Falcon LogScale Collector 1.9.0 GA (2025-04-14)
| Version | Type | Release Date | Config. Changes |
|---|---|---|---|
| 1.9.0 | GA | 2025-04-14 | yes |

| File | SHA256 Checksum | Hash File |
|---|---|---|
| linux_amd64.deb | 02ee8357bafc405bcd32ffc92049941bd23cc7dfc219118b91416657de925a47 | |
| linux_amd64.rpm | 376cf5724f3464e91f6ab4c19097555060c72040cc51b67ca09b905e32cf04e3 | |
| linux_arm64.deb | 5b5da6c113c37f886dd2980f9fb28c37527a7ef6670b72a40b990cdd150e822f | |
| linux_arm64.rpm | 9c113a677e5f1b109aa1840a05b9487c20b9135925938ba94661422f18faae82 | |
| macOS_universal.pkg | d1dadebd4ed5cae4e89377375c16be640b922d67693347b2260774627861a3ba | |
| windows_amd64.msi | 936a197780271c05991bf45ddd55feabaa35aa92931ff3feaaff4bc0d79a678d | |

| Docker Image | Architecture | SHA256 Checksum | Hash File |
|---|---|---|---|
| logscale-collector:1.9.0 | amd64 | 64a518dffa789e9609d2a1e97ff67c60f710249189bb43a4344c1f3356916158 | |
| logscale-collector:1.9.0 | arm64 | 64a518dffa789e9609d2a1e97ff67c60f710249189bb43a4344c1f3356916158 | |

Various new data collection features, including more fine-grained control over the wineventlog source and support for UTF-16 encoded files in the file source.
Several new commands to improve troubleshooting and monitoring of the Falcon LogScale Collector.
Deprecation
These items have been deprecated and may be removed in a future release:
The includeXML property is now deprecated and will be removed in version 1.10.0. Users are strongly encouraged to transition to the new format property to ensure compatibility with future updates and to take advantage of the more flexible configuration options.
Improvements, new features and functionality
Collecting Data
Added support for UTF-16 encoded files in the file source. By default, encoding will be auto-detected by BOM (Byte Order Mark). Both UTF-16BE and UTF-16LE are supported.
BOM is also skipped in UTF-8 encoded files that start with the BOM.
When reading files that do not contain a BOM, it is necessary to specify the encoding in the file source config using:
encoding: UTF-16LE, or encoding: UTF-16BE.
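A pre-deployment check for the behaviour described above, as an added Python example (not CrowdStrike's code): it reports whether a log file starts with a BOM that auto-detection covers or needs an explicit encoding value in the file source config. The function names, the NUL-byte heuristic for BOM-less UTF-16, and the UTF-8 fallback are assumptions of this example, not documented collector behaviour.

```python
import codecs

# BOM byte signatures are fixed by the Unicode standard.
BOMS = [(codecs.BOM_UTF8, "UTF-8"),
        (codecs.BOM_UTF16_LE, "UTF-16LE"), (codecs.BOM_UTF16_BE, "UTF-16BE")]

def detect_bom(head: bytes):
    """Return (encoding, bom_length) for a leading BOM, or (None, 0)."""
    for bom, name in BOMS:
        if head.startswith(bom):
            return name, len(bom)
    return None, 0

def guess_bomless_utf16(head: bytes, threshold: float = 0.4):
    """Heuristic (this example's, not the collector's): mostly-ASCII UTF-16
    text has NUL bytes at the odd offsets (LE) or the even offsets (BE)."""
    if len(head) < 4:
        return None
    even = head[0::2].count(0) / len(head[0::2])
    odd = head[1::2].count(0) / len(head[1::2])
    if odd >= threshold and even < 0.05:
        return "UTF-16LE"
    if even >= threshold and odd < 0.05:
        return "UTF-16BE"
    return None

def required_encoding_setting(head: bytes):
    """Return the encoding value the file source config needs, or None when
    a BOM is present (auto-detected) or the data does not look like UTF-16."""
    if detect_bom(head)[0] is not None:
        return None
    return guess_bomless_utf16(head)

def decode_like_file_source(data: bytes, configured=None) -> str:
    """A BOM selects the encoding and is skipped; without a BOM the configured
    encoding is used. The UTF-8 fallback is an assumption of this example."""
    name, skip = detect_bom(data)
    return data[skip:].decode(name or configured or "UTF-8", errors="replace")

# Constructed samples: the same log line in four encodings.
LINE = "4625 An account failed to log on\n"
SAMPLES = {
    "utf8_bom": codecs.BOM_UTF8 + LINE.encode("utf-8"),
    "utf16le_bom": codecs.BOM_UTF16_LE + LINE.encode("utf-16-le"),
    "utf16be_nobom": LINE.encode("utf-16-be"),
    "utf8_plain": LINE.encode("utf-8"),
}
```

Run required_encoding_setting over the first few hundred bytes of each file you plan to collect; any file that returns a value needs that value set as encoding in its file source.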
For the wineventlog source, this update allows more control over the collected data, potentially reducing data volume and improving performance by selecting only the necessary information for your use case.
A new format parameter has been introduced, providing more fine-grained control over the local rendering. This addition offers four options:
- xmlOnly: Collect events in XML format only, using @rawstring
- xmlWithMessage: Collect events in XML format (@rawstring) with the rendered message included (windows.Message)
- renderFieldsOnly: Collect events with rendered fields only (corresponding to includeXML: false)
- renderFieldsWithXML: Collect events with rendered fields and XML (corresponding to the previous default behaviour)
Added a feature to the Syslog source in UDP mode, which makes it possible to combine events from separate datagrams that share a common message ID. The feature is useful to receive Syslog messages from Cisco devices that implement a header containing the following data:
<ID> <Index> <Total>
describing the datagram's position in the final message and the total number of datagrams.
Debugging
This release introduces several new commands that improve troubleshooting and monitoring of the Log Collector.
For more information, see Debug Commands.
Other
On Linux, listening sockets are now kept active between config reloads that specify the same Syslog sources. This reduces the amount of logs that are dropped due to config reloads.
When reloading config, the diff now ignores YAML indentation.
To take advantage of the latest optimizations and security updates the Go version has been updated.
Fleet Management
Support for sending two new metrics, sources and problemsReport, which contain the configured log sources and collector errors. When enabled server side, they replace the usage of a deprecated system metric.
Installation and Deployment
Added a new config validation command to enhance configuration management. This feature allows users to verify the validity of YAML configuration files and ensures compatibility with Falcon LogScale Collector. While it confirms the config's structural correctness and Log Collector's ability to run with it, it does not guarantee successful data collection or transmission.
For more information, see Debug Commands.
Known Issues
Debugging
The internal metric sink time to send is not calculated correctly.
On Windows, the new interactive monitor experiences a visual issue where debug messages flood the screen when the mouse cursor is moved over the terminal. The messages are in the format <timestamp> Unknown msg: teag.MouseMsg{X: , Y:...}. To clear the screen, press the h key twice. This resets the display. A permanent fix for this issue is being addressed in the next release.
The debugging commands have a limitation on Linux and macOS that requires the dataDirectory max path length to be less than 80 to work.