Falcon LogScale 1.212.0 GA (2025-10-28)

  • Version: 1.212.0

  • Type: GA

  • Release Date: 2025-10-28

  • Availability: Cloud

  • End of Support: 2026-12-31

  • Security Updates: No

  • Upgrades From: 1.150.0

  • Downgrades To: 1.177.0

  • Config. Changes: No

Bug fixes and updates

Breaking Changes

The following items create a breaking change in the behavior, response or operation of this release.

  • GraphQL API

    • The dashboard field in the ScheduledReport GraphQL type is now optional. When users lack dashboard access permissions, the field will return a null result instead of causing a request failure.

      Note

      Users should update their queries and type definitions to account for the optional nature of this field and that a null value exists.

Deprecation

Items that have been deprecated and may be removed in a future release.

  • The EXTRA_KAFKA_CONFIGS_FILE configuration variable has been deprecated and is planned for removal no earlier than version 1.225.0. For more information, see RN Issue.

  • rdns() has been deprecated and will be removed in version 1.249. Use reverseDns() as an alternative function.

Behavior Changes

Scripts or environments that make use of these tools should be checked and updated for the new configuration:

  • Functions

    • Changed liveness restrictions for selfJoin() and selfJoinFilter() functions to be enforced at compile time instead of runtime, enabling detection by the Language Server Protocol (LSP) and GraphQL validation endpoints.

    • Changed top-level restrictions for join-like query functions to be enforced at compile time instead of runtime, enabling detection by the Language Server Protocol (LSP) and GraphQL validation endpoints.

New features and improvements

  • GraphQL API

    • Enhanced the GraphQL entities search API to include scheduled reports as searchable assets. The entitiesSearch, entitiesPage, and entitiesLabels query endpoints now support scheduled reports with full metadata access and standard filtering capabilities.

      This change extends the entitiesSearch, entitiesPage, and entitiesLabels query endpoints to:

      • Return scheduled reports as part of search results when filtering by entity types

      • Provide full access to scheduled report metadata through the ScheduledReportResult datatype

      • Support the same filtering and pagination capabilities available for other asset types

      • Maintain proper view-level access controls for scheduled report visibility

  • Dashboards and Widgets

  • Metrics and Monitoring

    • Added the field window_count to Timer metrics. It tracks the number of measurements in the given window, usually 60 seconds.

Fixed in this release

  • Storage

    • Fixed an issue where multiple nodes would concurrently attempt to execute the same merges of mini-segments, creating waste. Future merges will now use one node consistently.

  • Queries

    • Fixed an issue where queries using the correlate() function within a federated search could experience a memory leak.

  • Metrics and Monitoring

    • Fixed an issue where the progress report for the metric ingest-queue-read-offset would erroneously log errors stating Ingest queue progress error approximately 90 minutes after cluster restart.

Known Issues

  • Storage

    • For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between PRIMARY_STORAGE_PERCENTAGE and PRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".

      This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.

Improvement

  • User Interface

    • Enhanced Lookup files and Interactions asset types in the Resources page, as follows.

      Lookup files table component improvements:

      • Added table sorting

      • Implemented proper pagination

      • Added package column filtering

      • Updated package column to show versionless package string instead of with version

      Interactions table component improvements:

      • Added sort functionality

      • Implemented proper pagination

      • Added column filters for package and interaction type

      • Fixed the Language Server Protocol (LSP) features in the Details panel so the Query Editor for editing Search link interactions has LSP features (syntax highlighting, docs, suggestions, etc.)

  • Queries

    • Improved live query handling during high ingest latency. LogScale now avoids halting live queries when latency is not caused by digest node overload.

      To control this behavior, users can set the environment variable LIVEQUERY_CANCEL_TRIGGER_INGEST_OCCUPANCY_LIMIT. This variable expresses, as a percentage, the amount of time spent waiting for events to be stored in segments and written to live queries compared to obtaining data from Kafka.

      Note

      Setting the default value to -1 disables the logic.

      Warning

      The maximum environment variable value is 100. If set to this value, live queries will not be stopped due to ingest delay.

  • Functions

    • Improved error handling resiliency for multi-pass functions like correlate() by creating an automatic stop for queries that would previously stall indefinitely. Future queries that stall will be stopped automatically.

Recent Package Updates

The following LogScale packages have been updated within the last month.

  • Package Changes

    • netgate/pfsense has been updated to v1.1.2.

      • Added support for RFC 5424 syslog format with ISO 8601 timestamps

      • Enhanced timestamp parsing to handle both BSD syslog and RFC 5424 formats

      • Updated parser version to 1.1.2

      For more information, see Package netgate/pfsense Release Notes.

    • fortinet/fortigate has been updated to v1.4.1.

      • Updated parser version to 3.0.1

      • Removed timezone parameter from parseTimestamp function for date/time parsing

      For more information, see Package fortinet/fortigate Release Notes.

    • infoblox/nios has been updated to v1.3.2.

      • Fixed DNS client IP extraction regex to improve parsing accuracy

      • Enhanced DNS message handling with proper @ symbol replacement

      • Updated ECS version to 9.1.0 and CPS version to 1.1.0

      For more information, see Package infoblox/nios Release Notes.

    • zscaler/deception has been updated to v2.2.1.

      • Updated ECS version to 9.1.0

      • Updated CPS version to 1.1.0

      • Improved timestamp parsing by removing timezone parameter

      For more information, see Package zscaler/deception Release Notes.

    • darktrace/detect has been updated to v2.0.1.

      • Updated ECS version to 9.1.0

      • Updated parser version to 3.0.1

      • Fixed timezone handling for RFC 3164 syslog timestamps by removing explicit UTC timezone setting

      For more information, see Package darktrace/detect Release Notes.

    • cisco/ise has been updated to v2.0.0.

      • Major parser restructuring and optimization for improved performance

      • Enhanced field extraction and normalization with better error handling

      • Added support for new ISE event categories including CISE_Profiler, CISE_Guest, CISE_MyDevices

      • Improved parsing for CISE_Alarm events with support for misconfigured supplicant detection

      • Enhanced RADIUS and TACACS accounting event processing

      • Added comprehensive TLS certificate field mapping

      • Improved user field extraction with domain parsing

      • Enhanced server and client field identification

      • Added support for additional timestamp formats

      • Updated event categorization and outcome determination logic

      • Removed session_info log type, added network_access log type

      • Updated parser version to 3.0.0

      For more information, see Package cisco/ise Release Notes.

    • palo-alto/prisma-sd-wan has been updated to v1.2.1.

      • Updated ECS version to 9.1.0

      • Improved timestamp parsing by removing timezone parameter for better compatibility

      For more information, see Package palo-alto/prisma-sd-wan Release Notes.

    • f5networks/bigip has been updated to v2.5.2.

      • Removed timezone parameter from timestamp parsing functions to use system default timezone handling

      For more information, see Package f5networks/bigip Release Notes.

    • claroty/ctd has been updated to v1.2.2.

      • Removed timezone parameter from parseTimestamp function to use automatic timezone detection

      • Updated parser version to 1.1.3

      For more information, see Package claroty/ctd Release Notes.

    • forcepoint/dlp has been updated to v1.2.2.

      • Updated ECS version to 9.1.0

      • Updated CPS version to 1.1.0

      • Removed timezone specifications from timestamp parsing

      • Enhanced field mapping documentation

      For more information, see Package forcepoint/dlp Release Notes.

    • checkpoint/ngfw has been updated to v2.3.3.

      • Removed timezone parameter from timestamp parsing functions to use system default timezone handling

      For more information, see Package checkpoint/ngfw Release Notes.

    • aruba/clearpass has been updated to v1.3.0.

      • Enhanced System category event handling with improved regex patterns for cleanup operations

      • Improved data integrity by using temporary field for rawstring processing

      • Updated parser version to 2.1.0 and CPS version to 1.1.0

      For more information, see Package aruba/clearpass Release Notes.

    • cisco/firepower has been updated to v1.7.3.

      • Updated parser version to 3.3.3

      • Fixed field name from http.response.code to http.response.status_code in event code 607002 for proper ECS compliance

      For more information, see Package cisco/firepower Release Notes.

    • juniper/srx has been updated to v1.5.0.

      • Added event severity mapping based on threat severity levels

      • Added support for rshd command line extraction

      • Fixed duplicate event.kind assignments in IDP processing

      • Updated parser to version 3.0.0

      • Enhanced field mapping with IP address validation before normalization

      • Improved timestamp parsing with support for both ISO 8601 and BSD syslog timestamp formats

      For more information, see Package juniper/srx Release Notes.

    • dell/isilon has been updated to v1.2.2.

      • Updated ECS version to 9.1.0

      • Updated CPS version to 1.1.0

      • Updated parser version to 1.1.3

      • Removed timezone specification from parseTimestamp function

      • Updated test case data with new sample values

      For more information, see Package dell/isilon Release Notes.

    • zscaler/internet-access has been updated to v1.5.4.

      • Enhanced JSON parsing to handle escaped quotes in nested JSON structures

      • Added support for complex audit log events with nested preaction and postaction objects

      • Improved string replacement logic to preserve escaped quotes for proper JSON parsing

      • Updated parser version to 2.5.4

      For more information, see Package zscaler/internet-access Release Notes.

    • zscaler/private-access has been updated to v1.3.3.

      • Updated ECS version to 9.1.0

      • Removed timezone parameter from parseTimestamp function

      For more information, see Package zscaler/private-access Release Notes.

    • infoblox/nios has been updated to v1.3.3.

      • Removed timezone parameter from parseTimestamp functions to use system default timezone

      • Updated parser version to 2.2.3

      For more information, see Package infoblox/nios Release Notes.

    • microsoft/sysmon has been updated to v1.1.3.

      • Updated ECS version to 9.1.0

      • Removed timezone parameter from parseTimestamp functions for improved timestamp handling

      For more information, see Package microsoft/sysmon Release Notes.

    • zscaler/internet-access has been updated to v1.5.2.

      • Enhanced file field handling to support both upload and download file operations in web events

      • Improved file categorization logic with priority given to download files when both are present

      • Added support for upload file fields (upload_filename, upload_filesubtype, upload_filetype)

      • Updated ECS version to 9.1.0

      • Added new timestamp format support for Vendor.lastmodtime field

      • Updated parser version to 2.5.2

      For more information, see Package zscaler/internet-access Release Notes.

    • fortinet/fortigate has been updated to v1.5.0.

      • Updated parser version to 4.0.0

      • Enhanced event categorization and type mapping with comprehensive coverage for all event types

      • Improved field mapping using coalesce function for better field consolidation

      • Added threat enrichment fields for UTM events including virus, IPS, and anomaly detection

      • Enhanced network protocol detection and application layer protocol mapping

      • Improved client/server field mapping based on connection direction

      • Added array deduplication for event.category and event.type fields

      • Enhanced MAC address formatting with colon-to-dash replacement

      • Improved IP address validation with CIDR filtering

      • Added comprehensive test cases for SSL, DNS, traffic, and system events

      For more information, see Package fortinet/fortigate Release Notes.

    • juniper/srx has been updated to v1.5.1.

      • Updated minimum LogScale version requirement to 1.207.0

      For more information, see Package juniper/srx Release Notes.

    • f5networks/bigip has been updated to v2.5.0.

      • Enhanced SSH session handling with improved user extraction for login success and failure events

      • Improved audit log parsing with better key-value pair handling for complex field structures

      • Fixed regex patterns for SSH connection events to properly handle multiple connection scenarios

      • Added support for additional OS logger formats including TLS version and cipher information

      • Enhanced field coalescing for better data extraction from multiple potential sources

      For more information, see Package f5networks/bigip Release Notes.

    • okta/sso has been updated to v1.4.5.

      • Updated ECS version to 9.1.0

      • Enhanced user.name field handling to automatically populate user.email when user.name contains @ symbol

      • Improved code formatting and consistency

      For more information, see Package okta/sso Release Notes.

    • f5networks/bigip has been updated to v2.5.1.

      • Updated ECS version to 9.1.0 and CPS version to 1.1.0

      • Enhanced audit log parsing to specifically extract cmd_data from Vendor.audit_info for complete command data capture

      • Added new test case for AUDIT log format with cmd_data field extraction

      For more information, see Package f5networks/bigip Release Notes.

    • cisco/ios has been updated to v1.7.2.

      • Updated timestamp parsing to remove hardcoded timezone defaults for better flexibility

      • Enhanced parser to use system timezone when no timezone is specified

      • Improved timestamp handling for logs without explicit timezone information

      For more information, see Package cisco/ios Release Notes.

    • checkpoint/ngfw has been updated to v2.3.2.

      • Enhanced IP address validation using CIDR function for source and destination fields

      • Improved handling of source.address and destination.address fields with proper IP validation

      • Updated parser version to 3.3.2

      For more information, see Package checkpoint/ngfw Release Notes.

    • microsoft/windows-dns-debug has been updated to v1.3.2.

      • Updated ECS version to 9.1.0

      • Removed timezone specification from timestamp parsing

      • Enhanced parser version to 2.2.2

      For more information, see Package microsoft/windows-dns-debug Release Notes.

    • cisco/ios has been updated to v1.7.3.

      • Updated ECS version to 9.1.0

      • Updated CPS version to 1.1.0

      • Updated parser version to 2.6.3

      • Fixed typo in observer.ingress.interface.name field extraction for IGMP events

      For more information, see Package cisco/ios Release Notes.

    • fortinet/fortigate has been updated to v1.4.0.

      • Updated parser version to 3.0.0

      • Enhanced event outcome determination for traffic and UTM events with expanded action mappings

      • Improved TLS certificate field handling using array:append for proper array construction

      • Fixed vulnerability category field mapping to use array:append

      • Added new test cases for VPN, IPS, and traffic events

      • Updated field assignments to use array operations for ECS compliance

      For more information, see Package fortinet/fortigate Release Notes.

    • cisco/meraki has been updated to v1.5.3.

      • Removed timezone parameter from timestamp parsing functions to use system default timezone handling

      For more information, see Package cisco/meraki Release Notes.

    • aws/s3-server-access has been updated to v1.2.2.

      • Added cloud provider identification with cloud.provider field set to "aws"

      • Enhanced cloud resource tracking with cloud.target.Resource.type[] and cloud.target.Resource.id[] arrays

      • Improved cloud resource categorization for S3 buckets

      For more information, see Package aws/s3-server-access Release Notes.

    • aws/waf has been updated to v2.0.0.

      • Breaking Change: If the X-Forwarded-For header is present, the original client IP is now normalized to source.ip and Vendor.httpRequest.clientIp is now normalized to source.nat.ip.

      • Improved HTTP header extraction for referrer, host, and user-agent fields

      • Added URL domain and port parsing from Host header

      • Updated ECS version to 9.1.0 and CPS version to 1.1.0

      For more information, see Package aws/waf Release Notes.

    • cisco/ise has been updated to v2.0.2.

      • Enhanced CISE_Profiler event parsing with comprehensive event code support

      • Added support for profiler event codes 80001-80019 including endpoint collection, SNMP operations, DNS requests, and Edda connector management

      • Improved event categorization for profiler events with specific outcomes and actions

      • Updated ECS version to 9.1.0

      • Updated parser version to 3.0.2

      For more information, see Package cisco/ise Release Notes.

    • zscaler/internet-access has been updated to v1.5.3.

      • Updated ECS version to 9.1.0

      • Removed timezone parameter from parseTimestamp function

      For more information, see Package zscaler/internet-access Release Notes.

    • aws/vpcflow has been updated to v1.2.2.

      • Updated timestamp parsing to remove explicit timezone parameter

      • Updated parser version to 1.2.2

      For more information, see Package aws/vpcflow Release Notes.

    • nozomi/ids has been updated to v1.3.2.

      • Updated ECS version to 9.1.0

      • Updated CPS version to 1.1.0

      • Updated parser version to 3.0.2

      • Removed timezone specification from timestamp parsing for MMM dd yyyy HH:mm:ss format

      For more information, see Package nozomi/ids Release Notes.

    • checkpoint/ngfw has been updated to v2.4.0.

      • Added several new field normalizations

      • Enhanced field organization and grouping for better readability

      • Improved network protocol detection logic

      • Fixed event categorization for authentication events (Failed Log In now uses start type)

      • Added new event categorization patterns for system events

      • Updated parser version to 3.4.0

      For more information, see Package checkpoint/ngfw Release Notes.

    • radware/alteon has been updated to v1.2.2.

      • Updated ECS version to 9.1.0

      • Updated parser version to 1.1.2

      • Removed timezone parameter from findTimestamp() function calls

      For more information, see Package radware/alteon Release Notes.

    • haproxy/haproxy has been updated to v1.2.2.

      • Updated ECS version to 9.1.0

      • Updated CPS version to 1.1.0

      • Updated parser version to 1.1.3

      • Removed timezone parameter from parseTimestamp function

      For more information, see Package haproxy/haproxy Release Notes.

    • cisco/firepower has been updated to v1.7.4.

      • Removed timezone parameter from timestamp parsing functions to use system default timezone handling

      • Updated parser version to 3.3.4

      For more information, see Package cisco/firepower Release Notes.

    • netgate/pfsense has been updated to v1.1.3.

      • Updated minimum LogScale version requirement to 1.207.0

      For more information, see Package netgate/pfsense Release Notes.

    • cisco/ise has been updated to v2.0.1.

      • Fixed timezone handling in timestamp parsing by removing hardcoded timezone parameter

      • Updated parser version to 3.0.1

      For more information, see Package cisco/ise Release Notes.
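
The aws/waf v2.0.0 breaking change listed above moves the connecting peer address out of source.ip whenever an X-Forwarded-For header is present, which changes what existing source.ip filters match. The sketch below is an added example, not the package's parser code; the constructed sample records, the helper names, the choice of the leftmost valid header entry as the "original client IP", and clientIp staying in source.ip when no header is present are assumptions.

```python
import ipaddress

# Constructed AWS WAF log records (documentation-range addresses, not real traffic).
SAMPLE_WITH_XFF = {
    "action": "ALLOW",
    "httpRequest": {
        "clientIp": "198.51.100.7",
        "headers": [
            {"name": "Host", "value": "app.example.com"},
            {"name": "X-Forwarded-For", "value": "203.0.113.45, 10.0.0.12"},
        ],
    },
}
SAMPLE_NO_XFF = {
    "action": "BLOCK",
    "httpRequest": {
        "clientIp": "198.51.100.7",
        "headers": [{"name": "Host", "value": "app.example.com"}],
    },
}


def first_valid_ip(header_value):
    """Return the leftmost syntactically valid IP in an X-Forwarded-For value.

    Assumption: 'original client IP' means the leftmost valid entry.
    """
    for part in header_value.split(","):
        try:
            return str(ipaddress.ip_address(part.strip()))
        except ValueError:
            continue  # skip tokens such as "unknown" or host:port
    return None


def normalize_source(record):
    """Derive source.ip / source.nat.ip the way the v2.0.0 note describes."""
    req = record.get("httpRequest", {})
    client_ip = req.get("clientIp")  # address of the peer that connected to WAF
    xff = next(
        (h.get("value", "") for h in req.get("headers", [])
         if h.get("name", "").lower() == "x-forwarded-for"),
        None,
    )
    original = first_valid_ip(xff) if xff else None
    if original is None:
        # Assumption: without a usable header, clientIp remains source.ip.
        return {"source.ip": client_ip}
    return {"source.ip": original, "source.nat.ip": client_ip}


def matches_any_source(event, watchlist):
    """Match a watchlist against both fields, so a peer address that has
    moved to source.nat.ip is still found after the upgrade."""
    return any(event.get(f) in watchlist for f in ("source.ip", "source.nat.ip"))


if __name__ == "__main__":
    for rec in (SAMPLE_WITH_XFF, SAMPLE_NO_XFF):
        print(normalize_source(rec))
```

Because the header value comes from the request itself, watchlist and allowlist logic written against source.ip before the upgrade should be reviewed to also cover source.nat.ip.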