Falcon LogScale 1.151.1 GA (2024-08-15)
| Version | Type | Release Date | Availability | End of Support | Security Updates | Upgrades From | Downgrades To | Config. Changes |
|---|---|---|---|---|---|---|---|---|
| 1.151.1 | GA | 2024-08-15 | Cloud | 2025-09-30 | No | 1.112.0 | 1.112.0 | No |
Download
Use docker pull humio/humio-core:1.151.1 to download the latest version
Bug fixes recommended for all customers.
Deprecation
Items that have been deprecated and may be removed in a future release.
The HUMIO_JVM_ARGS environment variable in the LogScale Launcher Script will be removed in 1.154.0.
The variable existed for migration from older deployments where the launcher script was not available. The launcher script replaces the need for manually setting parameters in this variable, so the use of this variable is no longer required. Using the launcher script is now the recommended method of launching LogScale. For more details on the launcher script, see LogScale Launcher Script. Clusters that still set this configuration should migrate to the other variables described at LogScale Launcher Script.
The QUERY_COORDINATOR environment variable is deprecated. To control whether a node should be allowed to be a query coordinator, use the query node task instead. Node tasks can be assigned and unassigned at runtime using the assignTasks() and unassignTasks() GraphQL mutations respectively, or controlled using the INITIAL_DISABLED_NODE_TASKS environment variable.
For more information, see INITIAL_DISABLED_NODE_TASKS.
The server.tar.gz release artifact has been deprecated. Users should switch to the OS/architecture-specific server-linux_x64.tar.gz or server-alpine_x64.tar.gz, which include bundled JDKs. Users installing a Docker image do not need to make any changes. With this change, LogScale will no longer support bringing your own JDK; we will bundle one with releases instead.
We are making this change for the following reasons:
By bundling a JDK specifically for LogScale, we can customize the JDK to contain only the functionality needed by LogScale. This is a benefit from a security perspective, and also reduces the size of release artifacts.
Bundling the JDK ensures that the JDK version in use is one we've tested with, which makes it more likely a customer install will perform similar to our own internal setups.
By bundling the JDK, we will only need to support one JDK version. This means we can take advantage of enhanced JDK features sooner, such as specific performance improvements, which benefits everyone.
The last release where the server.tar.gz artifact is included will be 1.154.0.
The lastScheduledSearch field from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replace lastScheduledSearch.
Behavior Changes
Scripts or environment which make use of these tools should be checked and updated for the new configuration:
Functions
Prior to LogScale v1.147, the array:length() function accepted a value in the array argument that did not contain brackets [ ] so that array:length("field") would always produce the result 0 (since there was no field named field). The function has now been updated to properly throw an exception if given a non-array field name in the array argument. Therefore, the function now requires the given array name to have [ ] brackets, since it only works on array fields.
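Saved searches and alerts that relied on the old behavior silently evaluated to 0 and will now fail, so it is worth auditing query text before upgrading. The following is an added example, not part of the LogScale release notes or tooling: a regex-based heuristic (not LogScale's parser) that flags array:length() calls whose array argument lacks [ ]. The query names and texts are constructed sample data, and field names are assumed not to contain commas or equals signs.

```python
import re

# Captures the raw argument list of every array:length(...) call.
CALL_RE = re.compile(r'array:length\(\s*([^)]*?)\s*\)')


def array_arg(raw):
    """Return the value passed as the array parameter (unnamed or array=...)."""
    for part in raw.split(","):
        part = part.strip()
        name, sep, value = part.partition("=")
        if sep and name.strip() == "array":
            part = value.strip()
        elif sep:
            continue  # another named parameter, e.g. as=...
        return part.strip('"')
    return ""  # no array argument found at all


def audit(queries):
    """Map query name -> array:length() arguments that do not end in []."""
    findings = {}
    for name, text in queries.items():
        bad = [arg for arg in map(array_arg, CALL_RE.findall(text))
               if not arg.endswith("[]")]
        if bad:
            findings[name] = bad
    return findings


# Constructed sample queries (hypothetical names and fields).
SAMPLE_QUERIES = {
    "role-count-alert": 'event.action=login | array:length("user.roles", as=n) | n > 3',
    "tag-count": 'array:length("tags[]", as=tagCount) | tagCount > 0',
    "recipient-spike": 'array:length(as=n, array=mail.recipients) | n > 50',
    "nested-ok": 'array:length(array="a[0].b[]")',
}

if __name__ == "__main__":
    for name, args in audit(SAMPLE_QUERIES).items():
        print(f"{name}: array:length() argument(s) without []: {args}")
```

Queries flagged here returned 0 before the change and throw an exception after it, so any alert threshold built on them was never evaluating real data.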
Fixed in this release
Ingestion
Fixed an issue where queries with a large number of OR statements would crash the parser and cause a node to fail.
Known Issues
Queries
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
cisco/ios has been updated to v1.2.0.
Improves the timestamp parsing.
For more information, see Package cisco/ios Release Notes.
humio/activity has been updated to v1.5.0.
This version adds support for aggregate alerts - a new type of alert introduced in 1.147.0:
Minimum supported LogScale version bumped to 1.147.0.
Added new dashboard Alerts Overview. This shows an overview of all alerts with the possibility of filtering on the alert type. Eventually, this dashboard will replace the Filter Alerts Overview and Legacy Alerts Overview dashboards.
Added new dashboard Alert Details. This shows details of a single alert. Eventually, this dashboard will replace the Filter Alert Details and Legacy Alert Details dashboards.
Added new view interaction Edit Aggregate Alert. This allows navigation from event logs for an aggregate alert to the alert edit page.
Added new view interaction Alert Details. This allows navigation from event logs for an alert to the Alert Details dashboard.
Renamed the dashboard Standard Alerts Overview to Legacy Alerts Overview.
Renamed the dashboard Standard Alert Details to Legacy Alert Details.
Renamed the view interaction Edit Standard Alert to Edit Legacy Alert.
Removed the view interactions Show Standard Alert Details and Show Filter Alert Details, those are replaced by Show Alert Details.
For more information, see Package humio/activity Release Notes.
cisco/firepower has been updated to v1.2.0.
Excludes empty fields when parsing events with the kvParse() function.
For more information, see Package cisco/firepower Release Notes.
cisco/ios has been updated to v1.1.0.
Improves the field extraction and performance.
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.
Sets the event.category, event.type and event.outcome fields based on type of the event.
Adds the observer.type and event.kind fields.
Drops the event.provider field.
For more information, see Package cisco/ios Release Notes.
imperva/cloud-waf has been updated to v1.1.0.
Sets the event.kind based on the attack name field.
For more information, see Package imperva/cloud-waf Release Notes.
zscaler/internet-access has been updated to v1.0.1.
Updates dashboards and saved queries to use event.dataset and event.action instead of type and Vendor.action fields respectively.
For more information, see Package zscaler/internet-access Release Notes.
cisco/meraki has been updated to v1.1.0.
Bug fix: updates the mapping for the destination.port and source.port fields.
Normalizes MAC addresses to keep the notation from RFC 7042.
For more information, see Package cisco/meraki Release Notes.