Falcon LogScale 1.181.0 GA (2025-03-25)

Version?Type?Release Date?Availability?End of SupportSecurity UpdatesUpgrades From?Downgrades To?Config. Changes?
1.181.0GA2025-03-25

Cloud

2026-05-31No1.150.01.157.0No

Hide file download links

Show file download links

Bug fixes and updates.

Breaking Changes

The following items create a breaking change in the behavior, response or operation of this release.

  • Automation and Triggers

    • Important Notice: Downgrade Considerations

      Enhancements to Aggregate alerts in version 1.176 include additional state tracking for errors and warnings. While this is an improvement, it does require attention if you need to downgrade to an earlier version.

      Potential Impact:

      If you downgrade from 1.176 or above to 1.175 or below, you may encounter errors related to Aggregate Alerts, causing Aggregate Alerts to not run to completion.

      Resolution Steps:

      After downgrading, if you encounter errors containing Error message and error in phase must either both be set or not set, do the following:

      1. Identify affected Aggregate Alerts by executing the following GraphQL query:

        graphql
        query q1 {
  searchDomains {
    name
    aggregateAlerts {id, lastError, lastWarnings}
  }
}

        Document the IDs of any affected alerts having warnings and no errors set.

      2. Apply the resolution – for each identified alert with warnings (optionally and/or errors), apply this GraphQL mutation, replacing INSERT with your actual view name and alert ID:

        graphql
        mutation m1 {
  clearErrorOnAggregateAlert(input:{viewName:"INSERT",id:"INSERT"}) {id}
}

        Keep track of modified alert IDs for future reference.

      3. Verify the resolution – confirm that the system returns to normal operation, and monitor for any additional error messages using a LogScale query and/or alert, such as:

        logscale
        #kind=logs
class="c.h.c.Context"
"Error message and error in phase must either both be set or not set"

      These steps will reset the Aggregate Alerts and restore the system to normal operation.

Deprecation

Items that have been deprecated and may be removed in a future release.

  • The color field on the Role type has been marked as deprecated (will be removed in version 1.195).

  • The storage task of the GraphQL NodeTaskEnum is deprecated and scheduled to be removed in version 1.189. This affects the following items:

  • LogScale is deprecating free-text searches that occur after the first aggregate function in a query. These searches likely did not and will not work as expected. Starting with version 1.190.0, this functionality will no longer be available. A free-text search after the first aggregate function refers to any text filter that is not specific to a field and appears after the query's first aggregate function. For example, this syntax is deprecated:

    logscale Syntax
    "Lorem ipsum dolor"
| tail(200)
| "sit amet, consectetur"

    Some uses of the wildcard() function, particularly those that do not specify a field argument are also free-text-searches and therefore are deprecated as well. Regex literals that are not particular to a field, for example /(abra|kadabra)/ are also free-text-searches and are thus also deprecated after the first aggregate function.

    To work around this issue, you can:

    • Move the free-text search in front of the first aggregate function.

    • Search specifically in the @rawstring field.

    If you know the field that contains the value you're searching for, it's best to search that particular field. The field may have been added by either the log shipper or the parser, and the information might not appear in the @rawstring field.

    Free-text searches before the first aggregate function continue to work as expected since they are not deprecated. Field-specific text searches work as expected as well: for example, myField=/(abra|kadabra)/ continue to work also after the first aggregate function.

  • The use of the event functions eventInternals(), eventFieldCount(), and eventSize() after the first aggregate function is deprecated. For example:

    Invalid Example for Demonstration - DO NOT USE
    logscale
    eventSize() 
| tail(200) 
| eventInternals()

    Usage of these functions after the first aggregate function is deprecated because they work on the original events, which are not available after the first aggregate function.

    Using these functions after the first aggregate function will be made unavailable in version 1.190.0 and onwards.

    These functions will continue to work before the first aggregate function, for example:

    logscale
    eventSize() 
| tail(200)

  • The setConsideredAliveUntil and setConsideredAliveFor GraphQL mutations are deprecated and will be removed in 1.195.

  • The lastScheduledSearch field from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replace lastScheduledSearch.

  • The EXTRA_KAFKA_CONFIGS_FILE configuration variable has been deprecated and planned to be removed no earlier than version 1.225.0. For more information, see RN Issue.

New features and improvements

  • Administration and Management

    • Updated how the losable-node-count-before-storage-over-capacity gauge metric is calculated, to consider secondary storage. When secondary storage is present, it takes precedence over primary storage to calculate the available storage capacity, taking into account the SECONDARY_STORAGE_MAX_FILL_PERCENTAGE configuration settings.

    • The new metric query-worker-queue-full is now available. This metric tracks the number of times a worker queue was full and a new query submission was rejected as a result.

  • User Interface

    • The Lookup Files preview feature in the User Interface now displays a maximum of 500 rows, reduced from 50,000. The lower limit improves the UI performance and matches the existing row limit for Ad-hoc tables previews.

  • Automation and Triggers

  • GraphQL API

    • Setting short-term stability on the following output fields available on the testParserV2 GraphQL mutation:

      • falselyTaggedFields

      • arraysWithGaps (and all subfields)

      • schemaViolations (and all subfields)

      These fields were previously only available in preview form.

  • Storage

    • LogScale now uses a fixed TCP receive buffer size for ingest consumers, which defaults to 32 MB. This change replaces the previous automatic buffer size calculation, which did not perform reliably. The operating system supplies buffer limits based on the value defined in the /proc/sys/net/core/rmem_max file. System administrators must modify this file to enable larger buffer sizes.

      To specify a different buffer size than the default, use the KAFKA_INGEST_QUEUE_CONSUMER_ variable as the prefix to pass these consumer configuration properties:

      • MAX_PARTITION_FETCH_BYTES

      • FETCH_MAX_BYTES

      • RECEIVE_BUFFER_BYTES

      Then set the desired buffer size, in bytes, in the new configuration variables thus created, e.g., KAFKA_INGEST_QUEUE_CONSUMER_MAX_PARTITION_FETCH_BYTES.

  • Configuration

  • Functions

Fixed in this release

  • Security

    • OAuth login failed when following certain links to LogScale queries, due to LogScale not being able to decode the OAuth state value.

  • Automation and Triggers

    • Previously, a fatal error in handling an Alert or Scheduled search could result in other Alerts or Scheduled searches failing to run. This issue has now been fixed.

  • Storage

    • Before this fix, the system incorrectly removed all currentHosts from segments during bucket storage upload when:

      Now currentHosts are only removed from segments when both settings are enabled.

  • Queries

    • The User Interface would show Query status: Done even for queries whose completion rate was less than 100%. This issue has now been fixed.

  • Functions

Improvement

  • User Interface

    • During group creation, LogScale incorrectly displayed a You have no roles yet message, despite roles always being present after the creation was completed.

      This behavior is now being removed internally from the group creation workflow, as this state can't occur in the system (organizations always have at least one default role).

      This change now improves the system as follows:

      • Improved workflow consistency. The roles list now appears correctly in the UI during group creation

      • Enhanced internal system stability

      • Users can still create new roles through the existing roles list view.

    • LogScale now provides enhanced accessibility for disabled icon buttons. Users can understand why an icon is unavailable through clear feedback from both tooltip and screen reader announcements. This improvement makes the interface more inclusive for keyboard navigation and screen reader users.

    • The Parsers UI menu is now hidden on those views where it is not applicable, instead of showing as disabled.

  • Dashboards and Widgets

    • Dashboards now benefit from enhanced field statistics computation. This optimization ensures better dashboard performances while processing query results.

  • Queries

    • Improving error handling when submitting queries: if an invalid query is submitted, submission is not retried internally anymore. This in particular improves error reporting for Alerts and Scheduled searches.

    • Queries run on behalf of an organization are now logged to the humio-audit and humio-activity repositories like other queries.

Recent Package Updates

The following LogScale packages have been updated within the last month.

  • Package Changes

    • fortinet/fortigate has been updated to v1.3.0.

      • Added support for REST API events

      • Enhanced event categorization for system and VPN events

      • Improved outcome detection for success/failure events

      • Added URL parsing capabilities for UTM events

      • Updated field mappings to align with ECS 8.16.0

      For more information, see Package fortinet/fortigate Release Notes.

    • cisco/umbrella has been updated to v1.3.0.

      • Updates ECS version to 8.17.0

      • Improves event categorization using array append

      • Standardizes event action field to lowercase

      • Enhances field normalization for network traffic

      For more information, see Package cisco/umbrella Release Notes.

    • aws/cloudtrail has been updated to v1.1.5.

      • Added fallback to userIdentity.userName for user.name field

      • Updated ECS version to 8.17.0

      For more information, see Package aws/cloudtrail Release Notes.

    • aws/guardduty has been updated to v1.1.1.

      • Updated severity mapping logic to generate alerts for high and critical findings

      • Updated ECS version to 8.17.0

      • Improved array handling for event categories and types

      For more information, see Package aws/guardduty Release Notes.

    • zscaler/deception has been updated to v2.1.0.

      • The old parser deception is now officially removed from the ZScaler Deception package

      • Expanded field normalization to support more ZScaler Deception datasets

      • All field normalizations have removed the use of rename() in an effort to make vendor fields available

      For more information, see Package zscaler/deception Release Notes.

    • cisco/meraki has been updated to v1.3.2.

      • Added support for content filtering block events

      • Added new field mappings for content filtering events

      For more information, see Package cisco/meraki Release Notes.

    • cisco/meraki has been updated to v1.4.0.

      • Added support for ip_flow_start and ip_flow_end events

      • Added new field mappings for network flow events

      • Updated ECS version to 8.17.0

      For more information, see Package cisco/meraki Release Notes.

    • aruba/clearpass has been updated to v1.2.2.

      • Enhanced initial regex to accomodate events with newline character at the end

      • Endhanced user.name and user.domain extraction for some events

      For more information, see Package aruba/clearpass Release Notes.

    • okta/sso has been updated to v1.3.0.

      • Removes flatten array logic for nested target array

      • Utilizes objectArray:eval() to retrieve target array User and UserGroup data

      For more information, see Package okta/sso Release Notes.

    • cisco/meraki has been updated to v1.3.1.

      • Adds support for l7_firewall events

      For more information, see Package cisco/meraki Release Notes.

    • tausight/ephi-risk-posture has been updated to v1.2.0.

      • Initial release with comprehensive ePHI event parsing

      • Support for file inspection, deletion, and copying events

      • Device attachment monitoring capabilities

      • Clipboard activity tracking

      • Email event processing

      • Process and file I/O activity monitoring

      For more information, see Package tausight/ephi-risk-posture Release Notes.

    • cisco/firepower has been updated to v1.6.0.

      • Adds additional support to parser logs with event ID 106023, 302013, 302014, 302015, 302016, 302020

      • Expands event.type for logs with event ID 109201, 109207, 109210

      For more information, see Package cisco/firepower Release Notes.

    • darktrace/detect has been updated to v1.3.0.

      • Added support for audit events with new event.dataset "detect.audit"

      • Fixed timezone handling for RFC 3164 syslog timestamps

      For more information, see Package darktrace/detect Release Notes.

    • fortinet/fortigate has been updated to v1.3.1.

      • Added severity field mapping

      For more information, see Package fortinet/fortigate Release Notes.

    • aws/waf has been updated to v1.1.1.

      • Fixed bug to handle events with trailing space in Vendor.httpRequest.httpVersion field

      • Migrated parser to utilize array:append()

      For more information, see Package aws/waf Release Notes.

    • cisco/firepower has been updated to v1.6.1.

      • Improved regex pattern for inbound TCP connections to handle probe connections

      • Enhanced regex pattern for teardown connections to handle optional fields

      For more information, see Package cisco/firepower Release Notes.

    • zscaler/deception has been updated to v2.1.1.

      • Fixed timestamp handling in post-normalization

      • Updated ECS version to 8.17.0

      • Updated parser version to 2.0.1

      For more information, see Package zscaler/deception Release Notes.

    • zoom/qss has been updated to v1.1.0.

      • Adds the following fields: event.category[], user.email, user.id, user.name, host.hostname, host.mac[]

      • Bumps ecs.version to 8.17.0

      For more information, see Package zoom/qss Release Notes.

    • aws/cloudtrail has been updated to v1.1.4.

      • Added support for Role type in user identity mapping

      • Added fallback to additionalEventData.UserName for user.name field

      • Added ECS field mapping for TLS fields

      For more information, see Package aws/cloudtrail Release Notes.

    • cisco/firepower has been updated to v1.5.0.

      • Adds additional support to parser logs with rule 607002

      • The old parser firepower-syslog is now officially removed from the Cisco Firepower package

      • Improved array declaration within the parser

      For more information, see Package cisco/firepower Release Notes.

    • cisco/meraki has been updated to v1.3.0.

      • Utilizes array:append() function for array declarations

      • Adds event.kind field to comply with CPS requirements

      • Removed indicator type from configuration category to comply with ECS

      For more information, see Package cisco/meraki Release Notes.