Falcon LogScale 1.186.0 GA (2025-04-29)

Version?Type?Release Date?Availability?End of SupportSecurity UpdatesUpgrades From?Downgrades To?Config. Changes?
1.186.0GA2025-04-29

Cloud

2026-06-30No1.150.01.177.0No

Hide file download links

Show file download links

Bug fixes and updates.

Breaking Changes

The following items create a breaking change in the behavior, response or operation of this release.

  • Packages

    • Previously, LogScale would allow dashboard YAML template files to not contain a $schema field, but this is no longer optional. The $schema field is what LogScale uses to determine how it should read the template file, so it is important that it is correct. Before this change, if the $schema field was missing from a dashboard template, LogScale would assume the file was a dashboard template, using the dashboard schema version 0.1.0, which was released in 2020. As this old schema version doesn't recognize any features released since then, using it as the default value can cause confusing error messages if you try to omit the $schema field. Therefore, the field is now required instead. If you now have a dashboard YAML template file that LogScale rejects due to this change, try adding the following line to the file: $schema": "https://schemas.humio.com/dashboard/v0.1.0, which should make it work as before.

Deprecation

Items that have been deprecated and may be removed in a future release.

  • The Humio-Usage package has been deprecated and scheduled for removal in version 1.189 LTS.

  • The color field on the Role type has been marked as deprecated (will be removed in version 1.195).

  • The storage task of the GraphQL NodeTaskEnum is deprecated and scheduled to be removed in version 1.189. This affects the following items:

  • LogScale is deprecating free-text searches that occur after the first aggregate function in a query. These searches likely did not and will not work as expected. Starting with version 1.190.0, this functionality will no longer be available. A free-text search after the first aggregate function refers to any text filter that is not specific to a field and appears after the query's first aggregate function. For example, this syntax is deprecated:

    logscale Syntax
    "Lorem ipsum dolor"
| tail(200)
| "sit amet, consectetur"

    Some uses of the wildcard() function, particularly those that do not specify a field argument are also free-text-searches and therefore are deprecated as well. Regex literals that are not particular to a field, for example /(abra|kadabra)/ are also free-text-searches and are thus also deprecated after the first aggregate function.

    To work around this issue, you can:

    • Move the free-text search in front of the first aggregate function.

    • Search specifically in the @rawstring field.

    If you know the field that contains the value you're searching for, it's best to search that particular field. The field may have been added by either the log shipper or the parser, and the information might not appear in the @rawstring field.

    Free-text searches before the first aggregate function continue to work as expected since they are not deprecated. Field-specific text searches work as expected as well: for example, myField=/(abra|kadabra)/ continue to work also after the first aggregate function.

  • The use of the event functions eventInternals(), eventFieldCount(), and eventSize() after the first aggregate function is deprecated. For example:

    Invalid Example for Demonstration - DO NOT USE
    logscale
    eventSize() 
| tail(200) 
| eventInternals()

    Usage of these functions after the first aggregate function is deprecated because they work on the original events, which are not available after the first aggregate function.

    Using these functions after the first aggregate function will be made unavailable in version 1.190.0 and onwards.

    These functions will continue to work before the first aggregate function, for example:

    logscale
    eventSize() 
| tail(200)

  • The setConsideredAliveUntil and setConsideredAliveFor GraphQL mutations are deprecated and will be removed in 1.195.

  • The lastScheduledSearch field from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replace lastScheduledSearch.

  • The EXTRA_KAFKA_CONFIGS_FILE configuration variable has been deprecated and planned to be removed no earlier than version 1.225.0. For more information, see RN Issue.

Behavior Changes

Scripts or environment which make use of these tools should be checked and updated for the new configuration:

  • Storage

    • The S3 SDK retry logic has been broadened:

      • LogScale will now do retries for bucket storage operations on a much broader range of exceptions (SDKException).

      • Segment uploads that fail after the SDK call will no longer be retried immediately, but will still be re-queued.

      • Uploads of global snapshots and uploaded files will still be retried implicitly, and the retry log lines now specify which type of upload is initiating it.

Upgrades

Changes that may occur or be required during an upgrade.

  • Installation and Deployment

    • The bundled JDK has been upgraded to version 24.0.1.

New features and improvements

  • Security

    • The view level permission Query model for persistent queries has been renamed to Query ownership for persistent queries.

  • User Interface

    • The Query model label has been renamed to Query ownership. This change applies to the current query model UI sections in triggers, packages and shared dashboards.

  • Automation and Triggers

    • The Trigger Properties panel has some layout changes:

      • Section General renamed to General properties

      • Section Query renamed to Configuration

      • Section Actions moved above the Advanced settings section — now only visible when the trigger type is selected

      • Throttling moved to Configuration section

      • Trigger panel title changed

  • Configuration

    • The default value for the AUTOSHARDING_MAX configuration variable is now 128K (was 1k).

  • Log Collector

    • Replacing Custom Install Legacy Fleet Management configuration snippet with supported enrollment mode localConfig.

Fixed in this release

  • User Interface

    • Links to the documentation in the LogScale UI have been fixed to point to the correct pages instead of the library homepage.

  • Automation and Triggers

    • Large query results (more than 1GB) for alerts could cause the query to crash. This issue has been fixed to now handle large alert datasets.

  • Storage

    • A very rare race condition could cause global transactions to appear to have succeeded when they actually didn't. This issue has now been fixed.

    • Resolved an issue that could cause a Resetting minimum offset due to truncation of the ingest queue warning message.

  • Functions

    • In case of invalid input containing unescaped = characters in the parseCEF() function, the entire query execution or parser execution would fail. This issue has been fixed so that parseCEF() now properly recovers from the invalid input and adds an @error field to the event.

Improvement

  • Storage

    • Improve the response time when there's a large number of datasources for:

      • GraphQL calls fetching repository.datasources field

      • api/v1/dataspaces or api/v1/repositories endpoints

  • Functions

    • The groupBy() function now displays a more descriptive error message when the maximum limit is exceeded, specifying the maximum allowed limit for your environment.

Recent Package Updates

The following LogScale packages have been updated within the last month.

  • Package Changes

    • broadcom/proxysg has been updated to v1.2.0.

      • Updated ECS version to 8.17.0

      • Added event.kind field set to "event"

      • Changed array handling for event.category[] and event.type[] to use array:append

      • The old parser syslog-utc is now officially removed from the Broadcom Symantec ProxySG package

      For more information, see Package broadcom/proxysg Release Notes.

    • microsoft/windows-dns-debug has been updated to v1.3.1.

      • Improved regex patterns for timestamp parsing

      • Added support for error messages with socket failures

      • Enhanced field extraction for DNS packet information

      • Fixed array handling for DNS header flags

      • Updated parser version to 2.2.1

      For more information, see Package microsoft/windows-dns-debug Release Notes.

    • forcepoint/dlp has been updated to v1.2.0.

      • Added severity mapping based on Forcepoint documentation

      • Improved user domain extraction

      • Enhanced array handling for event categories and types

      • Optimized field cleanup process

      • The old parser dlp-cef is now officially removed from the Forcepoint DLP package

      For more information, see Package forcepoint/dlp Release Notes.

    • aws/s3-server-access has been updated to v1.2.0.

      • Updated ECS version to 8.17.0

      • Added new fields:

        • cloud.Storage.bucket_name

        • error.code

        • host.id

        • url.original

        • user_agent.original

      • Improved array handling for event category and type fields

      • Fixed field duplication issues

      • The old parser s3access-space-delimited is now officially removed from the AWS S3 package

      For more information, see Package aws/s3-server-access Release Notes.

    • rubrik/security-cloud has been updated to v1.1.0.

      • Added severity normalization mapping

      • Added event categorization for vulnerability events

      • Added event type and kind fields

      • Updated ECS version to 8.17.0

      For more information, see Package rubrik/security-cloud Release Notes.

    • haproxy/haproxy has been updated to v1.2.0.

      • Updated ECS version to 8.17.0

      • Added new field mappings for log.syslog fields

      • Added process.name and process.pid fields

      • Added host.name field mapping

      • Added source.port field mapping

      • The old parser haproxy-syslog is now officially removed from the HAProxy package

      For more information, see Package haproxy/haproxy Release Notes.

    • claroty/ctd has been updated to v1.2.0.

      • Updated ECS version to 8.17.0

      • Improved event categorization using array:append

      • Added event severity mapping

      • Optimized field handling and cleanup

      • The old parser cef-latest is now officially removed from the Claroty CTD package

      For more information, see Package claroty/ctd Release Notes.

    • cloudflare/zerotrust has been updated to v1.2.0.

      • Improved JSON parsing with support for message prefix removal

      • Enhanced event categorization with proper event.category and event.type arrays

      • Added comprehensive email attachment parsing for Area1 security logs

      • Improved HTTP response status code handling for better event outcome determination

      • Added support for bulk log processing with improved detection logic

      For more information, see Package cloudflare/zerotrust Release Notes.

    • infoblox/nios has been updated to v1.3.0.

      • Improves event categorization.

      • Adds support for additional audit events

      • Enhances DNS field extraction

      • The old parser syslog-utc is now officially removed from the Infoblox Nios package

      For more information, see Package infoblox/nios Release Notes.

    • cisco/ios has been updated to v1.5.0.

      • Improved timestamp parsing for formats including year in different positions

      • Added support for MAC address extraction and normalization

      • Enhanced access list log parsing to handle MAC addresses in source fields

      • Added parsing for CFGLOG_LOGGEDCMD events to capture CLI commands

      For more information, see Package cisco/ios Release Notes.

    • f5networks/bigip has been updated to v2.2.0.

      • Added support for F5 Advanced Firewall Module (AFM) logs

      • Improved ASM event categorization for better threat detection

      • Updated ECS version to 8.17.0

      For more information, see Package f5networks/bigip Release Notes.

    • dell/isilon has been updated to v1.2.0.

      • Updated ECS version to 8.17.0

      • Added log.syslog fields for better syslog data representation

      • Improved array handling for event category and type fields

      • Removed deprecated isilon-syslog parser

      • The old parser isilon-syslog is now officially removed from the Dell Isilon package

      For more information, see Package dell/isilon Release Notes.

    • cisco/ios has been updated to v1.5.1.

      • Removed test cases

      For more information, see Package cisco/ios Release Notes.

    • island/island has been updated to v1.2.0.

      • Added rule.name and rule.id fields for network events

      • Added event.kind field set to "event"

      • Updated array handling for event.category and event.type fields

      • Updated ECS version to 8.17.0

      • The old parser island is now officially removed from the Island package

      For more information, see Package island/island Release Notes.

    • cisco/firepower has been updated to v1.6.3.

      • Updated field assignment syntax from rename() to direct assignment

      • Fixed regex pattern for teardown connections to handle optional fields

      • Improved lower() function usage for better performance

      For more information, see Package cisco/firepower Release Notes.

    • cisco/firepower has been updated to v1.6.2.

      • Fixed regex pattern for session disconnection duration to handle complex duration formats

      For more information, see Package cisco/firepower Release Notes.

    • microsoft/windows-dns-debug has been updated to v1.3.0.

      • Added support for additional log formats

      • Improved handling of DNS debug log header lines

      • Updated ECS version to 8.17.0

      • Enhanced field extraction for DNS packet information

      • Added support for self-referential DNS messages

      • The old parser windows-dns is now officially removed from the Microsoft Windows DNS package

      For more information, see Package microsoft/windows-dns-debug Release Notes.

    • fortinet/fortigate has been updated to v1.3.3.

      • Updated event outcome handling to set failure when action is block or blocked

      • Fixed test cases to match updated outcome logic

      For more information, see Package fortinet/fortigate Release Notes.

    • checkpoint/ngfw has been updated to v2.0.0.

      • Updated ECS version to 8.17.0

      • Improved event categorization with array-based approach

      • Enhanced field mapping for better data normalization

      • Optimized email field handling

      • Fixed field duplication issues

      For more information, see Package checkpoint/ngfw Release Notes.

    • cisco/ise has been updated to v1.3.0.

      • Sets the event.outcome based on the Vendor.FailureReason field

      • The old parser cisco-ise-syslog is now officially removed from the Cisco Identity Services Engine (ISE) package

      For more information, see Package cisco/ise Release Notes.

    • fortinet/fortigate has been updated to v1.3.2.

      • Updated field assignments to use direct assignment instead of rename function

      • Updated ECS version to 8.17.0

      For more information, see Package fortinet/fortigate Release Notes.