Falcon LogScale 1.142.0 GA (2024-06-11)

Version?Type?Release Date?Availability?End of SupportSecurity UpdatesUpgrades From?Downgrades To?Config. Changes?
1.142.0GA2024-06-11

Cloud

2025-07-31No1.112.01.112.0No

Hide file download links

Show file download links

Bug fixes and updates.

Breaking Changes

The following items create a breaking change in the behavior, response or operation of this release.

  • Functions

    • The following changes have been made to sort():

      • It will no longer try to guess the type of the field values and instead default to number.

      • The number and hex options have been redefined to be total orders: values of the given type are sorted according to their natural order and those that could not be understood as the given type are sorted lexicographically. For instance, sorting the values 10, 100, 20, bcd, cde, abc in an ascending order with number will be rendered as: 10, 20, 100, abc, bcd, cde

    • The any argument in sort() has been removed. Queries where any is explicitly set will be rejected. Please change the argument to either number, hex or string, depending on which option is the best fit for the data your query operates on.

Advance Warning

The following items are due to change in a future release.

  • Installation and Deployment

    • The LogScale Launcher Script script for starting LogScale will be modified to change the way CPU core usage can be configured. The -XX:ActiveProcessorCount=n command-line option will be ignored if set. Users that need to configure the core count manually should set CORES=n environment variable instead. This will cause the launcher to configure both LogScale and the JVM properly.

      This change is scheduled for 1.148.0.

      For more information, see LogScale Launcher Script.

Deprecation

Items that have been deprecated and may be removed in a future release.

  • The following API endpoints are deprecated and marked for removal in 1.148.0:

    • POST /api/v1/clusterconfig/kafka-queues/partition-assignment

    • GET /api/v1/clusterconfig/kafka-queues/partition-assignment

    • POST /api/v1/clusterconfig/kafka-queues/partition-assignment/set-replication-defaults

    The deprecated methods are used for viewing and changing the partition assignment in Kafka for the ingest queue. Administrators should use Kafka's own tools for editing partition assignments instead, such as the bin/kafka-reassign-partitions.sh and bin/kafka-topics.sh scripts that ship with the Kafka install.

  • The HUMIO_JVM_ARGS environment variable in the LogScale Launcher Script script will be removed in 1.154.0.

    The variable existed for migration from older deployments where the launcher script was not available. The launcher script replaces the need for manually setting parameters in this variable, so the use of this variable is no longer required. Using the launcher script is now the recommended method of launching LogScale. For more details on the launcher script, see LogScale Launcher Script. Clusters that still set this configuration should migrate to the other variables described at LogScale Launcher Script.

  • We are deprecating the humio/kafka and humio/zookeeper Docker images due to low use. The planned final release for these images will be with LogScale 1.148.0.

    Better alternatives are available going forward. We recommend the following:

    • If your cluster is deployed on Kubernetes: STRIMZI

    • If your cluster is deployed to AWS: MSK

    If you still require humio/kafka or humio/zookeeper for needs that cannot be covered by these alternatives, please contact Support and share your concerns.

  • The QUERY_COORDINATOR environment variable is deprecated. To control whether a node should be allowed to be a query coordinator, use the query node task instead. Node tasks can be assigned and unassigned at runtime using the assignTasks() and unassignTasks() GraphQL mutations respectively, or controlled using the INITIAL_DISABLED_NODE_TASKS environment variable.

    For more information, see INITIAL_DISABLED_NODE_TASKS.

  • The server.tar.gz release artifact has been deprecated. Users should switch to the OS/architecture-specific server-linux_x64.tar.gz or server-alpine_x64.tar.gz, which include bundled JDKs. Users installing a Docker image do not need to make any changes. With this change, LogScale will no longer support bringing your own JDK, we will bundle one with releases instead.

    We are making this change for the following reasons:

    • By bundling a JDK specifically for LogScale, we can customize the JDK to contain only the functionality needed by LogScale. This is a benefit from a security perspective, and also reduces the size of release artifacts.

    • Bundling the JDK ensures that the JDK version in use is one we've tested with, which makes it more likely a customer install will perform similar to our own internal setups.

    • By bundling the JDK, we will only need to support one JDK version. This means we can take advantage of enhanced JDK features sooner, such as specific performance improvements, which benefits everyone.

    The last release where server.tar.gz artifact is included will be 1.154.0.

  • The any argument to the type parameter of sort() and table() has been deprecated and will be removed in version 1.142.

    Warnings prompts will be shown in queries that fall into either of these two cases:

    • If you are explicitly supplying an any argument, please either simply remove both the parameter and the argument, for example change sort(..., type=any) to sort(...) or supply the argument for type that corresponds to your data.

    • If you are sorting hexadecimal values by their equivalent numerical values, please change the argument of type parameter to hex e.g. sort(..., type=hex).

    In all other cases, no action is needed.

    The new default value for sort() and table() will be number. Both functions will fall back to lexicographical ordering for values that cannot be understood as the provided argument for type.

Behavior Changes

Scripts or environment which make use of these tools should be checked and updated for the new configuration:

  • Storage

    • When a digest leader exceeds the PRIMARY_STORAGE_MAX_FILL_PERCENTAGE, instead of pausing by releasing leadership of all partitions, it will pause while holding on to leadership.

New features and improvements

  • Security

    • The new ManageViewConnections Organization Administration permission has been added. It grants access to:

      • List all views and repositories

      • Create views linked to any repository

      • Update Connections of any existing view.

  • Installation and Deployment

    • NUMA support for the Docker images is now enabled:

      • The launcher script has been updated to set -XX:+UseNUMA in the default HUMIO_JVM_PERFORMANCE_OPTS.

      • The Docker images have been updated to include libnuma.so.1, which allows the JDK to optimize for NUMA hardware.

  • Dashboards and Widgets

    • Widget-level time selection can now be adjusted when a dashboard is used in view mode. This change adds flexibility in working with time on the dashboard and allows for easy comparative analysis on the fly.

      For more information, see Widget Time Selector.

Fixed in this release

  • Storage

    • Pending merges of segments would contend with the verification of segments being transferred between nodes/bucket. This resulted in spuriously long transfer times, due to queueing of the verification step for the segment file. This issue has now been fixed.

    • A fix has been made to reduce contention on loading decompressMeta in segment files, resulting in performance improvement.

Improvement

  • Storage

    • The amount of work required for the local segment verifier at boot of nodes has been reduced.

Recent Package Updates

The following LogScale packages have been updated within the last month.

  • Package Changes

    • aruba/clearpass has been updated to v1.1.0.

      • Implements new fields:

        • client.mac

        • client.ip

        • server.ip

        • observer.version

        • observer.ip

        • observer.port

        • event.type

        • event.outcome

      • Parser tests have been improved by adding assertions to the test cases

      • Bumps minimum LogScale version to 1.139 to support parser assertions

      For more information, see Package aruba/clearpass Release Notes.

    • proofpoint/tap-siem-api has been updated to v1.1.0.

      • Improves the field extraction and performance.

      • Maps the clickTime field to @timestamp instead of threatTime field for ClicksBlocked and ClicksPermitted events.

      • Sets the event.category, event.type and the event.outcome fields based on the source data.

      • Adds observer.type field.

      For more information, see Package proofpoint/tap-siem-api Release Notes.

    • cisco/firepower has been updated to v1.0.1.

      • Fix issue with trailing newlines when ingesting over UDP

      For more information, see Package cisco/firepower Release Notes.

    • humio/activity has been updated to v1.4.0.

      • Minimum supported LogScale version bumped to 1.141.0.

      • Added new dashboard Scheduled Reports Overview. This dashboard shows an overview of all scheduled reports - a new feature added to LogScale from version 1.141.0.

      • Added new view interaction Show Scheduled Report Details. This allows navigation from event logs to the Scheduled Reports Overview dashboard with focus on that one report.

      • Added new view interaction Edit Scheduled Report. This allows navigation from event logs to the Scheduled Reports edit page.

      For more information, see Package humio/activity Release Notes.

    • zscaler/deception has been updated to v1.1.0.

      • Uses timestamp from the syslog header as an alternative to parse timestamp

      • Improves extraction of threat.indicator.ip and threat.indicator.name fields

      • Normalizes data to CrowdStrike Parsing Standard (CPS) for:

        • process.* fields, e.g process.name, process.user.name, process.pid, process.command

        • tls.* fields, e.g tls.version, tls.cipher

        • url.* fields, e.g url.full, url.scheme, url.domain

        • http.* fields, e.g http.request.method, http.response.status

        • network.protocol field

        • user_agent.name field

      For more information, see Package zscaler/deception Release Notes.

    • cisco/asa has been updated to v0.2.0.

      • Improves the field extraction and performance.

      For more information, see Package cisco/asa Release Notes.

    • zscaler/private-access has been updated to v1.1.0.

      • Improves the field extraction and performance.

      • Sets the event.category, event.type and the event.outcome fields based on the source data.

      • Adds observer.type, package.version, server.bytes, event.action fields and more.

      For more information, see Package zscaler/private-access Release Notes.

    • redhat/ansible has been updated to v1.1.0.

      • Adds Search interaction to find all relevant events for a given ansible process id

      • Improves the Investigate process interaction

      For more information, see Package redhat/ansible Release Notes.

    • juniper/srx has been updated to v1.1.0.

      • Improves the field extraction and performance

      • Sets the event.category, event.type and the event.outcome fields based on the source data

      • Adds observer.* fields, for example: observer.type, observer.product and more

      For more information, see Package juniper/srx Release Notes.

    • cisco/duo has been updated to v1.1.1.

      • Updates the duo-telephony-json parser to work with new log structure introduced in V2 Telephony API.

      For more information, see Package cisco/duo Release Notes.

    • cisco/duo has been updated to v1.1.2.

      • Sets a timestamp based on the isotimestamp field for the duo-authentication-json parser.

      For more information, see Package cisco/duo Release Notes.