Falcon LogScale 1.201.0 GA (2025-08-12)

Version: 1.201.0
Type: GA
Release Date: 2025-08-12
Availability: Cloud
End of Support: 2026-09-30
Security Updates: No
Upgrades From: 1.150.0
Downgrades To: 1.177.0
Config. Changes: No

Bug fixes and updates

Removed

Items that have been removed as of this release.

GraphQL API

  • Removed the deprecated field lastScheduledSearch on the GraphQL datatype ScheduledSearch.

Deprecation

Items that have been deprecated and may be removed in a future release.

  • The datasource-count metric has been deprecated and will be removed in version 1.201 of LogScale.

    The total number of datasources is available in the logs written by the GlobalSegmentStatsLoggerJob, in the datasources field. When a new datasource is created or marked as deleted, the total number of datasources is logged in the datasourceCount field.

  • The lastScheduledSearch field from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replace lastScheduledSearch.

  • The EXTRA_KAFKA_CONFIGS_FILE configuration variable has been deprecated and is planned for removal no earlier than version 1.225.0. For more information, see RN Issue.

  • rdns() has been deprecated and will be removed in version 1.249. Use reverseDns() as an alternative function.

Behavior Changes

Scripts or environments that make use of these tools should be checked and updated for the new configuration:

New features and improvements

  • Automation and Triggers

    • It is now possible for LogScale to distribute the execution of scheduled searches running more frequently than every hour across different minutes using H/n notation in cron schedules. For example, use H/5 for a search that should run every 5 minutes.

      Supported intervals: every 2, 3, 4, 5, 6, 10, 12, 15, 20, or 30 minutes.

      Note

      Changing an existing scheduled search from */5 to H/5, for example, may result in two runs that either overlap or have a gap between them.

      For example, if the new H/5 schedule for the scheduled search runs at 3 minutes past the hour, 8 minutes past the hour, and so on, and you make the change after the run at 0:00 with the old schedule but before 0:03, then you will get a new run at 0:03. The time from 0:03 to 0:05 is covered by both runs. If you instead make the change after 0:03 but before 0:05, the next run will be at 0:08, meaning that the time between 0:05 and 0:08 is not searched by any run.

      For more information, see Cron Scheduling.

  • GraphQL API
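To make the overlap-or-gap behaviour of switching from */n to H/n concrete, here is an added Python model of the hand-over described under Automation and Triggers above; it is not LogScale code, and the hashed start minute is an assumed parameter (offset) because the real hash is internal to LogScale.

```python
from typing import List, Optional, Tuple

# Intervals the release notes list as supported for H/n schedules.
SUPPORTED_INTERVALS = {2, 3, 4, 5, 6, 10, 12, 15, 20, 30}


def run_minutes(n: int, offset: int) -> List[int]:
    """Minutes past the hour at which an H/n schedule fires.

    offset stands in for the hashed start minute LogScale chooses for the
    search; the real hash is internal to LogScale, so it is a constructed
    parameter here (offset 3 with n=5 reproduces the 0:03, 0:08, ... example).
    """
    if n not in SUPPORTED_INTERVALS:
        raise ValueError(f"H/{n} is not a supported interval")
    start = offset % n
    return [start + k * n for k in range(60 // n)]


def schedule_change_effect(n: int, offset: int,
                           switch_minute: int) -> Optional[Tuple[str, int, int]]:
    """Model changing a search from */n to H/n at switch_minute.

    The change is taken to happen just after any run due at switch_minute.
    Following the accounting in the release notes, a run scheduled at minute m
    is responsible for the n-minute window [m, m + n). Returns
    ("overlap", a, b) when [a, b) is searched twice, ("gap", a, b) when [a, b)
    is searched by no run, and None when the hand-over is seamless.
    """
    last_old_run = (switch_minute // n) * n        # last */n run that already fired
    old_window_end = last_old_run + n
    # Candidate H/n runs, including the first one of the next hour (minute >= 60).
    start = offset % n
    candidates = run_minutes(n, offset) + [60 + start]
    first_new_run = min(m for m in candidates if m > switch_minute)
    if first_new_run < old_window_end:
        return ("overlap", first_new_run, old_window_end)
    if first_new_run > old_window_end:
        return ("gap", old_window_end, first_new_run)
    return None


if __name__ == "__main__":
    # Constructed cases: the two transitions walked through in the release notes.
    for switch in (1, 4):
        print(f"change at 0:{switch:02d} ->", schedule_change_effect(5, 3, switch))
```

Choosing offset 0 (or making the change exactly when the old and new schedules coincide) produces a seamless hand-over, which the function reports as None.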

Fixed in this release

  • Storage

    • Fixed an issue causing the creation of 140,000 datasources in global when repositories hit the max datasource limit. When the limit is hit, LogScale now directs events into an "overflow datasource" with a fixed set of tags. This overflow datasource will now shard itself as necessary to keep up with digest, consistent with the behavior of all other datasources.

      For more information, see Ingestion: Ingest Phase.

  • Functions

    • Fixed an issue where the defineTable() and join() functions, when used as subqueries, would use an incorrect search interval when searching on @ingesttimestamp.

    • Fixed an issue where identifiers with array indices (for example, foo[0] and abc.foo[0].bar[2]) were incorrectly rejected on the right side of the link operator ( <=> ) when using the correlate() function.

Known Issues

  • Storage

    • For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between PRIMARY_STORAGE_PERCENTAGE and PRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".

      This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.

Improvement

  • Storage

    • Improved S3 download efficiency by optimizing data streaming and download management, delivering significant performance improvements across memory utilization, garbage collection, and network throughput.

      Internal load tests show that memory usage no longer spikes and remains stable during heavy downloads, resulting in significantly less CPU load and approximately 20% faster download speeds.

      For more information, see Ingestion: Storage Phase.

  • Queries

    • Improved performance by compiling queries once instead of twice when submitting a scheduled search job.

      For more information, see Triggers.

  • Functions

Recent Package Updates

The following LogScale packages have been updated within the last month.

  • Package Changes

    • cisco/meraki has been updated to v1.5.2.

      • Enhanced authentication event parsing with improved regex pattern for authentication messages

      • Added support for AnyConnect VPN connection success and failure events with detailed field extraction

      • Added authentication event categorization with proper event types

      For more information, see Package cisco/meraki Release Notes.

    • okta/sso has been updated to v1.4.1.

      • Fixed user agent field mapping from user_agent.device.name to user_agent.os.name

      • Updated CPS version to 1.1.0

      For more information, see Package okta/sso Release Notes.

    • f5networks/bigip has been updated to v2.4.0.

      • Added support for F5 ASM Bot Defense logs

      • Fixed array handling for host.ip and observer.ip fields

      • Improved event severity mapping based on Vendor.severity field

      • Fixed source.ip extraction in APM invalid host header detection

      • Enhanced event type categorization for APM non-existent session events

      • Added lowercase normalization for network.transport field

      For more information, see Package f5networks/bigip Release Notes.

    • checkpoint/ngfw has been updated to v2.2.0.

      • Added support for additional log types including VPN-1 & FireWall-1, Application Control URL Filtering, and Log Update events

      • Enhanced event categorization for various product types

      • Fixed network direction handling to improve log classification

      • Added test cases for new log formats

      • Updated parser version to 3.2.0

      For more information, see Package checkpoint/ngfw Release Notes.

    • darktrace/detect has been updated to v2.0.0.

      • Added support for CEF-formatted DCIP logs with new event.dataset "darktrace.dcip"

      • Enhanced MITRE ATT&CK technique and tactic mapping using objectArray functions

      • Improved field mappings for threat intelligence data

      • Updated parser to 3.0.0

      For more information, see Package darktrace/detect Release Notes.

    • darktrace/detect has been updated to v1.5.0.

      • Added support for email events

      • Updated parser to 2.3.0

      For more information, see Package darktrace/detect Release Notes.

    • cloudflare/zerotrust has been updated to v1.4.0.

      • Added severity mapping based on risk score

      • Added event.kind = alert for zone-scoped-http-requests when severity is present

      • Added event.action mapping from Vendor.SecurityAction

      • Added array deduplication for event.category[] and event.type[]

      • Updated email field normalization to convert all email addresses to lowercase

      • Enhanced DNS event action mapping to use coalesce function for better field resolution

      • Updated parser version to 2.3.0 and CPS version to 1.1.0

      For more information, see Package cloudflare/zerotrust Release Notes.

    • cisco/ios has been updated to v1.7.1.

      • Added support for additional timezone formats including BST, CEST, GMT, IST, JST, SAST, WAT, and WIB

      For more information, see Package cisco/ios Release Notes.

    • fortinet/fortigate has been updated to v1.3.5.

      • Updated CPS version to 1.1.0

      • Updated parser version to 2.1.4

      • Removed drop statements for fields (Vendor.time, Vendor.eventtime, Vendor.date, Vendor.tz, Vendor.ts, Vendor.srcmac, Vendor.source_mac, Vendor.dir, Vendor.direction, Vendor.service)

      For more information, see Package fortinet/fortigate Release Notes.

    • cisco/meraki has been updated to v1.5.1.

      • Fixed regex patterns to handle multiline syslog messages

      • Fixed event severity handling for unknown values

      For more information, see Package cisco/meraki Release Notes.

    • aws/cloudtrail has been updated to v2.0.2.

      • Added support for IdentityCenterUser identity type

      • Improved handling of identity center user identities

      For more information, see Package aws/cloudtrail Release Notes.

    • cisco/ise has been updated to v1.3.3.

      • Enhanced parsing for CISE_Alarm messages with improved message extraction

      • Added event categorization and type for CISE_MONITORING_DATA_PURGE_AUDIT, CISE_System_Statistics

      For more information, see Package cisco/ise Release Notes.

    • cisco/duo has been updated to v3.0.0.

      • Vendor fields are now aliased to the client namespace where source was previously used, as client better describes the role of devices initiating authentication flows whereas source is intended for network details

      • client fields are aliased to source at the end of the parser to avoid a breaking change. This allows the source fields to be easily removed from the parser at a later date

      • event.dataset of duo.administrator is now assigned when Vendor.action = * AND Vendor.isotimestamp = * rather than when Vendor.description = * (as "description":null often occurs, meaning that the Vendor.description field is not created)

      • Categorization now matches on event.dataset first, then event.action to handle repeat event.action values across different log types (e.g., event.action of enrollment appears in both Authentication and Telephony logs)

      • Added use of user.target fields, with logic to ensure they are only applied to applicable events

      • Added parsing of nested JSON in duo.activity logs from the fields: Vendor.actor.details/Vendor.target.details/Vendor.old_target.details

      • Removed the Host fields section for duo.authentication and duo.trustmonitor events, because auth_device is the MFA device used in the authentication process, not the host on which the event happened, and Vendor.target fields are not present in this log type, so the section was not accurate

      • Moved the determination of event.outcome after the default values are set in categorization, so that these default values can be overwritten when outcome information is available in the event

      • Updated the handling of object arrays to use objectArray:eval() instead of concatArray and splitString

      • Added observer.type := "identity"

      • Additional normalization of ECS fields

      • Updates to the assignment of event.category for cloudsso_update_routing_rule and user_restore events

      • Updated CPS version to 1.1.0

      • Updated ECS version to 9.0.0

      • Updated parser version to 3.0.0

      For more information, see Package cisco/duo Release Notes.

    • zscaler/deception has been updated to v2.2.0.

      • Added support for authentication events with improved categorization

      • Enhanced severity normalization with numeric values

      • Improved field extraction for user information

      • Added event.dataset field to distinguish between threat and audit events

      For more information, see Package zscaler/deception Release Notes.

    • aws/guardduty has been updated to v1.2.0.

      • Improved source and destination port handling for network connections

      • Added support for port probe events with proper destination address mapping

      • Enhanced event categorization with network and connection type detection

      • Added event type classification (allowed/denied) based on blocked field

      • Added authentication category for RDS login attempts

      • Added API category for API call events

      • Updated ECS version to 9.0.0

      For more information, see Package aws/guardduty Release Notes.