Falcon LogScale 1.211.0 GA (2025-10-21)
| Version? | Type? | Release Date? | Availability? | End of Support | Security Updates | Upgrades From? | Downgrades To? | Config. Changes? |
|---|---|---|---|---|---|---|---|---|
| 1.211.0 | GA | 2025-10-21 | Cloud | 2026-12-31 | No | 1.150.0 | 1.177.0 | No |
Hide file download links
Download
Use docker pull humio/humio-core:1.211.0 to download the latest version
Bug fixes and updates
Deprecation
Items that have been deprecated and may be removed in a future release.
The
EXTRA_KAFKA_CONFIGS_FILEconfiguration variable has been deprecated and planned to be removed no earlier than version 1.225.0. For more information, see RN Issue.
rdns()has been deprecated and will be removed in version 1.249. UsereverseDns()as an alternative function.
New features and improvements
Security
Added new environment variable
SAML_METADATA_ENDPOINT_URL, allowing users to specify where LogScale will fetch the IdP signing certificate. This provides an alternative to usingSAML_IDP_CERTIFICATEandSAML_ALTERNATIVE_IDP_CERTIFICATE, and enables easier certificate management without having to restart LogScale with a new set of variables.The existing certificate configuration options remain available, and when both methods are specified, certificates from both sources will be used.
Storage
Move bucket storage actions (for example, writing data to disk after bucket download, encryption/decryption when applicable) to a dedicated threadpool. This should result in less blocking on the threadpool responsible for handling HTTP requests (which could lead nodes to becoming unresponsive).
Added support for archiving ingested logs to Azure Storage. Logs that are archived using Azure Storage are available for further processing in any external system that integrates with Azure.
Users can configure Azure Storage archiving options using the following optional settings in the Egress repository:
Bucket (required) โ destination bucket for archived logs
Format โ choose between NDJSON or Raw formatting for the stored file (default: NDJSON)
Archiving start โ select between archiving all segments or only those starting after a specified UTC timestamp
For more information, see Azure Archiving.
API
Extended a user's ability to control lookup file management with the creation of two REST API endpoints,
filefromqueryandfileoperation. Also extended the existing REST API endpointfileto support PATCH operations, and provide the ability for users to update existing files. Previously, users could only replace them in their entirety.The endpoint
filefromquerywill provide the following functionality:Support for creating and updating lookup files directly from the dropdown menu in the search results by clicking , see Create a lookup file in the Search interface for more information.
Support for updating lookup files via extensions to an existing file's REST API.
The endpoint
fileoperationwill provide the following functionality:Allows users to view the progress of operations started on other endpoints.
Updates the state of PATCH operations on the
filesendpoint.
For more information, see Lookup API.
Functions
Added two new functions for calculating edit (Levenshtein) distances:
text:editDistance()โ returns the edit distance between target and reference strings, capped atmaxDistancetext:editDistanceAsArray()โ returns an object array containing edit distances between a target string and multiple reference strings
Fixed in this release
Other
Fixed an issue where the process to delete messages from the ingest queue would sometimes trigger the error Skipping Kafka event deletion for this round since stripping topOffsets failed during the calculation phase without cause.
Known Issues
Storage
For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between
PRIMARY_STORAGE_PERCENTAGEandPRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
netgate/pfsense has been updated to v1.1.2.
Added support for RFC 5424 syslog format with ISO 8601 timestamps
Enhanced timestamp parsing to handle both BSD syslog and RFC 5424 formats
Updated parser version to 1.1.2
For more information, see Package netgate/pfsense Release Notes.
fortinet/fortigate has been updated to v1.4.1.
Updated parser version to 3.0.1
Removed timezone parameter from parseTimestamp function for date/time parsing
For more information, see Package fortinet/fortigate Release Notes.
infoblox/nios has been updated to v1.3.2.
Fixed DNS client IP extraction regex to improve parsing accuracy
Enhanced DNS message handling with proper @ symbol replacement
Updated ECS version to 9.1.0 and CPS version to 1.1.0
For more information, see Package infoblox/nios Release Notes.
zscaler/deception has been updated to v2.2.1.
Updated ECS version to 9.1.0
Updated CPS version to 1.1.0
Improved timestamp parsing by removing timezone parameter
For more information, see Package zscaler/deception Release Notes.
darktrace/detect has been updated to v2.0.1.
Updated ECS version to 9.1.0
Updated parser version to 3.0.1
Fixed timezone handling for RFC 3164 syslog timestamps by removing explicit UTC timezone setting
For more information, see Package darktrace/detect Release Notes.
cisco/ise has been updated to v2.0.0.
Major parser restructuring and optimization for improved performance
Enhanced field extraction and normalization with better error handling
Added support for new ISE event categories including CISE_Profiler, CISE_Guest, CISE_MyDevices
Improved parsing for CISE_Alarm events with support for misconfigured supplicant detection
Enhanced RADIUS and TACACS accounting event processing
Added comprehensive TLS certificate field mapping
Improved user field extraction with domain parsing
Enhanced server and client field identification
Added support for additional timestamp formats
Updated event categorization and outcome determination logic
Removed session_info log type, added network_access log type
Updated parser version to 3.0.0
For more information, see Package cisco/ise Release Notes.
palo-alto/prisma-sd-wan has been updated to v1.2.1.
Updated ECS version to 9.1.0
Improved timestamp parsing by removing timezone parameter for better compatibility
For more information, see Package palo-alto/prisma-sd-wan Release Notes.
f5networks/bigip has been updated to v2.5.2.
Removed timezone parameter from timestamp parsing functions to use system default timezone handling
For more information, see Package f5networks/bigip Release Notes.
claroty/ctd has been updated to v1.2.2.
Removed timezone parameter from parseTimestamp function to use automatic timezone detection
Updated parser version to 1.1.3
For more information, see Package claroty/ctd Release Notes.
forcepoint/dlp has been updated to v1.2.2.
Updated ECS version to 9.1.0
Updated CPS version to 1.1.0
Removed timezone specifications from timestamp parsing
Enhanced field mapping documentation
For more information, see Package forcepoint/dlp Release Notes.
checkpoint/ngfw has been updated to v2.3.3.
Removed timezone parameter from timestamp parsing functions to use system default timezone handling
For more information, see Package checkpoint/ngfw Release Notes.
aruba/clearpass has been updated to v1.3.0.
Enhanced System category event handling with improved regex patterns for cleanup operations
Improved data integrity by using temporary field for rawstring processing
Updated parser version to 2.1.0 and CPS version to 1.1.0
For more information, see Package aruba/clearpass Release Notes.
cisco/firepower has been updated to v1.7.3.
Updated parser version to 3.3.3
Fixed field name from http.response.code to http.response.status_code in event code 607002 for proper ECS compliance
For more information, see Package cisco/firepower Release Notes.
juniper/srx has been updated to v1.5.0.
Added event severity mapping based on threat severity levels
Added support for rshd command line extraction
Fixed duplicate event.kind assignments in IDP processing
Updated parser to version 3.0.0
Enhanced field mapping with IP address validation before normalization
Improved timestamp parsing with support for both ISO 8601 and BSD syslog timestamp formats
For more information, see Package juniper/srx Release Notes.
dell/isilon has been updated to v1.2.2.
Updated ECS version to 9.1.0
Updated CPS version to 1.1.0
Updated parser version to 1.1.3
Removed timezone specification from parseTimestamp function
Updated test case data with new sample values
For more information, see Package dell/isilon Release Notes.
zscaler/private-access has been updated to v1.3.3.
Updated ECS version to 9.1.0
Removed timezone parameter from parseTimestamp function
For more information, see Package zscaler/private-access Release Notes.
infoblox/nios has been updated to v1.3.3.
Removed timezone parameter from parseTimestamp functions to use system default timezone
Updated parser version to 2.2.3
For more information, see Package infoblox/nios Release Notes.
microsoft/sysmon has been updated to v1.1.3.
Updated ECS version to 9.1.0
Removed timezone parameter from parseTimestamp functions for improved timestamp handling
For more information, see Package microsoft/sysmon Release Notes.
zscaler/internet-access has been updated to v1.5.2.
Enhanced file field handling to support both upload and download file operations in web events
Improved file categorization logic with priority given to download files when both are present
Added support for upload file fields (upload_filename, upload_filesubtype, upload_filetype)
Updated ECS version to 9.1.0
Added new timestamp format support for Vendor.lastmodtime field
Updated parser version to 2.5.2
For more information, see Package zscaler/internet-access Release Notes.
juniper/srx has been updated to v1.5.1.
Updated minimum LogScale version requirement to 1.207.0
For more information, see Package juniper/srx Release Notes.
f5networks/bigip has been updated to v2.5.0.
Enhanced SSH session handling with improved user extraction for login success and failure events
Improved audit log parsing with better key-value pair handling for complex field structures
Fixed regex patterns for SSH connection events to properly handle multiple connection scenarios
Added support for additional OS logger formats including TLS version and cipher information
Enhanced field coalescing for better data extraction from multiple potential sources
For more information, see Package f5networks/bigip Release Notes.
okta/sso has been updated to v1.4.5.
Updated ECS version to 9.1.0
Enhanced user.name field handling to automatically populate user.email when user.name contains @ symbol
Improved code formatting and consistency
For more information, see Package okta/sso Release Notes.
f5networks/bigip has been updated to v2.5.1.
Updated ECS version to 9.1.0 and CPS version to 1.1.0
Enhanced audit log parsing to specifically extract cmd_data from Vendor.audit_info for complete command data capture
Added new test case for AUDIT log format with cmd_data field extraction
For more information, see Package f5networks/bigip Release Notes.
cisco/ios has been updated to v1.7.2.
Updated timestamp parsing to remove hardcoded timezone defaults for better flexibility
Enhanced parser to use system timezone when no timezone is specified
Improved timestamp handling for logs without explicit timezone information
For more information, see Package cisco/ios Release Notes.
checkpoint/ngfw has been updated to v2.3.2.
Enhanced IP address validation using CIDR function for source and destination fields
Improved handling of source.address and destination.address fields with proper IP validation
Updated parser version to 3.3.2
For more information, see Package checkpoint/ngfw Release Notes.
microsoft/windows-dns-debug has been updated to v1.3.2.
Updated ECS version to 9.1.0
Removed timezone specification from timestamp parsing
Enhanced parser version to 2.2.2
For more information, see Package microsoft/windows-dns-debug Release Notes.
cisco/ios has been updated to v1.7.3.
Updated ECS version to 9.1.0
Updated CPS version to 1.1.0
Updated parser version to 2.6.3
Fixed typo in observer.ingress.interface.name field extraction for IGMP events
For more information, see Package cisco/ios Release Notes.
fortinet/fortigate has been updated to v1.4.0.
Updated parser version to 3.0.0
Enhanced event outcome determination for traffic and UTM events with expanded action mappings
Improved TLS certificate field handling using array:append for proper array construction
Fixed vulnerability category field mapping to use array:append
Added new test cases for VPN, IPS, and traffic events
Updated field assignments to use array operations for ECS compliance
For more information, see Package fortinet/fortigate Release Notes.
cisco/meraki has been updated to v1.5.3.
Removed timezone parameter from timestamp parsing functions to use system default timezone handling
For more information, see Package cisco/meraki Release Notes.
aws/s3-server-access has been updated to v1.2.2.
Added cloud provider identification with cloud.provider field set to "aws"
Enhanced cloud resource tracking with cloud.target.Resource.type[] and cloud.target.Resource.id[] arrays
Improved cloud resource categorization for S3 buckets
For more information, see Package aws/s3-server-access Release Notes.
aws/waf has been updated to v2.0.0.
Breaking Change: If X-Forwarded-For header is present, normalize the original client IP to source.ip and Vendor.httpRequest.clientIp is now normalied to source.nat.ip.
Improved HTTP header extraction for referrer, host, and user-agent fields
Added URL domain and port parsing from Host header
Updated ECS version to 9.1.0 and CPS version to 1.1.0
For more information, see Package aws/waf Release Notes.
zscaler/internet-access has been updated to v1.5.3.
Updated ECS version to 9.1.0
Removed timezone parameter from parseTimestamp function
For more information, see Package zscaler/internet-access Release Notes.
aws/vpcflow has been updated to v1.2.2.
Updated timestamp parsing to remove explicit timezone parameter
Updated parser version to 1.2.2
For more information, see Package aws/vpcflow Release Notes.
nozomi/ids has been updated to v1.3.2.
Updated ECS version to 9.1.0
Updated CPS version to 1.1.0
Updated parser version to 3.0.2
Removed timezone specification from timestamp parsing for MMM dd yyyy HH:mm:ss format
For more information, see Package nozomi/ids Release Notes.
radware/alteon has been updated to v1.2.2.
Updated ECS version to 9.1.0
Updated parser version to 1.1.2
Removed timezone parameter from findTimestamp() function calls
For more information, see Package radware/alteon Release Notes.
haproxy/haproxy has been updated to v1.2.2.
Updated ECS version to 9.1.0
Updated CPS version to 1.1.0
Updated parser version to 1.1.3
Removed timezone parameter from parseTimestamp function
For more information, see Package haproxy/haproxy Release Notes.
cisco/firepower has been updated to v1.7.4.
Removed timezone parameter from timestamp parsing functions to use system default timezone handling
Updated parser version to 3.3.4
For more information, see Package cisco/firepower Release Notes.
netgate/pfsense has been updated to v1.1.3.
Updated minimum LogScale version requirement to 1.207.0
For more information, see Package netgate/pfsense Release Notes.
cisco/ise has been updated to v2.0.1.
Fixed timezone handling in timestamp parsing by removing hardcoded timezone parameter
Updated parser version to 3.0.1
For more information, see Package cisco/ise Release Notes.