Falcon LogScale 1.160.0 GA (2024-10-15)

Version: 1.160.0
Type: GA
Release Date: 2024-10-15
Availability: Cloud
End of Support: 2025-12-31
Security Updates: No
Upgrades From: 1.112.0
Downgrades To: 1.112.0
Config. Changes: Yes

Bug fixes and updates.

Deprecation

Items that have been deprecated and may be removed in a future release.

  • The QUERY_COORDINATOR environment variable is deprecated. To control whether a node should be allowed to be a query coordinator, use the query node task instead. Node tasks can be assigned and unassigned at runtime using the assignTasks() and unassignTasks() GraphQL mutations respectively, or controlled using the INITIAL_DISABLED_NODE_TASKS environment variable.

    For more information, see INITIAL_DISABLED_NODE_TASKS.

  • The lastScheduledSearch field from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replace lastScheduledSearch.

New features and improvements

  • User Interface

    • PDF Render Service now supports proxy communication between service and LogScale. Adding the environment variable http_proxy or https_proxy to the PDF render service environment will add a proxy agent to all requests from the service to LogScale.

    • Documentation is now displayed on hover in the LogScale query editor within Falcon. The full syntax usage and a link to the documentation is now visible for any keyword in a query.

  • Automation and Triggers

    • Three alert messages were deprecated and replaced with new, more accurate alert messages.

      • For Legacy Alerts: the message "The query result is currently incomplete. The alert will not be polled in this loop" replaces "Starting the query for the alert has not finished. The alert will not be polled in this loop".

      • For Filter Alerts and Triggers: the message "The query result is currently incomplete. The alert will not be polled in this run" replaces "Starting the alert query has not finished. The alert will not be polled in this run" in the situations where the new message is the more accurate description.

      • The alert message was updated for filter and aggregate alerts in some cases where the live query was stopped due to the alert being behind.

      For more information, see Monitor Trigger Execution through the humio-activity Repository.

    • The queryStart and queryEnd fields have been added for two aggregate alert log lines:

      • Alert found results, but no actions were invoked since the alert is throttled

      • Alert found no results and will not trigger

      and removed for three others as they did not contain the correct value:

      • Alert is behind. Will stop live query and start running historic queries to catch up

      • Alert query took too long to start and the result are now too old. LogScale will stop the live query and start running historic queries to catch up

      • Running a historic query to catch up took too long and the result is now outside the retry limit. LogScale will skip this data and start a query for events within the retry limit

    • The Alerts page now shows the following UI changes:

      • A new column Last modified is added in the Alerts overview to display when the alert was last updated and by whom.

      • The same column is also added in the alert properties side panel and on the Search page.

      • The Package column is no longer displayed as default on the Alerts overview page.

      For more information, see Create a trigger from the Triggers overview.

  • GraphQL API

    • GraphQL introspection queries now require authentication; unauthenticated introspection requests are rejected. Setting the configuration parameter API_EXPLORER_ENABLED to false still rejects all introspection queries, including authenticated ones.
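
      A small probe to confirm the new behaviour after upgrading, written for this page as an added example rather than taken from LogScale: it sends a minimal introspection query once without credentials and, optionally, once with an API token, and classifies each answer. It assumes the GraphQL endpoint lives at <base URL>/graphql and that API tokens are passed as "Authorization: Bearer <token>"; both are assumptions of this example, as is the interpretation of a GraphQL error body with no schema data as "rejected". Only the classification logic runs offline; the live probe runs when a URL is given on the command line.

```python
"""Probe whether a LogScale instance answers GraphQL introspection without a session.

Added example, not LogScale code. Assumptions: the GraphQL endpoint is
<base>/graphql and API tokens are sent as "Authorization: Bearer <token>".
"""
import json
import sys
import urllib.error
import urllib.request

# Minimal introspection query: any access to __schema counts as introspection.
INTROSPECTION_QUERY = "{ __schema { queryType { name } } }"


def build_request(base_url, token=None):
    """Return (url, headers, body) for an introspection POST, with or without a token."""
    url = base_url.rstrip("/") + "/graphql"  # assumed endpoint path
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    if token:
        headers["Authorization"] = "Bearer " + token  # assumed auth scheme
    body = json.dumps({"query": INTROSPECTION_QUERY}).encode("utf-8")
    return url, headers, body


def classify(status, body_text):
    """Map an HTTP status and response body to one of: rejected, exposed, unexpected.

    rejected   - HTTP 401/403, or a GraphQL error response carrying no schema data
    exposed    - a response whose data.__schema is populated (introspection answered)
    unexpected - anything else (not JSON, not an object, empty data, ...)
    """
    if status in (401, 403):
        return "rejected"
    try:
        doc = json.loads(body_text)
    except ValueError:
        return "unexpected"
    if not isinstance(doc, dict):
        return "unexpected"
    data = doc.get("data") or {}
    if isinstance(data, dict) and isinstance(data.get("__schema"), dict):
        return "exposed"
    if doc.get("errors"):
        return "rejected"
    return "unexpected"


def post(url, headers, body):
    """POST and return (status, body) for both 2xx and HTTP error responses."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check(base_url, token=None):
    """Run the probe against a live instance and classify the answer."""
    return classify(*post(*build_request(base_url, token)))


if __name__ == "__main__":
    # Usage: python introspection_check.py https://logscale.example.com [API_TOKEN]
    base = sys.argv[1]
    tok = sys.argv[2] if len(sys.argv) > 2 else None
    anon = check(base)
    print("anonymous introspection:", anon, "(expected: rejected on 1.160.0 and later)")
    if tok:
        print("authenticated introspection:", check(base, tok),
              "(rejected if API_EXPLORER_ENABLED=false, otherwise exposed)")
    sys.exit(0 if anon == "rejected" else 1)
```

      The anonymous run should report "rejected" on this release; an "exposed" result means the schema is still readable without a session and is worth raising with whoever operates the instance. With a token, "exposed" is the normal result unless API_EXPLORER_ENABLED is false.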

  • Dashboards and Widgets

    • Numbers in the Table widget can now be displayed with trailing zeros to maintain a consistent number of decimal places.

  • Log Collector

    • LogScale Collector can now enable internal logging of instances through Fleet Management.

      For more information, see Internal Logging.

  • Functions

    • Improved error messages for the sort(), head(), and tail() functions: when an invalid value is given for the limit parameter, the error now states both the minimum and the maximum configured value for limit.

    • Introducing the new query function array:rename(). This function renames all consecutive entries of an array starting at index 0.

      For more information, see array:rename().
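
      The documented behaviour of array:rename(), renaming the consecutive run of entries that starts at index 0, illustrated with a Python reimplementation of those semantics. This is an added example and not LogScale's own implementation: the function name array_rename, its parameters array and as_array, the stop-at-the-first-gap handling of a non-consecutive array, and overwriting an existing target entry are this example's reading of "consecutive entries ... starting at index 0", and the sample event is constructed.

```python
"""Illustrative reimplementation of array:rename() semantics (added example, not LogScale code)."""


def _base_name(array_field):
    """Strip a trailing "[]" so "a[]" and "a" both refer to array "a"."""
    return array_field[:-2] if array_field.endswith("[]") else array_field


def consecutive_length(event, array):
    """Number of entries in the run array[0], array[1], ... with no missing index."""
    name = _base_name(array)
    i = 0
    while f"{name}[{i}]" in event:
        i += 1
    return i


def array_rename(event, array, as_array):
    """Return a copy of `event` with array[0..n-1] renamed to as_array[0..n-1].

    n is the length of the gap-free run starting at index 0. Entries after the
    first missing index are left under the old name (assumption: the release note
    says only "consecutive entries ... starting at index 0" are renamed). If a
    target entry already exists it is overwritten (assumption). Other fields are
    copied unchanged.
    """
    src = _base_name(array)
    dst = _base_name(as_array)
    out = dict(event)
    for i in range(consecutive_length(event, array)):
        out[f"{dst}[{i}]"] = out.pop(f"{src}[{i}]")
    return out


# Constructed sample event (not real data): a[] has a gap at index 2.
SAMPLE_EVENT = {
    "@timestamp": "2024-10-15T00:00:00Z",
    "a[0]": "10.0.0.1",
    "a[1]": "10.0.0.2",
    "a[3]": "10.0.0.4",
    "other": "x",
}


if __name__ == "__main__":
    renamed = array_rename(SAMPLE_EVENT, "a[]", "b[]")
    for key in sorted(renamed):
        print(key, "=", renamed[key])
    # a[0] and a[1] become b[0] and b[1]; a[3] keeps its name because index 2 is missing.
```

      The point worth remembering is the gap: on the sample event only a[0] and a[1] are renamed and a[3] keeps its old name, so a query that later reads b[] sees two entries, not three. Check for gaps before relying on the renamed array.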

Fixed in this release

  • User Interface

    • The Event List has been fixed: it did not take the sort order returned by the query API into account when sorting events according to the UI configuration.

    • The red border shown on the Table widget when invalid changes are made to a dashboard interaction did not display correctly. This has been fixed.

    • Dragging would stop working on the Dashboard page when invalid changes were saved to a widget and the user then clicked Continue editing. This has been fixed; dragging now also works in this case.

  • Storage

    • A regression introduced by the upgrade to Java 23 in version 1.158.0 has been fixed. The regression broke SASL support for Kafka; see the Kafka documentation for more information.

  • API

    • An issue has been fixed in the computation of the digestFlow property of the query response. The information contained there would be stale in cases where the query started from a cached state or there were digest leadership changes (for example, in case of node restarts).

      For more information, see Polling a Query Job.

  • Ingestion

    • Parser assertions have been fixed: some were marked as passing even though they should have failed. Parser tests that passed on earlier versions may therefore report failures that were previously masked.

    • Array gap detection has been fixed: it reported gaps where there were none.

Improvement

  • User Interface

    • Improved the warnings shown when performing multi-cluster searches across clusters running different LogScale versions.

Recent Package Updates

The following LogScale packages have been updated within the last month.

  • Package Changes

    • cisco/meraki has been updated to v1.2.0.

      • Adds the event.outcome field

      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files

      For more information, see Package cisco/meraki Release Notes.

    • infoblox/nios has been updated to v1.2.0.

      • Deprecation notice:

        • The old syslog-utc parser is deprecated and replaced by the new infoblox-nios parser. In this release the two parsers are identical except for the name, but all future changes will only go into the new infoblox-nios parser. We recommend switching to the newer parser as soon as possible to make the upgrade as smooth as possible; the old syslog-utc parser will be removed at some point in the future. The #type field in your data contains the name of the parser that produced the event, so any queries or alerts that filter on #type=syslog-utc must be updated to match infoblox-nios as well (or both names for as long as events from both parsers are still in retention).

      • Extends support for the syslog format.

      • Adds the following fields mapped to CPS: dns.question.name, dns.question.class, client.domain, client.ip and server.ip.

      For more information, see Package infoblox/nios Release Notes.

    • palo-alto/prisma-sd-wan has been updated to v1.0.0.

      • Adds new event.module and Cps.version fields

      • Removes the Product and related.ip fields

      • Sets the following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type

      For more information, see Package palo-alto/prisma-sd-wan Release Notes.

    • zscaler/private-access has been updated to v1.2.0.

      Parser renaming and Deprecation notice

      As part of our continuous efforts to simplify and improve parser performance, we consolidated all existing parsers in this package into a single unified zscaler-privateaccess parser. This means the following parsers:

      • zscaler-zpa-app-connector-status-json

      • zscaler-zpa-app-protection-json

      • zscaler-zpa-audit-json

      • zscaler-zpa-browser-access-json

      • zscaler-zpa-user-activity-json

      • zscaler-zpa-user-status-json

        These parsers are deprecated, and all future changes will only go into the new zscaler-privateaccess parser. The new parser requires a change to the log format on the Zscaler side for Zscaler Private Access sources.

        Follow the steps outlined below for the migration process:

      • Create a new ingest token and associate it with the new zscaler-privateaccess parser.

      • In the ZPA administration console:

        • create a new log receiver and configure it with your LogScale Collector's IP address, TCP port, and TLS encryption details (if required)

        • under the Log Stream tab, set the new log format for each log type that you want to send into LogScale

      • Configure LogScale Collector to receive ZPA logs in the new format.

      • Confirm that data in the new format is successfully ingested into LogScale.

      • Delete the ingest tokens for the old parsers.

      • Delete the configuration for the old parsers in the LogScale Collector.

      • Remove the configuration for the old format in the ZPA console.

      Misc

      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      • Improves the field extraction and performance.

      For more information, see Package zscaler/private-access Release Notes.

    • infoblox/nios has been updated to v1.1.1.

      • Improves event categorization and outcomes via the event.category[] and event.type[] arrays and the event.outcome field.

      For more information, see Package infoblox/nios Release Notes.

    • nozomi/ids has been updated to v1.1.0.

      • Sets the event categorization fields: event.category, event.type and event.outcome based on the message data coming from the source.

      • Improves the field extraction and performance.

      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      For more information, see Package nozomi/ids Release Notes.

    • checkpoint/ngfw has been updated to v1.2.0.

      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      • Adds support for JSON format.

      • Fixes an issue where timestamps with a +2:00 offset were not handled correctly.

      • Adds several fields, for example host.ip, observer.egress.interface.name, observer.ingress.interface.name, destination.user.name and more.

      • Builds out the event.category and event.type fields.

      For more information, see Package checkpoint/ngfw Release Notes.

    • imperva/cloud-waf has been updated to v1.2.0.

      • Sets the event.category and event.type to threat/indicator for events where an attack took place.

      For more information, see Package imperva/cloud-waf Release Notes.