Falcon LogScale 1.193.0 GA (2025-06-17)
| Version? | Type? | Release Date? | Availability? | End of Support | Security Updates | Upgrades From? | Downgrades To? | Config. Changes? |
|---|---|---|---|---|---|---|---|---|
| 1.193.0 | GA | 2025-06-17 | Cloud | 2026-07-31 | No | 1.150.0 | 1.177.0 | No |
Hide file download links
Download
Use docker pull humio/humio-core:1.193.0 to download the latest version
Bug fixes and updates
Advance Warning
The following items are due to change in a future release.
Functions
Starting from release 1.195, the query functions
asn()andipLocation()will display an error instead of a warning should an error occur with their external dependency. This change will align their behavior to functions using similar external resources, likematch(),iocLookup(), andcidr().
Deprecation
Items that have been deprecated and may be removed in a future release.
The
colorfield on the Role type has been marked as deprecated (will be removed in version 1.195).The
setConsideredAliveUntilandsetConsideredAliveForGraphQL mutations are deprecated and will be removed in 1.195.The
lastScheduledSearchfield from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replacelastScheduledSearch.The
EXTRA_KAFKA_CONFIGS_FILEconfiguration variable has been deprecated and planned to be removed no earlier than version 1.225.0. For more information, see RN Issue.
rdns()has been deprecated and will be removed in version 1.249. UsereverseDns()as an alternative function.
Behavior Changes
Scripts or environment which make use of these tools should be checked and updated for the new configuration:
Functions
When running on ingest time,
select()now retains @ingesttimestamp internally, even when this field is not selected in the function. This way, functions that require @ingesttimestamp continue to work even if this field is not selected.For example, this query works correctly even without selecting @ingesttimestamp:
logscaleselect([foo, bar]) | tail(100)Unless explicitly selected, @ingesttimestamp is not part of the query result. For instance:
logscaleselect([foo, bar, contextTimestamp]) | tail(200) | parseTimestamp(contextTimestamp, as=@ingesttimestamp)This query outputs foo and bar fields only, but not @ingesttimestamp because it is not explicitly included in
select().To include @ingesttimestamp in the results, you can either:
Add @ingesttimestamp to
select()explicitlyGive the parsed timestamp a different name.
This change makes the timestamp behaviour when using
select()consistent between queries running on @timestamp and @ingesttimestamp.
New features and improvements
Dashboards and Widgets
Fields that are used for constraints in a query using
correlate()now show as highlighted in theTablewidget when the Group fields by prefix option is enabled. Hovering a constraint field further highlights all connected fields.
Fixed in this release
Configuration
Fixed the feature flag implementation to prevent flags from entering temporary wrong states during boot.
Dashboards and Widgets
Fixed a display issue in widgets such as
Single Valuewhere Small multiples visualizations appeared empty.
Log Collector
Extracted fields, including fields from the Log Collector, could become removable if other fields could also be removed.
This issue resulted in inaccurate usage calculations, as extracted fields' sizes were subtracted from ingestion totals.
Queries
Fixed rare cases where stale query cache might have been reused for static queries with time-dependent functions.
Functions
Fixed an issue where the _count field from
fieldstats()could overflow to a negative value when the function was processing large event volumes.
Improvement
Functions
groupBy()has been improved with optimized results. In some special cases, the function have shown memory allocation reduced by up to 90% and CPU time reduced by over 60%.
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
f5networks/bigip has been updated to v2.3.2.
Fixed field mapping to use direct assignment instead of rename function for better performance
For more information, see Package f5networks/bigip Release Notes.
cisco/ios has been updated to v1.6.1.
Added support for VTY access logs with new pattern matching
For more information, see Package cisco/ios Release Notes.
juniper/srx has been updated to v1.4.0.
Added support for authentication events with UI_LOGIN_EVENT, DYNAMIC_VPN_AUTH_OK, REMOTE_ACCESS_VPN_AUTH_OK, DYNAMIC_VPN_AUTH_FAIL, and REMOTE_ACCESS_VPN_AUTH_FAIL message IDs
Enhanced source IP extraction with support for src-ip-str field
Added user.name field mapping from source.user.name when available
Fixed indentation in SSH authentication message parsing
For more information, see Package juniper/srx Release Notes.
zscaler/internet-access has been updated to v1.4.1.
Fixed conditional parsing of file.mtime field to handle cases when Vendor.lastmodtime is not present
Updated parser version to 2.4.1
For more information, see Package zscaler/internet-access Release Notes.
forcepoint/dlp has been updated to v1.2.1.
Updated field assignments to use direct assignment instead of rename function
Fixed parser version reference
For more information, see Package forcepoint/dlp Release Notes.
cisco/duo has been updated to v2.1.1.
Updated field mapping to use direct assignment instead of rename function
Updated ECS version to 8.17.0
Updated parser version to 2.1.1
Updated parser to use array:append for array declaration
For more information, see Package cisco/duo Release Notes.
aws/waf has been updated to v1.1.2.
Updated field mapping to use direct assignment instead of rename() function
Removed deprecated waf-json.yaml parser
For more information, see Package aws/waf Release Notes.
aws/s3-server-access has been updated to v1.2.1.
Updated parser to use direct field assignments instead of rename() function
Fixed field mapping consistency
For more information, see Package aws/s3-server-access Release Notes.
cloudflare/zerotrust has been updated to v1.2.3.
Fixed handling of PROXY_CONN_REFUSED connection close reason
Improved bulk log processing by removing trailing newline characters
Updated parser version to 2.1.3
For more information, see Package cloudflare/zerotrust Release Notes.
fortinet/fortigate has been updated to v1.3.4.
Updated ECS version to 9.0.0
Added message and rule.name fields for alert events
Fixed field mappings for UTM alert events
For more information, see Package fortinet/fortigate Release Notes.
juniper/srx has been updated to v1.3.0.
Updated parser to use ECS 8.17.0
Improved field extraction with format() function
Enhanced array handling with array:append() for event categories and types
Added support for mgd login events with user roles and service type
Fixed field handling for null values
The old parser srx-syslog is now officially removed from the Juniper SRX package
For more information, see Package juniper/srx Release Notes.
mimecast/email-security has been updated to v1.0.0.
Upgraded parser to align with CPS standards
Normalized email fields to ECS format
Added MITRE ATT&CK technique mappings
Enhanced threat detection capabilities
Improved dashboard visualizations with better field mappings
Updated all dashboards to use normalized fields
Renamed parser from mimecast-json to mimecast-emailsecurity. ***This is a breaking change***. Use the #type field with the new parser name in queries as #type="mimecast-emailsecurity". All fields in events will now be available with the Vendor prefix. Fields should be referenced as Vendor.<fieldname> in queries.
Added new *Awareness Training* dashboard to support following log types: awareness-training-performance-details, awareness-training-watchlist-details and awareness-training-user-data
For more information, see Package mimecast/email-security Release Notes.
darktrace/detect has been updated to v1.3.1.
Fixed timestamp parsing for Antigena events to use start time instead of end time
For more information, see Package darktrace/detect Release Notes.
cisco/meraki has been updated to v1.5.0.
Added support for JSON formatted logs with timestamps in ts and occurredAt fields
Added support for IDS Alert events with pass-through detections
Added support for File Scanned events
Added support for BGP, DHCP, VPN, and wireless association events
Updated ECS version to 9.0.0
For more information, see Package cisco/meraki Release Notes.
aws/vpcflow has been updated to v1.2.1.
Updated field mapping to use direct assignment instead of rename function
Updated ECS version to 8.17.0
Updated parser version to 1.2.1
Updated parser to use array:append for array declaration
For more information, see Package aws/vpcflow Release Notes.
zscaler/private-access has been updated to v1.3.2.
Added support for private cloud controller status logs
Improved log type detection for logs without sourcetype field
Enhanced log format detection for various ZPA log types
For more information, see Package zscaler/private-access Release Notes.
okta/sso has been updated to v1.4.0.
Enhanced user target field handling to support multiple values
Added support for event hook delivery events
Improved event categorization with more comprehensive event type mappings
Added client fields including client.as.number and client.user fields
Added transaction.id and rule fields for better traceability
Added user_agent fields including device name and version
Updated ECS version to 9.0.0
For more information, see Package okta/sso Release Notes.
fortinet/fortimail has been updated to v2.0.0.
Improved parsing of key-value pairs with empty values
Enhanced event categorization for all log types
Added support for email address extraction from complex formats
Fixed handling of comma-separated recipient lists
Added URL parsing capabilities
Improved outcome determination logic
For more information, see Package fortinet/fortimail Release Notes.
fortinet/fortimail has been updated to v1.1.1.
Updated field mapping to use direct assignment instead of rename function
Updated ECS version to 8.17.0
Updated parser version to 1.1.1
Updated parser to use array:append for array declaration
Updated client.ip to non-array field
The old parser fortimail is now officially removed from the Fortinet Fortimail package
For more information, see Package fortinet/fortimail Release Notes.
dell/isilon has been updated to v1.2.1.
Updated field mapping syntax from rename() to direct assignment for better performance
Fixed minor code formatting issues
For more information, see Package dell/isilon Release Notes.
aws/guardduty has been updated to v1.1.2.
Updated field mapping to use direct assignment instead of rename function
Removed deprecated guardduty-json.yaml parser
Updated parser version to 1.2.1
For more information, see Package aws/guardduty Release Notes.
f5networks/bigip has been updated to v2.3.1.
Fixed VLAN ID parsing in connection error and SSL handshake failure events
For more information, see Package f5networks/bigip Release Notes.
aws/guardduty has been updated to v1.1.3.
Added event.reason field mapping from Vendor.title
Updated parser version to 1.2.2
For more information, see Package aws/guardduty Release Notes.
aruba/clearpass has been updated to v1.2.4.
Added support for additional syslog header formats
Enhanced event categorization for various event types
Added extensive field extraction from Description field
Added support for authentication, session, and configuration events
Improved field normalization for client IP and MAC addresses
For more information, see Package aruba/clearpass Release Notes.
asimily/iomt has been updated to v1.1.2.
Updated parser version to 1.1.2
Updated parser to use array:append for array declaration
For more information, see Package asimily/iomt Release Notes.
claroty/ctd has been updated to v1.2.1.
Fixed field mapping to use direct assignment instead of rename function
Improved case statement formatting for better readability
Updated parser version to 1.1.2
For more information, see Package claroty/ctd Release Notes.
broadcom/proxysg has been updated to v1.2.1.
Updated field mapping to use direct assignment instead of rename function
Fixed parser version to 1.1.2
For more information, see Package broadcom/proxysg Release Notes.
checkpoint/ngfw has been updated to v2.1.1.
Fixed CEF log parsing regex to properly handle logs without trailing newlines
Updated ECS version to 9.0.0
Updated parser version to 3.1.1
For more information, see Package checkpoint/ngfw Release Notes.
aws/fsx has been updated to v1.1.1.
Updated field mapping to use direct assignment instead of rename function
Updated ECS version to 8.17.0
Updated parser version to 1.1.1
Updated parser to use array:append for array declaration
For more information, see Package aws/fsx Release Notes.
cisco/firepower has been updated to v1.6.4.
Fixed regex pattern for hop failure messages to handle interface names with spaces
For more information, see Package cisco/firepower Release Notes.
imperva/cloud-waf has been updated to v1.4.0.
Added regex pattern matching to filter CEF events and drop non-CEF log entries
Updated ECS version to 8.17.0
Removed rename() function calls for direct field assignment
Deleted cwaf-cef.yaml parser file
For more information, see Package imperva/cloud-waf Release Notes.
island/island has been updated to v1.2.1.
Updated field assignments to use direct assignment instead of rename() function
Fixed parser version to match package version
For more information, see Package island/island Release Notes.
google/chrome-enterprise-security-events has been updated to v1.2.0.
Updated ECS version from 8.11.0 to 8.17.0
Removed deprecated parser Google_Chrome_Enterprise.yaml
Simplified field assignments by removing unnecessary rename() functions
Updated parser version to 2.0.1
For more information, see Package google/chrome-enterprise-security-events Release Notes.
haproxy/haproxy has been updated to v1.2.1.
Updated field assignment syntax from rename() to direct assignment
Updated parser version to 1.1.2
For more information, see Package haproxy/haproxy Release Notes.
cisco/ise has been updated to v1.3.2.
Enhanced parsing for CISE_MONITORING_DATA_PURGE_AUDIT events to support additional message formats
Added support for "purging data older than" message format
Added support for "completed successfully" message format with event outcome set to success
Added support for CISE_Alarm messages with improved parsing
Enhanced field extraction for alarm messages
Added event categorization for SGT assignment and RADIUS authentication drop alarms
For more information, see Package cisco/ise Release Notes.
checkpoint/ngfw has been updated to v2.1.0.
Added support for CEF formatted logs with and without headers
Enhanced timestamp handling for various formats
Added field mappings for additional Check Point fields
Improved event categorization and field normalization
Added support for additional network direction indicators
For more information, see Package checkpoint/ngfw Release Notes.