Falcon LogScale 1.112.1 LTS (2023-11-15)
Version | Type | Release Date | Availability | End of Support | Security Updates | Upgrades From | Config. Changes |
---|---|---|---|---|---|---|---|
1.112.1 | LTS | 2023-11-15 | Cloud | 2024-11-30 | No | 1.70.0 | No |
TAR Checksum | Value |
---|---|
MD5 | adc304d42f49666a11a9343ce0b1cf45 |
SHA1 | 2d46f12e23448be8e966780e3bbefb8c24706615 |
SHA256 | ee624502c5a88774ac03ca56984c4a1aa76186f4d848b878106189c45d4855e0 |
SHA512 | 9231d4e6a250d7d9eaeaaf67b99979c5cbfe070d0a8f57b816e9cb0a76c3d76a93957268ece8a6ad0d296816a4a08c3259f85dd7e075b739f8d7351243ec9842 |
Docker Image | Included JDK | SHA256 Checksum |
---|---|---|
humio | 21 | 307d54f45c193743e6ef1e6b81cb6e278b77460351a9f1a4b1b3c4b14c9dd198 |
humio-core | 21 | 73ff5f4ce9f0b4d5a7dace1f7858d06948ff9ea05cda2acd45ffd1c2ff1e055b |
kafka | 21 | 39b5cf13a792c55b935bfbff81de9c384bd8555fe0ebf572debb639eb5638390 |
zookeeper | 21 | ccb43bdf0b2ca238b79b98069b9cf050fc39a60a5bd55f5e7709e76b6bab72ea |
Download: https://repo.humio.com/repository/maven-releases/com/humio/server/1.112.1/server-1.112.1.tar.gz
Bug fixes and updates.
Advance Warning
The following items are due to change in a future release.
Installation and Deployment
We intend to drop support for Java 17, making Java 21 the minimum. We plan to make this change in March 2024.
Removed
Items that have been removed as of this release.
Installation and Deployment
All Zookeeper-related functionality for LogScale was deprecated in December 2022, and is now removed:
Removed the Zookeeper status page from the User Interface
Removed the Zookeeper related GraphQL mutations
Removed the migration support for node IDs created by Zookeeper, as we no longer support upgrading from versions prior to 1.70.
Depending on your chosen Kafka deployment, ZooKeeper may still be required to support Kafka.
Running on Java 11, 12, 13, 14, 15 and 16 is no longer supported. The minimum supported Java version is 17 starting from this LogScale release.
GraphQL API
The deprecated client mutation ID concept is now being removed from the GraphQL API:
Removed the clientMutationId argument for a lot of mutations.
Removed the clientMutationId field from the returned type for a lot of mutations.
Renamed the ClientMutationID datatype, which was returned from some mutations, to the BooleanResultType datatype. Removed the clientMutationId field on the returned type and replaced it with a boolean field named result.
Most deprecated queries, mutations and fields have now been removed from the GraphQL API.
Storage
The unused humio-backup symlink inside Docker containers has been removed.
Configuration
Some deprecated configuration variables have now been removed:
GCP_STORAGE_UPLOAD_CONCURRENCY
GCP_STORAGE_DOWNLOAD_CONCURRENCY
They have been replaced by the S3_STORAGE_CONCURRENCY and GCP_STORAGE_CONCURRENCY settings, which internally handle rate-limiting responses from the bucket provider.
Deprecation
Items that have been deprecated and may be removed in a future release.
The following REST endpoints for deleting events have been deprecated:
/api/v1/dataspaces/(Id)/deleteevents
/api/v1/repositories/(id)/deleteevents
The new GraphQL mutation redactEvents should be used instead.
Behavior Changes
Scripts or environments which make use of these tools should be checked and updated for the new configuration:
Automation and Alerts
We have changed how Standard Alerts handle query warnings. Previously, LogScale only triggered alerts if there were no query warnings. Now, alerts will trigger despite most query warnings, and the alert status will show a warning instead of an error.
Up until now, all query warnings were treated as errors. This meant that the alert did not trigger even though it produced results, and the alert was shown with an error in LogScale. Most query warnings mean that not all data was queried. The previous behaviour prevented the alert from triggering in cases where it would not have triggered if all data had been available, for instance an alert that would trigger if a count of events dropped below a threshold. On the other hand, it made some alerts not trigger, even though they would still have triggered if all data had been available. That meant that previously you would almost never get an alert that you should not have gotten, but you would sometimes not get an alert that you should have gotten. We have now reversed this.
With this change, we no longer recommend setting the configuration option ALERT_DESPITE_WARNINGS to true, since it treats all query warnings as non-errors, and there are a few query warnings that should make the alert fail.
For more information, see Diagnosing Alerts.
Upgrades
Changes that may occur or be required during an upgrade.
Security
xmlsec has been upgraded to 2.3.4 to address CVE-2023-44483.
Configuration
Docker containers have been upgraded to Java 21.
New features and improvements
Installation and Deployment
Configure LogScale to write fatal JVM error logs in the JVM logging directory, which is specified using the JVM_LOG_DIR variable. The default directory is /logs/humio.
UI Changes
Most tables inside the LogScale UI now support resizing columns, except the Table widget used during search.
The behavior of the ComboBox has changed: the drop-down is not filtered until the text in the filter field has been edited, allowing you to easily copy, alter or clear the text.
The list of permissions now has a specific custom order in the UI, as follows.
Organization:
Organization settings
Repository and view management
Permissions and user management
Fleet management
Query monitoring
Other
Cluster management:
Cluster management
Organization management
Subdomains
Others
A combined view of permissions is now available to show all roles listed together when there is more than one role under each repository, organization, or system.
For more information, see Aggregate Permissions.
It is now possible to highlight results based on the filters applied in queries. This helps significantly when trying to understand why a query matches the results or when looking for a specific part of the events text.
For more information, see Filter Match Highlighting.
Automation and Alerts
A new button has been added to the Scheduled Searches form, allowing importing a Scheduled Search from a template or package.
When creating or updating Scheduled Searches using the GraphQL API, it is now possible to refer to actions in Packages using a qualified name of "packagescope/packagename:actionname". Actions in packages will no longer be found if using an unqualified name.
When generating CSV files for attaching to emails or uploading to LogScale in actions, or when using the message template {events_html}, the field @ingesttimestamp is now formatted similarly to @timestamp.
The UI flow for Scheduled Searches has been updated: when you click on it will directly go to the New Scheduled Search form.
The Alert forms will not show any errors when the alert is disabled.
GraphQL API
The contentHash field on the File output type has been reintroduced.
Storage
JVM_TMP_DIR has been added to the launcher script. This option is used for configuring java.io.tmpdir and jna.tmpdir for the JVM. The directory will default to jvm-tmp inside the directory specified by the DIRECTORY setting. This default should alleviate issues starting LogScale on some systems due to the /tmp directory being marked as noexec.
For more information, see Troubleshooting: Error Starting LogScale due to Exec permissions on /tmp.
Bucket storage cleaning of tmp files now only runs on a few nodes in the cluster rather than on all nodes.
Configuration
The new configuration option LOCAL_STORAGE_PREFILL_PERCENTAGE has been added.
For more information, see LOCAL_STORAGE_PREFILL_PERCENTAGE.
Query queueing based on the available memory in the query coordinator is enabled by default by treating the dynamic configuration QueryCoordinatorMaxHeapFraction as 0.5 if it has not been set. To disable queueing, set QueryCoordinatorMaxHeapFraction to 1000.
The default value of LOCAL_STORAGE_PERCENTAGE is now 85, and the minimum value is 0. The default was previously to leave this unset, which is not safe in clusters where bucket storage contains more data than will fit on local drives.
The new environment variable DISABLE_BUCKET_CLEANING_TMP_FILES has been introduced. It allows reducing the amount of listing of tmp files in the bucket.
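A pre-upgrade check for the configuration changes listed in these notes, as an added example that is not part of the LogScale distribution: it flags the removed GCP_STORAGE_UPLOAD_CONCURRENCY and GCP_STORAGE_DOWNLOAD_CONCURRENCY variables, ALERT_DESPITE_WARNINGS set to true, and an unset LOCAL_STORAGE_PERCENTAGE. The KEY=VALUE env-file format, the function names and the sample values are assumptions.

```shell
#!/bin/sh
# Added example: lint a LogScale env file against the 1.112.1 release notes.
# Assumed input format: KEY=VALUE lines, '#' comments (Docker --env-file style).
# Usage: source this file, then run: lint_logscale_env /path/to/env-file

# Constructed sample configuration, not taken from a real deployment.
sample_env() {
  cat <<'EOF'
# constructed sample
GCP_STORAGE_UPLOAD_CONCURRENCY=8
GCP_STORAGE_DOWNLOAD_CONCURRENCY=8
ALERT_DESPITE_WARNINGS="true"
EOF
}

# Print the value of KEY ($1) in FILE ($2), last assignment wins; 1 if unset.
env_get() {
  local line
  line=$(grep -E "^[[:space:]]*$1=" "$2" | tail -n 1 || true)
  [ -n "$line" ] || return 1
  line=${line#*=}
  line=${line%\"}; line=${line#\"}   # drop one pair of double quotes
  printf '%s\n' "$line"
}

# Print one finding per line; return 1 if a REMOVED or WARN finding was made.
lint_logscale_env() {
  local file="$1" rc=0 key val
  # Variables removed in this release.
  for key in GCP_STORAGE_UPLOAD_CONCURRENCY GCP_STORAGE_DOWNLOAD_CONCURRENCY; do
    if env_get "$key" "$file" >/dev/null; then
      echo "REMOVED $key: replaced by GCP_STORAGE_CONCURRENCY"
      rc=1
    fi
  done
  # Treats all query warnings as non-errors, which is no longer recommended.
  val=$(env_get ALERT_DESPITE_WARNINGS "$file" || true)
  case "$val" in
    true|TRUE|True)
      echo "WARN ALERT_DESPITE_WARNINGS=true: no longer recommended"
      rc=1 ;;
  esac
  # Informational: an unset value now means 85 rather than no limit.
  if ! env_get LOCAL_STORAGE_PERCENTAGE "$file" >/dev/null; then
    echo "NOTE LOCAL_STORAGE_PERCENTAGE unset: default is now 85"
  fi
  return "$rc"
}
```

NOTE lines are informational and do not change the return status, so the function can gate an upgrade script on REMOVED and WARN findings only.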
Ingestion
When writing parsers, the fields produced by a test case are now available for autocompletion in the editor.
For more information, see Using the Parser Code Editor.
Dashboards and Widgets
You can enable the export of Dashboards to a PDF file, with many options available to control the output layout and formatting.
The feature is available to all users who already have access to dashboard data. This is the first of two feature releases, aiming to provide full schedulable PDF reporting capabilities to LogScale.
For more information, see Export Dashboards as PDF.
The new Gauge widget is introduced: it allows you to represent values on a fixed scale, offering a visual and intuitive way to monitor key performance metrics.
For more information, see Gauge Widget.
A parameter configuration option has been added to support invalidation of parameter inputs. The format for this is a comma separated list of invalid input patterns (regexes).
Introduced a new style option Show 'Others' to the Time Chart Widget: it allows you to show/hide other series when there are more series than the maximum allowed in the chart.
A parameter configuration option has been added to allow setting a custom message when a parameter input is invalid.
New formatting options have been introduced for the Table widget, to get actionable insights from your data faster:
Conditional formatting of table cells
Text wrapping and column resizing
Row numbering
Number formatting
Link formatting
Columns hiding
For more information, see Table Widget.
Log Collector
The Fleet Management tab on the Fleet Overview page is now renamed to Data Ingest.
Functions
The parseCEF() and parseLEEF() functions now have an option to change the prefix of the header fields.
Field names with special characters are now supported in Array Query Functions using backtick quoting.
For more information, see Using Array Query Functions.
Packages
Filter alerts and Standard alerts are now shown in the same tab Alerts under Assets when installing or viewing installed Packages.
It is now possible to see the type of action in Packages (Marketplace, Installed and Create a package).
Fixed in this release
UI Changes
Queries could "flicker" for a short period causing "negative alerts" to trigger for no reason (negative alerts are alerts that check for the absence of events). This issue has been fixed.
The following issue has been fixed on the Search page: if regular expressions contained named groups with special characters (underscore _ for example), a recent change with the introduction of Filter Match Highlighting would cause a server error and hang the UI.
The following items about Saving Queries have been fixed:
The Search... field for saved queries did not return what would be expected.
Upon reopening the dropdown after having filled out the Search... field, the text would still be present in the Search... field but not filter on the queries.
Added focus on the Search... field when reopening the dropdown.
Automation and Alerts
Notifications on problems with Filter Alerts were not automatically removed when the problem was solved. This issue is now fixed.
Filter alerts that could fail right after a cluster restart have now been fixed.
When used with Filter Alerts, the {events_html} message template would not keep the order of the fields from the Alert query.
GraphQL API
When trying to delete an Alert, Scheduled Search or Dashboard using a mutation for one of the other types, it would end up in a state where it was not deleted, but could not run either. This issue is now fixed.
Storage
A workaround solution has been identified for those cases where segment files on local disk no longer pass their internal checksum test and are detected as "broken" by the background merge process.
Ensure a copy of the local file is present in the bucket storage, backing up the cluster
Delete the local copy
As a result, any merge attempt involving that file will succeed after the next restart of LogScale.
Ingestion
The buttons used for editing and deleting an ingest listener were overlapping in Safari on the Ingest Listeners page under a repository. This issue has been fixed.
Dashboards and Widgets
Field values containing % would not be resolved correctly in interactions. This issue has been fixed.
Functions
Results for empty buckets didn't include the steps after the first aggregator of the subquery. This issue has now been fixed.
The match() function using a JSON file and containing an object with a missing field could lead to an internal error.
The regex() function has been fixed for cases where \Q...\E could cause problems for named capturing groups.
The array:filter() function has been fixed for an issue that caused incorrect output element values in certain circumstances.
Other
A cluster with very little disk space left could result in excessive logging from com.humio.distribution.RendezvousSegmentDistribution.
Fixed a race that could leave a query in a state where it would cause an excessive amount of 404 HTTP requests. This added unnecessary noise and a bit of extra load to the system.
A minor logging issue has been fixed: ClusterHostAliveStats would log that hosts were "changed from being considered dead to alive" on hosts that had just rebooted, when such hosts actually consider all other nodes alive for a little while, to allow the booting node some time to hear heartbeats from others.
A boot-time version checking issue could cause LogScale to crash on boot, if joining a fresh cluster, and the first node to join that cluster would crash.
Packages
Updating of a Package failed when using anything other than a personal user token. This issue has been fixed.
Updating a package with a lookup file and a parser/scheduled search/filter alert/alert containing match would fail if the new column parameter did not exist in the old lookup file. This issue has now been fixed.
Aligned the requirements to allow all tokens (with the correct permissions) to install and update Packages.
Fixed a broken link from saved query asset in Packages to the Search page.
The alert types in Package Marketplace were showing twice; this is now fixed so it properly shows one type as expected.