Falcon LogScale Collector 1.8.1 GA (2024-11-20)

Version   Type   Release Date   Config. Changes
1.8.1     GA     2024-11-20     no

Highlights

Support for including or excluding events based on regular expressions has been introduced.

Behavior Changes

Scripts or environments that make use of these tools should be checked and updated for the new configuration:

  • This release requires at least Windows 10 or Windows Server 2016.

  • Users running Falcon LogScale Collector version 1.3.4 or earlier must first update to version 1.6.6 before updating to version 1.8.1.

Improvements, new features and functionality

  • Collecting Data

    • Falcon LogScale Collector now supports filtering events based on a regular expression. Filtering is available per source and is configured using a transform with type regex_filter. Two modes are available: include, which includes only events matching a regex, and exclude, which excludes all events matching a regex. For more information, see Configuration Elements.

    • Improved the syslog source for TCP/TLS by removing the 1024 connection limit, further enhancing the memory optimization introduced in 1.7.4.

    • The checkpointer has been optimized for improved performance and scalability with multiple file sources. This change includes a revised internal database structure, which affects how file identities are stored. An automatic migration is performed during upgrade, preserving existing file identities.

      Warning

      After downgrading from 1.8.0 to an older version, the collector will not be able to recognize the checkpoints for files identified in the new format, potentially causing re-ingestion. For more information, see How-To: Downgrading LogScale Collector from Version 1.8.1 to 1.7.x.

  • Other

    • To take advantage of the latest optimizations and security updates, the Go version has been updated. With this update, the collector requires at least Windows 10 or Windows Server 2016; support for previous versions has been discontinued.

    • The UserAgent string used in HTTP requests has been updated and aligned across platforms; it now includes OS and architecture.

  • Debugging

    • Internal log messages in the Falcon LogScale Collector have been improved. Some trace level messages regarding memory queue handling have been removed and some debug level messages regarding collector metrics have been added.

  • Installation and Deployment

    • The install scripts have been updated to replace legacy launchctl subcommands load and unload with newer commands in macOS and to install the Falcon LogScale Collector as a service in macOS.
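
The include and exclude modes of the regex_filter transform described under Collecting Data decide which events ever reach LogScale, so a candidate pattern is worth dry-running against sample events before rollout. The following is an added example, not code from these release notes or from the collector; the function and field names are hypothetical, the events are constructed, and unanchored matching with Go's regexp syntax is an assumption.

```go
package main

import (
	"fmt"
	"regexp"
)

// Result: events shipped, events dropped, and dropped events matching mustKeep.
type Result struct{ Kept, Dropped, Lost []string }

// DryRun mimics the two modes: "include" keeps only matching events, "exclude"
// drops every matching event. mustKeep marks events your detections rely on.
func DryRun(mode, pattern, mustKeep string, events []string) (Result, error) {
	var res Result
	if mode != "include" && mode != "exclude" {
		return res, fmt.Errorf("unknown mode %q", mode)
	}
	re, err := regexp.Compile(pattern)
	if err != nil {
		return res, fmt.Errorf("invalid pattern: %w", err)
	}
	keep, err := regexp.Compile(mustKeep)
	if err != nil {
		return res, fmt.Errorf("invalid mustKeep: %w", err)
	}
	for _, ev := range events {
		if re.MatchString(ev) == (mode == "include") {
			res.Kept = append(res.Kept, ev)
			continue
		}
		res.Dropped = append(res.Dropped, ev)
		if keep.MatchString(ev) { // a detection-relevant event would be filtered out
			res.Lost = append(res.Lost, ev)
		}
	}
	return res, nil
}

// Constructed sample events, not real collector output.
var sample = []string{
	"sshd[811]: Failed password for root from 203.0.113.7 port 4022 ssh2",
	"sshd[811]: Accepted publickey for deploy from 198.51.100.4 port 5110 ssh2",
	"healthcheck: GET /ping 200",
}

func main() {
	res, err := DryRun("exclude", `root|healthcheck`, `Failed password`, sample)
	fmt.Printf("kept=%d dropped=%d lost=%q err=%v\n", len(res.Kept), len(res.Dropped), res.Lost, err)
}
```

A non-empty Lost list means the filter would suppress events a detection depends on; here the over-broad exclude pattern drops the failed root login along with the health-check noise.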

Bug Fixes

  • Other

    • Windows only: Fixed a bug where the collector would fail to start after increasing the maxLimitInMB parameter for an already configured disk queue, due to a file rename error when re-allocating the disk memory storage file.

  • Fleet Management

    • We have identified some edge cases in which a reconfiguration of a sink could cause the error: "Could not send data to sink. Sending will be retried, context canceled" to be reported even though subsequent transmission has succeeded.

    • If a Falcon LogScale Collector instance encounters an error while sending data to a sink, this error will be reported in Fleet Management and the status column in the Fleet Overview page will display error. If a subsequent transmission succeeds, status will return to ok.

    • A previously unhandled scenario, in which an attempt by the Falcon LogScale Collector to enroll into Fleet Management would block indefinitely due to a missing HTTP response, has been addressed. The Collector now times out after 60 seconds and logs a warning: "timeout awaiting response headers".

  • Installation and Deployment

    • The uninstall script for Linux distributions would fail to remove the service user on RedHat distributions.