Falcon LogScale 1.187.0 GA (2025-05-06)
| Version? | Type? | Release Date? | Availability? | End of Support | Security Updates | Upgrades From? | Downgrades To? | Config. Changes? |
|---|---|---|---|---|---|---|---|---|
| 1.187.0 | GA | 2025-05-06 | Cloud | 2026-06-30 | No | 1.150.0 | 1.177.0 | No |
Hide file download links
Download
Use docker pull humio/humio-core:1.187.0 to download the latest version
Bug fixes and updates.
Advance Warning
The following items are due to change in a future release.
Functions
Starting from release 1.195, the query functions
asn()andipLocation()will display an error instead of a warning should an error occur with their external dependency. This change will align their behavior to functions using similar external resources, likematch(),iocLookup(), andcidr().
Removed
Items that have been removed as of this release.
Installation and Deployment
Support for the
HUMIO_DEBUG,JAVA_DEBUG_PORT,DEBUG_SUSPEND_FLAGandJAVA_DEBUG_OPTSenvironment variables in the LogScale Launcher Script has been removed. If the LogScale process needs to be started in debug mode, set the relevant flags in theHUMIO_OPTSenvironment variable instead.
Deprecation
Items that have been deprecated and may be removed in a future release.
The Humio-Usage package has been deprecated and scheduled for removal in version 1.189 LTS.
The
colorfield on the Role type has been marked as deprecated (will be removed in version 1.195).The
storagetask of the GraphQL NodeTaskEnum is deprecated and scheduled to be removed in version 1.189. This affects the following items:
The
supportedTasksfield of the ClusterNode type.The
assignedTasksfield of the ClusterNode type.The
unassignedTasksfield of the ClusterNode type.The assignTasks() mutation.
The unassignTasks() mutation
The
INITIAL_DISABLED_NODE_TASKSconfiguration variable.LogScale is deprecating free-text searches that occur after the first aggregate function in a query. These searches likely did not and will not work as expected. Starting with version 1.190.0, this functionality will no longer be available. A free-text search after the first aggregate function refers to any text filter that is not specific to a field and appears after the query's first aggregate function. For example, this syntax is deprecated:
logscale Syntax"Lorem ipsum dolor" | tail(200) | "sit amet, consectetur"Some uses of the
wildcard()function, particularly those that do not specify afieldargument are also free-text-searches and therefore are deprecated as well. Regex literals that are not particular to a field, for example/(abra|kadabra)/are also free-text-searches and are thus also deprecated after the first aggregate function.To work around this issue, you can:
Move the free-text search in front of the first aggregate function.
Search specifically in the @rawstring field.
If you know the field that contains the value you're searching for, it's best to search that particular field. The field may have been added by either the log shipper or the parser, and the information might not appear in the @rawstring field.
Free-text searches before the first aggregate function continue to work as expected since they are not deprecated. Field-specific text searches work as expected as well: for example,
myField=/(abra|kadabra)/continue to work also after the first aggregate function.The use of the event functions
eventInternals(),eventFieldCount(), andeventSize()after the first aggregate function is deprecated. For example:Invalid Example for Demonstration - DO NOT USElogscaleeventSize() | tail(200) | eventInternals()Usage of these functions after the first aggregate function is deprecated because they work on the original events, which are not available after the first aggregate function.
Using these functions after the first aggregate function will be made unavailable in version 1.190.0 and onwards.
These functions will continue to work before the first aggregate function, for example:
logscaleeventSize() | tail(200)The
setConsideredAliveUntilandsetConsideredAliveForGraphQL mutations are deprecated and will be removed in 1.195.The
lastScheduledSearchfield from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replacelastScheduledSearch.The
EXTRA_KAFKA_CONFIGS_FILEconfiguration variable has been deprecated and planned to be removed no earlier than version 1.225.0. For more information, see RN Issue.
New features and improvements
Installation and Deployment
The
HUMIO_NON_HEAP_SIZE_MBlauncher variable now accounts for off-heap memory. Example: if you have 1 CPU core resulting in a reservation of 250MB for off-heap memory, 4GB RAM and have setHUMIO_NON_HEAP_SIZE_MB=500, the launcher will now reserve 3.25GB for the heap, and 250MB for off-heap, leaving 500MB free. Previously, LogScale would reserve 3.5GB for the heap, and 250MB for the off-heap, leaving 250MB free.
User Interface
Added a failureOrigin field to all logs in the humio-activity repository for filter and aggregate alerts as well as scheduled searches, where
status=Failure. The value of the new field can be eitherSystemorUser, and indicates a best guess as to whether this failure is due to a system error or due to a user error, like for example errors in the query.
Storage
LogScale now supports Azure bucket storage with account key-based authentication.
For more information, see Azure Bucket Storage.
Ingestion
Query warnings are now supported in Parsers and Event Forwarders. Warnings will be reported in the already existing error fields (@error, @event_parsed, @error_msg, and @error_msg[]).
For more information, see Event Forwarding Rules, Errors, Validation Checks, and Warnings.
Functions
Query functions using files will now report warnings for missing files or other file errors when used in parsers.
For more information, see Errors, Validation Checks, and Warnings.
The
ioc:lookup()query function now emits warnings in parsers when there are issues with the IOC service, instead of throwing an error. Errors are still thrown during query execution in case of errors.For more information, see Parser Behavior with Missing Database.
Fixed in this release
Installation and Deployment
The
java.loggingmodule has now been included in the bundled JDK. This dependency was erroneously missing and was throwing a NoClassDefFoundErrors error.
Administration and Management
In Multi-Cluster Search environments, queries could fail to start when attempting to fetch tables. This was caused by the worker cluster incorrectly reporting that the table already existed due to local filesystem/cache of the specific node handling the request, while the table coordinator node (where tables should be fetched from) did not actually have the table. With this fix, LogScale now first checks the availability of the table on the table coordinator node rather than checking on the local node, thus ensuring queries start correctly.
User Interface
The as CSV option would fail or would yield an empty file when one of the exported fields is a tag field. This issue has now been fixed.
Fixed an issue where auto-completion for field names in the Query editor would sometimes be missing.
Queries
When multiple events have the same timestamp, they are sorted by ID, which could cause an unstable order as well as internal errors for a few queries, due to violated assumptions. This issue has now been fixed.
Fixed an issue where a query using a lookup file might fail to start since query dependencies were not propagated in time to query workers. Such a query would be stopped with a Failed to load file or table. Try again shortly message.
If a query were to hit an internal error, such as failure to distribute tables, polling such a query would result in a 404 Not Found error. This issue has been fixed so that the correct 5** error is now propagated to the client.
Functions
The
readFile()function has been fixed to now correctly emit warnings that might occur from loading the files requested.
Improvement
Storage
Heap memory estimation for digesters has been adjusted:
Reduced estimated heap memory requirement from 5MB to 1MB per datasource.
No impact on runtime behavior
Produced warning messages via the
DigesterHeapSizeEstimateLoggingif the estimated memory requirements are not met.
Functions
The
parseCEF()query function has an improved output message in case of incorrect input conditions.
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
broadcom/proxysg has been updated to v1.2.0.
Updated ECS version to 8.17.0
Added event.kind field set to "event"
Changed array handling for event.category[] and event.type[] to use array:append
The old parser syslog-utc is now officially removed from the Broadcom Symantec ProxySG package
For more information, see Package broadcom/proxysg Release Notes.
cloudflare/zerotrust has been updated to v1.2.2.
Fixed email attachment parsing by properly dropping temporary arrays
Updated ECS version to 8.17.0
Updated parser version to 2.1.2
For more information, see Package cloudflare/zerotrust Release Notes.
microsoft/windows-dns-debug has been updated to v1.3.1.
Improved regex patterns for timestamp parsing
Added support for error messages with socket failures
Enhanced field extraction for DNS packet information
Fixed array handling for DNS header flags
Updated parser version to 2.2.1
For more information, see Package microsoft/windows-dns-debug Release Notes.
okta/sso has been updated to v1.3.1.
Fixed source.user.full_name to use client.user.full_name instead of client.user.id
For more information, see Package okta/sso Release Notes.
forcepoint/dlp has been updated to v1.2.0.
Added severity mapping based on Forcepoint documentation
Improved user domain extraction
Enhanced array handling for event categories and types
Optimized field cleanup process
The old parser dlp-cef is now officially removed from the Forcepoint DLP package
For more information, see Package forcepoint/dlp Release Notes.
aws/s3-server-access has been updated to v1.2.0.
Updated ECS version to 8.17.0
Added new fields:
cloud.Storage.bucket_name
error.code
host.id
url.original
user_agent.original
Improved array handling for event category and type fields
Fixed field duplication issues
The old parser s3access-space-delimited is now officially removed from the AWS S3 package
For more information, see Package aws/s3-server-access Release Notes.
haproxy/haproxy has been updated to v1.2.0.
Updated ECS version to 8.17.0
Added new field mappings for log.syslog fields
Added process.name and process.pid fields
Added host.name field mapping
Added source.port field mapping
The old parser haproxy-syslog is now officially removed from the HAProxy package
For more information, see Package haproxy/haproxy Release Notes.
claroty/ctd has been updated to v1.2.0.
Updated ECS version to 8.17.0
Improved event categorization using array:append
Added event severity mapping
Optimized field handling and cleanup
The old parser cef-latest is now officially removed from the Claroty CTD package
For more information, see Package claroty/ctd Release Notes.
cloudflare/zerotrust has been updated to v1.2.0.
Improved JSON parsing with support for message prefix removal
Enhanced event categorization with proper event.category and event.type arrays
Added comprehensive email attachment parsing for Area1 security logs
Improved HTTP response status code handling for better event outcome determination
Added support for bulk log processing with improved detection logic
For more information, see Package cloudflare/zerotrust Release Notes.
infoblox/nios has been updated to v1.3.0.
Improves event categorization.
Adds support for additional audit events
Enhances DNS field extraction
The old parser syslog-utc is now officially removed from the Infoblox Nios package
For more information, see Package infoblox/nios Release Notes.
cisco/ios has been updated to v1.5.0.
Improved timestamp parsing for formats including year in different positions
Added support for MAC address extraction and normalization
Enhanced access list log parsing to handle MAC addresses in source fields
Added parsing for CFGLOG_LOGGEDCMD events to capture CLI commands
For more information, see Package cisco/ios Release Notes.
f5networks/bigip has been updated to v2.2.0.
Added support for F5 Advanced Firewall Module (AFM) logs
Improved ASM event categorization for better threat detection
Updated ECS version to 8.17.0
For more information, see Package f5networks/bigip Release Notes.
dell/isilon has been updated to v1.2.0.
Updated ECS version to 8.17.0
Added log.syslog fields for better syslog data representation
Improved array handling for event category and type fields
Removed deprecated isilon-syslog parser
The old parser isilon-syslog is now officially removed from the Dell Isilon package
For more information, see Package dell/isilon Release Notes.
cisco/ios has been updated to v1.5.1.
Removed test cases
For more information, see Package cisco/ios Release Notes.
cisco/meraki has been updated to v1.4.1.
Added support for BSD syslog format with MMM dd HH:mm:ss timestamp format
For more information, see Package cisco/meraki Release Notes.
cisco/ise has been updated to v1.3.1.
Fixed field mapping for service.name instead of service.type
Improved timestamp parsing for additional formats
Enhanced field formatting for fields with hyphens in names
For more information, see Package cisco/ise Release Notes.
island/island has been updated to v1.2.0.
Added rule.name and rule.id fields for network events
Added event.kind field set to "event"
Updated array handling for event.category and event.type fields
Updated ECS version to 8.17.0
The old parser island is now officially removed from the Island package
For more information, see Package island/island Release Notes.
cisco/firepower has been updated to v1.6.3.
Updated field assignment syntax from rename() to direct assignment
Fixed regex pattern for teardown connections to handle optional fields
Improved lower() function usage for better performance
For more information, see Package cisco/firepower Release Notes.
cisco/firepower has been updated to v1.6.2.
Fixed regex pattern for session disconnection duration to handle complex duration formats
For more information, see Package cisco/firepower Release Notes.
microsoft/windows-dns-debug has been updated to v1.3.0.
Added support for additional log formats
Improved handling of DNS debug log header lines
Updated ECS version to 8.17.0
Enhanced field extraction for DNS packet information
Added support for self-referential DNS messages
The old parser windows-dns is now officially removed from the Microsoft Windows DNS package
For more information, see Package microsoft/windows-dns-debug Release Notes.
fortinet/fortigate has been updated to v1.3.3.
Updated event outcome handling to set failure when action is block or blocked
Fixed test cases to match updated outcome logic
For more information, see Package fortinet/fortigate Release Notes.
checkpoint/ngfw has been updated to v2.0.0.
Updated ECS version to 8.17.0
Improved event categorization with array-based approach
Enhanced field mapping for better data normalization
Optimized email field handling
Fixed field duplication issues
For more information, see Package checkpoint/ngfw Release Notes.
cisco/ise has been updated to v1.3.0.
Sets the event.outcome based on the Vendor.FailureReason field
The old parser cisco-ise-syslog is now officially removed from the Cisco Identity Services Engine (ISE) package
For more information, see Package cisco/ise Release Notes.
fortinet/fortigate has been updated to v1.3.2.
Updated field assignments to use direct assignment instead of rename function
Updated ECS version to 8.17.0
For more information, see Package fortinet/fortigate Release Notes.
cisco/ios has been updated to v1.6.0.
Enhanced event type categorization for more accurate event classification
Added support for additional Cisco IOS event codes including SGACLHIT, FAIL, DHCP_SNOOPING_DENY, and more
Improved MAC address normalization for better consistency
Added deduplication of event categories and types
For more information, see Package cisco/ios Release Notes.
infoblox/nios has been updated to v1.3.1.
Fixed an issue with DNS answers containing quotes
For more information, see Package infoblox/nios Release Notes.