Falcon LogScale 1.199.0 GA (2025-07-29)
| Version? | Type? | Release Date? | Availability? | End of Support | Security Updates | Upgrades From? | Downgrades To? | Config. Changes? |
|---|---|---|---|---|---|---|---|---|
| 1.199.0 | GA | 2025-07-29 | Cloud | 2026-09-30 | No | 1.150.0 | 1.177.0 | No |
Hide file download links
Download
Use docker pull humio/humio-core:1.199.0 to download the latest version
Deprecation
Items that have been deprecated and may be removed in a future release.
The datasource-count metric has been deprecated and will be removed in version 1.201 of LogScale.
The information about the total number of datasources is available via the logs by the
GlobalSegmentStatsLoggerJobin the datasources field. When a new datasource is created or marked as deleted, the total number of datasources is logged in the datasourceCount field.The
lastScheduledSearchfield from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replacelastScheduledSearch.The
EXTRA_KAFKA_CONFIGS_FILEconfiguration variable has been deprecated and planned to be removed no earlier than version 1.225.0. For more information, see RN Issue.
rdns()has been deprecated and will be removed in version 1.249. UsereverseDns()as an alternative function.
Behavior Changes
Scripts or environment which make use of these tools should be checked and updated for the new configuration:
Installation and Deployment
When using
KAFKA_MANAGED_BY_HUMIO=true, LogScale will now crash on boot if it fails to determine whether its topics exist in Kafka via Kafka's admin API. Previously, LogScale would assume the topics didn't exist and attempt to create them, resulting in confusing error messages if the topics actually existed.GraphQL API
Setting the MaxRelocatedDatasourcesInGlobal field of the DynamicConfig datatype to
0or negative value now sets the limit to0instead of resetting to the default value. Users wishing to return to the default value should use the API to unset the configuration.Packages
Custom packages now require a more strict folder structure to ensure consistency and reliability:
The
manifest.yamlfile can be located anywhere in the project, and its location defines the package root.All asset folders (such as parsers, alerts, and actions) must be directly located in the project root.
New features and improvements
Functions
Added
text:startsWith()which can be used to test whether a field or string constant contains a specific prefix.Added
text:endsWith()which can be used to test whether a field or string constant contains a specific suffix.
Fixed in this release
Functions
The
correlate()function has been fixed as conditional statements (such ascase/if) with field assignments incorrectly included fields from all branches in the output, rather than only fields from the executed branch.
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
checkpoint/ngfw has been updated to v2.1.2.
Regex fix to stop backtracking errors for logs that use "=" as the key-value separator
Added event.kind field with default value "event"
Removed redundant case statement for event.kind assignment
Updated parser version to 3.1.2
For more information, see Package checkpoint/ngfw Release Notes.
f5networks/bigip has been updated to v2.4.0.
Added support for F5 ASM Bot Defense logs
Fixed array handling for host.ip and observer.ip fields
Improved event severity mapping based on Vendor.severity field
Fixed source.ip extraction in APM invalid host header detection
Enhanced event type categorization for APM non-existent session events
Added lowercase normalization for network.transport field
For more information, see Package f5networks/bigip Release Notes.
nozomi/ids has been updated to v1.3.1.
Updated ECS version to 9.0.0
Improved field extraction for Mitre attack tactics and techniques
Fixed parser version to 3.0.1
For more information, see Package nozomi/ids Release Notes.
checkpoint/ngfw has been updated to v2.2.0.
Added support for additional log types including VPN-1 & FireWall-1, Application Control URL Filtering, and Log Update events
Enhanced event categorization for various product types
Fixed network direction handling to improve log classification
Added test cases for new log formats
Updated parser version to 3.2.0
For more information, see Package checkpoint/ngfw Release Notes.
microsoft/dhcp-client has been updated to v1.1.1.
Updated ECS version to 9.0.0
Changed field mapping approach from rename() to direct assignment for event.id, process.pid, and user.id
For more information, see Package microsoft/dhcp-client Release Notes.
cisco/meraki has been updated to v1.5.1.
Fixed regex patterns to handle multiline syslog messages
Fixed event severity handling for unknown values
For more information, see Package cisco/meraki Release Notes.
darktrace/detect has been updated to v1.4.0.
Enhanced audit event parsing with improved categorization and field mapping
Added validation for source IP addresses using CIDR check
Updated ECS version to 9.0.0
Added support for syslog appname-based event classification
Updated parser to 2.2.0
For more information, see Package darktrace/detect Release Notes.
cisco/ise has been updated to v1.3.3.
Enhanced parsing for CISE_Alarm messages with improved message extraction
Added event categorization and type for CISE_MONITORING_DATA_PURGE_AUDIT, CISE_System_Statistics
For more information, see Package cisco/ise Release Notes.
netgate/pfsense has been updated to v1.1.1.
Updated ECS version from 8.11.0 to 9.0.0
Removed rename() function from field mappings for direct assignments
Removed pfsense-syslog.yaml parser file
For more information, see Package netgate/pfsense Release Notes.
microsoft/sysmon has been updated to v1.1.2.
Updated ECS version to 9.0.0
Simplified field assignments by removing unnecessary rename() functions
Improved code readability and maintainability
For more information, see Package microsoft/sysmon Release Notes.
aws/cloudtrail has been updated to v2.0.1.
Updated parser to handle EventBridge events by removing "detail" prefix
Fixed JSON parsing to properly handle nested fields
For more information, see Package aws/cloudtrail Release Notes.
imperva/cloud-waf has been updated to v1.5.0.
Updated ECS version to 9.0.0
Updated parser version to 3.2.0
Enhanced severity handling with support for both numeric risk scores and text-based risk levels
Improved source IP handling with source.address field and proper CIDR validation
Updated array handling for event.category and event.type fields
For more information, see Package imperva/cloud-waf Release Notes.
zscaler/deception has been updated to v2.2.0.
Added support for authentication events with improved categorization
Enhanced severity normalization with numeric values
Improved field extraction for user information
Added event.dataset field to distinguish between threat and audit events
For more information, see Package zscaler/deception Release Notes.
cisco/ios has been updated to v1.7.0.
Added support for additional log formats including ACCOUNTING events and IGMP logs
Enhanced access list log parsing to support both denied and permitted traffic
Added support for timezone-specific timestamp parsing
Updated to ECS version 9.0.0
Updated parser version to 2.6.0
For more information, see Package cisco/ios Release Notes.
aws/guardduty has been updated to v1.2.0.
Improved source and destination port handling for network connections
Added support for port probe events with proper destination address mapping
Enhanced event categorization with network and connection type detection
Added event type classification (allowed/denied) based on blocked field
Added authentication category for RDS login attempts
Added API category for API call events
Updated ECS version to 9.0.0
For more information, see Package aws/guardduty Release Notes.