Falcon LogScale 1.198.0 GA (2025-07-22)
| Version | Type | Release Date | Availability | End of Support | Security Updates | Upgrades From | Downgrades To | Config. Changes |
|---|---|---|---|---|---|---|---|---|
| 1.198.0 | GA | 2025-07-22 | Cloud | 2026-09-30 | No | 1.150.0 | 1.177.0 | No |
Download
Use docker pull humio/humio-core:1.198.0 to download the latest version
Removed
Items that have been removed as of this release.
Configuration
Removed the following deprecated environment variables:
WINDOW_ENABLED
Deprecation
Items that have been deprecated and may be removed in a future release.
The datasource-count metric has been deprecated and will be removed in version 1.201 of LogScale.
The information about the total number of datasources is available via the logs from the GlobalSegmentStatsLoggerJob in the datasources field. When a new datasource is created or marked as deleted, the total number of datasources is logged in the datasourceCount field.
The lastScheduledSearch field from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replace lastScheduledSearch.
The EXTRA_KAFKA_CONFIGS_FILE configuration variable has been deprecated and is planned to be removed no earlier than version 1.225.0. For more information, see RN Issue.
rdns() has been deprecated and will be removed in version 1.249. Use reverseDns() as an alternative function.
Behavior Changes
Scripts or environments that make use of these features should be checked and updated for the new configuration:
Storage
The AWS Netty client is now disabled as the default HTTP client for S3 bucket operations; LogScale reverts to the existing PekkoHttpClient by setting the default value of S3_NETTY_CLIENT to false. This change addresses performance issues identified when downloading significant amounts of data from the S3 bucket for queries.
Ingestion
Ingest-only nodes (ingestonly node role) will no longer be selected as table coordinators.
New features and improvements
Administration and Management
Added an election system to address hardware failures. A node can be elected using the REST endpoint /api/v1/internal/hardware-failure, marking the node as elected with a hardware failure for 60 minutes. There are three reasons a node can be elected as bad:
Slow query: Query coordinators have seen the same node operating up to 100 times slower at query execution than others.
Poll connection timeout: Polls have timed out across all nodes in the cluster when trying to query a node.
Hardware failure: When hardware has underlying issues such as disk corruption, a node can be elected through the /api/v1/internal/hardware-failure endpoint, and eventually automatically evicted.
All votes can be tracked through the log line "Casting vote because a host is in a bad state". All elections can be tracked through the log line "These nodes were deemed bad by the rest of the cluster".
User Interface
The following repository/view pages in the LogScale web interface now manage assets in a table layout format:
Dashboards: new page layout for listing repository dashboards under the top bar menu item.
Parsers: new page layout for listing repository parsers under the top bar menu item.
Actions: new page layout for listing repository actions under the top bar menu item.
Resources: this is a new web interface page containing the following assets:
Files (replaces the former top bar menu item; sorting capability not yet available at this time).
Interactions: interactions have been moved from the repository menu to this Resources page, with new columns for created/modified metadata (sorting capability not yet available at this time).
Saved Searches: a new page for managing saved searches with the table format layout.
These pages can now support scalable management of large asset volumes with improved search, filter and sort capabilities, making it easier to find the assets you're looking for.
Redesigned the experience of managing saved queries on the Search page by introducing new web interface items:
tab: allows recalling recent queries in an updated page.
tab: opens a panel for saved searches with information such as descriptions, labels, and last modified date.
tab: displays saved queries that users marked as favorites.
Action buttons for saved and favorite searches, notably the button.
Updated dialog where you can now add or edit the description of the saved search as well as its labels.
For more information, see Save Searches.
API
Added new GraphQL API capabilities for searching across different types of LogScale assets:
Extended the entitiesSearch query endpoint to support sorting and filtering on specific asset properties. Use entitiesPage to navigate the results.
Specify path argument(s) to search in, to narrow down the search results to e.g. a specific view.
New entitiesLabels query endpoint to get all labels across asset types.
Specify path argument(s) to search in, to narrow down the search results to e.g. a specific view.
New entitiesPackages query endpoint to get all package details across asset types.
Added new fields to various asset types, including createdInfo, modifiedInfo, and labels.
Configuration
Added the configuration variable AZURE_STORAGE_RESPONSE_TIMEOUT_SECONDS, which configures the response timeout for Azure Bucket Storage operations to prevent and reduce response timeouts depending on the connection. For more information, see AZURE_STORAGE_RESPONSE_TIMEOUT_SECONDS.
Fixed in this release
Security
Creating a repository token with the Change archiving settings permission will no longer result in an error. Additionally, giving the Change S3 archiving settings permission now grants that actual permission instead of the Change archiving settings permission.
Storage
Corrected an issue where datasources migrating to new Kafka partitions during rebalancing carried over offsets from their original partitions, preventing LogScale from determining where to start digest.
Migrated datasources now start with an offset of -1 and are marked as idle upon creation. This allows LogScale to skip these datasources when determining where to start digest, and will continue to ignore them until receiving a message.
Ingestion
The data-ingester-parser-errors metric has been fixed: it was under-reporting, showing fewer parser errors than were actually occurring (the data-ingester-errors metric reported errors correctly throughout).
Queries
Fixed an issue where slow queries were unable to search bucketed and replaced non-mini segments, because they were deleted from the bucket earlier than intended.
Improvement
Storage
LogScale now validates segment file copies when creating them in secondary storage. This will help prevent file corruption during this type of transfer.
Queries
LogScale now allows distribution of large query state caches of arbitrary size to followers.
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
checkpoint/ngfw has been updated to v2.1.2.
Regex fix to stop backtracking errors for logs that use "=" as the key-value separator
Added event.kind field with default value "event"
Removed redundant case statement for event.kind assignment
Updated parser version to 3.1.2
For more information, see Package checkpoint/ngfw Release Notes.
f5networks/bigip has been updated to v2.4.0.
Added support for F5 ASM Bot Defense logs
Fixed array handling for host.ip and observer.ip fields
Improved event severity mapping based on Vendor.severity field
Fixed source.ip extraction in APM invalid host header detection
Enhanced event type categorization for APM non-existent session events
Added lowercase normalization for network.transport field
For more information, see Package f5networks/bigip Release Notes.
nozomi/ids has been updated to v1.3.1.
Updated ECS version to 9.0.0
Improved field extraction for MITRE ATT&CK tactics and techniques
Fixed parser version to 3.0.1
For more information, see Package nozomi/ids Release Notes.
checkpoint/ngfw has been updated to v2.2.0.
Added support for additional log types including VPN-1 & FireWall-1, Application Control URL Filtering, and Log Update events
Enhanced event categorization for various product types
Fixed network direction handling to improve log classification
Added test cases for new log formats
Updated parser version to 3.2.0
For more information, see Package checkpoint/ngfw Release Notes.
microsoft/dhcp-client has been updated to v1.1.1.
Updated ECS version to 9.0.0
Changed field mapping approach from rename() to direct assignment for event.id, process.pid, and user.id
For more information, see Package microsoft/dhcp-client Release Notes.
cisco/meraki has been updated to v1.5.1.
Fixed regex patterns to handle multiline syslog messages
Fixed event severity handling for unknown values
For more information, see Package cisco/meraki Release Notes.
darktrace/detect has been updated to v1.4.0.
Enhanced audit event parsing with improved categorization and field mapping
Added validation for source IP addresses using CIDR check
Updated ECS version to 9.0.0
Added support for syslog appname-based event classification
Updated parser to 2.2.0
For more information, see Package darktrace/detect Release Notes.
cisco/ise has been updated to v1.3.3.
Enhanced parsing for CISE_Alarm messages with improved message extraction
Added event categorization and type for CISE_MONITORING_DATA_PURGE_AUDIT, CISE_System_Statistics
For more information, see Package cisco/ise Release Notes.
netgate/pfsense has been updated to v1.1.1.
Updated ECS version from 8.11.0 to 9.0.0
Removed rename() function from field mappings for direct assignments
Removed pfsense-syslog.yaml parser file
For more information, see Package netgate/pfsense Release Notes.
cloudflare/zerotrust has been updated to v1.3.0.
Enhanced JSON parsing with excludeEmpty and handleNull options
Updated event type categorization for email security logs
Added new test cases for improved coverage
Updated parser version to 2.2.0
For more information, see Package cloudflare/zerotrust Release Notes.
microsoft/sysmon has been updated to v1.1.2.
Updated ECS version to 9.0.0
Simplified field assignments by removing unnecessary rename() functions
Improved code readability and maintainability
For more information, see Package microsoft/sysmon Release Notes.
aws/cloudtrail has been updated to v2.0.1.
Updated parser to handle EventBridge events by removing "detail" prefix
Fixed JSON parsing to properly handle nested fields
For more information, see Package aws/cloudtrail Release Notes.
imperva/cloud-waf has been updated to v1.5.0.
Updated ECS version to 9.0.0
Updated parser version to 3.2.0
Enhanced severity handling with support for both numeric risk scores and text-based risk levels
Improved source IP handling with source.address field and proper CIDR validation
Updated array handling for event.category and event.type fields
For more information, see Package imperva/cloud-waf Release Notes.
zscaler/deception has been updated to v2.2.0.
Added support for authentication events with improved categorization
Enhanced severity normalization with numeric values
Improved field extraction for user information
Added event.dataset field to distinguish between threat and audit events
For more information, see Package zscaler/deception Release Notes.
cisco/ios has been updated to v1.7.0.
Added support for additional log formats including ACCOUNTING events and IGMP logs
Enhanced access list log parsing to support both denied and permitted traffic
Added support for timezone-specific timestamp parsing
Updated to ECS version 9.0.0
Updated parser version to 2.6.0
For more information, see Package cisco/ios Release Notes.
aws/guardduty has been updated to v1.2.0.
Improved source and destination port handling for network connections
Added support for port probe events with proper destination address mapping
Enhanced event categorization with network and connection type detection
Added event type classification (allowed/denied) based on blocked field
Added authentication category for RDS login attempts
Added API category for API call events
Updated ECS version to 9.0.0
For more information, see Package aws/guardduty Release Notes.
rubrik/security-cloud has been updated to v1.1.1.
Added support for additional timestamp format (yyyy-MM-dd HH:mm:ss[.SSS] Z z)
Updated ECS version to 9.0.0
For more information, see Package rubrik/security-cloud Release Notes.