Falcon LogScale 1.170.0 GA (2025-01-07)
| Version | Type | Release Date | Availability | End of Support | Security Updates | Upgrades From | Downgrades To | Config. Changes |
|---|---|---|---|---|---|---|---|---|
| 1.170.0 | GA | 2025-01-07 | Cloud | 2026-02-28 | No | 1.136.0 | 1.157.0 | No |
Download
Use docker pull humio/humio-core:1.170.0 to download the latest version.
Bug fixes and updates.
Deprecation
Items that have been deprecated and may be removed in a future release.
The QUERY_COORDINATOR environment variable is deprecated. To control whether a node should be allowed to be a query coordinator, use the query node task instead. Node tasks can be assigned and unassigned at runtime using the assignTasks() and unassignTasks() GraphQL mutations respectively, or controlled using the INITIAL_DISABLED_NODE_TASKS environment variable. For more information, see INITIAL_DISABLED_NODE_TASKS.
The lastScheduledSearch field of the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replace lastScheduledSearch.
Behavior Changes
Scripts or environments that make use of these tools should be checked and updated for the new configuration:
Storage
Relocation of datasources after a partition count change will now be restarted if the Kafka partition count changes again while the cluster is executing relocations. This ensures datasource placement always reflects the latest partition count.
Upgrades
Changes that may occur or be required during an upgrade.
Installation and Deployment
Once LogScale has been upgraded to 1.162.0 with the WriteNewSegmentFileFormat feature flag enabled, LogScale cannot be downgraded to a version lower than 1.157.0.
New features and improvements
User Interface
You can now hide the event distribution histogram to get even more space for looking at your data. This new button is located in the toolbar above the Results tab in the Search interface. For more information, see Display Results and Events.
GraphQL API
The analyzeQuery() GraphQL query now supports rejecting functions. This is done using the rejectFunctions input parameter, which takes a list of function names.
Queries
Added the resultPipelineExecutionCount field to the following logs from the QuerySessions class, starting with:
live part of live query ended:
static part of live query ended:
static query ended:
poll of live query:
This field captures how many times the result calculation pipeline has run for a given query, with the following remarks:
Join queries only count the main query, since execution counts for subqueries are logged separately.
Repeating queries sum up the execution counts for the individual queries to mimic the behavior of a single live query.
Searching for @id=X is now efficient when there is exactly one such top-level filter in the query and X is an actual event ID in the LogScale cluster: the time span of the search is automatically restricted to the 1-second interval designated by a substring of X. To further improve efficiency, include the proper tag filters in the search.
Other
If the WriteNewSegmentFileFormat feature flag is enabled via built-in mechanisms, the minimum version in global is raised to 1.157.0 so that any potential rollback does not go to a version that cannot properly handle the feature having been enabled and then disabled; builds before 1.157.0 do not properly handle the feature being off if it has been on before.
Fixed in this release
User Interface
Large license limits would overflow in the UI, resulting in wrong limits being shown. This issue has been fixed.
Storage
In rare cases, the internal accounting of segment files used by queries and related metrics could be incorrect, which could lead to starved searches. This issue has been fixed.
GraphQL API
Instead of failing silently, GraphQL now returns an error in the following two scenarios:
Disabling feature flags on an organization if the feature is enabled globally.
Disabling feature flags for a user if the feature is enabled globally or for the user's organization.
Queries
An issue has been fixed in the deserialization of queries, which prevented some queries from being handed over to another node in the cluster.
Other
Feature flags were marked experimental even if they were in rollout. This issue has been fixed so that the actual non-experimental features in the cluster are now correctly displayed in the side bar in the Organization overview page.
Known Issues
Ingestion
An issue has been identified where construction of parsers utilizing files may experience timeouts when the Ad-hoc tables feature is enabled. This issue potentially impacts clusters running versions 1.165 through 1.170.
Mitigation: temporarily disable the ad-hoc tables feature on affected clusters.
Solution: upgrade to version 1.171, where this issue has been resolved.
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
zscaler/private-access has been updated to v1.3.0.
Improves the field extraction and performance.
Moves all x509.* fields under the tls.client namespace to comply with ECS.
Bumps ecs.version to 8.16.0.
For more information, see Package zscaler/private-access Release Notes.
f5networks/bigip has been updated to v2.1.0.
Improves the field extraction and performance.
Updates invalid values for the event.type field to comply with ECS.
Bumps ecs.version to 8.16.0.
For more information, see Package f5networks/bigip Release Notes.
paloalto/firewall has been updated to v1.2.0.
Adds additional mappings to ECS for: source.geo.country_name, destination.geo.country_name, rule.category, process.command_line, source.ip (for Config logs), network.packets fields.
Adds url.* ECS fields for subtype url.
Adds the field observer.type.
Adds additional options to Config logs to determine event.outcome.
Enhances parsing for system auth logs.
Decodes network.transport to include network.iana_numbers.
Aliases client.ip/port to source.ip/port and server.ip/port to destination.ip/port.
For more information, see Package paloalto/firewall Release Notes.
zscaler/internet-access has been updated to v1.3.0.
Duplicated vendor fields removed. The updated parser handles field duplication more efficiently. Previously, certain fields were duplicated under both the Vendor namespace (e.g. Vendor.clt_sip) and a CPS field (e.g. source.ip). If the values of two such fields are byte-for-byte the same, the updated parser no longer preserves the vendor-specific field, only the CPS field. If the values of the two fields differ, both fields are preserved. This means the following fields will no longer be present in the parsed data when using the updated parser:
Miscellaneous
Vendor.ClientIP
Vendor.action
Vendor.actiontaken
Vendor.adminid
Vendor.clientip
Vendor.clt_sip
Vendor.clt_sport
Vendor.company
Vendor.contenttype
Vendor.csip
Vendor.csport
Vendor.destcountry
Vendor.destinationip
Vendor.destinationport
Vendor.dns_req
Vendor.dns_reqtype
Vendor.dns_resp
Vendor.elogin
Vendor.event
Vendor.eventreason
Vendor.filename
Vendor.filesource
Vendor.filesubtype
Vendor.filetype
Vendor.filetypename
Vendor.fullurl
Vendor.hostname
Vendor.inbytes
Vendor.location
Vendor.login
Vendor.nwapp
Vendor.outbytes
Vendor.owner
Vendor.policy
Vendor.reason
Vendor.recordid
Vendor.refererURL
Vendor.requestmethod
Vendor.requestsize
Vendor.responsesize
Vendor.riskscore
Vendor.rulelabel
Vendor.rulename
Vendor.ruletype
Vendor.rxbytes
Vendor.sdip
Vendor.sdport
Vendor.serverip
Vendor.sourceip
Vendor.sourceport
Vendor.srv_dip
Vendor.srv_dport
Vendor.status
Vendor.threatname
Vendor.txbytes
Vendor.url
Vendor.user
Adds support for bulk event processing.
Categorizes threat events.
Updates the dashboards and saved queries to utilize normalized fields.
Bumps the ecs.version to 8.16.0.
For more information, see Package zscaler/internet-access Release Notes.
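The duplicate-field rule described above, as an added example that is not part of the release notes or the zscaler/internet-access package: a vendor field is dropped only when its value is byte-for-byte identical to its CPS counterpart, and a helper flags saved-query filters that reference fields the new parser no longer emits. The Vendor.clt_sip to source.ip pairing is stated above; the other pairings and the sample event are assumptions constructed for illustration.

```python
import re
from typing import Dict, Set

# Vendor -> CPS pairings. Vendor.clt_sip -> source.ip is stated in the
# release note; the remaining pairings are assumptions for illustration.
VENDOR_TO_CPS: Dict[str, str] = {
    "Vendor.clt_sip": "source.ip",
    "Vendor.clt_sport": "source.port",
    "Vendor.srv_dip": "destination.ip",
    "Vendor.srv_dport": "destination.port",
    "Vendor.action": "event.action",
    "Vendor.user": "user.name",
}

# Constructed sample event shaped like the old parser's output (not real data).
OLD_EVENT: Dict[str, str] = {
    "Vendor.clt_sip": "10.1.2.3", "source.ip": "10.1.2.3",
    "Vendor.clt_sport": "51234", "source.port": "51234",
    "Vendor.srv_dip": "203.0.113.10", "destination.ip": "203.0.113.10",
    "Vendor.srv_dport": "443",                               # counterpart absent here: kept
    "Vendor.action": "Blocked", "event.action": "Blocked",
    "Vendor.user": "jdoe@example.com", "user.name": "jdoe",  # values differ: both kept
}


def drop_duplicate_vendor_fields(event: Dict[str, str],
                                 mapping: Dict[str, str] = VENDOR_TO_CPS) -> Dict[str, str]:
    """Copy of `event` with a vendor field removed only when its value is
    byte-for-byte identical to its CPS counterpart. Fields whose values differ,
    or whose counterpart is missing, are kept so no information is lost."""
    out = dict(event)
    for vendor_field, cps_field in mapping.items():
        if vendor_field in out and cps_field in out:
            # Raw byte comparison: "10.1.2.3" and "10.1.2.03" stay distinct.
            if out[vendor_field].encode() == out[cps_field].encode():
                del out[vendor_field]
    return out


def missing_query_fields(query: str, event: Dict[str, str]) -> Set[str]:
    """Field names used in simple `field=value` filters of a saved query that the
    parsed event no longer carries, i.e. filters that would silently match nothing."""
    referenced = set(re.findall(r"([A-Za-z_][\w.]*)\s*=", query))
    return referenced - set(event)


if __name__ == "__main__":
    new_event = drop_duplicate_vendor_fields(OLD_EVENT)
    print(sorted(new_event))
    print(missing_query_fields("Vendor.clt_sip=10.1.2.3 Vendor.user=*", new_event))
```

Running missing_query_fields over each saved query or alert before rolling out the new parser shows which filters must be rewritten to the CPS names.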
palo-alto/prisma-sd-wan has been updated to v1.1.0.
Improves the field extraction and performance.
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.
Sets the Vendor.type field based on the event type.
Sets the observer.address, observer.name, event.outcome fields and more.
Renames the parser to paloalto-prisma-sdwan.
For more information, see Package palo-alto/prisma-sd-wan Release Notes.
darktrace/detect has been updated to v1.1.1.
Updates rule.author field to an array to comply with ECS.
Bumps ecs.version to 8.16.0.
For more information, see Package darktrace/detect Release Notes.
cisco/duo has been updated to v2.1.0.
Adds normalization using the Vendor.auth_device.* fields.
Updates the field mapping for Cisco Duo Authentication events. To improve the accuracy and consistency of field normalization, the previously mapped source.user.* fields have been updated to user.* fields. This is a breaking change, and some search queries, dashboards or alerts that rely on the source.user.* fields may stop working. Update all affected search queries to use the user.* fields to restore functionality.
For more information, see Package cisco/duo Release Notes.
infoblox/nios has been updated to v1.2.2.
Improves the dns.* fields extraction.
Bumps the ecs.version to 8.16.0.
Enhances the regex to accept hashes in the host.domain field.
For more information, see Package infoblox/nios Release Notes.
paloalto/firewall has been updated to v1.2.1.
Adds an additional mapping to ECS for user_agent.original field.
Parses user.name out of Admin field from Config logs.
For more information, see Package paloalto/firewall Release Notes.