Falcon LogScale 1.189.3 LTS (2025-08-06)
| Version? | Type? | Release Date? | Availability? | End of Support | Security Updates | Upgrades From? | Downgrades To? | Config. Changes? |
|---|---|---|---|---|---|---|---|---|
| 1.189.3 | LTS | 2025-08-06 | Cloud On-Prem | 2026-06-30 | No | 1.150.0 | 1.177.0 | No |
Hide file download links
Download
Use docker pull humio/humio-core:1.189.3 to download the latest version
Hide file hashes
These notes include entries from the following previous releases: 1.189.1, 1.189.2, 1.189.1, 1.189.2
Bug fixes and updates.
Breaking Changes
The following items create a breaking change in the behavior, response or operation of this release.
Packages
Previously, LogScale would allow dashboard YAML template files to not contain a $schema field, but this is no longer optional. The $schema field is what LogScale uses to determine how it should read the template file, so it is important that it is correct. Before this change, if the $schema field was missing from a dashboard template, LogScale would assume the file was a dashboard template, using the dashboard schema version 0.1.0, which was released in 2020. As this old schema version doesn't recognize any features released since then, using it as the default value can cause confusing error messages if you try to omit the $schema field. Therefore, the field is now required instead. If you now have a dashboard YAML template file that LogScale rejects due to this change, try adding the following line to the file:
$schema": "https://schemas.humio.com/dashboard/v0.1.0, which should make it work as before.
Advance Warning
The following items are due to change in a future release.
Functions
Starting from release 1.195, the query functions
asn()andipLocation()will display an error instead of a warning should an error occur with their external dependency. This change will align their behavior to functions using similar external resources, likematch(),iocLookup(), andcidr().
Removed
Items that have been removed as of this release.
Installation and Deployment
Support for the
HUMIO_DEBUG,JAVA_DEBUG_PORT,DEBUG_SUSPEND_FLAGandJAVA_DEBUG_OPTSenvironment variables in the LogScale Launcher Script has been removed. If the LogScale process needs to be started in debug mode, set the relevant flags in theHUMIO_OPTSenvironment variable instead.Administration and Management
Humio-Usage v0.2.0 dashboard data has been removed and replaced with a note and link to the Usage Page.
Removed assigned metrics:
segments-assigned-to-host-as-owner
segment-bytes-assigned-to-host-as-owner
These metrics provided incomplete data, tracking only post-merge segment assignments while excluding rebalancing-related segment movements.
GraphQL API
The following deprecated GraphQL mutations have been removed:
createParser
updateParser
removeParserThe following deprecated GraphQL fields have now been removed on the Parser output datatype:
assetType
sourceCode
tagFields
testData
The deprecated
testParserGraphQL mutation has now been removed.Note that a number of parser CRUD APIs were deprecated alongside
testParserback in release 1.120, and these APIs will also be removed soon. Consider this as a reminder to move to the newer APIs if you have not already done so.The deprecated
storagetask of the GraphQL NodeTaskEnum has been removed (deprecated since v1.173.0). For more information, see RN Issue.This removal affects hosts configured with node role
all:
Dynamic configuration to disable segment storage and search is no longer supported
Use existing node eviction mechanism instead for this functionality
getFilterAlertConfig GraphQL field has been removed on HumioMetadata datatype.
Deprecation
Items that have been deprecated and may be removed in a future release.
The Humio-Usage package has been deprecated and scheduled for removal in version 1.189 LTS.
The
colorfield on the Role type has been marked as deprecated (will be removed in version 1.195).The
storagetask of the GraphQL NodeTaskEnum is deprecated and scheduled to be removed in version 1.189. This affects the following items:
The
supportedTasksfield of the ClusterNode type.The
assignedTasksfield of the ClusterNode type.The
unassignedTasksfield of the ClusterNode type.The assignTasks() mutation.
The unassignTasks() mutation
The
INITIAL_DISABLED_NODE_TASKSconfiguration variable.LogScale is deprecating free-text searches that occur after the first aggregate function in a query. These searches likely did not and will not work as expected. Starting with version 1.190.0, this functionality will no longer be available. A free-text search after the first aggregate function refers to any text filter that is not specific to a field and appears after the query's first aggregate function. For example, this syntax is deprecated:
logscale Syntax"Lorem ipsum dolor" | tail(200) | "sit amet, consectetur"Some uses of the
wildcard()function, particularly those that do not specify afieldargument are also free-text-searches and therefore are deprecated as well. Regex literals that are not particular to a field, for example/(abra|kadabra)/are also free-text-searches and are thus also deprecated after the first aggregate function.To work around this issue, you can:
Move the free-text search in front of the first aggregate function.
Search specifically in the @rawstring field.
If you know the field that contains the value you're searching for, it's best to search that particular field. The field may have been added by either the log shipper or the parser, and the information might not appear in the @rawstring field.
Free-text searches before the first aggregate function continue to work as expected since they are not deprecated. Field-specific text searches work as expected as well: for example,
myField=/(abra|kadabra)/continue to work also after the first aggregate function.The use of the event functions
eventInternals(),eventFieldCount(), andeventSize()after the first aggregate function is deprecated. For example:Invalid Example for Demonstration - DO NOT USElogscaleeventSize() | tail(200) | eventInternals()Usage of these functions after the first aggregate function is deprecated because they work on the original events, which are not available after the first aggregate function.
Using these functions after the first aggregate function will be made unavailable in version 1.190.0 and onwards.
These functions will continue to work before the first aggregate function, for example:
logscaleeventSize() | tail(200)The
setConsideredAliveUntilandsetConsideredAliveForGraphQL mutations are deprecated and will be removed in 1.195.The
lastScheduledSearchfield from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replacelastScheduledSearch.The
EXTRA_KAFKA_CONFIGS_FILEconfiguration variable has been deprecated and planned to be removed no earlier than version 1.225.0. For more information, see RN Issue.
Behavior Changes
Scripts or environment which make use of these tools should be checked and updated for the new configuration:
Storage
When uploading to Bucket Storage, always use the first
ownerHostto do the upload. This is a preparatory change to allow later optimization.The S3 SDK retry logic has been broadened:
LogScale will now do retries for bucket storage operations on a much broader range of exceptions (
SDKException).Segment uploads that fail after the SDK call will no longer be retried immediately, but will still be re-queued.
Uploads of global snapshots and uploaded files will still be retried implicitly, and the retry log lines now specify which type of upload is initiating it.
Configuration
Multi-cluster searches will now have a warning attached when submission has failed for 10 minutes or more, but continue to attempt submissions instead of stopping for the failing connection.
As a consequence, the environment variable
FEDERATED_SUBMISSION_TIMEOUT_MILLISis no longer used.Ingestion
When deleting a test case from a parser, and adding a new test case again without re-running tests, the new test will no longer have the test results of the previously removed test case.
Queries
The usage of
noResultUntilDonequery flag has been corrected. This flag was incorrectly unset which meant that needless computation was performed, for example in scheduled searches or subqueries defined bydefineTable(). Additionally, partial results were also returned to the clients, which is not the intended behavior whennoResultUntilDoneis used.
Upgrades
Changes that may occur or be required during an upgrade.
Installation and Deployment
The bundled JDK has been upgraded to version 24.0.1.
New features and improvements
Security
Asset sharing is now available for dashboards, triggers, actions, saved queries, scheduled PDF reports, and files. This means that:
It is now possible to grant permissions to users and groups for these assets at the individual asset level, so that others may collaborate on tasks involving these assets even though they don't have permission to edit or delete all of that type of asset in the view.
Any user who has permissions to the asset can grant up to the same permissions as they have to another user who has read permissions in the view.
Users who have the
Change user accesspermission orManage userspermission can add users or groups who did not previously have access to assets in the view to a particular asset and grant them permissions.
For more information about the general concept of asset permissions, see Asset permissions.
For information about granting permissions for each of the supported asset types, see:
Users can now successfully add roles to users or groups on the repository permissions page when they have the
Change user accesspermission. Previously, these users would encounter an error message stating roles could not be loaded.The view level permission
Query model for persistent querieshas been renamed toQuery ownership for persistent queries.
Installation and Deployment
LogScale is now available in an image based on Alpine Linux ARM. The image is tagged as
humio/humio-core:1.189.1--arm64.The
HUMIO_NON_HEAP_SIZE_MBlauncher variable now accounts for off-heap memory. Example: if you have 1 CPU core resulting in a reservation of 250MB for off-heap memory, 4GB RAM and have setHUMIO_NON_HEAP_SIZE_MB=500, the launcher will now reserve 3.25GB for the heap, and 250MB for off-heap, leaving 500MB free. Previously, LogScale would reserve 3.5GB for the heap, and 250MB for the off-heap, leaving 250MB free.
Administration and Management
A new internal metric data-ingester-parser-errors is now available in the humio-metrics repository to provide error tracking at parser level. Similar to existing data-ingester-errors, it tracks errors per parser per repository (versus only per repository).
User Interface
Added a failureOrigin field to all logs in the humio-activity repository for filter and aggregate alerts as well as scheduled searches, where
status=Failure. The value of the new field can be eitherSystemorUser, and indicates a best guess as to whether this failure is due to a system error or due to a user error, like for example errors in the query.Improved automatic indentation insertion in the Query Editor in bracket contexts. For example:
logscale SyntaxgroupBy( x, function=[ ] )will now auto-indent on newline insertions to:
logscale SyntaxgroupBy( x, function=[ ] )The Query model label has been renamed to Query ownership. This change applies to the current query model UI sections in triggers, packages and shared dashboards.
The Y-axis in the
Time Chartwidget has an added space before the suffix for all formats exceptMetricin the Format Value property.
Automation and Triggers
The Trigger Properties panel has some layout changes:
Section General renamed to General properties
Section Query renamed to Configuration
Section Actions moved above the Advanced settings section — now only visible when the trigger type is selected
Throttling moved to Configuration section
Trigger panel title changed
GraphQL API
A new segment() GraphQL query is available. It provides access to information about a single segment specified by its identifier. This query is not a quick lookup and should be used only for troubleshooting or to help with data recovery. It requires the
ManageClusterpermission.
Storage
LogScale now supports Azure bucket storage with account key-based authentication.
For more information, see Azure Bucket Storage.
Configuration
The default value for the
AUTOSHARDING_MAXconfiguration variable is now 128K (was 1k).Enabling
idempotencefor the Kafka producer:Set
enable.idempotence=truefor the global producer. This can't be overridden and is required to avoid the risk of message reordering in Kafka.Set
enable.idempotence=truefor the ingest queue producer. This can be overridden using theKAFKA_INGEST_QUEUE_PRODUCER_configuration variable, by adding the_ENABLE_IDEMPOTENCEsuffix as the Kafka producer configuration option.
While enabling the above configuration is not required for LogScale to work, it is however advisable in order to prevent reordering of messages and to reduce the frequency of duplicates in the ingest queue.
Introduced a new environment variable
QUERY_COORDINATOR_EXECUTOR_CORESthat determines the size of the thread pool used by the query coordinator for heavy query related operations, such as merging results from workers. This makes query coordination more resilient when running queries with large and expensive states.
Ingestion
Query warnings are now supported in Parsers and Event Forwarders. Warnings will be reported in the already existing error fields (@error, @event_parsed, @error_msg, and @error_msg[]).
For more information, see Event Forwarding Rules, Errors, Validation Checks, and Warnings.
Added ingest feeds for consuming data from Azure Event Hubs:
Available for Self-Hosted installations only at this time.
Follows the same configuration pattern as AWS ingest feeds
For more information, see Ingest Data from Azure Event Hubs.
Log Collector
Introducing labels. Labels are key-value pairs defined in a Log Collector's local Fleet Management configuration. Label values can be dynamically set using environment variables. When Log Collectors connect to LogScale/NG-SIEM, they transmit their labels to the instance managing the fleet. The labels enable:
Grouping collectors
Searching across collectors
Configuring collectors based on shared characteristics
For example, a fleet management group defined as
labels.service=webincludes all collectors with label name:serviceand label value:web.This grouping allows administrators to create and apply reusable configurations specifically tailored to collectors sharing the same service type, streamlining fleet management and maintenance.
For more information, see Fleet Management (
fleetManagement).Replacing Custom Install Legacy Fleet Management configuration snippet with supported enrollment mode
localConfig.
Queries
Added LogScale Multi-Cluster Search query handover support:
Enables automatic reconnection and continued polling of downstream remote clusters
Current limitation: local connection handovers are not supported, meaning that:
Progress on local connections will be lost after handover
Queries to local connections will be resubmitted, resulting in a potential temporary loss of progress.
Functions
Query functions using files will now report warnings for missing files or other file errors when used in parsers.
For more information, see Errors, Validation Checks, and Warnings.
The
SortNewDatastructurefeature flag is now enabled by default in Self-Hosted environments.The
ioc:lookup()query function now emits warnings in parsers when there are issues with the IOC service, instead of throwing an error. Errors are still thrown during query execution in case of errors.For more information, see Parser Behavior with Missing Database.
Fixed in this release
Installation and Deployment
The
java.loggingmodule has now been included in the bundled JDK. This dependency was erroneously missing and was throwing a NoClassDefFoundErrors error.
Administration and Management
A 401 Unauthorized authentication error was issued across all views and repositories for all users during file export, despite the token being valid. This issue has been fixed so that the authentication process has now been corrected and the file export functionality now works as expected with valid tokens.
In Multi-Cluster Search environments, queries could fail to start when attempting to fetch tables. This was caused by the worker cluster incorrectly reporting that the table already existed due to local filesystem/cache of the specific node handling the request, while the table coordinator node (where tables should be fetched from) did not actually have the table. With this fix, LogScale now first checks the availability of the table on the table coordinator node rather than checking on the local node, thus ensuring queries start correctly.
Falcon Data Replicator
A configuration issue prevented proper FDR publishing to Global Database. This issue affected job scheduling and might cause incorrect node allocation for FDR ingestion (for example, ingestion scheduled on more or fewer nodes than specified).
Fixed an issue where the check for which nodes should run an FDR feed didn't take node capabilities into account, potentially causing less nodes to actually run the feed.
User Interface
The as CSV option would fail or would yield an empty file when one of the exported fields is a tag field. This issue has now been fixed.
Fixed an issue where auto-completion for field names in the Query editor would sometimes be missing.
Links to the documentation in the LogScale UI have been fixed to point to the correct pages instead of the library homepage.
Fixed an issue where clicking Scroll to load more in the top banner of the Event list would not update the view if the event list itself was paused.
Automation and Triggers
After a digest reassignment, aggregate alerts could use a partial query result and report a warning about ingest delay rather than wait for the new digester to catch up. This issue has now been fixed.
In rare cases, the information about the execution of filter and aggregate alerts could fail to be saved, potentially resulting in duplicate alerts. This issue has now been fixed.
Large query results (more than 1GB) for alerts could cause the query to crash. This issue has been fixed to now handle large alert datasets.
Storage
An invalid bucket/region would not show the appropriate error message when trying to configure archiving. This issue has now been fixed.
LogScale no longer attempts to download MaxMind files when there is insufficient disk space.
Startup failed if a host contained a deprecated storage task in the global database. This issue has now been fixed.
Fixed a feature flag roll out issue on clusters where individual users or organizations were previously opted into the feature.
Important
Required Action:
If you previously disabled rolled-out features via API, you must reapply these opt-outs
This is necessary due to changes in how opt-outs are represented in Global Database.
A very rare race condition could cause global transactions to appear to have succeeded when they actually didn't. This issue has now been fixed.
Resolved an issue that could cause a Resetting minimum offset due to truncation of the ingest queue warning message.
An issue has been fixed that could cause unnecessary delays in uploading files to Bucket Storage.
API
Query Heartbeats in the Query Result Pagination API have been fixed as they would not keep the query alive.
Configuration
Changes to the
LookupTableSyncAwaitSecondsdynamic configuration were not reflected until the next server restart. This issue has been fixed so that changes in this configuration's value are now reflected immediately.
Dashboards and Widgets
The
Time Charttooltip legend could show unsorted values on query result update. This issue has now been fixed so that the list of top scores is now sorted.
Queries
When multiple events have the same timestamp, they are sorted by ID, which could cause an unstable order as well as internal errors for a few queries, due to violated assumptions. This issue has now been fixed.
Fixed an issue where a query using a lookup file might fail to start since query dependencies were not propagated in time to query workers. Such a query would be stopped with a Failed to load file or table. Try again shortly message.
Fixed an issue where query routing inside the cluster relied on original authentication from the client rather than internal authentication. This could lead to a situation where a user could submit a query, but was unable to then poll it.
ClusterHostAliveStatsin field class could drop logs in case of liveness changes occurring within one second. This issue has been fixed to now include changes that occur less than one second apart.Transferring tables between cluster nodes (either defined using
defineTable()or from Lookup Files) could lead to thread starvation and node crashes. This issue has now been fixed.If a query were to hit an internal error, such as failure to distribute tables, polling such a query would result in a 404 Not Found error. This issue has been fixed so that the correct 5** error is now propagated to the client.
Fixed race condition in LogScale Multi-Cluster Search. Previously, queries initiated simultaneously with a new connection addition to the multi-cluster view could exclude the new connection for the query. This synchronization issue has been resolved.
Fixed a race condition that could occur when states were merged in Query Coordination during the query handover process. This could result in corrupted query state or failed query handover.
Fixed an issue where a query might be marked as "cancelled" but not "done" when exceptions occurred during result calculation failures, such as RPC request failures.
Functions
The
readFile()function has been fixed to now correctly emit warnings that might occur from loading the files requested.In case of invalid input containing unescaped
=characters in theparseCEF()function, the entire query execution or parser execution would fail. This issue has been fixed so thatparseCEF()now properly recovers from the invalid input and adds an @error field to the event.
Other
Fixed an issue that could cause globally enabled features to appear to be disabled for individual organizations.
Improvement
Security
Improved permission validation: the button is now disabled for users who lack sufficient permissions to complete the role creation process. This prevents users from starting a workflow that would ultimately fail, saving time and reducing frustration. Previously, users could begin creating a role only to encounter an error at the final step due to insufficient permissions.
Falcon Data Replicator
The FDR logging has been improved by adding some of the SQS metadata fields within the activity log. The metadata fields that are now included in the logs are:
Sent timestamp
Approximate receive count
Approximate first receive timestamp
User Interface
It is now possible to resize the Fields panel flyout when selecting a field for inspection.
Storage
Improve the response time when there's a large number of datasources for:
GraphQL calls fetching repository.datasources field
api/v1/dataspacesorapi/v1/repositoriesendpoints
Made few minor adjustments to the global framework to avoid the possibility of bugs. These changes are not expected to impact the current behavior.
Improve the memory estimate of multi-cluster searches to make them more accurately reflect the real usage.
Heap memory estimation for digesters has been adjusted:
Reduced estimated heap memory requirement from 5MB to 1MB per datasource.
No impact on runtime behavior
Produced warning messages via the
DigesterHeapSizeEstimateLoggingif the estimated memory requirements are not met.
Configuration
The primary & secondary disk usage health check descriptions have been corrected to indicate that the usage is measured in percentage, not seconds.
The new environment variables
HEALTH_CHECK__PRIMARY_DISK_USAGE__WARN_THRESHOLD_PCTandHEALTH_CHECK__SECONDARY_DISK_USAGE__WARN_THRESHOLD_PCThave been introduced to replaceHEALTH_CHECK__PRIMARY_DISK_USAGE__WARN_THRESHOLD_SECandHEALTH_CHECK__SECONDARY_DISK_USAGE__WARN_THRESHOLD_SEC. Their naming better indicates the nature of these environment variables. Note that the old variables ending in_SECare still supported but are superseded by the variables ending in_PCTif they are present.
Queries
Implemented a change about how queries track segment merging, which should eliminate edge cases where queries miss data due to merges.
Queries that combine different text searches with different tag filters now have an improved performance due to reduced volume of data scanned. For example, this change would improve the performance of a query like:
logscale#event=ConnectIP4 OR (#event=ReceiveAcceptIP4 AND RemoteAddressIP4=12.34.56.78
Functions
The
groupBy()function now displays a more descriptive error message when the maximumlimitis exceeded, specifying the maximum allowed limit for your environment.The
parseCEF()query function has an improved output message in case of incorrect input conditions.
Packages
Improving error messages when installing a YAML template file (individually or through a package), where
$schemain the file is misconfigured.
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
f5networks/bigip has been updated to v2.3.2.
Fixed field mapping to use direct assignment instead of rename function for better performance
For more information, see Package f5networks/bigip Release Notes.
cisco/meraki has been updated to v1.5.2.
Enhanced authentication event parsing with improved regex pattern for authentication messages
Added support for AnyConnect VPN connection success and failure events with detailed field extraction
Added authentication event categorization with proper event types
For more information, see Package cisco/meraki Release Notes.
checkpoint/ngfw has been updated to v2.1.2.
Regex fix to stop backtracking errors for logs that use "=" as the key-value separator
Added event.kind field with default value "event"
Removed redundant case statement for event.kind assignment
Updated parser version to 3.1.2
For more information, see Package checkpoint/ngfw Release Notes.
cisco/ios has been updated to v1.6.1.
Added support for VTY access logs with new pattern matching
For more information, see Package cisco/ios Release Notes.
cisco/umbrella has been updated to v1.3.0.
Updates ECS version to 8.17.0
Improves event categorization using array append
Standardizes event action field to lowercase
Enhances field normalization for network traffic
For more information, see Package cisco/umbrella Release Notes.
aws/cloudtrail has been updated to v1.1.5.
Added fallback to userIdentity.userName for user.name field
Updated ECS version to 8.17.0
For more information, see Package aws/cloudtrail Release Notes.
broadcom/proxysg has been updated to v1.2.0.
Updated ECS version to 8.17.0
Added event.kind field set to "event"
Changed array handling for event.category[] and event.type[] to use array:append
The old parser syslog-utc is now officially removed from the Broadcom Symantec ProxySG package
For more information, see Package broadcom/proxysg Release Notes.
okta/sso has been updated to v1.4.1.
Fixed user agent field mapping from user_agent.device.name to user_agent.os.name
Updated CPS version to 1.1.0
For more information, see Package okta/sso Release Notes.
f5networks/bigip has been updated to v2.4.0.
Added support for F5 ASM Bot Defense logs
Fixed array handling for host.ip and observer.ip fields
Improved event severity mapping based on Vendor.severity field
Fixed source.ip extraction in APM invalid host header detection
Enhanced event type categorization for APM non-existent session events
Added lowercase normalization for network.transport field
For more information, see Package f5networks/bigip Release Notes.
nozomi/ids has been updated to v1.3.1.
Updated ECS version to 9.0.0
Improved field extraction for Mitre attack tactics and techniques
Fixed parser version to 3.0.1
For more information, see Package nozomi/ids Release Notes.
checkpoint/ngfw has been updated to v2.2.0.
Added support for additional log types including VPN-1 & FireWall-1, Application Control URL Filtering, and Log Update events
Enhanced event categorization for various product types
Fixed network direction handling to improve log classification
Added test cases for new log formats
Updated parser version to 3.2.0
For more information, see Package checkpoint/ngfw Release Notes.
juniper/srx has been updated to v1.4.0.
Added support for authentication events with UI_LOGIN_EVENT, DYNAMIC_VPN_AUTH_OK, REMOTE_ACCESS_VPN_AUTH_OK, DYNAMIC_VPN_AUTH_FAIL, and REMOTE_ACCESS_VPN_AUTH_FAIL message IDs
Enhanced source IP extraction with support for src-ip-str field
Added user.name field mapping from source.user.name when available
Fixed indentation in SSH authentication message parsing
For more information, see Package juniper/srx Release Notes.
darktrace/detect has been updated to v1.5.0.
Added support for email events
Updated parser to 2.3.0
For more information, see Package darktrace/detect Release Notes.
cisco/ios has been updated to v1.7.1.
Added support for additional timezone formats including BST, CEST, GMT, IST, JST, SAST, WAT, and WIB
For more information, see Package cisco/ios Release Notes.
zscaler/deception has been updated to v2.1.0.
The old parser deception is now officially removed from the ZScaler Deception package
Expanded field normalization to support more ZScaler Deception datasets
All field normalizations have removed the use of rename() in an effort to make vendor fields available
For more information, see Package zscaler/deception Release Notes.
asimily/iomt has been updated to v1.1.1.
Updated ECS version to 8.17.0
Removed rename() function calls for direct field assignments
Removed deprecated parser asimily-iomt-json
For more information, see Package asimily/iomt Release Notes.
zscaler/internet-access has been updated to v1.4.1.
Fixed conditional parsing of file.mtime field to handle cases when Vendor.lastmodtime is not present
Updated parser version to 2.4.1
For more information, see Package zscaler/internet-access Release Notes.
microsoft/dhcp-client has been updated to v1.1.1.
Updated ECS version to 9.0.0
Changed field mapping approach from rename() to direct assignment for event.id, process.pid, and user.id
For more information, see Package microsoft/dhcp-client Release Notes.
cloudflare/zerotrust has been updated to v1.2.2.
Fixed email attachment parsing by properly dropping temporary arrays
Updated ECS version to 8.17.0
Updated parser version to 2.1.2
For more information, see Package cloudflare/zerotrust Release Notes.
akamai/asec has been updated to v1.1.1.
Updated ECS version from 8.11.0 to 8.17.0
Replaced rename() function with direct assignments for field mappings
Removed deprecated parser asec-json.yaml
For more information, see Package akamai/asec Release Notes.
forcepoint/dlp has been updated to v1.2.1.
Updated field assignments to use direct assignment instead of rename function
Fixed parser version reference
For more information, see Package forcepoint/dlp Release Notes.
microsoft/windows-dns-debug has been updated to v1.3.1.
Improved regex patterns for timestamp parsing
Added support for error messages with socket failures
Enhanced field extraction for DNS packet information
Fixed array handling for DNS header flags
Updated parser version to 2.2.1
For more information, see Package microsoft/windows-dns-debug Release Notes.
cisco/duo has been updated to v2.1.1.
Updated field mapping to use direct assignment instead of rename function
Updated ECS version to 8.17.0
Updated parser version to 2.1.1
Updated parser to use array:append for array declaration
For more information, see Package cisco/duo Release Notes.
aws/waf has been updated to v1.1.2.
Updated field mapping to use direct assignment instead of rename() function
Removed deprecated waf-json.yaml parser
For more information, see Package aws/waf Release Notes.
cisco/meraki has been updated to v1.4.0.
Added support for ip_flow_start and ip_flow_end events
Added new field mappings for network flow events
Updated ECS version to 8.17.0
For more information, see Package cisco/meraki Release Notes.
aws/s3-server-access has been updated to v1.2.1.
Updated parser to use direct field assignments instead of rename() function
Fixed field mapping consistency
For more information, see Package aws/s3-server-access Release Notes.
okta/sso has been updated to v1.3.1.
Fixed source.user.full_name to use client.user.full_name instead of client.user.id
For more information, see Package okta/sso Release Notes.
forcepoint/dlp has been updated to v1.2.0.
Added severity mapping based on Forcepoint documentation
Improved user domain extraction
Enhanced array handling for event categories and types
Optimized field cleanup process
The old parser dlp-cef is now officially removed from the Forcepoint DLP package
For more information, see Package forcepoint/dlp Release Notes.
aws/s3-server-access has been updated to v1.2.0.
Updated ECS version to 8.17.0
Added new fields:
cloud.Storage.bucket_name
error.code
host.id
url.original
user_agent.original
Improved array handling for event category and type fields
Fixed field duplication issues
The old parser s3access-space-delimited is now officially removed from the AWS S3 package
For more information, see Package aws/s3-server-access Release Notes.
nozomi/ids has been updated to v1.3.0.
Updated timestamp parsing to support MMM dd yyyy HH:mm:ss format
Added support for new message types including threat intelligence updates, link status changes, and network scans
Enhanced MAC address normalization with uppercase conversion and consistent delimiter formatting
Improved field extraction for domain and username parsing
Fixed lowercase normalization for various address fields
The old parser nozomi-syslog is now officially removed from the Nozomi IDS package
For more information, see Package nozomi/ids Release Notes.
cloudflare/zerotrust has been updated to v1.2.3.
Fixed handling of PROXY_CONN_REFUSED connection close reason
Improved bulk log processing by removing trailing newline characters
Updated parser version to 2.1.3
For more information, see Package cloudflare/zerotrust Release Notes.
rubrik/security-cloud has been updated to v1.1.0.
Added severity normalization mapping
Added event categorization for vulnerability events
Added event type and kind fields
Updated ECS version to 8.17.0
For more information, see Package rubrik/security-cloud Release Notes.
fortinet/fortigate has been updated to v1.3.5.
Updated CPS version to 1.1.0
Updated parser version to 2.1.4
Removed drop statements for fields (Vendor.time, Vendor.eventtime, Vendor.date, Vendor.tz, Vendor.ts, Vendor.srcmac, Vendor.source_mac, Vendor.dir, Vendor.direction, Vendor.service)
For more information, see Package fortinet/fortigate Release Notes.
haproxy/haproxy has been updated to v1.2.0.
Updated ECS version to 8.17.0
Added new field mappings for log.syslog fields
Added process.name and process.pid fields
Added host.name field mapping
Added source.port field mapping
The old parser haproxy-syslog is now officially removed from the HAProxy package
For more information, see Package haproxy/haproxy Release Notes.
claroty/ctd has been updated to v1.2.0.
Updated ECS version to 8.17.0
Improved event categorization using array:append
Added event severity mapping
Optimized field handling and cleanup
The old parser cef-latest is now officially removed from the Claroty CTD package
For more information, see Package claroty/ctd Release Notes.
fortinet/fortigate has been updated to v1.3.4.
Updated ECS version to 9.0.0
Added message and rule.name fields for alert events
Fixed field mappings for UTM alert events
For more information, see Package fortinet/fortigate Release Notes.
cisco/meraki has been updated to v1.5.1.
Fixed regex patterns to handle multiline syslog messages
Fixed event severity handling for unknown values
For more information, see Package cisco/meraki Release Notes.
juniper/srx has been updated to v1.3.0.
Updated parser to use ECS 8.17.0
Improved field extraction with format() function
Enhanced array handling with array:append() for event categories and types
Added support for mgd login events with user roles and service type
Fixed field handling for null values
The old parser srx-syslog is now officially removed from the Juniper SRX package
For more information, see Package juniper/srx Release Notes.
darktrace/detect has been updated to v1.3.1.
Fixed timestamp parsing for Antigena events to use start time instead of end time
For more information, see Package darktrace/detect Release Notes.
cloudflare/zerotrust has been updated to v1.2.0.
Improved JSON parsing with support for message prefix removal
Enhanced event categorization with proper event.category and event.type arrays
Added comprehensive email attachment parsing for Area1 security logs
Improved HTTP response status code handling for better event outcome determination
Added support for bulk log processing with improved detection logic
For more information, see Package cloudflare/zerotrust Release Notes.
infoblox/nios has been updated to v1.3.0.
Improves event categorization.
Adds support for additional audit events
Enhances DNS field extraction
The old parser syslog-utc is now officially removed from the Infoblox Nios package
For more information, see Package infoblox/nios Release Notes.
aws/vpcflow has been updated to v1.2.1.
Updated field mapping to use direct assignment instead of rename function
Updated ECS version to 8.17.0
Updated parser version to 1.2.1
Updated parser to use array:append for array declaration
For more information, see Package aws/vpcflow Release Notes.
aws/cloudtrail has been updated to v2.0.2.
Added support for IdentityCenterUser identity type
Improved handling of identity center user identities
For more information, see Package aws/cloudtrail Release Notes.
zscaler/private-access has been updated to v1.3.2.
Added support for private cloud controller status logs
Improved log type detection for logs without sourcetype field
Enhanced log format detection for various ZPA log types
For more information, see Package zscaler/private-access Release Notes.
cisco/ios has been updated to v1.5.0.
Improved timestamp parsing for formats including year in different positions
Added support for MAC address extraction and normalization
Enhanced access list log parsing to handle MAC addresses in source fields
Added parsing for CFGLOG_LOGGEDCMD events to capture CLI commands
For more information, see Package cisco/ios Release Notes.
f5networks/bigip has been updated to v2.2.0.
Added support for F5 Advanced Firewall Module (AFM) logs
Improved ASM event categorization for better threat detection
Updated ECS version to 8.17.0
For more information, see Package f5networks/bigip Release Notes.
darktrace/detect has been updated to v1.4.0.
Enhanced audit event parsing with improved categorization and field mapping
Added validation for source IP addresses using CIDR check
Updated ECS version to 9.0.0
Added support for syslog appname-based event classification
Updated parser to 2.2.0
For more information, see Package darktrace/detect Release Notes.
fortinet/fortimail has been updated to v2.0.0.
Improved parsing of key-value pairs with empty values
Enhanced event categorization for all log types
Added support for email address extraction from complex formats
Fixed handling of comma-separated recipient lists
Added URL parsing capabilities
Improved outcome determination logic
For more information, see Package fortinet/fortimail Release Notes.
dell/isilon has been updated to v1.2.0.
Updated ECS version to 8.17.0
Added log.syslog fields for better syslog data representation
Improved array handling for event category and type fields
Removed deprecated isilon-syslog parser
The old parser isilon-syslog is now officially removed from the Dell Isilon package
For more information, see Package dell/isilon Release Notes.
fortinet/fortimail has been updated to v1.1.1.
Updated field mapping to use direct assignment instead of rename function
Updated ECS version to 8.17.0
Updated parser version to 1.1.1
Updated parser to use array:append for array declaration
Updated client.ip to non-array field
The old parser fortimail is now officially removed from the Fortinet Fortimail package
For more information, see Package fortinet/fortimail Release Notes.
cisco/ios has been updated to v1.5.1.
Removed test cases
For more information, see Package cisco/ios Release Notes.
cisco/meraki has been updated to v1.4.1.
Added support for BSD syslog format with MMM dd HH:mm:ss timestamp format
For more information, see Package cisco/meraki Release Notes.
dell/isilon has been updated to v1.2.1.
Updated field mapping syntax from rename() to direct assignment for better performance
Fixed minor code formatting issues
For more information, see Package dell/isilon Release Notes.
veeam/veeamdataplatform has been updated to v1.0.1.
Updated field assignments to use direct assignment instead of rename() function
Improved field mapping consistency
For more information, see Package veeam/veeamdataplatform Release Notes.
tausight/ephi-risk-posture has been updated to v1.2.0.
Initial release with comprehensive ePHI event parsing
Support for file inspection, deletion, and copying events
Device attachment monitoring capabilities
Clipboard activity tracking
Email event processing
Process and file I/O activity monitoring
For more information, see Package tausight/ephi-risk-posture Release Notes.
aws/guardduty has been updated to v1.1.2.
Updated field mapping to use direct assignment instead of rename function
Removed deprecated guardduty-json.yaml parser
Updated parser version to 1.2.1
For more information, see Package aws/guardduty Release Notes.
cisco/firepower has been updated to v1.6.0.
Adds additional support to parser logs with event ID 106023, 302013, 302014, 302015, 302016, 302020
Expands event.type for logs with event ID 109201, 109207, 109210
For more information, see Package cisco/firepower Release Notes.
cisco/ise has been updated to v1.3.3.
Enhanced parsing for CISE_Alarm messages with improved message extraction
Added event categorization and type for CISE_MONITORING_DATA_PURGE_AUDIT, CISE_System_Statistics
For more information, see Package cisco/ise Release Notes.
cisco/ise has been updated to v1.3.1.
Fixed field mapping for service.name instead of service.type
Improved timestamp parsing for additional formats
Enhanced field formatting for fields with hyphens in names
For more information, see Package cisco/ise Release Notes.
netgate/pfsense has been updated to v1.1.1.
Updated ECS version from 8.11.0 to 9.0.0
Removed rename() function from field mappings for direct assignments
Removed pfsense-syslog.yaml parser file
For more information, see Package netgate/pfsense Release Notes.
f5networks/bigip has been updated to v2.3.1.
Fixed VLAN ID parsing in connection error and SSL handshake failure events
For more information, see Package f5networks/bigip Release Notes.
aws/guardduty has been updated to v1.1.3.
Added event.reason field mapping from Vendor.title
Updated parser version to 1.2.2
For more information, see Package aws/guardduty Release Notes.
cloudflare/zerotrust has been updated to v1.3.0.
Enhanced JSON parsing with excludeEmpty and handleNull options
Updated event type categorization for email security logs
Added new test cases for improved coverage
Updated parser version to 2.2.0
For more information, see Package cloudflare/zerotrust Release Notes.
aws/cloudtrail has been updated to v1.1.6.
Updated parser version to 2.0.6
Updated CPS version to 1.0.0
Fixed TLS field handling by removing rename function and adding drop operations
For more information, see Package aws/cloudtrail Release Notes.
darktrace/detect has been updated to v1.3.0.
Added support for audit events with new event.dataset "detect.audit"
Fixed timezone handling for RFC 3164 syslog timestamps
For more information, see Package darktrace/detect Release Notes.
aruba/clearpass has been updated to v1.2.4.
Added support for additional syslog header formats
Enhanced event categorization for various event types
Added extensive field extraction from Description field
Added support for authentication, session, and configuration events
Improved field normalization for client IP and MAC addresses
For more information, see Package aruba/clearpass Release Notes.
island/island has been updated to v1.2.0.
Added rule.name and rule.id fields for network events
Added event.kind field set to "event"
Updated array handling for event.category and event.type fields
Updated ECS version to 8.17.0
The old parser island is now officially removed from the Island package
For more information, see Package island/island Release Notes.
microsoft/sysmon has been updated to v1.1.2.
Updated ECS version to 9.0.0
Simplified field assignments by removing unnecessary rename() functions
Improved code readability and maintainability
For more information, see Package microsoft/sysmon Release Notes.
aws/waf has been updated to v1.1.1.
Fixed bug to handle events with trailing space in Vendor.httpRequest.httpVersion field
Migrated parser to utilize array:append()
For more information, see Package aws/waf Release Notes.
asimily/iomt has been updated to v1.1.2.
Updated parser version to 1.1.2
Updated parser to use array:append for array declaration
For more information, see Package asimily/iomt Release Notes.
cisco/firepower has been updated to v1.6.3.
Updated field assignment syntax from rename() to direct assignment
Fixed regex pattern for teardown connections to handle optional fields
Improved lower() function usage for better performance
For more information, see Package cisco/firepower Release Notes.
claroty/ctd has been updated to v1.2.1.
Fixed field mapping to use direct assignment instead of rename function
Improved case statement formatting for better readability
Updated parser version to 1.1.2
For more information, see Package claroty/ctd Release Notes.
broadcom/proxysg has been updated to v1.2.1.
Updated field mapping to use direct assignment instead of rename function
Fixed parser version to 1.1.2
For more information, see Package broadcom/proxysg Release Notes.
cisco/firepower has been updated to v1.6.1.
Improved regex pattern for inbound TCP connections to handle probe connections
Enhanced regex pattern for teardown connections to handle optional fields
For more information, see Package cisco/firepower Release Notes.
aws/cloudtrail has been updated to v2.0.1.
Updated parser to handle EventBridge events by removing "detail" prefix
Fixed JSON parsing to properly handle nested fields
For more information, see Package aws/cloudtrail Release Notes.
aws/fsx has been updated to v1.1.1.
Updated field mapping to use direct assignment instead of rename function
Updated ECS version to 8.17.0
Updated parser version to 1.1.1
Updated parser to use array:append for array declaration
For more information, see Package aws/fsx Release Notes.
zscaler/deception has been updated to v2.1.1.
Fixed timestamp handling in post-normalization
Updated ECS version to 8.17.0
Updated parser version to 2.0.1
For more information, see Package zscaler/deception Release Notes.
cisco/firepower has been updated to v1.6.4.
Fixed regex pattern for hop failure messages to handle interface names with spaces
For more information, see Package cisco/firepower Release Notes.
cisco/firepower has been updated to v1.6.2.
Fixed regex pattern for session disconnection duration to handle complex duration formats
For more information, see Package cisco/firepower Release Notes.
imperva/cloud-waf has been updated to v1.4.0.
Added regex pattern matching to filter CEF events and drop non-CEF log entries
Updated ECS version to 8.17.0
Removed rename() function calls for direct field assignment
Deleted cwaf-cef.yaml parser file
For more information, see Package imperva/cloud-waf Release Notes.
f5networks/bigip has been updated to v2.3.0.
Added support for F5 BIG-IP logs in Splunk format (HTTP traffic, load balancer failures, DNS requests/responses)
Fixed IP address field mapping to correctly populate source.ip, destination.ip, and server.ip fields
Improved timestamp parsing to support additional formats
Enhanced key-value parsing with better handling of empty fields
For more information, see Package f5networks/bigip Release Notes.
imperva/cloud-waf has been updated to v1.5.0.
Updated ECS version to 9.0.0
Updated parser version to 3.2.0
Enhanced severity handling with support for both numeric risk scores and text-based risk levels
Improved source IP handling with source.address field and proper CIDR validation
Updated array handling for event.category and event.type fields
For more information, see Package imperva/cloud-waf Release Notes.
aruba/clearpass has been updated to v1.2.3.
Updated field mapping to use format() function instead of rename() for better compatibility
Downgraded CPS version from 2.0.0 to 1.0.0
Removed deprecated clearpass-syslog.yaml parser file
For more information, see Package aruba/clearpass Release Notes.
microsoft/windows-dns-debug has been updated to v1.3.0.
Added support for additional log formats
Improved handling of DNS debug log header lines
Updated ECS version to 8.17.0
Enhanced field extraction for DNS packet information
Added support for self-referential DNS messages
The old parser windows-dns is now officially removed from the Microsoft Windows DNS package
For more information, see Package microsoft/windows-dns-debug Release Notes.
fortinet/fortigate has been updated to v1.3.3.
Updated event outcome handling to set failure when action is block or blocked
Fixed test cases to match updated outcome logic
For more information, see Package fortinet/fortigate Release Notes.
checkpoint/ngfw has been updated to v2.0.0.
Updated ECS version to 8.17.0
Improved event categorization with array-based approach
Enhanced field mapping for better data normalization
Optimized email field handling
Fixed field duplication issues
For more information, see Package checkpoint/ngfw Release Notes.
zscaler/deception has been updated to v2.2.0.
Added support for authentication events with improved categorization
Enhanced severity normalization with numeric values
Improved field extraction for user information
Added event.dataset field to distinguish between threat and audit events
For more information, see Package zscaler/deception Release Notes.
cisco/ise has been updated to v1.3.0.
Sets the event.outcome based on the Vendor.FailureReason field
The old parser cisco-ise-syslog is now officially removed from the Cisco Identity Services Engine (ISE) package
For more information, see Package cisco/ise Release Notes.
cisco/ios has been updated to v1.7.0.
Added support for additional log formats including ACCOUNTING events and IGMP logs
Enhanced access list log parsing to support both denied and permitted traffic
Added support for timezone-specific timestamp parsing
Updated to ECS version 9.0.0
Updated parser version to 2.6.0
For more information, see Package cisco/ios Release Notes.
fortinet/fortigate has been updated to v1.3.2.
Updated field assignments to use direct assignment instead of rename function
Updated ECS version to 8.17.0
For more information, see Package fortinet/fortigate Release Notes.
cisco/ios has been updated to v1.6.0.
Enhanced event type categorization for more accurate event classification
Added support for additional Cisco IOS event codes including SGACLHIT, FAIL, DHCP_SNOOPING_DENY, and more
Improved MAC address normalization for better consistency
Added deduplication of event categories and types
For more information, see Package cisco/ios Release Notes.
island/island has been updated to v1.2.1.
Updated field assignments to use direct assignment instead of rename() function
Fixed parser version to match package version
For more information, see Package island/island Release Notes.
google/chrome-enterprise-security-events has been updated to v1.2.0.
Updated ECS version from 8.11.0 to 8.17.0
Removed deprecated parser Google_Chrome_Enterprise.yaml
Simplified field assignments by removing unnecessary rename() functions
Updated parser version to 2.0.1
For more information, see Package google/chrome-enterprise-security-events Release Notes.
infoblox/nios has been updated to v1.3.1.
Fixed an issue with DNS answers containing quotes
For more information, see Package infoblox/nios Release Notes.
haproxy/haproxy has been updated to v1.2.1.
Updated field assignment syntax from rename() to direct assignment
Updated parser version to 1.1.2
For more information, see Package haproxy/haproxy Release Notes.
aws/guardduty has been updated to v1.2.0.
Improved source and destination port handling for network connections
Added support for port probe events with proper destination address mapping
Enhanced event categorization with network and connection type detection
Added event type classification (allowed/denied) based on blocked field
Added authentication category for RDS login attempts
Added API category for API call events
Updated ECS version to 9.0.0
For more information, see Package aws/guardduty Release Notes.
zscaler/internet-access has been updated to v1.4.0.
Updated parser to use direct field assignments instead of rename() function
Fixed base64 decoding for URL fields
For more information, see Package zscaler/internet-access Release Notes.
cisco/ios has been updated to v1.4.0.
Improved regex pattern for broader raw log coverage
Added timestamp parsing support for formats including year
Added LOGIN_FAILED eventCode parsing
The old parser syslog-utc is now officially removed from the Cisco IOS package
Utilized array:append() function for array declarations.
For more information, see Package cisco/ios Release Notes.
cisco/ise has been updated to v1.3.2.
Enhanced parsing for CISE_MONITORING_DATA_PURGE_AUDIT events to support additional message formats
Added support for "purging data older than" message format
Added support for "completed successfully" message format with event outcome set to success
Added support for CISE_Alarm messages with improved parsing
Enhanced field extraction for alarm messages
Added event categorization for SGT assignment and RADIUS authentication drop alarms
For more information, see Package cisco/ise Release Notes.
rubrik/security-cloud has been updated to v1.1.1.
Added support for additional timestamp format (yyyy-MM-dd HH:mm:ss[.SSS] Z z)
Updated ECS version to 9.0.0
For more information, see Package rubrik/security-cloud Release Notes.
cisco/firepower has been updated to v1.5.0.
Adds additional support to parser logs with rule 607002
The old parser firepower-syslog is now officially removed from the Cisco Firepower package
Improved array declaration within the parser
For more information, see Package cisco/firepower Release Notes.
checkpoint/ngfw has been updated to v2.1.0.
Added support for CEF formatted logs with and without headers
Enhanced timestamp handling for various formats
Added field mappings for additional Check Point fields
Improved event categorization and field normalization
Added support for additional network direction indicators
For more information, see Package checkpoint/ngfw Release Notes.