Falcon LogScale 1.190.0 GA (2025-05-27)
| Version? | Type? | Release Date? | Availability? | End of Support | Security Updates | Upgrades From? | Downgrades To? | Config. Changes? |
|---|---|---|---|---|---|---|---|---|
| 1.190.0 | GA | 2025-05-27 | Cloud | 2026-07-31 | No | 1.150.0 | 1.177.0 | No |
Hide file download links
Download
Use docker pull humio/humio-core:1.190.0 to download the latest version
Bug fixes and updates
Advance Warning
The following items are due to change in a future release.
Functions
Starting from release 1.195, the query functions
asn()andipLocation()will display an error instead of a warning should an error occur with their external dependency. This change will align their behavior to functions using similar external resources, likematch(),iocLookup(), andcidr().
Removed
Items that have been removed as of this release.
Functions
Free-text search is no longer supported after the first aggregate function (as previously announced in RN Issue). For example, this query is no longer supported:
logscale Syntaxtail(200) | "Lorem ipsum dolor"You can still search for strings in specific fields after aggregation:
logscale Syntaxtail(200) | msg="Lorem ipsum dolor"Free-text search before the first aggregate function remains supported:
logscale"Lorem ipsum dolor" | tail(200)As previously announced in RN Issue, the following functions can no longer be used after the first aggregate function:
.
For example, this query is no longer valid:
Invalid Example for Demonstration - DO NOT USElogscalegroupBy(class) | eventSize()These functions can still be used before the first aggregate function:
logscaleeventSize() | tail(200)This change is necessary as these functions require access to original events, which are not available post-aggregation.
Deprecation
Items that have been deprecated and may be removed in a future release.
The
colorfield on the Role type has been marked as deprecated (will be removed in version 1.195).The
setConsideredAliveUntilandsetConsideredAliveForGraphQL mutations are deprecated and will be removed in 1.195.The
lastScheduledSearchfield from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replacelastScheduledSearch.The
EXTRA_KAFKA_CONFIGS_FILEconfiguration variable has been deprecated and planned to be removed no earlier than version 1.225.0. For more information, see RN Issue.
Behavior Changes
Scripts or environment which make use of these tools should be checked and updated for the new configuration:
Configuration
Modified the behavior of
S3_STORAGE_PREFERRED_COPY_SOURCEand related bucket provider variables. When enabled, these settings now completely disable node-to-node transfers within the cluster. All fetching between nodes will occur via bucket storage.This change better aligns with customer requirements for minimizing costs from node-to-node transfers in environments where such transfers are more expensive than bucket downloads.
The previous behavior can be maintained by setting
S3_BUCKET_STORAGE_PREFERRED_MEANS_FORCED=false. Please inform Support should you need to use this option. This option will be removed in version 1.201.0 unless specific use cases require its retention.The previously undocumented
S3_STORAGE_FORCED_COPY_SOURCEis now deprecated and will be removed in version 1.201.0. Users should useS3_STORAGE_PREFERRED_COPY_SOURCEinstead.
New features and improvements
Administration and Management
Enabling AWS Netty client as the default HTTP client for S3 Bucket operations, replacing the existing PekkoHttpClient. The AWS Netty client (based on the Netty project) is the default HTTP client for asynchronous operations in AWS SDK v2. It's possible to fallback to PekkoHttpClient by setting the
S3_NETTY_CLIENTconfiguration variable tofalseand restarting the cluster.This implementation provides additional metrics which can be used to monitor the client connection pool.
s3-aws-bucket-available-concurrency
s3-aws-bucket-leased-concurrency
s3-aws-bucket-max-concurrency
s3-aws-bucket-pending-concurrency-acquires
s3-aws-bucket-concurrency-acquire-duration
More information about each metric is available in the HTTP Metrics section of the AWS documentation page.
On clusters where non-humio thread dumps are available, it's also possible to look into the state of the client thread pool by searching for the thread name prefix
bucketstorage-netty.By default the client is set with sensible default values coming from the AWS SDK Netty client, but it's possible to tune the client further by setting the following environment variables:
More information about each setting is available at AWS SDK for Java API Reference.
Fixed in this release
User Interface
Links to the package template schemas documentation in the LogScale UI have been fixed to point to the correct pages instead of the library homepage.
Storage
Added disk space verification before downloading IOC files to prevent downloads when disk is full.
Added disk space verification before segment merging to prevent merges when disk is full.
Queries
Queries with specific tag and field configurations has been fixed as they could erroneously filter out events. The filtering issue occurred when queries met these conditions:
The query used tag-grouping
The query used field aliasing
The field aliasing rules included a tag-grouped tag
The query filtered results based on a field-aliased field
Example:
A field aliasing rule maps vendor123.bar to baz when
#foo=123The tag #foo uses tag-grouping
The query filters results based on the baz field
LogScale could not identify joins inside saved queries when
defineTable()was also used. Becausejoin()anddefineTable()functions cannot be used together in the same query, this fix now ensures that joins are no longer hidden within saved queries.
Fleet Management
Fixed a visibility issue where enrolled Log Collector instances that hadn't ingested metrics for over 30 days were not appearing in the fleet overview.
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
asimily/iomt has been updated to v1.1.1.
Updated ECS version to 8.17.0
Removed rename() function calls for direct field assignments
Removed deprecated parser asimily-iomt-json
For more information, see Package asimily/iomt Release Notes.
zscaler/internet-access has been updated to v1.4.1.
Fixed conditional parsing of file.mtime field to handle cases when Vendor.lastmodtime is not present
Updated parser version to 2.4.1
For more information, see Package zscaler/internet-access Release Notes.
cloudflare/zerotrust has been updated to v1.2.2.
Fixed email attachment parsing by properly dropping temporary arrays
Updated ECS version to 8.17.0
Updated parser version to 2.1.2
For more information, see Package cloudflare/zerotrust Release Notes.
akamai/asec has been updated to v1.1.1.
Updated ECS version from 8.11.0 to 8.17.0
Replaced rename() function with direct assignments for field mappings
Removed deprecated parser asec-json.yaml
For more information, see Package akamai/asec Release Notes.
cisco/duo has been updated to v2.1.1.
Updated field mapping to use direct assignment instead of rename function
Updated ECS version to 8.17.0
Updated parser version to 2.1.1
Updated parser to use array:append for array declaration
For more information, see Package cisco/duo Release Notes.
aws/waf has been updated to v1.1.2.
Updated field mapping to use direct assignment instead of rename() function
Removed deprecated waf-json.yaml parser
For more information, see Package aws/waf Release Notes.
aws/s3-server-access has been updated to v1.2.1.
Updated parser to use direct field assignments instead of rename() function
Fixed field mapping consistency
For more information, see Package aws/s3-server-access Release Notes.
okta/sso has been updated to v1.3.1.
Fixed source.user.full_name to use client.user.full_name instead of client.user.id
For more information, see Package okta/sso Release Notes.
nozomi/ids has been updated to v1.3.0.
Updated timestamp parsing to support MMM dd yyyy HH:mm:ss format
Added support for new message types including threat intelligence updates, link status changes, and network scans
Enhanced MAC address normalization with uppercase conversion and consistent delimiter formatting
Improved field extraction for domain and username parsing
Fixed lowercase normalization for various address fields
The old parser nozomi-syslog is now officially removed from the Nozomi IDS package
For more information, see Package nozomi/ids Release Notes.
juniper/srx has been updated to v1.3.0.
Updated parser to use ECS 8.17.0
Improved field extraction with format() function
Enhanced array handling with array:append() for event categories and types
Added support for mgd login events with user roles and service type
Fixed field handling for null values
The old parser srx-syslog is now officially removed from the Juniper SRX package
For more information, see Package juniper/srx Release Notes.
aws/vpcflow has been updated to v1.2.1.
Updated field mapping to use direct assignment instead of rename function
Updated ECS version to 8.17.0
Updated parser version to 1.2.1
Updated parser to use array:append for array declaration
For more information, see Package aws/vpcflow Release Notes.
fortinet/fortimail has been updated to v1.1.1.
Updated field mapping to use direct assignment instead of rename function
Updated ECS version to 8.17.0
Updated parser version to 1.1.1
Updated parser to use array:append for array declaration
Updated client.ip to non-array field
The old parser fortimail is now officially removed from the Fortinet Fortimail package
For more information, see Package fortinet/fortimail Release Notes.
cisco/meraki has been updated to v1.4.1.
Added support for BSD syslog format with MMM dd HH:mm:ss timestamp format
For more information, see Package cisco/meraki Release Notes.
veeam/veeamdataplatform has been updated to v1.0.1.
Updated field assignments to use direct assignment instead of rename() function
Improved field mapping consistency
For more information, see Package veeam/veeamdataplatform Release Notes.
aws/guardduty has been updated to v1.1.2.
Updated field mapping to use direct assignment instead of rename function
Removed deprecated guardduty-json.yaml parser
Updated parser version to 1.2.1
For more information, see Package aws/guardduty Release Notes.
cisco/ise has been updated to v1.3.1.
Fixed field mapping for service.name instead of service.type
Improved timestamp parsing for additional formats
Enhanced field formatting for fields with hyphens in names
For more information, see Package cisco/ise Release Notes.
f5networks/bigip has been updated to v2.3.1.
Fixed VLAN ID parsing in connection error and SSL handshake failure events
For more information, see Package f5networks/bigip Release Notes.
aws/cloudtrail has been updated to v1.1.6.
Updated parser version to 2.0.6
Updated CPS version to 1.0.0
Fixed TLS field handling by removing rename function and adding drop operations
For more information, see Package aws/cloudtrail Release Notes.
asimily/iomt has been updated to v1.1.2.
Updated parser version to 1.1.2
Updated parser to use array:append for array declaration
For more information, see Package asimily/iomt Release Notes.
broadcom/proxysg has been updated to v1.2.1.
Updated field mapping to use direct assignment instead of rename function
Fixed parser version to 1.1.2
For more information, see Package broadcom/proxysg Release Notes.
aws/fsx has been updated to v1.1.1.
Updated field mapping to use direct assignment instead of rename function
Updated ECS version to 8.17.0
Updated parser version to 1.1.1
Updated parser to use array:append for array declaration
For more information, see Package aws/fsx Release Notes.
cisco/firepower has been updated to v1.6.4.
Fixed regex pattern for hop failure messages to handle interface names with spaces
For more information, see Package cisco/firepower Release Notes.
f5networks/bigip has been updated to v2.3.0.
Added support for F5 BIG-IP logs in Splunk format (HTTP traffic, load balancer failures, DNS requests/responses)
Fixed IP address field mapping to correctly populate source.ip, destination.ip, and server.ip fields
Improved timestamp parsing to support additional formats
Enhanced key-value parsing with better handling of empty fields
For more information, see Package f5networks/bigip Release Notes.
aruba/clearpass has been updated to v1.2.3.
Updated field mapping to use format() function instead of rename() for better compatibility
Downgraded CPS version from 2.0.0 to 1.0.0
Removed deprecated clearpass-syslog.yaml parser file
For more information, see Package aruba/clearpass Release Notes.
cisco/ios has been updated to v1.6.0.
Enhanced event type categorization for more accurate event classification
Added support for additional Cisco IOS event codes including SGACLHIT, FAIL, DHCP_SNOOPING_DENY, and more
Improved MAC address normalization for better consistency
Added deduplication of event categories and types
For more information, see Package cisco/ios Release Notes.
infoblox/nios has been updated to v1.3.1.
Fixed an issue with DNS answers containing quotes
For more information, see Package infoblox/nios Release Notes.
zscaler/internet-access has been updated to v1.4.0.
Updated parser to use direct field assignments instead of rename() function
Fixed base64 decoding for URL fields
For more information, see Package zscaler/internet-access Release Notes.
checkpoint/ngfw has been updated to v2.1.0.
Added support for CEF formatted logs with and without headers
Enhanced timestamp handling for various formats
Added field mappings for additional Check Point fields
Improved event categorization and field normalization
Added support for additional network direction indicators
For more information, see Package checkpoint/ngfw Release Notes.