Falcon LogScale 1.150.0 GA (2024-08-06)
| Version | Type | Release Date | Availability | End of Support | Security Updates | Upgrades From | Downgrades To | Config. Changes |
|---|---|---|---|---|---|---|---|---|
| 1.150.0 | GA | 2024-08-06 | Cloud | 2025-09-30 | No | 1.112.0 | 1.112.0 | No |
Use docker pull humio/humio-core:1.150.0 to download the latest version
Bug fixes and updates.
Deprecation
Items that have been deprecated and may be removed in a future release.
The HUMIO_JVM_ARGS environment variable in the LogScale Launcher Script will be removed in 1.154.0.
The variable existed for migration from older deployments where the launcher script was not available. The launcher script replaces the need for manually setting parameters in this variable, so the use of this variable is no longer required. Using the launcher script is now the recommended method of launching LogScale. For more details on the launcher script, see LogScale Launcher Script. Clusters that still set this configuration should migrate to the other variables described at LogScale Launcher Script.
The QUERY_COORDINATOR environment variable is deprecated. To control whether a node should be allowed to be a query coordinator, use the query node task instead. Node tasks can be assigned and unassigned at runtime using the assignTasks() and unassignTasks() GraphQL mutations respectively, or controlled using the INITIAL_DISABLED_NODE_TASKS environment variable.
For more information, see INITIAL_DISABLED_NODE_TASKS.
The server.tar.gz release artifact has been deprecated. Users should switch to the OS/architecture-specific server-linux_x64.tar.gz or server-alpine_x64.tar.gz, which include bundled JDKs. Users installing a Docker image do not need to make any changes. With this change, LogScale will no longer support bringing your own JDK; we will bundle one with releases instead.
We are making this change for the following reasons:
By bundling a JDK specifically for LogScale, we can customize the JDK to contain only the functionality needed by LogScale. This is a benefit from a security perspective, and also reduces the size of release artifacts.
Bundling the JDK ensures that the JDK version in use is one we've tested with, which makes it more likely a customer install will perform similarly to our own internal setups.
By bundling the JDK, we will only need to support one JDK version. This means we can take advantage of enhanced JDK features sooner, such as specific performance improvements, which benefits everyone.
The last release where the server.tar.gz artifact is included will be 1.154.0.
The lastScheduledSearch field from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replace lastScheduledSearch.
Behavior Changes
Scripts or environments that make use of these tools should be checked and updated for the new configuration:
Functions
Prior to LogScale v1.147, the array:length() function accepted a value in the array argument that did not contain brackets [ ] so that array:length("field") would always produce the result 0 (since there was no field named field). The function has now been updated to properly throw an exception if given a non-array field name in the array argument. Therefore, the function now requires the given array name to have [] brackets, since it only works on array fields.
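A pre-upgrade check for this change, as an added example that is not part of LogScale or its tooling: it scans saved query text for array:length() calls whose array argument has no [] brackets, which previously returned 0 silently and now throw. The query strings and saved-query names are constructed samples, and the parser assumes no nested parentheses or commas inside the argument list.

```python
import re

# Matches one array:length(...) call and captures its raw argument list.
# Assumption: no nested parentheses or commas inside the arguments.
CALL_RE = re.compile(r"array:length\(\s*([^()]*)\)")


def array_argument(arglist):
    """Return the array argument (named array=... or first positional), unquoted."""
    positional = None
    for part in arglist.split(","):
        key, sep, value = part.strip().partition("=")
        if sep and key.strip() == "array":
            return value.strip().strip('"')
        if not sep and key and positional is None:
            positional = key.strip('"')
    return positional


def find_legacy_calls(query):
    """List (line number, call text) for calls whose array name has no []."""
    findings = []
    for lineno, line in enumerate(query.splitlines(), start=1):
        for match in CALL_RE.finditer(line):
            name = array_argument(match.group(1))
            if name is None or "[]" not in name:
                findings.append((lineno, match.group(0)))
    return findings


# Constructed sample queries, keyed by a hypothetical saved-query name.
SAMPLE_QUERIES = {
    "failed-logins": '#type=auth\n| array:length("users", as=n)\n| n > 5',
    "dns-answers": 'array:length("dns.answers[]", as=answer_count)',
    "proc-args": "array:length(array=process.args, as=n)",
    "proc-args-fixed": 'array:length(array="process.args[]", as=n)',
}

if __name__ == "__main__":
    for name, query in SAMPLE_QUERIES.items():
        for lineno, call in find_legacy_calls(query):
            print(f"{name}:{lineno}: needs [] on array name: {call}")
```

Queries flagged here were evaluating to 0 before the change, so any alert or scheduled search built on them should be reviewed as well as corrected.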
New features and improvements
Installation and Deployment
The Docker containers have been configured to use the following environment variable values internally:
DIRECTORY=/data/humio-data
HUMIO_AUDITLOG_DIR=/data/logs
HUMIO_DEBUGLOG_DIR=/data/logs
JVM_LOG_DIR=/data/logs
JVM_TMP_DIR=/data/humio-data/jvm-tmp
This configuration replaces the following chains of internal symlinks, which have been removed:
/app/humio/humio/humio-data to /app/humio/humio-data
/app/humio/humio-data to /data/humio-data
/app/humio/humio/logs to /app/humio/logs
/app/humio/logs to /data/logs
This change is intended to allow the tool scripts in /app/humio/humio/bin to work correctly, as they were previously failing due to the presence of dangling symlinks when invoked via docker run if nothing was mounted at /data.
User Interface
Sections can now be created inside dashboards, allowing for grouping relevant content together to maintain a clean and organized layout, making it easier for users to find and analyze related information. Sections can contain data visualizations as well as Parameter Panels. Additionally, they offer more flexibility when using the Time Selector, enabling users to apply a time setting across multiple widgets.
For more information, see Dashboard Sections.
An organization administrator can now update a user's role on a repository or view from the Users page.
For more information, see Manage User Roles.
Automation and Triggers
The {action_invocation_id} message template has been added: it contains a unique id for the invocation of the action that can be correlated with the activity logs.
For more information, see Message Templates and Variables, Monitor Trigger Execution through the humio-activity Repository.
Users can now see warnings and errors associated with alerts in the Alerts page opened in read-only mode.
Storage
Support is implemented for returning a result over 1GB in size on the queryjobs endpoint. The returned result is now limited to 8GB in size. The limits on state sizes for queries remain unaltered, so the effect of this change is that some queries that previously failed to return their results because they reached 1GB, even though the query completed, now work.
Functions
Fixed in this release
Falcon Data Replicator
Testing new FDR feeds using S3 aliasing would fail for valid credentials. This issue has now been fixed.
User Interface
The Organizations overview page has been fixed: the Volume column width within a specific organization could not be adjusted.
The display of Lookup Files metadata in the file editor for very long user names has now been fixed.
Storage
Throttling for bucket uploads/downloads could cause unintentionally harsh throttling of downloads in favor of running more uploads concurrently. This issue has now been fixed.
The throttling for segment rebalancing has been reworked, which should help rebalancing keep up without overwhelming the cluster.
Known Issues
Queries
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
cisco/firepower has been updated to v1.1.0.
Improves the field extraction and performance.
Sets the event.category, event.type and the event.outcome fields based on the source security event ids.
Adds observer.type, network.protocol, network.transport, event.reason, event.action fields and more.
Now the ClassName and ClassDefintion fields are set without referring to the lookup file.
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.
For more information, see Package cisco/firepower Release Notes.
cisco/ios has been updated to v1.1.0.
Improves the field extraction and performance.
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.
Sets the event.category, event.type and event.outcome fields based on type of the event.
Adds the observer.type and event.kind fields.
Drops the event.provider field.
For more information, see Package cisco/ios Release Notes.
checkpoint/ngfw has been updated to v1.1.0.
Adds more options for Action and Rule Action mappings
Adds default category and type as network/info to ensure all events are parsed to CPS standard
For more information, see Package checkpoint/ngfw Release Notes.
zscaler/internet-access has been updated to v1.0.1.
Updates dashboards and saved queries to use event.dataset and event.action instead of type and Vendor.action fields respectively.
For more information, see Package zscaler/internet-access Release Notes.