Falcon LogScale 1.208.0 GA (2025-09-30)
| Version | Type | Release Date | Availability | End of Support | Security Updates | Upgrades From | Downgrades To | Config. Changes |
|---|---|---|---|---|---|---|---|---|
| 1.208.0 | GA | 2025-09-30 | Cloud | 2026-12-31 | No | 1.150.0 | 1.177.0 | No |
Download
Use docker pull humio/humio-core:1.208.0 to download the latest version
Bug fixes and updates
Deprecation
Items that have been deprecated and may be removed in a future release.
The updateUploadFileAction() GraphQL mutation is deprecated. Use updateUploadFileActionV2() instead.
The EXTRA_KAFKA_CONFIGS_FILE configuration variable has been deprecated and is planned to be removed no earlier than version 1.225.0. For more information, see RN Issue.
rdns() has been deprecated and will be removed in version 1.249. Use reverseDns() as an alternative function.
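As an added example (not part of the LogScale release notes or product), the Python sketch below scans saved queries, GraphQL automation and environment files for the three deprecated names listed above. The file names, query arguments and mutation input shapes are constructed for illustration.

```python
import re

# Deprecated names from the 1.208.0 notes above, with the guidance the notes give.
DEPRECATED = [
    ("rdns()", re.compile(r"(?<![\w:])rdns\s*\("),
     "use reverseDns(); removal in version 1.249"),
    ("updateUploadFileAction()", re.compile(r"\bupdateUploadFileAction\s*\("),
     "use updateUploadFileActionV2()"),
    ("EXTRA_KAFKA_CONFIGS_FILE", re.compile(r"\bEXTRA_KAFKA_CONFIGS_FILE\b"),
     "removal no earlier than version 1.225.0"),
]


def scan(files):
    """Return (file, line_no, name, advice) for each deprecated use found."""
    findings = []
    for fname, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for name, pattern, advice in DEPRECATED:
                if pattern.search(line):
                    findings.append((fname, line_no, name, advice))
    return findings


# Constructed sample inputs; file names, arguments and input shapes are assumptions.
SAMPLE_FILES = {
    "saved-query.txt": (
        "#type=firewall\n"
        "| rdns(field=src_ip)\n"
        "| reverseDns(field=dst_ip)\n"   # replacement function: must not be flagged
    ),
    "automation.graphql": (
        "mutation { updateUploadFileActionV2(input: $input) { id } }\n"
        "mutation { updateUploadFileAction(input: $input) { id } }\n"
    ),
    "logscale.env": (
        "KAFKA_SERVERS=kafka:9092\n"
        "EXTRA_KAFKA_CONFIGS_FILE=/path/to/kafka.properties\n"
    ),
}

if __name__ == "__main__":
    for fname, line_no, name, advice in scan(SAMPLE_FILES):
        print(f"{fname}:{line_no}: {name} is deprecated ({advice})")
```

The patterns require the opening parenthesis directly after the name, so updateUploadFileActionV2() and reverseDns() are not reported.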
Behavior Changes
Scripts or environments that make use of these tools should be checked and updated for the new configuration:
Queries
Made changes to correlate() internals that are not backwards compatible. Clusters with mixed new and old LogScale versions will not be able to run correlate() queries until all nodes are upgraded. This limitation also applies to Multi-Cluster Search queries across clusters running different versions.
Functions
The following function restrictions are now compile-time errors instead of runtime errors, making them detectable by GraphQL APIs and Language Service Protocol (LSP):
eval() now includes coverage for invalid usage within expressions
groupBy() now includes coverage for limiting parameter values exceeding maximum allowed value
series() includes coverage for collection parameters containing prohibited fields
regex(), replace(), and array:regex() includes coverage for their use of Regular Expression Engine v2 when disabled at cluster level.
New features and improvements
Dashboards and Widgets
Added a default Series color palette option for dashboards. This new palette can be configured at dashboard level and can be inherited by those widgets that support multiple color palettes for differentiating between series.
Functions
The Upload file action has now been renamed to Lookup file action and improved with new upload functionalities:
Overwrite – Replaces entire file contents of existing file (existing behavior)
Append – Adds new information to the end of existing file
Update – Updates specific rows based on selected key columns.
Note
The existing behavior for the Lookup File action is Overwrite, which replaces the entire contents of existing CSV files.
For more information, see Action Type: Lookup File, Lookup Files.
Fixed in this release
Metrics and Monitoring
Fixed two issues with metrics:
Ingest queue offset metrics are now properly cleaned up when the job switches nodes, preventing stale metric reporting.
Falcon Data Replicator (FDR) queue metrics can now be re-registered after being unregistered, supporting re-enabled FDR feeds.
Affected metrics:
ingest-consumer-group-offset
ingest-consumer-group-offset-lag
ingest-offset-lowest
ingest-queue-lowest-offset-lag
fdr-message-count
fdr-inflight-message-count
For more information, see Ingesting FDR Data into a Repository.
Other
Fixed LDAP authentication bug.
Known Issues
Storage
For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between PRIMARY_STORAGE_PERCENTAGE and PRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".
This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.
Improvement
Administration and Management
Re-introduced audit logging when overriding an existing Lookup file with identical content.
Queries
Added user-visible warnings to alert users when query polling fails repeatedly.
Functions
Improved correlate() graph analysis performance. Users may notice changes to the query graph visualization.
For more information, see Correlation Options, Display tabs.
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
zscaler/internet-access has been updated to v1.5.1.
Enhanced user email field handling to only set user.email when a valid email format is detected
Improved MD5 hash field processing for file.hash.md5
Fixed conditional logic for user field extraction across all dataset types
Updated parser version to 2.5.1
For more information, see Package zscaler/internet-access Release Notes.
okta/sso has been updated to v1.4.4.
Enhanced actor type handling with conditional logic for IP addresses and Event Hooks
Fixed client.user.full_name field mapping to handle different actor types appropriately
For more information, see Package okta/sso Release Notes.
aruba/clearpass has been updated to v1.3.0.
Enhanced System category event handling with improved regex patterns for cleanup operations
Improved data integrity by using temporary field for rawstring processing
Updated parser version to 2.1.0 and CPS version to 1.1.0
For more information, see Package aruba/clearpass Release Notes.
zscaler/internet-access has been updated to v1.5.0.
Added support for multi-event processing with event.original.hash.sha256 field for bulk events
Updated parser to preserve event.original field for the first event in multi-event logs
Enhanced event processing logic to handle concatenated JSON events more efficiently
Updated parser version to 2.5.0
For more information, see Package zscaler/internet-access Release Notes.
cisco/firepower has been updated to v1.7.2.
Updated parser version to 3.3.2
Enhanced regex pattern for event code 106015 to better capture flags field with multiple values
For more information, see Package cisco/firepower Release Notes.
checkpoint/ngfw has been updated to v2.3.1.
Fixed regex pattern for numerical action values to prevent backtracking issues
Updated parser version to 3.3.1
For more information, see Package checkpoint/ngfw Release Notes.
checkpoint/ngfw has been updated to v2.3.0.
Enhanced observer name extraction from originsicname field using regex pattern
Improved source field handling for email addresses and IP addresses in 'from' field
Added service.id and service.name field mappings with protocol detection
Enhanced network protocol detection based on service identifiers
Updated parser version to 3.3.0 and CPS version to 1.1.0
For more information, see Package checkpoint/ngfw Release Notes.
cisco/ise has been updated to v1.4.0.
Added support for CISE_TACACS_Accounting events (codes 3300, 3301, 3302)
Added comprehensive TACACS+ diagnostics parsing for CISE_TACACS_Diagnostics category
Enhanced event categorization for TACACS+ authentication, authorization, and accounting events
Added support for TACACS+ network access control and user management events
Updated parser version to 2.1.0
For more information, see Package cisco/ise Release Notes.
checkpoint/ngfw has been updated to v2.3.2.
Enhanced IP address validation using CIDR function for source and destination fields
Improved handling of source.address and destination.address fields with proper IP validation
Updated parser version to 3.3.2
For more information, see Package checkpoint/ngfw Release Notes.
fortinet/fortigate has been updated to v1.4.0.
Updated parser version to 3.0.0
Enhanced event outcome determination for traffic and UTM events with expanded action mappings
Improved TLS certificate field handling using array:append for proper array construction
Fixed vulnerability category field mapping to use array:append
Added new test cases for VPN, IPS, and traffic events
Updated field assignments to use array operations for ECS compliance
For more information, see Package fortinet/fortigate Release Notes.