Falcon LogScale Collector 1.4.1 GA (2023-6-13)
Version | Type | Release Date | Config. Changes
---|---|---|---
1.4.1 | GA | 2023-6-13 | yes
File | SHA256 Checksum
---|---
linux_amd64.deb | 788d7be0888c8527501e5ca90698b0fdc06745eeddc98c7b79c240d2505e2dfb
linux_amd64.rpm | dee647d23060843c789360cc9ecf51fd8f59b9c9ae487c587bd2099dc11f2218
linux_arm64.deb | 59f55b0668f0462c1bcf257b771edf1ae4fa365e7b905a9acea5b1494d157723
linux_arm64.rpm | fcc2ee1d23f094e136e62e06d9ef55768b2dfcf2adbc6fe0ffe2467838351cd9
windows_amd64.msi | 43390b610233202f0c1808a65f05b701e4c141b2781a83a0885c5aa9b2613c3e
Improvements to the handling of the Windows event log source.
Improvements, new features and functionality
Collecting Data
The language used to render Windows Event Log messages is now configurable. Up to version 1.4.x, the Log Collector used the system language to render the event message, collected as @rawstring. This has the potential downside that, for fleets with Windows hosts using different system languages, the collected @rawstring differs from host to host. This only applies to the rendering of the event message (no other values) and only to local events.
In the case of forwarded events, the message is rendered locally by the Windows Event Forwarder, and when collected on the Windows Event Forwarder the message is sent as plain text to the Log Collector.
A new config parameter (language) for setting the render language using Windows LCID codes has been added. The default setting is 0, which corresponds to the previous behaviour: the active language on the host.
The approach for handling Windows Event Logs has been revised, as previous versions of the Collector could cause field names to be misaligned.
The previous approach was based solely on the Windows Event API for rendering the field names. This has been shown to fail in cases where the event data contains a parameter without a value.
The new approach parses the event XML: for events containing EventData, the field names and values are extracted directly from the XML. For events containing UserData, the XML may not be sufficient, so parsing falls back to the Windows Event API to render the field names.
This has the following known impact on the collected data:
- Corrects the misalignment of field names found in earlier versions.
- Events containing the Binary field are now sent with their real field names, for example windows.EventData.Binary, where previously they were sent as windows.EventData[n].
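The EventData-from-XML extraction described above, as an added illustration that is not the Collector's own code: the Data element with an empty value is the case that misaligned API-rendered field names, and Binary keeps its real element name. The event XML is constructed, and indexing Data elements that carry no Name attribute is an assumption of this example, not something the release notes state.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Optional

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"

# Constructed sample event (not a real capture). The empty SubjectDomainName is
# the "parameter without a value" case that the release notes describe.
SAMPLE_EVENT_XML = f"""<Event xmlns="{EVENT_NS}">
  <System><EventID>4688</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">alice</Data>
    <Data Name="SubjectDomainName"></Data>
    <Data Name="NewProcessName">C:\\Windows\\System32\\cmd.exe</Data>
    <Binary>0A0B0C</Binary>
  </EventData>
</Event>"""


def extract_event_fields(xml_text: str) -> Optional[Dict[str, str]]:
    """Flatten <EventData> into windows.EventData.<Name> fields.

    Returns None when the event carries no <EventData> (for example a
    <UserData> event), signalling that the caller must fall back to the
    Windows Event API to render the field names.
    """
    root = ET.fromstring(xml_text)
    event_data = root.find(f"{{{EVENT_NS}}}EventData")
    if event_data is None:
        return None
    fields: Dict[str, str] = {}
    unnamed = 0
    for child in event_data:
        tag = child.tag.split("}")[-1]   # strip the XML namespace
        value = child.text or ""         # empty element -> "" instead of shifting later fields
        if tag == "Data":
            name = child.get("Name")
            if name is None:
                # Assumption: Data elements without a Name attribute are indexed
                name = f"Data[{unnamed}]"
                unnamed += 1
            fields[f"windows.EventData.{name}"] = value
        else:
            # Other EventData children such as <Binary> keep their real element name
            fields[f"windows.EventData.{tag}"] = value
    return fields
```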
Bug Fixes
Collecting Data
Misalignment of field names for the Windows event log source has been corrected, see above.