale Log Collector 1.4.1 GA (2023-6-13)
Version | Type | Release Date | Config. Changes |
---|---|---|---|
1.4.1 | GA | 2023-6-13 | yes |
File | SHA256 Checksum |
---|---|
linux_amd64.deb | 788d7be0888c8527501e5ca90698b0fdc06745eeddc98c7b79c240d2505e2dfb |
linux_amd64.rpm | dee647d23060843c789360cc9ecf51fd8f59b9c9ae487c587bd2099dc11f2218 |
linux_arm64.deb | 59f55b0668f0462c1bcf257b771edf1ae4fa365e7b905a9acea5b1494d157723 |
linux_arm64.rpm | fcc2ee1d23f094e136e62e06d9ef55768b2dfcf2adbc6fe0ffe2467838351cd9 |
windows_amd64.msi | 43390b610233202f0c1808a65f05b701e4c141b2781a83a0885c5aa9b2613c3e |
Improvements to the handling of the Windows event log source.
Improvements, new features and functionality
Collecting Data
The approach for handling Windows Event Logs has been revised, as the previous versions of the Collector could cause field names to be misaligned.
The previous approach was solely based on using the Windows Event API for rendering the field names. This has been shown to fail in cases where the event data has a parameter without a value.
The new approach parses the XML and for events containing EventData, the field names and values are directly extracted from the XML. For events containing UserData, the XML may not be sufficient, thus the parsing falls back to the Windows Event API to render the field names.
This has the following known impact on the collector data:
Corrects the misalignment of field names, found in earlier versions.
Events containing the Binary field are now sent under their real names, e.g. windows.EventData.Binary, which previously were sent as windows.EventData[n].
The language for rendering Windows Event Logs is now configurable. Up to version 1.4.x, the LogScale Collector used the system language to render the event message, collected as @rawstring. This has the potential downside that, for fleets with Windows hosts using different system languages, the collected @rawstring will differ. This only applies to rendering of the event message (no other values) and only for local events.
In the case of forwarded events, the message is rendered locally by the Windows Event Forwarder, and when collected on the Windows Event Forwarder, the message is sent as plain text to the LogScale Collector.
A new config parameter (language) for setting the render language using Windows LCID codes has been added. The default setting is 0, which corresponds to the previous behaviour, which is the active language on the host.
Bug Fixes
Collecting Data
Misalignment of field names for the Windows event log source has been corrected, see above.
Falcon LogScale Log Collector 1.4.0 GA (2023-5-08)
Version? | Type? | Release Date? | Config. Changes? |
---|---|---|---|
1.4.0 | GA | 2023-5-08 | no |
File | SHA256 Checksum |
---|---|
linux_amd64.deb | db4ea1ad653c1c1563e9f8729a7383af01c38b739ae7df75ee24a747c57f22cf |
linux_amd64.rpm | 260e8106189e924877b5f126ccc63bd651bf9ae40f5d16844cbe715a43a50ffa |
linux_arm64.deb | 2278f9b10ed6547cc7814e6a7e26e26912eac8ddebc3739d09190f60a16e4100 |
linux_arm64.rpm | d704e464b71b8514912b31d8b8b0db08fc0ff81c7a54a75bdc8d23cdb7e32da7 |
windows_amd64.msi | ecbcb5a29e24a39749598419d13d17c3483cf6b1ea0121bea1027667577eac53 |
Bugfix for the Windows event log source, improvements to fleet Management.
Improvements, new features and functionality
Other
Checkpointer has been improved
In preparation for future improvements, the checkpoint database has been changed from a JSON file to a binary database format. The existing checkpoints.json file will be automatically imported into the new database. The LogScale Collector will now write a backwards compatible checkpoints.json file on shutdown, which will not be re-imported.
Command line arguments
The LogScale Collector command line interface has been changed to use -- (double dash) for each option. Existing - (single dash) options will be converted in a transition period. A deprecation warning is emitted when options are provided with only a single dash.
Fleet Overview
Fleet Management Improvements
When enrolling a LogScale Collector to Fleet management, the enroll process will now stop and start the service during the enrollment process. This behaviour can be omitted by using the flag to the humio-log-collector enroll command.
After a successful enrollment, the LogScale Collector service will be configured to automatically start after a reboot. This behaviour can be omitted by using the --no-service flag to the humio-log-collector enroll command.
The LogScale Collector process will now exit if it receives a 401 Unauthorized error code during a Fleet management poll operation. The error code signals that the instance no longer has access to the LogScale cluster and cannot be managed. The service manager will automatically restart the LogScale Collector after exiting.
When enrolled in Fleet Management, the LogScale Collector will now collect diagnostics from the sinks and send them to Fleet management. The diagnostics will contain various warning and error states that might occur when sending events to LogScale. The diagnostics are available for viewing in the Fleet management tab in LogScale.
Bug Fixes
Managing Data
Corrected the handling of subscription to more than 64 channels in a single Windows event log source.
The wineventlog source sometimes encountered issues when configured with more than 64 channels in a single Windows event log source (type: wineventlog). In this scenario it would not collect any events, and the following error message was observed: "extNext: The operation identifier is not valid.".
Falcon LogScale Log Collector 1.3.4 GA (2023-3-30)
Version? | Type? | Release Date? | Config. Changes? |
---|---|---|---|
1.3.4 | GA | 2023-3-30 | no |
File | SHA256 Checksum |
---|---|
linux_amd64.deb | f0a6612a103765ff2f54121d1520290dabac64aabbd21eca423f7cd79105f230 |
linux_amd64.rpm | a9e1d4174a8b7af93da72c01aae68e7d1a1db66fb29a40bc16bd3cafc62ef14a |
linux_arm64.deb | e82c6c21fe2a0704c42c564cddba39337044247e82cdd5f701658c35bce6bc20 |
linux_arm64.rpm | e70248e5caca2c2b8a44b39baf69136d2301dbdcab02269fb74a88084199c34c |
windows_amd64.msi | 3a925d65b753bdcf4ee5724c37925a32805943f8a75b5bddf82e874d3588ff8c |
Bugfix for the Windows event log source, related to an issue with forwarded events.
Bug Fixes
Collecting Data
Using the enroll command to enroll a new collector to fleet management in a Linux environment would previously cause an error if the collector had not been running before, i.e. if the enroll command was the first action.
When enrolling a new collector, the collector would use an empty machine id value due to incorrect permissions set up by the enroll command. This is not a problem when enrolling collectors that have already been run.
Starting with this release the enroll command no longer has this issue. In case the above error is encountered, a manual fix is required to give the service user the correct permissions:
sudo chown humio-log-collector:humio-log-collector /var/lib/humio-log-collector/.machine-id
In a setup using the Windows event log source for collecting forwarded events, the collector has been seen to crash while parsing forwarded events.
This may occur in a scenario where the remote WEF (Windows Event Forwarding client) and the WEC (Windows Event Collector) go online after a restart. The re-initiated event subscription causes an exception, which stops the collector. This has now been corrected.
Known Issues
Collecting Data
When collecting data from a Windows event, the collector extracts information from event data and maps the data to named fields in LogScale.
In scenarios with forwarded events containing empty data values, the indexing of values and names can become misaligned. In this case the current parsing approach is not possible due to misalignment of field names and values. Previously this would result in incorrect values being assigned to field names.
Starting with this release the Collector appends these values as indexed fields (windows.EventData[0..n]) instead of named fields, and introduces a new field @collect.error with the value: "wineventlog: couldn't parse names for event data".
Falcon LogScale Log Collector 1.3.3 Withdrawn (2023-3-21)
Version? | Type? | Release Date? | Config. Changes? |
---|---|---|---|
1.3.3 | Withdrawn | 2023-3-21 | no |
File | SHA256 Checksum |
---|---|
linux_amd64.deb | 2d0ae5a2f90cbef19c1058393a45ab1007f47d97e907d04505a682a75c943e3e |
linux_amd64.rpm | c52c11f09f139b17f9389dbb3d6221a9a81715df1faf92453730708dd6963c81 |
linux_arm64.deb | 657479d94673417eb1422e8d7f22d5a25718dd88a83db0b20caf5324b1fb2aa7 |
linux_arm64.rpm | 011323a48d3675e7cbc3bbbf7ae54c394e43d2d53bd48c380e5a462c1c3967a1 |
windows_amd64.msi | 416efe329da3c35a7b2f5f02811595f93a002fb8a0d8637655ca79686245f9d6 |
This release has been withdrawn due to the introduction of a regression which could result in missing @rawstring for the Windows event log source.
If you are using this version we recommend you upgrade to 1.3.4.
Falcon LogScale Log Collector 1.3.2 GA (2023-3-16)
Version? | Type? | Release Date? | Config. Changes? |
---|---|---|---|
1.3.2 | GA | 2023-3-16 | No |
File | SHA256 Checksum |
---|---|
linux_amd64.deb | e66ae46ded76c53259fc901af0a6139c3c7884007c9f10afe22c570236b7f5f8 |
linux_amd64.rpm | 8c00a22e39161a5e8564a47712673447e014f950d41e22aa049907d653621771 |
linux_arm64.deb | 255bfefbb886567eb3a698fb0c59cd502f0946b947fa4ff8a0a4e5caf6da921c |
linux_arm64.rpm | c4c0f7d2b25269f18429411b4d78662f084c97aefd899d51782d68145bdd2afb |
windows_amd64.msi | efe31334621d59610d3c533b9fdd0f6cde00024c8ded3ecb645c2879a7ea1f3d |
Bugfix for the Fleet Management communication, eliminating excessive retries.
Bug Fixes
Fleet Overview
If Fleet Management communication with LogScale is unsuccessful the LogScale Collector will do exponential backoff.
In some scenarios, an error in the backoff implementation caused the retry timeout to drop to zero, resulting in excessive retries. This is now corrected.
Falcon LogScale Log Collector 1.3.1 GA (2023-3-9)
Version? | Type? | Release Date? | Config. Changes? |
---|---|---|---|
1.3.1 | GA | 2023-3-9 | Yes |
File | SHA256 Checksum |
---|---|
linux_amd64.deb | a52f365af747a2d4eda400392e29540a92ce39cd42dd5c26554d92b5f68ecc4c |
linux_amd64.rpm | 399cd1c41a5006a4d41f0991d00df3cee4a87b2acc0542b4707bfe01dff89cb1 |
linux_arm64.deb | 668386f89987c7f2ac10c759e040d6fceebe8c2a30d3435b13e02e4860d9b993 |
linux_arm64.rpm | bdd8e208551ba220016367a1ff7833fdd1bcf17449725c79e7a069e52c9bc0a1 |
windows_amd64.msi | 191ec1f4151bf2ffaea93dedfd646974c879a62762a7c63539ab4d5f3bf34b89 |
Bugfix for the Windows event log source, related to an issue with the event data fields.
Improvements, new features and functionality
Configuration
When installing on Linux, the provided service file, which allows the collector to run as a systemd service, now defaults to "Restart=always". This ensures that, unless the service is stopped, the collector service will always be restarted, e.g. after a crash.
The behaviour in cases where the system HTTP proxy detection fails has been changed.
If no proxy is configured, the collector will attempt to detect and use the system HTTP proxy. Previously, if detection failed, the collector would stop; this sometimes occurred, for example, on older versions of Windows.
Now, in case of failure, a warning will be logged and the collector will continue without a proxy (corresponding to the configuration: proxy:none).
Debugging
Usability improvement of the enroll command.
The check for supplied command line arguments is improved, and if incorrect or missing arguments are encountered, usage is printed.
Bug Fixes
Collecting Data
Corrected handling of event templates version for the Windows event log source (type: wineventlog).
When collecting data from a Windows Event, the collector extracts information from event data and maps the data to named fields in LogScale.
Scenarios where an event has multiple versions of its XML template were not handled correctly, potentially resulting in incorrect values being assigned to field names.
Fleet Overview
Corrected UserAgent in HTTP requests for fleet overview and fleet management (Internal improvement).
Falcon LogScale Log Collector 1.3.0 GA (2023-2-7)
Version? | Type? | Release Date? | Config. Changes? |
---|---|---|---|
1.3.0 | GA | 2023-2-7 | Yes |
File | SHA256 Checksum |
---|---|
linux_amd64.deb | 80588964a8437e653ac0a1b9a9cf7636d287bbf2314611e09c9d5b00a28f82c4 |
linux_amd64.rpm | a4861915f09280a16b4674ad148f61554d35da00b2683b52647473ca7f347a34 |
linux_arm64.deb | fec6fc2f2ab5e883781531b384fd2adeca37967f97bd5ae25d44e2ea94f73baa |
linux_arm64.rpm | 7fb71e45dab7dd5334f866e7724c39cd0291b921cb766c0630ed13051837534e |
windows_amd64.msi | 43d999b34e702049edd281c63f142af7b4a69fb52270f9670a826b8600401209 |
Fleet management now supports remote configuration of LogScale Collectors. This gives an administrator the option of managing the configuration of LogScale Collector instances in LogScale, instead of managing configuration files directly on the device where LogScale Collector is installed.
Improvements, new features and functionality
Configuration
The configuration of LogScale Collectors can be managed in LogScale. This is accomplished using configurations and enrollment tokens stored in LogScale.
To manage the configuration of collectors in LogScale, collectors need to be enrolled to remote configuration; this is done using enrollment tokens.
Two new pages have been added to the Fleet Management tab in the LogScale user interface.
The Config overview page lists all available configurations and the number of LogScale Collectors using each configuration. The page furthermore allows you to create new configurations. See Manage Remote Configurations for more information.
The Enrollment tokens page lists all available enrollment tokens, and allows for creating new enrollment tokens.
The actual enrollment of a LogScale Collector is performed by executing an enrollment command on the device with the installed LogScale collector instance. The command to be executed can be grabbed from the enrollment token page. See Manage Falcon Log Collector Instance Enrollment for more information.
The Fleet overview page, which displays the status of all LogScale Collector instances, now includes the name of the assigned configuration to each LogScale Collector.
It is still possible to use the Fleet Overview without enrolling LogScale Collector instances in remote configuration, in which case configuration will need to be managed directly on the device with installed collector. See Fleet Management Overview for more information.
Falcon LogScale Log Collector 1.2.3 GA (2023-1-23)
Version? | Type? | Release Date? | Config. Changes? |
---|---|---|---|
1.2.3 | GA | 2023-1-23 | No |
File | SHA256 Checksum |
---|---|
linux_amd64.deb | c1e7e6608e3ef67793d4d23226dbb771b5c8e3a932358728519f8e9d52034da4 |
linux_amd64.rpm | 98ba2862e925513721b0f856712787a522fea1ed5b0eb34c7a20008b7a233fc7 |
linux_arm64.deb | 4234b9d340569872528eaa9eed5bb9aaa1b7130317f89e32c48550e655764e13 |
linux_arm64.rpm | 89344a58c18bb914d8ce8bbe688eac3cf2c9ba236098dd2baeddad9b2a394f59 |
windows_amd64.msi | 7571d07dac0240d9620ef1a9a1c7dace12473ddfc09d3d0f327ff281fb928785 |
This version contains bug fixes.
Bug Fixes
Collecting Data
Fixed a bug on Windows where the Log Collector locks open log files, preventing applications from rotating log files via rename or delete.
Falcon LogScale Log Collector 1.2.2 GA (2023-1-16)
Version? | Type? | Release Date? | Config. Changes? |
---|---|---|---|
1.2.2 | GA | 2023-1-16 | Yes |
File | SHA256 Checksum |
---|---|
linux_amd64.deb | 9fabeb63439db16d6c425d73497809963260670a72564da7f068dd667aff8605 |
linux_amd64.rpm | 732aaa87dfa023fc64efd1c1f211f828ee32af8901dd97c34186cf39c51d071e |
linux_arm64.deb | f8f0ea531620160112452f4dd6d158137be829d8b93f4c042bb1d562991d6733 |
linux_arm64.rpm | 49ddd2dcc179a47c10f16aaa747f0148dd82137b488ec125ae7bc94422f6e7fe |
windows_amd64.msi | fa41725bc6ebc425db6fec0c81eb895c9a4239cfa18511e6abbc30588bc64913 |
Bug fixes, improvements and Windows log format collecting features.
Improvements, new features and functionality
Collecting Data
Added an option to WinEventLog source for including/excluding the XML.
Moved default program data directory on Windows to prevent possible conflicts with Falcon Sensor.
Improved performance of the WinEventLog source.
Added an option to WinEventLog source for excluding eventIDs.
Bug Fixes
Collecting Data
Fixed a bug which caused the checkpointer for WinEventLog source to not update all of the configured channels.
Falcon LogScale Log Collector 1.2.1 GA (2022-11-10)
Version? | Type? | Release Date? | Config. Changes? |
---|---|---|---|
1.2.1 | GA | 2022-11-10 | No |
File | SHA256 Checksum |
---|---|
linux_amd64.deb | dc7bf952be2ff5c541de2d9d927d03bec578f84fe0cb7214db428f3f4638dafb |
linux_amd64.rpm | 3cd03e99fcf1f6061941c6b38e68656325d0b5c945571715bdd65381ca488370 |
linux_arm64.deb | 6e85664f54c84154d1c9b3f4f3b48ae8961e13a643b86981ceba927c733590d1 |
linux_arm64.rpm | 904845aef96db4a40b83a3bbe1dcf1e79cceb6e072375ee4c0b3eb4695effb3d |
windows_amd64.msi | 992cbdda12353a4cd4e7bc1672fb31a0033e46096438bed71c4869314ed54ace |
Bug fix for an issue related to file source which caused it to stop monitoring files.
Bug Fixes
Collecting Data
Fixed a bug which could cause the file source to stop monitoring files due to a race condition in file creation, update or deletion scenarios.
Falcon LogScale Log Collector 1.2.0 GA (2022-10-27)
Version? | Type? | Release Date? | Config. Changes? |
---|---|---|---|
1.2.0 | GA | 2022-10-27 | Yes |
File | SHA256 Checksum |
---|---|
linux_amd64.deb | 34ebabca8336e6e84a97684dea8a6592eb893dc1db026096845fc1ff596996c3 |
linux_amd64.rpm | 2bcae521ba78bbdd54db0b8b77d536e80eca4a6bd1d3247e757e06ed424be93dd |
linux_arm64.deb | 137f2d376a4d45045258ace6c8c7f9efb5bab808b67c195f98544862cbbf976a |
linux_arm64.rpm | 93f3d1d37c86971ddf6e503e0832f361a98b34b93fecb3f92d696bb7d7355743 |
windows_amd64.msi | 9c47b0c008cd5ef83d5569132181d49c8ad929b59cf29e3a65a787bd88e9cce9 |
This version of the humio log collector offers the Fleet Overview functionality, which allows you to monitor the status of log collector instances and the following improvements:
Improved configuration file validation
Improved error logging
Reload configuration file feature
Using environment variables as the sink url
The file source now has more include and exclude patterns and uses less resources by waiting for changes to the file
The CMD source can now create single multiline events
The wineventlog can now filter events by provider and keep bookmarks of its progress
Performance improvements
Improved batch handling
Enforces the use of HTTPS.
Improvements, new features and functionality
Configuration
Improved configuration file validation - The collector is now more thorough when validating its configuration file. An example of this is that unknown options in the configuration are invalid and will prevent running the program. Upon detection of an invalid configuration, the collector will attempt to provide a descriptive error. Some examples of this are:
error reading config file "my_config.yaml" sources: name must consist of only alphanumeric characters or '.', '_' and '-'
error reading config file "my_config.yaml": sources.cmd_uname_scheduled.interval: invalid type string, wanted int
error reading config file "my_config.yaml" : sources.dummy_logs.sink: missing value for required field
The collector now enforces using https:// for URLs; this can be overridden by adding the -allow-insecure-http command line flag.
The collector now reloads the configuration file when it receives a SIGHUP. This does not apply to the logLevel and dataDirectory options. If the new configuration is invalid, the program will stop.
Collecting Data
The url option in the sinks part of the configuration can now refer to an environment variable by using the ${ENVVAR} syntax.
The wineventlog source can now filter events based on the provider name. Set the option providers to an array of provider names that should be included to enable this feature. This source also keeps a bookmark of its progress in the Windows event log, and resumes from there when the collector is restarted.
The cmd source can now create a single multiline event when running in the schedule mode. Set the option consolidateOutput to true to enable this feature.
The file source can now have additional include and exclude patterns in the same configuration. Specifically, the options exclude and include can be either a string or an array of strings.
Improved batch handling
The sinks now have additional configuration options to change the maximum event size maxEventSize (default: 1 MB) and the maximum batch size maxBatchSize (default: 16 MB). The limits are propagated to the queue, where they replace the previous maxEventsPerRequest option. The limits are also propagated to all the sources that reference the sink.
The memory queue no longer supports configuration of maxEventsPerRequest; it inherits the maximum bytes per request from the sink maxBatchSize.
The memory queue no longer waits before flushing a batch that is larger than the maximum batch size.
The collector now warns you when a memory queue reaches 50% and 80% of capacity.
The collector now sends a warning after 2 retry attempts when sending events to an HTTP sink.
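A pre-deployment check for the https:// enforcement and the ${ENVVAR} sink url syntax described above, as an added example that is not part of the collector. The sinks mapping, the variable names and the check_sink_urls helper are hypothetical; the check assumes ${ENVVAR} is replaced by the variable's value before the URL is used.

```python
import re
from urllib.parse import urlsplit

# ${ENVVAR} reference as written in the sink url option.
_ENV_REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

# Constructed sample data: a sinks section as a mapping, and the environment
# the collector service would run with.
SAMPLE_SINKS = {
    "primary": {"url": "${LOGSCALE_URL}"},
    "lab": {"url": "http://collector-lab.example.internal:8080"},
    "broken": {"url": "${UNSET_URL}"},
}
SAMPLE_ENV = {"LOGSCALE_URL": "https://logscale.example.com"}


def expand_env(value, env):
    """Replace ${NAME} references; return the expanded string and the
    names that were unset or empty in env."""
    missing = []

    def replace(match):
        name = match.group(1)
        if not env.get(name):
            missing.append(name)
            return ""
        return env[name]

    return _ENV_REF.sub(replace, value), missing


def check_sink_urls(sinks, env, allow_insecure_http=False):
    """Return (sink name, problem) pairs, sorted by sink name.

    The scheme is checked on the expanded URL, because a variable can
    carry the whole URL including an http:// scheme."""
    findings = []
    for sink_name, sink in sorted(sinks.items()):
        url, missing = expand_env(sink.get("url", ""), env)
        for var in missing:
            findings.append((sink_name, f"environment variable {var} is unset or empty"))
        if missing:
            continue
        parts = urlsplit(url)
        if parts.scheme == "https" and parts.hostname:
            continue
        if parts.scheme == "http" and parts.hostname and allow_insecure_http:
            findings.append(
                (sink_name, "plain http accepted only because of -allow-insecure-http")
            )
            continue
        findings.append((sink_name, f"url must use https://, got scheme {parts.scheme!r}"))
    return findings


if __name__ == "__main__":
    for name, problem in check_sink_urls(SAMPLE_SINKS, SAMPLE_ENV):
        print(f"sinks.{name}.url: {problem}")
```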
Managing Data
Improved memory usage of the memory queue component by removing an upfront buffer that caused it to store more events than specified by the maxLimitInMB option.
Improved serialization performance in the humio sink, leading to lower memory usage and faster serialization of events.
If a file monitored by the file source is inactive (not written to) for a configurable period (default: 60 seconds), the file descriptor is closed to release system resources, and the file is watched for changes instead. Whenever the file changes, it is re-opened. This is configurable by the inactivityTimeout option in the file source.
Debugging
The default log level is now set to warnings, previously only errors were logged by default.
Fleet Overview
The collector now supports reporting to the fleet overview of LogScale. Configure the fleetManagement part of the configuration to enable this feature, see Fleet Management (fleetManagement) for more information.
When the feature is enabled, the collector will periodically send metrics to LogScale, including the OS version, the collector version, how much data is ingested, and a description of the configured log sources.
Bug Fixes
Collecting Data
Events from the wineventlog source which contain fields of the type hexadecimal integer were presented as a base 10 number; they are now presented as a base 16 number.
Humio Log Collector 1.1.4 GA (2022-10-12)
Version? | Type? | Release Date? | Config. Changes? |
---|---|---|---|
1.1.4 | GA | 2022-10-12 | No |
File | SHA256 Checksum |
---|---|
linux_amd64.deb | bd486f2ad1facb7d77fbe19a529f276d5229f60b1a2bbe8aeef8688afd87110a |
linux_amd64.rpm | 67d8242b89df0fc9751153b0d989efaaf913e1db89e027d9246e2229a446bebf |
linux_arm64.deb | adc9a57861c9076c3ff2b123a114ea5590ae973cf00c23486325349693ac11b0 |
linux_arm64.rpm | 034aad8e7be0180cf5b8ec22b7f5f976baf8ea1f812fc47345bc9bdb1dcc5065 |
windows_amd64.msi | ec99bfb404c297e45d67843c10f6c9960d95adb11fa6bf39837ab98171e4e6d1 |
Fixed a bug with the Windows event log source.
Bug Fixes
Collecting Data
Fixed a bug which made the log collector stop when it encountered a Windows event that contained a binary property of zero-length.
Humio Log Collector 1.1.3 GA (2022-10-03)
Version? | Type? | Release Date? | Config. Changes? |
---|---|---|---|
1.1.3 | GA | 2022-10-03 | No |
File | SHA256 Checksum |
---|---|
linux_amd64.deb | 5be06657ddddaa365fc4cf3fbfa568f6f2e898f1b47510ba9331d8429ad4f4f8 |
linux_amd64.rpm | 662ffdeb1647084d70d6f6a7d6a46c41599320cfc620f9d7770836eab6cc06a8 |
linux_arm64.deb | fba12903af198ae7004bbc93d81bdc973fa4fa18d1c47106d233b3787850d7db |
linux_arm64.rpm | 22641197a84f7924a1e5d6f5975318846958bd4601d9f7e7b7893c6dfbe2ea01 |
windows_amd64.msi | 3c43952dae2dc726d1a1cb6862ced922893454d4e019984e0b2efe5419319337 |
Improved troubleshooting on Windows, improved checkpointing on disk and fix for a bug on the data sink type.
Improvements, new features and functionality
Debugging
Improved Checkpointing to disk -- In case of failure writing checkpoints to disk, an error will be logged and writing to disk will be retried with exponential backoff for up to 1 second. This avoids a potential race condition, in which an external program (e.g. an anti-virus program) locks a file that is being simultaneously accessed by the Log Collector.
Improved troubleshooting -- On Windows platforms, the Log Collector will send errors and warnings to the Windows event log.
Bug Fixes
Collecting Data
When sending data to a configured sink, the HTTP header Content-Type is now set to application/json.
Humio Log Collector 1.1.2 Not Released (2022-09-29)
Version? | Type? | Release Date? | Config. Changes? |
---|---|---|---|
1.1.2 | Not Released | 2022-09-29 | No |
Important
This release has been withdrawn due to an issue on Windows, where, in certain configurations, it will continuously log the same event.
If you upgraded to this version we recommend you downgrade to 1.1.1. If you have not installed 1.1.2, upgrade directly to 1.1.3 when it is available.
Humio Log Collector 1.1.1 GA (2022-09-19)
Version? | Type? | Release Date? | Config. Changes? |
---|---|---|---|
1.1.1 | GA | 2022-09-19 | Yes |
File | SHA256 Checksum |
---|---|
linux_amd64.deb | aceca7f505bc044b275077fa20f9ee565dbc85a48e2454834cbc31a65c3c73aa |
linux_amd64.rpm | ab8afd8cbab28d9072e5d1c5dee1b59acc4aeef640dbf7d9284bf44424fef6e9 |
linux_arm64.deb | 9fc3968c093dd341e61b09694fb504f9d1e5116c22d4cc519e3389bcf9148dfe |
linux_arm64.rpm | 26fb2eee00c61903095ea5daab3f3b9e30f0ec0841a13e826c17f2683f714fb9 |
windows_amd64.msi | faab7fb9f935ae4b184debae3cb1310821c5bdc7c3a1ede3a96ce8c4156d8120 |
Fixed issues on Syslog and JournalD data collection and improved the queue.
Improvements, new features and functionality
Managing Data
Improved the way events are being queued in order to better respect the maximum limit of the queue.
Bug Fixes
Collecting Data
Fixed an issue with Syslog data where the source would allocate more memory than was needed.
Fixed a JournalD source issue where the collector would stop collecting new events after journal files have been rotated.
Fixed an issue when using Syslog source where syslog messages were silently discarded. The Syslog source now limits events to 2 KB (configurable via the maxEventSize parameter on the source).
Humio Log Collector 1.1.0 GA (2022-06-25)
Version? | Type? | Release Date? | Config. Changes? |
---|---|---|---|
1.1.0 | GA | 2022-06-25 | Yes |
File | SHA256 Checksum |
---|---|
linux_amd64.deb | 2788c0c46fb6d91c33c9564ef93d8f9d25eb1c711075951784da74661b675c15 |
linux_amd64.rpm | 0dda3ece37b7c85be69b2c766b671dd9cfb94248b93159e43a0d266b54df8fe1 |
linux_arm64.deb | 6e599f88f53765babfe08a759297a235224b29ff9dd1b6571803a80ac694ca34 |
linux_arm64.rpm | 71f7be590748b3030dd716d03ea015d84867910724c7e1ba6b26cb678c3a0cea |
windows_amd64.msi | 7492cf419ac1bfad63917e509a513f38363f2854c0edeeaf0f5852c9b2bc3adc |
Extended support and functionalities.
Improvements, new features and functionality
Collecting Data
Support for Multiline logs
JournalD source support
Updated cmd source support
The log collector supports reading gzip and bzip2 compressed files by default.
Managing Data
Filter Windows event log by EventID
Disk queue support
Transform Static fields
The user can use environment variables to configure:
ingest tokens
the field values in the static field transform
the environment for any command run through the cmd source
The queue configuration option fullAction: deleteLatest has been removed are set to the default pause.
Humio Log Collector 1.0.2 LTS (2022-05-05)
Version? | Type? | Release Date? | Config. Changes? |
---|---|---|---|
1.0.2 | LTS | 2022-05-05 | No |
File | SHA256 Checksum |
---|---|
linux_amd64.deb | 2ed466469b51768b2c3f46c465a23bb0c867fe684adf5715688d223af40d276a |
linux_amd64.rpm | 43d93110a6a365dbd01044a142a4add813c95e37491d8053129dc4bd1fba1bf2 |
linux_amd64.zip | 62eaaf9bcf42b986717c8123e65ff9ea4788162757f7ae8f518941ddcb338825 |
linux_arm64.deb | bc9a7dc9f2688adbae7d071f7225e6ebeef3e2def88ebccbc5dc290056f7aa7a |
linux_arm64.rpm | 238249181ca038f81cef90855b90f2ed608d8164fbd347c42935db8dc624abf5 |
linux_arm64.zip | 9fe71e0409a1e94c8ce225ab90af3f46115210043221e0d6f1570e427cd40f2e |
Bug Fixes
Other
Automatically reload the systemd daemon after install on Linux.
Fixed a bug that caused the log collector to start from the beginning of all files after being restarted.
Humio Log Collector 1.0.1 LTS (2022-04-25)
Version? | Type? | Release Date? | Config. Changes? |
---|---|---|---|
1.0.1 | LTS | 2022-04-25 | No |
File | SHA256 Checksum |
---|---|
linux_amd64.deb | 7e3addbfd503339afb032dc92da25a6aff0a6fb7ee8b516e90c81666a8127923 |
linux_amd64.rpm | 43d93110a6a365dbd01044a142a4add813c95e37491d8053129dc4bd1fba1bf2 |
linux_amd64.zip | d7191c83ec5c95bc5213ec1dbee6f831205755c1ab1bdd0b69443ee19e268a04 |
linux_arm64.deb | 44355e8cce6e7db84cf1d43e75b17a7a6b3118744c8582fcf5852be6c44dc0a8 |
linux_arm64.rpm | 08b4ef1eb37dea3902694e2ef3b4cbe69dcc9633dce95e19a00cd60f739aeaa3 |
linux_arm64.zip | a88e7dc6183004b8c5c7a167400b6d351489a7bbd93fece1466ab21d6408d1fd |
Bug Fixes
Other
Fixed a bug where the log collector would get stuck when encountering a long line (131,072 B) and use 100 % CPU.
Humio Log Collector 1.0.0 LTS (2022-04-23)
Version? | Type? | Release Date? | Config. Changes? |
---|---|---|---|
1.0.0 | LTS | 2022-04-23 | Yes |
File | SHA256 Checksum |
---|---|
linux_amd64.deb | cd65f255943e03f5ad01bed20196742a25e48240ee3dadfeeb363911afe8b8ab |
linux_amd64.rpm | 8482625c6795954d137609b77737c7c719ce457d4a4b78aace0b5a2cd09df5e6 |
linux_amd64.zip | 888d95ec898eb16a528c5537836a4ec42cc543dff206539741816d7c0f564bde |
linux_arm64.deb | 348a3be0ccb4b5c11e88ea18ce8a858814f4d568b5a8b43082811db4e7aa8e9e |
linux_arm64.rpm | 39da26f504af0aa20a40d3c8d08803eecd474163d9650a71803344b85672fe54 |
linux_arm64.zip | 3f37407ead2a2e712a9bfcd307b1c6e5ef256d2cb9968dd86bfe70d50aedb634 |
The first release of Humio Log Collector, our native log shipper, which can be used to ship local files to a Humio repository by specifying an ingest token. This version of the log collector offers the following features.
Improvements, new features and functionality
Managing Data
Ships all existing events in the file.
@collect.* metadata attached to the events including unique collector ID, hostname, @collect.timestamp etc
Only handles single line events
Collects from local files using a glob pattern (so single file, directory, recursive, etc) and from windows eventlogs and system logs.
Buffers in memory.
Tails for new events in the file.
Offers a sub-second ingest lag between a line being written and sent to Humio (configurable)
Network
Offers network compression which defaults to ON.
Supports HTTP(S) proxies.