Falcon LogScale 1.184.0 GA (2025-04-15)

Version: 1.184.0
Type: GA
Release Date: 2025-04-15
Availability: Cloud
End of Support: Next LTS
Security Updates: No
Upgrades From: 1.150.0
Downgrades To: 1.177.0
Config. Changes: No

Available for download two days after release.


Bug fixes and updates.

Removed

Items that have been removed as of this release.

Administration and Management

  • Humio-Usage v0.2.0 dashboard data has been removed and replaced with a note and link to the Usage Page.

GraphQL API

  • The deprecated testParser GraphQL mutation has now been removed.

    Note that a number of parser CRUD APIs were deprecated alongside testParser back in release 1.120, and these APIs will also be removed soon. Consider this as a reminder to move to the newer APIs if you have not already done so.

Deprecation

Items that have been deprecated and may be removed in a future release.

  • The Humio-Usage package has been deprecated and scheduled for removal in version 1.189 LTS.

  • The color field on the Role type has been marked as deprecated (will be removed in version 1.195).

  • The storage task of the GraphQL NodeTaskEnum is deprecated and scheduled to be removed in version 1.185. This affects the following items:

  • LogScale is deprecating free-text searches that occur after the first aggregate function in a query. These searches likely did not and will not work as expected. Starting with version 1.189.0, this functionality will no longer be available. A free-text search after the first aggregate function refers to any text filter that is not specific to a field and appears after the query's first aggregate function. For example, this syntax is deprecated:

    logscale
    "Lorem ipsum dolor"
    | tail(200)
    | "sit amet, consectetur"

    Some uses of the wildcard() function, particularly those that do not specify a field argument, are also free-text searches and are therefore deprecated as well. Regex literals that are not tied to a field, for example /(abra|kadabra)/, are also free-text searches and are thus also deprecated after the first aggregate function.

    To work around this issue, you can:

    • Move the free-text search in front of the first aggregate function.

    • Search specifically in the @rawstring field.

    If you know the field that contains the value you're searching for, it's best to search that particular field. The field may have been added by either the log shipper or the parser, and the information might not appear in the @rawstring field.

    Free-text searches before the first aggregate function are not deprecated and continue to work as expected. Field-specific text searches also work as expected: for example, myField=/(abra|kadabra)/ continues to work after the first aggregate function.

  • The use of the event functions eventInternals(), eventFieldCount(), and eventSize() after the first aggregate function is deprecated. For example:

    Invalid Example for Demonstration - DO NOT USE
    logscale
    eventSize() | tail(200) | eventInternals()

    Usage of these functions after the first aggregate function is deprecated because they work on the original events, which are not available after the first aggregate function.

    Using these functions after the first aggregate function will be made unavailable in version 1.189.0 and onwards.

    These functions will continue to work before the first aggregate function, for example:

    logscale
    eventSize() | tail(200)

  • The setConsideredAliveUntil and setConsideredAliveFor GraphQL mutations are deprecated and will be removed in 1.195.

  • The lastScheduledSearch field from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replace lastScheduledSearch.

  • The EXTRA_KAFKA_CONFIGS_FILE configuration variable has been deprecated and planned to be removed no earlier than version 1.225.0. For more information, see RN Issue.

Behavior Changes

Scripts or environments that make use of these tools should be checked and updated for the new configuration:

  • Storage

    • When uploading to Bucket Storage, always use the first ownerHost to do the upload. This is a preparatory change to allow later optimization.

  • Configuration

    • Multi-cluster searches now have a warning attached when submission has failed for 10 minutes or more, but they continue to attempt submissions rather than stopping for the failing connection.

      As a consequence, the environment variable FEDERATED_SUBMISSION_TIMEOUT_MILLIS is no longer used.

  • Ingestion

    • When deleting a test case from a parser, and adding a new test case again without re-running tests, the new test will no longer have the test results of the previously removed test case.

  • Queries

    • The handling of the noResultUntilDone query flag has been corrected. This flag was incorrectly unset, which meant that needless computation was performed, for example in scheduled searches or in subqueries defined by defineTable(). Additionally, partial results were returned to clients, which is not the intended behavior when noResultUntilDone is used.

New features and improvements

  • Security

    • Asset sharing is now available for dashboards, triggers, actions, saved queries, scheduled PDF reports, and files. This means that:

      • It is now possible to grant permissions to users and groups for these assets at the individual asset level, so that others can collaborate on tasks involving these assets even though they do not have permission to edit or delete all assets of that type in the view.

      • Any user who has permissions to the asset can grant up to the same permissions as they have to another user who has read permissions in the view.

      • Users who have the Change user access permission or Manage users permission can add users or groups who did not previously have access to assets in the view to a particular asset and grant them permissions.

      For more information about the general concept of asset permissions, see Asset permissions.

      For information about granting permissions for each of the supported asset types, see:

    • Users can now successfully add roles to users or groups on the repository permissions page when they have the Change user access permission. Previously, these users would encounter an error message stating roles could not be loaded.

  • User Interface

    • The Y-axis in the Time Chart widget has an added space before the suffix for all formats except Metric in the Format Value property.

  • GraphQL API

    • A new segment() GraphQL query is available. It provides access to information about a single segment specified by its identifier. This query is not a quick lookup and should be used only for troubleshooting or to help with data recovery. It requires the ManageCluster permission.

  • Configuration

    • Introduced a new environment variable QUERY_COORDINATOR_EXECUTOR_CORES that determines the size of the thread pool used by the query coordinator for heavy query-related operations, such as merging results from workers. This makes query coordination more resilient when running queries with large and expensive states.

  • Log Collector

    • Labels are key-value pairs defined in a Log Collector's local Fleet Management configuration. Label values can be dynamically set using environment variables. When Log Collectors connect to LogScale/NG-SIEM, they transmit their labels to the instance managing the fleet. The labels enable:

      • Grouping collectors

      • Searching across collectors

      • Configuring collectors based on shared characteristics

      For example, a fleet management group defined as labels.service=web includes all collectors with label name: service and label value: web.

      This grouping allows administrators to create and apply reusable configurations specifically tailored to collectors sharing the same service type, streamlining fleet management and maintenance.

Fixed in this release

  • Automation and Alerts

    • In rare cases, the information about the execution of filter and aggregate alerts could fail to be saved, potentially resulting in duplicate alerts. This issue has now been fixed.

    • After a digest reassignment, aggregate alerts could use a partial query result and report a warning about ingest delay rather than wait for the new digester to catch up. This issue has now been fixed.

  • Storage

    • An invalid bucket/region would not show the appropriate error message when trying to configure archiving. This issue has now been fixed.

Improvement

  • Security

    • Improved permission validation: the Create Role button is now disabled for users who lack sufficient permissions to complete the role creation process. This prevents users from starting a workflow that would ultimately fail, saving time and reducing frustration. Previously, users could begin creating a role only to encounter an error at the final step due to insufficient permissions.

  • Falcon Data Replicator

    • FDR logging has been improved by adding some SQS metadata fields to the activity log. The metadata fields now included in the logs are:

      • Sent timestamp

      • Approximate receive count

      • Approximate first receive timestamp

  • Storage

  • Configuration

  • Queries

    • Queries that combine different text searches with different tag filters now perform better because less data is scanned. For example, this change improves the performance of a query like:

      logscale
      #event=ConnectIP4 OR (#event=ReceiveAcceptIP4 AND RemoteAddressIP4=12.34.56.78