Falcon LogScale 1.213.0 GA (2025-11-04)
| Version? | Type? | Release Date? | Availability? | End of Support | Security Updates | Upgrades From? | Downgrades To? | Config. Changes? |
|---|---|---|---|---|---|---|---|---|
| 1.213.0 | GA | 2025-11-04 | Cloud | 2026-12-31 | No | 1.150.0 | 1.177.0 | No |
Hide file download links
Download
Use docker pull humio/humio-core:1.213.0 to download the latest version
Bug fixes and updates
Breaking Changes
The following items create a breaking change in the behavior, response or operation of this release.
Functions
Renamed parameter
caseInsensitiveintext:editDistance()andtext:editDistanceAsArray()toignoreCasefor consistency with other functions.
Removed
Items that have been removed as of this release.
GraphQL API
Removed deprecated GraphQL elements:
Mutations:
addStarToAlertV2
removeStarFromAlertV2
addStarToScheduledSearch
removeStarFromScheduledSearch
Fields:
Alert.isStarred
ScheduledSearch.isStarred
UserSettings.starredAlerts
The GraphQL enum value
GraphQlDirectivesAmountLimitfrom enum DynamicConfig has also been removed.Metrics and Monitoring
Removed the deprecated metric datasource-count, which was responsible for continuously reporting the number of datasources per repository.
Repository datasource information is still available in the following ways:
When new datasources are created and deleted, that information is available to users via datasource logs.
Users can also obtain the datasource count using the query
GET api/v1/repositories/$DATASPACEto view a current list of datasources for a given repository.For more information, see Repository and View Settings, Datasources, Ingestion: Ingest Phase.
Deprecation
Items that have been deprecated and may be removed in a future release.
The
EXTRA_KAFKA_CONFIGS_FILEconfiguration variable has been deprecated and planned to be removed no earlier than version 1.225.0. For more information, see RN Issue.
rdns()has been deprecated and will be removed in version 1.249. UsereverseDns()as an alternative function.
Behavior Changes
Scripts or environment which make use of these tools should be checked and updated for the new configuration:
Dashboards and Widgets
Removed the support email link (logscalesupport@crowdstrike.com) from scheduled report email footers.
Metrics and Monitoring
The internal monitoring jobs that used to query the internal humio repository for metrics now query the humio-metrics repository instead.
To support this, the default value of
SEARCH_PIPELINE_MONITOR_QUERYhas been changed to#kind=logs | count()for clusters without metrics in the LogScale repository.
Upgrades
Changes that may occur or be required during an upgrade.
Installation and Deployment
Upgraded the bundled Java Development Kit (JDK) to Java 25.0.1.
For this upgrade, users should be aware that systems configured with Transparent Huge Pages (THP) mode as
madvise, the option-XX:+UseTransparentHugePagesdoes not enable huge pages when running with the default garbage collector G1. To address this, the following workaround is available:shell# echo always > /sys/kernel/mm/transparent_hugepage/enabled
New features and improvements
API
Added the parameter
dataspaceIdto the Missing Segments API to allow deletion of all missing segments in a specific dataspace.
Fixed in this release
API
A file's HTTP PATCH endpoint could get stuck while reading new data by imposing size restrictions and ensuring the stream is read properly using Pekko sinks. This issue has now been fixed.
Dashboards and Widgets
Added support for referencing parsers within queries, allowing parsers to be included and referenced from other parsers. The new format supports new macros for
$parser://and$query://.For more information, see Referencing Resources.
Shared dashboards containing widgets using anchored time points (for example:
calendar: 1w@wfor last week) would fail authorization and fail to display dashboard data. This issue has now been fixed.
Queries
Fixed an issue where the internal polling frequency of subqueries could result in slower result display.
Functions
The
parseTimestamp()function would cause an internal server error when used outside parsers and given format strings with insufficient date information. This issue has now been fixed.The serialization protocol in the
defineTable()function caused query failure. This issue has now been fixed.
Known Issues
Storage
For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between
PRIMARY_STORAGE_PERCENTAGEandPRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
netgate/pfsense has been updated to v1.1.2.
Added support for RFC 5424 syslog format with ISO 8601 timestamps
Enhanced timestamp parsing to handle both BSD syslog and RFC 5424 formats
Updated parser version to 1.1.2
For more information, see Package netgate/pfsense Release Notes.
fortinet/fortigate has been updated to v1.4.1.
Updated parser version to 3.0.1
Removed timezone parameter from parseTimestamp function for date/time parsing
For more information, see Package fortinet/fortigate Release Notes.
infoblox/nios has been updated to v1.3.2.
Fixed DNS client IP extraction regex to improve parsing accuracy
Enhanced DNS message handling with proper @ symbol replacement
Updated ECS version to 9.1.0 and CPS version to 1.1.0
For more information, see Package infoblox/nios Release Notes.
zscaler/deception has been updated to v2.2.1.
Updated ECS version to 9.1.0
Updated CPS version to 1.1.0
Improved timestamp parsing by removing timezone parameter
For more information, see Package zscaler/deception Release Notes.
darktrace/detect has been updated to v2.0.1.
Updated ECS version to 9.1.0
Updated parser version to 3.0.1
Fixed timezone handling for RFC 3164 syslog timestamps by removing explicit UTC timezone setting
For more information, see Package darktrace/detect Release Notes.
cisco/ise has been updated to v2.0.0.
Major parser restructuring and optimization for improved performance
Enhanced field extraction and normalization with better error handling
Added support for new ISE event categories including CISE_Profiler, CISE_Guest, CISE_MyDevices
Improved parsing for CISE_Alarm events with support for misconfigured supplicant detection
Enhanced RADIUS and TACACS accounting event processing
Added comprehensive TLS certificate field mapping
Improved user field extraction with domain parsing
Enhanced server and client field identification
Added support for additional timestamp formats
Updated event categorization and outcome determination logic
Removed session_info log type, added network_access log type
Updated parser version to 3.0.0
For more information, see Package cisco/ise Release Notes.
palo-alto/prisma-sd-wan has been updated to v1.2.1.
Updated ECS version to 9.1.0
Improved timestamp parsing by removing timezone parameter for better compatibility
For more information, see Package palo-alto/prisma-sd-wan Release Notes.
f5networks/bigip has been updated to v2.5.2.
Removed timezone parameter from timestamp parsing functions to use system default timezone handling
For more information, see Package f5networks/bigip Release Notes.
claroty/ctd has been updated to v1.2.2.
Removed timezone parameter from parseTimestamp function to use automatic timezone detection
Updated parser version to 1.1.3
For more information, see Package claroty/ctd Release Notes.
forcepoint/dlp has been updated to v1.2.2.
Updated ECS version to 9.1.0
Updated CPS version to 1.1.0
Removed timezone specifications from timestamp parsing
Enhanced field mapping documentation
For more information, see Package forcepoint/dlp Release Notes.
checkpoint/ngfw has been updated to v2.3.3.
Removed timezone parameter from timestamp parsing functions to use system default timezone handling
For more information, see Package checkpoint/ngfw Release Notes.
cisco/firepower has been updated to v1.7.3.
Updated parser version to 3.3.3
Fixed field name from http.response.code to http.response.status_code in event code 607002 for proper ECS compliance
For more information, see Package cisco/firepower Release Notes.
juniper/srx has been updated to v1.5.0.
Added event severity mapping based on threat severity levels
Added support for rshd command line extraction
Fixed duplicate event.kind assignments in IDP processing
Updated parser to version 3.0.0
Enhanced field mapping with IP address validation before normalization
Improved timestamp parsing with support for both ISO 8601 and BSD syslog timestamp formats
For more information, see Package juniper/srx Release Notes.
dell/isilon has been updated to v1.2.2.
Updated ECS version to 9.1.0
Updated CPS version to 1.1.0
Updated parser version to 1.1.3
Removed timezone specification from parseTimestamp function
Updated test case data with new sample values
For more information, see Package dell/isilon Release Notes.
zscaler/internet-access has been updated to v1.5.4.
Enhanced JSON parsing to handle escaped quotes in nested JSON structures
Added support for complex audit log events with nested preaction and postaction objects
Improved string replacement logic to preserve escaped quotes for proper JSON parsing
Updated parser version to 2.5.4
For more information, see Package zscaler/internet-access Release Notes.
zscaler/private-access has been updated to v1.3.3.
Updated ECS version to 9.1.0
Removed timezone parameter from parseTimestamp function
For more information, see Package zscaler/private-access Release Notes.
infoblox/nios has been updated to v1.3.3.
Removed timezone parameter from parseTimestamp functions to use system default timezone
Updated parser version to 2.2.3
For more information, see Package infoblox/nios Release Notes.
microsoft/sysmon has been updated to v1.1.3.
Updated ECS version to 9.1.0
Removed timezone parameter from parseTimestamp functions for improved timestamp handling
For more information, see Package microsoft/sysmon Release Notes.
zscaler/internet-access has been updated to v1.5.2.
Enhanced file field handling to support both upload and download file operations in web events
Improved file categorization logic with priority given to download files when both are present
Added support for upload file fields (upload_filename, upload_filesubtype, upload_filetype)
Updated ECS version to 9.1.0
Added new timestamp format support for Vendor.lastmodtime field
Updated parser version to 2.5.2
For more information, see Package zscaler/internet-access Release Notes.
fortinet/fortigate has been updated to v1.5.0.
Updated parser version to 4.0.0
Enhanced event categorization and type mapping with comprehensive coverage for all event types
Improved field mapping using coalesce function for better field consolidation
Added threat enrichment fields for UTM events including virus, IPS, and anomaly detection
Enhanced network protocol detection and application layer protocol mapping
Improved client/server field mapping based on connection direction
Added array deduplication for event.category and event.type fields
Enhanced MAC address formatting with colon-to-dash replacement
Improved IP address validation with CIDR filtering
Added comprehensive test cases for SSL, DNS, traffic, and system events
For more information, see Package fortinet/fortigate Release Notes.
juniper/srx has been updated to v1.5.1.
Updated minimum LogScale version requirement to 1.207.0
For more information, see Package juniper/srx Release Notes.
f5networks/bigip has been updated to v2.5.0.
Enhanced SSH session handling with improved user extraction for login success and failure events
Improved audit log parsing with better key-value pair handling for complex field structures
Fixed regex patterns for SSH connection events to properly handle multiple connection scenarios
Added support for additional OS logger formats including TLS version and cipher information
Enhanced field coalescing for better data extraction from multiple potential sources
For more information, see Package f5networks/bigip Release Notes.
f5networks/bigip has been updated to v2.5.1.
Updated ECS version to 9.1.0 and CPS version to 1.1.0
Enhanced audit log parsing to specifically extract cmd_data from Vendor.audit_info for complete command data capture
Added new test case for AUDIT log format with cmd_data field extraction
For more information, see Package f5networks/bigip Release Notes.
cisco/ios has been updated to v1.7.2.
Updated timestamp parsing to remove hardcoded timezone defaults for better flexibility
Enhanced parser to use system timezone when no timezone is specified
Improved timestamp handling for logs without explicit timezone information
For more information, see Package cisco/ios Release Notes.
microsoft/windows-dns-debug has been updated to v1.3.2.
Updated ECS version to 9.1.0
Removed timezone specification from timestamp parsing
Enhanced parser version to 2.2.2
For more information, see Package microsoft/windows-dns-debug Release Notes.
cisco/ios has been updated to v1.7.3.
Updated ECS version to 9.1.0
Updated CPS version to 1.1.0
Updated parser version to 2.6.3
Fixed typo in observer.ingress.interface.name field extraction for IGMP events
For more information, see Package cisco/ios Release Notes.
cisco/meraki has been updated to v1.5.3.
Removed timezone parameter from timestamp parsing functions to use system default timezone handling
For more information, see Package cisco/meraki Release Notes.
aws/s3-server-access has been updated to v1.2.2.
Added cloud provider identification with cloud.provider field set to "aws"
Enhanced cloud resource tracking with cloud.target.Resource.type[] and cloud.target.Resource.id[] arrays
Improved cloud resource categorization for S3 buckets
For more information, see Package aws/s3-server-access Release Notes.
aws/waf has been updated to v2.0.0.
Breaking Change: If X-Forwarded-For header is present, normalize the original client IP to source.ip and Vendor.httpRequest.clientIp is now normalied to source.nat.ip.
Improved HTTP header extraction for referrer, host, and user-agent fields
Added URL domain and port parsing from Host header
Updated ECS version to 9.1.0 and CPS version to 1.1.0
For more information, see Package aws/waf Release Notes.
cisco/ise has been updated to v2.0.2.
Enhanced CISE_Profiler event parsing with comprehensive event code support
Added support for profiler event codes 80001-80019 including endpoint collection, SNMP operations, DNS requests, and Edda connector management
Improved event categorization for profiler events with specific outcomes and actions
Updated ECS version to 9.1.0
Updated parser version to 3.0.2
For more information, see Package cisco/ise Release Notes.
zscaler/internet-access has been updated to v1.5.3.
Updated ECS version to 9.1.0
Removed timezone parameter from parseTimestamp function
For more information, see Package zscaler/internet-access Release Notes.
aws/vpcflow has been updated to v1.2.2.
Updated timestamp parsing to remove explicit timezone parameter
Updated parser version to 1.2.2
For more information, see Package aws/vpcflow Release Notes.
nozomi/ids has been updated to v1.3.2.
Updated ECS version to 9.1.0
Updated CPS version to 1.1.0
Updated parser version to 3.0.2
Removed timezone specification from timestamp parsing for MMM dd yyyy HH:mm:ss format
For more information, see Package nozomi/ids Release Notes.
checkpoint/ngfw has been updated to v2.4.0.
Added several new field normalizations
Enhanced field organization and grouping for better readability
Improved network protocol detection logic
Fixed event categorization for authentication events (Failed Log In now uses start type)
Added new event categorization patterns for system events
Updated parser version to 3.4.0
For more information, see Package checkpoint/ngfw Release Notes.
radware/alteon has been updated to v1.2.2.
Updated ECS version to 9.1.0
Updated parser version to 1.1.2
Removed timezone parameter from findTimestamp() function calls
For more information, see Package radware/alteon Release Notes.
haproxy/haproxy has been updated to v1.2.2.
Updated ECS version to 9.1.0
Updated CPS version to 1.1.0
Updated parser version to 1.1.3
Removed timezone parameter from parseTimestamp function
For more information, see Package haproxy/haproxy Release Notes.
cisco/firepower has been updated to v1.7.4.
Removed timezone parameter from timestamp parsing functions to use system default timezone handling
Updated parser version to 3.3.4
For more information, see Package cisco/firepower Release Notes.
netgate/pfsense has been updated to v1.1.3.
Updated minimum LogScale version requirement to 1.207.0
For more information, see Package netgate/pfsense Release Notes.
cisco/ise has been updated to v2.0.1.
Fixed timezone handling in timestamp parsing by removing hardcoded timezone parameter
Updated parser version to 3.0.1
For more information, see Package cisco/ise Release Notes.