Falcon LogScale 1.143.0 GA (2024-06-18)

Version: 1.143.0
Type: GA
Release Date: 2024-06-18
Availability: Cloud
End of Support: 2025-09-30
Security Updates: No
Upgrades From: 1.112.0
Downgrades To: 1.112.0
Config. Changes: No


Bug fixes and updates.

Advance Warning

The following items are due to change in a future release.

  • Installation and Deployment

    • The LogScale Launcher Script used to start LogScale will be modified to change how the CPU core count is configured. The -XX:ActiveProcessorCount=n command-line option will be ignored if set. Users who need to configure the core count manually should set the CORES=n environment variable instead, which makes the launcher configure both LogScale and the JVM consistently.

      This change is scheduled for 1.148.0.

      For more information, see LogScale Launcher Script.

Removed

Items that have been removed as of this release.

Other

  • The unnecessary digest-coordinator-changes and desired-digest-coordinator-changes metrics have been removed. Instead, logging in the IngestPartitionCoordinator class has been improved so that reassignment of desired and current digesters can be monitored by searching the LogScale logs for Wrote changes to desired digest partitions and Wrote changes to current digest partitions.

Deprecation

Items that have been deprecated and may be removed in a future release.

  • The following API endpoints are deprecated and marked for removal in 1.148.0:

    • POST /api/v1/clusterconfig/kafka-queues/partition-assignment

    • GET /api/v1/clusterconfig/kafka-queues/partition-assignment

    • POST /api/v1/clusterconfig/kafka-queues/partition-assignment/set-replication-defaults

    The deprecated methods are used for viewing and changing the partition assignment in Kafka for the ingest queue. Administrators should use Kafka's own tools for editing partition assignments instead, such as the bin/kafka-reassign-partitions.sh and bin/kafka-topics.sh scripts that ship with the Kafka install.

  • The HUMIO_JVM_ARGS environment variable in the LogScale Launcher Script will be removed in 1.154.0.

    The variable existed to ease migration from older deployments where the launcher script was not available. The launcher script sets the parameters that were previously passed manually in this variable, so it is no longer required, and using the launcher script is now the recommended method of launching LogScale. Clusters that still set HUMIO_JVM_ARGS should migrate to the other variables described at LogScale Launcher Script.

  • We are deprecating the humio/kafka and humio/zookeeper Docker images due to low use. The planned final release for these images will be with LogScale 1.148.0.

    Better alternatives are available going forward. We recommend the following:

    • If your cluster is deployed on Kubernetes: STRIMZI

    • If your cluster is deployed to AWS: MSK

    If you still require humio/kafka or humio/zookeeper for needs that cannot be covered by these alternatives, please contact Support and share your concerns.

  • The QUERY_COORDINATOR environment variable is deprecated. To control whether a node should be allowed to be a query coordinator, use the query node task instead. Node tasks can be assigned and unassigned at runtime using the assignTasks() and unassignTasks() GraphQL mutations respectively, or controlled using the INITIAL_DISABLED_NODE_TASKS environment variable.

    For more information, see INITIAL_DISABLED_NODE_TASKS.

  • The server.tar.gz release artifact has been deprecated. Users should switch to the OS/architecture-specific server-linux_x64.tar.gz or server-alpine_x64.tar.gz artifacts, which include bundled JDKs. Users installing a Docker image do not need to make any changes. With this change, LogScale will no longer support bringing your own JDK; a JDK is bundled with each release instead.

    We are making this change for the following reasons:

    • By bundling a JDK specifically for LogScale, we can customize the JDK to contain only the functionality needed by LogScale. This is a benefit from a security perspective, and also reduces the size of release artifacts.

    • Bundling the JDK ensures that the JDK version in use is one we've tested with, which makes it more likely a customer install will perform similar to our own internal setups.

    • By bundling the JDK, we will only need to support one JDK version. This means we can take advantage of enhanced JDK features sooner, such as specific performance improvements, which benefits everyone.

    The last release where server.tar.gz artifact is included will be 1.154.0.
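The deprecation note on the kafka-queues/partition-assignment endpoints above says to use Kafka's own tooling for the ingest queue instead. The following shell script is an added example, not code from these release notes or the LogScale project: it builds a reassignment plan in the JSON shape that bin/kafka-reassign-partitions.sh consumes, checks it for the two mistakes that are easy to make by hand (uneven replica counts, the same broker listed twice), and prints the Kafka commands to apply and verify it. The topic name humio-ingest, the $KAFKA_HOME and $BOOTSTRAP locations and the broker IDs in the sample plan are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the LogScale release notes or the LogScale
# project: build a partition-reassignment plan for the LogScale ingest queue
# topic in the JSON shape kafka-reassign-partitions.sh consumes, sanity-check
# it, and print the Kafka commands that replace the deprecated
# /api/v1/clusterconfig/kafka-queues/partition-assignment endpoints.
#
# Assumptions (constructed for this example): the ingest topic is called
# "humio-ingest", Kafka is installed under $KAFKA_HOME, brokers are reachable
# at $BOOTSTRAP, and the broker IDs in the sample specs are illustrative.

TOPIC="${TOPIC:-humio-ingest}"
KAFKA_HOME="${KAFKA_HOME:-/opt/kafka}"
BOOTSTRAP="${BOOTSTRAP:-kafka-1:9092}"

# check_uniform_rf "PARTITION:BROKER,BROKER,..." ...
# Prints the common replication factor, or fails if any partition would end
# up with a different replica count or lists the same broker twice. Both are
# easy to get wrong by hand and silently weaken durability for some partitions.
check_uniform_rf() {
  rf=''
  for spec in "$@"; do
    part="${spec%%:*}"
    replicas="${spec#*:}"
    n=$(printf '%s\n' "$replicas" | tr ',' '\n' | grep -c .)
    dups=$(printf '%s\n' "$replicas" | tr ',' '\n' | sort | uniq -d)
    if [ -n "$dups" ]; then
      echo "partition $part lists broker(s) more than once: $dups" >&2
      return 1
    fi
    if [ -z "$rf" ]; then
      rf="$n"
    elif [ "$rf" -ne "$n" ]; then
      echo "partition $part has $n replicas, expected $rf" >&2
      return 1
    fi
  done
  printf '%s\n' "$rf"
}

# reassignment_plan TOPIC "PARTITION:BROKER,BROKER,..." ...
# Prints {"version":1,"partitions":[{"topic":...,"partition":N,"replicas":[...]},...]}
# The first broker in each replica list becomes the preferred leader.
reassignment_plan() {
  topic="$1"; shift
  out='{"version":1,"partitions":['
  sep=''
  for spec in "$@"; do
    part="${spec%%:*}"
    replicas="${spec#*:}"
    out="${out}${sep}{\"topic\":\"${topic}\",\"partition\":${part},\"replicas\":[${replicas}]}"
    sep=','
  done
  printf '%s]}\n' "$out"
}

# Driver: only runs when invoked as `sh reassign-ingest.sh --plan [specs...]`,
# so the functions above can be sourced and tested without touching a cluster.
if [ "${1:-}" = "--plan" ]; then
  shift
  PLAN_FILE="${PLAN_FILE:-/tmp/${TOPIC}-reassign.json}"
  # Sample plan: 3 partitions, replication factor 3, leaders spread over brokers 1-3.
  [ "$#" -gt 0 ] || set -- "0:1,2,3" "1:2,3,1" "2:3,1,2"
  check_uniform_rf "$@" >/dev/null || exit 1
  reassignment_plan "$TOPIC" "$@" > "$PLAN_FILE"
  echo "plan written to $PLAN_FILE; review it, then:"
  echo "  $KAFKA_HOME/bin/kafka-topics.sh --bootstrap-server $BOOTSTRAP --describe --topic $TOPIC"
  echo "  $KAFKA_HOME/bin/kafka-reassign-partitions.sh --bootstrap-server $BOOTSTRAP --reassignment-json-file $PLAN_FILE --execute --throttle 50000000"
  echo "  $KAFKA_HOME/bin/kafka-reassign-partitions.sh --bootstrap-server $BOOTSTRAP --reassignment-json-file $PLAN_FILE --verify"
fi
```

Run kafka-topics.sh --describe first to capture the current assignment, keep the generated file for rollback, and throttle the reassignment so replica moves do not starve live ingest. The --verify pass also removes the throttle once the reassignment completes.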

Upgrades

Changes that may occur or be required during an upgrade.

  • Installation and Deployment

    • The minimum version of Java compatible with LogScale is now 21. Docker users, and users installing the release artifacts that bundle a JDK, are not affected.

      It is recommended to switch to the release artifacts that bundle a JDK, because LogScale no longer supports bringing your own JDK as of release 1.138; see Falcon LogScale 1.138.0 GA (2024-05-14).
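For clusters that still start LogScale on a JDK they provide themselves, the Java 21 requirement above is worth checking before the upgrade rather than discovering it when the node fails to start. The script below is an added example, not code from these release notes or the LogScale project. It parses the first line of java -version output, handling both the legacy 1.x version scheme and the modern one, and reports whether the installed JDK meets a minimum major version. That the relevant JDK is the one under JAVA_HOME, falling back to the first java on PATH, is an assumption of this example, not something the page states.

```shell
#!/bin/sh
# Added example, not code from the LogScale release notes or the LogScale
# project: a pre-upgrade check for clusters that still run LogScale on a JDK
# they provide themselves. LogScale 1.143.0 needs Java 21 or newer; the
# Docker image and the server-linux_x64 / server-alpine_x64 artifacts bundle
# a JDK and do not need this check.
#
# Assumption (not stated on the page): the JDK that matters is the one under
# JAVA_HOME if set, otherwise the first "java" on PATH.

# java_major_version "<first line of java -version>" -> prints the major version.
# Handles the legacy "1.8.0_392" scheme (major = 8) as well as the modern
# "21.0.3", "21-ea" and "17" schemes.
java_major_version() {
  line="$1"
  ver="${line#*\"}"         # drop everything up to and including the first quote
  ver="${ver%%\"*}"         # drop the closing quote and whatever follows it
  case "$ver" in
    1.*) ver="${ver#1.}" ;; # "1.8.0_392" -> "8.0_392"
  esac
  printf '%s\n' "${ver%%[!0-9]*}"   # keep only the leading run of digits
}

# java_meets_minimum "<java -version line>" MIN -> succeeds if major >= MIN.
java_meets_minimum() {
  major=$(java_major_version "$1")
  [ -n "$major" ] && [ "$major" -ge "$2" ]
}

# check_local_java [MIN] -> probes the installed JDK and reports the verdict.
check_local_java() {
  min="${1:-21}"
  if [ -n "${JAVA_HOME:-}" ] && [ -x "$JAVA_HOME/bin/java" ]; then
    javabin="$JAVA_HOME/bin/java"
  elif command -v java >/dev/null 2>&1; then
    javabin=$(command -v java)
  else
    echo "FAIL: no java found; use the server-linux_x64.tar.gz or server-alpine_x64.tar.gz artifact, which bundle a JDK" >&2
    return 1
  fi
  # java prints its version banner on stderr; the first line carries the version.
  line=$("$javabin" -version 2>&1 | head -n 1)
  if java_meets_minimum "$line" "$min"; then
    echo "OK: $javabin reports '$line' (major >= $min)"
  else
    echo "FAIL: $javabin reports '$line'; LogScale 1.143.0 requires Java >= $min" >&2
    return 1
  fi
}

# Run the probe only when asked, so the functions can be sourced and tested
# on a machine without Java installed.
if [ "${1:-}" = "--check" ]; then
  check_local_java 21
fi
```

Run it as sh check-java.sh --check on each node before rolling the upgrade; a non-zero exit means either no JDK was found or the one found is older than 21, in which case switching to an artifact with a bundled JDK is the simpler fix.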

New features and improvements

  • Security

    • When the retention span or size of a repository is extended, any segments that were marked for deletion, but whose files still remain in the system, are automatically resurrected. How much data is reclaimed this way depends on the repository's backupAfterMillis configuration.

      For more information, see Audit Logging.


  • Functions

    • The match() function now supports matching on multiple pairs of fields and columns.

      For more information, see match().

Fixed in this release

  • User Interface

    • In the Export to File dialog, when using the keyboard to switch between options, a different item than the one selected was highlighted. This issue has now been fixed.

  • Storage

    • Digest threads could fail to start digesting if global is very large, and if writing to global is slow. This issue has now been fixed.

Recent Package Updates

The following LogScale packages have been updated within the last month.

  • Package Changes

    • aruba/clearpass has been updated to v1.1.0.

      • Implements new fields:

        • client.mac

        • client.ip

        • server.ip

        • observer.version

        • observer.ip

        • observer.port

        • event.type

        • event.outcome

      • Parser tests have been improved by adding assertions to the test cases

      • Bumps minimum LogScale version to 1.139 to support parser assertions

      For more information, see Package aruba/clearpass Release Notes.

    • linux/system-logs has been updated to v0.2.0.

      • Updated this package to utilize the LogScale Collector instead of filebeat.

      • Improves the field extraction and performance.

      • Updates saved queries and dashboards to work with data sent through the LogScale Collector.

      • If you are upgrading from an older version of this package, note that this update is a large breaking change: the package now uses the LogScale Collector to ship logs. If you wish to keep the old parser and dashboards, you can continue to use the previous version of the package.

      • Renamed parser to linux-systemlogs.

      • Bumps minimum LogScale version to 1.40.

      For more information, see Package linux/system-logs Release Notes.

    • proofpoint/tap-siem-api has been updated to v1.1.0.

      • Improves the field extraction and performance.

      • Maps the clickTime field to @timestamp instead of threatTime field for ClicksBlocked and ClicksPermitted events.

      • Sets the event.category, event.type and the event.outcome fields based on the source data.

      • Adds observer.type field.

      For more information, see Package proofpoint/tap-siem-api Release Notes.

    • humio/activity has been updated to v1.4.0.

      • Minimum supported LogScale version bumped to 1.141.0.

      • Added new dashboard Scheduled Reports Overview. This dashboard shows an overview of all scheduled reports - a new feature added to LogScale from version 1.141.0.

      • Added new view interaction Show Scheduled Report Details. This allows navigation from event logs to the Scheduled Reports Overview dashboard with focus on that one report.

      • Added new view interaction Edit Scheduled Report. This allows navigation from event logs to the Scheduled Reports edit page.

      For more information, see Package humio/activity Release Notes.

    • zscaler/deception has been updated to v1.1.0.

      • Uses the timestamp from the syslog header as an alternative source for the event timestamp

      • Improves extraction of threat.indicator.ip and threat.indicator.name fields

      • Normalizes data to CrowdStrike Parsing Standard (CPS) for:

        • process.* fields, e.g. process.name, process.user.name, process.pid, process.command

        • tls.* fields, e.g. tls.version, tls.cipher

        • url.* fields, e.g. url.full, url.scheme, url.domain

        • http.* fields, e.g. http.request.method, http.response.status

        • network.protocol field

        • user_agent.name field

      For more information, see Package zscaler/deception Release Notes.

    • cisco/asa has been updated to v0.2.0.

      • Improves the field extraction and performance.

      For more information, see Package cisco/asa Release Notes.

    • zscaler/private-access has been updated to v1.1.0.

      • Improves the field extraction and performance.

      • Sets the event.category, event.type and the event.outcome fields based on the source data.

      • Adds observer.type, package.version, server.bytes, event.action fields and more.

      For more information, see Package zscaler/private-access Release Notes.

    • aws/s3-server-access has been updated to v1.0.2.

      • Fixes the parser so that it no longer drops events that don't contain the tls_version and request_uri fields

      For more information, see Package aws/s3-server-access Release Notes.

    • juniper/srx has been updated to v1.1.0.

      • Improves the field extraction and performance

      • Sets the event.category, event.type and the event.outcome fields based on the source data

      • Adds observer.* fields, for example: observer.type, observer.product and more

      For more information, see Package juniper/srx Release Notes.

    • cisco/duo has been updated to v1.1.1.

      • Updates the duo-telephony-json parser to work with the new log structure introduced in the V2 Telephony API.

      For more information, see Package cisco/duo Release Notes.

    • cisco/duo has been updated to v1.1.2.

      • Sets a timestamp based on the isotimestamp field for the duo-authentication-json parser.

      For more information, see Package cisco/duo Release Notes.