Falcon LogScale 1.165.3 LTS (2025-04-23)

Version?Type?Release Date?Availability?End of SupportSecurity UpdatesUpgrades From?Downgrades To?Config. Changes?
1.165.3LTS2025-04-23

Cloud

On-Prem

2025-12-31No1.112.01.157.0No

Hide file download links

Show file download links

Hide file hashes

Show file hashes

These notes include entries from the following previous releases: 1.165.2, 1.165.1, 1.165.2, 1.165.1, 1.165.2

Bug fixes and updates.

Removed

Items that have been removed as of this release.

GraphQL API

  • Removed the following deprecated fields from the Cluster GraphQL type:

    • ingestPartitionsWarnings

    • suggestedIngestPartitions

    • suggestedIngestPartitions

    • storagePartitions

    • storagePartitionsWarnings

    • suggestedStoragePartitions

Storage

  • The file format for segment data has been updated. The compression ratio for segment data may increase and reduce the size of stored segments.

Configuration

  • The dynamic configuration and related GraphQL API AstDepthLimit has been removed.

  • The UNSAFE_ALLOW_FEDERATED_CIDR, UNSAFE_ALLOW_FEDERATED_MATCH, and ALLOW_MULTI_CLUSTER_TABLE_SYNCHRONIZATION environment variables have been removed as they now react as if they are always enabled.

Deprecation

Items that have been deprecated and may be removed in a future release.

  • The QUERY_COORDINATOR environment variable is deprecated. To control whether a node should be allowed to be a query coordinator, use the query node task instead. Node tasks can be assigned and unassigned at runtime using the assignTasks() and unassignTasks() GraphQL mutations respectively, or controlled using the INITIAL_DISABLED_NODE_TASKS environment variable.

    For more information, see INITIAL_DISABLED_NODE_TASKS.

  • The lastScheduledSearch field from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replace lastScheduledSearch.

Upgrades

Changes that may occur or be required during an upgrade.

  • Installation and Deployment

    • The JDK included in container deployments has been upgraded to 23.0.2.

    • Once LogScale has been upgraded to 1.162.0 with the WriteNewSegmentFileFormat feature flag enabled, LogScale cannot be downgraded to a version lower than 1.157.0.

    • The JDK included in container deployments has been upgraded to 23.0.1

New features and improvements

  • Security

    • Users can now view actions in restricted read-only mode when they have the Data read access permission on the repository or view.

    • Users can now see and use saved queries without needing the CreateSavedQueries and the UpdateSavedQueries permissions.

    • Users can now see actions in restricted read-only mode when they have the ReadAccess permission on the repository or view.

  • Installation and Deployment

  • User Interface

    • PDF Render Service now supports proxy communication between service and LogScale. Adding the environment variable http_proxy or https_proxy to the PDF render service environment will add a proxy agent to all requests from the service to LogScale.

    • Documentation is now displayed on hover in the LogScale query editor within Falcon. The full syntax usage and a link to the documentation is now visible for any keyword in a query.

    • The Files page now features a new table view with enhanced search and filtering, making it easier to find and manage your files. You can now import multiple files at once.

      For more information, see Lookup Files.

    • When Save Searches, saved queries now appear in sorted order and are also searchable.

    • Users with the ReadAccess permission on the repository or view can now view scheduled reports in read-only mode.

    • Files grouped by package are now displayed back again on the Files page including the Package Name column, which was temporarily unavailable after the recent page overhaul.

    • A custom dialog now helps users save their widget changes on the Dashboard page before continuing on the Search page.

  • Automation and Triggers

    • Three alert messages were deprecated and replaced with new, more accurate alert messages.

      • For Legacy Alerts: The query result is currently incomplete. The alert will not be polled in this loop replaces Starting the query for the alert has not finished. The alert will not be polled in this loop.

      • For Filter Alerts and Triggers: The query result is currently incomplete. The alert will not be polled in this run replaces Starting the alert query has not finished. The alert will not be polled in this run in some situations where it is more correct.

      • The alert message was updated for filter and aggregate alerts in some cases where the live query was stopped due to the alert being behind.

      For more information, see Monitor Trigger Execution through the humio-activity Repository.

    • In the activity logs, the exception field now only contains the name of the exception class, as the remainder of what used to be there is already present in the exceptionMessage field.

    • The queryStart and queryEnd fields has been added for two aggregate alerts log lines:

      • Alert found results, but no actions were invoked since the alert is throttled

      • Alert found no results and will not trigger

      and removed for three others as they did not contain the correct value:

      • Alert is behind. Will stop live query and start running historic queries to catch up

      • Alert query took too long to start and the result are now too old. LogScale will stop the live query and start running historic queries to catch up

      • Running a historic query to catch up took too long and the result is now outside the retry limit. LogScale will skip this data and start a query for events within the retry limit

    • The Alerts page now shows the following UI changes:

      • A new column Last modified is added in the Alerts overview to display when the alert was last updated and by whom.

      • The same above column is added either in the alert properties side panel and in the Search page.

      • The Package column is no longer displayed as default on the Alerts overview page.

      For more information, see Create a trigger from the Triggers overview.

  • GraphQL API

  • Storage

    • The amount of autoshard increase requests allowed has been reduced, to reduce pressure on global traffic from these requests.

  • API

    • Implemented support for returning a result over 1GB in size on the /api/v1/globalsubset/clustervhost endpoint. There is now a limit on the size of 8GB of the returned result.

  • Configuration

  • Dashboards and Widgets

    • Numbers in the Table widget can now be displayed with trailing zeros to maintain a consistent number of decimal places.

    • When configuring series for a widget, suggestions for series are now available in a dropdown list, rather than having to type the series out.

    • The Bar Chart widget can now be configured in the style panel with a horizontal or vertical orientation.

  • Ingestion

    • Query resources will now also account for reading segment files in addition to scanning files. This will enable better control of CPU resources between search and the data pipeline operations (ingest, digest, storage).

    • Increased a timeout for loading new CSV files used in parsers to reduce the likelihood of having the parser fail.

    • The way query resources are handled with respect to ingest occupancy has changed. If the maximum occupancy over all the ingest readers is less than the limit set (90 % by default), LogScale will not reduce resources for queries. The new configuration variable INGEST_OCCUPANCY_QUERY_PERMIT_LIMIT now allows to change such default limit of 90 % to adjust how busy ingest readers should be in order to limit query resources.

    • The toolbar of the Parser editor has been modified to be more in-line with the design of the LogScale layout. You can now find Duplicate, Settings and Export buttons under the ellipsis menu.

      For more information, see Parse Data.

    • Added logging when a parser fails to build and ingest defaults to ingesting without parsing. The log lines start with Failed compiling parser.

  • Log Collector

    • LogScale Collector can now enable internal loggin of instances through Fleet Management.

      For more information, see Internal Logging.

  • Queries

    • LogScale Regular Expression Engine V2 is now optimized to support character match within a single line, e.g. /.*/s.

    • Ad-hoc tables feature is introduced for easier joins. Use the defineTable() function to define temporary lookup tables. Then, join them with the results of the primary query using the match() function. The feature offers several benefits:

      • Intuitive approach that now allows for writing join-like queries in the order of execution

      • Step-by-step workflow to create complex, nested joins easily.

      • Workflow that is consistent to the model used when working with Lookup Files

      • Easy troubleshooting while building queries, using the readFile()function

      • Expanded join use cases, providing support for:

        • inner joins with match(... strict=true)

        • left joins with match(... strict=false)

        • right joins with readFile() | match(... strict=false)

      • Join capabilities in LogScale Multi-Cluster Search environments (Self-Hosted users only)

      When match() or similar functions are used, additional tabs from the files and/or tables used in the primary query now appear in order in Search next to the Results tab. The tab names are prefixed by \"Table: \" to make it more clear what they refer to.

      For more information, see Using Ad-hoc Tables.

    • Changed the internal submit endpoint such that the requests logs correct information on whether the request is internal or not.

  • Functions

    • Improvements in the sort(), head(), and tail() functions: the error message when entering an incorrect value in the limit parameter now mentions both the minimum and the maximum configured value for the limit.

    • Introducing the new query function array:rename(). This function renames all consecutive entries of an array starting at index 0.

      For more information, see array:rename().

    • A new parameter trim has been added to the parseCsv() function to ignore whitespace before and after values. In particular, it allows quotes to appear after whitespace. This is a non-standard extension useful for parsing data created by sources that do not adhere to the CSV standard.

    • The following new functions have been added:

    • bitfield:extractFlags() can now handle unsigned 64 bit input. It can also handle larger integers, but only the lowest 64 bits will be extracted.

    • The wildcard() function has an additional parameter: includeEverythingOnAsterisk. When this parameter is set to true, and pattern is set to *, the function will also match events that are missing the field specified in the field parameter.

      For more information, see wildcard().

    • The following query functions limits have now their minimum value set to 1. In particular:

      • The bucket() and timeChart() query functions now require that the value given as their bucket argument is at least 1. For example, bucket(buckets=0) will produce an error.

      • The collect(),hash(), readFile(), selfJoin(), top() and transpose() query functions now require their limit argument to be at least 1. For example, top([aid], limit=0) will produce an error.

      • The series() query function now requires the memlimit argument to be at least 1, if provided. For example, | series(collect=aid, memlimit=0) will produce an error.

    • The new query functions crypto:sha1() and crypto:sha256() have been added. These functions compute a cryptographic SHA-hashing of the given fields and output a hex string as the result.

  • Other

    • If feature flag WriteNewSegmentFileFormat is enabled via built-in mechanisms, then raise the minimum version in global to 1.157.0 so that any potential roll back does not go to a version that cannot properly handle the feature being on-then-off; builds before 1.157.0 do not properly handle the feature being off if it has been on before.

Fixed in this release

  • Security

    • OIDC authentication would fail if certain characters in the state variable were not properly URL-encoded when redirecting back to LogScale. This issue has been fixed.

  • User Interface

    • Event List has been fixed as it would not take sorting from query API into consideration when sorting events based on UI configuration.

    • The red border appearing in the Table widget when invalid changes are made to a dashboard interaction is now fixed as it would not display correctly.

    • Dragging would stop working on the Dashboard page in cases where invalid changes were made and saved to a widget and the user would then click Continue editing. This issue has been fixed and the dragging now works correctly also in this case.

  • Automation and Triggers

    • Fixed an issue where the Action overview page would not load if it contained a large number of actions.

  • GraphQL API

    • role.users() query has been fixed as it would return duplicate users in some cases.

  • Storage

    • Mini-segments would not be prioritized correctly when fetching them from bucket storage. This issue has now been fixed.

    • Segments were not being fetched on an owner node. This issue could lead to temporary under-replication and keeping events in Kafka.

    • Resolved a defect that could lead to corrupted JSON messages on the internal Kafka queue.

    • Several issues have been fixed, which could cause LogScale to replay either too much, or too little data from Kafka if segments with topOffsets were deleted at inopportune times. LogScale will now delay deleting newly written segments, even if they violate retention, until the topOffsets field has been cleared, which indicates that the segments cannot be replayed from Kafka later. Segment bytes being held onto in this way are logged by the RetentionJob as part of the periodic logging.

    • NullPointerException error occurring since version 1.156.0 when closing segment readers during redactEvent processing has now been fixed.

    • An extremely rare data loss issue has been fixed: file corruption on a digester could cause the cluster to delete all copies of the affected segments, even if some copies were not corrupt. When a digester detects a corrupt recently-written segment file during bootup, it will no longer delete that segment from Global. It will instead only remove the local file copy. If the segment needs to be deleted in Global because it's being replayed from Kafka, the new digest leader will handle that as part of taking over the partition.

    • Recently ingested data could be lost when the cluster has bucket storage enabled, USING_EPHEMERAL_DISKS is set to false, and a recently ingested segment only exists in bucket storage. This issue has now been fixed.

    • LogScale could spuriously log Found mini segment without replacedBy and a merge target that already exists errors when a repository is undeleted. This issue has been fixed.

  • API

    • An issue has been fixed in the computation of the digestFlow property of the query response. The information contained there would be stale in cases where the query started from a cached state or there were digest leadership changes (for example, in case of node restarts).

      For more information, see Polling a Query Job.

  • Dashboards and Widgets

    • Errors were occurring in dashboard queries when dashboard filters contained parameters that were only used within the filter itself and nowhere else in the query. This issue has now been fixed.

    • Long values rendered in the Single Value widget would overflow the widget container. This issue has now been fixed.

    • Dashboard parameter values were mistakenly not used by saved queries in scenarios with parameter naming overlap and no saved query arguments provided.

  • Ingestion

    • Parser Assertions have been fixed as some would be marked as passing, even though they should be failing.

    • An erroneous array gap detection has been fixed as it would detect gaps where there were none.

    • An error is no longer returned when running parser tests without test cases.

    • An issue has been fixed that could cause the starting position for digest to get stuck in rare cases.

  • Log Collector

    • When computing group memberships in fleet management, a query timeout could result in collectors loosing their group memberships. This issue has now been fixed.

  • Queries

    • Backtracking checks are now added to the optimized instructions for (?s).*? in the LogScale Regular Expression Engine V2. This prevents regexes of this type from getting stuck in infinite loops which are ultimately detrimental to a cluster's health.

    • Fixed an issue which could cause live query results from some workers being temporarily represented in the final result twice. The situation was transient and could only occur during digester changes.

    • Fixed an issue where a query would fail to start in some cases when the query cache was available. The user would see the error Recent events overlap span excluded from query using historicStartMin.

    • Some queries (especially live queries) would continuously send a warning about missing data. This could happen if the query was planned at a time when there were cluster topology changes. This issue has been fixed and, instead of sending the warning, the query will now automatically restart since there might be more data to search.

    • A performance regression in the query scheduler has been fixed as it could lead to query starvation and slow searches.

    • The query scheduler has been fixed for an issue that could cause queries to get stuck in rare cases.

    • Stopping alerts and scheduled searches could create a Could not cancel alert query entry in the activity logs. This issue has now been fixed. The queries were still correctly stopped previously, but this bug led to incorrect logging in the activity log.

  • Functions

    • In defineTable(), start and end parameters did not work correctly when the primary query's end time was a relative timestamp: the sub-query's time was relative to now, and it has now been fixed to be relative to the primary query's end time.

    • Error messages produced by the match() function could reference the wrong file. This issue has now been fixed.

  • Other

    • Query result highlighting would crash cluster nodes when getting filter matches for some regexes. This issue has been fixed.

Known Issues

  • Ingestion

    • An issue has been identified where construction of parsers utilizing files may experience timeouts when the Ad-hoc tables feature is enabled. This issue potentially impacts clusters running versions 1.165 through 1.170.

      Mitigation: temporarily disable the ad-hoc tables feature on affected clusters.

      Solution: upgrade to version 1.171, where this issue has been resolved.

  • Functions

    • The match() function misses some matching rows when matching on multiple rows in glob mode. This happens in cases where there are rows with different glob patterns matching on the same event. For example, using a file example.csv:

      Raw Events
      column1,column2
      ab*,one
      a*,two
      a*,three

      and the query:

      logscale
      match(example.csv, field=column1, mode=glob, nrows=3)

      An event with the field column1=abc will only match on the last two rows.

    • A known issue in the implementation of the defineTable() function means it is not possible to transfer generated tables larger than 128MB. The user receives an error if the generated table exceeds that size.

    • The match() function misses some matching rows when matching on multiple rows in cidr mode. This happens in cases where there are rows with different subnets matching the same event. For example, using a file example.csv:

      Raw Events
      subnet,value
      1.2.3.4/24,monkey
      1.2.3.4/25,horse

      and the query:

      logscale
      match(example.csv, field=subnet, mode=cidr, nrows=3)

      An input event with ip = 1.2.3.10 will only output:

      ipvalue
      1.2.3.10horse

      whereas the correct output should actually be:

      ipvalue
      1.2.3.10horse
      1.2.3.10monkey

Improvement

  • User Interface

    • Improving the information messages that are displayed in the query editor when errors with lookup files used in queries occur.

    • Improving the warnings given when performing multi-cluster searches across clusters running on different LogScale versions.

  • API

  • Queries

    • Queries that refer to fields in the event are now more efficient due to an improvement made in the query engine.

Recent Package Updates

The following LogScale packages have been updated within the last month.

  • Package Changes

    • aws/cloudtrail has been updated to v1.1.5.

      • Added fallback to userIdentity.userName for user.name field

      • Updated ECS version to 8.17.0

      For more information, see Package aws/cloudtrail Release Notes.

    • broadcom/proxysg has been updated to v1.2.0.

      • Updated ECS version to 8.17.0

      • Added event.kind field set to "event"

      • Changed array handling for event.category[] and event.type[] to use array:append

      • The old parser syslog-utc is now officially removed from the Broadcom Symantec ProxySG package

      For more information, see Package broadcom/proxysg Release Notes.

    • checkpoint/ngfw has been updated to v1.3.0.

      Duplicated vendor fields removed

      Updated parser has been improved to handle field duplication more efficiently. Previously, certain fields were duplicated under both the Vendor namespace (e.g. Vendor.srcIp) and a CPS (e.g. source.ip). If the value of two such fields is byte-for-byte the same, the updated parser will no longer preserve the vendor-specific field, but only the CPS field. If the value of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data, when using the updated parser:

      • Vendor.action

      • Vendor.additional_info

      • Vendor.administrator

      • Vendor.app_risk

      • Vendor.app_rule_id

      • Vendor.app_rule_name

      • Vendor.application

      • Vendor.bytes

      • Vendor.categories

      • Vendor.client_inbound_interface

      • Vendor.client_ip

      • Vendor.conn_direction

      • Vendor.delivery_time

      • Vendor.description

      • Vendor.dlp_file_name

      • Vendor.dlp_rule_name

      • Vendor.dlp_rule_uid

      • Vendor.dns_message_type

      • Vendor.dns_type

      • Vendor.domain_name

      • Vendor.dst

      • Vendor.dst_user_name

      • Vendor.email_message_id

      • Vendor.email_queue_id

      • Vendor.email_subject

      • Vendor.endpoint_ip

      • Vendor.file_id

      • Vendor.file_name

      • Vendor.file_size

      • Vendor.file_type

      • Vendor.first_detection

      • Vendor.from

      • Vendor.ifdir

      • Vendor.ifname

      • Vendor.industry_reference

      • Vendor.information

      • Vendor.inzone

      • Vendor.last_detection

      • Vendor.lastupdatetime

      • Vendor.layer_name

      • Vendor.loguid

      • Vendor.mac_destination_address

      • Vendor.mac_source_address

      • Vendor.malware_action

      • Vendor.malware_rule_id

      • Vendor.malware_rule_name

      • Vendor.matched_category

      • Vendor.method

      • Vendor.objectname

      • Vendor.origin

      • Vendor.origin_ip

      • Vendor.os_name

      • Vendor.os_version

      • Vendor.outzone

      • Vendor.packet_capture

      • Vendor.packets

      • Vendor.parent_process_name

      • Vendor.policy

      • Vendor.process_name

      • Vendor.product

      • Vendor.proto

      • Vendor.received_bytes

      • Vendor.referrer

      • Vendor.resource

      • Vendor.rule_name

      • Vendor.rule_uid

      • Vendor.s_port

      • Vendor.security_outzone

      • Vendor.sent_bytes

      • Vendor.sequencenum

      • Vendor.server_outbound_bytes

      • Vendor.server_outbound_interface

      • Vendor.server_outbound_packets

      • Vendor.service

      • Vendor.service_id

      • Vendor.session_description

      • Vendor.session_uid

      • Vendor.severity

      • Vendor.smartdefence_profile

      • Vendor.sport_svc

      • Vendor.src

      • Vendor.src_user_group

      • Vendor.src_user_name

      • Vendor.start_time

      • Vendor.svc

      • Vendor.to

      • Vendor.type

      • Vendor.uid

      • Vendor.update_version

      • Vendor.url

      • Vendor.user

      • Vendor.user_agent

      • Vendor.user_group

      • Vendor.usercheck_incident_uid

      • Vendor.web_client_type

      • Vendor.xlatedport

      • Vendor.xlatedport_svc

      • Vendor.xlatedst

      • Vendor.xlatesport

      • Vendor.xlatesport_svc

      • Vendor.xlatesrc

      Miscellaneous

      • Bug fix: resolved an issue with the regex used to extract fields from rawstring.

      • Bumps the ecs.version to 8.16.0.

      • Corrects a typo in the event.type field values to comply with ECS. Changed conection to connection and delection to deletion.

      • Removes the destination.service.name field as it was not valid ECS field.

      • Renames the network.app_name to network.application to comply with ECS.

      • Updates the event.dataset from content-awareness to ngfw.content-awareness to comply with CPS.

      For more information, see Package checkpoint/ngfw Release Notes.

    • microsoft/sysmon has been updated to v1.1.1.

      • Removes the references to the lookup file from the parser.

      • Bumps the ecs.version to 8.16.0.

      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      For more information, see Package microsoft/sysmon Release Notes.

    • microsoft/windows-dns-debug has been updated to v1.3.1.

      • Improved regex patterns for timestamp parsing

      • Added support for error messages with socket failures

      • Enhanced field extraction for DNS packet information

      • Fixed array handling for DNS header flags

      • Updated parser version to 2.2.1

      For more information, see Package microsoft/windows-dns-debug Release Notes.

    • imperva/cloud-waf has been updated to v1.3.1.

      • Removes the references to the lookup file from the parser.

      • Bumps the ecs.version to 8.16.0.

      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      For more information, see Package imperva/cloud-waf Release Notes.

    • forcepoint/dlp has been updated to v1.2.0.

      • Added severity mapping based on Forcepoint documentation

      • Improved user domain extraction

      • Enhanced array handling for event categories and types

      • Optimized field cleanup process

      • The old parser dlp-cef is now officially removed from the Forcepoint DLP package

      For more information, see Package forcepoint/dlp Release Notes.

    • aws/s3-server-access has been updated to v1.2.0.

      • Updated ECS version to 8.17.0

      • Added new fields:

        • cloud.Storage.bucket_name

        • error.code

        • host.id

        • url.original

        • user_agent.original

      • Improved array handling for event category and type fields

      • Fixed field duplication issues

      • The old parser s3access-space-delimited is now officially removed from the AWS S3 package

      For more information, see Package aws/s3-server-access Release Notes.

    • rubrik/security-cloud has been updated to v1.1.0.

      • Added severity normalization mapping

      • Added event categorization for vulnerability events

      • Added event type and kind fields

      • Updated ECS version to 8.17.0

      For more information, see Package rubrik/security-cloud Release Notes.

    • haproxy/haproxy has been updated to v1.2.0.

      • Updated ECS version to 8.17.0

      • Added new field mappings for log.syslog fields

      • Added process.name and process.pid fields

      • Added host.name field mapping

      • Added source.port field mapping

      • The old parser haproxy-syslog is now officially removed from the HAProxy package

      For more information, see Package haproxy/haproxy Release Notes.

    • claroty/ctd has been updated to v1.2.0.

      • Updated ECS version to 8.17.0

      • Improved event categorization using array:append

      • Added event severity mapping

      • Optimized field handling and cleanup

      • The old parser cef-latest is now officially removed from the Claroty CTD package

      For more information, see Package claroty/ctd Release Notes.

    • cisco/firepower has been updated to v1.4.0.

      • Bumps the Parser.version to 3.0.0 and ecs.version to 8.16.0

      • Improves the field extraction and performance

      • Removes the event.code field as it does not conform to CPS standard

      • Further normalisation to ECS fields; observer.ingress.vlan.name, observer.egress.vlan.name, rule.ruleset, rule.category, user_agent.name, user_agent.original, user_agent.version, network.application, http.response.status_code, http.request.referrer

      For more information, see Package cisco/firepower Release Notes.

    • infoblox/nios has been updated to v1.2.1.

      • Adds event.kind field mapped to CPS

      For more information, see Package infoblox/nios Release Notes.

    • cloudflare/zerotrust has been updated to v1.2.0.

      • Improved JSON parsing with support for message prefix removal

      • Enhanced event categorization with proper event.category and event.type arrays

      • Added comprehensive email attachment parsing for Area1 security logs

      • Improved HTTP response status code handling for better event outcome determination

      • Added support for bulk log processing with improved detection logic

      For more information, see Package cloudflare/zerotrust Release Notes.

    • infoblox/nios has been updated to v1.3.0.

      • Improves event categorization.

      • Adds support for additional audit events

      • Enhances DNS field extraction

      • The old parser syslog-utc is now officially removed from the Infoblox Nios package

      For more information, see Package infoblox/nios Release Notes.

    • cisco/ios has been updated to v1.5.0.

      • Improved timestamp parsing for formats including year in different positions

      • Added support for MAC address extraction and normalization

      • Enhanced access list log parsing to handle MAC addresses in source fields

      • Added parsing for CFGLOG_LOGGEDCMD events to capture CLI commands

      For more information, see Package cisco/ios Release Notes.

    • f5networks/bigip has been updated to v2.2.0.

      • Added support for F5 Advanced Firewall Module (AFM) logs

      • Improved ASM event categorization for better threat detection

      • Updated ECS version to 8.17.0

      For more information, see Package f5networks/bigip Release Notes.

    • dell/isilon has been updated to v1.2.0.

      • Updated ECS version to 8.17.0

      • Added log.syslog fields for better syslog data representation

      • Improved array handling for event category and type fields

      • Removed deprecated isilon-syslog parser

      • The old parser isilon-syslog is now officially removed from the Dell Isilon package

      For more information, see Package dell/isilon Release Notes.

    • paloalto/firewall has been updated to v1.2.0.

      • Adds additional mappings to ECS for: source.geo.country_name, destination.geo.country_name, rule.category, process.command_line, source.ip (for Config logs), network.packets fields.

      • Adds url.* ECS fields for subtype url

      • Adds the field observer.type

      • Adds additional options to Config logs to determine event.outcome

      • Enhancement to parsing for system auth logs

      • Decodes network.transport to include network.iana_numbers

      • Aliases client.ip/port to source.ip/port and server.ip/port to destination.ip/port

      For more information, see Package paloalto/firewall Release Notes.

    • palo-alto/prisma-sd-wan has been updated to v1.1.0.

      • Improves the field extraction and performance.

      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      • Sets the Vendor.type field based on the event type.

      • Sets the observer.address, observer.name, event.outcome fields and more.

      • Renames the parser to paloalto-prisma-sdwan.

      For more information, see Package palo-alto/prisma-sd-wan Release Notes.

    • darktrace/detect has been updated to v1.3.0.

      • Added support for audit events with new event.dataset "detect.audit"

      • Fixed timezone handling for RFC 3164 syslog timestamps

      For more information, see Package darktrace/detect Release Notes.

    • island/island has been updated to v1.2.0.

      • Added rule.name and rule.id fields for network events

      • Added event.kind field set to "event"

      • Updated array handling for event.category and event.type fields

      • Updated ECS version to 8.17.0

      • The old parser island is now officially removed from the Island package

      For more information, see Package island/island Release Notes.

    • cisco/firepower has been updated to v1.6.3.

      • Updated field assignment syntax from rename() to direct assignment

      • Fixed regex pattern for teardown connections to handle optional fields

      • Improved lower() function usage for better performance

      For more information, see Package cisco/firepower Release Notes.

    • cisco/firepower has been updated to v1.6.1.

      • Improved regex pattern for inbound TCP connections to handle probe connections

      • Enhanced regex pattern for teardown connections to handle optional fields

      For more information, see Package cisco/firepower Release Notes.

    • cisco/firepower has been updated to v1.6.2.

      • Fixed regex pattern for session disconnection duration to handle complex duration formats

      For more information, see Package cisco/firepower Release Notes.

    • cisco/meraki has been updated to v1.2.1.

      • Removes the references to the lookup file from the parser

      • Bumps the ecs.version to 8.16.0

      For more information, see Package cisco/meraki Release Notes.

    • microsoft/windows-dns-debug has been updated to v1.3.0.

      • Added support for additional log formats

      • Improved handling of DNS debug log header lines

      • Updated ECS version to 8.17.0

      • Enhanced field extraction for DNS packet information

      • Added support for self-referential DNS messages

      • The old parser windows-dns is now officially removed from the Microsoft Windows DNS package

      For more information, see Package microsoft/windows-dns-debug Release Notes.

    • f5networks/bigip has been updated to v2.0.0.

      • Now supports all BIG-IP events: ASM, APM, DNS, LTM as well as BIG-IP System and OS logs.

      • Improves CPS categorization and normalization.

      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      For more information, see Package f5networks/bigip Release Notes.

    • fortinet/fortigate has been updated to v1.3.3.

      • Updated event outcome handling to set failure when action is block or blocked

      • Fixed test cases to match updated outcome logic

      For more information, see Package fortinet/fortigate Release Notes.

    • checkpoint/ngfw has been updated to v2.0.0.

      • Updated ECS version to 8.17.0

      • Improved event categorization with array-based approach

      • Enhanced field mapping for better data normalization

      • Optimized email field handling

      • Fixed field duplication issues

      For more information, see Package checkpoint/ngfw Release Notes.

    • cisco/duo has been updated to v2.1.0.

      • Adds normalization using the Vendor.auth_device.* fields.

      • Updates the field mapping for Cisco Duo Authentication events. To improve the accuracy and consistency of field normalization previously mapped source.user.* fields have been updated to user.* fields. This is a breaking change and some of the search queries, dasbhboards or alers that rely on the source.user.* fields may stop working. Update all affected search queries to use user.* fields to restore functionality.

      For more information, see Package cisco/duo Release Notes.

    • darktrace/detect has been updated to v1.1.0.

      • The parser darktrace-detect is an aggregation of the three previous parsers: ai_analyst_alert-syslog, model_breach_alert-syslog, system_status_alert-syslog

      • Handles events with syslog headers in both the RFC 5424 and RFC 3164 formats

      • Deals with large JSON objects within the message

      • Handles the following log types and sets event.dataset accordingly: detect.aianalyst/detect.modelbreach/detect.modeltrigger/detect.systemstatus/detect.antigena

      • CPS normalization that was previously done in separate parsers is carried out based on event.dataset

      • CPS normalization carried out for additional data types - detect.modeltrigger and detect.antigena

      • Added santised examples of all variations of event.dataset and syslog header format

      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      For more information, see Package darktrace/detect Release Notes.

    • infoblox/nios has been updated to v1.2.2.

      • Improves the dns.* fields extraction.

      • Bumps the ecs.version to 8.16.0

      • Enhacnes the regex to accept hashes in the host.domain field.

      For more information, see Package infoblox/nios Release Notes.

    • cisco/ise has been updated to v1.3.0.

      • Sets the event.outcome based on the Vendor.FailureReason field

      • The old parser cisco-ise-syslog is now officially removed from the Cisco Identity Services Engine (ISE) package

      For more information, see Package cisco/ise Release Notes.

    • fortinet/fortigate has been updated to v1.3.2.

      • Updated field assignments to use direct assignment instead of rename function

      • Updated ECS version to 8.17.0

      For more information, see Package fortinet/fortigate Release Notes.

    • cisco/ise has been updated to v1.2.0.

      • Adds support for the CISE_Alarm messages.

      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      For more information, see Package cisco/ise Release Notes.

    • humio/activity has been updated to v1.6.0.

      • Added new view interactions Open Alert Docs and Open Scheduled Search Docs which will open the online documentation for messages for alerts and scheduled searches.

      • Added a menu item on the table widgets on the dashboards containing a message for alerts and scheduled searches to open the online documentation for the message.

      For more information, see Package humio/activity Release Notes.

    • paloalto/firewall has been updated to v1.2.1.

      • Adds an additional mapping to ECS for user_agent.original field.

      • Parses user.name out of Admin field from Config logs.

      For more information, see Package paloalto/firewall Release Notes.

    • cisco/ios has been updated to v1.4.0.

      • Improved regex pattern for broader raw log coverage

      • Added timestamp parsing support for formats including year

      • Added LOGIN_FAILED eventCode parsing

      • The old parser syslog-utc is now officially removed from the Cisco IOS package

      • Utilized array:append() function for array declarations.

      For more information, see Package cisco/ios Release Notes.