Full Falcon LogScale Collector Release Notes Index

This section contains a single page with all release notes on the same page.

Falcon LogScale Log Collector 1.6.1 GA (2023-12-12)

VersionTypeRelease DateConfig. Changes
FileSHA256 Checksum
Docker ImageArchitectureSHA256 Checksum


  • Docker EU-1 registry.crowdstrike.com/log-collector/eu-1/release/logscale-collector:1.6.1

  • Docker US-1 registry.crowdstrike.com/log-collector/us-1/release/logscale-collector:1.6.1

  • Docker US-2 registry.crowdstrike.com/log-collector/us-2/release/logscale-collector:1.6.1

Improvements and bugfixes to the handling of the file source and debug logging.

Improvements, new features and functionality

  • Debugging

    • Debug logging no longer accepts http:// adresses by default. If such a scenario is required HUMIO_DEBUG_LOG_ALLOW_HTTP must be configured true.

    • The debug logging mechanism has been improved. If an error occurs when sending the debug logs to LogScale, 3 attempts will be made in total before the debug logs are dropped.

    • Debug logging now uses the system proxy by default, previously proxy was not supported.

    • The debug logging configuration through environment variables now supports additional configuration options which are documented in Debug Log

  • Collecting Data

    • The file source been improved in scenarios with log file rotation. In previous versions a race could occur between file discovery and file read, during file rotation. This could potentially cause data to be missed (not ingested).

    • Performance of Syslog UDP source has been improved when running on a Linux system.

      The source now uses multiple workers to receive data from the network. By default it will spawn workers corresponding to the number of CPU cores in the system. The number of workers can be controlled by specifying the 'workers' parameter under the source configuration. Specifying 0 workers, or omitting the parameter will use the detected number of cores. See Sources & Examples.

    • We now offer a docker image which can be deployed in a Kubernetes to forward log messages from the applications deployed in the cluster. See te documentation for more details Collecting Kubernetes Pod Logs.

Bug Fixes

  • Collecting Data

    • Configuring an incorrect exclude path for the file source could cause the collector to crash, this is corrected.

Falcon LogScale Log Collector 1.5.3 GA (2023-10-16)

VersionTypeRelease DateConfig. Changes
FileSHA256 Checksum

Improvements and bugfixes regarding handling of the file source.

Improvements, new features and functionality

  • Collecting Data

    • Internal handling of the file source has been optimized to reduced the number of syscalls used to monitor files and directories for changes.

Bug Fixes

  • Collecting Data

    • An issue has been identified with the checkpointing component, causing unnecessary disk write operations when used with a file source. This scales linearly with the number of file sources configured, leading to a high disk utilization when defining multiple file sources.

      Note: Multiple `include` patterns per file source do not cause this issue, only separate sources. This behaviour started in 1.5.0, and is fixed with this release.

Falcon LogScale Log Collector 1.5.2 GA (2023-10-03)

VersionTypeRelease DateConfig. Changes
FileSHA256 Checksum

Bug fixes and improvements.

Improvements, new features and functionality

  • Debugging

    • The log level for the log message "File is a duplicate of another file." has been changed from warning to info.

  • Collecting Data

    • Added a logscale alias for the humio sink. It is now possible to write type: logscale instead of type: humio in the sinks section.

    • When LogScale rejects an ingest API request due to a request timeout or the request being too large, the LogScale Collector now divides the ingest request in to multiple parts and attempts to send the split files. If after dividing the ingest request, if a single event still triggers this limit, it will be discarded.

      The default LogScale request size limit is 32 MB, while the LogScale Collector targets maximum of 16 MB of input per request. Due to encoding, particularly control characters or invalid UTF-8 sequences could cause an up to 6x blow up of the request size.

Bug Fixes

  • Collecting Data

    • Fixed a bug where an invalid include/exclude pattern in the config of a file source could cause the LogScale Collector to crash.

    • Fixed a bug when inadvertently reading a binary file could induce a 400 Bad Request from LogScale, which discards data in the LogScale Collector.

      The issue occurs when a binary file contains a UTF-8 sequence of EF BF BF that decodes to U+FFFF. The U+FFFF code point gets interpreted as end-of-input in the applicable LogScale ingest API.

    • The file source now completely ignores files that are of length zero bytes. This should fix an issue where the file source would inadvertently read a compressed file as plain text, if the file was opened when it was empty.

      This scenario is most likely to occur when a log file is rotated and compressed. Reading a compressed file as plain text could then induce the above binary file problem regarding U+FFFF.

    • Fixed a bug where a duplicate of a file could trigger length updates in the open file source.

      If a duplicate file is an included file that has the same fingerprint as another included file. The lexicographically lesser path is considered the active file.

Falcon LogScale Log Collector 1.5.1 GA (2023-8-28)

VersionTypeRelease DateConfig. Changes
FileSHA256 Checksum

Bug fixes.

Bug Fixes

  • Collecting Data

    • Fixed a bug which caused the Log Collector to crash when using multiple file source declarations.

Falcon LogScale Log Collector 1.5.0 GA (2023-8-23)

VersionTypeRelease DateConfig. Changes
FileSHA256 Checksum

  • The LogScale Collector now supports macOS and is available as package installer (.pkg).

  • The LogScale Collector now reports metrics regarding e.g. CPU and memory usage to LogScale Fleet Management.

Improvements, new features and functionality

  • Fleet Overview

    • The LogScale Collector will now send its CPU usage, memory usage and disk usage of the data directory partition to LogScale Fleet Management.

      These metrics will be available from within the Fleet Management|Fleet Overview pagein the LogScale user interface and can be used to provide a feedback loop when scaling instances and adjusting configuration settings. See LogScale Collector Metrics for more information.

  • Collecting Data

    • The file source has been updated with improved file identity tracking. If multiple files are considered to be identical copies through fingerprinting, only a single copy will be opened.

    • The LogScale Collector now supports macOS and is available as package installer (.pkg), see Installing LogScale Collector on macOS for information.

      The installer contains a universal binary which runs natively on both Apple silicon and Intel-based Mac computers. In addition to the source types supported on other platforms e.g. file source etc., a new source type unifiedlog has been added, see Sources & Examples. This source type supports shipping unified logs on macOS.

    • The disk queue has been reimplemented in order to increase performance and resilience.

      One consequence of this is that the entire storage space, determined by maxLimitInMB, is allocated when the queue is created. This ensures a deterministic size of the disk queue and prevents scenarios where the configured disk queue size is not available due to missing disk space.

      If the configured disk queue size is not available on the configured disk partition, an error will be issued. E.g. "Could not apply the config error="pipeline: logscale, details: no space left on device"".

    • A new source type syslog_tls has been added. This source type supports receiving encrypted syslog traffic. See Sources & Examples for more information.

    • The syslog source has been optimized with respect to UDP mode. According to internal performance measurements, the performance has been increased by a factor of 3-4.

    • If two instances of the LogScale Collector are attempting to use the same data directory, the error message has been improved.

      An example scenario is if the Collector is running as a service and a second instance is started manually from the command line. Previously the error message would be: timeout.

      Now the following error message will be issued: "Could not lock the checkpoint database. Maybe another process is using the same data directory? The data directory is set to: my_data_directory_location"

Falcon LogScale Log Collector 1.4.1 GA (2023-6-13)

VersionTypeRelease DateConfig. Changes
FileSHA256 Checksum

Improvements to the handling of the Windows event log source.

Improvements, new features and functionality

  • Collecting Data

    • The approach for handling Windows Event Logs has been revised, as the previous versions of the Collector could cause field names to be misaligned.

      The previous approach was solely based on using the Windows Event API for rendering the field names. This has shown to fail in cases where the event data has a parameter without a value.

      The new approach parses the XML and for events containing EventData, the field names and values are directly extracted from the XML. For events containing UserData, the XML may not be sufficient, thus the parsing falls back to the Windows Event API to render the field names.

      This has the following known impact on the collector data:

      • Corrects the misalignment of field names, found in earlier versions.

      • Events containing the Binary field, are now sent as their real names, e.g, windows.EventData.Binary, which previously were sent as windows.EventData[n].

    • The Language for rendering Windows Event Logs is now configurable. Up to version 1.4.x The LogScale Collector used the system language to render the event message, collected as @rawstring. This has the potential downside, that for fleets with Windows hosts using different system languages, the collected @rawstring will differ. This only applies for rendering of the event message (no other values) and only for local events.

      In the case of forwarded events the message is rendered locally by the Windows Event Forwarded, and when collected on the Windows Event Forwarder, the message is sent as plain text to the LogScale Collector.

      A new config parameter (language) for setting the render language using Windows LCID codes has been added. The default setting is 0, which corresponds to the previous behaviour, which is the active language on the host.

Bug Fixes

  • Collecting Data

    • Misalignment of field names for the Windows event log source has been corrected, see above.

Falcon LogScale Log Collector 1.4.0 GA (2023-5-08)

VersionTypeRelease DateConfig. Changes
FileSHA256 Checksum

Bugfix for the Windows event log source, improvements to fleet Management.

Improvements, new features and functionality

  • Fleet Overview

    • Fleet Management Improvements

      • When enrolling a LogScale Collector to Fleet management, the enroll process will now stop and start the service during the enrollment process. This behaviour can be omitted by using the flag to the humio-log-collector enroll command.

      • After a successful enrollment, the LogScale Collector service will be configured to automatically start after a reboot. This behaviour can be omitted by using the --no-service flag to the humio-log-collector enroll command.

      • The LogScale Collector process will now exit if it receives an 401 Unauthorized error code during a Fleet management poll operation. The error code signals that the instance no longer has access to the LogScale cluster and cannot be managed. The service manager will automatically restart the LogScale Collector after exiting.

      • When enrolled in Fleet Management, the LogScale Collector will now collect diagnostics from the sinks and send them to Fleet management. The diagnostics will contain various warning and error states that might occur when sending events to LogScale. The diagnostics is available for viewing in the Fleet management tab in LogScale.

  • Other

    • Checkpointer has been improved

      In preparation for future improvements, the checkpoint database has been changed from a JSON file to a binary database format. The existing checkpoints.json file will be automatically imported into the new database. The LogScale Collector will now write a backwards compatible checkpoints.json file on shutdown, which will not be re-imported.

    • Command line arguments

      The LogScale Collector command line interface has been changed to use -- (double dash) for each option. Existing - (single dash) options will be converted in a transition period. A deprecation warning is emitted when options are provided with only a single dash.

Bug Fixes

  • Managing Data

    • Corrected the handling of subscription to more than 64 channels in a single Windows event log source.

      The wineventlog source sometimes encountered issues when configured with more than 64 channels in a single Windows event log source (type: wineventlog). In this scenario it would not collect any events, and the following error message was observed: "extNext: The operation identifier is not valid.". .

Falcon LogScale Log Collector 1.3.4 GA (2023-3-30)

VersionTypeRelease DateConfig. Changes
FileSHA256 Checksum

Bugfix for the Windows event log source, related to an issue with forwarded events.

Bug Fixes

  • Collecting Data

    • Using the enroll command, to enroll a new collector to fleet management in a linux environment,would previously cause an error if the collector had not been running before, i.e. if the enroll command is the first action.

      When enrolling a new collector, the collector would use an empty machine id value due to incorrect permissions set up by the enroll command. This is not a problem when enrolling collectors that have already been run.

      Starting with this release the enroll command no longer has this issue. In case the above error is encountered, a manual fix is required to give the service user the correct permissions:

      sudo chown humio-log-collector:humio-log-collector /var/lib/humio-log-collector/.machine-id

    • In a setup using the Windows event log source for collecting forwarded events, the collector has been seen to crash while parsing forwarded events.

      This may occur in a scenario where the remote WEF (Windows Event Forwarding client) and the WEC (Windows Event Collector) go online after a restart. The re-initiated event subscription causes an exception, which stops the collector. This has now been corrected.

Known Issues

  • Collecting Data

    • When collecting data from a Windows event, the collector extracts information from event data and maps the data to named fields in LogScale.

      In scenarios with forwarded events containing empty data values, the indexing of values and names can become misaligned. In this case the current parsing approach is not possible due to misalignment of field names and values. Previously this would result in incorrect values being assigned to field names.

      Starting with this release the Collector appends these values as indexed fields (windows.EventData[0..n]) instead of named fields, and introduces a new field @collect.error with the value: "wineventlog: couldn't parse names for event data".

Falcon LogScale Log Collector 1.3.3 Withdrawn (2023-3-21)

VersionTypeRelease DateConfig. Changes
FileSHA256 Checksum

This release has been withdrawn due to the introduction of a regression which could result in missing @rawstring for the Windows event log source.

If you are using this version we recommend you upgrade to 1.3.4.

Falcon LogScale Log Collector 1.3.2 GA (2023-3-16)

VersionTypeRelease DateConfig. Changes
FileSHA256 Checksum

Bugfix for the Fleet Management communication, eliminating excessive retries.

Bug Fixes

  • Fleet Overview

    • If Fleet Management communication with LogScale is unsuccessful the LogScale Collector will do exponential backoff.

      In some scenarios, an error in the backoff implementation caused the retry timeout to drop to zero, resulting in excessive retries. This is now corrected.

Falcon LogScale Log Collector 1.3.1 GA (2023-3-9)

VersionTypeRelease DateConfig. Changes
FileSHA256 Checksum

Bugfix for the Windows event log source, related to an issue with the event data fields.

Improvements, new features and functionality

  • Configuration

    • The behaviour in cases where the system HTTP proxy detection fails, has been changed.

      If no proxy is configured, the collector will attempt to detect and use the system HTTP proxy. Previously if detection failed the collector would stop, for example this sometimes occurred on older versions of Windows.

      Now in case of failure a warning will be logged, and the collector will continue without a proxy (corresponding to the configuration: proxy:none).

    • When installing on Linux the provided service file allowing to run the collector as a systemd service, now defaults to "Restart=always". This is to ensure that unless the service is stopped, the collector service will always be restarted in case of e.g. a crash.

  • Debugging

    • Usability improvement of the enroll command.

      The check for supplied command line arguments is improved and if incorrect/missing arguments are encountered usage is printed.

Bug Fixes

  • Fleet Overview

    • Corrected UserAgent in HTTP requests for fleet overview and fleet management (Internal improvement).

  • Collecting Data

    • Corrected handling of event templates version for the Windows event log source (type: wineventlog).

      When collecting data from a Windows Event, the collector extracts information from event data and maps the data to named fields in LogScale.

      Scenarios where an event has multiple versions of its XML template were not handled correctly, potentially resulting in incorrect values being assigned to field names.

Falcon LogScale Log Collector 1.3.0 GA (2023-2-7)

VersionTypeRelease DateConfig. Changes
FileSHA256 Checksum

Fleet management now supports remote configuration of LogScale Collectors. This gives an administrator the option of managing the configuration of LogScale Collector instances in LogScale, instead of managing configuration files directly on the device where LogScale Collector is installed.

Improvements, new features and functionality

  • Configuration

    • The configuration of LogScale Collectors can be managed in LogScale. This is accomplished using configurations and enrollment tokens stored in LogScale.

      To be able to manage the configuration of collectors in LogScale, collectors need to be enrolled to remote configuration, this is done using enrollment tokens.

      Two new pages have been added to the Fleet Management tab in the LogScale user interface.

      • The Config overview page, lists all available configurations and the number of LogScale Collectors using each configuration. The page furthermore allows you to create new configurations. See Managing Remote Configurations for more information.

      • The Enrollment tokens page lists all available enrollment tokens, and allows for creating new enrollment tokens.

        The actual enrollment of a LogScale Collector is performed by executing an enrollment command on the device with the installed LogScale collector instance. The command to be executed can be grabbed from the enrollment token page. See Managing LogScale Collector Instance Enrollment for more information.

      The Fleet overview page, which displays the status of all LogScale Collector instances, now includes the name of the assigned configuration to each LogScale Collector.

      It is still possible to use the Fleet Overview without enrolling LogScale Collector instances in remote configuration, in which case configuration will need to be managed directly on the device with installed collector. See LogScale Collector Fleet Management Overview for more information.

Falcon LogScale Log Collector 1.2.3 GA (2023-1-23)

VersionTypeRelease DateConfig. Changes
FileSHA256 Checksum

This version contains bug fixes.

Bug Fixes

  • Collecting Data

    • Fixed a bug on Windows where the Log Collector locks open log files, preventing applications from rotating log files via rename or delete.

Falcon LogScale Log Collector 1.2.2 GA (2023-1-16)

VersionTypeRelease DateConfig. Changes
FileSHA256 Checksum

Bug fixes, improvements and Windows log format collecting features.

Improvements, new features and functionality

  • Collecting Data

    • Moved default program data directory on Windows to prevent possible conflicts with Falcon Sensor.

    • Added an option to WinEventLog source for including/excluding the XML.

    • Improved performance of the WinEventLog source.

    • Added an option to WinEventLog source for excluding eventIDs.

Bug Fixes

  • Collecting Data

    • Fixed a bug which caused the checkpointer for WinEventLog source to not update all of the configured channels.

Falcon LogScale Log Collector 1.2.1 GA (2022-11-10)

VersionTypeRelease DateConfig. Changes
FileSHA256 Checksum

Bug fix for an issue related to file source which caused it to stop monitoring files.

Bug Fixes

  • Collecting Data

    • Fixed a bug which could cause the file source to stop monitoring files due to a race condition in file creation, update or deletion scenarios.

Falcon LogScale Log Collector 1.2.0 GA (2022-10-27)

VersionTypeRelease DateConfig. Changes
FileSHA256 Checksum

This version of the humio log collector offers the Fleet Overview functionality, which allows you to monitor the status of log collector instances and the following improvements:

  • Improved configuration file validation

  • Improved error logging

  • Reload configuration file feature

  • Using environment variables as the sink url

  • The file source now has more include and exclude patterns and uses less resources by waiting for changes to the file

  • the CMD source can now create single multiline events

  • the wineventlog can now filter events by provider and keep bookmarks of its progress

  • Performance improvements

  • improved batch handling

  • Enforces the use of HTTPS.

Improvements, new features and functionality

  • Configuration

    • Improved configuration file validation - The collector is now more thorough when validating its configuration file. An example of this is that unknown options in the configuration are invalid and will prevent running the program. Upon detection of an invalid configuration, the collecter will attempt to provide a descriptive error, some examples of this are:

      error reading config file "my_config.yaml" sources:
              name must consist of only alphanumeric characters or '.', '_'
              and '-'
                  error reading config file "my_config.yaml": 
                  sources.cmd_uname_scheduled.interval: invalid type string,
                  wanted int` 
                  error reading config file "my_config.yaml"
        : sources.dummy_logs.sink: missing value for required field`
    • The collector now reloads the configuration file when it receives a SIGHUP. This does not apply to the logLevel and dataDirectory options. If the new configuration is invalid, the program will stop.

    • The collector now enforces using https:// for URLs, this can be overridden by adding the -allow-insecure-http command line flag.

  • Debugging

    • The default log level is now set to warnings, previously only errors were logged by default.

  • Fleet Overview

    • The collector now supports reporting to the fleet overview of LogScale. Configure the fleetManagement part of the configuration to enable this feature, see Fleet Management (fleetManagement) for more information.

      When the feature is enabled, the collector will periodically send metrics to LogScale, including the OS version, the collector version, how much data is ingested, and a description of the configured log sources.

  • Collecting Data

    • Improved batch handling

      • The sinks now have additional configuration options to change the maximum event size maxEventSize (default 1MB) and the maximum batch size maxBatchSize (default: 16 MB). The limits are propagated to the queue, where it replaces the previous maxEventsPerRequest option. The limits are also propagated to all the sources that reference the sink.

      • The memory queue no longer supports configuration of maxEventsPerRequest, it inherits the maximum bytes per request from the sink maxBatchSize.

      • The memory queue no longer waits before flushing a batch that is larger than the maximum batch size.

      • The collector now warns you when a memory queue reaches 50% and 80% of capacity.

      • The collector now sends a warning after 2 retry attempts when sending events to a http sink.

    • The wineventlog source can now filter events based on the provider name. Set the option providers to an array of provider names that should be included to enable this feature. This source also keeps a bookmark of its progress in the Windows event log, and resumes from there when the collector is restarted.

    • The cmd source can now create a single multiline event when running in the schedule mode. Set the option consolidateOutput to true to enable this feature.

    • The file source can now have additional include and exclude patterns in the same configuration. Specifically, the options exclude and include can be either a string or an array of strings.

    • The url option in the sinks part of the configuration can now refer to an environment variable by using the ${ENVVAR} syntax.

  • Managing Data

    • If a file monitored by the file source is inactive (not written for a configurable period default: 60 seconds, the file descriptor is closed to release system resources, and watched for changes instead. Whenever the file changes, it is re-opened. This is configurable by the inactivityTimeout option in the file source.

    • Improved serialization performance in the humiosink leading to lower memory usage and faster serialization of events.

    • Improved memory usage of the memory queue component by removing an upfront buffer that caused it to store more events than specified by the maxLimitInMB option.

Bug Fixes

  • Collecting Data

    • Events from the wineventlog source which contain fields of the type hexadecimal integer were presented as a base 10 number, they are now presented as a base 16 number.

Humio Log Collector 1.1.4 GA (2022-10-12)

VersionTypeRelease DateConfig. Changes
FileSHA256 Checksum

Fixed a bug with the Windows event log source.

Bug Fixes

  • Collecting Data

    • Fixed a bug which made the log collector stop when it encountered a Windows event that contained a binary property of zero-length.

Humio Log Collector 1.1.3 GA (2022-10-03)

VersionTypeRelease DateConfig. Changes
FileSHA256 Checksum

Improved troubleshooting on Windows, improved checkpointing on disk and fix for a bug on the data sink type.

Improvements, new features and functionality

  • Debugging

    • Improved Checkpointing to disk -- In case of failure writing checkpoints to disk, an error will be logged and writing to disk will be retried with exponential backoff for up to 1 second. This avoids a potential race condition, in which an external program (e.g. an anti-virus program) locks a file that is being simultaneously accessed by the Log Collector.

    • Improved troubleshooting On Windows platforms -- the Log Collector will send errors and warnings to the Windows event log.

Bug Fixes

  • Collecting Data

    • When sending data to a configured sink the http-header: Content-Type is now set to application/json.

Humio Log Collector 1.1.2 Not Released (2022-09-29)

VersionTypeRelease DateConfig. Changes
1.1.2Not Released2022-09-29No


This release has been withdrawn due to an issue on Windows, where, in certain configurations, it will continuously log the same event.

If you upgraded to this version we recommend you downgrade to 1.1.1. If you have not installed 1.1.2 upgrade directly to 1.1.3 when it is available.

Humio Log Collector 1.1.1 GA (2022-09-19)

VersionTypeRelease DateConfig. Changes
FileSHA256 Checksum

Fixed issues on Syslog and JournalD data collection and improved the queue.

Improvements, new features and functionality

  • Managing Data

    • Improved the way events are being queued in order to better respect the maximum limit of the queue.

Bug Fixes

  • Collecting Data

    • The Syslog source now limits events to 2 KB (configurable via the maxEventSize parameter on the source).

    • Fixed an issue with Syslog data where the source would allocate more memory than was needed.

    • Fixed a JournalD source issue where the collector would stop collecting new events after journal files have been rotated.

    • Fixed an issue when using Syslog source where syslog messages were silently discarded.

Humio Log Collector 1.1.0 GA (2022-06-25)

VersionTypeRelease DateConfig. Changes
FileSHA256 Checksum

Extended support and functionalities.

Improvements, new features and functionality

  • Collecting Data

    • The log collector supports for reading gzip and bzip2 compressed files by default.

    • Support for Multiline logs

    • Updated cmd source support

    • JournalD source support

  • Managing Data

    • Disk queue support

    • The queue configuration option fullAction: deleteLatest has been removed are set to the default pause.

    • The user can use environment variables to configure:

      • ingest tokens

      • the field values in the static field transform

      • the environment for any command run through the cmd source

    • Transform Static fields

    • Filter Windows event log by EventID

Humio Log Collector 1.0.2 Stable (2022-05-05)

VersionTypeRelease DateConfig. Changes
FileSHA256 Checksum

Bug Fixes

  • Other

    • Automatically reload the systemd daemon after install on Linux.

    • Fixed a bug that caused the log collector to start from the beginning of all files after being restarted.

Humio Log Collector 1.0.1 Stable (2022-04-25)

VersionTypeRelease DateConfig. Changes
FileSHA256 Checksum

Bug Fixes

  • Other

    • Fixed a bug where the log collector would get stuck when encountering a long line (131,072 B) and use 100 % CPU.

Humio Log Collector 1.0.0 Stable (2022-04-23)

VersionTypeRelease DateConfig. Changes
FileSHA256 Checksum
linux_amd64.rpm 8482625c6795954d137609b77737c7c719ce457d4a4b78aace0b5a2cd09df5e6

The first release of Humio Log Collector our native Log shipper which can be used to ship local files to a Humio repository by specifying an ingest token. This version of the log collector offers the following features.

Improvements, new features and functionality

  • Network

    • Supports HTTP(S) proxies.

    • Offers network compression which defaults to ON.

  • Managing Data

    • @collect.* metadata attached to the events including unique collector ID, hostname, @collect.timestamp etc

    • Offers a sub-second ingest lag between a line being written and sent to Humio (configurable)

    • Buffers in memory.

    • Collects from local files using a glob pattern (so single file, directory, recursive, etc) and from windows eventlogs and system logs.

    • Tails for new events in the file.

    • Only handles single line events

    • Ships all existing events in the file.