Falcon LogScale 1.183.0 GA (2025-04-08)

Version: 1.183.0
Type: GA
Release Date: 2025-04-08
Availability: Cloud
End of Support: 2026-05-31
Security Updates: No
Upgrades From: 1.150.0
Downgrades To: 1.177.0
Config. Changes: No


Bug fixes and updates.

Deprecation

Items that have been deprecated and may be removed in a future release.

  • The color field on the Role type has been marked as deprecated (will be removed in version 1.195).

  • The storage task of the GraphQL NodeTaskEnum is deprecated and scheduled to be removed in version 1.189. This affects the following items:

  • LogScale is deprecating free-text searches that occur after the first aggregate function in a query. These searches likely did not and will not work as expected. Starting with version 1.190.0, this functionality will no longer be available. A free-text search after the first aggregate function refers to any text filter that is not specific to a field and appears after the query's first aggregate function. For example, this syntax is deprecated:

    logscale
    "Lorem ipsum dolor"
    | tail(200)
    | "sit amet, consectetur"

    Uses of the wildcard() function that do not specify a field argument are also free-text searches and are therefore deprecated as well. Regex literals that are not tied to a field, for example /(abra|kadabra)/, are also free-text searches and are likewise deprecated after the first aggregate function.

    To work around this issue, you can:

    • Move the free-text search in front of the first aggregate function.

    • Search specifically in the @rawstring field.

    If you know the field that contains the value you're searching for, it's best to search that particular field. The field may have been added by either the log shipper or the parser, and the information might not appear in the @rawstring field.

    Free-text searches before the first aggregate function are not deprecated and continue to work as expected. Field-specific text searches also continue to work after the first aggregate function; for example, myField=/(abra|kadabra)/ keeps working.

  • The use of the event functions eventInternals(), eventFieldCount(), and eventSize() after the first aggregate function is deprecated. For example:

    Invalid Example for Demonstration - DO NOT USE
    logscale
    eventSize() 
    | tail(200) 
    | eventInternals()

    Usage of these functions after the first aggregate function is deprecated because they work on the original events, which are not available after the first aggregate function.

    From version 1.190.0 onwards, these functions will no longer be available after the first aggregate function.

    These functions will continue to work before the first aggregate function, for example:

    logscale
    eventSize() 
    | tail(200)

  • The setConsideredAliveUntil and setConsideredAliveFor GraphQL mutations are deprecated and will be removed in 1.195.

  • The lastScheduledSearch field from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replace lastScheduledSearch.

  • The EXTRA_KAFKA_CONFIGS_FILE configuration variable has been deprecated and planned to be removed no earlier than version 1.225.0. For more information, see RN Issue.
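The two query deprecations above (free-text searches, field-less wildcard() and regex literals after the first aggregate function, and the eventSize()/eventInternals()/eventFieldCount() functions after the first aggregate function) are easy to miss in saved queries, dashboards and alerts that were written long ago. The following Python script is an added example, not LogScale's own tooling: it splits a query into its top-level pipeline stages, finds the first aggregate function, and flags the deprecated shapes in every later stage so they can be rewritten before 1.190.0. The list of aggregate functions is an assumption (a representative subset, not the complete set), the rule for recognising a /.../ regex literal is a heuristic, and the sample queries are constructed for the example.

```python
import re

# Assumption: a representative subset of LogScale aggregate functions, not the
# complete list; extend it for your environment. Once one of these appears in a
# pipeline, later stages no longer see the original events.
AGGREGATE_FUNCTIONS = {
    "tail", "head", "count", "sum", "avg", "min", "max", "groupBy", "timeChart",
    "bucket", "top", "table", "sort", "collect", "stats", "percentile",
}
EVENT_FUNCTIONS = ("eventSize", "eventInternals", "eventFieldCount")
REMOVED_IN = "1.190.0"

_CALL = re.compile(r"^([A-Za-z_]\w*)\s*\(")
_BARE_STRING = re.compile(r'^"(?:[^"\\]|\\.)*"$')          # | "sit amet"
_BARE_REGEX = re.compile(r"^/(?:[^/\\]|\\.)*/[A-Za-z]*$")   # | /(abra|kadabra)/
_BARE_TERM = re.compile(r'^[^\s"/=:!<>()\[\]{}]+$')         # | error   or   | *abra*
_EVENT_FN = re.compile(r"\b(%s)\s*\(" % "|".join(EVENT_FUNCTIONS))
_FIELD_ARG = re.compile(r"\bfield\s*=")


def _regex_may_start(stage_so_far: list) -> bool:
    # Heuristic: '/' opens a regex literal at the start of a stage or right after
    # '=', '(' or ','; elsewhere (e.g. in a path such as a/b) it is plain text.
    s = "".join(stage_so_far).rstrip()
    return not s or s[-1] in "=(,"


def split_stages(query: str) -> list:
    """Split a query on top-level '|' while keeping "..." strings, /.../ regex
    literals, function arguments and { subqueries } intact."""
    stages, buf, depth, i, n = [], [], 0, 0, len(query)
    while i < n:
        c = query[i]
        if c == '"' or (c == "/" and _regex_may_start(buf)):
            j = i + 1
            while j < n and query[j] != c:
                j += 2 if query[j] == "\\" else 1          # skip escaped characters
            if c == "/":
                while j + 1 < n and query[j + 1].isalpha():  # regex flags, e.g. /x/i
                    j += 1
            buf.append(query[i:j + 1])
            i = j + 1
            continue
        if c in "({":
            depth += 1
        elif c in ")}":
            depth -= 1
        elif c == "|" and depth == 0:
            stages.append("".join(buf).strip())
            buf = []
            i += 1
            continue
        buf.append(c)
        i += 1
    stages.append("".join(buf).strip())
    return [s for s in stages if s]


def is_aggregate_stage(stage: str) -> bool:
    m = _CALL.match(stage)
    return bool(m) and m.group(1) in AGGREGATE_FUNCTIONS


def deprecated_after_aggregate(query: str) -> list:
    """Return (stage_number, stage_text, reason) for every deprecated use."""
    findings, seen_aggregate = [], False
    for idx, stage in enumerate(split_stages(query), start=1):
        if not seen_aggregate:
            seen_aggregate = is_aggregate_stage(stage)
            continue  # stages up to and including the first aggregate keep working
        if _BARE_STRING.match(stage) or _BARE_REGEX.match(stage) or _BARE_TERM.match(stage):
            findings.append((idx, stage, f"free-text search after first aggregate (removed in {REMOVED_IN})"))
        elif stage.startswith("wildcard(") and not _FIELD_ARG.search(stage):
            findings.append((idx, stage, f"wildcard() without field= after first aggregate (removed in {REMOVED_IN})"))
        m = _EVENT_FN.search(stage)
        if m:
            findings.append((idx, stage, f"{m.group(1)}() after first aggregate (removed in {REMOVED_IN})"))
    return findings


# Constructed sample queries for the example; not taken from any real deployment.
SAMPLE_QUERIES = {
    "free-text after tail":       '"Lorem ipsum dolor" | tail(200) | "sit amet, consectetur"',
    "event fn after tail":        "eventSize() | tail(200) | eventInternals()",
    "field-specific (ok)":        '"Lorem ipsum" | tail(200) | @rawstring=/(abra|kadabra)/',
    "free-text before tail (ok)": '"Lorem ipsum" | /(abra|kadabra)/ | tail(200)',
    "wildcard without field":     '"x" | groupBy(user) | wildcard("*abra*")',
}

if __name__ == "__main__":
    for name, q in SAMPLE_QUERIES.items():
        for stage_no, stage, reason in deprecated_after_aggregate(q):
            print(f"{name}: stage {stage_no} `{stage}`: {reason}")
```

The script only reports; it does not rewrite queries, because a free-text search is a substring match and the field-specific replacement has to be chosen per query (a field the log shipper or parser added, or @rawstring). Aggregates nested inside a { subquery } do not count as the pipeline's first aggregate, which matches how the stages are split here.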

Behavior Changes

Scripts or environments that make use of these tools should be checked and updated for the new configuration:

Upgrades

Changes that may occur or be required during an upgrade.

  • Administration and Management

    • The minimum version to which LogScale can be downgraded is now 1.177.0 (it was 1.157.0).

New features and improvements

  • Installation and Deployment

  • Administration and Management

    • LogScale has a new internal metric, external-ingest-delay, to help identify upstream issues. The metric tracks the delay between an event being recorded and it being processed by LogScale, keyed by repository.

  • User Interface

    • A UI warning now appears whenever a query is stopped due to internal issues.

    • Bucket size information is now displayed in the widget header of Single Value widgets on dashboards, for example when the query uses the timeChart() function.

  • Storage

Fixed in this release

  • Administration and Management

    • Inaccuracy issues have been fixed for the ingest-offset-lowest metric.

  • Storage

    • Fixed an issue where operations during repository deletion could trigger incorrect "New dataspace is not empty" log messages.

  • Queries

    • Queries with subqueries now correctly report their max and latest state size in cases where they previously did not.

  • Other

    • Some occurrences of duplicated stop words have been removed from the backend. For example, "on on" has been corrected to "on" in some error messages.

Recent Package Updates

The following LogScale packages have been updated within the last month.

  • Package Changes

    • cisco/umbrella has been updated to v1.3.0.

      • Updates ECS version to 8.17.0

      • Improves event categorization using array append

      • Standardizes event action field to lowercase

      • Enhances field normalization for network traffic

      For more information, see Package cisco/umbrella Release Notes.

    • aws/cloudtrail has been updated to v1.1.5.

      • Added fallback to userIdentity.userName for user.name field

      • Updated ECS version to 8.17.0

      For more information, see Package aws/cloudtrail Release Notes.

    • broadcom/proxysg has been updated to v1.2.0.

      • Updated ECS version to 8.17.0

      • Added event.kind field set to "event"

      • Changed array handling for event.category[] and event.type[] to use array:append

      • The old parser syslog-utc is now officially removed from the Broadcom Symantec ProxySG package

      For more information, see Package broadcom/proxysg Release Notes.

    • zscaler/deception has been updated to v2.1.0.

      • The old parser deception is now officially removed from the ZScaler Deception package

      • Expanded field normalization to support more ZScaler Deception datasets

      • All field normalizations have removed the use of rename() in an effort to make vendor fields available

      For more information, see Package zscaler/deception Release Notes.

    • cisco/meraki has been updated to v1.4.0.

      • Added support for ip_flow_start and ip_flow_end events

      • Added new field mappings for network flow events

      • Updated ECS version to 8.17.0

      For more information, see Package cisco/meraki Release Notes.

    • aws/s3-server-access has been updated to v1.2.0.

      • Updated ECS version to 8.17.0

      • Added new fields:

        • cloud.Storage.bucket_name

        • error.code

        • host.id

        • url.original

        • user_agent.original

      • Improved array handling for event category and type fields

      • Fixed field duplication issues

      • The old parser s3access-space-delimited is now officially removed from the AWS S3 package

      For more information, see Package aws/s3-server-access Release Notes.

    • rubrik/security-cloud has been updated to v1.1.0.

      • Added severity normalization mapping

      • Added event categorization for vulnerability events

      • Added event type and kind fields

      • Updated ECS version to 8.17.0

      For more information, see Package rubrik/security-cloud Release Notes.

    • haproxy/haproxy has been updated to v1.2.0.

      • Updated ECS version to 8.17.0

      • Added new field mappings for log.syslog fields

      • Added process.name and process.pid fields

      • Added host.name field mapping

      • Added source.port field mapping

      • The old parser haproxy-syslog is now officially removed from the HAProxy package

      For more information, see Package haproxy/haproxy Release Notes.

    • infoblox/nios has been updated to v1.3.0.

      • Improves event categorization.

      • Adds support for additional audit events

      • Enhances DNS field extraction

      • The old parser syslog-utc is now officially removed from the Infoblox Nios package

      For more information, see Package infoblox/nios Release Notes.

    • okta/sso has been updated to v1.3.0.

      • Removes the array-flattening logic for the nested target array

      • Uses objectArray:eval() to retrieve User and UserGroup data from the target array

      For more information, see Package okta/sso Release Notes.

    • dell/isilon has been updated to v1.2.0.

      • Updated ECS version to 8.17.0

      • Added log.syslog fields for better syslog data representation

      • Improved array handling for event category and type fields

      • Removed deprecated isilon-syslog parser

      • The old parser isilon-syslog is now officially removed from the Dell Isilon package

      For more information, see Package dell/isilon Release Notes.

    • tausight/ephi-risk-posture has been updated to v1.2.0.

      • Initial release with comprehensive ePHI event parsing

      • Support for file inspection, deletion, and copying events

      • Device attachment monitoring capabilities

      • Clipboard activity tracking

      • Email event processing

      • Process and file I/O activity monitoring

      For more information, see Package tausight/ephi-risk-posture Release Notes.

    • cisco/firepower has been updated to v1.6.0.

      • Adds support for parsing logs with event IDs 106023, 302013, 302014, 302015, 302016 and 302020

      • Expands event.type for logs with event IDs 109201, 109207 and 109210

      For more information, see Package cisco/firepower Release Notes.

    • darktrace/detect has been updated to v1.3.0.

      • Added support for audit events with new event.dataset "detect.audit"

      • Fixed timezone handling for RFC 3164 syslog timestamps

      For more information, see Package darktrace/detect Release Notes.

    • island/island has been updated to v1.2.0.

      • Added rule.name and rule.id fields for network events

      • Added event.kind field set to "event"

      • Updated array handling for event.category and event.type fields

      • Updated ECS version to 8.17.0

      • The old parser island is now officially removed from the Island package

      For more information, see Package island/island Release Notes.

    • aws/waf has been updated to v1.1.1.

      • Fixed bug to handle events with trailing space in Vendor.httpRequest.httpVersion field

      • Migrated parser to utilize array:append()

      For more information, see Package aws/waf Release Notes.

    • cisco/firepower has been updated to v1.6.1.

      • Improved regex pattern for inbound TCP connections to handle probe connections

      • Enhanced regex pattern for teardown connections to handle optional fields

      For more information, see Package cisco/firepower Release Notes.

    • zscaler/deception has been updated to v2.1.1.

      • Fixed timestamp handling in post-normalization

      • Updated ECS version to 8.17.0

      • Updated parser version to 2.0.1

      For more information, see Package zscaler/deception Release Notes.

    • checkpoint/ngfw has been updated to v2.0.0.

      • Updated ECS version to 8.17.0

      • Improved event categorization with array-based approach

      • Enhanced field mapping for better data normalization

      • Optimized email field handling

      • Fixed field duplication issues

      For more information, see Package checkpoint/ngfw Release Notes.

    • cisco/ios has been updated to v1.4.0.

      • Improved regex pattern for broader raw log coverage

      • Added timestamp parsing support for formats including year

      • Added LOGIN_FAILED eventCode parsing

      • The old parser syslog-utc is now officially removed from the Cisco IOS package

      • Utilized array:append() function for array declarations.

      For more information, see Package cisco/ios Release Notes.

    • cisco/firepower has been updated to v1.5.0.

      • Adds support for parsing logs with rule 607002

      • The old parser firepower-syslog is now officially removed from the Cisco Firepower package

      • Improved array declaration within the parser

      For more information, see Package cisco/firepower Release Notes.