Falcon LogScale 1.206.0 GA (2025-09-16)
| Version | Type | Release Date | Availability | End of Support | Security Updates | Upgrades From | Downgrades To | Config. Changes |
|---|---|---|---|---|---|---|---|---|
| 1.206.0 | GA | 2025-09-16 | Cloud | 2026-10-31 | No | 1.150.0 | 1.177.0 | No |
Download
Use docker pull humio/humio-core:1.206.0 to download the latest version
Bug fixes and updates
Deprecation
Items that have been deprecated and may be removed in a future release.
The EXTRA_KAFKA_CONFIGS_FILE configuration variable has been deprecated and is planned to be removed no earlier than version 1.225.0. For more information, see RN Issue.
rdns() has been deprecated and will be removed in version 1.249. Use reverseDns() as an alternative function.
Behavior Changes
Scripts or environments that make use of these tools should be checked and updated for the new configuration:
Storage
Changed the default value for AUTOSHARDING_MAX to 12,288 from 131,072 for a more conservative approach to prevent datasource explosion in Global Database. The new default value is based on observed autoshard maximums in cloud environments.
Configuration
The AUTOSHARDING_MAX configuration variable is no longer deprecated. It is retained as a safety measure against unlimited autoshard creation.
Upgrades
Changes that may occur or be required during an upgrade.
Installation and Deployment
Upgraded the Kafka client version to 4.1.0. This upgrade does not affect Kafka server version compatibility.
New features and improvements
GraphQL API
Added updateDashboardFromTemplate, updateParserFromTemplate and updateSavedQueryFromTemplate GraphQL mutations to allow the updating of dashboards, parsers, and saved queries using their YAML representation.
Metrics and Monitoring
Added new metrics starvation-timer-<thread-pool>-<tid> and duration-timer-<thread-pool>-<tid> for default dispatchers, providing more detailed thread pool behavior analysis.
Added new metrics to track the total time spent on segment operations:
decompress-segment-query-total: total time spent on segment decompression for queries
load-segment-query-total: total time spent on segment loading for queries
Added additional node-level metrics to the humio-metrics option time-livequery, which measures the amount of CPU time used in static searches as a fraction of wall clock time:
time-query-decompress-segment
time-query-read-segment
time-query-map-segment
Fixed in this release
GraphQL API
Fixed an issue where the GraphQL mutation createPersonalUserTokenV2 would fail with an unspecified error message.
For more information, see createPersonalUserTokenV2().
Storage
Fixed an issue where merging segments could use excessive memory when processing events with large numbers of distinct fields. LogScale will now limit memory usage by stopping field extraction optimization when too many distinct field names are encountered.
For more information, see Creating Segment files.
Metrics and Monitoring
Fixed an issue with time unit conversions for meter values in internal metrics reporting (introduced in v1.196), where due to incorrect unit conversion, values were off by a factor of 10^9. Only internal metrics exports were affected - logged metrics and Prometheus metrics were unaffected. Histogram metric labels were also corrected to show as HISTOGRAM instead of TIMER.
The node-level metric load-segment-total has been fixed as the computation did not include the time spent loading segments for queries and segment merging.
For more information, see load-segment-total Metric.
Known Issues
Storage
For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between PRIMARY_STORAGE_PERCENTAGE and PRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".
This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.
Improvement
Queries
Improved the stability of multi-cluster search by implementing the retry logic for failed polls on certain types of exceptions.
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
zscaler/internet-access has been updated to v1.5.1.
Enhanced user email field handling to only set user.email when a valid email format is detected
Improved MD5 hash field processing for file.hash.md5
Fixed conditional logic for user field extraction across all dataset types
Updated parser version to 2.5.1
For more information, see Package zscaler/internet-access Release Notes.
tausight/ephi-risk-posture has been updated to v1.2.1.
Updated ECS version from 8.17.0 to 9.0.0
Updated CPS version from 1.0.0 to 1.1.0
Replaced rename() function calls with direct field assignments for improved performance
Fixed email.from.address field mapping to use array:append instead of direct array assignment
Added metadata-source.yaml file for package metadata
For more information, see Package tausight/ephi-risk-posture Release Notes.
okta/sso has been updated to v1.4.2.
Enhanced timestamp parsing to handle events without published timestamp field
Improved target array parsing with better regex matching for JSON structure
Fixed handling of error message events that lack timestamp information
Updated parser version to 2.4.2
For more information, see Package okta/sso Release Notes.
okta/sso has been updated to v1.4.4.
Enhanced actor type handling with conditional logic for IP addresses and Event Hooks
Fixed client.user.full_name field mapping to handle different actor types appropriately
For more information, see Package okta/sso Release Notes.
cisco/firepower has been updated to v1.7.1.
Updated CPS version to 1.1.0
Enhanced regex patterns for improved log parsing accuracy
Added support for user domain and username extraction in connection events
Improved multi-event code parsing for SSL VPN events (725001-9, 12, 13, 16, 21, 22)
Added event.outcome field for configuration and connection info events
Enhanced parsing for Group/User/IP patterns in VPN connection logs
Moved syslog severity code mapping to end of parser for better performance
For more information, see Package cisco/firepower Release Notes.
zscaler/internet-access has been updated to v1.5.0.
Added support for multi-event processing with event.original.hash.sha256 field for bulk events
Updated parser to preserve event.original field for the first event in multi-event logs
Enhanced event processing logic to handle concatenated JSON events more efficiently
Updated parser version to 2.5.0
For more information, see Package zscaler/internet-access Release Notes.
radware/alteon has been updated to v1.2.1.
Parser renaming and Deprecation notice
Updated ECS version to 9.0.0
Removed deprecated alteon-syslog parser
Fixed field assignment operations to use direct assignment instead of rename operations
Updated parser version to 1.1.1
### Version 1.2.0
The old parser alteon-syslog is deprecated and replaced by the new parser radware-alteon. While the old parser will remain available during a transition period, all future changes will only go into the new radware-alteon parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old alteon-syslog parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that search for this field need to accommodate this change.
Duplicated vendor fields dropped in new parser
The old alteon-syslog parser would duplicate certain fields, which the new radware-alteon parser will not. The fields which were previously duplicated would be present both under the Vendor namespace (e.g. Vendor.srcIp) and as a field mapped to CPS (e.g. source.ip). If the values of two such fields are byte-for-byte the same, the new parser will no longer preserve the vendor-specific field, but only the CPS field. If the values of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data when using the new parser:
Vendor.keys.DstIP
Vendor.keys.DstPort
Vendor.keys.Method
Vendor.keys.ResponseCode
Vendor.keys.SrcIp
Vendor.keys.URL
Vendor.keys.UserAgent
Vendor.keys.WAFObservedIP
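One way to audit saved searches and alert queries for the parser rename and the dropped Vendor fields described above. This is an added example, not part of the package or of LogScale; the sample queries are constructed, and matching field names case-sensitively is an assumption.

```python
import re

# Vendor fields the release notes list as no longer present with radware-alteon.
DROPPED_FIELDS = [
    "Vendor.keys.DstIP", "Vendor.keys.DstPort", "Vendor.keys.Method",
    "Vendor.keys.ResponseCode", "Vendor.keys.SrcIp", "Vendor.keys.URL",
    "Vendor.keys.UserAgent", "Vendor.keys.WAFObservedIP",
]
OLD_PARSER = "alteon-syslog"

# Match a dropped field only as a whole token, so Vendor.keys.URL does not
# match inside a longer name such as Vendor.keys.URLCategory.
_FIELD_RE = re.compile(
    r"(?<![\w.])(" + "|".join(re.escape(f) for f in DROPPED_FIELDS) + r")(?![\w.])"
)
# A #type filter on the old parser name, with optional quotes and spacing.
_TYPE_RE = re.compile(r'#type\s*=\s*"?' + re.escape(OLD_PARSER) + r'"?(?![\w-])')


def audit_query(query: str) -> dict:
    """Report which parts of one query string are affected by the change."""
    return {
        "old_parser_filter": bool(_TYPE_RE.search(query)),
        "dropped_fields": sorted(set(_FIELD_RE.findall(query))),
    }


def audit_all(queries: dict) -> dict:
    """Map query name -> findings, keeping only queries that need attention."""
    report = {}
    for name, text in queries.items():
        finding = audit_query(text)
        if finding["old_parser_filter"] or finding["dropped_fields"]:
            report[name] = finding
    return report


# Constructed sample queries (hypothetical names and contents).
SAMPLE_QUERIES = {
    "waf-blocks": "#type=alteon-syslog | Vendor.keys.ResponseCode=403"
                  " | groupBy(Vendor.keys.SrcIp)",
    "top-urls": '#type="radware-alteon" | top(url.original)',
    "ua-hunt": "Vendor.keys.UserAgent=/curl/i | Vendor.keys.URLCategory=*",
}

if __name__ == "__main__":
    for name, finding in audit_all(SAMPLE_QUERIES).items():
        print(name, finding)
```

A query flagged for dropped fields stops matching events whose vendor value equals the CPS value, so detections built on those fields should be reviewed before switching parsers.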
### Version 1.0.1
Adds logic to detect event.outcome for http requests based on status code
Adds comments to better explain the logic of the temporary fields
Bumps parser version to 1.0.1
### Version 1.0.0
Adds new event.module and Cps.version fields
Removes the Product field
Sets following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type
Bug fix: making event.category field an array
For more information, see Package radware/alteon Release Notes.
cisco/firepower has been updated to v1.7.2.
Updated parser version to 3.3.2
Enhanced regex pattern for event code 106015 to better capture flags field with multiple values
For more information, see Package cisco/firepower Release Notes.
checkpoint/ngfw has been updated to v2.3.1.
Fixed regex pattern for numerical action values to prevent backtracking issues
Updated parser version to 3.3.1
For more information, see Package checkpoint/ngfw Release Notes.
okta/sso has been updated to v1.4.3.
Enhanced target array parsing with improved regex pattern to handle whitespace variations in JSON structure
Fixed parsing of target arrays with flexible spacing between "target" field and array brackets
For more information, see Package okta/sso Release Notes.
aws/cloudtrail has been updated to v2.1.0.
Updated parser version to 4.0.0
Enhanced event categorization and typing for various AWS actions
Changed observer.type from "iam" to "identity" for IAM-related events
Updated AssumeRole and AssumeRoleWithSAML event categorization from authentication to iam
Modified ConsoleLogin event dataset from "cloudtrail.iam" to "cloudtrail.auth"
Added UserAuthentication event handling with authentication category
Improved event type mappings by removing "info" type from several actions
Enhanced StartInstances and RunInstances categorization from configuration to host
Added GenerateDataKey event handling with configuration category and creation type
Updated wildcard matching to be more specific and removed default fallback categorization
For more information, see Package aws/cloudtrail Release Notes.
checkpoint/ngfw has been updated to v2.3.0.
Enhanced observer name extraction from originsicname field using regex pattern
Improved source field handling for email addresses and IP addresses in 'from' field
Added service.id and service.name field mappings with protocol detection
Enhanced network protocol detection based on service identifiers
Updated parser version to 3.3.0 and CPS version to 1.1.0
For more information, see Package checkpoint/ngfw Release Notes.
cisco/ise has been updated to v1.4.0.
Added support for CISE_TACACS_Accounting events (codes 3300, 3301, 3302)
Added comprehensive TACACS+ diagnostics parsing for CISE_TACACS_Diagnostics category
Enhanced event categorization for TACACS+ authentication, authorization, and accounting events
Added support for TACACS+ network access control and user management events
Updated parser version to 2.1.0
For more information, see Package cisco/ise Release Notes.
aws/guardduty has been updated to v1.2.1.
Updated severity threshold logic to use >= instead of > for more accurate alert classification
Fixed severity mapping to properly categorize findings at exact threshold values (9.0, 7.0, 4.0)
Updated parser version to 1.3.1
For more information, see Package aws/guardduty Release Notes.
cisco/ise has been updated to v1.3.4.
Added parsing for CmdSet field to extract command line information into process.command_line field
Enhanced command parsing to filter and extract command arguments from TACACS authorization logs
Updated parser version to 2.0.7 and CPS version to 1.1.0
For more information, see Package cisco/ise Release Notes.