Falcon LogScale 1.202.0 GA (2025-08-19)
| Version | Type | Release Date | Availability | End of Support | Security Updates | Upgrades From | Downgrades To | Config. Changes |
|---|---|---|---|---|---|---|---|---|
| 1.202.0 | GA | 2025-08-19 | Cloud | 2026-10-31 | No | 1.150.0 | 1.177.0 | No |
Download
Use docker pull humio/humio-core:1.202.0 to download the latest version
Bug fixes and updates
Deprecation
Items that have been deprecated and may be removed in a future release.
The lastScheduledSearch field on the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replace lastScheduledSearch.
The EXTRA_KAFKA_CONFIGS_FILE configuration variable has been deprecated and is planned to be removed no earlier than version 1.225.0. For more information, see RN Issue.
rdns() has been deprecated and will be removed in version 1.249. Use reverseDns() as an alternative function.
New features and improvements
Configuration
Added the new configuration variable MAXMIND_USE_HTTP_PROXY to control whether MaxMind database downloads for the query functions asn() and ipLocation() should use the configured HTTP proxy. The default is to use the proxy, which is the same behaviour as before this change. For more information, see HTTP Proxy Client Configuration, MaxMind Configuration.
Ingestion
The Parser editor now reports parser errors if a function sets only @error_msg and not @error_msg[]. This solves an issue related to the parseCEF() function. Parser errors that were previously not displayed as errors are now correctly indicated within the parser editor.
For more information, see Errors, Validation Checks, and Warnings.
Fixed in this release
Automation and Triggers
Fixed two issues with scheduled searches:
A failure to update a scheduled search could cause it to get stuck and not run until cluster restart.
A deleted scheduled search could cause the scheduled search job to continuously log that it was waiting for the scheduled search to finish.
For more information, see Scheduled searches.
Storage
Fixed an issue where the logs indicating which query took the longest to process a segment would appear long after query completion. Logging will now be delayed by no more than 10 seconds.
For more information, see LogScale Internal Logging.
Queries
Fixed a race condition between live query submission and digest start: if a live query coordinator submitted work to a worker cluster while that cluster was starting a new digest session, the static part assigned to the worker cluster could be omitted.
For more information, see Digest Rules.
Fixed an issue where certain regex patterns that could not be compiled by the JitRex engine would lead to very slow query submission and excessive resource usage.
For more information, see Regular Expression Syntax.
Fixed an issue where events incorrectly remained unredacted when the query string used for redaction contained derived tags, such as #repo.
Known Issues
Storage
For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between PRIMARY_STORAGE_PERCENTAGE and PRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure is indicated by the error java.nio.file.AtomicMoveNotSupportedException with the message "Invalid cross-device link". This does not corrupt data or cause data loss, but it will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.
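A practitioner tracking this known issue will want to know which nodes are sitting in the affected usage band and whether the quoted exception is already appearing in their logs. The following is an added example, not LogScale product code or part of these release notes. It assumes that the whole range between PRIMARY_STORAGE_PERCENTAGE and PRIMARY_STORAGE_MAX_FILL_PERCENTAGE is the at-risk band, that you can obtain per-node primary disk usage from your own monitoring, and that the node name is the second whitespace-separated field of each log line; the threshold values, usage figures and log lines are constructed for the example.

```python
"""Added example: flag nodes in the primary-storage band named in the known issue and
count AtomicMoveNotSupportedException / "Invalid cross-device link" failures per node.
Not LogScale's own code; thresholds, usage values and log lines below are constructed."""
import re

# Constructed sample values standing in for the real cluster configuration (assumption).
PRIMARY_STORAGE_PERCENTAGE = 80
PRIMARY_STORAGE_MAX_FILL_PERCENTAGE = 90

# Constructed sample usage report: node name -> primary disk usage in percent.
SAMPLE_USAGE = {"node-a": 72.0, "node-b": 85.5, "node-c": 93.0}

# Constructed sample log lines modelled on the error text quoted in the known issue.
SAMPLE_LOGS = """\
2025-08-20T10:00:01Z node-b WARN SegmentTransfer failed: java.nio.file.AtomicMoveNotSupportedException: /secondary/seg-0042 -> /primary/seg-0042: Invalid cross-device link
2025-08-20T10:00:02Z node-a INFO SegmentTransfer completed seg-0043
2025-08-20T10:00:05Z node-b WARN SegmentTransfer failed: java.nio.file.AtomicMoveNotSupportedException: /secondary/seg-0044 -> /primary/seg-0044: Invalid cross-device link
"""

# Matches the exception class and message quoted in the release notes, in one log line.
CROSS_DEVICE_RE = re.compile(
    r"java\.nio\.file\.AtomicMoveNotSupportedException.*Invalid cross-device link"
)


def nodes_in_risk_band(usage, low=PRIMARY_STORAGE_PERCENTAGE,
                       high=PRIMARY_STORAGE_MAX_FILL_PERCENTAGE):
    """Return node names whose primary usage lies in [low, high).

    Assumption: the entire band between the two thresholds is at risk, not only
    the exact midpoint. Nodes at or above `high` are a separate (full-disk) problem.
    """
    if not 0 <= low < high <= 100:
        raise ValueError("thresholds must satisfy 0 <= low < high <= 100")
    return sorted(node for node, pct in usage.items() if low <= pct < high)


def cross_device_failures(log_text):
    """Count matching segment-transfer failures per node.

    Assumption: the node name is the second whitespace-separated field of a line.
    """
    counts = {}
    for line in log_text.splitlines():
        if CROSS_DEVICE_RE.search(line):
            parts = line.split()
            node = parts[1] if len(parts) > 1 else "unknown"
            counts[node] = counts.get(node, 0) + 1
    return counts


def report(usage, log_text):
    """Join the two signals: nodes in the band and nodes already logging the failure."""
    at_risk = set(nodes_in_risk_band(usage))
    failing = cross_device_failures(log_text)
    return {
        node: {
            "usage_pct": usage.get(node),
            "in_risk_band": node in at_risk,
            "cross_device_failures": failing.get(node, 0),
        }
        for node in sorted(at_risk | set(failing))
    }


if __name__ == "__main__":
    for node, info in report(SAMPLE_USAGE, SAMPLE_LOGS).items():
        print(node, info)
```

A node that appears in the report with failures but is not in the band (or vice versa) is worth a second look, since the two signals should agree if the known issue is the cause; a node that is over PRIMARY_STORAGE_MAX_FILL_PERCENTAGE is deliberately left out of the band because that is a different condition.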
Improvement
Queries
Improved performance by compiling queries once instead of twice when starting alert jobs.
Multi-cluster search worker clusters no longer execute the result calculation pipeline for multi-cluster queries. This eliminates external-function calls and reverse DNS calls on remote clusters in multi-cluster search queries, reducing resource consumption.
For more information, see Searches in a Multi-Cluster Setup.
Queries will now preferentially read segments from non-evicted hosts, avoiding reading data from hosts that are being decommissioned.
For more information, see Ingestion: Digest Phase.
Metrics and Monitoring
Added new metrics to help monitor/diagnose segment fetching queue issues:
segment-fetching-trigger-queue-hit-full-after-global-scan-counter
segment-fetching-trigger-queue-offer-from-global-scan-counter
segment-fetch-requested-but-already-in-progress
segment-fetch-requested-but-upstream-has-been-deleted
segment-changes-job-trigger-full-global-scan-counter
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
cisco/meraki has been updated to v1.5.2.
Enhanced authentication event parsing with improved regex pattern for authentication messages
Added support for AnyConnect VPN connection success and failure events with detailed field extraction
Added authentication event categorization with proper event types
For more information, see Package cisco/meraki Release Notes.
okta/sso has been updated to v1.4.1.
Fixed user agent field mapping from user_agent.device.name to user_agent.os.name
Updated CPS version to 1.1.0
For more information, see Package okta/sso Release Notes.
darktrace/detect has been updated to v2.0.0.
Added support for CEF-formatted DCIP logs with new event.dataset "darktrace.dcip"
Enhanced MITRE ATT&CK technique and tactic mapping using objectArray functions
Improved field mappings for threat intelligence data
Updated parser to 3.0.0
For more information, see Package darktrace/detect Release Notes.
darktrace/detect has been updated to v1.5.0.
Added support for email events
Updated parser to 2.3.0
For more information, see Package darktrace/detect Release Notes.
cloudflare/zerotrust has been updated to v1.4.0.
Added severity mapping based on risk score
Added event.kind = alert for zone-scoped-http-requests when severity is present
Added event.action mapping from Vendor.SecurityAction
Added array deduplication for event.category[] and event.type[]
Updated email field normalization to convert all email addresses to lowercase
Enhanced DNS event action mapping to use coalesce function for better field resolution
Updated parser version to 2.3.0 and CPS version to 1.1.0
For more information, see Package cloudflare/zerotrust Release Notes.
cisco/ios has been updated to v1.7.1.
Added support for additional timezone formats including BST, CEST, GMT, IST, JST, SAST, WAT, and WIB
For more information, see Package cisco/ios Release Notes.
cloudflare/zerotrust has been updated to v1.5.0.
Enhanced bulk log processing with improved batched event handling
Added SHA256 hash generation for batched events to track event relationships
Improved JSON parsing structure for better event separation
Updated parser version to 2.4.0
For more information, see Package cloudflare/zerotrust Release Notes.
cisco/firepower has been updated to v1.7.1.
Updated CPS version to 1.1.0
Enhanced regex patterns for improved log parsing accuracy
Added support for user domain and username extraction in connection events
Improved multi-event code parsing for SSL VPN events (725001-9, 12, 13, 16, 21, 22)
Added event.outcome field for configuration and connection info events
Enhanced parsing for Group/User/IP patterns in VPN connection logs
Moved syslog severity code mapping to end of parser for better performance
For more information, see Package cisco/firepower Release Notes.
fortinet/fortigate has been updated to v1.3.5.
Updated CPS version to 1.1.0
Updated parser version to 2.1.4
Removed drop statements for fields (Vendor.time, Vendor.eventtime, Vendor.date, Vendor.tz, Vendor.ts, Vendor.srcmac, Vendor.source_mac, Vendor.dir, Vendor.direction, Vendor.service)
For more information, see Package fortinet/fortigate Release Notes.
aws/cloudtrail has been updated to v2.0.2.
Added support for IdentityCenterUser identity type
Improved handling of identity center user identities
For more information, see Package aws/cloudtrail Release Notes.
aws/cloudtrail has been updated to v2.1.0.
Updated parser version to 4.0.0
Enhanced event categorization and typing for various AWS actions
Changed observer.type from "iam" to "identity" for IAM-related events
Updated AssumeRole and AssumeRoleWithSAML event categorization from authentication to iam
Modified ConsoleLogin event dataset from "cloudtrail.iam" to "cloudtrail.auth"
Added UserAuthentication event handling with authentication category
Improved event type mappings by removing "info" type from several actions
Enhanced StartInstances and RunInstances categorization from configuration to host
Added GenerateDataKey event handling with configuration category and creation type
Updated wildcard matching to be more specific and removed default fallback categorization
For more information, see Package aws/cloudtrail Release Notes.
cisco/duo has been updated to v3.0.0.
Vendor fields are now aliased to the client namespace where source was previously used, as client better describes the role of devices initiating authentication flows whereas source is intended for network details
client fields are aliased to source at the end of the parser to avoid a breaking change. This allows the source fields to be easily removed from the parser at a later date
event.dataset of duo.administrator is now assigned when Vendor.action = * AND Vendor.isotimestamp = * rather than when Vendor.description = * (as "description":null often occurs, meaning that the Vendor.description field is not created)
Categorization now matches on event.dataset first, then event.action to handle repeat event.action values across different log types (e.g., event.action of enrollment appears in both Authentication and Telephony logs)
Added use of user.target fields - with logic implemented to make sure this is only applied on applicable event
Added parsing of nested JSON in duo.activity logs from the fields: Vendor.actor.details/Vendor.target.details/Vendor.old_target.details
Removed the Host fields section for duo.authentication and duo.trustmonitor events, since auth_device is the MFA device used in the authentication process, not the host on which the event happened, and Vendor.target fields are not present in this log type, so the section was not accurate
Moved the determination of event.outcome after the default values are set in categorization - so that these default values can be overwritten when outcome information is available in the event
Updated the handling of object arrays to use objectArray:eval() instead of concatArray and splitString
Added observer.type := "identity"
Additional normalization of ECS fields
Updates to the assignment of event.category for cloudsso_update_routing_rule and user_restore events
Updated CPS version to 1.1.0
Updated ECS version to 9.0.0
Updated parser version to 3.0.0
For more information, see Package cisco/duo Release Notes.
cisco/ise has been updated to v1.3.4.
Added parsing for CmdSet field to extract command line information into process.command_line field
Enhanced command parsing to filter and extract command arguments from TACACS authorization logs
Updated parser version to 2.0.7 and CPS version to 1.1.0
For more information, see Package cisco/ise Release Notes.