Falcon LogScale 1.195.1 LTS (2025-07-22)
| Version? | Type? | Release Date? | Availability? | End of Support | Security Updates | Upgrades From? | Downgrades To? | Config. Changes? |
|---|---|---|---|---|---|---|---|---|
| 1.195.1 | LTS | 2025-07-22 | Cloud On-Prem | 2026-07-31 | No | 1.150.0 | 1.177.0 | No |
Hide file download links
Download
Use docker pull humio/humio-core:1.195.1 to download the latest version
Hide file hashes
These notes include entries from the following previous releases: 1.195.0, 1.194.0, 1.193.0, 1.192.0, 1.191.0, 1.190.0
Bug fixes and updates.
Advance Warning
The following items are due to change in a future release.
Functions
Starting from release 1.195, the query functions
asn()andipLocation()will display an error instead of a warning should an error occur with their external dependency. This change will align their behavior to functions using similar external resources, likematch(),iocLookup(), andcidr().
Removed
Items that have been removed as of this release.
Configuration
Removed server compatibility checks from multi-cluster searches. These checks became obsolete due to some internal implementation changes occurred in past versions. The new behavior is described at Multi-Cluster Compatibility Across Versions.
Additional related changes:
Removed the
UNSAFE_RELAX_FEDERATED_PROTOCOL_VERSION_CHECKenvironment variable.Deprecated the remoteServerCompatVersion field in the
RemoteClusterConnectionStatustype (returned by the checkRemoteClusterConnection() GraphQL query).Will remove the remoteServerCompatVersion field no earlier than version 1.207, following the
ShortTermAPI stability deprecation policy.The
QueryBacktrackingLimitfeature flag has been removed. Use theQueryBacktrackingLimitdynamic configuration to adjust the limit.Functions
Free-text search is no longer supported after the first aggregate function (as previously announced in RN Issue). For example, this query is no longer supported:
logscale Syntaxtail(200) | "Lorem ipsum dolor"You can still search for strings in specific fields after aggregation:
logscale Syntaxtail(200) | msg="Lorem ipsum dolor"Free-text search before the first aggregate function remains supported:
logscale"Lorem ipsum dolor" | tail(200)As previously announced in RN Issue, the following functions can no longer be used after the first aggregate function:
.
For example, this query is no longer valid:
Invalid Example for Demonstration - DO NOT USElogscalegroupBy(class) | eventSize()These functions can still be used before the first aggregate function:
logscaleeventSize() | tail(200)This change is necessary as these functions require access to original events, which are not available post-aggregation.
Deprecation
Items that have been deprecated and may be removed in a future release.
The datasource-count metric has been deprecated and will be removed in version 1.201 of LogScale.
The information about the total number of datasources is available via the logs by the
GlobalSegmentStatsLoggerJobin the datasources field. When a new datasource is created or marked as deleted, the total number of datasources is logged in the datasourceCount field.The
colorfield on the Role type has been marked as deprecated (will be removed in version 1.195).The
setConsideredAliveUntilandsetConsideredAliveForGraphQL mutations are deprecated and will be removed in 1.195.The
lastScheduledSearchfield from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replacelastScheduledSearch.The
EXTRA_KAFKA_CONFIGS_FILEconfiguration variable has been deprecated and planned to be removed no earlier than version 1.225.0. For more information, see RN Issue.
rdns()has been deprecated and will be removed in version 1.249. UsereverseDns()as an alternative function.The updateScheduledSearchV2 GraphQL mutation has been deprecated in favor of updateScheduledSearchV3, which now includes field triggerOnEmptyResult .
Behavior Changes
Scripts or environment which make use of these tools should be checked and updated for the new configuration:
Storage
Changed segment upload behavior to use the first available
ownerHoststhat is alive instead of just the firstownerHost.Reverted a change from version 1.191.0 that increased the buffer size used for parsing global snapshots, as the change did not yield the expected performance improvements.
Configuration
Modified the behavior of
S3_STORAGE_PREFERRED_COPY_SOURCEand related bucket provider variables. When enabled, these settings now completely disable node-to-node transfers within the cluster. All fetching between nodes will occur via bucket storage.This change better aligns with customer requirements for minimizing costs from node-to-node transfers in environments where such transfers are more expensive than bucket downloads.
The previous behavior can be maintained by setting
S3_BUCKET_STORAGE_PREFERRED_MEANS_FORCED=false. Please inform Support should you need to use this option. This option will be removed in version 1.201.0 unless specific use cases require its retention.The previously undocumented
S3_STORAGE_FORCED_COPY_SOURCEis now deprecated and will be removed in version 1.201.0. Users should useS3_STORAGE_PREFERRED_COPY_SOURCEinstead.Ingestion
Parse Data now only report missing lookup files when the query statement using the file is actually evaluated. For example, when using case branching with a missing lookup file that the event doesn't hit, no warning will be generated for the missing file.
Queries
Changed HTTP status code from 400 to 503 when a query fails to start due to internal errors, such as query queue being full.
Functions
asn()andipLocation()functions now throws errors (instead of warnings) in query contexts where there are issues with external dependencies. This matches the error handling behavior of functions that also use external dependencies, likematch()andioc:lookup().When running on ingest time,
select()now retains @ingesttimestamp internally, even when this field is not selected in the function. This way, functions that require @ingesttimestamp continue to work even if this field is not selected.For example, this query works correctly even without selecting @ingesttimestamp:
logscaleselect([foo, bar]) | tail(100)Unless explicitly selected, @ingesttimestamp is not part of the query result. For instance:
logscaleselect([foo, bar, contextTimestamp]) | tail(200) | parseTimestamp(contextTimestamp, as=@ingesttimestamp)This query outputs foo and bar fields only, but not @ingesttimestamp because it is not explicitly included in
select().To include @ingesttimestamp in the results, you can either:
Add @ingesttimestamp to
select()explicitlyGive the parsed timestamp a different name.
This change makes the timestamp behaviour when using
select()consistent between queries running on @timestamp and @ingesttimestamp.
Upgrades
Changes that may occur or be required during an upgrade.
Installation and Deployment
Upgraded the Kafka clients to 3.9.1.
New features and improvements
Administration and Management
Enabling AWS Netty client as the default HTTP client for S3 Bucket operations, replacing the existing PekkoHttpClient. The AWS Netty client (based on the Netty project) is the default HTTP client for asynchronous operations in AWS SDK v2. It's possible to fallback to PekkoHttpClient by setting the
S3_NETTY_CLIENTconfiguration variable tofalseand restarting the cluster.This implementation provides additional metrics which can be used to monitor the client connection pool.
s3-aws-bucket-available-concurrency
s3-aws-bucket-leased-concurrency
s3-aws-bucket-max-concurrency
s3-aws-bucket-pending-concurrency-acquires
s3-aws-bucket-concurrency-acquire-duration
More information about each metric is available in the HTTP Metrics section of the AWS documentation page.
On clusters where non-humio thread dumps are available, it's also possible to look into the state of the client thread pool by searching for the thread name prefix
bucketstorage-netty.By default the client is set with sensible default values coming from the AWS SDK Netty client, but it's possible to tune the client further by setting the following environment variables:
More information about each setting is available at AWS SDK for Java API Reference.
Automation and Triggers
New options are available in the UI for Scheduled searches:
Added the hourly frequency for running scheduled searches. Previously, only daily, weekly, and monthly schedules were available when selecting the schedule configuration.
Scheduled searches now use the hourly configuration by default instead of cron expression.
For more information, see Scheduling.
Scheduled searches can now trigger actions even when no results are found. Previously, actions would only trigger when results were found. This is an optional feature that you can set in Advanced settings.
It is now possible to test Actions with an empty set of events. This feature allows for validating that actions work correctly when no events are found by a scheduled search, and helps prevent action configuration errors.
GraphQL API
Labels can now be added to files through the GraphQL mutations: newFile() and updateFile(), and can be queried on the File input datatype.
Added the ability to create a saved query from a yaml template via the new createSavedQueryFromTemplate GraphQL mutation.
Added new GraphQL mutation copySavedQuery(). This mutation allows copying a saved query, optionally into another repository.
Configuration
The new configuration option
QUERY_SCHEDULER_QUERY_QUEUE_SIZEnow determines the number of queries that can be enqueued on the query workers while waiting to start running.Introduced a configurable limit on the number of connections that can be attached to a Multi-Cluster View . The default limit is 50, but can be changed through the environment variable
MAX_FEDERATED_CONNECTIONS.Introduced a configurable limit on the number of tags that can be added to a Multi-Cluster View connection. The default limit is 25, but can be changed through the environment variable
MAX_FEDERATED_CONNECTION_TAGS.
Dashboards and Widgets
To support the output of the
correlate()function introduced in this version, theTablewidget has a new format setting Group fields by prefix to display fields from the same event in a single column.Fields that are used for constraints in a query using
correlate()now show as highlighted in theTablewidget when the Group fields by prefix option is enabled. Hovering a constraint field further highlights all connected fields.
Ingestion
Added ingest feeds for consuming data from Azure Event Hubs, this feature is now available on cloud and was released for self hosted as of 1.189.0.
For more information, see Ingest Data from Azure Event Hubs.
Custom ingest tokens are now generally available through the API (not in the UI). A minimum length restriction of 16 characters has been added for custom ingest tokens.
For more information, see Custom Tokens.
Functions
The new
correlate()function for advanced event pattern detection is now available. This feature enables users to identify specific sequences of events.Key capabilities:
Search for related event groups and patterns
Define temporal relationships
Configure custom detection criteria
Example use case: Search for a sequence where a user has three failed login attempts followed by a successful login within a five-minute window.
For detailed implementation guidelines and configuration options, please refer to the
correlate()function documentation.For more information, see
correlate().Introduced the new
reverseDns()query function for performing reverse DNS lookups, intended to replace the oldrdns()function.Administrators can control the function using the following configuration.
Dynamic configurations:
ReverseDnsDefaultTimeoutInMs– Default timeout for resolving IPsReverseDnsDefaultLimit– Default number of unique IPs resolvedReverseDnsMaxLimit– Maximum allowed number of unique IPs resolvedReverseDnsConcurrentRequests– Maximum number of concurrent requestsReverseDnsRequestsPerSecond– Maximum number of requests per second
Configuration variables:
IP_FILTER_RDNS_SERVER– IP filter for the allowed DNS serversIP_FILTER_RDNS– IP filter for the allowed IPs that can be resolvedRDNS_DEFAULT_SERVER– The default DNS server to be used
Fixed in this release
Administration and Management
Fixed an issue in the live-dashboard-query-count metric to improve accuracy.
Fixed incorrect registration of the segment-fetching-trigger-queue-size metric that was producing misleading values.
User Interface
Filtering on the result of an aggregation could lead to more rows in the UI than there should be. This issue has now been fixed.
Fixed an issue where some table columns would not get sorted properly.
Links to the package template schemas documentation in the LogScale UI have been fixed to point to the correct pages instead of the library homepage.
Automation and Triggers
Fixed a rare issue where information about the execution of Filter and Aggregate alerts could fail to be saved, potentially resulting in duplicate alerts.
The Time interval selector now correctly retains the timestamp selected in Advanced settings when editing a trigger in the
Searchpage. Previously, it would always default to @ingesttimestamp.
Storage
Added disk space verification before downloading IOC files to prevent downloads when disk is full.
Added disk space verification before segment merging to prevent merges when disk is full.
Configuration
Fixed the feature flag implementation to prevent flags from entering temporary wrong states during boot.
Dashboards and Widgets
Widgets now display the
Rawvalue format with better precision, as they no longer round/truncate significant digits: instead, raw values now keep the same precision that JavaScript floats can handle. For example, before the fix a chart would display a raw value format like 12345678 as 12,345,700; after the fix, the chart correctly displays the value as 12,345,678.Fixed an issue where clicking a preset interaction, such as link in the
Tablewidget to add a field filter to the end of a query, would convert a safe value into an incorrect regex.Fixed a display issue in widgets such as
Single Valuewhere Small multiples visualizations appeared empty.
Log Collector
Extracted fields, including fields from the Log Collector, could become removable if other fields could also be removed.
This issue resulted in inaccurate usage calculations, as extracted fields' sizes were subtracted from ingestion totals.
Queries
Queries with specific tag and field configurations has been fixed as they could erroneously filter out events. The filtering issue occurred when queries met these conditions:
The query used tag-grouping
The query used field aliasing
The field aliasing rules included a tag-grouped tag
The query filtered results based on a field-aliased field
Example:
A field aliasing rule maps vendor123.bar to baz when
#foo=123The tag #foo uses tag-grouping
The query filters results based on the baz field
LogScale could not identify joins inside saved queries when
defineTable()was also used. Becausejoin()anddefineTable()functions cannot be used together in the same query, this fix now ensures that joins are no longer hidden within saved queries.Fixed rare cases where stale query cache might have been reused for static queries with time-dependent functions.
Fixed an issue where during digest restart a query might receive duplicate events.
Fixed an issue that caused incorrect worker assignments to a query after handover operations. These incorrect assignments would lead to unnecessary query restarts.
During digest restart, live queries could miss some events in cases where the live query had dependencies, such as dependencies on a lookup file. This issue has now been fixed.
Fleet Management
Fixed a visibility issue where enrolled Log Collector instances that hadn't ingested metrics for over 30 days were not appearing in the fleet overview.
The
Fleet overviewpage has been fixed as collectors with errors in log sources would incorrectly show the Okay status instead of ERROR.
Functions
Fixed an issue where the _count field from
fieldstats()could overflow to a negative value when the function was processing large event volumes.
Other
LogScale shutdown could be delayed if errors occurred during a shutdown already in progress.
Improvement
Installation and Deployment
Updated PDF Render Service dependencies to eliminate vulnerabilities.
User Interface
The legend title can now be enabled and added to the
Time Chartwidget.
Automation and Triggers
For filter and aggregate alerts, values for field-based throttling are now being hashed to save space.
For Self-hosted only: this change enables storing more values for field-based throttling when using throttle fields with large values. See
FILTER_ALERT_MAX_THROTTLE_FIELD_VALUES_STOREDandAGGREGATE_ALERT_MAX_THROTTLE_FIELD_VALUES_STOREDconfiguration variables.For Self-hosted only: if you need to downgrade after upgrading to this version, you might lose all values stored for field-based throttling, causing alerts with field-based throttling to trigger again although they should have been throttled. This will occur at most once per throttling field value.
Storage
Made improvements to all bucket upload operations. Bucket storage upload operations (uploaded files/global snapshots/segments) now work more efficiently by utilizing the upload queue and callback functions to complete the upload. This ensures that configured concurrency limits are properly enforced.
Reduced memory usage when handling numerical values in internal JSON representation.
Reduced the log level of
OutOfOrderSequenceExceptionsin the ingest pipeline from ERROR to WARN.These exceptions occur either due to data loss in Kafka (requiring Kafka administrator investigation) or, more likely, due to a timeout on message delivery, which will prompt the exception following the timed out message.
The log level for writes to Global Database remains at ERROR, as it will cause the node to crash.
Reduced memory usage when working with large tables (for example, those defined by
defineTable()).
GraphQL API
Added support for labels in the GraphQL API for Actions. Labels can now be:
Added to Actions through the GraphQL mutations for creating and updating Actions
Queried on the "Action" type
Made the name input argument of createDashboardFromTemplateV2() mutation optional. If not supplied, the name will default to the name in the template.
Extended the analyzeQuery() endpoint with an optional time interval. This allows validating the interval for syntax errors.
Queries
Enhanced query handling to prevent execution of queries originating from timed-out HTTP requests.
Increased delays between repeated query restarts of the same static query.
Improved consistency in log message format between
slow queryandquery endedlogs.
Functions
Improved performance of
match(mode=glob). It now runs significantly faster in many situations. The performance impact depends on the situation; speed-ups of 4x-90x have been observed.groupBy()has been improved with optimized results. In some special cases, the function have shown memory allocation reduced by up to 90% and CPU time reduced by over 60%.The
correlate()function now generates a warning message when used in an unsupported, non-top-level context, such as in subqueries or when passed as an argument to a function.Searches using ID filters such as with
in(@id, values=[...])are now being optimized to run more efficiently. This improvement is especially noticeable when drilling down into results using thecorrelate()function.
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
f5networks/bigip has been updated to v2.3.2.
Fixed field mapping to use direct assignment instead of rename function for better performance
For more information, see Package f5networks/bigip Release Notes.
checkpoint/ngfw has been updated to v2.1.2.
Regex fix to stop backtracking errors for logs that use "=" as the key-value separator
Added event.kind field with default value "event"
Removed redundant case statement for event.kind assignment
Updated parser version to 3.1.2
For more information, see Package checkpoint/ngfw Release Notes.
cisco/ios has been updated to v1.6.1.
Added support for VTY access logs with new pattern matching
For more information, see Package cisco/ios Release Notes.
f5networks/bigip has been updated to v2.4.0.
Added support for F5 ASM Bot Defense logs
Fixed array handling for host.ip and observer.ip fields
Improved event severity mapping based on Vendor.severity field
Fixed source.ip extraction in APM invalid host header detection
Enhanced event type categorization for APM non-existent session events
Added lowercase normalization for network.transport field
For more information, see Package f5networks/bigip Release Notes.
nozomi/ids has been updated to v1.3.1.
Updated ECS version to 9.0.0
Improved field extraction for Mitre attack tactics and techniques
Fixed parser version to 3.0.1
For more information, see Package nozomi/ids Release Notes.
checkpoint/ngfw has been updated to v2.2.0.
Added support for additional log types including VPN-1 & FireWall-1, Application Control URL Filtering, and Log Update events
Enhanced event categorization for various product types
Fixed network direction handling to improve log classification
Added test cases for new log formats
Updated parser version to 3.2.0
For more information, see Package checkpoint/ngfw Release Notes.
juniper/srx has been updated to v1.4.0.
Added support for authentication events with UI_LOGIN_EVENT, DYNAMIC_VPN_AUTH_OK, REMOTE_ACCESS_VPN_AUTH_OK, DYNAMIC_VPN_AUTH_FAIL, and REMOTE_ACCESS_VPN_AUTH_FAIL message IDs
Enhanced source IP extraction with support for src-ip-str field
Added user.name field mapping from source.user.name when available
Fixed indentation in SSH authentication message parsing
For more information, see Package juniper/srx Release Notes.
asimily/iomt has been updated to v1.1.1.
Updated ECS version to 8.17.0
Removed rename() function calls for direct field assignments
Removed deprecated parser asimily-iomt-json
For more information, see Package asimily/iomt Release Notes.
zscaler/internet-access has been updated to v1.4.1.
Fixed conditional parsing of file.mtime field to handle cases when Vendor.lastmodtime is not present
Updated parser version to 2.4.1
For more information, see Package zscaler/internet-access Release Notes.
microsoft/dhcp-client has been updated to v1.1.1.
Updated ECS version to 9.0.0
Changed field mapping approach from rename() to direct assignment for event.id, process.pid, and user.id
For more information, see Package microsoft/dhcp-client Release Notes.
cloudflare/zerotrust has been updated to v1.2.2.
Fixed email attachment parsing by properly dropping temporary arrays
Updated ECS version to 8.17.0
Updated parser version to 2.1.2
For more information, see Package cloudflare/zerotrust Release Notes.
akamai/asec has been updated to v1.1.1.
Updated ECS version from 8.11.0 to 8.17.0
Replaced rename() function with direct assignments for field mappings
Removed deprecated parser asec-json.yaml
For more information, see Package akamai/asec Release Notes.
forcepoint/dlp has been updated to v1.2.1.
Updated field assignments to use direct assignment instead of rename function
Fixed parser version reference
For more information, see Package forcepoint/dlp Release Notes.
cisco/duo has been updated to v2.1.1.
Updated field mapping to use direct assignment instead of rename function
Updated ECS version to 8.17.0
Updated parser version to 2.1.1
Updated parser to use array:append for array declaration
For more information, see Package cisco/duo Release Notes.
aws/waf has been updated to v1.1.2.
Updated field mapping to use direct assignment instead of rename() function
Removed deprecated waf-json.yaml parser
For more information, see Package aws/waf Release Notes.
aws/s3-server-access has been updated to v1.2.1.
Updated parser to use direct field assignments instead of rename() function
Fixed field mapping consistency
For more information, see Package aws/s3-server-access Release Notes.
okta/sso has been updated to v1.3.1.
Fixed source.user.full_name to use client.user.full_name instead of client.user.id
For more information, see Package okta/sso Release Notes.
nozomi/ids has been updated to v1.3.0.
Updated timestamp parsing to support MMM dd yyyy HH:mm:ss format
Added support for new message types including threat intelligence updates, link status changes, and network scans
Enhanced MAC address normalization with uppercase conversion and consistent delimiter formatting
Improved field extraction for domain and username parsing
Fixed lowercase normalization for various address fields
The old parser nozomi-syslog is now officially removed from the Nozomi IDS package
For more information, see Package nozomi/ids Release Notes.
cloudflare/zerotrust has been updated to v1.2.3.
Fixed handling of PROXY_CONN_REFUSED connection close reason
Improved bulk log processing by removing trailing newline characters
Updated parser version to 2.1.3
For more information, see Package cloudflare/zerotrust Release Notes.
fortinet/fortigate has been updated to v1.3.4.
Updated ECS version to 9.0.0
Added message and rule.name fields for alert events
Fixed field mappings for UTM alert events
For more information, see Package fortinet/fortigate Release Notes.
cisco/meraki has been updated to v1.5.1.
Fixed regex patterns to handle multiline syslog messages
Fixed event severity handling for unknown values
For more information, see Package cisco/meraki Release Notes.
juniper/srx has been updated to v1.3.0.
Updated parser to use ECS 8.17.0
Improved field extraction with format() function
Enhanced array handling with array:append() for event categories and types
Added support for mgd login events with user roles and service type
Fixed field handling for null values
The old parser srx-syslog is now officially removed from the Juniper SRX package
For more information, see Package juniper/srx Release Notes.
mimecast/email-security has been updated to v1.0.0.
Upgraded parser to align with CPS standards
Normalized email fields to ECS format
Added MITRE ATT&CK technique mappings
Enhanced threat detection capabilities
Improved dashboard visualizations with better field mappings
Updated all dashboards to use normalized fields
Renamed parser from mimecast-json to mimecast-emailsecurity. ***This is a breaking change***. Use the #type field with the new parser name in queries as #type="mimecast-emailsecurity". All fields in events will now be available with the Vendor prefix. Fields should be referenced as Vendor.<fieldname> in queries.
Added new *Awareness Training* dashboard to support following log types: awareness-training-performance-details, awareness-training-watchlist-details and awareness-training-user-data
For more information, see Package mimecast/email-security Release Notes.
darktrace/detect has been updated to v1.3.1.
Fixed timestamp parsing for Antigena events to use start time instead of end time
For more information, see Package darktrace/detect Release Notes.
cisco/meraki has been updated to v1.5.0.
Added support for JSON formatted logs with timestamps in ts and occurredAt fields
Added support for IDS Alert events with pass-through detections
Added support for File Scanned events
Added support for BGP, DHCP, VPN, and wireless association events
Updated ECS version to 9.0.0
For more information, see Package cisco/meraki Release Notes.
aws/vpcflow has been updated to v1.2.1.
Updated field mapping to use direct assignment instead of rename function
Updated ECS version to 8.17.0
Updated parser version to 1.2.1
Updated parser to use array:append for array declaration
For more information, see Package aws/vpcflow Release Notes.
zscaler/private-access has been updated to v1.3.2.
Added support for private cloud controller status logs
Improved log type detection for logs without sourcetype field
Enhanced log format detection for various ZPA log types
For more information, see Package zscaler/private-access Release Notes.
okta/sso has been updated to v1.4.0.
Enhanced user target field handling to support multiple values
Added support for event hook delivery events
Improved event categorization with more comprehensive event type mappings
Added client fields including client.as.number and client.user fields
Added transaction.id and rule fields for better traceability
Added user_agent fields including device name and version
Updated ECS version to 9.0.0
For more information, see Package okta/sso Release Notes.
darktrace/detect has been updated to v1.4.0.
Enhanced audit event parsing with improved categorization and field mapping
Added validation for source IP addresses using CIDR check
Updated ECS version to 9.0.0
Added support for syslog appname-based event classification
Updated parser to 2.2.0
For more information, see Package darktrace/detect Release Notes.
fortinet/fortimail has been updated to v2.0.0.
Improved parsing of key-value pairs with empty values
Enhanced event categorization for all log types
Added support for email address extraction from complex formats
Fixed handling of comma-separated recipient lists
Added URL parsing capabilities
Improved outcome determination logic
For more information, see Package fortinet/fortimail Release Notes.
fortinet/fortimail has been updated to v1.1.1.
Updated field mapping to use direct assignment instead of rename function
Updated ECS version to 8.17.0
Updated parser version to 1.1.1
Updated parser to use array:append for array declaration
Updated client.ip to non-array field
The old parser fortimail is now officially removed from the Fortinet Fortimail package
For more information, see Package fortinet/fortimail Release Notes.
cisco/meraki has been updated to v1.4.1.
Added support for BSD syslog format with MMM dd HH:mm:ss timestamp format
For more information, see Package cisco/meraki Release Notes.
dell/isilon has been updated to v1.2.1.
Updated field mapping syntax from rename() to direct assignment for better performance
Fixed minor code formatting issues
For more information, see Package dell/isilon Release Notes.
veeam/veeamdataplatform has been updated to v1.0.1.
Updated field assignments to use direct assignment instead of rename() function
Improved field mapping consistency
For more information, see Package veeam/veeamdataplatform Release Notes.
aws/guardduty has been updated to v1.1.2.
Updated field mapping to use direct assignment instead of rename function
Removed deprecated guardduty-json.yaml parser
Updated parser version to 1.2.1
For more information, see Package aws/guardduty Release Notes.
cisco/ise has been updated to v1.3.3.
Enhanced parsing for CISE_Alarm messages with improved message extraction
Added event categorization and type for CISE_MONITORING_DATA_PURGE_AUDIT, CISE_System_Statistics
For more information, see Package cisco/ise Release Notes.
cisco/ise has been updated to v1.3.1.
Fixed field mapping for service.name instead of service.type
Improved timestamp parsing for additional formats
Enhanced field formatting for fields with hyphens in names
For more information, see Package cisco/ise Release Notes.
netgate/pfsense has been updated to v1.1.1.
Updated ECS version from 8.11.0 to 9.0.0
Removed rename() function from field mappings for direct assignments
Removed pfsense-syslog.yaml parser file
For more information, see Package netgate/pfsense Release Notes.
f5networks/bigip has been updated to v2.3.1.
Fixed VLAN ID parsing in connection error and SSL handshake failure events
For more information, see Package f5networks/bigip Release Notes.
aws/guardduty has been updated to v1.1.3.
Added event.reason field mapping from Vendor.title
Updated parser version to 1.2.2
For more information, see Package aws/guardduty Release Notes.
cloudflare/zerotrust has been updated to v1.3.0.
Enhanced JSON parsing with excludeEmpty and handleNull options
Updated event type categorization for email security logs
Added new test cases for improved coverage
Updated parser version to 2.2.0
For more information, see Package cloudflare/zerotrust Release Notes.
aws/cloudtrail has been updated to v1.1.6.
Updated parser version to 2.0.6
Updated CPS version to 1.0.0
Fixed TLS field handling by removing rename function and adding drop operations
For more information, see Package aws/cloudtrail Release Notes.
aruba/clearpass has been updated to v1.2.4.
Added support for additional syslog header formats
Enhanced event categorization for various event types
Added extensive field extraction from Description field
Added support for authentication, session, and configuration events
Improved field normalization for client IP and MAC addresses
For more information, see Package aruba/clearpass Release Notes.
microsoft/sysmon has been updated to v1.1.2.
Updated ECS version to 9.0.0
Simplified field assignments by removing unnecessary rename() functions
Improved code readability and maintainability
For more information, see Package microsoft/sysmon Release Notes.
asimily/iomt has been updated to v1.1.2.
Updated parser version to 1.1.2
Updated parser to use array:append for array declaration
For more information, see Package asimily/iomt Release Notes.
claroty/ctd has been updated to v1.2.1.
Fixed field mapping to use direct assignment instead of rename function
Improved case statement formatting for better readability
Updated parser version to 1.1.2
For more information, see Package claroty/ctd Release Notes.
broadcom/proxysg has been updated to v1.2.1.
Updated field mapping to use direct assignment instead of rename function
Fixed parser version to 1.1.2
For more information, see Package broadcom/proxysg Release Notes.
checkpoint/ngfw has been updated to v2.1.1.
Fixed CEF log parsing regex to properly handle logs without trailing newlines
Updated ECS version to 9.0.0
Updated parser version to 3.1.1
For more information, see Package checkpoint/ngfw Release Notes.
aws/cloudtrail has been updated to v2.0.1.
Updated parser to handle EventBridge events by removing "detail" prefix
Fixed JSON parsing to properly handle nested fields
For more information, see Package aws/cloudtrail Release Notes.
aws/fsx has been updated to v1.1.1.
Updated field mapping to use direct assignment instead of rename function
Updated ECS version to 8.17.0
Updated parser version to 1.1.1
Updated parser to use array:append for array declaration
For more information, see Package aws/fsx Release Notes.
cisco/firepower has been updated to v1.6.4.
Fixed regex pattern for hop failure messages to handle interface names with spaces
For more information, see Package cisco/firepower Release Notes.
imperva/cloud-waf has been updated to v1.4.0.
Added regex pattern matching to filter CEF events and drop non-CEF log entries
Updated ECS version to 8.17.0
Removed rename() function calls for direct field assignment
Deleted cwaf-cef.yaml parser file
For more information, see Package imperva/cloud-waf Release Notes.
f5networks/bigip has been updated to v2.3.0.
Added support for F5 BIG-IP logs in Splunk format (HTTP traffic, load balancer failures, DNS requests/responses)
Fixed IP address field mapping to correctly populate source.ip, destination.ip, and server.ip fields
Improved timestamp parsing to support additional formats
Enhanced key-value parsing with better handling of empty fields
For more information, see Package f5networks/bigip Release Notes.
imperva/cloud-waf has been updated to v1.5.0.
Updated ECS version to 9.0.0
Updated parser version to 3.2.0
Enhanced severity handling with support for both numeric risk scores and text-based risk levels
Improved source IP handling with source.address field and proper CIDR validation
Updated array handling for event.category and event.type fields
For more information, see Package imperva/cloud-waf Release Notes.
aruba/clearpass has been updated to v1.2.3.
Updated field mapping to use format() function instead of rename() for better compatibility
Downgraded CPS version from 2.0.0 to 1.0.0
Removed deprecated clearpass-syslog.yaml parser file
For more information, see Package aruba/clearpass Release Notes.
zscaler/deception has been updated to v2.2.0.
Added support for authentication events with improved categorization
Enhanced severity normalization with numeric values
Improved field extraction for user information
Added event.dataset field to distinguish between threat and audit events
For more information, see Package zscaler/deception Release Notes.
cisco/ios has been updated to v1.7.0.
Added support for additional log formats including ACCOUNTING events and IGMP logs
Enhanced access list log parsing to support both denied and permitted traffic
Added support for timezone-specific timestamp parsing
Updated to ECS version 9.0.0
Updated parser version to 2.6.0
For more information, see Package cisco/ios Release Notes.
cisco/ios has been updated to v1.6.0.
Enhanced event type categorization for more accurate event classification
Added support for additional Cisco IOS event codes including SGACLHIT, FAIL, DHCP_SNOOPING_DENY, and more
Improved MAC address normalization for better consistency
Added deduplication of event categories and types
For more information, see Package cisco/ios Release Notes.
island/island has been updated to v1.2.1.
Updated field assignments to use direct assignment instead of rename() function
Fixed parser version to match package version
For more information, see Package island/island Release Notes.
google/chrome-enterprise-security-events has been updated to v1.2.0.
Updated ECS version from 8.11.0 to 8.17.0
Removed deprecated parser Google_Chrome_Enterprise.yaml
Simplified field assignments by removing unnecessary rename() functions
Updated parser version to 2.0.1
For more information, see Package google/chrome-enterprise-security-events Release Notes.
infoblox/nios has been updated to v1.3.1.
Fixed an issue with DNS answers containing quotes
For more information, see Package infoblox/nios Release Notes.
haproxy/haproxy has been updated to v1.2.1.
Updated field assignment syntax from rename() to direct assignment
Updated parser version to 1.1.2
For more information, see Package haproxy/haproxy Release Notes.
aws/guardduty has been updated to v1.2.0.
Improved source and destination port handling for network connections
Added support for port probe events with proper destination address mapping
Enhanced event categorization with network and connection type detection
Added event type classification (allowed/denied) based on blocked field
Added authentication category for RDS login attempts
Added API category for API call events
Updated ECS version to 9.0.0
For more information, see Package aws/guardduty Release Notes.
zscaler/internet-access has been updated to v1.4.0.
Updated parser to use direct field assignments instead of rename() function
Fixed base64 decoding for URL fields
For more information, see Package zscaler/internet-access Release Notes.
cisco/ise has been updated to v1.3.2.
Enhanced parsing for CISE_MONITORING_DATA_PURGE_AUDIT events to support additional message formats
Added support for "purging data older than" message format
Added support for "completed successfully" message format with event outcome set to success
Added support for CISE_Alarm messages with improved parsing
Enhanced field extraction for alarm messages
Added event categorization for SGT assignment and RADIUS authentication drop alarms
For more information, see Package cisco/ise Release Notes.
rubrik/security-cloud has been updated to v1.1.1.
Added support for additional timestamp format (yyyy-MM-dd HH:mm:ss[.SSS] Z z)
Updated ECS version to 9.0.0
For more information, see Package rubrik/security-cloud Release Notes.
checkpoint/ngfw has been updated to v2.1.0.
Added support for CEF formatted logs with and without headers
Enhanced timestamp handling for various formats
Added field mappings for additional Check Point fields
Improved event categorization and field normalization
Added support for additional network direction indicators
For more information, see Package checkpoint/ngfw Release Notes.