Falcon LogScale Collector 1.3.4 GA (2023-3-30)
| Version | Type | Release Date | Config. Changes |
|---|---|---|---|
| 1.3.4 | GA | 2023-3-30 | no |
| File | SHA256 Checksum | Hash File |
|---|---|---|
| linux_amd64.deb | f0a6612a103765ff2f54121d1520290dabac64aabbd21eca423f7cd79105f230 | |
| linux_amd64.rpm | a9e1d4174a8b7af93da72c01aae68e7d1a1db66fb29a40bc16bd3cafc62ef14a | |
| linux_arm64.deb | e82c6c21fe2a0704c42c564cddba39337044247e82cdd5f701658c35bce6bc20 | |
| linux_arm64.rpm | e70248e5caca2c2b8a44b39baf69136d2301dbdcab02269fb74a88084199c34c | |
| windows_amd64.msi | 3a925d65b753bdcf4ee5724c37925a32805943f8a75b5bddf82e874d3588ff8c | |
Bugfix for the Windows event log source, related to an issue with forwarded events.
Bug Fixes
Collecting Data
Using the enroll command to enroll a new collector to fleet management in a Linux environment would previously cause an error if the collector had not been running before, i.e. if the enroll command was the first action taken.
When enrolling a new collector, the collector would use an empty machine id value due to incorrect permissions set up by the enroll command. This is not a problem when enrolling collectors that have already been run.
Starting with this release the enroll command no longer has this issue. In case the above error is encountered, a manual fix is required to give the service user the correct permissions:
```shell
sudo chown humio-log-collector:humio-log-collector /var/lib/humio-log-collector/.machine-id
```

In a setup using the Windows event log source for collecting forwarded events, the collector has been seen to crash while parsing forwarded events.
This may occur in a scenario where the remote WEF (Windows Event Forwarding client) and the WEC (Windows Event Collector) go online after a restart. The re-initiated event subscription causes an exception, which stops the collector. This has now been corrected.
Known Issues
Collecting Data
When collecting data from a Windows event, the collector extracts information from event data and maps the data to named fields in LogScale.
In scenarios with forwarded events containing empty data values, the indexing of values and names can become misaligned. Because the field names and values no longer line up, the usual name-based parsing cannot be applied. Previously this would result in incorrect values being assigned to field names.
Starting with this release the Collector appends these values as indexed fields (windows.EventData[0..n]) instead of named fields, and introduces a new field @collect.error with the value: "wineventlog: couldn't parse names for event data".
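The fallback described above, as an added illustration rather than the collector's own code: values are pulled from a constructed EventData fragment and matched against a constructed provider template; when the counts disagree, the record gets positional `windows.EventData[0..n]` fields and the `@collect.error` marker instead of guessed names. The `windows.EventData.<name>` format for the aligned case is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed model of the behaviour in the Known Issues entry, not the
# collector's source. The named-field format below is an assumption.
ERROR_FIELD = "@collect.error"
ERROR_VALUE = "wineventlog: couldn't parse names for event data"


def extract_values(event_data_xml: str) -> list[str]:
    """Return the text of each <Data> element in an EventData fragment, in order."""
    root = ET.fromstring(event_data_xml)
    return [(d.text or "") for d in root.iter("Data")]


def map_event_data(names: list[str], values: list[str]) -> dict[str, str]:
    """Map event data values to LogScale fields.

    When every value lines up with a template name, emit named fields.
    When the counts differ (the misalignment the release notes describe),
    emit positional fields windows.EventData[0..n] and flag the record
    rather than guessing which value belongs to which name.
    """
    if len(names) == len(values):
        return {f"windows.EventData.{n}": v for n, v in zip(names, values)}
    fields = {f"windows.EventData[{i}]": v for i, v in enumerate(values)}
    fields[ERROR_FIELD] = ERROR_VALUE
    return fields


# Constructed template: the field names the provider defines for this event.
TEMPLATE = ["SubjectUserName", "SubjectDomainName", "LogonType"]

# Constructed well-formed fragment: three values for three names.
ALIGNED_XML = """<EventData>
  <Data Name="SubjectUserName">alice</Data>
  <Data Name="SubjectDomainName">CORP</Data>
  <Data Name="LogonType">3</Data>
</EventData>"""

# Constructed forwarded fragment in which the empty value was dropped,
# leaving two values for three template names.
MISALIGNED_XML = """<EventData>
  <Data>alice</Data>
  <Data>3</Data>
</EventData>"""


def demo() -> tuple[dict[str, str], dict[str, str]]:
    aligned = map_event_data(TEMPLATE, extract_values(ALIGNED_XML))
    misaligned = map_event_data(TEMPLATE, extract_values(MISALIGNED_XML))
    return aligned, misaligned


if __name__ == "__main__":
    for record in demo():
        print(record)
```

Searching for `@collect.error` in LogScale is then the quickest way to find events whose data fields arrived positionally and need a template-aware parser.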