Falcon LogScale 1.213.1 LTS (2025-12-09)
| Version? | Type? | Release Date? | Availability? | End of Support | Security Updates | Upgrades From? | Downgrades To? | Config. Changes? |
|---|---|---|---|---|---|---|---|---|
| 1.213.1 | LTS | 2025-12-09 | Cloud On-Prem | 2026-12-31 | Yes | 1.150.0 | 1.177.0 | No |
Hide file download links
Download
Use docker pull humio/humio-core:1.213.1 to download the latest version
Hide file hashes
These notes include entries from the following previous releases: 1.213.0, 1.212.0, 1.211.0, 1.210.0, 1.209.0, 1.208.0
Bug fixes and updates.
Breaking Changes
The following items create a breaking change in the behavior, response or operation of this release.
GraphQL API
The dashboard field in the ScheduledReport GraphQL type is now optional. When users lack dashboard access permissions, the field will return a
nullresult instead of causing a request failure.Note
Users should update their queries and type definitions to account for the optional nature of this field and that a
nullvalue exists.Functions
Renamed parameter
caseInsensitiveintext:editDistance()andtext:editDistanceAsArray()toignoreCasefor consistency with other functions.
Advance Warning
The following items are due to change in a future release.
Configuration
Cached data files mode, which allows users to configure a local cache directory for segment files, has been deprecated and will be removed in version 1.225.0. This configuration is no longer recommended, as using a local drive with bucket storage generally provides better performance.
The associated configuration variables have also been deprecated and are planned for removal in version 1.225.0:
Removed
Items that have been removed as of this release.
GraphQL API
Removed deprecated GraphQL elements:
Mutations:
addStarToAlertV2
removeStarFromAlertV2
addStarToScheduledSearch
removeStarFromScheduledSearch
Fields:
Alert.isStarred
ScheduledSearch.isStarred
UserSettings.starredAlerts
The GraphQL enum value
GraphQlDirectivesAmountLimitfrom enum DynamicConfig has also been removed.Metrics and Monitoring
Removed the deprecated metric datasource-count, which was responsible for continuously reporting the number of datasources per repository.
Repository datasource information is still available in the following ways:
When new datasources are created and deleted, that information is available to users via datasource logs.
Users can also obtain the datasource count using the query
GET api/v1/repositories/$DATASPACEto view a current list of datasources for a given repository.For more information, see Repository and View Settings, Datasources, Ingestion: Ingest Phase.
Deprecation
Items that have been deprecated and may be removed in a future release.
The updateUploadFileAction() GraphQL mutation is deprecated. Use instead updateUploadFileActionV2().
The
EXTRA_KAFKA_CONFIGS_FILEconfiguration variable has been deprecated and planned to be removed no earlier than version 1.225.0. For more information, see RN Issue.
rdns()has been deprecated and will be removed in version 1.249. UsereverseDns()as an alternative function.
Behavior Changes
Scripts or environment which make use of these tools should be checked and updated for the new configuration:
User Interface
Updated the and dropdown menu items to direct users to the CrowdStrike Support Portal.
GraphQL API
GraphQL mutations used for updating actions will now preserve existing label values when the labels argument is omitted. Users who want to remove labels from an action will need to specifically assign the labels argument to an empty list, by entering a pair of brackets with nothing between them (i.e., labels: []).
Dashboards and Widgets
Removed the support email link (logscalesupport@crowdstrike.com) from scheduled report email footers.
Queries
Made changes to
correlate()internals that are not backwards compatible. Clusters with mixed new and old LogScale versions will not be able to runcorrelate()queries until all nodes are upgraded. This limitation also applies to Multi-Cluster Search queries across clusters running different versions.Metrics and Monitoring
The internal monitoring jobs that used to query the internal humio repository for metrics now query the humio-metrics repository instead.
To support this, the default value of
SEARCH_PIPELINE_MONITOR_QUERYhas been changed to#kind=logs | count()for clusters without metrics in the LogScale repository.Functions
The following function restrictions are now compile-time errors instead of runtime errors, making them detectable by GraphQL APIs and Language Service Protocol (LSP):
eval()now includes coverage for invalid usage within expressions
groupBy()now includes coverage for limiting parameter values exceeding maximum allowed value
series()includes coverage for collection parameters containing prohibited fields
regex(),replace(), andarray:regex()includes coverage for their use of Regular Expression Engine v2 when disabled at cluster level.
Changed liveness restrictions for
selfJoin()andselfJoinFilter()functions to be enforced at compile time instead of runtime, enabling detection by the Language Service Protocol (LSP) and GraphQL validation endpoints.Changed top-level restrictions for join-like query functions to be enforced at compile time instead of runtime, enabling detection by the Language Service Protocol (LSP) and GraphQL validation endpoints.
Upgrades
Changes that may occur or be required during an upgrade.
Installation and Deployment
Upgraded LogScale's Zstandard (ZSTD) compression library from version 1.5.6 to 1.5.7.
Upgraded the bundled Java Development Kit (JDK) to Java 25.0.1.
For this upgrade, users should be aware that systems configured with Transparent Huge Pages (THP) mode as
madvise, the option-XX:+UseTransparentHugePagesdoes not enable huge pages when running with the default garbage collector G1. To address this, the following workaround is available:shell# echo always > /sys/kernel/mm/transparent_hugepage/enabled
New features and improvements
Security
Added new environment variable
SAML_METADATA_ENDPOINT_URL, allowing users to specify where LogScale will fetch the IdP signing certificate. This provides an alternative to usingSAML_IDP_CERTIFICATEandSAML_ALTERNATIVE_IDP_CERTIFICATE, and enables easier certificate management without having to restart LogScale with a new set of variables.The existing certificate configuration options remain available, and when both methods are specified, certificates from both sources will be used.
GraphQL API
Enhanced the GraphQL entities search API to include scheduled reports as searchable assets. The entitiesSearch, entitiesPage, and entitiesLabels query endpoints now support scheduled reports with full metadata access and standard filtering capabilities.
This change extends the entitiesSearch, entitiesPage, and entitiesLabels query endpoints to:
Return scheduled reports as part of search results when filtering by entity types
Provide full access to scheduled report metadata through the
ScheduledReportResultdatatypeSupport the same filtering and pagination capabilities available for other asset types
Maintain proper view-level access controls for scheduled report visibility
Storage
Move bucket storage actions (for example, writing data to disk after bucket download, encryption/decryption when applicable) to a dedicated threadpool. This should result in less blocking on the threadpool responsible for handling HTTP requests (which could lead nodes to becoming unresponsive).
Added support for archiving ingested logs to Azure Storage. Logs that are archived using Azure Storage are available for further processing in any external system that integrates with Azure.
Users can configure Azure Storage archiving options using the following optional settings in the Egress repository:
Bucket (required) – destination bucket for archived logs
Format – choose between NDJSON or Raw formatting for the stored file (default: NDJSON)
Archiving start – select between archiving all segments or only those starting after a specified UTC timestamp
For more information, see Azure Archiving.
API
Extended a user's ability to control lookup file management with the creation of two REST API endpoints,
filefromqueryandfileoperation. Also extended the existing REST API endpointfileto support PATCH operations, and provide the ability for users to update existing files. Previously, users could only replace them in their entirety.The endpoint
filefromquerywill provide the following functionality:Support for creating and updating lookup files directly from the dropdown menu in the search results by clicking , see Create a lookup file in the Search interface for more information.
Support for updating lookup files via extensions to an existing file's REST API.
The endpoint
fileoperationwill provide the following functionality:Allows users to view the progress of operations started on other endpoints.
Updates the state of PATCH operations on the
filesendpoint.
For more information, see Lookup API.
Added the parameter
dataspaceIdto the Missing Segments API to allow deletion of all missing segments in a specific dataspace.
Dashboards and Widgets
Added a default Series color palette option for dashboards. This new palette can be configured at dashboard level and can be inherited by those widgets that support multiple color palettes for differentiating between series.
Added new styling option to adjust the size of axis and legend titles on
Time Chart,Pie Chart,Bar Chart,Scatter Chart, andHeat Mapwidgets.A new Sorting styling option is now available for the
Bar Chartand theHeat Mapwidgets, allowing for ordering the x and y axes with different methods.For more information, see Bar Chart Property Reference, Heat Map Property Reference.
Metrics and Monitoring
Added the field window_count to
Timermetrics. It tracks the number of measurements in the given window, usually 60 seconds.
Functions
Added query function
matchAsArray(), which matches multiple rows from a CSV or JSON file and adds them as object array fields. This is similar to thematch()function but with the following key differences:Only supports
ExactMatchmodeAdds multiple matches as structured arrays instead of creating separate events
Allows customization of the array name using the
asArrayparameter
The length of the structured arrays is limited by the
nrowsparameter. If the number of matches is larger thannrows, then the last matchingnrowsare put in the structured array. This is similar to how thematch()function deals with matches larger thannrows.For more information, see
matchAsArray().The Upload file action has now been renamed to Lookup file action and improved with new upload functionalities:
Overwrite– Replaces entire file contents of existing file (existing behavior)Append– Adds new information to the end of existing fileUpdate– Updates specific rows based on selected key columns.
Note
The existing behavior for the
Lookup Fileaction isOverwrite, which replaces the entire contents of existing CSV files.For more information, see Action Type: Lookup File, Lookup Files.
Added two new functions for calculating edit (Levenshtein) distances:
text:editDistance()– returns the edit distance between target and reference strings, capped atmaxDistancetext:editDistanceAsArray()– returns an object array containing edit distances between a target string and multiple reference strings
Fixed in this release
Storage
Fixed an issue where multiple nodes would concurrently attempt to execute the same merges of mini-segments, creating waste. Future merges will now use one node consistently.
Fixed an issue causing unbounded creation of global snapshots in temporary directories during periods of poor bucket storage performance.
API
A file's HTTP PATCH endpoint could get stuck while reading new data by imposing size restrictions and ensuring the stream is read properly using Pekko sinks. This issue has now been fixed.
Dashboards and Widgets
Added support for referencing parsers within queries, allowing parsers to be included and referenced from other parsers. The new format supports new macros for
$parser://and$query://.For more information, see Referencing Resources.
Shared dashboards containing widgets using anchored time points (for example:
calendar: 1w@wfor last week) would fail authorization and fail to display dashboard data. This issue has now been fixed.
Queries
Fixed an issue where anchored time points would cause import/export of dashboards and saved queries to fail. New schema versions for dashboards and saved queries (0.23.0 and 0.60 respectively) will now allow advanced time interval syntax.
For more information, see Anchored Time Points - Syntax.
Fixed an issue where queries using the
correlate()function within a federated search could experience a memory leak.Fixed an issue where the internal polling frequency of subqueries could result in slower result display.
Metrics and Monitoring
Fixed two issues with metrics:
Ingest queue offset metrics are now properly cleaned up when the job switches nodes, preventing stale metric reporting.
Falcon Data Replicator (FDR) queue metrics can now be re-registered after being unregistered, supporting re-enabled FDR feeds.
Affected metrics:
ingest-consumer-group-offset
ingest-consumer-group-offset-lag
ingest-offset-lowest
ingest-queue-lowest-offset-lag
fdr-message-count
fdr-inflight-message-count
For more information, see Ingesting FDR Data into a Repository.
Fixed an issue where the progress report for the metric ingest-queue-read-offset would erroneously log errors stating Ingest queue progress error approximately 90 minutes after cluster restart.
Functions
Fixed an issue where the
parseXml()function would output arrays incompatible with array functions due to the lack of a0element. Backward compatibility with existing queries is maintained by keeping the first element in the non-array field.For more information, see
parseXml().The
parseTimestamp()function would cause an internal server error when used outside parsers and given format strings with insufficient date information. This issue has now been fixed.The serialization protocol in the
defineTable()function caused query failure. This issue has now been fixed.
Other
Fixed LDAP authentication bug.
Fixed an issue where the process to delete messages from the ingest queue would sometimes trigger the error Skipping Kafka event deletion for this round since stripping topOffsets failed during the calculation phase without cause.
Known Issues
Storage
For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between
PRIMARY_STORAGE_PERCENTAGEandPRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.
Improvement
Administration and Management
Re-introduced audit logging when overriding an existing Lookup file with identical content.
User Interface
Updated the series formatting color picker for widgets and dashboards to support color selection from predefined color palettes.
Enhanced Lookup files and Interactions asset types in the
Resourcespage, as follows.Lookup filestable component improvements:Added table sorting
Implemented proper pagination
Added package column filtering
Updated package column to show versionless package string instead of with version
Interactionstable component improvements:Added sort functionality
Implemented proper pagination
Added column filters for package and interaction type
Fixed the Language Server Protocol (LSP) features in the panel so the Query Editor for editing Search link interactions has LSP features (syntax highlighting, docs, suggestions, etc.)
Ingestion
Added error logging for ingest queue progression issues. When the read offset metric for any ingest queue partition doesn't progress, logs will display an error message stating Ingest queue progress error: before providing the log data.
The criteria for an error message being provided are:
Ingest queue doesn't progress over a 10-minute period
Ingest queue shows no activity for over an hour
Note
LogScale clusters regularly send internal messages on every ingest partition. If the metric does not increase, there is an issue with the digester.
Queries
Added user-visible warnings to alert users when query polling fails repeatedly.
Query cost/work calculation no longer includes time the query spends waiting for work.
For more information, see Query stats.
Digest nodes now measure wall-clock time instead of CPU time when updating live queries with events, improving performance and reducing CPU usage.
Note
This improvement may introduce slight variations in live cost measurements due to thread scheduling.
Improved live query handling during high ingest latency. LogScale now avoids halting live queries when latency is not caused by digest node overload.
To control this behavior, users can apply the environment variable
LIVEQUERY_CANCEL_TRIGGER_INGEST_OCCUPANCY_LIMIT. This variable provides the amount of time spent waiting for events to be stored in segments and written to live queries compared to obtaining data from Kafka with a percentage value.Note
Setting the default value to
-1disables the logic.Warning
The maximum environment variable value is 100. If set to this value, live queries will not be stopped due to ingest delay.
Metrics and Monitoring
Added new metrics for live query execution monitoring:
total-live-events – provides an aggregate count of live events across all dataspaces
worker-live-queries – provides the number of live queries currently running on the worker node
worker-live-dataspace-queries – provides the total number of repository queries currently executing on the worker node
Functions
Improved
correlate()graph analysis performance. Users may notice changes to the query graph visualization.For more information, see Correlation Options, Display tabs.
Improved error handling resiliency for multi-pass functions like
correlate()by creating an automatic stop for queries that would previously stall indefinitely. Future queries that stall will be stopped automatically.
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
infoblox/nios has been updated to v1.3.4.
Updated ECS version to 9.2.0
Fixed DNS answers type field mapping to use array notation (dns.answers[0].type)
Updated parser version to 2.2.4
For more information, see Package infoblox/nios Release Notes.
imperva/cloud-waf has been updated to v1.6.0.
Updated ECS version to 9.2.0
Updated CPS version to 1.1.0
Updated parser version to 4.0.0
Enhanced event categorization with improved event.category and event.type arrays
Added comprehensive client, server, and destination field mappings
Improved network type detection for IPv4 and IPv6 addresses
Added observer, network, and URL field mappings
For more information, see Package imperva/cloud-waf Release Notes.
cisco/ise has been updated to v2.0.3.
Enhanced Response field parsing for cisco-av-pair attributes with improved regex pattern matching
Updated parser version to 3.0.3
For more information, see Package cisco/ise Release Notes.
trellix/fireeye-nx has been updated to v1.2.2.
Updated package description in manifest
For more information, see Package trellix/fireeye-nx Release Notes.
cisco/umbrella has been updated to v1.4.1.
Updated parser version to 3.0.1
Added strict=false parameter to regex function for improved parsing reliability
For more information, see Package cisco/umbrella Release Notes.
haproxy/haproxy has been updated to v1.2.3.
Enhanced syslog parsing with improved BSD Syslog format support
Added comprehensive HTTP, TCP, and error log format parsing
Updated ECS version to 9.2.0
Improved field mappings for client, source, destination, and server fields
Added TLS version detection and SSL handshake failure parsing
Enhanced URL parsing with query parameter extraction
Added IP address validation for source and client fields
Improved event categorization and outcome determination
For more information, see Package haproxy/haproxy Release Notes.
microsoft/windows-dns-debug has been updated to v1.5.0.
Added support for new DNS log format with LOOKUP and RECURSE operations
Enhanced DNS answer record parsing with answer name and type extraction
Improved thread ID handling with both name and numeric ID fields
Added new DNS type classification for answer records
Updated parser version to 2.4.0
For more information, see Package microsoft/windows-dns-debug Release Notes.
netgate/pfsense has been updated to v1.1.2.
Added support for RFC 5424 syslog format with ISO 8601 timestamps
Enhanced timestamp parsing to handle both BSD syslog and RFC 5424 formats
Updated parser version to 1.1.2
For more information, see Package netgate/pfsense Release Notes.
zscaler/internet-access has been updated to v1.5.1.
Enhanced user email field handling to only set user.email when a valid email format is detected
Improved MD5 hash field processing for file.hash.md5
Fixed conditional logic for user field extraction across all dataset types
Updated parser version to 2.5.1
For more information, see Package zscaler/internet-access Release Notes.
fortinet/fortigate has been updated to v1.4.1.
Updated parser version to 3.0.1
Removed timezone parameter from parseTimestamp function for date/time parsing
For more information, see Package fortinet/fortigate Release Notes.
aws/fsx has been updated to v1.1.2.
Removed deprecated fsx-xml parser
For more information, see Package aws/fsx Release Notes.
infoblox/nios has been updated to v1.3.2.
Fixed DNS client IP extraction regex to improve parsing accuracy
Enhanced DNS message handling with proper @ symbol replacement
Updated ECS version to 9.1.0 and CPS version to 1.1.0
For more information, see Package infoblox/nios Release Notes.
zscaler/deception has been updated to v2.2.1.
Updated ECS version to 9.1.0
Updated CPS version to 1.1.0
Improved timestamp parsing by removing timezone parameter
For more information, see Package zscaler/deception Release Notes.
darktrace/detect has been updated to v2.0.1.
Updated ECS version to 9.1.0
Updated parser version to 3.0.1
Fixed timezone handling for RFC 3164 syslog timestamps by removing explicit UTC timezone setting
For more information, see Package darktrace/detect Release Notes.
cisco/umbrella has been updated to v1.4.0.
Updated parser to support Cisco Umbrella Log Schema Version 13
For more information, see Package cisco/umbrella Release Notes.
f5networks/bigip has been updated to v2.5.2.
Removed timezone parameter from timestamp parsing functions to use system default timezone handling
For more information, see Package f5networks/bigip Release Notes.
cisco/ise has been updated to v2.0.0.
Major parser restructuring and optimization for improved performance
Enhanced field extraction and normalization with better error handling
Added support for new ISE event categories including CISE_Profiler, CISE_Guest, CISE_MyDevices
Improved parsing for CISE_Alarm events with support for misconfigured supplicant detection
Enhanced RADIUS and TACACS accounting event processing
Added comprehensive TLS certificate field mapping
Improved user field extraction with domain parsing
Enhanced server and client field identification
Added support for additional timestamp formats
Updated event categorization and outcome determination logic
Removed session_info log type, added network_access log type
Updated parser version to 3.0.0
For more information, see Package cisco/ise Release Notes.
palo-alto/prisma-sd-wan has been updated to v1.2.1.
Updated ECS version to 9.1.0
Improved timestamp parsing by removing timezone parameter for better compatibility
For more information, see Package palo-alto/prisma-sd-wan Release Notes.
zscaler/deception has been updated to v2.3.0.
Updated parser version to 3.0.0
Updated ECS version to 9.2.0
Enhanced event categorization with comprehensive type matching for different log types
Improved field mappings for source, destination, client, and server fields
Added support for additional file operations and process tracking
Enhanced threat intelligence integration with abuse confidence scoring
Improved timestamp parsing from syslog headers
Added comprehensive network protocol and connection state handling
For more information, see Package zscaler/deception Release Notes.
okta/sso has been updated to v1.4.4.
Enhanced actor type handling with conditional logic for IP addresses and Event Hooks
Fixed client.user.full_name field mapping to handle different actor types appropriately
For more information, see Package okta/sso Release Notes.
claroty/ctd has been updated to v1.2.2.
Removed timezone parameter from parseTimestamp function to use automatic timezone detection
Updated parser version to 1.1.3
For more information, see Package claroty/ctd Release Notes.
forcepoint/dlp has been updated to v1.2.2.
Updated ECS version to 9.1.0
Updated CPS version to 1.1.0
Removed timezone specifications from timestamp parsing
Enhanced field mapping documentation
For more information, see Package forcepoint/dlp Release Notes.
checkpoint/ngfw has been updated to v2.3.3.
Removed timezone parameter from timestamp parsing functions to use system default timezone handling
For more information, see Package checkpoint/ngfw Release Notes.
aruba/clearpass has been updated to v1.3.0.
Enhanced System category event handling with improved regex patterns for cleanup operations
Improved data integrity by using temporary field for rawstring processing
Updated parser version to 2.1.0 and CPS version to 1.1.0
For more information, see Package aruba/clearpass Release Notes.
veeam/veeamdataplatform has been updated to v1.0.2.
Updated ECS version to 9.2.0 and CPS version to 1.1.0
Consolidated user extraction logic for event ID 42405 with other InitiatorFullInfo events
Merged event ID ranges for UserName field extraction
Updated test cases with new sample data
For more information, see Package veeam/veeamdataplatform Release Notes.
microsoft/dhcp-server has been updated to v1.3.2.
Updated ECS version to 9.1.0
Updated parser version to 2.1.2
Removed timezone specification from parseTimestamp function
For more information, see Package microsoft/dhcp-server Release Notes.
cisco/firepower has been updated to v1.7.3.
Updated parser version to 3.3.3
Fixed field name from http.response.code to http.response.status_code in event code 607002 for proper ECS compliance
For more information, see Package cisco/firepower Release Notes.
juniper/srx has been updated to v1.5.0.
Added event severity mapping based on threat severity levels
Added support for rshd command line extraction
Fixed duplicate event.kind assignments in IDP processing
Updated parser to version 3.0.0
Enhanced field mapping with IP address validation before normalization
Improved timestamp parsing with support for both ISO 8601 and BSD syslog timestamp formats
For more information, see Package juniper/srx Release Notes.
dell/isilon has been updated to v1.2.2.
Updated ECS version to 9.1.0
Updated CPS version to 1.1.0
Updated parser version to 1.1.3
Removed timezone specification from parseTimestamp function
Updated test case data with new sample values
For more information, see Package dell/isilon Release Notes.
zscaler/internet-access has been updated to v1.5.4.
Enhanced JSON parsing to handle escaped quotes in nested JSON structures
Added support for complex audit log events with nested preaction and postaction objects
Improved string replacement logic to preserve escaped quotes for proper JSON parsing
Updated parser version to 2.5.4
For more information, see Package zscaler/internet-access Release Notes.
zscaler/private-access has been updated to v1.3.3.
Updated ECS version to 9.1.0
Removed timezone parameter from parseTimestamp function
For more information, see Package zscaler/private-access Release Notes.
infoblox/nios has been updated to v1.3.3.
Removed timezone parameter from parseTimestamp functions to use system default timezone
Updated parser version to 2.2.3
For more information, see Package infoblox/nios Release Notes.
microsoft/sysmon has been updated to v1.1.3.
Updated ECS version to 9.1.0
Removed timezone parameter from parseTimestamp functions for improved timestamp handling
For more information, see Package microsoft/sysmon Release Notes.
zscaler/internet-access has been updated to v1.5.0.
Added support for multi-event processing with event.original.hash.sha256 field for bulk events
Updated parser to preserve event.original field for the first event in multi-event logs
Enhanced event processing logic to handle concatenated JSON events more efficiently
Updated parser version to 2.5.0
For more information, see Package zscaler/internet-access Release Notes.
zscaler/internet-access has been updated to v1.5.2.
Enhanced file field handling to support both upload and download file operations in web events
Improved file categorization logic with priority given to download files when both are present
Added support for upload file fields (upload_filename, upload_filesubtype, upload_filetype)
Updated ECS version to 9.1.0
Added new timestamp format support for Vendor.lastmodtime field
Updated parser version to 2.5.2
For more information, see Package zscaler/internet-access Release Notes.
fortinet/fortigate has been updated to v1.5.0.
Updated parser version to 4.0.0
Enhanced event categorization and type mapping with comprehensive coverage for all event types
Improved field mapping using coalesce function for better field consolidation
Added threat enrichment fields for UTM events including virus, IPS, and anomaly detection
Enhanced network protocol detection and application layer protocol mapping
Improved client/server field mapping based on connection direction
Added array deduplication for event.category and event.type fields
Enhanced MAC address formatting with colon-to-dash replacement
Improved IP address validation with CIDR filtering
Added comprehensive test cases for SSL, DNS, traffic, and system events
For more information, see Package fortinet/fortigate Release Notes.
juniper/srx has been updated to v1.5.1.
Updated minimum LogScale version requirement to 1.207.0
For more information, see Package juniper/srx Release Notes.
f5networks/bigip has been updated to v2.5.0.
Enhanced SSH session handling with improved user extraction for login success and failure events
Improved audit log parsing with better key-value pair handling for complex field structures
Fixed regex patterns for SSH connection events to properly handle multiple connection scenarios
Added support for additional OS logger formats including TLS version and cipher information
Enhanced field coalescing for better data extraction from multiple potential sources
For more information, see Package f5networks/bigip Release Notes.
okta/sso has been updated to v1.4.5.
Updated ECS version to 9.1.0
Enhanced user.name field handling to automatically populate user.email when user.name contains @ symbol
Improved code formatting and consistency
For more information, see Package okta/sso Release Notes.
zscaler/private-access has been updated to v1.4.0.
Enhanced parser with comprehensive ECS field mappings for all ZPA log types
Added support for app connector metrics logs
Improved field normalization with proper source/destination/client/server mappings
Enhanced network traffic analysis with ingress/egress byte tracking
Added comprehensive event categorization and outcome determination
Improved timestamp handling across all log types
Enhanced user and authentication event processing
Added proper host infrastructure monitoring fields
Improved security inspection rule mapping
Enhanced geographic location tracking for all components
For more information, see Package zscaler/private-access Release Notes.
cisco/firepower has been updated to v1.7.2.
Updated parser version to 3.3.2
Enhanced regex pattern for event code 106015 to better capture flags field with multiple values
For more information, see Package cisco/firepower Release Notes.
checkpoint/ngfw has been updated to v2.3.1.
Fixed regex pattern for numerical action values to prevent backtracking issues
Updated parser version to 3.3.1
For more information, see Package checkpoint/ngfw Release Notes.
okta/sso has been updated to v1.4.6.
Updated ECS version to 9.2.0
Enhanced event outcome handling to include UNANSWERED and ABANDONED result types
Added support for additional event types including app.oauth2.token.grant, event_hook.delivery, system.push.send_factor_verify_push, and various system notification events
Improved code formatting and consistency throughout parser
Added new test cases for enhanced coverage
For more information, see Package okta/sso Release Notes.
cisco/firepower has been updated to v1.7.6.
Updated parser version to 3.3.6
Enhanced key-value parsing for events 430001-430007 to better handle UserAgent field extraction
Improved regex pattern to handle complex field values with commas and special characters
For more information, see Package cisco/firepower Release Notes.
f5networks/bigip has been updated to v2.5.1.
Updated ECS version to 9.1.0 and CPS version to 1.1.0
Enhanced audit log parsing to specifically extract cmd_data from Vendor.audit_info for complete command data capture
Added new test case for AUDIT log format with cmd_data field extraction
For more information, see Package f5networks/bigip Release Notes.
f5networks/bigip has been updated to v3.0.0.
Updated to support RFC 5424 syslog format
Added checks to ensure IPs are valid prior to assignment
Improved parsing around login/logout events
For more information, see Package f5networks/bigip Release Notes.
aws/waf has been updated to v2.0.0.
Breaking Change: If X-Forwarded-For header is present, normalize the original client IP to source.ip and Vendor.httpRequest.clientIp is now normalized to source.nat.ip.
Improved HTTP header extraction for referrer, host, and user-agent fields
Added URL domain and port parsing from Host header
Updated ECS version to 9.1.0 and CPS version to 1.1.0
For more information, see Package aws/waf Release Notes.
checkpoint/ngfw has been updated to v2.3.0.
Enhanced observer name extraction from originsicname field using regex pattern
Improved source field handling for email addresses and IP addresses in 'from' field
Added service.id and service.name field mappings with protocol detection
Enhanced network protocol detection based on service identifiers
Updated parser version to 3.3.0 and CPS version to 1.1.0
For more information, see Package checkpoint/ngfw Release Notes.
cisco/ios has been updated to v1.7.2.
Updated timestamp parsing to remove hardcoded timezone defaults for better flexibility
Enhanced parser to use system timezone when no timezone is specified
Improved timestamp handling for logs without explicit timezone information
For more information, see Package cisco/ios Release Notes.
cisco/ise has been updated to v1.4.0.
Added support for CISE_TACACS_Accounting events (codes 3300, 3301, 3302)
Added comprehensive TACACS+ diagnostics parsing for CISE_TACACS_Diagnostics category
Enhanced event categorization for TACACS+ authentication, authorization, and accounting events
Added support for TACACS+ network access control and user management events
Updated parser version to 2.1.0
For more information, see Package cisco/ise Release Notes.
nozomi/ids has been updated to v1.3.3.
Updated parser version to 3.0.3
Added new message pattern for cleartext password authentication requests
Enhanced event categorization for network and intrusion detection events
For more information, see Package nozomi/ids Release Notes.
checkpoint/ngfw has been updated to v2.3.2.
Enhanced IP address validation using CIDR function for source and destination fields
Improved handling of source.address and destination.address fields with proper IP validation
Updated parser version to 3.3.2
For more information, see Package checkpoint/ngfw Release Notes.
microsoft/windows-dns-debug has been updated to v1.3.2.
Updated ECS version to 9.1.0
Removed timezone specification from timestamp parsing
Enhanced parser version to 2.2.2
For more information, see Package microsoft/windows-dns-debug Release Notes.
cisco/ios has been updated to v1.7.3.
Updated ECS version to 9.1.0
Updated CPS version to 1.1.0
Updated parser version to 2.6.3
Fixed typo in observer.ingress.interface.name field extraction for IGMP events
For more information, see Package cisco/ios Release Notes.
fortinet/fortigate has been updated to v1.4.0.
Updated parser version to 3.0.0
Enhanced event outcome determination for traffic and UTM events with expanded action mappings
Improved TLS certificate field handling using array:append for proper array construction
Fixed vulnerability category field mapping to use array:append
Added new test cases for VPN, IPS, and traffic events
Updated field assignments to use array operations for ECS compliance
For more information, see Package fortinet/fortigate Release Notes.
cisco/meraki has been updated to v1.5.3.
Removed timezone parameter from timestamp parsing functions to use system default timezone handling
For more information, see Package cisco/meraki Release Notes.
aws/s3-server-access has been updated to v1.2.2.
Added cloud provider identification with cloud.provider field set to "aws"
Enhanced cloud resource tracking with cloud.target.Resource.type[] and cloud.target.Resource.id[] arrays
Improved cloud resource categorization for S3 buckets
For more information, see Package aws/s3-server-access Release Notes.
zscaler/internet-access has been updated to v2.0.0.
Enhanced IP address and domain handling with improved address field mapping
Added client.* and server.* field mappings for better network visibility
Improved DNS answer field structure using indexed array format
Removed timezone parameter from file modification time parsing
Changed destination.ip to use Vendor.cdip instead of Vendor.sdip for consistency
Improved event.type categorization for file-related events
Added parsing for nested Vendor.category fields
Updated parser version to 3.0.0
For more information, see Package zscaler/internet-access Release Notes.
checkpoint/ngfw has been updated to v2.5.0.
Enhanced event categorization for network events to include "info" event type
Added support for Application Control product detection via ProductName field
Improved product matching for VPN-1 & FireWall-1 and Firewall products using in() function
Added Anti Malware product categorization with malware event category
Enhanced client/server field mapping for application control, URL filtering, and HTTPS inspection logs
Updated parser version to 3.5.0
For more information, see Package checkpoint/ngfw Release Notes.
cisco/ise has been updated to v2.0.2.
Enhanced CISE_Profiler event parsing with comprehensive event code support
Added support for profiler event codes 80001-80019 including endpoint collection, SNMP operations, DNS requests, and Edda connector management
Improved event categorization for profiler events with specific outcomes and actions
Updated ECS version to 9.1.0
Updated parser version to 3.0.2
For more information, see Package cisco/ise Release Notes.
zscaler/internet-access has been updated to v1.5.3.
Updated ECS version to 9.1.0
Removed timezone parameter from parseTimestamp function
For more information, see Package zscaler/internet-access Release Notes.
aws/vpcflow has been updated to v1.2.2.
Updated timestamp parsing to remove explicit timezone parameter
Updated parser version to 1.2.2
For more information, see Package aws/vpcflow Release Notes.
nozomi/ids has been updated to v1.3.2.
Updated ECS version to 9.1.0
Updated CPS version to 1.1.0
Updated parser version to 3.0.2
Removed timezone specification from timestamp parsing for MMM dd yyyy HH:mm:ss format
For more information, see Package nozomi/ids Release Notes.
cloudflare/zerotrust has been updated to v2.0.0.
Added support for new datasets: email-security-alerts, browser-isolation, sinkhole-http, warp-changes, ssh, dex-application-tests, dlp-forensic-copies, dns-firewall, workers-trace, dex-device-state, ipsec
Enhanced timestamp parsing with additional timestamp fields (EventTimestampMs, ActionTimestamp)
Added support for SSO action in access-requests dataset
Improved audit event categorization with view action support
Enhanced source address handling with ActorIPAddress support
Updated event outcome logic for audit events to support success/fail patterns
Added comprehensive field mappings for new datasets including process, error, DNS, and network fields
Enhanced email security alerts with attachment processing and threat categorization
Added browser isolation event processing with decision-based outcomes
Implemented workers trace event handling with exception-based outcome determination
Added SSH session tracking with start/end event types
Enhanced DEX application tests with HTTP performance metrics
Added DLP forensic copies processing with rule-based categorization
Implemented DNS firewall event handling with query type and response code processing
Added IPsec event processing with connection status tracking
Enhanced device state monitoring with network and client metrics
Updated parser version to 4.0.0
For more information, see Package cloudflare/zerotrust Release Notes.
checkpoint/ngfw has been updated to v2.4.0.
Added several new field normalizations
Enhanced field organization and grouping for better readability
Improved network protocol detection logic
Fixed event categorization for authentication events (Failed Log In now uses start type)
Added new event categorization patterns for system events
Updated parser version to 3.4.0
For more information, see Package checkpoint/ngfw Release Notes.
radware/alteon has been updated to v1.2.2.
Updated ECS version to 9.1.0
Updated parser version to 1.1.2
Removed timezone parameter from findTimestamp() function calls
For more information, see Package radware/alteon Release Notes.
fortinet/fortigate has been updated to v2.1.0.
Enhanced CEF parsing with improved priority handling and format normalization
Fixed CEF header format by replacing "CEF: 0" with "CEF:0" for proper parsing
Reordered parsing logic to prioritize CEF format detection before syslog priority extraction
Improved source.address field mapping with enhanced coalesce logic to preserve existing values
Updated parser version to 4.2.0
For more information, see Package fortinet/fortigate Release Notes.
cisco/ios has been updated to v1.7.4.
Added support for EEM (Embedded Event Manager) events with new parsing pattern
Enhanced parser to handle EEM event actions and messages
Updated parser version to 2.6.4
For more information, see Package cisco/ios Release Notes.
haproxy/haproxy has been updated to v1.2.2.
Updated ECS version to 9.1.0
Updated CPS version to 1.1.0
Updated parser version to 1.1.3
Removed timezone parameter from parseTimestamp function
For more information, see Package haproxy/haproxy Release Notes.
cisco/firepower has been updated to v1.7.4.
Removed timezone parameter from timestamp parsing functions to use system default timezone handling
Updated parser version to 3.3.4
For more information, see Package cisco/firepower Release Notes.
netgate/pfsense has been updated to v1.1.3.
Updated minimum LogScale version requirement to 1.207.0
For more information, see Package netgate/pfsense Release Notes.
microsoft/windows-dns-debug has been updated to v1.5.1.
Enhanced timestamp parsing to support additional date format (d/M/yyyy HH:mm:ss)
Improved regex pattern for PACKET log entries to handle multiple timestamp formats
Fixed timestamp parsing for LOOKUP operation logs
Updated parser version to 2.4.1
For more information, see Package microsoft/windows-dns-debug Release Notes.
aws/guardduty has been updated to v1.2.2.
Updated ECS version to 9.2.0
Updated CPS version to 1.1.0
Added removePrefixes="detail." to parseJson function for improved field handling
Updated parser version to 1.3.2
For more information, see Package aws/guardduty Release Notes.
cisco/ise has been updated to v2.0.1.
Fixed timezone handling in timestamp parsing by removing hardcoded timezone parameter
Updated parser version to 3.0.1
For more information, see Package cisco/ise Release Notes.
fortinet/fortigate has been updated to v2.0.0.
Added CEF (Common Event Format) parsing support for Fortinet logs
Enhanced timestamp parsing with support for CEF header timestamps
Enhanced source and destination address handling with conditional logic for login events
Updated event.action field priority to use Vendor.action first, then Vendor.logdesc, then Vendor.eventtype
Added support for additional source fields including Vendor.spt for source port mapping
Improved URL handling in remip field with proper quoting for complex URLs
Updated parser version to 4.1.0
For more information, see Package fortinet/fortigate Release Notes.