Falcon LogScale 1.177.2 LTS (2025-04-23)
| Version | Type | Release Date | Availability | End of Support | Security Updates | Upgrades From | Downgrades To | Config. Changes |
|---|---|---|---|---|---|---|---|---|
| 1.177.2 | LTS | 2025-04-23 | Cloud / On-Prem | 2026-03-31 | No | 1.150.0 | 1.171.1 | No |
Download
Use `docker pull humio/humio-core:1.177.2` to download the latest version.
These notes include entries from the following previous release: 1.177.1
Bug fixes and updates.
Breaking Changes
The following items create a breaking change in the behavior, response or operation of this release.
Automation and Triggers
Important Notice: Downgrade Considerations
Enhancements to Aggregate alerts in version 1.176 include additional state tracking for errors and warnings. While this is an improvement, it does require attention if you need to downgrade to an earlier version.
Potential Impact:
If you downgrade from 1.176 or above to 1.175 or below, you may encounter errors related to Aggregate Alerts, causing Aggregate Alerts to not run to completion.
Resolution Steps:
After downgrading, if you encounter errors containing `Error message and error in phase must either both be set or not set`, do the following:
1. Identify affected Aggregate Alerts by executing the following GraphQL query:
```graphql
query q1 { searchDomains { name aggregateAlerts {id, lastError, lastWarnings} } }
```
Document the IDs of any affected alerts having warnings and no errors set.
2. Apply the resolution: for each identified alert with warnings (optionally and/or errors), apply this GraphQL mutation, replacing `INSERT` with your actual view name and alert ID:
```graphql
mutation m1 { clearErrorOnAggregateAlert(input:{viewName:"INSERT",id:"INSERT"}) {id} }
```
Keep track of modified alert IDs for future reference.
3. Verify the resolution: confirm that the system returns to normal operation, and monitor for any additional error messages using a LogScale query and/or alert, such as:
```logscale
#kind=logs class="c.h.c.Context" "Error message and error in phase must either both be set or not set"
```
These steps will reset the Aggregate Alerts and restore the system to normal operation.
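As an added example (not part of the release note or of LogScale's own tooling), the resolution steps above can be scripted: the query and mutation are the ones quoted in the note, while the `/graphql` endpoint path, the bearer-token header and the sample response are assumptions made here.

```python
import json
import os
import urllib.request

# GraphQL document copied from the release note above.
FIND_QUERY = (
    "query q1 { searchDomains { name aggregateAlerts {id, lastError, lastWarnings} } }"
)

# Constructed sample of what FIND_QUERY might return (not real data).
SAMPLE_RESPONSE = {
    "data": {
        "searchDomains": [
            {
                "name": "prod-logs",
                "aggregateAlerts": [
                    {"id": "a1", "lastError": None, "lastWarnings": ["w"]},  # affected
                    {"id": "a2", "lastError": "boom", "lastWarnings": []},  # error set
                    {"id": "a3", "lastError": None, "lastWarnings": []},  # healthy
                ],
            },
            {
                "name": "dev",
                "aggregateAlerts": [
                    {"id": "b1", "lastError": None, "lastWarnings": ["w1", "w2"]},
                ],
            },
        ]
    }
}


def find_affected_alerts(response: dict) -> list:
    """Return (viewName, alertId) pairs for alerts with warnings but no error.

    This is the note's criterion: 'affected alerts having warnings and no
    errors set'. Missing or null aggregateAlerts lists are tolerated.
    """
    affected = []
    for domain in response.get("data", {}).get("searchDomains", []):
        for alert in domain.get("aggregateAlerts") or []:
            has_warnings = bool(alert.get("lastWarnings"))
            has_error = alert.get("lastError") not in (None, "")
            if has_warnings and not has_error:
                affected.append((domain["name"], alert["id"]))
    return affected


def build_clear_mutation(view_name: str, alert_id: str) -> str:
    """Fill the two INSERT placeholders of the note's mutation.

    json.dumps() yields a double-quoted, escaped literal that is also a valid
    GraphQL string literal, so a view name containing quotes cannot break
    out of the document.
    """
    return (
        "mutation m1 { clearErrorOnAggregateAlert(input:{viewName:%s,id:%s}) {id} }"
        % (json.dumps(view_name), json.dumps(alert_id))
    )


def graphql_post(base_url: str, token: str, document: str) -> dict:
    """POST one GraphQL document and return the decoded JSON response.

    Assumed (not stated in the note): the endpoint is <base_url>/graphql and
    authenticates with an 'Authorization: Bearer <token>' header.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + "/graphql",
        data=json.dumps({"query": document}).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": "Bearer " + token},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def clear_affected(base_url: str, token: str) -> list:
    """Run steps 1 and 2 of the note; returns the alert IDs that were reset."""
    affected = find_affected_alerts(graphql_post(base_url, token, FIND_QUERY))
    cleared = []
    for view_name, alert_id in affected:
        result = graphql_post(base_url, token, build_clear_mutation(view_name, alert_id))
        if result.get("errors"):
            print(f"could not clear {alert_id} in {view_name}: {result['errors']}")
            continue
        cleared.append(alert_id)
    return cleared  # keep this list for future reference, as the note asks


if __name__ == "__main__":
    # Placeholders: point LOGSCALE_URL and LOGSCALE_TOKEN at your own cluster.
    url = os.environ.get("LOGSCALE_URL", "https://logscale.example.invalid")
    token = os.environ.get("LOGSCALE_TOKEN", "")
    print("affected in sample:", find_affected_alerts(SAMPLE_RESPONSE))
    if token:
        print("cleared:", clear_affected(url, token))
```

Step 3 of the note (watching for the error string in `#kind=logs`) is still done with the LogScale query above; the script only covers identification and clearing.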
Removed
Items that have been removed as of this release.
Storage
The file format for segment data has been updated. The compression ratio for segment data may increase and reduce the size of stored segments.
Configuration
The deprecated `QUERY_COORDINATOR` environment variable has now been removed.
Deprecation
Items that have been deprecated and may be removed in a future release.
The `color` field on the Role type has been marked as deprecated (will be removed in version 1.195).
The `storage` task of the GraphQL NodeTaskEnum is deprecated and scheduled to be removed in version 1.189. This affects the following items:
The `supportedTasks` field of the ClusterNode type.
The `assignedTasks` field of the ClusterNode type.
The `unassignedTasks` field of the ClusterNode type.
The assignTasks() mutation.
The unassignTasks() mutation.
The `INITIAL_DISABLED_NODE_TASKS` configuration variable.
LogScale is deprecating free-text searches that occur after the first aggregate function in a query. These searches likely did not and will not work as expected. Starting with version 1.190.0, this functionality will no longer be available. A free-text search after the first aggregate function refers to any text filter that is not specific to a field and appears after the query's first aggregate function. For example, this syntax is deprecated:
```logscale
"Lorem ipsum dolor" | tail(200) | "sit amet, consectetur"
```
Some uses of the wildcard() function, particularly those that do not specify a `field` argument, are also free-text searches and therefore are deprecated as well. Regex literals that are not particular to a field, for example `/(abra|kadabra)/`, are also free-text searches and are thus also deprecated after the first aggregate function. To work around this issue, you can:
Move the free-text search in front of the first aggregate function.
Search specifically in the @rawstring field.
If you know the field that contains the value you're searching for, it's best to search that particular field. The field may have been added by either the log shipper or the parser, and the information might not appear in the @rawstring field.
Free-text searches before the first aggregate function continue to work as expected since they are not deprecated. Field-specific text searches work as expected as well: for example, `myField=/(abra|kadabra)/` continues to work also after the first aggregate function.
The use of the event functions eventInternals(), eventFieldCount(), and eventSize() after the first aggregate function is deprecated. For example (Invalid Example for Demonstration - DO NOT USE):
```logscale
eventSize() | tail(200) | eventInternals()
```
Usage of these functions after the first aggregate function is deprecated because they work on the original events, which are not available after the first aggregate function.
Using these functions after the first aggregate function will be made unavailable in version 1.190.0 and onwards.
These functions will continue to work before the first aggregate function, for example:
```logscale
eventSize() | tail(200)
```
The removeLimit() GraphQL mutation is being deprecated and replaced by the new mutation removeLimitWithId().
The `lastScheduledSearch` field from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replace `lastScheduledSearch`.
The `EXTRA_KAFKA_CONFIGS_FILE` configuration variable has been deprecated and planned to be removed no earlier than version 1.225.0. For more information, see RN Issue.
Upgrades
Changes that may occur or be required during an upgrade.
Installation and Deployment
The JDK included in container deployments has been upgraded to 23.0.2.
New features and improvements
Security
Fetching installed packages (Package Management) and scheduled PDF reports now requires either the `Data read access` permission or, respectively, the `ChangePackages` and `Change scheduled report` repository & view permissions.
Administration and Management
The Usage page now uses the `ingestAfterFieldRemovalSize` metric for visualizing Average ingest per day. It's still possible to query the humio-usage repository for the legacy `segmentWriteBytes` metric as well as `ingestAfterFieldRemovalSize`.
User Interface
It is now possible to opt for individual widget time selections when creating scheduled reports.
It is now possible to import a Field Aliasing schema from a YAML template. The option is available from the button when creating field aliasing schemas.
For more information, see Configuring Field Aliasing.
It is now possible to filter by source field, alias field and description when creating field aliases.
For more information, see Configuring Field Aliasing.
The available actions for managing field aliasing schemas have been reorganized in a renewed layout.
For more information, see Managing Field Aliasing.
Field Aliasing schemas now require unique names. If you create a schema with a name that has been utilized before, you'll be prompted to give the schema a different name.
The query editor warnings are now also displayed as runtime warnings. As a result, new warnings for some queries might be displayed. For example, queries that use experimental features will now show warnings. These warnings may trigger notifications for alerts and scheduled searches that use features with associated warnings. However, these queries should continue to run normally. Other hints and information in the query editor remain unchanged.
A new IOC Lookup field interaction is now available for IP fields (for example, ip_address). Invoking this interaction will generate a new query by calling the ioc:lookup() query function. The new query will use the name of the selected IP field as the `field` argument for the function. For example:
```logscale
ioc:lookup(field=[actor.ip], type="ip_address", confidenceThreshold="unverified", strict=true)
```
For more information, see Field Interactions.
Automation and Triggers
Alerts and Scheduled searches now show additional warning types in the UI. Before, these warnings only appeared in the humio-activity logs.
GraphQL API
The refreshClusterManagementStats() GraphQL mutation has been added. When developing scripts to automate the unregistration of multiple evicted nodes at a time, this mutation can be called to validate that the node being unregistered can be terminated without risking data loss. As the mutation is expensive, it should not be called frequently.
A new, optional argument has been added to the restoreDeletedSearchDomain() GraphQL mutation. The purpose is to be able to restore a deleted search domain even though its limit has also been deleted, by specifying a new limit to use instead.
When fetching environment variables through GraphQL, most of the configuration variables were redacted. The list of non-secret environment variables that should not be redacted has now been updated with additional variables.
The s3ResetArchiving() GraphQL mutation now supports resetting cluster wide archiving on a repository through a new `archivalKind` field.
The new `totalSearchDomains` field has been added to the user.userOrGroupSearchDomainRoles() GraphQL query. This field indicates the number of unique search domains in the result.
A new token() GraphQL query now allows fetching a token based on its ID. Previously, you could only list tokens and filter by name.
Storage
To reduce load on global database, datasources now take longer to enter idle state when they stop receiving data.
Configuration
The new `METRIC_RETENTION_IN_DAYS` environment variable now allows users to configure the humio-metrics repository retention. For more information, see METRIC_RETENTION_IN_DAYS.
The Usage page will now show updated ingest values which may differ from previous versions.
A new configuration variable `MINISEGMENT_PREMERGE_MIN_FILES_WHEN_IDLE` has been added. This sets a lower limit (defaults to 4) on how many minisegments must be present before merging into larger minisegments for idle datasources; for non-idle datasources the limit is still controlled by `MINISEGMENT_PREMERGE_MIN_FILES` (defaults to 12). The merging is intended to reduce the global snapshot size.
LogScale now provides environment variables to configure individual Kafka clients. The new environment variables have the following prefixes:
KAFKA_ADMIN
KAFKA_CHATTER_CONSUMER
KAFKA_CHATTER_PRODUCER
KAFKA_GLOBAL_CONSUMER
KAFKA_GLOBAL_PRODUCER
KAFKA_INGEST_QUEUE_CONSUMER
KAFKA_INGEST_QUEUE_PRODUCER
In addition, `KAFKA_COMMON` can be utilized to pass the configuration to all clients; however, settings configured using the client-specific prefixes take precedence if the setting is present with both prefixes.
Kafka configuration options, such as `request.timeout.ms`, can be passed with these prefixes using a simple rewrite:
1. Uppercase the option name. Example: `REQUEST.TIMEOUT.MS`
2. Replace `.` with `_`. Example: `REQUEST_TIMEOUT_MS`
3. Apply the prefix for the target client. Example: `KAFKA_INGEST_QUEUE_CONSUMER_REQUEST_TIMEOUT_MS`
4. Pass this as an environment variable to LogScale on boot. Example: `KAFKA_INGEST_QUEUE_CONSUMER_REQUEST_TIMEOUT_MS=30000`
As a consequence, `EXTRA_KAFKA_CONFIGS_FILE` has been deprecated in favor of these new environment variables. This feature will be removed no earlier than version 1.225.0. The configuration passed via `EXTRA_KAFKA_CONFIGS_FILE` can be moved into the new environment variables using the procedure outlined above, while using the `KAFKA_COMMON_` prefix.
After the `EXTRA_KAFKA_CONFIGS_FILE` removal, LogScale will not start if this variable is set. This behavior will help users recognize that they need to update their configuration, as described in this release note.
The `enable.idempotence` feature for Kafka producers, which is configurable through the `EXTRA_KAFKA_CONFIGS_FILE` variable, has been set to `false` by default due to stability issues reported in certain environments.
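As an added example (not part of the release note or of LogScale's own code), the rewrite steps above as a small migration helper: it turns the key=value lines of an EXTRA_KAFKA_CONFIGS_FILE into KAFKA_COMMON_* variables and resolves the effective settings for one client with the precedence the note describes. The sample properties are constructed, and the properties parser deliberately handles only key=value lines.

```python
# Client prefixes listed in the release note.
CLIENT_PREFIXES = (
    "KAFKA_ADMIN",
    "KAFKA_CHATTER_CONSUMER",
    "KAFKA_CHATTER_PRODUCER",
    "KAFKA_GLOBAL_CONSUMER",
    "KAFKA_GLOBAL_PRODUCER",
    "KAFKA_INGEST_QUEUE_CONSUMER",
    "KAFKA_INGEST_QUEUE_PRODUCER",
)
COMMON_PREFIX = "KAFKA_COMMON"  # applies to all clients, lowest precedence

# Constructed sample of a file previously passed via EXTRA_KAFKA_CONFIGS_FILE.
SAMPLE_PROPERTIES = """
# constructed example, not a real deployment
request.timeout.ms=30000
security.protocol=SASL_SSL
sasl.mechanism=SCRAM-SHA-512
"""


def to_env_var(prefix: str, option: str) -> str:
    """Apply the note's rewrite: uppercase the option, '.' -> '_', add the prefix."""
    if prefix != COMMON_PREFIX and prefix not in CLIENT_PREFIXES:
        raise ValueError(f"unknown Kafka client prefix: {prefix}")
    return f"{prefix}_{option.upper().replace('.', '_')}"


def parse_properties(text: str) -> dict:
    """Minimal key=value parser: skips blanks and '#' comments, keeps '=' in values."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed properties line: {raw!r}")
        props[key.strip()] = value.strip()
    return props


def migrate_properties(text: str) -> dict:
    """Translate a properties-file body into KAFKA_COMMON_* environment variables."""
    return {to_env_var(COMMON_PREFIX, k): v for k, v in parse_properties(text).items()}


def effective_config(env: dict, client_prefix: str) -> dict:
    """Resolve what one client receives: KAFKA_COMMON_* first, then the
    client-specific variables override it, as the note describes.

    Keys are returned in the uppercase underscore form (REQUEST_TIMEOUT_MS):
    mapping back to dotted names is ambiguous for options that contain '_'.
    """
    if client_prefix not in CLIENT_PREFIXES:
        raise ValueError(f"unknown Kafka client prefix: {client_prefix}")
    resolved = {}
    for prefix in (COMMON_PREFIX, client_prefix):  # later iteration wins
        marker = prefix + "_"
        for name, value in env.items():
            if name.startswith(marker):
                resolved[name[len(marker):]] = value
    return resolved


def render_env_lines(env: dict) -> str:
    """Render NAME=value lines for a container env file or a systemd unit."""
    return "\n".join(f"{k}={v}" for k, v in sorted(env.items()))


if __name__ == "__main__":
    migrated = migrate_properties(SAMPLE_PROPERTIES)
    # A client-specific override, to show that it beats the common setting.
    migrated["KAFKA_INGEST_QUEUE_CONSUMER_REQUEST_TIMEOUT_MS"] = "60000"
    print(render_env_lines(migrated))
    print(effective_config(migrated, "KAFKA_INGEST_QUEUE_CONSUMER"))
```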
Ingestion
Clicking on the parser code page now produces events that are more similar to what an ingested event would look like in certain edge cases.
The details panel for test cases on the Parsers page will now link to relevant error documentation where such documentation exists.
Dashboards and Widgets
The Time Chart widget has new tooltip options:
The widget's tooltip now shows only the top 5 series and the hovered series.
The ⇧ key expands the tooltip and shows all series.
The CTRL key activates both the show full legend labels and show unformatted values features simultaneously.
Tooltip values are now aligned so that variables are left-aligned, and values are right-aligned.
It is now possible to configure series colors and names across dashboard widgets. Series configured on the widget level will overwrite dashboard level series.
For more information, see Customize Dashboards.
The Table widget now supports multiple Markdown-formatted URLs within a single cell, so that it renders multiple clickable links separated by line breaks, improving upon the previous single-URL display.
It is now possible to normalize data for a stacked Bar Chart. In the styling properties of the widget:
1. Set Type to Stacked.
2. Under the Value axis section, set Type to Linear.
3. Select the Normalize checkbox that is being displayed.
The Bar Chart widget now offers new raw and abbreviated options for formatting numerical values.
Row selection is now available in the Table widget, on the Search page only: you can now select rows from a table and copy them to the clipboard.
A new option to format the numerical values for the Pie Chart and Heat Map widgets is now available.
A new option to select value formatting for Time Chart is now available. The resizing behavior of the chart has also been adjusted.
New settings for formatting numerical values in the Scatter Chart are now available.
Log Collector
LogScale Collector now handles a longer list of available downloads. Older versions which have reached end-of-life are marked as such.
Queries
Execution time is now included in the activity logs for the queries' execution information.
Main queries now support retrying the polling of subqueries that are, for example, being restarted or otherwise temporarily unavailable (as for `defineTable()` subqueries). This change is meant to address the Subquery not found on poll warning occurring when subqueries are being restarted.
Functions
Using the functions eventSize(), eventFieldCount(), and eventInternals() after an aggregator will now give a warning, indicating that no result will be returned.
Introducing the new query function array:sort(), which sorts the elements of a given array using a given sort type and order. This function is similar to the sort() function, but works on the array elements of a single event instead of multiple events. For more information, see array:sort().
The `var` parameter of the array:filter() function is now optional and defaults to the name of the input array.
A new `prefix` parameter has been added to the kvParse() function. The parameter is an alias for the existing `as` parameter.
The new query functions array:exists() and objectArray:exists() are now available. They are both used to filter events based on whether the given array contains an element that satisfies a given condition. For performance reasons, LogScale recommends using array:exists(), but it can be used for flat arrays only (not for nested arrays). For nested arrays (for example JSON structures), use objectArray:exists() instead. Both functions offer more flexibility compared to array:contains() in cases where, for example, you need to compare array elements with values from other fields.
Sequence functions for analyzing ordered event sequences are now available:
accumulate(): apply cumulative aggregation; for example, running totals or averages.
slidingWindow(): apply aggregation over a moving window of a specified event count. Suitable for trend analysis of recent events.
slidingTimeWindow(): apply aggregation over a moving window specified as a time span. Suitable for time-series analysis.
partition(): split a sequence of events into multiple partitions and apply an aggregation on each partition. Suitable for grouped analyses like user sessions.
neighbor(): access fields from preceding or succeeding events in a sequence. Suitable for comparing events in sequential data.
Usage guidelines:
Sequence functions must be used after an aggregator function to establish an ordering. LogScale recommends using the sort() function before sequence functions to ensure meaningful event order.
Sequence functions differ from other aggregator functions in that they typically annotate events with the aggregation results.
Combine sequence functions for a more complex analysis.
For more information, see Sequence Query Functions.
The new query function base64Encode() is now available. The function allows the user to base64-encode a field, and output the result in another field. For instance, the string `hello, world` will encode as `aGVsbG8sIHdvcmxk`. Usage example: `base64Encode(fieldName)` will produce events with a field named _base64Encode, containing the encoded value of the fieldName field.
Fixed in this release
Security
In rare cases, references would not be cleaned up properly when deleting a role. Any further attempts to remove these references would fail. This issue has now been fixed.
Installation and Deployment
Testing event forwarder connectivity would permanently consume a thread and TCP connection to the Kafka broker. This issue has now been fixed.
User Interface
Fixed an issue where only the first error for a field would be returned from the API and shown in the UI.
The error message used when LogScale fails to import a YAML template for an asset (dashboard, parser, etc.) has been changed because it didn't recognize the template schema.
Scheduled reports could assume the wrong execution time when generated with a delay with respect to the scheduled time. The issue has now been fixed so that the scheduled time is used, regardless of when the report is actually generated.
The event distribution chart toggle button has been removed from the Table tab on the Search view, as the event distribution chart does not apply for this tab.
Automation and Triggers
These issues on query warning handling have been fixed:
Filter and Aggregate alerts would sometimes wait too long on query warnings about missing data.
Filter alerts would stop retrying on query warnings about missing data completely, after having reached the timeout once.
Filter alerts would retry polling a finished static query due to query warnings about missing data, instead of restarting the query.
When viewing an Email action in the UI, the subject and body field would be swapped. If the action was saved from the UI showing them swapped, the fields would also be swapped on storage. The same would happen if testing the action from the UI, showing the fields swapped. This issue has now been fixed.
Listing actions on a trigger referencing a non-existing action would fail. This issue has been fixed.
GraphQL API
The `searchDomainRoles` GraphQL field on the Group datatype could fail if given a view ID for which the group did not have any role assignments. This issue has now been fixed.
Storage
An issue related to undersized-merging of existing segments has been fixed. Previously, this process could create segments spanning up to 15 days, even in repositories with shorter retention periods (such as 30 days). Now, the merging process adheres to the `UndersizedMergingRetentionPercentage` dynamic configuration. For example, in a repository with a 30-day retention period, the maximum span for undersized-merging output is now 6 days.
Fixed a race condition that could cause removal of the topOffsets field from segments earlier than intended, risking the loss of the most recent data during digest reassignment.
A slow background cleanup work could block digest from starting, which could in turn cause nodes to crash on digest reassignment in large clusters. This issue has now been fixed.
A bug that was introduced in version 1.173.0 has been fixed. This bug could cause a node to crash when hash filter files were deleted during digest processing.
Configuration
The `bucket-storage-max-concurrent-delete-operations` metric has been fixed with corrected values. Previously, this metric was decremented too often, resulting in negative values.
Ingestion
When ingesting events with additional tags, such as when using humio structured endpoint, tags that were specified in the parser for removal were discounted from ingest accounting, but not removed from the event. This issue has now been fixed.
Dashboards and Widgets
Errors were occurring in dashboard queries when dashboard filters contained parameters that were only used within the filter itself and nowhere else in the query. This issue has now been fixed.
A series configuration for a widget's title and color would not take immediate effect when updated in the side panel. This issue has now been fixed.
Updating invalid input patterns for a parameter would not create the typed values on enter. This issue has been fixed.
Renaming the Id of a parameter inside a panel on the dashboard would make it jump to the top panel. This issue has now been fixed.
A Query Editor error in one of the widgets on a dashboard could result in an error on the Query Editor of a parameter. This issue has now been fixed.
Log Collector
When computing group memberships in fleet management, a query timeout could result in collectors losing their group memberships. This issue has now been fixed.
Queries
Queries did not restart when adding, changing, or removing view connections. This issue has now been fixed so that queries correctly restart at view connections updates.
The parsing of field values with large numbers (for example 92233720368547758) could in rare cases cause an integer overflow and turn them into small negative values. This issue has now been fixed.
Queries would sometimes be incorrectly reused even though they had a warning attached. This would mean that a new query would get the same warnings instead of running a new search. This issue has now been fixed.
A warning about unresponsive nodes would remain attached to a query even though it was no longer relevant. This issue has now been fixed.
Quadratic time complexity in queries could significantly slow down processing, causing query submission failures. This issue has now been fixed.
A Query Scheduling issue has been fixed: queries that encountered restrictions or errors would continue to execute on individual segment blocks, even if the errors would cause the query to cancel.
Some regular expressions would continue to run even if the query was cancelled. This issue has now been fixed.
An internal file verification job might not start correctly, which in turn may block digest. This issue has now been fixed.
The query-millis metric wrongly counted the time spent waiting for CPU. This has been fixed so that the metric now measures the CPU time used by the query only.
A query might be started on an incorrect node in case of a mixed version cluster. This would lead to failure in polling the query. This issue has now been fixed.
Simplifications around Query Coordination for cluster queries have been made internally to fix an issue which, in rare cases, could lead to a query that is handed over without a coordinator.
Functions
Matching on multiple rows in `mode=cidr` missed some matching rows. This happened in cases where there are rows with different subnets that match on the same event. Example of the bug, using a file example.csv:
```
column1 column2
1.2.3.4/25 one
1.2.3.4/24 two
1.2.3.4/24 three
```
For the query:
```logscale
match(example.csv, field=column1, mode=cidr, nrows=3)
```
an event with the field column1=1.2.3.10 would only match on the last two rows. This change fixes this issue so that all three rows will match on the event.
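As an added example (not part of the release note and not LogScale's implementation of match()), the fixed multi-row CIDR semantics reproduced with the standard library, using the example.csv rows from the note: every row whose subnet contains the event's address is returned, up to nrows, regardless of how many rows share a subnet.

```python
import ipaddress

# The example.csv rows from the release note, space-separated as shown there.
EXAMPLE_CSV = """column1 column2
1.2.3.4/25 one
1.2.3.4/24 two
1.2.3.4/24 three
"""


def load_table(text: str) -> list:
    """Parse the header + rows into a list of dicts keyed by column name."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split()
    return [dict(zip(header, line.split())) for line in lines[1:]]


def cidr_match(table: list, field_value: str, column: str, nrows: int) -> list:
    """Return up to nrows rows (in file order) whose `column` subnet contains field_value.

    strict=False accepts subnets written with host bits set, as 1.2.3.4/25 is in
    the note (it normalises to 1.2.3.0/25). Rows are never collapsed by subnet,
    which is the behaviour the fix restores. Rows with invalid CIDR are skipped.
    """
    addr = ipaddress.ip_address(field_value)
    hits = []
    for row in table:
        try:
            net = ipaddress.ip_network(row[column], strict=False)
        except ValueError:
            continue
        if addr.version == net.version and addr in net:
            hits.append(row)
            if len(hits) == nrows:
                break
    return hits


if __name__ == "__main__":
    rows = cidr_match(load_table(EXAMPLE_CSV), "1.2.3.10", "column1", nrows=3)
    print([r["column2"] for r in rows])
```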
In some cases the parseLEEF() function could not parse the event if the devTimeFormat field did not match the corresponding devTime field. This issue has now been fixed.
A query would not return a result if the query function encountered a `NaN` value. This issue has now been fixed.
Packages
Live queries would not get restarted whenever a referenced saved query originating from a package was updated. For example, a live query like `$myPackage:mySavedQuery()` would not get restarted whenever the contents of `mySavedQuery` was updated on the package. This issue has now been fixed.
Improvement
Automation and Triggers
Handling of query warnings for Alerts and Scheduled searches has been improved:
Filter alerts, Aggregate alerts and Scheduled searches no longer restart or keep polling a query with a query warning that is permanent.
Filter and Aggregate alerts now try restarting the query for a while, if it has a warning that does not automatically clear when no longer applicable.
Storage
The ingest reader loop now marks datasources as idle more quickly when Kafka ingest flow is below maximum capacity.
The performance of writes to the chatter topic has been enhanced. This improvement addresses previous potential degraded performance of ingest on clusters with numerous ingest queue partitions.
In an effort to reduce load on global, datasources are further delayed in being marked as idle when they receive no data.
The load on Global Database could be slightly reduced by removing some unnecessary messages that were being sent by mistake.
Queries
Queries producing more events via their aggregators than configured by `AggregatorOutputRowLimit` will now get cancelled and not produce an output. Previously, queries would only produce a log and continue to run when the limit was exceeded. This can happen for instance when nesting multiple groupBy() function calls with high cardinality results. This change is being introduced to protect the system against runaway queries that take up resources from the whole cluster.
Regular expressions compiled using the new LogScale Regular Expression Engine v2 are now cached to avoid compiling the same regex multiple times.
Error recovery messages have been improved in the Query Editor. LogScale now informs about any missing or excessive arguments in queries when using, for example, the worldMap() and rename() functions.
Functions
Other
A timedOut field added to the request log now indicates whether the client received a `503` response.
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
fortinet/fortigate has been updated to v1.3.0.
Added support for REST API events
Enhanced event categorization for system and VPN events
Improved outcome detection for success/failure events
Added URL parsing capabilities for UTM events
Updated field mappings to align with ECS 8.16.0
For more information, see Package fortinet/fortigate Release Notes.
cisco/umbrella has been updated to v1.3.0.
Updates ECS version to 8.17.0
Improves event categorization using array append
Standardizes event action field to lowercase
Enhances field normalization for network traffic
For more information, see Package cisco/umbrella Release Notes.
aws/cloudtrail has been updated to v1.1.5.
Added fallback to userIdentity.userName for user.name field
Updated ECS version to 8.17.0
For more information, see Package aws/cloudtrail Release Notes.
broadcom/proxysg has been updated to v1.2.0.
Updated ECS version to 8.17.0
Added event.kind field set to "event"
Changed array handling for event.category[] and event.type[] to use array:append
The old parser syslog-utc is now officially removed from the Broadcom Symantec ProxySG package
For more information, see Package broadcom/proxysg Release Notes.
aws/guardduty has been updated to v1.1.1.
Updated severity mapping logic to generate alerts for high and critical findings
Updated ECS version to 8.17.0
Improved array handling for event categories and types
For more information, see Package aws/guardduty Release Notes.
zscaler/deception has been updated to v2.1.0.
The old parser deception is now officially removed from the ZScaler Deception package
Expanded field normalization to support more ZScaler Deception datasets
All field normalizations have removed the use of rename() in an effort to make vendor fields available
For more information, see Package zscaler/deception Release Notes.
cisco/meraki has been updated to v1.3.2.
Added support for content filtering block events
Added new field mappings for content filtering events
For more information, see Package cisco/meraki Release Notes.
darktrace/detect has been updated to v1.2.0.
Adds a default value of "event" for the event.kind field.
Fixes regex to parse out alternative timestamp format.
Fixes gap error for Vendor.model.tags[] array.
Adds source.ip field.
For more information, see Package darktrace/detect Release Notes.
microsoft/windows-dns-debug has been updated to v1.3.1.
Improved regex patterns for timestamp parsing
Added support for error messages with socket failures
Enhanced field extraction for DNS packet information
Fixed array handling for DNS header flags
Updated parser version to 2.2.1
For more information, see Package microsoft/windows-dns-debug Release Notes.
forcepoint/dlp has been updated to v1.2.0.
Added severity mapping based on Forcepoint documentation
Improved user domain extraction
Enhanced array handling for event categories and types
Optimized field cleanup process
The old parser dlp-cef is now officially removed from the Forcepoint DLP package
For more information, see Package forcepoint/dlp Release Notes.
aws/s3-server-access has been updated to v1.2.0.
Updated ECS version to 8.17.0
Added new fields:
cloud.Storage.bucket_name
error.code
host.id
url.original
user_agent.original
Improved array handling for event category and type fields
Fixed field duplication issues
The old parser s3access-space-delimited is now officially removed from the AWS S3 package
For more information, see Package aws/s3-server-access Release Notes.
rubrik/security-cloud has been updated to v1.1.0.
Added severity normalization mapping
Added event categorization for vulnerability events
Added event type and kind fields
Updated ECS version to 8.17.0
For more information, see Package rubrik/security-cloud Release Notes.
haproxy/haproxy has been updated to v1.2.0.
Updated ECS version to 8.17.0
Added new field mappings for log.syslog fields
Added process.name and process.pid fields
Added host.name field mapping
Added source.port field mapping
The old parser haproxy-syslog is now officially removed from the HAProxy package
For more information, see Package haproxy/haproxy Release Notes.
claroty/ctd has been updated to v1.2.0.
Updated ECS version to 8.17.0
Improved event categorization using array:append
Added event severity mapping
Optimized field handling and cleanup
The old parser cef-latest is now officially removed from the Claroty CTD package
For more information, see Package claroty/ctd Release Notes.
aruba/clearpass has been updated to v1.2.2.
Enhanced initial regex to accommodate events with a newline character at the end
Enhanced user.name and user.domain extraction for some events
For more information, see Package aruba/clearpass Release Notes.
cloudflare/zerotrust has been updated to v1.2.0.
Improved JSON parsing with support for message prefix removal
Enhanced event categorization with proper event.category and event.type arrays
Added comprehensive email attachment parsing for Area1 security logs
Improved HTTP response status code handling for better event outcome determination
Added support for bulk log processing with improved detection logic
For more information, see Package cloudflare/zerotrust Release Notes.
infoblox/nios has been updated to v1.3.0.
Improves event categorization.
Adds support for additional audit events
Enhances DNS field extraction
The old parser syslog-utc is now officially removed from the Infoblox Nios package
For more information, see Package infoblox/nios Release Notes.
okta/sso has been updated to v1.3.0.
Removes flatten array logic for nested target array
Utilizes objectArray:eval() to retrieve target array User and UserGroup data
For more information, see Package okta/sso Release Notes.
cisco/ios has been updated to v1.5.0.
Improved timestamp parsing for formats including year in different positions
Added support for MAC address extraction and normalization
Enhanced access list log parsing to handle MAC addresses in source fields
Added parsing for CFGLOG_LOGGEDCMD events to capture CLI commands
For more information, see Package cisco/ios Release Notes.
f5networks/bigip has been updated to v2.2.0.
Added support for F5 Advanced Firewall Module (AFM) logs
Improved ASM event categorization for better threat detection
Updated ECS version to 8.17.0
For more information, see Package f5networks/bigip Release Notes.
dell/isilon has been updated to v1.2.0.
Updated ECS version to 8.17.0
Added log.syslog fields for better syslog data representation
Improved array handling for event category and type fields
Removed deprecated isilon-syslog parser
The old parser isilon-syslog is now officially removed from the Dell Isilon package
For more information, see Package dell/isilon Release Notes.
cisco/meraki has been updated to v1.3.1.
Adds support for l7_firewall events
For more information, see Package cisco/meraki Release Notes.
cisco/ise has been updated to v1.2.2.
Bugfix to update timestamp parsing to accept + and - prefixed timezones
For more information, see Package cisco/ise Release Notes.
darktrace/detect has been updated to v1.3.0.
Added support for audit events with new event.dataset "detect.audit"
Fixed timezone handling for RFC 3164 syslog timestamps
For more information, see Package darktrace/detect Release Notes.
island/island has been updated to v1.2.0.
Added rule.name and rule.id fields for network events
Added event.kind field set to "event"
Updated array handling for event.category and event.type fields
Updated ECS version to 8.17.0
The old parser island is now officially removed from the Island package
For more information, see Package island/island Release Notes.
fortinet/fortigate has been updated to v1.3.1.
Added severity field mapping
For more information, see Package fortinet/fortigate Release Notes.
aws/waf has been updated to v1.1.1.
Fixed bug to handle events with trailing space in Vendor.httpRequest.httpVersion field
Migrated parser to utilize array:append()
For more information, see Package aws/waf Release Notes.
cisco/firepower has been updated to v1.6.3.
Updated field assignment syntax from rename() to direct assignment
Fixed regex pattern for teardown connections to handle optional fields
Improved lower() function usage for better performance
For more information, see Package cisco/firepower Release Notes.
cisco/firepower has been updated to v1.6.1.
Improved regex pattern for inbound TCP connections to handle probe connections
Enhanced regex pattern for teardown connections to handle optional fields
For more information, see Package cisco/firepower Release Notes.
cisco/firepower has been updated to v1.6.2.
Fixed regex pattern for session disconnection duration to handle complex duration formats
For more information, see Package cisco/firepower Release Notes.
microsoft/windows-dns-debug has been updated to v1.3.0.
Added support for additional log formats
Improved handling of DNS debug log header lines
Updated ECS version to 8.17.0
Enhanced field extraction for DNS packet information
Added support for self-referential DNS messages
The old parser windows-dns is now officially removed from the Microsoft Windows DNS package
For more information, see Package microsoft/windows-dns-debug Release Notes.
zoom/qss has been updated to v1.1.0.
Adds the following fields: event.category[], user.email, user.id, user.name, host.hostname, host.mac[]
Bumps ecs.version to 8.17.0
For more information, see Package zoom/qss Release Notes.
fortinet/fortigate has been updated to v1.3.3.
Updated event outcome handling to set failure when action is block or blocked
Fixed test cases to match updated outcome logic
For more information, see Package fortinet/fortigate Release Notes.
checkpoint/ngfw has been updated to v2.0.0.
Updated ECS version to 8.17.0
Improved event categorization with array-based approach
Enhanced field mapping for better data normalization
Optimized email field handling
Fixed field duplication issues
For more information, see Package checkpoint/ngfw Release Notes.
cisco/ise has been updated to v1.3.0.
Sets the event.outcome based on the Vendor.FailureReason field
The old parser cisco-ise-syslog is now officially removed from the Cisco Identity Services Engine (ISE) package
For more information, see Package cisco/ise Release Notes.
fortinet/fortigate has been updated to v1.3.2.
Updated field assignments to use direct assignment instead of rename function
Updated ECS version to 8.17.0
For more information, see Package fortinet/fortigate Release Notes.
aws/cloudtrail has been updated to v1.1.4.
Added support for Role type in user identity mapping
Added fallback to additionalEventData.UserName for user.name field
Added ECS field mapping for TLS fields
For more information, see Package aws/cloudtrail Release Notes.
cisco/ios has been updated to v1.4.0.
Improved regex pattern for broader raw log coverage
Added timestamp parsing support for formats including year
Added LOGIN_FAILED eventCode parsing
The old parser syslog-utc is now officially removed from the Cisco IOS package
Utilized array:append() function for array declarations.
For more information, see Package cisco/ios Release Notes.
cisco/firepower has been updated to v1.5.0.
Adds additional support to parse logs with rule 607002
The old parser firepower-syslog is now officially removed from the Cisco Firepower package
Improved array declaration within the parser
For more information, see Package cisco/firepower Release Notes.
cisco/meraki has been updated to v1.3.0.
Utilizes array:append() function for array declarations
Adds event.kind field to comply with CPS requirements
Removed indicator type from configuration category to comply with ECS
For more information, see Package cisco/meraki Release Notes.