Falcon LogScale 1.147.0 GA (2024-07-16)

Version?Type?Release Date?Availability?End of SupportSecurity UpdatesUpgrades From?Downgrades To?Config. Changes?
1.147.0GA2024-07-16

Cloud

2025-09-30No1.112.01.112.0No

Hide file download links

Show file download links

Bug fixes and updates.

Advance Warning

The following items are due to change in a future release.

  • Installation and Deployment

    • The LogScale Launcher Script script for starting LogScale will be modified to change the way CPU core usage can be configured. The -XX:ActiveProcessorCount=n command-line option will be ignored if set. Users that need to configure the core count manually should set CORES=n environment variable instead. This will cause the launcher to configure both LogScale and the JVM properly.

      This change is scheduled for 1.148.0.

      For more information, see LogScale Launcher Script.

Deprecation

Items that have been deprecated and may be removed in a future release.

  • The following API endpoints are deprecated and marked for removal in 1.148.0:

    • POST /api/v1/clusterconfig/kafka-queues/partition-assignment

    • GET /api/v1/clusterconfig/kafka-queues/partition-assignment

    • POST /api/v1/clusterconfig/kafka-queues/partition-assignment/set-replication-defaults

    The deprecated methods are used for viewing and changing the partition assignment in Kafka for the ingest queue. Administrators should use Kafka's own tools for editing partition assignments instead, such as the bin/kafka-reassign-partitions.sh and bin/kafka-topics.sh scripts that ship with the Kafka install.

  • The HUMIO_JVM_ARGS environment variable in the LogScale Launcher Script script will be removed in 1.154.0.

    The variable existed for migration from older deployments where the launcher script was not available. The launcher script replaces the need for manually setting parameters in this variable, so the use of this variable is no longer required. Using the launcher script is now the recommended method of launching LogScale. For more details on the launcher script, see LogScale Launcher Script. Clusters that still set this configuration should migrate to the other variables described at LogScale Launcher Script.

  • We are deprecating the humio/kafka and humio/zookeeper Docker images due to low use. The planned final release for these images will be with LogScale 1.148.0.

    Better alternatives are available going forward. We recommend the following:

    • If your cluster is deployed on Kubernetes: STRIMZI

    • If your cluster is deployed to AWS: MSK

    If you still require humio/kafka or humio/zookeeper for needs that cannot be covered by these alternatives, please contact Support and share your concerns.

  • The QUERY_COORDINATOR environment variable is deprecated. To control whether a node should be allowed to be a query coordinator, use the query node task instead. Node tasks can be assigned and unassigned at runtime using the assignTasks() and unassignTasks() GraphQL mutations respectively, or controlled using the INITIAL_DISABLED_NODE_TASKS environment variable.

    For more information, see INITIAL_DISABLED_NODE_TASKS.

  • The server.tar.gz release artifact has been deprecated. Users should switch to the OS/architecture-specific server-linux_x64.tar.gz or server-alpine_x64.tar.gz, which include bundled JDKs. Users installing a Docker image do not need to make any changes. With this change, LogScale will no longer support bringing your own JDK, we will bundle one with releases instead.

    We are making this change for the following reasons:

    • By bundling a JDK specifically for LogScale, we can customize the JDK to contain only the functionality needed by LogScale. This is a benefit from a security perspective, and also reduces the size of release artifacts.

    • Bundling the JDK ensures that the JDK version in use is one we've tested with, which makes it more likely a customer install will perform similar to our own internal setups.

    • By bundling the JDK, we will only need to support one JDK version. This means we can take advantage of enhanced JDK features sooner, such as specific performance improvements, which benefits everyone.

    The last release where server.tar.gz artifact is included will be 1.154.0.

  • The lastScheduledSearch field from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replace lastScheduledSearch.

Behavior Changes

Scripts or environment which make use of these tools should be checked and updated for the new configuration:

  • Functions

    • Prior to LogScale v1.147, the array:length() function accepted a value in the array argument that did not contain brackets [ ] so that array:length("field") would always produce the result 0 (since there was no field named field). The function has now been updated to properly throw an exception if given a non-array field name in the array argument. Therefore, the function now requires the given array name to have [] brackets, since it only works on array fields.

New features and improvements

  • User Interface

  • Automation and Triggers

    • Standard Alerts have been renamed to Legacy Alerts. It is recommended using Filter Alerts or Triggers alerts instead of legacy alerts.

      For more information, see Triggers.

    • A new Disabled actions status is added and can be visible from the Alerts overview table. This status will be displayed when there is an alert (or scheduled search) with only disabled actions attached.

      For more information, see Triggers Overview.

    • A new aggregate alert type is introduced. The aggregate alert is now the recommended alert type for any queries containing aggregate functions. Like filter alerts, aggregate alerts use ingest timestamps and run back-to-back searches, guaranteeing at least once delivery to the actions for more robust results, even in case of ingest delays of up to 24 hours.

      For more information, see Triggers.

    • The following UI changes have been introduced for alerts:

      • The Alerts overview page now presents a table with search and filtering options.

      • An alert-specific version of the Search page is now available for creating and refining your query before saving it as an alert.

      • The alert's properties are opened in a side panel when creating or editing an alert.

      • In the side panel, the recommended alert type to choose is suggested based on the query.

      • For aggregate alerts, the side panel allows you to select the timestamp (@ingesttimestamp or @timestamp).

      For more information, see Create Triggers, Trigger Properties.

  • Log Collector

    • RemoteUpdate version dialog has been improved, with the ability to cancel pending and scheduled updates.

Fixed in this release

  • Ingestion

    • When shutting down a node, the process that load files used by a parser would be stopped before the parser itself. This could lead to ingested events not being parsed. This issue has now been fixed.

  • Functions

    • parseXml() would sometimes only partially extract text elements when the text contained newline characters. This issue has now been fixed.

    • Live queries using Field Aliasing on a repository with Tag Groupings enabled could fail. This issue has now been fixed.

    • Long running queries using window() could end up never completing. This issue has now been fixed.

Recent Package Updates

The following LogScale packages have been updated within the last month.

  • Package Changes

    • linux/system-logs has been updated to v0.2.0.

      • Updated this package to utilize the LogScale Collector instead of filebeat.

      • Improves the field extraction and performance.

      • Updates saved queries and dashboards to work with data sent through the LogScale Collector.

      • If you are upgrading from older version of this package, note that this update is a large breaking change, where the package uses LogScale Collector to ship logs. If you wish to keep the old parser and dashboard, feel free to keep using the old version of the package.

      • Renamed parser to linux-systemlogs.

      • Bumps minimum LogScale version to 1.40.

      For more information, see Package linux/system-logs Release Notes.

    • cisco/firepower has been updated to v1.1.0.

      • Improves the field extraction and performance.

      • Sets the event.category, event.type and the event.outcome fields based on the source security event ids.

      • Adds observer.type, network.protocol, network.transport, event.reason, event.action fields and more.

      • Now the ClassName and ClassDefintion fields are set without referring to the lookup file.

      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      For more information, see Package cisco/firepower Release Notes.

    • checkpoint/ngfw has been updated to v1.1.0.

      • Adds more options for Action and Rule Action mappings

      • Adds default category and type as network/info to ensure all events are parsed to CPS standard

      For more information, see Package checkpoint/ngfw Release Notes.

    • aws/s3-server-access has been updated to v1.0.2.

      • Fixes the parser to no longer drop events which don't contain tls_version and request_uri fields

      For more information, see Package aws/s3-server-access Release Notes.

    • zscaler/internet-access has been updated to v1.0.1.

      • Updates dashboards and saved queries to use event.dataset and event.action instead of type and Vendor.action fields respectively.

      For more information, see Package zscaler/internet-access Release Notes.

    • citrix/netscaler has been updated to v1.0.1.

      • Bug fix: The citrix-netsaler-syslog parser no longer fails on parsing JSON input

      For more information, see Package citrix/netscaler Release Notes.