Falcon LogScale 1.162.0 GA (2024-10-29)
| Version | Type | Release Date | Availability | End of Support | Security Updates | Upgrades From | Downgrades To | Config. Changes |
|---|---|---|---|---|---|---|---|---|
| 1.162.0 | GA | 2024-10-29 | Cloud | 2025-12-31 | No | 1.112.0 | 1.157.0 | Yes |
Download
Use docker pull humio/humio-core:1.162.0 to download the latest version
Bug fixes and updates.
Deprecation
Items that have been deprecated and may be removed in a future release.
The QUERY_COORDINATOR environment variable is deprecated. To control whether a node should be allowed to be a query coordinator, use the query node task instead. Node tasks can be assigned and unassigned at runtime using the assignTasks() and unassignTasks() GraphQL mutations respectively, or controlled using the INITIAL_DISABLED_NODE_TASKS environment variable.
For more information, see INITIAL_DISABLED_NODE_TASKS.
The lastScheduledSearch field from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replace lastScheduledSearch.
Upgrades
Changes that may occur or be required during an upgrade.
Installation and Deployment
Once LogScale has been upgraded to 1.162.0 with the WriteNewSegmentFileFormat feature flag enabled, LogScale cannot be downgraded to a version lower than 1.157.0.
New features and improvements
Security
Users can now view actions in restricted read-only mode when they have the Data read access permission on the repository or view.
Storage
The WriteNewSegmentFileFormat feature flag is now removed and the feature is enabled by default to improve compression of segment files.
Configuration
The default value for MINISEGMENT_PREMERGE_MIN_FILES has been increased from 4 to 12. This results in less global traffic from merges, and reduces churn in bucket storage from mini-segments being replaced.
Ingestion
The way query resources are handled with respect to ingest occupancy has changed. If the maximum occupancy over all the ingest readers is less than the limit set (90 % by default), LogScale will not reduce resources for queries. The new configuration variable INGEST_OCCUPANCY_QUERY_PERMIT_LIMIT allows this default limit of 90 % to be changed, to adjust how busy ingest readers should be before query resources are limited.
Dashboards and Widgets
When configuring series for a widget, suggestions for series are now available in a dropdown list, rather than having to type the series out.
Fixed in this release
Storage
Several issues have been fixed, which could cause LogScale to replay either too much, or too little data from Kafka if segments with topOffsets were deleted at inopportune times. LogScale will now delay deleting newly written segments, even if they violate retention, until the topOffsets field has been cleared, which indicates that the segments cannot be replayed from Kafka later. Segment bytes being held onto in this way are logged by the RetentionJob as part of the periodic logging.
A NullPointerException error occurring since version 1.156.0 when closing segment readers during redactEvent processing has now been fixed.
An extremely rare data loss issue has been fixed: file corruption on a digester could cause the cluster to delete all copies of the affected segments, even if some copies were not corrupt. When a digester detects a corrupt recently-written segment file during bootup, it will no longer delete that segment from Global. It will instead only remove the local file copy. If the segment needs to be deleted in Global because it's being replayed from Kafka, the new digest leader will handle that as part of taking over the partition.
Ingestion
An issue has been fixed that could cause the starting position for digest to get stuck in rare cases.
Queries
Backtracking checks are now added to the optimized instructions for (?s).*? in the LogScale Regular Expression Engine V2. This prevents regexes of this type from getting stuck in infinite loops which are ultimately detrimental to a cluster's health.
Stopping alerts and scheduled searches could create a "Could not cancel alert query" entry in the activity logs. This issue has now been fixed. The queries were still correctly stopped previously, but this bug led to incorrect logging in the activity log.
Functions
Error messages produced by the match() function could reference the wrong file. This issue has now been fixed.
Improvement
API
Improved the efficiency of the autosharding rules store.
Queries
Queries that refer to fields in the event are now more efficient due to an improvement made in the query engine.
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
infoblox/nios has been updated to v1.2.0.
Deprecation notice:
The old parser syslog-utc is deprecated, and replaced by the new parser infoblox-nios. In this release, the two parsers are exactly alike, except for the name, but all future changes will only go into the new infoblox-nios parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old syslog-utc parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that search for this field need to accommodate this change.
It extends the support of syslog format.
Adds the following fields mapped to CPS: dns.question.name, dns.question.class, client.domain, client.ip and server.ip.
For more information, see Package infoblox/nios Release Notes.
zscaler/private-access has been updated to v1.2.0.
Parser renaming and Deprecation notice
As part of our continuous efforts to simplify and improve parser performance, we consolidated all existing parsers in this package into a single unified zscaler-privateaccess parser. This means the following parsers:
zscaler-zpa-app-connector-status-json
zscaler-zpa-app-protection-json
zscaler-zpa-audit-json
zscaler-zpa-browser-access-json
zscaler-zpa-user-activity-json
zscaler-zpa-user-status-json
are deprecated and all future changes will only go into the new zscaler-privateaccess parser. The new parser requires a change on the Zscaler side in the log format for Zscaler Private Access sources.
Follow the steps outlined below for the migration process:
Create new ingest token and associate it with the new zscaler-privateaccess parser
In the ZPA administration console:
Create a new log receiver and configure it with your LogScale Collector's IP address, TCP port, and TLS encryption details (if required)
Under the Log Stream tab, set the new log format for a log type which you want to send into LogScale
Configure LogScale Collector to receive ZPA logs with new format
Confirm that data with new format is successfully ingested into LogScale
Delete the ingest tokens for old parsers
Delete the configuration for old parsers in the LogCollector
Remove the configuration for the old format in the ZPA console
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.
Improves the field extraction and performance.
For more information, see Package zscaler/private-access Release Notes.
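Both deprecation notices above (infoblox/nios and zscaler/private-access) change the value stored in #type, so alerts and saved searches that filter on the old parser names stop matching once data is parsed by the new parser. The following is an added example, not code from LogScale or these packages: it scans query strings for literal #type filters on the deprecated names listed in these notes and can widen positive filters to cover both names during migration. The query names, the checkpoint-ngfw parser name and the sample queries are constructed for illustration.

```python
import re

# Deprecated parser name -> replacement, as listed in these release notes.
RENAMED_PARSERS = {
    "syslog-utc": "infoblox-nios",
    "zscaler-zpa-app-connector-status-json": "zscaler-privateaccess",
    "zscaler-zpa-app-protection-json": "zscaler-privateaccess",
    "zscaler-zpa-audit-json": "zscaler-privateaccess",
    "zscaler-zpa-browser-access-json": "zscaler-privateaccess",
    "zscaler-zpa-user-activity-json": "zscaler-privateaccess",
    "zscaler-zpa-user-status-json": "zscaler-privateaccess",
}

# Literal filters only (#type=name, #type != "name"); regex filters such as
# #type=/.../ are not detected and need manual review.
TYPE_FILTER = re.compile(r'#type\s*(!?=)\s*"?([A-Za-z0-9_.-]+)"?')

# Constructed sample: saved alert/search names and their query strings.
SAMPLE_QUERIES = {
    "dns-nxdomain-spike": '#type=syslog-utc | dns.question.name=* | count()',
    "zpa-admin-changes": '#type = "zscaler-zpa-audit-json" | groupBy(user.name)',
    "not-zpa-status": '#type!=zscaler-zpa-user-status-json | count()',
    "fw-denies": '#type=checkpoint-ngfw | event.type=denied',
}

def find_stale_type_filters(queries):
    """Return (query name, operator, old parser, new parser) for each hit."""
    findings = []
    for name, text in queries.items():
        for op, parser in TYPE_FILTER.findall(text):
            if parser in RENAMED_PARSERS:
                findings.append((name, op, parser, RENAMED_PARSERS[parser]))
    return findings

def widen_type_filters(text):
    """Rewrite positive filters to match old and new parser names while both
    are still ingesting; negative filters are left untouched for review."""
    def repl(m):
        op, parser = m.group(1), m.group(2)
        if op != "=" or parser not in RENAMED_PARSERS:
            return m.group(0)
        return f"(#type={parser} or #type={RENAMED_PARSERS[parser]})"
    return TYPE_FILTER.sub(repl, text)

if __name__ == "__main__":
    for finding in find_stale_type_filters(SAMPLE_QUERIES):
        print(finding)
```

Because syslog-utc is a generic name, confirm that a flagged query actually targets Infoblox NIOS data before rewriting it.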
checkpoint/ngfw has been updated to v1.2.0.
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.
Adds support for JSON format.
Fixes an issue where the timestamp wasn't working if it was +2:00.
Adds a couple of fields, for example: host.ip, observer.egress.interface.name, observer.ingress.interface.name, destination.user.name and more.
Builds out the event.category and event.type fields.
For more information, see Package checkpoint/ngfw Release Notes.