Falcon LogScale 1.161.0 GA (2024-10-22)
| Version | Type | Release Date | Availability | End of Support | Security Updates | Upgrades From | Downgrades To | Config. Changes |
|---|---|---|---|---|---|---|---|---|
| 1.161.0 | GA | 2024-10-22 | Cloud | 2025-12-31 | No | 1.112.0 | 1.112.0 | Yes |
Download
Use docker pull humio/humio-core:1.161.0 to download the latest version.
Bug fixes and updates.
Deprecation
Items that have been deprecated and may be removed in a future release.
The QUERY_COORDINATOR environment variable is deprecated. To control whether a node should be allowed to be a query coordinator, use the query node task instead. Node tasks can be assigned and unassigned at runtime using the assignTasks() and unassignTasks() GraphQL mutations respectively, or controlled using the INITIAL_DISABLED_NODE_TASKS environment variable. For more information, see INITIAL_DISABLED_NODE_TASKS.
The lastScheduledSearch field from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replace lastScheduledSearch.
Upgrades
Changes that may occur or be required during an upgrade.
Installation and Deployment
The JDK included in container deployments has been upgraded to 23.0.1.
New features and improvements
User Interface
A custom dialog now helps users save their widget changes on the Dashboard page before continuing to the Search page.
Configuration
A new boolean dynamic configuration parameter, DisableNewRegexEngine, has been added for disabling the LogScale Regular Expression Engine V2 globally on the cluster. This parameter does not stop queries that are already running and using the engine, but prevents the submission of new ones. See Setting a Dynamic Configuration Value for an example of how to set dynamic configurations.
Dashboards and Widgets
The Bar Chart widget can now be configured in the style panel with a horizontal or vertical orientation.
Functions
The new query functions crypto:sha1() and crypto:sha256() have been added. These functions compute a SHA cryptographic hash of the given fields and output a hex string as the result.
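Because the new functions emit hex, a digest computed inside LogScale can be compared with one computed elsewhere, for instance to match a field against a watchlist stored only in hashed form. The Python below is an added example, not code from the release notes or from LogScale; it assumes the functions hash the UTF-8 bytes of a field into lowercase hex, and the field names and events are constructed.

```python
import hashlib

# Constructed sample events (not from the page), shaped like fields a parser
# would leave on an event; the watchlist entry "mallory" is also made up.
SAMPLE_EVENTS = [
    {"user.name": "alice", "source.ip": "10.0.0.5"},
    {"user.name": "bob", "source.ip": "10.0.0.9"},
    {"user.name": "mallory", "source.ip": "203.0.113.7"},
]


def field_digest(value: str, algo: str = "sha256") -> str:
    """Lowercase hex digest of one field value.

    Assumption: crypto:sha256()/crypto:sha1() hash the UTF-8 bytes of the
    field and emit lowercase hex. The release notes only say the output is
    a hex string, so compare one known value against LogScale's output
    before relying on this for cross-system matching.
    """
    if algo not in ("sha1", "sha256"):
        raise ValueError("the new functions offer only sha1 and sha256")
    return hashlib.new(algo, value.encode("utf-8")).hexdigest()


def build_lookup_rows(values, algo: str = "sha256"):
    """Rows for a lookup file keyed by digest, so a query can hash the
    field with crypto:sha256() and match against the file without the
    plaintext watchlist ever being stored in the repository."""
    return [(field_digest(v, algo), v) for v in values]


def match_events(events, field: str, digests, algo: str = "sha256"):
    """Return the events whose hashed field value is in the digest set.
    This mirrors the query-side join and is run here for verification."""
    wanted = set(digests)
    return [e for e in events if field_digest(e.get(field, ""), algo) in wanted]


if __name__ == "__main__":
    rows = build_lookup_rows(["mallory"])
    print("hash,label")
    for digest, label in rows:
        print(f"{digest},{label}")
    hits = match_events(SAMPLE_EVENTS, "user.name", [d for d, _ in rows])
    print("matched:", [e["user.name"] for e in hits])
```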
Fixed in this release
Storage
Mini-segments would not be prioritized correctly when fetching them from bucket storage. This issue has now been fixed.
Dashboards and Widgets
Long values rendered in the Single Value widget would overflow the widget container. This issue has now been fixed.
Queries
The query scheduler has been fixed for an issue that could cause queries to get stuck in rare cases.
Improvement
User Interface
Improved the information messages displayed in the query editor when errors occur with lookup files used in queries.
Queries
Worker query prioritization is improved in specific cases where a query starts off highly resource-consuming but becomes more efficient as it progresses. In such cases, the scheduler could severely penalize the query, leading to it being unfairly deprioritized.
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
cisco/meraki has been updated to v1.2.0.
Adds the event.outcome field.
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.
For more information, see Package cisco/meraki Release Notes.
infoblox/nios has been updated to v1.2.0.
Deprecation notice:
The old parser syslog-utc is deprecated and replaced by the new parser infoblox-nios. In this release, the two parsers are exactly alike except for the name, but all future changes will only go into the new infoblox-nios parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old syslog-utc parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that search for this field need to accommodate this change.
Extends support for the syslog format.
Adds the following fields mapped to CPS: dns.question.name, dns.question.class, client.domain, client.ip and server.ip.
For more information, see Package infoblox/nios Release Notes.
zscaler/private-access has been updated to v1.2.0.
Parser renaming and Deprecation notice
As part of our continuous efforts to simplify and improve parser performance, we consolidated all existing parsers in this package into a single unified zscaler-privateaccess parser. This means the following parsers:
zscaler-zpa-app-connector-status-json
zscaler-zpa-app-protection-json
zscaler-zpa-audit-json
zscaler-zpa-browser-access-json
zscaler-zpa-user-activity-json
zscaler-zpa-user-status-json
are deprecated and all future changes will only go into the new zscaler-privateaccess parser. The new parser requires a change on the Zscaler side in the log format for Zscaler Private Access sources.
Follow the steps outlined below for the migration process:
Create a new ingest token and associate it with the new zscaler-privateaccess parser.
In the ZPA administration console:
Create a new log receiver and configure it with your LogScale Collector's IP address, TCP port, and TLS encryption details (if required).
Under the Log Stream tab, set the new log format for each log type you want to send into LogScale.
Configure LogScale Collector to receive ZPA logs in the new format.
Confirm that data in the new format is successfully ingested into LogScale.
Delete the ingest tokens for the old parsers.
Delete the configuration for the old parsers in the LogScale Collector.
Remove the configuration for the old format in the ZPA console.
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.
Improves the field extraction and performance.
For more information, see Package zscaler/private-access Release Notes.
infoblox/nios has been updated to v1.1.1.
Improves event categorization and outcomes via the event.category[] and event.type[] arrays and the event.outcome field.
For more information, see Package infoblox/nios Release Notes.
nozomi/ids has been updated to v1.1.0.
Sets the event categorization fields: event.category, event.type and event.outcome based on the message data coming from the source.
Improves the field extraction and performance.
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.
For more information, see Package nozomi/ids Release Notes.
checkpoint/ngfw has been updated to v1.2.0.
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.
Adds support for JSON format.
Fixes an issue where timestamps with a +2:00 offset were not handled correctly.
Adds several fields, for example host.ip, observer.egress.interface.name, observer.ingress.interface.name, destination.user.name and more.
Builds out the event.category and event.type fields.
For more information, see Package checkpoint/ngfw Release Notes.
imperva/cloud-waf has been updated to v1.2.0.
Sets the event.category and event.type to threat/indicator for events where an attack took place.
For more information, see Package imperva/cloud-waf Release Notes.