Falcon LogScale Collector 1.9.1 GA (2025-05-20)
| Version? | Type? | Release Date? | Config.Changes? |
|---|---|---|---|
| 1.9.1 | GA | 2025-05-20 | no |
Hide file hashes
| File | SHA256 Checksum | Hash File |
|---|---|---|
| linux_amd64.deb | 14b5431020f2a0e25e3df27d908c246ef469605b187b89a1199b09078f84b305 | |
| linux_amd64.rpm | 36549719ea511c95b5882118f3bcdef101c996e9dc55df19e8187117c6406e8e | |
| linux_arm64.deb | 6bc19a8bc85e637b95cfed0e83141df984f0f4d75ab719be700ab83add1e3acf | |
| linux_arm64.rpm | bf127f588a0c06794e256907a4ff525edefebc797f1faa4138925b48480efb5a | |
| macOS_universal.pkg | bda720401482726c2c477402182b8b8907a2da07a77411f08df18b5cd50f55c8 | |
| windows_amd64.msi | 305b00b87c552ca2e197965a1c44ef15560f718b2a46d8ea13ac849881ed911b |
| Docker Image | Architecture | SHA256 Checksum | Hash File |
|---|---|---|---|
| logscale-collector:1.9.1 | amd64 | 380d656332ff6424f4729d4dd6b8ba2584683cecb6e53c2d260b0c09cd79614 | |
| logscale-collector:1.9.1 | arm64 | 380d656332ff6424f4729d4dd6b8ba2584683cecb6e53c2d260b0c09cd79614 |
Improvements, new features and functionality
Collecting Data
Various performance and reliability improvements have been implemented in disk queue handling. Although not yet encountered, previously in theory corrupted data in disk queues could stop queue processing and thus ingest.
Proactively a new recovery mechanism has been added to ensure continuous queue processing in case corrupted data is encountered. Corrupted entries are now archived to compressed dead-letter files with timestamp-based naming
(deadletter-YYYYMMDDTHHMMSSZ-XXXX.gz).Warning notifications are logged every 5 minutes while dead-letter files are present.Performance when draining queues by sending batches to Falcon LogScale Collector/NG-SIEM has been improved. The batch bundling efficiency has been improved while maintaining configured limits. This will improve throughput and reduce overhead in high-volume event scenarios with disk queues.
Other
To take advantage of the latest optimisations and security updates the Go version has been updated.
Debugging
Improved internal logging for better traceability, for example disk queue - and Windows event source actions.
Bug Fixes
Collecting Data
A scenario has been identified in which customers collecting Windows Events from Forwarded Events on pre-Windows Server 2016 systems may experience FLC crashes when processing these events. The issue has been observed in environments with mixed Windows versions where older systems forward events to newer collectors.
The core issue involves compatibility problems when parsing forwarded events due to version mismatches between event templates.
While Windows Server 2016 and later versions resolve this through the RenderingInfo XML element (which includes pre-formatted messages), earlier versions relied on FormatMessage() calls, that have proven to be potentially unsafe and may cause crashes.
If this issue is encountered, it is possible to use a new configuration option
(disableFormatMessage: true)in the channel configuration. When enabled, this option prevents the use of FormatMessage() for rendering event messages, ensuring system stability but at the cost of not displaying complete message details for events from legacy systems.
Other
Fixed an issue with potential counter overflow in disk queue storage. The specific scenario which could cause this issue would only occur when there were more than 4 Billion events.
The syslog TCP source potentially did not honour configured limits for maxBatchSize. This could cause a scenario in which a queue could stop sending events to the configured sink, effectively stopping ingestion for all sources configured to use this sink. This has been corrected.
Debugging
On Windows, the interactive monitor had a visual issue where debug messages would flood the screen when the mouse cursor was moved over the terminal. This has been addressed.
The internal metric sink
time to sendwas not calculated correctly, this has been fixed.
Fleet Management
Fixed OS Version for Windows Server 2016/2019.
A
Systemstring describing the operating system on the host is displayed in Fleet Overview. For Windows systems the string consists of<ProductName> (<DisplayVersion>) (<Architecture>), e.g. Windows 10 Enterprise (21H2) (amd64).On Older Windows versions the Falcon LogScale Collector failed to fetch the DisplayVersion and reported the fallback string windows (amd64). This is now corrected and the string will consist of ProductName and architecture, for example, Windows Server 2016 (amd64).
Note that the displayed ProductName relies on the internal productname reported by Windows. Some Windows 11 versions identify with ProductName Windows 10.
Important
If the groups functionality has been used to define a group based upon the system string, and this group is relying on the old incorrect string, for example:
filter: system= windows*the filter needs to be updated tosystem= windows*orsystem=Windows*in order to match the new corrected system string.If not, the machines affected (Windows Server 2016 and 2019) will fall out of their group, leaving them without a config. and therefore they will stop ingesting.
Installation and Deployment
Fixed an issue where non-default umask settings during installation could cause the configuration file to be unreadable by the service user which would prevent the FLC from starting.
In this scenario the following would be logged on the host:
systemd[1]: The configuration file could not be read. Trying to read file/etc/logscale-collector/config.yaml.systemd[1]: The underlying problem was:open/etc/logscale-collector/config.yaml: permission denied.Corrected permission bit handling for systemd service files in Linux Installation scripts.
Previously installing Falcon LogScale Collector on linux could cause warnings to be reported on the host for example:
systemd[1]: Configuration file/usr/lib/systemd/system/logscale-collector.serviceis marked executable. Please remove executable permission parts. Proceeding anyway.