Falcon LogScale 1.196.0 GA (2025-07-08)
| Version? | Type? | Release Date? | Availability? | End of Support | Security Updates | Upgrades From? | Downgrades To? | Config. Changes? |
|---|---|---|---|---|---|---|---|---|
| 1.196.0 | GA | 2025-07-08 | Cloud | 2026-09-30 | No | 1.150.0 | 1.177.0 | No |
Hide file download links
Download
Use docker pull humio/humio-core:1.196.0 to download the latest version
Bug fixes and updates
Deprecation
Items that have been deprecated and may be removed in a future release.
The datasource-count metric has been deprecated and will be removed in version 1.201 of LogScale.
The information about the total number of datasources is available via the logs by the
GlobalSegmentStatsLoggerJobin the datasources field. When a new datasource is created or marked as deleted, the total number of datasources is logged in the datasourceCount field.The
lastScheduledSearchfield from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replacelastScheduledSearch.The
EXTRA_KAFKA_CONFIGS_FILEconfiguration variable has been deprecated and planned to be removed no earlier than version 1.225.0. For more information, see RN Issue.
rdns()has been deprecated and will be removed in version 1.249. UsereverseDns()as an alternative function.
Behavior Changes
Scripts or environment which make use of these tools should be checked and updated for the new configuration:
Ingestion
The fields @id and @ingesttimestamp can no longer be set by ingesting them. These fields are set internally by LogScale and LogScale depends upon them not being overwritten. If events are ingested with these fields, the field values are now ignored and a warning is added to the event.
Before this change, setting the @id field did not work: LogScale would just overwrite this field. Setting the @ingesttimestamp field worked partially; depending on your query, you could see the field value or the actual ingest time of the event.
The LogScale Repository action will no longer retain the value of the fields @id, @ingesttimestamp, @input_size, @event_parsed, @error, @error_msg and @error_msg[i] for any index
i, as these are special fields in LogScale and will be set automatically on the newly ingested events. Instead, the value of these fields from the events sent to the action will be stored in fields named @id.original, @ingesttimestamp.original, @input_size.original, @event_parsed.original, @error.original, @error_msg.original and @error_msg.original[i].If you need to restore the previous functionality, that is possible for most of the fields by updating the parser you use to revert these changes. Note, however, that you cannot do this for @id and @ingesttimestamp fields, as LogScale now ignores those fields on ingested events.
New features and improvements
User Interface
Adding Spanish locale to the platform so a cluster can now be initialized with Spanish translations.
API
Added a new field to the query API
namedFilterQueries.This will contain queries which can be executed to see the events that each subquery in a
correlate()function matches on. This field can be used to debug correlate queries.
Log Collector
The
Fleet overviewpage now displays the following new sections:Summary dashboards
Widgets for status (Error/Okay)
Collector counts by OS and top versions - including whether any collectors should be updated.
Ingest volume for the last 24h
Fixed in this release
Automation and Triggers
The Scheduling configuration for scheduled searches no longer flips to when a cron expression for specific months is specified.
Configuration
The automatic tag grouping threshold now calculates correctly.
Previously, LogScale incorrectly calculated
MAX_DISTINCT_TAG_VALUESas the maximum ofAUTOSHARDING_MAXand the configuredMAX_DISTINCT_TAG_VALUESvalue. WhenAUTOSHARDING_MAXincreased to131,072for backwards compatibility, automatic tag grouping stopped triggering at its intended threshold. To solve this,MAX_DISTINCT_TAG_VALUESnow uses only its configured value (default:1,000). This value operates independently from the deprecatedAUTOSHARDING_MAXsetting.
Dashboards and Widgets
Fixed an issue with the Look Up Events interaction in the
Tablewidget, which would in certain scenarios result in an invalid query.
Queries
In rare cases the query state cache files on disk was not cleaned up properly. This change fixes those cases along with better error handling and logging.
Functions
Fixed an issue where reuse of queries would not detect changes to saved queries used inside the
defineTable()query function.
Improvement
Storage
Optimized encryption during bucket uploads by reducing the amount of copying.
Queries
LogScale request logs no longer contain internal query poll or delete requests on the
queryjobsendpoint, unless those requests either fail or take more than 5 seconds.To increase visibility into query worker and coordinator communication, the new metrics internal-queryjobs-timing is being added, which tracks the response times for polls on the
queryjobsendpoint.
Functions
The Language Server Protocol (LSP) now provides enhanced code completion for the
correlate()function. The LSP now includes contextual suggestions for subquery snippets as well as relevant attribute suggestions based on the query context.
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
checkpoint/ngfw has been updated to v2.1.2.
Regex fix to stop backtracking errors for logs that use "=" as the key-value separator
Added event.kind field with default value "event"
Removed redundant case statement for event.kind assignment
Updated parser version to 3.1.2
For more information, see Package checkpoint/ngfw Release Notes.
cisco/ios has been updated to v1.6.1.
Added support for VTY access logs with new pattern matching
For more information, see Package cisco/ios Release Notes.
nozomi/ids has been updated to v1.3.1.
Updated ECS version to 9.0.0
Improved field extraction for Mitre attack tactics and techniques
Fixed parser version to 3.0.1
For more information, see Package nozomi/ids Release Notes.
microsoft/dhcp-client has been updated to v1.1.1.
Updated ECS version to 9.0.0
Changed field mapping approach from rename() to direct assignment for event.id, process.pid, and user.id
For more information, see Package microsoft/dhcp-client Release Notes.
cloudflare/zerotrust has been updated to v1.2.3.
Fixed handling of PROXY_CONN_REFUSED connection close reason
Improved bulk log processing by removing trailing newline characters
Updated parser version to 2.1.3
For more information, see Package cloudflare/zerotrust Release Notes.
fortinet/fortigate has been updated to v1.3.4.
Updated ECS version to 9.0.0
Added message and rule.name fields for alert events
Fixed field mappings for UTM alert events
For more information, see Package fortinet/fortigate Release Notes.
mimecast/email-security has been updated to v1.0.0.
Upgraded parser to align with CPS standards
Normalized email fields to ECS format
Added MITRE ATT&CK technique mappings
Enhanced threat detection capabilities
Improved dashboard visualizations with better field mappings
Updated all dashboards to use normalized fields
Renamed parser from mimecast-json to mimecast-emailsecurity. ***This is a breaking change***. Use the #type field with the new parser name in queries as #type="mimecast-emailsecurity". All fields in events will now be available with the Vendor prefix. Fields should be referenced as Vendor.<fieldname> in queries.
Added new *Awareness Training* dashboard to support following log types: awareness-training-performance-details, awareness-training-watchlist-details and awareness-training-user-data
For more information, see Package mimecast/email-security Release Notes.
cisco/meraki has been updated to v1.5.0.
Added support for JSON formatted logs with timestamps in ts and occurredAt fields
Added support for IDS Alert events with pass-through detections
Added support for File Scanned events
Added support for BGP, DHCP, VPN, and wireless association events
Updated ECS version to 9.0.0
For more information, see Package cisco/meraki Release Notes.
okta/sso has been updated to v1.4.0.
Enhanced user target field handling to support multiple values
Added support for event hook delivery events
Improved event categorization with more comprehensive event type mappings
Added client fields including client.as.number and client.user fields
Added transaction.id and rule fields for better traceability
Added user_agent fields including device name and version
Updated ECS version to 9.0.0
For more information, see Package okta/sso Release Notes.
darktrace/detect has been updated to v1.4.0.
Enhanced audit event parsing with improved categorization and field mapping
Added validation for source IP addresses using CIDR check
Updated ECS version to 9.0.0
Added support for syslog appname-based event classification
Updated parser to 2.2.0
For more information, see Package darktrace/detect Release Notes.
netgate/pfsense has been updated to v1.1.1.
Updated ECS version from 8.11.0 to 9.0.0
Removed rename() function from field mappings for direct assignments
Removed pfsense-syslog.yaml parser file
For more information, see Package netgate/pfsense Release Notes.
cloudflare/zerotrust has been updated to v1.3.0.
Enhanced JSON parsing with excludeEmpty and handleNull options
Updated event type categorization for email security logs
Added new test cases for improved coverage
Updated parser version to 2.2.0
For more information, see Package cloudflare/zerotrust Release Notes.
aruba/clearpass has been updated to v1.2.4.
Added support for additional syslog header formats
Enhanced event categorization for various event types
Added extensive field extraction from Description field
Added support for authentication, session, and configuration events
Improved field normalization for client IP and MAC addresses
For more information, see Package aruba/clearpass Release Notes.
microsoft/sysmon has been updated to v1.1.2.
Updated ECS version to 9.0.0
Simplified field assignments by removing unnecessary rename() functions
Improved code readability and maintainability
For more information, see Package microsoft/sysmon Release Notes.
checkpoint/ngfw has been updated to v2.1.1.
Fixed CEF log parsing regex to properly handle logs without trailing newlines
Updated ECS version to 9.0.0
Updated parser version to 3.1.1
For more information, see Package checkpoint/ngfw Release Notes.
aws/cloudtrail has been updated to v2.0.1.
Updated parser to handle EventBridge events by removing "detail" prefix
Fixed JSON parsing to properly handle nested fields
For more information, see Package aws/cloudtrail Release Notes.
imperva/cloud-waf has been updated to v1.5.0.
Updated ECS version to 9.0.0
Updated parser version to 3.2.0
Enhanced severity handling with support for both numeric risk scores and text-based risk levels
Improved source IP handling with source.address field and proper CIDR validation
Updated array handling for event.category and event.type fields
For more information, see Package imperva/cloud-waf Release Notes.
cisco/ios has been updated to v1.7.0.
Added support for additional log formats including ACCOUNTING events and IGMP logs
Enhanced access list log parsing to support both denied and permitted traffic
Added support for timezone-specific timestamp parsing
Updated to ECS version 9.0.0
Updated parser version to 2.6.0
For more information, see Package cisco/ios Release Notes.
cisco/ise has been updated to v1.3.2.
Enhanced parsing for CISE_MONITORING_DATA_PURGE_AUDIT events to support additional message formats
Added support for "purging data older than" message format
Added support for "completed successfully" message format with event outcome set to success
Added support for CISE_Alarm messages with improved parsing
Enhanced field extraction for alarm messages
Added event categorization for SGT assignment and RADIUS authentication drop alarms
For more information, see Package cisco/ise Release Notes.
rubrik/security-cloud has been updated to v1.1.1.
Added support for additional timestamp format (yyyy-MM-dd HH:mm:ss[.SSS] Z z)
Updated ECS version to 9.0.0
For more information, see Package rubrik/security-cloud Release Notes.