Falcon LogScale Collector 1.9.0 GA (2025-04-14)
| Version? | Type? | Release Date? | Config.Changes? |
|---|---|---|---|
| 1.9.0 | GA | 2025-04-14 | yes |
Hide file hashes
| File | SHA256 Checksum | Hash File |
|---|---|---|
| linux_amd64.deb | 02ee8357bafc405bcd32ffc92049941bd23cc7dfc219118b91416657de925a47 | |
| linux_amd64.rpm | 376cf5724f3464e91f6ab4c19097555060c72040cc51b67ca09b905e32cf04e3 | |
| linux_arm64.deb | 5b5da6c113c37f886dd2980f9fb28c37527a7ef6670b72a40b990cdd150e822f | |
| linux_arm64.rpm | 9c113a677e5f1b109aa1840a05b9487c20b9135925938ba94661422f18faae82 | |
| macOS_universal.pkg | d1dadebd4ed5cae4e89377375c16be640b922d67693347b2260774627861a3ba | |
| windows_amd64.msi | 936a197780271c05991bf45ddd55feabaa35aa92931ff3feaaff4bc0d79a678d |
| Docker Image | Architecture | SHA256 Checksum | Hash File |
|---|---|---|---|
| logscale-collector:1.9.0 | amd64 | 64a518dffa789e9609d2a1e97ff67c60f710249189bb43a4344c1f3356916158 | |
| logscale-collector:1.9.0 | arm64 | 64a518dffa789e9609d2a1e97ff67c60f710249189bb43a4344c1f3356916158 |
Various new data collection features, including more fine-grained control over the wineventlog source and support for UTF-16 encoded files in the file source.
Several new commands to improve troubleshooting and monitoring of the Falcon LogScale Collector.
Deprecation
These items have been deprecated and may be removed in a future release:
The includeXML property is now deprecated and will be removed in version 1.10.0. Users are strongly encouraged to transition to the new format property to ensure compatibility with future updates and to take advantage of the more flexible configuration options.
Improvements, new features and functionality
Collecting Data
Added support for UTF-16 encoded files in the file source. By default, encoding will be auto-detected by BOM (Byte Order Mark). Both UTF-16BE and UTF-16LE are supported.
BOM is also skipped in UTF-8 encoded files that start with the BOM.
When reading files that do not contain a BOM, it is necessary to specify the encoding in the file source config using:
encoding: UTF-16LE, orencoding: UTF-16BE
For wineventlog source this update allows more control over the collected data, potentially reducing data volume and improving performance by selecting only the necessary information for your use case.
A new parameter
formathas been introduced, providing more fine-grained control over the local rendering. This addition offers four options:xmlOnly: Collect events in XML format only using @rawstringxmlWithMessage: Collect events in XML format (@rawstring ) with the rendered message included (windows.Message)renderFieldsOnly: Collect events with rendered fields only (corresponding to includeXML: false)renderFieldsWithXML: Collect events with rendered fields and XML (corresponding the previous default behaviour)
Added a feature to the Syslog source in UDP mode, which makes it possible to combine events from separate datagrams that share a common message ID. The feature is useful to receive Syslog messages from Cisco devices that implement a header containing the following data:
`<ID> <Index> <Total>`describing the datagram's position in the final message and total number of datagrams.
Other
When reloading config the diff now ignores YAML indentation
On Linux, listening sockets are now kept active between config reloads that specify the same syslog sources. This reduces the amount of logs that are dropped due to config reloads.
To take advantage of the latest optimizations and security updates the Go version has been updated.
Debugging
This release introduces several new commands that improve troubleshooting and monitoring of the Falcon LogScale Collector.
For more information, see Debug Commands.
Fleet Management
Support for sending two new metrics - sources and problemsReport which contain configured log sources and collector errors. When enabled server side it replaces the usage of a deprecated system metric.
Installation and Deployment
Added a new config validation command to enhance configuration management. This feature allows users to verify the validity of YAML configuration files and ensures compatibility with Falcon LogScale Collector. While it confirms the config's structural correctness and Falcon LogScale Collector's ability to run with it, it does not guarantee successful data collection or transmission.
For more information, see Debug Commands.
Known Issues
Debugging
The debugging commands have a limitation on Linux and macOS that requires the dataDirectory max path length to be <80 to work.
On Windows, the new interactive monitor is experiencing a visual issue where debug messages flood the screen when the mouse cursor is moved over the terminal. The messages are in the format
<timestamp> Unknown msg: teag.MouseMsg{X: , Y:...}.To clear the screen, press thehkey twice. This will reset the display. A permanent fix for this issue is being addressed in the next release.The internal metric sink
time to sendis not calculated correctly.