Falcon LogScale 1.189.3 LTS (2025-08-06)
| Version? | Type? | Release Date? | Availability? | End of Support | Security Updates | Upgrades From? | Downgrades To? | Config. Changes? |
|---|---|---|---|---|---|---|---|---|
| 1.189.3 | LTS | 2025-08-06 | Cloud On-Prem | 2026-06-30 | No | 1.150.0 | 1.177.0 | No |
Hide file download links
Download
Use docker pull humio/humio-core:1.189.3 to download the latest version
Hide file hashes
These notes include entries from the following previous releases: 1.189.1, 1.189.2, 1.189.1, 1.189.2
Bug fixes and updates.
Breaking Changes
The following items create a breaking change in the behavior, response or operation of this release.
Packages
Previously, LogScale would allow dashboard YAML template files to not contain a $schema field, but this is no longer optional. The $schema field is what LogScale uses to determine how it should read the template file, so it is important that it is correct. Before this change, if the $schema field was missing from a dashboard template, LogScale would assume the file was a dashboard template, using the dashboard schema version 0.1.0, which was released in 2020. As this old schema version doesn't recognize any features released since then, using it as the default value can cause confusing error messages if you try to omit the $schema field. Therefore, the field is now required instead. If you now have a dashboard YAML template file that LogScale rejects due to this change, try adding the following line to the file:
$schema": "https://schemas.humio.com/dashboard/v0.1.0, which should make it work as before.
Advance Warning
The following items are due to change in a future release.
Functions
Starting from release 1.195, the query functions
asn()andipLocation()will display an error instead of a warning should an error occur with their external dependency. This change will align their behavior to functions using similar external resources, likematch(),iocLookup(), andcidr().
Removed
Items that have been removed as of this release.
Installation and Deployment
Support for the
HUMIO_DEBUG,JAVA_DEBUG_PORT,DEBUG_SUSPEND_FLAGandJAVA_DEBUG_OPTSenvironment variables in the LogScale Launcher Script has been removed. If the LogScale process needs to be started in debug mode, set the relevant flags in theHUMIO_OPTSenvironment variable instead.Administration and Management
Humio-Usage v0.2.0 dashboard data has been removed and replaced with a note and link to the Usage Page.
Removed assigned metrics:
segments-assigned-to-host-as-owner
segment-bytes-assigned-to-host-as-owner
These metrics provided incomplete data, tracking only post-merge segment assignments while excluding rebalancing-related segment movements.
GraphQL API
The following deprecated GraphQL mutations have been removed:
createParser
updateParser
removeParserThe following deprecated GraphQL fields have now been removed on the Parser output datatype:
assetType
sourceCode
tagFields
testData
The deprecated
testParserGraphQL mutation has now been removed.Note that a number of parser CRUD APIs were deprecated alongside
testParserback in release 1.120, and these APIs will also be removed soon. Consider this as a reminder to move to the newer APIs if you have not already done so.The deprecated
storagetask of the GraphQL NodeTaskEnum has been removed (deprecated since v1.173.0). For more information, see RN Issue.This removal affects hosts configured with node role
all:
Dynamic configuration to disable segment storage and search is no longer supported
Use existing node eviction mechanism instead for this functionality
getFilterAlertConfig GraphQL field has been removed on HumioMetadata datatype.
Deprecation
Items that have been deprecated and may be removed in a future release.
The Humio-Usage package has been deprecated and scheduled for removal in version 1.189 LTS.
The
colorfield on the Role type has been marked as deprecated (will be removed in version 1.195).The
setConsideredAliveUntilandsetConsideredAliveForGraphQL mutations are deprecated and will be removed in 1.195.The
lastScheduledSearchfield from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replacelastScheduledSearch.The
EXTRA_KAFKA_CONFIGS_FILEconfiguration variable has been deprecated and planned to be removed no earlier than version 1.225.0. For more information, see RN Issue.
Behavior Changes
Scripts or environment which make use of these tools should be checked and updated for the new configuration:
Storage
When uploading to Bucket Storage, always use the first
ownerHostto do the upload. This is a preparatory change to allow later optimization.The S3 SDK retry logic has been broadened:
LogScale will now do retries for bucket storage operations on a much broader range of exceptions (
SDKException).Segment uploads that fail after the SDK call will no longer be retried immediately, but will still be re-queued.
Uploads of global snapshots and uploaded files will still be retried implicitly, and the retry log lines now specify which type of upload is initiating it.
Configuration
Multi-cluster searches will now have a warning attached when submission has failed for 10 minutes or more, but continue to attempt submissions instead of stopping for the failing connection.
As a consequence, the environment variable
FEDERATED_SUBMISSION_TIMEOUT_MILLISis no longer used.Ingestion
When deleting a test case from a parser, and adding a new test case again without re-running tests, the new test will no longer have the test results of the previously removed test case.
Queries
The usage of
noResultUntilDonequery flag has been corrected. This flag was incorrectly unset which meant that needless computation was performed, for example in scheduled searches or subqueries defined bydefineTable(). Additionally, partial results were also returned to the clients, which is not the intended behavior whennoResultUntilDoneis used.
Upgrades
Changes that may occur or be required during an upgrade.
Installation and Deployment
The bundled JDK has been upgraded to version 24.0.1.
New features and improvements
Security
Asset sharing is now available for dashboards, triggers, actions, saved queries, scheduled PDF reports, and files. This means that:
It is now possible to grant permissions to users and groups for these assets at the individual asset level, so that others may collaborate on tasks involving these assets even though they don't have permission to edit or delete all of that type of asset in the view.
Any user who has permissions to the asset can grant up to the same permissions as they have to another user who has read permissions in the view.
Users who have the
Change user accesspermission orManage userspermission can add users or groups who did not previously have access to assets in the view to a particular asset and grant them permissions.
For more information about the general concept of asset permissions, see Asset permissions.
For information about granting permissions for each of the supported asset types, see:
Users can now successfully add roles to users or groups on the repository permissions page when they have the
Change user accesspermission. Previously, these users would encounter an error message stating roles could not be loaded.The view level permission
Query model for persistent querieshas been renamed toQuery ownership for persistent queries.
Installation and Deployment
LogScale is now available in an image based on Alpine Linux ARM. The image is tagged as
humio/humio-core:1.189.1--arm64.The
HUMIO_NON_HEAP_SIZE_MBlauncher variable now accounts for off-heap memory. Example: if you have 1 CPU core resulting in a reservation of 250MB for off-heap memory, 4GB RAM and have setHUMIO_NON_HEAP_SIZE_MB=500, the launcher will now reserve 3.25GB for the heap, and 250MB for off-heap, leaving 500MB free. Previously, LogScale would reserve 3.5GB for the heap, and 250MB for the off-heap, leaving 250MB free.
Administration and Management
A new internal metric data-ingester-parser-errors is now available in the humio-metrics repository to provide error tracking at parser level. Similar to existing data-ingester-errors, it tracks errors per parser per repository (versus only per repository).
User Interface
Added a failureOrigin field to all logs in the humio-activity repository for filter and aggregate alerts as well as scheduled searches, where
status=Failure. The value of the new field can be eitherSystemorUser, and indicates a best guess as to whether this failure is due to a system error or due to a user error, like for example errors in the query.Improved automatic indentation insertion in the Query Editor in bracket contexts. For example:
logscale SyntaxgroupBy( x, function=[ ] )will now auto-indent on newline insertions to:
logscale SyntaxgroupBy( x, function=[ ] )The Query model label has been renamed to Query ownership. This change applies to the current query model UI sections in triggers, packages and shared dashboards.
The Y-axis in the
Time Chartwidget has an added space before the suffix for all formats exceptMetricin the Format Value property.
Automation and Triggers
The Trigger Properties panel has some layout changes:
Section General renamed to General properties
Section Query renamed to Configuration
Section Actions moved above the Advanced settings section — now only visible when the trigger type is selected
Throttling moved to Configuration section
Trigger panel title changed
GraphQL API
A new segment() GraphQL query is available. It provides access to information about a single segment specified by its identifier. This query is not a quick lookup and should be used only for troubleshooting or to help with data recovery. It requires the
ManageClusterpermission.
Storage
LogScale now supports Azure bucket storage with account key-based authentication.
For more information, see Azure Bucket Storage.
Configuration
The default value for the
AUTOSHARDING_MAXconfiguration variable is now 128K (was 1k).Enabling
idempotencefor the Kafka producer:Set
enable.idempotence=truefor the global producer. This can't be overridden and is required to avoid the risk of message reordering in Kafka.Set
enable.idempotence=truefor the ingest queue producer. This can be overridden using theKAFKA_INGEST_QUEUE_PRODUCER_configuration variable, by adding the_ENABLE_IDEMPOTENCEsuffix as the Kafka producer configuration option.
While enabling the above configuration is not required for LogScale to work, it is however advisable in order to prevent reordering of messages and to reduce the frequency of duplicates in the ingest queue.
Introduced a new environment variable
QUERY_COORDINATOR_EXECUTOR_CORESthat determines the size of the thread pool used by the query coordinator for heavy query related operations, such as merging results from workers. This makes query coordination more resilient when running queries with large and expensive states.
Ingestion
Query warnings are now supported in Parsers and Event Forwarders. Warnings will be reported in the already existing error fields (@error, @event_parsed, @error_msg, and @error_msg[]).
For more information, see Event Forwarding Rules, Errors, Validation Checks, and Warnings.
Added ingest feeds for consuming data from Azure Event Hubs:
Available for Self-Hosted installations only at this time.
Follows the same configuration pattern as AWS ingest feeds
For more information, see Ingest Data from Azure Event Hubs.
Log Collector
Introducing labels. Labels are key-value pairs defined in a Log Collector's local Fleet Management configuration. Label values can be dynamically set using environment variables. When Log Collectors connect to LogScale/NG-SIEM, they transmit their labels to the instance managing the fleet. The labels enable:
Grouping collectors
Searching across collectors
Configuring collectors based on shared characteristics
For example, a fleet management group defined as
labels.service=webincludes all collectors with label name:serviceand label value:web.This grouping allows administrators to create and apply reusable configurations specifically tailored to collectors sharing the same service type, streamlining fleet management and maintenance.
For more information, see Fleet Management (
fleetManagement).Replacing Custom Install Legacy Fleet Management configuration snippet with supported enrollment mode
localConfig.
Queries
Added LogScale Multi-Cluster Search query handover support:
Enables automatic reconnection and continued polling of downstream remote clusters
Current limitation: local connection handovers are not supported, meaning that:
Progress on local connections will be lost after handover
Queries to local connections will be resubmitted, resulting in a potential temporary loss of progress.
Functions
Query functions using files will now report warnings for missing files or other file errors when used in parsers.
For more information, see Errors, Validation Checks, and Warnings.
The
SortNewDatastructurefeature flag is now enabled by default in Self-Hosted environments.The
ioc:lookup()query function now emits warnings in parsers when there are issues with the IOC service, instead of throwing an error. Errors are still thrown during query execution in case of errors.For more information, see Parser Behavior with Missing Database.
Fixed in this release
Installation and Deployment
The
java.loggingmodule has now been included in the bundled JDK. This dependency was erroneously missing and was throwing a NoClassDefFoundErrors error.
Administration and Management
A 401 Unauthorized authentication error was issued across all views and repositories for all users during file export, despite the token being valid. This issue has been fixed so that the authentication process has now been corrected and the file export functionality now works as expected with valid tokens.
In Multi-Cluster Search environments, queries could fail to start when attempting to fetch tables. This was caused by the worker cluster incorrectly reporting that the table already existed due to local filesystem/cache of the specific node handling the request, while the table coordinator node (where tables should be fetched from) did not actually have the table. With this fix, LogScale now first checks the availability of the table on the table coordinator node rather than checking on the local node, thus ensuring queries start correctly.
Falcon Data Replicator
A configuration issue prevented proper FDR publishing to Global Database. This issue affected job scheduling and might cause incorrect node allocation for FDR ingestion (for example, ingestion scheduled on more or fewer nodes than specified).
Fixed an issue where the check for which nodes should run an FDR feed didn't take node capabilities into account, potentially causing less nodes to actually run the feed.
User Interface
The as CSV option would fail or would yield an empty file when one of the exported fields is a tag field. This issue has now been fixed.
Fixed an issue where auto-completion for field names in the Query editor would sometimes be missing.
Links to the documentation in the LogScale UI have been fixed to point to the correct pages instead of the library homepage.
Fixed an issue where clicking Scroll to load more in the top banner of the Event list would not update the view if the event list itself was paused.
Automation and Triggers
After a digest reassignment, aggregate alerts could use a partial query result and report a warning about ingest delay rather than wait for the new digester to catch up. This issue has now been fixed.
In rare cases, the information about the execution of filter and aggregate alerts could fail to be saved, potentially resulting in duplicate alerts. This issue has now been fixed.
Large query results (more than 1GB) for alerts could cause the query to crash. This issue has been fixed to now handle large alert datasets.
Storage
An invalid bucket/region would not show the appropriate error message when trying to configure archiving. This issue has now been fixed.
LogScale no longer attempts to download MaxMind files when there is insufficient disk space.
Startup failed if a host contained a deprecated storage task in the global database. This issue has now been fixed.
Fixed a feature flag roll out issue on clusters where individual users or organizations were previously opted into the feature.
Important
Required Action:
If you previously disabled rolled-out features via API, you must reapply these opt-outs
This is necessary due to changes in how opt-outs are represented in Global Database.
A very rare race condition could cause global transactions to appear to have succeeded when they actually didn't. This issue has now been fixed.
Resolved an issue that could cause a Resetting minimum offset due to truncation of the ingest queue warning message.
An issue has been fixed that could cause unnecessary delays in uploading files to Bucket Storage.
API
Query Heartbeats in the Query Result Pagination API have been fixed as they would not keep the query alive.
Configuration
Changes to the
LookupTableSyncAwaitSecondsdynamic configuration were not reflected until the next server restart. This issue has been fixed so that changes in this configuration's value are now reflected immediately.
Dashboards and Widgets
The
Time Charttooltip legend could show unsorted values on query result update. This issue has now been fixed so that the list of top scores is now sorted.
Queries
When multiple events have the same timestamp, they are sorted by ID, which could cause an unstable order as well as internal errors for a few queries, due to violated assumptions. This issue has now been fixed.
Fixed an issue where a query using a lookup file might fail to start since query dependencies were not propagated in time to query workers. Such a query would be stopped with a Failed to load file or table. Try again shortly message.
Fixed an issue where query routing inside the cluster relied on original authentication from the client rather than internal authentication. This could lead to a situation where a user could submit a query, but was unable to then poll it.
ClusterHostAliveStatsin field class could drop logs in case of liveness changes occurring within one second. This issue has been fixed to now include changes that occur less than one second apart.Transferring tables between cluster nodes (either defined using
defineTable()or from Lookup Files) could lead to thread starvation and node crashes. This issue has now been fixed.If a query were to hit an internal error, such as failure to distribute tables, polling such a query would result in a 404 Not Found error. This issue has been fixed so that the correct 5** error is now propagated to the client.
Fixed race condition in LogScale Multi-Cluster Search. Previously, queries initiated simultaneously with a new connection addition to the multi-cluster view could exclude the new connection for the query. This synchronization issue has been resolved.
Fixed a race condition that could occur when states were merged in Query Coordination during the query handover process. This could result in corrupted query state or failed query handover.
Fixed an issue where a query might be marked as "cancelled" but not "done" when exceptions occurred during result calculation failures, such as RPC request failures.
Functions
The
readFile()function has been fixed to now correctly emit warnings that might occur from loading the files requested.In case of invalid input containing unescaped
=characters in theparseCEF()function, the entire query execution or parser execution would fail. This issue has been fixed so thatparseCEF()now properly recovers from the invalid input and adds an @error field to the event.
Other
Fixed an issue that could cause globally enabled features to appear to be disabled for individual organizations.
Improvement
Security
Improved permission validation: the button is now disabled for users who lack sufficient permissions to complete the role creation process. This prevents users from starting a workflow that would ultimately fail, saving time and reducing frustration. Previously, users could begin creating a role only to encounter an error at the final step due to insufficient permissions.
Falcon Data Replicator
The FDR logging has been improved by adding some of the SQS metadata fields within the activity log. The metadata fields that are now included in the logs are:
Sent timestamp
Approximate receive count
Approximate first receive timestamp
User Interface
It is now possible to resize the Fields panel flyout when selecting a field for inspection.
Storage
Improve the response time when there's a large number of datasources for:
GraphQL calls fetching repository.datasources field
api/v1/dataspacesorapi/v1/repositoriesendpoints
Made few minor adjustments to the global framework to avoid the possibility of bugs. These changes are not expected to impact the current behavior.
Improve the memory estimate of multi-cluster searches to make them more accurately reflect the real usage.
Heap memory estimation for digesters has been adjusted:
Reduced estimated heap memory requirement from 5MB to 1MB per datasource.
No impact on runtime behavior
Produced warning messages via the
DigesterHeapSizeEstimateLoggingif the estimated memory requirements are not met.
Configuration
The primary & secondary disk usage health check descriptions have been corrected to indicate that the usage is measured in percentage, not seconds.
The new environment variables
HEALTH_CHECK__PRIMARY_DISK_USAGE__WARN_THRESHOLD_PCTandHEALTH_CHECK__SECONDARY_DISK_USAGE__WARN_THRESHOLD_PCThave been introduced to replaceHEALTH_CHECK__PRIMARY_DISK_USAGE__WARN_THRESHOLD_SECandHEALTH_CHECK__SECONDARY_DISK_USAGE__WARN_THRESHOLD_SEC. Their naming better indicates the nature of these environment variables. Note that the old variables ending in_SECare still supported but are superseded by the variables ending in_PCTif they are present.
Queries
Implemented a change about how queries track segment merging, which should eliminate edge cases where queries miss data due to merges.
Queries that combine different text searches with different tag filters now have an improved performance due to reduced volume of data scanned. For example, this change would improve the performance of a query like:
logscale#event=ConnectIP4 OR (#event=ReceiveAcceptIP4 AND RemoteAddressIP4=12.34.56.78
Functions
The
groupBy()function now displays a more descriptive error message when the maximumlimitis exceeded, specifying the maximum allowed limit for your environment.The
parseCEF()query function has an improved output message in case of incorrect input conditions.
Packages
Improving error messages when installing a YAML template file (individually or through a package), where
$schemain the file is misconfigured.
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
cisco/meraki has been updated to v1.5.2.
Enhanced authentication event parsing with improved regex pattern for authentication messages
Added support for AnyConnect VPN connection success and failure events with detailed field extraction
Added authentication event categorization with proper event types
For more information, see Package cisco/meraki Release Notes.
checkpoint/ngfw has been updated to v2.1.2.
Regex fix to stop backtracking errors for logs that use "=" as the key-value separator
Added event.kind field with default value "event"
Removed redundant case statement for event.kind assignment
Updated parser version to 3.1.2
For more information, see Package checkpoint/ngfw Release Notes.
cisco/ios has been updated to v1.6.1.
Added support for VTY access logs with new pattern matching
For more information, see Package cisco/ios Release Notes.
okta/sso has been updated to v1.4.1.
Fixed user agent field mapping from user_agent.device.name to user_agent.os.name
Updated CPS version to 1.1.0
For more information, see Package okta/sso Release Notes.
f5networks/bigip has been updated to v2.4.0.
Added support for F5 ASM Bot Defense logs
Fixed array handling for host.ip and observer.ip fields
Improved event severity mapping based on Vendor.severity field
Fixed source.ip extraction in APM invalid host header detection
Enhanced event type categorization for APM non-existent session events
Added lowercase normalization for network.transport field
For more information, see Package f5networks/bigip Release Notes.
nozomi/ids has been updated to v1.3.1.
Updated ECS version to 9.0.0
Improved field extraction for Mitre attack tactics and techniques
Fixed parser version to 3.0.1
For more information, see Package nozomi/ids Release Notes.
checkpoint/ngfw has been updated to v2.2.0.
Added support for additional log types including VPN-1 & FireWall-1, Application Control URL Filtering, and Log Update events
Enhanced event categorization for various product types
Fixed network direction handling to improve log classification
Added test cases for new log formats
Updated parser version to 3.2.0
For more information, see Package checkpoint/ngfw Release Notes.
juniper/srx has been updated to v1.4.0.
Added support for authentication events with UI_LOGIN_EVENT, DYNAMIC_VPN_AUTH_OK, REMOTE_ACCESS_VPN_AUTH_OK, DYNAMIC_VPN_AUTH_FAIL, and REMOTE_ACCESS_VPN_AUTH_FAIL message IDs
Enhanced source IP extraction with support for src-ip-str field
Added user.name field mapping from source.user.name when available
Fixed indentation in SSH authentication message parsing
For more information, see Package juniper/srx Release Notes.
darktrace/detect has been updated to v1.5.0.
Added support for email events
Updated parser to 2.3.0
For more information, see Package darktrace/detect Release Notes.
cisco/ios has been updated to v1.7.1.
Added support for additional timezone formats including BST, CEST, GMT, IST, JST, SAST, WAT, and WIB
For more information, see Package cisco/ios Release Notes.
cloudflare/zerotrust has been updated to v1.4.0.
Added severity mapping based on risk score
Added event.kind = alert for zone-scoped-http-requests when severity is present
Added event.action mapping from Vendor.SecurityAction
Added array deduplication for event.category[] and event.type[]
Updated email field normalization to convert all email addresses to lowercase
Enhanced DNS event action mapping to use coalesce function for better field resolution
Updated parser version to 2.3.0 and CPS version to 1.1.0
For more information, see Package cloudflare/zerotrust Release Notes.
asimily/iomt has been updated to v1.1.1.
Updated ECS version to 8.17.0
Removed rename() function calls for direct field assignments
Removed deprecated parser asimily-iomt-json
For more information, see Package asimily/iomt Release Notes.
zscaler/internet-access has been updated to v1.4.1.
Fixed conditional parsing of file.mtime field to handle cases when Vendor.lastmodtime is not present
Updated parser version to 2.4.1
For more information, see Package zscaler/internet-access Release Notes.
microsoft/dhcp-client has been updated to v1.1.1.
Updated ECS version to 9.0.0
Changed field mapping approach from rename() to direct assignment for event.id, process.pid, and user.id
For more information, see Package microsoft/dhcp-client Release Notes.
akamai/asec has been updated to v1.1.1.
Updated ECS version from 8.11.0 to 8.17.0
Replaced rename() function with direct assignments for field mappings
Removed deprecated parser asec-json.yaml
For more information, see Package akamai/asec Release Notes.
forcepoint/dlp has been updated to v1.2.1.
Updated field assignments to use direct assignment instead of rename function
Fixed parser version reference
For more information, see Package forcepoint/dlp Release Notes.
cisco/duo has been updated to v2.1.1.
Updated field mapping to use direct assignment instead of rename function
Updated ECS version to 8.17.0
Updated parser version to 2.1.1
Updated parser to use array:append for array declaration
For more information, see Package cisco/duo Release Notes.
aws/waf has been updated to v1.1.2.
Updated field mapping to use direct assignment instead of rename() function
Removed deprecated waf-json.yaml parser
For more information, see Package aws/waf Release Notes.
aws/s3-server-access has been updated to v1.2.1.
Updated parser to use direct field assignments instead of rename() function
Fixed field mapping consistency
For more information, see Package aws/s3-server-access Release Notes.
nozomi/ids has been updated to v1.3.0.
Updated timestamp parsing to support MMM dd yyyy HH:mm:ss format
Added support for new message types including threat intelligence updates, link status changes, and network scans
Enhanced MAC address normalization with uppercase conversion and consistent delimiter formatting
Improved field extraction for domain and username parsing
Fixed lowercase normalization for various address fields
The old parser nozomi-syslog is now officially removed from the Nozomi IDS package
For more information, see Package nozomi/ids Release Notes.
cloudflare/zerotrust has been updated to v1.2.3.
Fixed handling of PROXY_CONN_REFUSED connection close reason
Improved bulk log processing by removing trailing newline characters
Updated parser version to 2.1.3
For more information, see Package cloudflare/zerotrust Release Notes.
fortinet/fortigate has been updated to v1.3.5.
Updated CPS version to 1.1.0
Updated parser version to 2.1.4
Removed drop statements for fields (Vendor.time, Vendor.eventtime, Vendor.date, Vendor.tz, Vendor.ts, Vendor.srcmac, Vendor.source_mac, Vendor.dir, Vendor.direction, Vendor.service)
For more information, see Package fortinet/fortigate Release Notes.
fortinet/fortigate has been updated to v1.3.4.
Updated ECS version to 9.0.0
Added message and rule.name fields for alert events
Fixed field mappings for UTM alert events
For more information, see Package fortinet/fortigate Release Notes.
cisco/meraki has been updated to v1.5.1.
Fixed regex patterns to handle multiline syslog messages
Fixed event severity handling for unknown values
For more information, see Package cisco/meraki Release Notes.
juniper/srx has been updated to v1.3.0.
Updated parser to use ECS 8.17.0
Improved field extraction with format() function
Enhanced array handling with array:append() for event categories and types
Added support for mgd login events with user roles and service type
Fixed field handling for null values
The old parser srx-syslog is now officially removed from the Juniper SRX package
For more information, see Package juniper/srx Release Notes.
darktrace/detect has been updated to v1.3.1.
Fixed timestamp parsing for Antigena events to use start time instead of end time
For more information, see Package darktrace/detect Release Notes.
aws/vpcflow has been updated to v1.2.1.
Updated field mapping to use direct assignment instead of rename function
Updated ECS version to 8.17.0
Updated parser version to 1.2.1
Updated parser to use array:append for array declaration
For more information, see Package aws/vpcflow Release Notes.
aws/cloudtrail has been updated to v2.0.2.
Added support for IdentityCenterUser identity type
Improved handling of identity center user identities
For more information, see Package aws/cloudtrail Release Notes.
zscaler/private-access has been updated to v1.3.2.
Added support for private cloud controller status logs
Improved log type detection for logs without sourcetype field
Enhanced log format detection for various ZPA log types
For more information, see Package zscaler/private-access Release Notes.
darktrace/detect has been updated to v1.4.0.
Enhanced audit event parsing with improved categorization and field mapping
Added validation for source IP addresses using CIDR check
Updated ECS version to 9.0.0
Added support for syslog appname-based event classification
Updated parser to 2.2.0
For more information, see Package darktrace/detect Release Notes.
fortinet/fortimail has been updated to v2.0.0.
Improved parsing of key-value pairs with empty values
Enhanced event categorization for all log types
Added support for email address extraction from complex formats
Fixed handling of comma-separated recipient lists
Added URL parsing capabilities
Improved outcome determination logic
For more information, see Package fortinet/fortimail Release Notes.
fortinet/fortimail has been updated to v1.1.1.
Updated field mapping to use direct assignment instead of rename function
Updated ECS version to 8.17.0
Updated parser version to 1.1.1
Updated parser to use array:append for array declaration
Updated client.ip to non-array field
The old parser fortimail is now officially removed from the Fortinet Fortimail package
For more information, see Package fortinet/fortimail Release Notes.
dell/isilon has been updated to v1.2.1.
Updated field mapping syntax from rename() to direct assignment for better performance
Fixed minor code formatting issues
For more information, see Package dell/isilon Release Notes.
veeam/veeamdataplatform has been updated to v1.0.1.
Updated field assignments to use direct assignment instead of rename() function
Improved field mapping consistency
For more information, see Package veeam/veeamdataplatform Release Notes.
aws/guardduty has been updated to v1.1.2.
Updated field mapping to use direct assignment instead of rename function
Removed deprecated guardduty-json.yaml parser
Updated parser version to 1.2.1
For more information, see Package aws/guardduty Release Notes.
cisco/ise has been updated to v1.3.3.
Enhanced parsing for CISE_Alarm messages with improved message extraction
Added event categorization and type for CISE_MONITORING_DATA_PURGE_AUDIT, CISE_System_Statistics
For more information, see Package cisco/ise Release Notes.
netgate/pfsense has been updated to v1.1.1.
Updated ECS version from 8.11.0 to 9.0.0
Removed rename() function from field mappings for direct assignments
Removed pfsense-syslog.yaml parser file
For more information, see Package netgate/pfsense Release Notes.
f5networks/bigip has been updated to v2.3.1.
Fixed VLAN ID parsing in connection error and SSL handshake failure events
For more information, see Package f5networks/bigip Release Notes.
aws/guardduty has been updated to v1.1.3.
Added event.reason field mapping from Vendor.title
Updated parser version to 1.2.2
For more information, see Package aws/guardduty Release Notes.
cloudflare/zerotrust has been updated to v1.3.0.
Enhanced JSON parsing with excludeEmpty and handleNull options
Updated event type categorization for email security logs
Added new test cases for improved coverage
Updated parser version to 2.2.0
For more information, see Package cloudflare/zerotrust Release Notes.
aws/cloudtrail has been updated to v1.1.6.
Updated parser version to 2.0.6
Updated CPS version to 1.0.0
Fixed TLS field handling by removing rename function and adding drop operations
For more information, see Package aws/cloudtrail Release Notes.
aruba/clearpass has been updated to v1.2.4.
Added support for additional syslog header formats
Enhanced event categorization for various event types
Added extensive field extraction from Description field
Added support for authentication, session, and configuration events
Improved field normalization for client IP and MAC addresses
For more information, see Package aruba/clearpass Release Notes.
microsoft/sysmon has been updated to v1.1.2.
Updated ECS version to 9.0.0
Simplified field assignments by removing unnecessary rename() functions
Improved code readability and maintainability
For more information, see Package microsoft/sysmon Release Notes.
asimily/iomt has been updated to v1.1.2.
Updated parser version to 1.1.2
Updated parser to use array:append for array declaration
For more information, see Package asimily/iomt Release Notes.
claroty/ctd has been updated to v1.2.1.
Fixed field mapping to use direct assignment instead of rename function
Improved case statement formatting for better readability
Updated parser version to 1.1.2
For more information, see Package claroty/ctd Release Notes.
microsoft/dhcp-server has been updated to v1.3.1.
Updated ECS version to 9.0.0
Updated parser version to 2.1.1
Changed field mapping from rename() to direct assignment for better performance
For more information, see Package microsoft/dhcp-server Release Notes.
broadcom/proxysg has been updated to v1.2.1.
Updated field mapping to use direct assignment instead of rename function
Fixed parser version to 1.1.2
For more information, see Package broadcom/proxysg Release Notes.
aws/cloudtrail has been updated to v2.0.1.
Updated parser to handle EventBridge events by removing "detail" prefix
Fixed JSON parsing to properly handle nested fields
For more information, see Package aws/cloudtrail Release Notes.
aws/fsx has been updated to v1.1.1.
Updated field mapping to use direct assignment instead of rename function
Updated ECS version to 8.17.0
Updated parser version to 1.1.1
Updated parser to use array:append for array declaration
For more information, see Package aws/fsx Release Notes.
cisco/firepower has been updated to v1.6.4.
Fixed regex pattern for hop failure messages to handle interface names with spaces
For more information, see Package cisco/firepower Release Notes.
imperva/cloud-waf has been updated to v1.4.0.
Added regex pattern matching to filter CEF events and drop non-CEF log entries
Updated ECS version to 8.17.0
Removed rename() function calls for direct field assignment
Deleted cwaf-cef.yaml parser file
For more information, see Package imperva/cloud-waf Release Notes.
f5networks/bigip has been updated to v2.3.0.
Added support for F5 BIG-IP logs in Splunk format (HTTP traffic, load balancer failures, DNS requests/responses)
Fixed IP address field mapping to correctly populate source.ip, destination.ip, and server.ip fields
Improved timestamp parsing to support additional formats
Enhanced key-value parsing with better handling of empty fields
For more information, see Package f5networks/bigip Release Notes.
imperva/cloud-waf has been updated to v1.5.0.
Updated ECS version to 9.0.0
Updated parser version to 3.2.0
Enhanced severity handling with support for both numeric risk scores and text-based risk levels
Improved source IP handling with source.address field and proper CIDR validation
Updated array handling for event.category and event.type fields
For more information, see Package imperva/cloud-waf Release Notes.
aruba/clearpass has been updated to v1.2.3.
Updated field mapping to use format() function instead of rename() for better compatibility
Downgraded CPS version from 2.0.0 to 1.0.0
Removed deprecated clearpass-syslog.yaml parser file
For more information, see Package aruba/clearpass Release Notes.
zscaler/deception has been updated to v2.2.0.
Added support for authentication events with improved categorization
Enhanced severity normalization with numeric values
Improved field extraction for user information
Added event.dataset field to distinguish between threat and audit events
For more information, see Package zscaler/deception Release Notes.
cisco/ios has been updated to v1.7.0.
Added support for additional log formats including ACCOUNTING events and IGMP logs
Enhanced access list log parsing to support both denied and permitted traffic
Added support for timezone-specific timestamp parsing
Updated to ECS version 9.0.0
Updated parser version to 2.6.0
For more information, see Package cisco/ios Release Notes.
island/island has been updated to v1.2.1.
Updated field assignments to use direct assignment instead of rename() function
Fixed parser version to match package version
For more information, see Package island/island Release Notes.
google/chrome-enterprise-security-events has been updated to v1.2.0.
Updated ECS version from 8.11.0 to 8.17.0
Removed deprecated parser Google_Chrome_Enterprise.yaml
Simplified field assignments by removing unnecessary rename() functions
Updated parser version to 2.0.1
For more information, see Package google/chrome-enterprise-security-events Release Notes.
haproxy/haproxy has been updated to v1.2.1.
Updated field assignment syntax from rename() to direct assignment
Updated parser version to 1.1.2
For more information, see Package haproxy/haproxy Release Notes.
aws/guardduty has been updated to v1.2.0.
Improved source and destination port handling for network connections
Added support for port probe events with proper destination address mapping
Enhanced event categorization with network and connection type detection
Added event type classification (allowed/denied) based on blocked field
Added authentication category for RDS login attempts
Added API category for API call events
Updated ECS version to 9.0.0
For more information, see Package aws/guardduty Release Notes.
zscaler/internet-access has been updated to v1.4.0.
Updated parser to use direct field assignments instead of rename() function
Fixed base64 decoding for URL fields
For more information, see Package zscaler/internet-access Release Notes.
cisco/ise has been updated to v1.3.2.
Enhanced parsing for CISE_MONITORING_DATA_PURGE_AUDIT events to support additional message formats
Added support for "purging data older than" message format
Added support for "completed successfully" message format with event outcome set to success
Added support for CISE_Alarm messages with improved parsing
Enhanced field extraction for alarm messages
Added event categorization for SGT assignment and RADIUS authentication drop alarms
For more information, see Package cisco/ise Release Notes.
rubrik/security-cloud has been updated to v1.1.1.
Added support for additional timestamp format (yyyy-MM-dd HH:mm:ss[.SSS] Z z)
Updated ECS version to 9.0.0
For more information, see Package rubrik/security-cloud Release Notes.
checkpoint/ngfw has been updated to v2.1.0.
Added support for CEF formatted logs with and without headers
Enhanced timestamp handling for various formats
Added field mappings for additional Check Point fields
Improved event categorization and field normalization
Added support for additional network direction indicators
For more information, see Package checkpoint/ngfw Release Notes.