Falcon LogScale 1.200.0 GA (2025-08-05)

Version: 1.200.0
Type: GA
Release Date: 2025-08-05
Availability: Cloud
End of Support: 2026-09-30
Security Updates: No
Upgrades From: 1.150.0
Downgrades To: 1.177.0
Config. Changes: No

Bug fixes and updates

Removed

Items that have been removed as of this release.

Storage

  • Removed the ingest request backpressure mechanism introduced in 1.115. This mechanism throttled ingest requests on nodes running digest work while experiencing event latency. The implementation prevented clusters from properly using Kafka as a buffer for event backlogs. Additionally, it hid the existence of backlogs from administrators by delaying events on shippers rather than in Kafka where they are visible to LogScale.

    Administrators are advised to either:

    • Size nodes to handle temporary ingest rate spikes without falling behind on digest.

    • Run separate ingest and digest nodes to prevent ingest spikes from consuming capacity needed for digest work.

    This change also removes the following dynamic configurations:

Deprecation

Items that have been deprecated and may be removed in a future release.

  • The datasource-count metric has been deprecated and will be removed in version 1.201 of LogScale.

    The total number of datasources is available in the logs written by the GlobalSegmentStatsLoggerJob, in the datasources field. When a new datasource is created or marked as deleted, the total number of datasources is logged in the datasourceCount field.

  • The lastScheduledSearch field from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replace lastScheduledSearch.

  • The EXTRA_KAFKA_CONFIGS_FILE configuration variable has been deprecated and is planned for removal no earlier than version 1.225.0. For more information, see RN Issue.

  • rdns() has been deprecated and will be removed in version 1.249. Use reverseDns() as an alternative function.

Behavior Changes

Scripts or environments that make use of these tools should be checked and updated for the new configuration:

  • Configuration

    • The MAX_DATASOURCES environment variable no longer controls the maximum datasources of system repositories. System repositories now have a default maximum of 50,000 datasources.

New features and improvements

  • Installation and Deployment

    • Added the environment variable HUMIO_OPTS_FS, which can be set to override the field separator used when word-splitting HUMIO_OPTS in the launcher script. This is useful when the options contain characters that are in $IFS (such as spaces), on which the options would otherwise be split incorrectly.

      For more information, see LogScale Launcher Script.

  • Functions

    • The new percentage() query function is now available. It allows you to calculate the percentage of events that match a subquery.

      For more information, see percentage().
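The HUMIO_OPTS_FS item above describes a word-splitting change in the launcher script. The following POSIX shell snippet is an added illustration of that mechanism, not the LogScale launcher script itself: it assumes the launcher splits HUMIO_OPTS on the shell's $IFS and, when HUMIO_OPTS_FS is set, uses that value as the separator instead. The function names split_opts and count_opts and the sample option strings are constructed for this example.

```shell
#!/bin/sh
# Added example (hypothetical, not the LogScale launcher): shows how the
# field separator decides where an options string is cut into arguments.

# split_opts OPTS [FS]
# Prints one resulting argument per line. With no FS the shell's default
# IFS (space, tab, newline) is used, which is the behaviour that breaks
# option values containing spaces; with FS set, only FS characters split.
split_opts() {
    _opts=$1
    _fs=${2-}
    _saved_ifs=$IFS
    if [ -n "$_fs" ]; then
        IFS=$_fs
    fi
    # Disable globbing so that an option like -Dpattern=* is not expanded
    # by the filesystem while we rely on unquoted expansion for splitting.
    case $- in *f*) _glob_was_off=1 ;; *) _glob_was_off=0 ;; esac
    set -f
    set -- $_opts
    [ "$_glob_was_off" -eq 1 ] || set +f
    IFS=$_saved_ifs
    for _arg in "$@"; do
        printf '%s\n' "$_arg"
    done
}

# count_opts OPTS [FS] -> number of arguments the split produced
count_opts() {
    split_opts "$@" | wc -l | tr -d ' '
}

# Demo with constructed values. The space inside the -Dcustom.name value is
# the problem case: default IFS splitting cuts it into three arguments, while
# a '|' separator (the HUMIO_OPTS_FS role) keeps the value whole.
demo_opts_default='-Dcustom.name=My Cluster -Xmx4g'
demo_opts_custom='-Dcustom.name=My Cluster|-Xmx4g'
echo "default IFS split:"
split_opts "$demo_opts_default"
echo "split with FS='|':"
split_opts "$demo_opts_custom" '|'
```

Run the file directly to see both splits; the default case yields three arguments ("-Dcustom.name=My", "Cluster", "-Xmx4g") and the custom separator yields two. Note that IFS treats every character in the separator string as a delimiter, so choose a single character that never appears inside an option value.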

Fixed in this release

  • Storage

    • Indicators of Compromise (IoC) with more than 127 labels could not be stored. This issue has now been fixed.

    • Startup failed if a host contained a deprecated storage task in the global database. This issue has now been fixed.

  • Functions

    • The correlate() function has been fixed: case statements within the query caused incorrect filter query generation for event tabs. Previously, filter queries extracted all conditions from every case branch, so event tabs appeared empty even when correlate() found valid constellations. The fix ensures that filter query generation correctly preserves the case statement structure in event tab filters.

Known Issues

  • Storage

    • For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between PRIMARY_STORAGE_PERCENTAGE and PRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".

      This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.

Improvement

  • GraphQL API

    • Added support for partial time intervals for GraphQL endpoint analyzeQuery(). Default time interval values are now aligned with the query jobs API.

Recent Package Updates

The following LogScale packages have been updated within the last month.

  • Package Changes

    • cisco/meraki has been updated to v1.5.2.

      • Enhanced authentication event parsing with improved regex pattern for authentication messages

      • Added support for AnyConnect VPN connection success and failure events with detailed field extraction

      • Added authentication event categorization with proper event types

      For more information, see Package cisco/meraki Release Notes.

    • okta/sso has been updated to v1.4.1.

      • Fixed user agent field mapping from user_agent.device.name to user_agent.os.name

      • Updated CPS version to 1.1.0

      For more information, see Package okta/sso Release Notes.

    • f5networks/bigip has been updated to v2.4.0.

      • Added support for F5 ASM Bot Defense logs

      • Fixed array handling for host.ip and observer.ip fields

      • Improved event severity mapping based on Vendor.severity field

      • Fixed source.ip extraction in APM invalid host header detection

      • Enhanced event type categorization for APM non-existent session events

      • Added lowercase normalization for network.transport field

      For more information, see Package f5networks/bigip Release Notes.

    • checkpoint/ngfw has been updated to v2.2.0.

      • Added support for additional log types including VPN-1 & FireWall-1, Application Control URL Filtering, and Log Update events

      • Enhanced event categorization for various product types

      • Fixed network direction handling to improve log classification

      • Added test cases for new log formats

      • Updated parser version to 3.2.0

      For more information, see Package checkpoint/ngfw Release Notes.

    • darktrace/detect has been updated to v1.5.0.

      • Added support for email events

      • Updated parser to 2.3.0

      For more information, see Package darktrace/detect Release Notes.

    • cisco/ios has been updated to v1.7.1.

      • Added support for additional timezone formats including BST, CEST, GMT, IST, JST, SAST, WAT, and WIB

      For more information, see Package cisco/ios Release Notes.

    • fortinet/fortigate has been updated to v1.3.5.

      • Updated CPS version to 1.1.0

      • Updated parser version to 2.1.4

      • Removed drop statements for fields (Vendor.time, Vendor.eventtime, Vendor.date, Vendor.tz, Vendor.ts, Vendor.srcmac, Vendor.source_mac, Vendor.dir, Vendor.direction, Vendor.service)

      For more information, see Package fortinet/fortigate Release Notes.

    • cisco/meraki has been updated to v1.5.1.

      • Fixed regex patterns to handle multiline syslog messages

      • Fixed event severity handling for unknown values

      For more information, see Package cisco/meraki Release Notes.

    • aws/cloudtrail has been updated to v2.0.2.

      • Added support for IdentityCenterUser identity type

      • Improved handling of identity center user identities

      For more information, see Package aws/cloudtrail Release Notes.

    • cisco/ise has been updated to v1.3.3.

      • Enhanced parsing for CISE_Alarm messages with improved message extraction

      • Added event categorization and type for CISE_MONITORING_DATA_PURGE_AUDIT, CISE_System_Statistics

      For more information, see Package cisco/ise Release Notes.

    • aws/cloudtrail has been updated to v2.0.1.

      • Updated parser to handle EventBridge events by removing "detail" prefix

      • Fixed JSON parsing to properly handle nested fields

      For more information, see Package aws/cloudtrail Release Notes.

    • zscaler/deception has been updated to v2.2.0.

      • Added support for authentication events with improved categorization

      • Enhanced severity normalization with numeric values

      • Improved field extraction for user information

      • Added event.dataset field to distinguish between threat and audit events

      For more information, see Package zscaler/deception Release Notes.

    • aws/guardduty has been updated to v1.2.0.

      • Improved source and destination port handling for network connections

      • Added support for port probe events with proper destination address mapping

      • Enhanced event categorization with network and connection type detection

      • Added event type classification (allowed/denied) based on blocked field

      • Added authentication category for RDS login attempts

      • Added API category for API call events

      • Updated ECS version to 9.0.0

      For more information, see Package aws/guardduty Release Notes.