Falcon LogScale 1.184.0 GA (2025-04-15)
| Version | Type | Release Date | Availability | End of Support | Security Updates | Upgrades From | Downgrades To | Config. Changes |
|---|---|---|---|---|---|---|---|---|
| 1.184.0 | GA | 2025-04-15 | Cloud | 2026-06-30 | No | 1.150.0 | 1.177.0 | No |
Use `docker pull humio/humio-core:1.184.0` to download the latest version.
Bug fixes and updates.
Removed
Items that have been removed as of this release.
Administration and Management
Humio-Usage v0.2.0 dashboard data has been removed and replaced with a note and link to the Usage Page.
GraphQL API
The deprecated `testParser` GraphQL mutation has now been removed. Note that a number of parser CRUD APIs were deprecated alongside `testParser` back in release 1.120, and these APIs will also be removed soon. Consider this a reminder to move to the newer APIs if you have not already done so.
Deprecation
Items that have been deprecated and may be removed in a future release.
The Humio-Usage package has been deprecated and scheduled for removal in version 1.189 LTS.
The `color` field on the Role type has been marked as deprecated (will be removed in version 1.195).
The `storage` task of the GraphQL NodeTaskEnum is deprecated and scheduled to be removed in version 1.189. This affects the following items:
The `supportedTasks` field of the ClusterNode type.
The `assignedTasks` field of the ClusterNode type.
The `unassignedTasks` field of the ClusterNode type.
The assignTasks() mutation.
The unassignTasks() mutation.
The `INITIAL_DISABLED_NODE_TASKS` configuration variable.
LogScale is deprecating free-text searches that occur after the first aggregate function in a query. These searches likely did not and will not work as expected. Starting with version 1.190.0, this functionality will no longer be available. A free-text search after the first aggregate function refers to any text filter that is not specific to a field and appears after the query's first aggregate function. For example, this syntax is deprecated:
```logscale
"Lorem ipsum dolor" | tail(200) | "sit amet, consectetur"
```
Some uses of the `wildcard()` function, particularly those that do not specify a `field` argument, are also free-text searches and are therefore deprecated as well. Regex literals that are not particular to a field, for example `/(abra|kadabra)/`, are also free-text searches and are thus also deprecated after the first aggregate function. To work around this issue, you can:
Move the free-text search in front of the first aggregate function.
Search specifically in the @rawstring field.
If you know the field that contains the value you're searching for, it's best to search that particular field. The field may have been added by either the log shipper or the parser, and the information might not appear in the @rawstring field.
Free-text searches before the first aggregate function continue to work as expected since they are not deprecated. Field-specific text searches work as expected as well: for example, `myField=/(abra|kadabra)/` continues to work also after the first aggregate function.
The use of the event functions `eventInternals()`, `eventFieldCount()`, and `eventSize()` after the first aggregate function is deprecated. For example:
Invalid Example for Demonstration - DO NOT USE
```logscale
eventSize() | tail(200) | eventInternals()
```
Usage of these functions after the first aggregate function is deprecated because they work on the original events, which are not available after the first aggregate function.
Using these functions after the first aggregate function will be made unavailable in version 1.190.0 and onwards.
These functions will continue to work before the first aggregate function, for example:
```logscale
eventSize() | tail(200)
```
The `setConsideredAliveUntil` and `setConsideredAliveFor` GraphQL mutations are deprecated and will be removed in 1.195.
The `lastScheduledSearch` field from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new `lastExecuted` and `lastTriggered` fields have been added to the ScheduledSearch datatype to replace `lastScheduledSearch`.
The `EXTRA_KAFKA_CONFIGS_FILE` configuration variable has been deprecated and is planned to be removed no earlier than version 1.225.0. For more information, see RN Issue.
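The free-text deprecation above is easy to miss in a large library of saved queries and scheduled searches. As an added example (not code from LogScale or these release notes), the Python script below splits a query into pipeline stages, locates the first aggregate function, and flags the forms the notes call out after it: quoted literals, bare terms, regex literals, `wildcard()` calls without a `field` argument, and the three event functions. It can also apply the first workaround from the notes by moving flagged free-text stages ahead of the aggregate. The set of aggregate function names is an assumption seeded from `tail()` in the notes, and the names `split_pipeline`, `classify`, `lint_query` and `move_free_text_before_aggregate` are my own, not LogScale APIs.

```python
"""Lint LogScale queries for the deprecations in release 1.184: free-text
searches and the event functions eventInternals(), eventFieldCount() and
eventSize() placed after the first aggregate function.

Added example, not code from LogScale or its release notes. The aggregate
function list is an assumption seeded from tail() in the notes.
"""
import re

# Assumption: function names treated as aggregates. tail() is the one the
# release notes use; the rest are common LogScale aggregates. Extend as needed.
AGGREGATE_FUNCTIONS = {
    "tail", "head", "count", "groupBy", "sum", "avg", "min", "max",
    "top", "table", "timeChart", "bucket", "stats", "collect",
}

# Event functions the release notes deprecate after the first aggregate.
EVENT_FUNCTIONS = {"eventInternals", "eventFieldCount", "eventSize"}

_FUNC_CALL = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*\(")
_QUOTED = re.compile(r'^"(?:[^"\\]|\\.)*"$')        # "literal"
_REGEX = re.compile(r"^/(?:[^/\\]|\\.)*/[a-z]*$")   # /literal/ with optional flags
_BARE_TERM = re.compile(r"^[A-Za-z0-9_.*?-]+$")     # e.g. error or *fail*


def split_pipeline(query):
    """Split a query on '|' characters that sit outside "..." and /.../ literals."""
    stages, buf = [], []
    in_str = in_re = esc = False
    for ch in query:
        if esc:                      # character escaped with a backslash
            buf.append(ch)
            esc = False
            continue
        if ch == "\\":
            buf.append(ch)
            esc = True
            continue
        if ch == '"' and not in_re:
            in_str = not in_str
        elif ch == "/" and not in_str:
            in_re = not in_re
        if ch == "|" and not in_str and not in_re:
            stages.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    stages.append("".join(buf).strip())
    return [s for s in stages if s]


def classify(stage):
    """Return 'aggregate', 'event_function', 'free_text' or 'other' for one stage."""
    m = _FUNC_CALL.match(stage)
    if m:
        name = m.group(1)
        if name in AGGREGATE_FUNCTIONS:
            return "aggregate"
        if name in EVENT_FUNCTIONS:
            return "event_function"
        # wildcard() without a field= argument searches all text, so it is free text.
        if name == "wildcard" and not re.search(r"\bfield\s*=", stage):
            return "free_text"
        return "other"
    if _QUOTED.match(stage) or _REGEX.match(stage) or _BARE_TERM.match(stage):
        return "free_text"
    return "other"   # field=value, myField=/re/, boolean expressions, etc.


def lint_query(query):
    """Return (stage_index, stage, kind) for every deprecated stage after the first aggregate."""
    findings, seen_aggregate = [], False
    for i, stage in enumerate(split_pipeline(query)):
        kind = classify(stage)
        if kind == "aggregate":
            seen_aggregate = True
        elif seen_aggregate and kind in ("free_text", "event_function"):
            findings.append((i, stage, kind))
    return findings


def move_free_text_before_aggregate(query):
    """Apply the first workaround from the notes: move flagged free-text stages
    in front of the first aggregate. This changes which events the aggregate
    sees (filtering before tail(200) is not the same as after it), so review
    each rewrite rather than applying it blindly. Event functions are reported
    by lint_query but not moved."""
    stages = split_pipeline(query)
    flagged = {i for i, _, kind in lint_query(query) if kind == "free_text"}
    if not flagged:
        return query
    first_agg = next(i for i, s in enumerate(stages) if classify(s) == "aggregate")
    moved = [stages[i] for i in sorted(flagged)]
    kept = [s for i, s in enumerate(stages) if i not in flagged]
    # Every flagged index lies after first_agg, so kept[:first_agg] is untouched.
    return " | ".join(kept[:first_agg] + moved + kept[first_agg:])


if __name__ == "__main__":
    # Constructed sample queries, including the two from the release notes.
    for q in [
        '"Lorem ipsum dolor" | tail(200) | "sit amet, consectetur"',
        "eventSize() | tail(200) | eventInternals()",
        "tail(200) | myField=/(abra|kadabra)/",
        'tail(200) | wildcard("*failed*")',
    ]:
        print(q, "->", lint_query(q) or "ok")
        print("   rewrite:", move_free_text_before_aggregate(q))
```

Moving a filter ahead of `tail(200)` changes which 200 events are kept, so treat the rewrite as a suggestion to review; where the original stage order matters, the `@rawstring` workaround from the notes keeps the stage in place. Stages built from boolean combinations of literals are classified as `other` and are not flagged, so a manual review still pays off.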
Behavior Changes
Scripts or environments that make use of these tools should be checked and updated for the new configuration:
Storage
When uploading to Bucket Storage, always use the first `ownerHost` to do the upload. This is a preparatory change to allow later optimization.
Configuration
Multi-cluster searches will now have a warning attached when submission has failed for 10 minutes or more, but continue to attempt submissions instead of stopping for the failing connection.
As a consequence, the environment variable `FEDERATED_SUBMISSION_TIMEOUT_MILLIS` is no longer used.
Ingestion
When deleting a test case from a parser, and adding a new test case again without re-running tests, the new test will no longer have the test results of the previously removed test case.
Queries
The usage of the `noResultUntilDone` query flag has been corrected. This flag was incorrectly unset, which meant that needless computation was performed, for example in scheduled searches or subqueries defined by `defineTable()`. Additionally, partial results were also returned to the clients, which is not the intended behavior when `noResultUntilDone` is used.
New features and improvements
Security
Asset sharing is now available for dashboards, triggers, actions, saved queries, scheduled PDF reports, and files. This means that:
It is now possible to grant permissions to users and groups for these assets at the individual asset level, so that others may collaborate on tasks involving these assets even though they don't have permission to edit or delete all of that type of asset in the view.
Any user who has permissions to the asset can grant up to the same permissions as they have to another user who has read permissions in the view.
Users who have the `Change user access` permission or `Manage users` permission can add users or groups who did not previously have access to assets in the view to a particular asset and grant them permissions.
For more information about the general concept of asset permissions, see Asset permissions.
For information about granting permissions for each of the supported asset types, see:
Users can now successfully add roles to users or groups on the repository permissions page when they have the `Change user access` permission. Previously, these users would encounter an error message stating that roles could not be loaded.
User Interface
The Y-axis in the `Time Chart` widget has an added space before the suffix for all formats except `Metric` in the Format Value property.
GraphQL API
A new segment() GraphQL query is available. It provides access to information about a single segment specified by its identifier. This query is not a quick lookup and should be used only for troubleshooting or to help with data recovery. It requires the `ManageCluster` permission.
Configuration
Introduced a new environment variable `QUERY_COORDINATOR_EXECUTOR_CORES` that determines the size of the thread pool used by the query coordinator for heavy query-related operations, such as merging results from workers. This makes query coordination more resilient when running queries with large and expensive states.
Log Collector
Introducing labels. Labels are key-value pairs defined in a Log Collector's local Fleet Management configuration. Label values can be dynamically set using environment variables. When Log Collectors connect to LogScale/NG-SIEM, they transmit their labels to the instance managing the fleet. The labels enable:
Grouping collectors
Searching across collectors
Configuring collectors based on shared characteristics
For example, a fleet management group defined as `labels.service=web` includes all collectors with label name `service` and label value `web`. This grouping allows administrators to create and apply reusable configurations specifically tailored to collectors sharing the same service type, streamlining fleet management and maintenance.
For more information, see Fleet Management (`fleetManagement`).
Fixed in this release
Automation and Triggers
After a digest reassignment, aggregate alerts could use a partial query result and report a warning about ingest delay rather than wait for the new digester to catch up. This issue has now been fixed.
In rare cases, the information about the execution of filter and aggregate alerts could fail to be saved, potentially resulting in duplicate alerts. This issue has now been fixed.
Storage
An invalid bucket/region would not show the appropriate error message when trying to configure archiving. This issue has now been fixed.
Improvement
Security
Improved permission validation: the button is now disabled for users who lack sufficient permissions to complete the role creation process. This prevents users from starting a workflow that would ultimately fail, saving time and reducing frustration. Previously, users could begin creating a role only to encounter an error at the final step due to insufficient permissions.
Falcon Data Replicator
The FDR logging has been improved by adding some of the SQS metadata fields within the activity log. The metadata fields that are now included in the logs are:
Sent timestamp
Approximate receive count
Approximate first receive timestamp
Storage
Improved the memory estimate of multi-cluster searches so that it more accurately reflects real usage.
Configuration
The primary & secondary disk usage health check descriptions have been corrected to indicate that the usage is measured in percentage, not seconds.
The new environment variables `HEALTH_CHECK__PRIMARY_DISK_USAGE__WARN_THRESHOLD_PCT` and `HEALTH_CHECK__SECONDARY_DISK_USAGE__WARN_THRESHOLD_PCT` have been introduced to replace `HEALTH_CHECK__PRIMARY_DISK_USAGE__WARN_THRESHOLD_SEC` and `HEALTH_CHECK__SECONDARY_DISK_USAGE__WARN_THRESHOLD_SEC`. Their naming better indicates the nature of these environment variables. Note that the old variables ending in `_SEC` are still supported but are superseded by the variables ending in `_PCT` if they are present.
Queries
Queries that combine different text searches with different tag filters now have improved performance due to a reduced volume of data scanned. For example, this change would improve the performance of a query like:
```logscale
#event=ConnectIP4 OR (#event=ReceiveAcceptIP4 AND RemoteAddressIP4=12.34.56.78)
```
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
cisco/umbrella has been updated to v1.3.0.
Updates ECS version to 8.17.0
Improves event categorization using array append
Standardizes event action field to lowercase
Enhances field normalization for network traffic
For more information, see Package cisco/umbrella Release Notes.
aws/cloudtrail has been updated to v1.1.5.
Added fallback to userIdentity.userName for user.name field
Updated ECS version to 8.17.0
For more information, see Package aws/cloudtrail Release Notes.
broadcom/proxysg has been updated to v1.2.0.
Updated ECS version to 8.17.0
Added event.kind field set to "event"
Changed array handling for event.category[] and event.type[] to use array:append
The old parser syslog-utc is now officially removed from the Broadcom Symantec ProxySG package
For more information, see Package broadcom/proxysg Release Notes.
zscaler/deception has been updated to v2.1.0.
The old parser deception is now officially removed from the ZScaler Deception package
Expanded field normalization to support more ZScaler Deception datasets
All field normalizations have removed the use of rename() in an effort to make vendor fields available
For more information, see Package zscaler/deception Release Notes.
cisco/meraki has been updated to v1.4.0.
Added support for ip_flow_start and ip_flow_end events
Added new field mappings for network flow events
Updated ECS version to 8.17.0
For more information, see Package cisco/meraki Release Notes.
forcepoint/dlp has been updated to v1.2.0.
Added severity mapping based on Forcepoint documentation
Improved user domain extraction
Enhanced array handling for event categories and types
Optimized field cleanup process
The old parser dlp-cef is now officially removed from the Forcepoint DLP package
For more information, see Package forcepoint/dlp Release Notes.
aws/s3-server-access has been updated to v1.2.0.
Updated ECS version to 8.17.0
Added new fields:
cloud.Storage.bucket_name
error.code
host.id
url.original
user_agent.original
Improved array handling for event category and type fields
Fixed field duplication issues
The old parser s3access-space-delimited is now officially removed from the AWS S3 package
For more information, see Package aws/s3-server-access Release Notes.
rubrik/security-cloud has been updated to v1.1.0.
Added severity normalization mapping
Added event categorization for vulnerability events
Added event type and kind fields
Updated ECS version to 8.17.0
For more information, see Package rubrik/security-cloud Release Notes.
haproxy/haproxy has been updated to v1.2.0.
Updated ECS version to 8.17.0
Added new field mappings for log.syslog fields
Added process.name and process.pid fields
Added host.name field mapping
Added source.port field mapping
The old parser haproxy-syslog is now officially removed from the HAProxy package
For more information, see Package haproxy/haproxy Release Notes.
claroty/ctd has been updated to v1.2.0.
Updated ECS version to 8.17.0
Improved event categorization using array:append
Added event severity mapping
Optimized field handling and cleanup
The old parser cef-latest is now officially removed from the Claroty CTD package
For more information, see Package claroty/ctd Release Notes.
cloudflare/zerotrust has been updated to v1.2.0.
Improved JSON parsing with support for message prefix removal
Enhanced event categorization with proper event.category and event.type arrays
Added comprehensive email attachment parsing for Area1 security logs
Improved HTTP response status code handling for better event outcome determination
Added support for bulk log processing with improved detection logic
For more information, see Package cloudflare/zerotrust Release Notes.
infoblox/nios has been updated to v1.3.0.
Improves event categorization.
Adds support for additional audit events
Enhances DNS field extraction
The old parser syslog-utc is now officially removed from the Infoblox Nios package
For more information, see Package infoblox/nios Release Notes.
dell/isilon has been updated to v1.2.0.
Updated ECS version to 8.17.0
Added log.syslog fields for better syslog data representation
Improved array handling for event category and type fields
Removed deprecated isilon-syslog parser
The old parser isilon-syslog is now officially removed from the Dell Isilon package
For more information, see Package dell/isilon Release Notes.
tausight/ephi-risk-posture has been updated to v1.2.0.
Initial release with comprehensive ePHI event parsing
Support for file inspection, deletion, and copying events
Device attachment monitoring capabilities
Clipboard activity tracking
Email event processing
Process and file I/O activity monitoring
For more information, see Package tausight/ephi-risk-posture Release Notes.
cisco/firepower has been updated to v1.6.0.
Adds additional support to parser logs with event ID 106023, 302013, 302014, 302015, 302016, 302020
Expands event.type for logs with event ID 109201, 109207, 109210
For more information, see Package cisco/firepower Release Notes.
darktrace/detect has been updated to v1.3.0.
Added support for audit events with new event.dataset "detect.audit"
Fixed timezone handling for RFC 3164 syslog timestamps
For more information, see Package darktrace/detect Release Notes.
island/island has been updated to v1.2.0.
Added rule.name and rule.id fields for network events
Added event.kind field set to "event"
Updated array handling for event.category and event.type fields
Updated ECS version to 8.17.0
The old parser island is now officially removed from the Island package
For more information, see Package island/island Release Notes.
aws/waf has been updated to v1.1.1.
Fixed bug to handle events with trailing space in Vendor.httpRequest.httpVersion field
Migrated parser to utilize array:append()
For more information, see Package aws/waf Release Notes.
cisco/firepower has been updated to v1.6.1.
Improved regex pattern for inbound TCP connections to handle probe connections
Enhanced regex pattern for teardown connections to handle optional fields
For more information, see Package cisco/firepower Release Notes.
zscaler/deception has been updated to v2.1.1.
Fixed timestamp handling in post-normalization
Updated ECS version to 8.17.0
Updated parser version to 2.0.1
For more information, see Package zscaler/deception Release Notes.
cisco/firepower has been updated to v1.6.2.
Fixed regex pattern for session disconnection duration to handle complex duration formats
For more information, see Package cisco/firepower Release Notes.
microsoft/windows-dns-debug has been updated to v1.3.0.
Added support for additional log formats
Improved handling of DNS debug log header lines
Updated ECS version to 8.17.0
Enhanced field extraction for DNS packet information
Added support for self-referential DNS messages
The old parser windows-dns is now officially removed from the Microsoft Windows DNS package
For more information, see Package microsoft/windows-dns-debug Release Notes.
checkpoint/ngfw has been updated to v2.0.0.
Updated ECS version to 8.17.0
Improved event categorization with array-based approach
Enhanced field mapping for better data normalization
Optimized email field handling
Fixed field duplication issues
For more information, see Package checkpoint/ngfw Release Notes.
cisco/ise has been updated to v1.3.0.
Sets the event.outcome based on the Vendor.FailureReason field
The old parser cisco-ise-syslog is now officially removed from the Cisco Identity Services Engine (ISE) package
For more information, see Package cisco/ise Release Notes.
fortinet/fortigate has been updated to v1.3.2.
Updated field assignments to use direct assignment instead of rename function
Updated ECS version to 8.17.0
For more information, see Package fortinet/fortigate Release Notes.
cisco/ios has been updated to v1.4.0.
Improved regex pattern for broader raw log coverage
Added timestamp parsing support for formats including year
Added LOGIN_FAILED eventCode parsing
The old parser syslog-utc is now officially removed from the Cisco IOS package
Utilized array:append() function for array declarations.
For more information, see Package cisco/ios Release Notes.
cisco/firepower has been updated to v1.5.0.
Adds additional support to parser logs with rule 607002
The old parser firepower-syslog is now officially removed from the Cisco Firepower package
Improved array declaration within the parser
For more information, see Package cisco/firepower Release Notes.