Falcon LogScale 1.171.0 GA (2025-01-14)

Version: 1.171.0
Type: GA
Release Date: 2025-01-14
Availability: Cloud
End of Support: 2026-02-28
Security Updates: No
Upgrades From: 1.150.0
Downgrades To: 1.157.0
Config. Changes: No


Bug fixes and updates.

Deprecation

Items that have been deprecated and may be removed in a future release.

  • The QUERY_COORDINATOR environment variable is deprecated. To control whether a node should be allowed to be a query coordinator, use the query node task instead. Node tasks can be assigned and unassigned at runtime using the assignTasks() and unassignTasks() GraphQL mutations respectively, or controlled using the INITIAL_DISABLED_NODE_TASKS environment variable.

    For more information, see INITIAL_DISABLED_NODE_TASKS.

  • The color field on the Role type has been marked as deprecated (will be removed in version 1.195).

  • The lastScheduledSearch field from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replace lastScheduledSearch.

Upgrades

Changes that may occur or be required during an upgrade.

  • Installation and Deployment

    • Once LogScale has been upgraded to 1.162.0 with the WriteNewSegmentFileFormat feature flag enabled, LogScale cannot be downgraded to a version lower than 1.157.0.

  • Other

    • Increased the minimum version requirement to 1.150.0. This change is due to a new store in global for groups, which allows multiple role mappings to a single view.

New features and improvements

  • Security

    • A new default role named Reader is now visible in the UI. The role only grants the ReadAccess permission. Unlike the existing default roles, the Reader role is not editable and cannot be deleted.

  • GraphQL API

    • A new @stability directive has been added to the GraphQL API:

      • The @stability directive has been added on all non-deprecated output fields.

      • The @stability directive has a level argument with three possible enum values: Preview, ShortTerm and LongTerm. A field now carries either the @deprecated or the @stability directive. The level Preview corresponds to the old @preview directive (which has been removed); the level ShortTerm corresponds to the previous stability promise of at least 12 weeks; the level LongTerm means that the field is kept stable for at least 1 year.

      • Input fields without the @stability directive inherit the stability level from the query or mutation for which the input type is used; enum values without the directive inherit the stability level from the field that returns the enum type.

      • Some fields that were previously documented as being in preview, but without the @preview directive, are now properly marked as in preview (@stability directive with level Preview).

      • Usage of fields or enum values in Preview when calling the GraphQL endpoint is still shown in the extensions part of the response, but the format has changed.

      • For all existing deprecated fields that were deemed to have had LongTerm stability, the version in which they will be removed has been updated to reflect a 1-year deprecation period.

  • Functions

    • The new query function setTimeInterval() is now available. This function overrides the time interval otherwise set in the UI/API. Example usage:

      setTimeInterval(start=7d, end=12h, timezone="Europe/Copenhagen")

      For more information, see setTimeInterval().

  • Other

    • The new metric globalsnapshot-pct-of-max-heap has been added. It reports the size of the most recently written global-snapshot.json file as a percentage of the maximum heap size.

Fixed in this release

  • Storage

    • Fixed a crash that could occur on boot if global contains dataspaces marked for deletion.

    • A fix prevents leaking empty datasource directories by announcing in global that they are deleted some time before they are actually removed from global.

    • Adjusted the handling of in-memory local datasource state to help keep the local state in sync with global.

  • Configuration

    • The dynamic configuration lookup-table-sync-await-seconds has been fixed: previously it required a restart to take effect.

  • Dashboards and Widgets

    • Value and label of the Gauge widget could overflow. This issue has been fixed.

  • Ingestion

    • The changes to the parser test that allowed the parser code page to produce events more similar to ingested events have been reverted, due to unspecified errors for some users.

  • Queries

    • A misalignment issue between primary and subquery relative intervals has been fixed. Previously, a subquery's relative time interval did not align correctly with the primary query interval. This misalignment could cause slight differences in the relative now reference point between the primary query and subquery.

  • Functions

    • The array:dedup() function has been fixed: previously it did not write the output array when the input array contained no duplicate elements, even if the output array was different from the input array.

  • Other

    • The type for deprecated package schema fields has been renamed from valid to null.

Recent Package Updates

The following LogScale packages have been updated within the last month.

  • Package Changes

    • okta/sso has been updated to v1.2.0.

      • Categorizes "security.attack.start", "security.attack.end", and "security.breached_credential.detected" as alerts.

      • Utilizes array:append() function for array declarations.

      • Enhances categorization logic for policy user and authentication events.

      • Updates parser to handle more event types and improves field mappings.

      • Bumps ecs.version to 8.17.0.

      For more information, see Package okta/sso Release Notes.

    • zscaler/private-access has been updated to v1.3.0.

      • Improves the field extraction and performance.

      • Moves all x509.* fields under the tls.client namespace to comply with ECS.

      • Bumps ecs.version to 8.16.0.

      For more information, see Package zscaler/private-access Release Notes.

    • f5networks/bigip has been updated to v2.1.0.

      • Improves the field extraction and performance.

      • Updates invalid values for the event.type field to comply with ECS.

      • Bumps ecs.version to 8.16.0.

      For more information, see Package f5networks/bigip Release Notes.

    • paloalto/firewall has been updated to v1.2.0.

      • Adds additional mappings to ECS for: source.geo.country_name, destination.geo.country_name, rule.category, process.command_line, source.ip (for Config logs), network.packets fields.

      • Adds url.* ECS fields for subtype url.

      • Adds the field observer.type.

      • Adds additional options to Config logs to determine event.outcome.

      • Enhances parsing for system auth logs.

      • Decodes network.transport to include network.iana_numbers.

      • Aliases client.ip/port to source.ip/port and server.ip/port to destination.ip/port.

      For more information, see Package paloalto/firewall Release Notes.

    • zscaler/internet-access has been updated to v1.3.0.

      Duplicated vendor fields removed

      The updated parser handles field duplication more efficiently. Previously, certain fields were duplicated under both the Vendor namespace (e.g. Vendor.clt_sip) and a CPS field (e.g. source.ip). If the values of two such fields are byte-for-byte the same, the updated parser no longer preserves the vendor-specific field, only the CPS field. If the values of the two fields differ, both fields are preserved. This means the following fields will no longer be present in the parsed data when using the updated parser:

      • Vendor.ClientIP

      • Vendor.action

      • Vendor.actiontaken

      • Vendor.adminid

      • Vendor.clientip

      • Vendor.clt_sip

      • Vendor.clt_sport

      • Vendor.company

      • Vendor.contenttype

      • Vendor.csip

      • Vendor.csport

      • Vendor.destcountry

      • Vendor.destinationip

      • Vendor.destinationport

      • Vendor.dns_req

      • Vendor.dns_reqtype

      • Vendor.dns_resp

      • Vendor.elogin

      • Vendor.event

      • Vendor.eventreason

      • Vendor.filename

      • Vendor.filesource

      • Vendor.filesubtype

      • Vendor.filetype

      • Vendor.filetypename

      • Vendor.fullurl

      • Vendor.hostname

      • Vendor.inbytes

      • Vendor.location

      • Vendor.login

      • Vendor.nwapp

      • Vendor.outbytes

      • Vendor.owner

      • Vendor.policy

      • Vendor.reason

      • Vendor.recordid

      • Vendor.refererURL

      • Vendor.requestmethod

      • Vendor.requestsize

      • Vendor.responsesize

      • Vendor.riskscore

      • Vendor.rulelabel

      • Vendor.rulename

      • Vendor.ruletype

      • Vendor.rxbytes

      • Vendor.sdip

      • Vendor.sdport

      • Vendor.serverip

      • Vendor.sourceip

      • Vendor.sourceport

      • Vendor.srv_dip

      • Vendor.srv_dport

      • Vendor.status

      • Vendor.threatname

      • Vendor.txbytes

      • Vendor.url

      • Vendor.user

      Miscellaneous

      • Adds support for bulk event processing.

      • Categorizes threat events.

      • Updates the dashboards and saved queries to utilize normalized fields.

      • Bumps the ecs.version to 8.16.0.

      For more information, see Package zscaler/internet-access Release Notes.
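      The de-duplication rule described for zscaler/internet-access v1.3.0, as an added example that is not the package's own parser code: a vendor field is dropped only when its value is byte-for-byte identical to the paired CPS field, differing values keep both fields, and a helper flags those disagreements for review. Only the Vendor.clt_sip to source.ip pair comes from the release notes; the other field pairs and the sample event are assumed and constructed for illustration.

```python
from typing import Dict, List

# Vendor.* -> CPS field pairs. Only Vendor.clt_sip -> source.ip is taken from the
# release notes; the other pairs are assumed here for illustration.
VENDOR_TO_CPS: Dict[str, str] = {
    "Vendor.clt_sip": "source.ip",
    "Vendor.clt_sport": "source.port",
    "Vendor.srv_dip": "destination.ip",
    "Vendor.srv_dport": "destination.port",
    "Vendor.url": "url.original",
    "Vendor.user": "user.name",
}

def dedup_vendor_fields(event: Dict[str, str],
                        mapping: Dict[str, str] = VENDOR_TO_CPS) -> Dict[str, str]:
    """Return a copy of the parsed event with the v1.3.0 rule applied:
    identical vendor/CPS values -> drop the vendor field; differing values ->
    keep both; CPS field absent -> keep the vendor field. Fields outside the
    mapping are never touched."""
    out = dict(event)  # never mutate the caller's event
    for vendor_field, cps_field in mapping.items():
        if vendor_field in out and cps_field in out:
            # Exact comparison: no trimming or case folding, so "A" and "a" differ.
            if out[vendor_field] == out[cps_field]:
                del out[vendor_field]
    return out

def conflicting_fields(event: Dict[str, str],
                       mapping: Dict[str, str] = VENDOR_TO_CPS) -> List[str]:
    """Vendor fields whose CPS twin holds a different value; both survive dedup,
    so they are worth reviewing unless the parser normalizes one side."""
    return sorted(v for v, c in mapping.items()
                  if v in event and c in event and event[v] != event[c])

# Constructed sample event, not real Zscaler output.
SAMPLE_EVENT: Dict[str, str] = {
    "Vendor.clt_sip": "10.1.2.3", "source.ip": "10.1.2.3",
    "Vendor.clt_sport": "51234", "source.port": "51234",
    "Vendor.srv_dip": "203.0.113.10", "destination.ip": "203.0.113.10",
    "Vendor.user": "alice@example.com", "user.name": "alice",  # normalized: differs
    "Vendor.url": "https://example.com/",  # no url.original in this event
    "Vendor.riskscore": "42",  # not in the mapping
}

if __name__ == "__main__":
    print(sorted(dedup_vendor_fields(SAMPLE_EVENT)))  # Vendor.clt_* and srv_dip gone
    print(conflicting_fields(SAMPLE_EVENT))           # ['Vendor.user']
```

      Running the same check against events from the old and new parser versions is a quick way to confirm that a saved query or dashboard referencing a dropped Vendor.* field needs to move to the normalized field.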

    • darktrace/detect has been updated to v1.1.1.

      • Updates rule.author field to an array to comply with ECS.

      • Bumps ecs.version to 8.16.0.

      For more information, see Package darktrace/detect Release Notes.

    • paloalto/firewall has been updated to v1.2.1.

      • Adds an additional mapping to ECS for user_agent.original field.

      • Parses user.name out of Admin field from Config logs.

      For more information, see Package paloalto/firewall Release Notes.