Falcon LogScale 1.210.0 GA (2025-10-14)
| Version | Type | Release Date | Availability | End of Support | Security Updates | Upgrades From | Downgrades To | Config. Changes |
|---|---|---|---|---|---|---|---|---|
| 1.210.0 | GA | 2025-10-14 | Cloud | 2026-12-31 | No | 1.150.0 | 1.177.0 | No |
Download
Use docker pull humio/humio-core:1.210.0 to download the latest version
Bug fixes and updates
Advance Warning
The following items are due to change in a future release.
Configuration
Cached data files mode, which allows users to configure a local cache directory for segment files, has been deprecated and will be removed in version 1.225.0. This configuration is no longer recommended, as using a local drive with bucket storage generally provides better performance.
The associated configuration variables have also been deprecated and are planned for removal in version 1.225.0:
Deprecation
Items that have been deprecated and may be removed in a future release.
The EXTRA_KAFKA_CONFIGS_FILE configuration variable has been deprecated and is planned to be removed no earlier than version 1.225.0. For more information, see RN Issue.
rdns() has been deprecated and will be removed in version 1.249. Use reverseDns() as an alternative function.
Upgrades
Changes that may occur or be required during an upgrade.
Installation and Deployment
Upgraded LogScale's Zstandard (ZSTD) compression library from version 1.5.6 to 1.5.7.
New features and improvements
Dashboards and Widgets
Added a new styling option to adjust the size of axis and legend titles on Time Chart, Pie Chart, Bar Chart, Scatter Chart, and Heat Map widgets.
Functions
Added query function matchAsArray(), which matches multiple rows from a CSV or JSON file and adds them as object array fields. This is similar to the match() function but with the following key differences:
Only supports ExactMatch mode
Adds multiple matches as structured arrays instead of creating separate events
Allows customization of the array name using the asArray parameter
The length of the structured arrays is limited by the nrows parameter. If the number of matches is larger than nrows, then the last matching nrows are put in the structured array. This is similar to how the match() function deals with matches larger than nrows.
For more information, see matchAsArray().
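The nrows behaviour described above means that a lookup key with more rows than nrows loses its earliest rows during enrichment. The following Python model is an added example, not LogScale code or part of the release notes: it reproduces the described semantics on a constructed lookup file and lists the keys that would be truncated. The function names, the sample data, the `name[i].column` field layout and the omission of the key column from the array objects are assumptions made for illustration.

```python
import csv
import io
from collections import Counter

# Constructed lookup file: several rows share the same key value.
LOOKUP_CSV = """ip,owner,tag
10.0.0.5,netops,scanner
10.0.0.5,secops,honeypot
10.0.0.5,it,printer
10.0.0.9,hr,laptop
"""

def load_rows(text):
    """Parse the lookup file into a list of row dicts, in file order."""
    return list(csv.DictReader(io.StringIO(text)))

def match_as_array(event, rows, field, column, as_array, nrows):
    """Model of the described behaviour (hypothetical helper): exact match
    only, all matching rows attached to ONE event as an object array, and
    only the LAST nrows matches kept when there are more."""
    hits = [r for r in rows if r[column] == event.get(field)]
    kept = hits[max(len(hits) - nrows, 0):]
    out = dict(event)
    for i, row in enumerate(kept):
        for key, value in row.items():
            if key != column:  # assumption: key column is not repeated
                out[f"{as_array}[{i}].{key}"] = value
    return out

def keys_over_limit(rows, column, nrows):
    """Lookup keys whose row count exceeds nrows, i.e. enrichment for
    these keys would drop the earliest rows."""
    counts = Counter(r[column] for r in rows)
    return {k: n for k, n in counts.items() if n > nrows}

if __name__ == "__main__":
    rows = load_rows(LOOKUP_CSV)
    print(match_as_array({"src_ip": "10.0.0.5"}, rows, "src_ip", "ip", "assets", 2))
    print(keys_over_limit(rows, "ip", 2))
```

Running the audit helper against a lookup file before relying on it in detections shows whether nrows needs to be raised or the file deduplicated.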
Fixed in this release
Storage
Fixed an issue causing unbounded creation of global snapshots in temporary directories during periods of poor bucket storage performance.
Queries
Fixed an issue where anchored time points would cause import/export of dashboards and saved queries to fail. New schema versions for dashboards and saved queries (0.23.0 and 0.60 respectively) will now allow advanced time interval syntax.
For more information, see Anchored Time Points - Syntax.
Functions
Fixed an issue where the parseXml() function would output arrays incompatible with array functions due to the lack of a 0 element. Backward compatibility with existing queries is maintained by keeping the first element in the non-array field.
For more information, see parseXml().
Known Issues
Storage
For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between PRIMARY_STORAGE_PERCENTAGE and PRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".
This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.
Improvement
Ingestion
Added error logging for ingest queue progression issues. When the read offset metric for any ingest queue partition doesn't progress, logs will display an error message stating Ingest queue progress error: before providing the log data.
The criteria for an error message being provided are:
Ingest queue doesn't progress over a 10-minute period
Ingest queue shows no activity for over an hour
Note
LogScale clusters regularly send internal messages on every ingest partition. If the metric does not increase, there is an issue with the digester.
Queries
Digest nodes now measure wall-clock time instead of CPU time when updating live queries with events, improving performance and reducing CPU usage.
Note
This improvement may introduce slight variations in live cost measurements due to thread scheduling.
Metrics and Monitoring
Added new metrics for live query execution monitoring:
total-live-events – provides an aggregate count of live events across all dataspaces
worker-live-queries – provides the number of live queries currently running on the worker node
worker-live-dataspace-queries – provides the total number of repository queries currently executing on the worker node
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
netgate/pfsense has been updated to v1.1.2.
Added support for RFC 5424 syslog format with ISO 8601 timestamps
Enhanced timestamp parsing to handle both BSD syslog and RFC 5424 formats
Updated parser version to 1.1.2
For more information, see Package netgate/pfsense Release Notes.
infoblox/nios has been updated to v1.3.2.
Fixed DNS client IP extraction regex to improve parsing accuracy
Enhanced DNS message handling with proper @ symbol replacement
Updated ECS version to 9.1.0 and CPS version to 1.1.0
For more information, see Package infoblox/nios Release Notes.
cisco/ise has been updated to v2.0.0.
Major parser restructuring and optimization for improved performance
Enhanced field extraction and normalization with better error handling
Added support for new ISE event categories including CISE_Profiler, CISE_Guest, CISE_MyDevices
Improved parsing for CISE_Alarm events with support for misconfigured supplicant detection
Enhanced RADIUS and TACACS accounting event processing
Added comprehensive TLS certificate field mapping
Improved user field extraction with domain parsing
Enhanced server and client field identification
Added support for additional timestamp formats
Updated event categorization and outcome determination logic
Removed session_info log type, added network_access log type
Updated parser version to 3.0.0
For more information, see Package cisco/ise Release Notes.
aruba/clearpass has been updated to v1.3.0.
Enhanced System category event handling with improved regex patterns for cleanup operations
Improved data integrity by using temporary field for rawstring processing
Updated parser version to 2.1.0 and CPS version to 1.1.0
For more information, see Package aruba/clearpass Release Notes.
cisco/firepower has been updated to v1.7.3.
Updated parser version to 3.3.3
Fixed field name from http.response.code to http.response.status_code in event code 607002 for proper ECS compliance
For more information, see Package cisco/firepower Release Notes.
juniper/srx has been updated to v1.5.0.
Added event severity mapping based on threat severity levels
Added support for rshd command line extraction
Fixed duplicate event.kind assignments in IDP processing
Updated parser to version 3.0.0
Enhanced field mapping with IP address validation before normalization
Improved timestamp parsing with support for both ISO 8601 and BSD syslog timestamp formats
For more information, see Package juniper/srx Release Notes.
zscaler/internet-access has been updated to v1.5.2.
Enhanced file field handling to support both upload and download file operations in web events
Improved file categorization logic with priority given to download files when both are present
Added support for upload file fields (upload_filename, upload_filesubtype, upload_filetype)
Updated ECS version to 9.1.0
Added new timestamp format support for Vendor.lastmodtime field
Updated parser version to 2.5.2
For more information, see Package zscaler/internet-access Release Notes.
f5networks/bigip has been updated to v2.5.0.
Enhanced SSH session handling with improved user extraction for login success and failure events
Improved audit log parsing with better key-value pair handling for complex field structures
Fixed regex patterns for SSH connection events to properly handle multiple connection scenarios
Added support for additional OS logger formats including TLS version and cipher information
Enhanced field coalescing for better data extraction from multiple potential sources
For more information, see Package f5networks/bigip Release Notes.
okta/sso has been updated to v1.4.5.
Updated ECS version to 9.1.0
Enhanced user.name field handling to automatically populate user.email when user.name contains @ symbol
Improved code formatting and consistency
For more information, see Package okta/sso Release Notes.
f5networks/bigip has been updated to v2.5.1.
Updated ECS version to 9.1.0 and CPS version to 1.1.0
Enhanced audit log parsing to specifically extract cmd_data from Vendor.audit_info for complete command data capture
Added new test case for AUDIT log format with cmd_data field extraction
For more information, see Package f5networks/bigip Release Notes.
checkpoint/ngfw has been updated to v2.3.2.
Enhanced IP address validation using CIDR function for source and destination fields
Improved handling of source.address and destination.address fields with proper IP validation
Updated parser version to 3.3.2
For more information, see Package checkpoint/ngfw Release Notes.
fortinet/fortigate has been updated to v1.4.0.
Updated parser version to 3.0.0
Enhanced event outcome determination for traffic and UTM events with expanded action mappings
Improved TLS certificate field handling using array:append for proper array construction
Fixed vulnerability category field mapping to use array:append
Added new test cases for VPN, IPS, and traffic events
Updated field assignments to use array operations for ECS compliance
For more information, see Package fortinet/fortigate Release Notes.