Falcon LogScale 1.178.0 GA (2025-03-04)
| Version? | Type? | Release Date? | Availability? | End of Support | Security Updates | Upgrades From? | Downgrades To? | Config. Changes? |
|---|---|---|---|---|---|---|---|---|
| 1.178.0 | GA | 2025-03-04 | Cloud | 2026-05-31 | No | 1.150.0 | 1.157.0 | No |
Hide file download links
Download
Use docker pull humio/humio-core:1.178.0 to download the latest version
Bug fixes and updates.
Breaking Changes
The following items create a breaking change in the behavior, response or operation of this release.
Automation and Triggers
Important Notice: Downgrade Considerations
Enhancements to Aggregate alerts in version 1.176 include additional state tracking for errors and warnings. While this is an improvement, it does require attention if you need to downgrade to an earlier version.
Potential Impact:
If you downgrade from 1.176 or above to 1.175 or below, you may encounter errors related to Aggregate Alerts, causing Aggregate Alerts to not run to completion.
Resolution Steps:
After downgrading, if you encounter errors containing Error message and error in phase must either both be set or not set, do the following:
Identify affected Aggregate Alerts by executing the following GraphQL query:
graphqlquery q1 { searchDomains { name aggregateAlerts {id, lastError, lastWarnings} } }Document the IDs of any affected alerts having warnings and no errors set.
Apply the resolution – for each identified alert with warnings (optionally and/or errors), apply this GraphQL mutation, replacing
INSERTwith your actual view name and alert ID:graphqlmutation m1 { clearErrorOnAggregateAlert(input:{viewName:"INSERT",id:"INSERT"}) {id} }Keep track of modified alert IDs for future reference.
Verify the resolution – confirm that the system returns to normal operation, and monitor for any additional error messages using a LogScale query and/or alert, such as:
logscale#kind=logs class="c.h.c.Context" "Error message and error in phase must either both be set or not set"These steps will reset the Aggregate Alerts and restore the system to normal operation.
Deprecation
Items that have been deprecated and may be removed in a future release.
The
colorfield on the Role type has been marked as deprecated (will be removed in version 1.195).The
storagetask of the GraphQL NodeTaskEnum is deprecated and scheduled to be removed in version 1.189. This affects the following items:
The
supportedTasksfield of the ClusterNode type.The
assignedTasksfield of the ClusterNode type.The
unassignedTasksfield of the ClusterNode type.The assignTasks() mutation.
The unassignTasks() mutation
The
INITIAL_DISABLED_NODE_TASKSconfiguration variable.LogScale is deprecating free-text searches that occur after the first aggregate function in a query. These searches likely did not and will not work as expected. Starting with version 1.190.0, this functionality will no longer be available. A free-text search after the first aggregate function refers to any text filter that is not specific to a field and appears after the query's first aggregate function. For example, this syntax is deprecated:
logscale Syntax"Lorem ipsum dolor" | tail(200) | "sit amet, consectetur"Some uses of the
wildcard()function, particularly those that do not specify afieldargument are also free-text-searches and therefore are deprecated as well. Regex literals that are not particular to a field, for example/(abra|kadabra)/are also free-text-searches and are thus also deprecated after the first aggregate function.To work around this issue, you can:
Move the free-text search in front of the first aggregate function.
Search specifically in the @rawstring field.
If you know the field that contains the value you're searching for, it's best to search that particular field. The field may have been added by either the log shipper or the parser, and the information might not appear in the @rawstring field.
Free-text searches before the first aggregate function continue to work as expected since they are not deprecated. Field-specific text searches work as expected as well: for example,
myField=/(abra|kadabra)/continue to work also after the first aggregate function.The use of the event functions
eventInternals(),eventFieldCount(), andeventSize()after the first aggregate function is deprecated. For example:Invalid Example for Demonstration - DO NOT USElogscaleeventSize() | tail(200) | eventInternals()Usage of these functions after the first aggregate function is deprecated because they work on the original events, which are not available after the first aggregate function.
Using these functions after the first aggregate function will be made unavailable in version 1.190.0 and onwards.
These functions will continue to work before the first aggregate function, for example:
logscaleeventSize() | tail(200)The
lastScheduledSearchfield from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replacelastScheduledSearch.The
EXTRA_KAFKA_CONFIGS_FILEconfiguration variable has been deprecated and planned to be removed no earlier than version 1.225.0. For more information, see RN Issue.
New features and improvements
Functions
It is now possible to specify a
limit=maxargument insort()andtable()functions. The maximum limit is defined by theStateRowLimitdynamic configuration, which currently defaults to 20,000.
Fixed in this release
Security
Fixed an issue where it was not possible to edit an OIDC identity provider if it was configured as the default identity provider for the organization.
Administration and Management
Fix a bug in clusters where a file may be deleted once it is downloading from bucket storage if the confirmation message of currenthost can not write to global storage.
Automation and Triggers
Fix a bug that could prevent all aggregate and filter alerts from running.
Storage
Fix an issue where LogScale might not correct segment over-replication by removing replicas.
Fixed an issue where accidental over-replication could remain unhandled until the rebalancing job triggers.
Dashboards and Widgets
Fix an issue where the event distribution chart would be hidden by default if a repository was configured with automatic search disabled.
Queries
Fixed an issue where if a query was restarted it might, in some cases, be removed completely before it could be polled for results, leading to a 404 error on query poll.
Improvement
Administration and Management
A new labelled metric was created to track how often the S3AsyncClient has to retry API calls for S3 bucket operations.
The metric full name as reported by LogScale is s3-aws-retry-count/{operationName} where
operationNameis the S3 API call that was attempted, such as,PutObjectorGetObject.
Queries
The
readFile()function now takes an array of table/file names in itsfileparameter (or its alias parametertable). If multiple file or table names are given, they will be output in order.If a file/table does not have a column requested in the
includeparameter, the error message forreadFile()now indicates which file(s) do not have the specified column(s).
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
f5networks/bigip has been updated to v2.1.1.
Updates initial regex to accept events without processid
For more information, see Package f5networks/bigip Release Notes.
fortinet/fortigate has been updated to v1.3.0.
Added support for REST API events
Enhanced event categorization for system and VPN events
Improved outcome detection for success/failure events
Added URL parsing capabilities for UTM events
Updated field mappings to align with ECS 8.16.0
For more information, see Package fortinet/fortigate Release Notes.
aws/guardduty has been updated to v1.1.1.
Updated severity mapping logic to generate alerts for high and critical findings
Updated ECS version to 8.17.0
Improved array handling for event categories and types
For more information, see Package aws/guardduty Release Notes.
aws/cloudtrail has been updated to v1.1.3.
Expands support for more eventNames (adding category and type)
For more information, see Package aws/cloudtrail Release Notes.
cisco/ise has been updated to v1.2.1.
Utilizes array:append() function for array declarations.
Bumps ecs.version to 8.16.0.
Add custom parsing for CISE_MONITORING_DATA_PURGE_AUDIT events
For more information, see Package cisco/ise Release Notes.
darktrace/detect has been updated to v1.2.0.
Adds default of "event" of event.kind field.
Fixes regex to parse out alternative timestamp format.
Fixes gap error for Vendor.model.tags[] array.
Adds source.ip field.
For more information, see Package darktrace/detect Release Notes.
veeam/veeamdataplatform has been updated to v1.0.0.
Initial version of the Veeam package.
For more information, see Package veeam/veeamdataplatform Release Notes.
trellix/fireeye-nx has been updated to v1.1.1.
Migrated from manual array element declaration (e.g. event.category[0] := "value") to use the array:append() function (e.g. array:append(array="event.category[]", values=["values"])). This ensures that manual array element declarations won't collide with each other.
For more information, see Package trellix/fireeye-nx Release Notes.
zscaler/internet-access has been updated to v1.3.3.
Migrated from manual array element declaration (e.g. event.category[0] := "value") to use the array:append() function (e.g. array:append(array="event.category[]", values=["values"])). This ensures that manual array element declarations won't collide with each other.
For more information, see Package zscaler/internet-access Release Notes.
aruba/clearpass has been updated to v1.2.2.
Enhanced initial regex to accomodate events with newline character at the end
Endhanced user.name and user.domain extraction for some events
For more information, see Package aruba/clearpass Release Notes.
cisco/meraki has been updated to v1.3.1.
Adds support for l7_firewall events
For more information, see Package cisco/meraki Release Notes.
cisco/ise has been updated to v1.2.2.
Bugfix to update timestamp parsing to accept + and - prefixed timezones
For more information, see Package cisco/ise Release Notes.
fortinet/fortigate has been updated to v1.3.1.
Added severity field mapping
For more information, see Package fortinet/fortigate Release Notes.
zoom/qss has been updated to v1.1.0.
Adds the following fields: event.category[], user.email, user.id, user.name, host.hostname, host.mac[]
Bumps ecs.version to 8.17.0
For more information, see Package zoom/qss Release Notes.
zscaler/private-access has been updated to v1.3.1.
Migrated from manual array element declaration (e.g. event.category[0] := "value") to use the array:append() function (e.g. array:append(array="event.category[]", values=["values"])). This ensures that manual array element declarations won't collide with each other.
Deprecation and removal of several legacy ZScaler Private Access parsers in favor of the unified zscaler-private-access parser, including:
zscaler-zpa-app-connector-status-json
zscaler-zpa-app-protection-json
zscaler-zpa-audit-json
zscaler-zpa-browser-access-json
zscaler-zpa-user-activity-json
zscaler-zpa-user-status-json
For more information, see Package zscaler/private-access Release Notes.
aws/cloudtrail has been updated to v1.1.4.
Added support for Role type in user identity mapping
Added fallback to additionalEventData.UserName for user.name field
Added ECS field mapping for TLS fields
For more information, see Package aws/cloudtrail Release Notes.
cisco/meraki has been updated to v1.3.0.
Utilizes array:append() function for array declarations
Adds event.kind field to comply with CPS requirements
Removed indicator type from configuration category to comply with ECS
For more information, see Package cisco/meraki Release Notes.
aruba/clearpass has been updated to v1.2.1.
Utilizes array:append() function for array declarations.
Bumps ecs.version to 8.17.0.
Properly handles events with trailing special characters.
For more information, see Package aruba/clearpass Release Notes.