Falcon LogScale 1.123.0 GA (2024-01-30)

Version?Type?Release Date?Availability?End of SupportSecurity UpdatesUpgrades From?Downgrades To?Config. Changes?
1.123.0GA2024-01-30

Cloud

2025-03-01No1.70.01.112.0No

Available for download two days after release.

Bug fixes and updates.

Advance Warning

The following items are due to change in a future release.

  • Installation and Deployment

    • We intend to drop support for Java 17, making Java 21 the minimum. We plan to make this change in March 2024.

    • We aim to stop publishing the jar distribution of LogScale (e.g. server-1.117.jar) as of LogScale version 1.130.0.

      Users deploying via Docker images are not affected. Users deploying on bare metal should ensure they deploy the tar artifact, and not the jar artifact.

      A migration guide for bare metal deployments is available at How-To: Migrating from server.jar to Launcher Startup.

Deprecation

Items that have been deprecated and may be removed in a future release.

  • In the GraphQL API, the name argument to the parser field on the Repository datatype has been deprecated and will be removed in version 1.136 of LogScale.

  • We are deprecating the humio/kafka and humio/zookeeper Docker images due to low use. The planned final release for these images will be with LogScale 1.148.0.

    Better alternatives are available going forward. We recommend the following:

    • If your cluster is deployed on Kubernetes: STRIMZI

    • If your cluster is deployed to AWS: MSK

    If you still require humio/kafka or humio/zookeeper for needs that cannot be covered by these alternatives, please contact Support and share your concerns.

  • The assetType GraphQL field on Alert, Dashboard, Parser, SavedQuery and ViewInteraction datatypes has been deprecated and will be removed in version 1.136 of LogScale.

  • In the GraphQL API, the ChangeTriggersAndAction enum value for both the Permission and ViewAction enum is now deprecated and will be removed in version 1.136 of LogScale.

  • The humio Docker image is deprecated in favor of humio-core. humio is no longer considered suitable for production use, as it runs Kafka and ZooKeeper on the same host as LogScale, which our deployment guidelines no longer recommend. The final release of humio Docker image will be in version 1.130.0.

    The new humio-single-node-demo image is an all-in-one container suitable for quick and easy demonstration setups, but which is entirely unsupported for production use.

    For more information, see Installing Using Containers.

New features and improvements

  • User Interface

    • When Manage Users, it is now possible to filter users based also on their assigned roles (for example, type admin in the Users search field).

  • Automation and Triggers

    • A slow-query logging has been added when an alert is slow to start due to the query not having finished the historical part.

  • Storage

    • We have changed how LogScale handles being temporarily bottlenecked by bucket storage. Uploads are now prioritized ahead of downloads, which reduces the impact on ingest work.

  • Configuration

    • The meaning of S3_STORAGE_CONCURRENCY and GCP_STORAGE_CONCURRENCY configuration variables has slightly changed. The settings are used for throttling downloads and uploads for bucket storage. Previously, a setting of S3_STORAGE_CONCURRENCY=10 for example, meant that LogScale would allow 10 concurrent uploads, and 10 concurrent downloads. Now, it means that LogScale will allow a total of 10 transfers at a time, disregarding the transfer direction.

  • Log Collector

    • Groups have been added to Fleet Management for the LogScale Collector. This feature makes it possible to define dynamic groups using a filter based upon a subset of the LogScale Query Language Syntax. New Collectors enrolled into the fleet will automatically be configured based upon the groups filters they match, eliminating the need for manually assigning a configuration to every new LogScale Collector. Groups also allow you to combine multiple reusable configuration snippets.

      Additionally the management of instances has been simplified and merged into this new feature, and therefore the Assigned Instances page has been removed to favor use of the Group functions.

      For more information, see Manage Groups.

Fixed in this release

  • Automation and Triggers

    • After updating Scheduled searches where the action was failing, they would constantly fail with a None.get error until they were disabled and enabled again, or the LogScale cluster was restarted. This issue is now fixed.

  • Queries

    • Queries in some cases would be killed as if they were blocked even though they did not match the criteria of the block. This issue is now fixed.

  • Other

    • It was not possible to create a new repository with a time retention greater than 365 days. Now, the UI limit is the one that is set on the customer organization.

      Input validation on fields when creating new repositories is now also improved.

Improvement

  • Ingestion

    • The cancelling mechanism for specific costly queries has been improved to solve cases where those queries got restarted anyway: the query with the exact match on the query string is now blocked for 5 minutes. This will free enough CPU for ingest to catch up and avoid blocking queries for too long.