Falcon LogScale 1.215.0 GA (2025-11-18)
| Version | Type | Release Date | Availability | End of Support | Security Updates | Upgrades From | Downgrades To | Config. Changes |
|---|---|---|---|---|---|---|---|---|
| 1.215.0 | GA | 2025-11-18 | Cloud | 2027-02-28 | No | 1.150.0 | 1.177.0 | No |
Download
Use docker pull humio/humio-core:1.215.0 to download the latest version
Bug fixes and updates
Advance Warning
The following items are due to change in a future release.
User Interface
From version 1.225.0, LogScale will enforce a new limit of 10 labels that can be added or removed in bulk for assets such as dashboards, actions, alerts and scheduled searches.
Labels will also have a character limit of 60.
Existing assets that violate these newly imposed limits will continue to work until they are updated - users will then be forced to remove or reduce their labels to meet the requirement.
Deprecation
Items that have been deprecated and may be removed in a future release.
The Release Note Full Index page has been deprecated. Please use the Search Release Notes page to search the release notes for any product.
The following GraphQL mutations have been deprecated:
addAlertLabel
removeAlertLabel
removeScheduledSearchLabel
The deprecated GraphQL mutations will be replaced by the following mutations:
The following GraphQL mutations are being added:
The following GraphQL APIs are deprecated and will be removed in version 1.225 or later:
In the updateSettings mutation, these input arguments are deprecated:
isPackageDocsMessageDismissed
isDarkModeMessageDismissed
isResizableQueryFieldMessageDismissed
On the UserSettings type, these fields are deprecated:
isPackageDocsMessageDismissed
isDarkModeMessageDismissed
Note
The deprecated input arguments will have no effect, and the deprecated fields will always return true until their removal.
The EXTRA_KAFKA_CONFIGS_FILE configuration variable has been deprecated and is planned to be removed no earlier than version 1.225.0. For more information, see RN Issue.
rdns() has been deprecated and will be removed in version 1.249. Use reverseDns() as an alternative function.
Behavior Changes
Scripts or environments that make use of these tools should be checked and updated for the new configuration:
Storage
LogScale now prevents start-up if a user's Azure endpoint base has not been configured for Azure bucket storage.
If the AZURE_STORAGE_BUCKET, AZURE_STORAGE_ACCOUNTNAME, and AZURE_STORAGE_ACCOUNTKEY variables are specified and AZURE_STORAGE_ENDPOINT_BASE is not specified, LogScale will fail to start rather than delaying failure until an attempt to connect to the bucket is made.
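A pre-upgrade check for the start-up rule above and for the EXTRA_KAFKA_CONFIGS_FILE deprecation, as an added example that is not part of the release notes or of LogScale itself. It assumes the configuration is kept in a KEY=VALUE environment file and that an empty value counts as not specified; the sample file is constructed.

```python
import re

# Variable names are taken from the 1.215.0 release notes.
AZURE_TRIGGER = ("AZURE_STORAGE_BUCKET", "AZURE_STORAGE_ACCOUNTNAME",
                 "AZURE_STORAGE_ACCOUNTKEY")
AZURE_ENDPOINT = "AZURE_STORAGE_ENDPOINT_BASE"
DEPRECATED = {"EXTRA_KAFKA_CONFIGS_FILE": "planned for removal no earlier than 1.225.0"}

_ASSIGN = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")

# Constructed sample configuration (not a real deployment).
SAMPLE_ENV = """\
# bucket storage
AZURE_STORAGE_BUCKET=logscale-segments
AZURE_STORAGE_ACCOUNTNAME="examplestorage"
AZURE_STORAGE_ACCOUNTKEY=PLACEHOLDER_KEY
EXTRA_KAFKA_CONFIGS_FILE=/path/to/kafka.properties
"""


def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and '#' comments; last value wins."""
    env = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _ASSIGN.match(line)
        if m:
            value = m.group(2)
            if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
                value = value[1:-1]  # drop one pair of surrounding quotes
            env[m.group(1)] = value
    return env


def preflight(env):
    """Return (errors, warnings); an error means 1.215.0 would refuse to start."""
    def is_set(name):
        # Assumption: an empty value is treated the same as an unset variable.
        return bool(env.get(name, "").strip())

    errors, warnings = [], []
    if all(is_set(n) for n in AZURE_TRIGGER) and not is_set(AZURE_ENDPOINT):
        errors.append(f"{AZURE_ENDPOINT} is not set but Azure bucket storage is configured")
    for name, note in DEPRECATED.items():
        if name in env:
            warnings.append(f"{name} is deprecated ({note})")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = preflight(parse_env(SAMPLE_ENV))
    for msg in errs:
        print("ERROR:", msg)
    for msg in warns:
        print("WARN:", msg)
    raise SystemExit(1 if errs else 0)
```

Run against the real environment file before rolling the new image; a non-zero exit means the node would not start on this version.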
Upgrades
Changes that may occur or be required during an upgrade.
Configuration
LogScale has upgraded its Netty version to 4.2.7.
New features and improvements
User Interface
The following bulk actions can now be performed on multiple assets:
as .zip file
Assets that support this feature include:
Actions
Dashboards
Interactions
Lookup files
Parsers
Triggers
LogScale now also supports enabling and disabling triggers in bulk.
Corresponding GraphQL Batch operations are also available.
For more information, see Table Components.
Documentation
The release note search system has been updated to provide more functionality across a wider range of products. Searching of release notes has been expanded to add support for searching multiple individual products (LogScale, Log Collector, Aux PDF and Humio Operator):
We now have full release notes for each of these products with their own dedicated page and entries.
Improved search speed and filtering
Release note searches can now be saved and shared
With this change, the Full Release Notes Index page has been deprecated as the new search page provides better functionality for searching the release note system. See RN Issue.
Dashboards and Widgets
A new styling option in the Table widget now makes it possible to configure custom column labels:
Users can now rename column headers directly in the table widget's style configuration panel.
Custom column labels are preserved when switching between columns and refreshing the view.
For more information, see Table Property Reference.
A new styling option in the Table widget now allows users to reorder columns. A reset button is also available for restoring the original column order of the query result.
For more information, see Table Property Reference.
Auditing and Monitoring
The following audit log types have been removed:
aggregateAlert.add-label
aggregateAlert.remove-label
filterAlert.add-label
filterAlert.remove-label
The following Audit Log types have been added:
saved-query.add-labels
saved-query.remove-labels
aggregateAlert.add-labels
aggregateAlert.remove-labels
filterAlert.add-labels
filterAlert.remove-labels
alert.add-labels
alert.remove-labels
scheduled-search.add-labels
scheduled-search.remove-labels
uploaded-file.add-labels
uploaded-file.remove-labels
action.add-labels
action.remove-labels
dashboard.add-labels
dashboard.remove-labels
Added audit logging to the Export to File functionality for query results.
This adds two new audit log entries:
dataspace.query.export-file: when a query is exported to a file.
dataspace.query.export-bucket: when a query is streamed to an external file bucket (if the Export to bucket feature flag is enabled).
All entries include the following data points:
actor - Export requester data
timestamp - Time of the logging
exportedFileName - Exported file name with the file extension chosen
queryId - The ID of the related query audit log found through dataspace.query
csvFieldsExported (optional) - When exporting a query to CSV, you must select specific fields to include.
If the query is streamed due to size, the selected fields are added directly to the query as a filter using select().
When streaming to a bucket, additional fields are added:
bucketProvider - The bucket provider used to stream the file to (for example, S3)
bucket - The bucket ID used to stream the file to
To fetch information regarding audits for exported query requests, you can run a join query like defineTable() or correlate() on the queryId. For example:

```logscale
correlate(
  exports: { type = /dataspace.query.export/ } include: *,
  queries: { type = "dataspace.query" | queryId <=> exports.queryId } include: [query.queryString, query.ingestStart, query.ingestEnd]
)
```
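The same join done offline over exported audit events, as an added example that is not part of the release notes or of LogScale. It goes beyond the query above by keeping exports whose dataspace.query event is missing from the input and marking them; the flat one-object-per-line layout and all sample values are constructed, and only the type and field names come from this page.

```python
import json

EXPORT_TYPES = {"dataspace.query.export-file", "dataspace.query.export-bucket"}

# Constructed sample audit events, one JSON object per line. The flat field
# layout is an assumption; only the field names come from the release notes.
SAMPLE_NDJSON = """
{"type":"dataspace.query","queryId":"Q-1001","timestamp":1763460000000,"query.queryString":"#type=accesslog | select([user, url])","query.ingestStart":1763373600000,"query.ingestEnd":1763460000000}
{"type":"dataspace.query.export-file","queryId":"Q-1001","timestamp":1763460030000,"actor":"analyst@example.com","exportedFileName":"access.csv","csvFieldsExported":["user","url"]}
{"type":"dataspace.query.export-bucket","queryId":"Q-2002","timestamp":1763463600000,"actor":"svc-report@example.com","exportedFileName":"all-events.ndjson","bucketProvider":"S3","bucket":"example-bucket-id"}
"""


def load_events(ndjson):
    """Parse newline-delimited JSON, ignoring blank lines."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def correlate_exports(events):
    """Join each export audit event to its dataspace.query event on queryId."""
    queries = {}
    for ev in events:
        if ev.get("type") == "dataspace.query" and ev.get("queryId"):
            queries[ev["queryId"]] = ev

    rows = []
    for ev in events:
        if ev.get("type") not in EXPORT_TYPES:
            continue
        q = queries.get(ev.get("queryId")) or {}
        rows.append({
            "timestamp": ev.get("timestamp"),
            "actor": ev.get("actor"),
            "exportType": ev["type"],
            "exportedFileName": ev.get("exportedFileName"),
            "csvFieldsExported": ev.get("csvFieldsExported"),  # optional, CSV only
            "bucketProvider": ev.get("bucketProvider"),        # bucket exports only
            "bucket": ev.get("bucket"),
            "queryString": q.get("query.queryString"),
            "ingestStart": q.get("query.ingestStart"),
            "ingestEnd": q.get("query.ingestEnd"),
            # False when the query event is outside the exported time window;
            # the export is still reported so it can be followed up.
            "queryFound": bool(q),
        })
    return sorted(rows, key=lambda r: r["timestamp"] or 0)


if __name__ == "__main__":
    for row in correlate_exports(load_events(SAMPLE_NDJSON)):
        print(json.dumps(row))
```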
Fixed in this release
Ingestion
Event forwarding rules that reference a saved query will now use the latest version of the saved query if it has been updated.
Log Collector
Fixed several /api/v1/log-collector endpoints to return proper status codes for invalid credentials.
Known Issues
Storage
For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between PRIMARY_STORAGE_PERCENTAGE and PRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".
This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
cisco/ise has been updated to v2.0.3.
Enhanced Response field parsing for cisco-av-pair attributes with improved regex pattern matching
Updated parser version to 3.0.3
For more information, see Package cisco/ise Release Notes.
cisco/firepower has been updated to v1.7.5.
Updated ECS version to 9.2.0
Updated parser version to 3.3.5
Added message field assignment from Vendor.message
For more information, see Package cisco/firepower Release Notes.
cloudflare/zerotrust has been updated to v1.6.0.
Updated ECS version to 9.2.0
Enhanced field mapping with improved global field normalizations
Added support for spectrum dataset
Improved DNS answer parsing with dynamic array handling
Enhanced client, destination, and source field processing with address/IP/domain logic
Added comprehensive threat indicator confidence mapping
Improved TLS version extraction with regex patterns
Enhanced event categorization for malware detection in gateway-http
Added new fields: file.extension, email.message_id, email.reply_to.address[], rule.description, network.iana_number, destination.as.number, source.as.number, source.nat.ip, cloud.account.id, server.as.number
Updated parser version to 3.0.0
For more information, see Package cloudflare/zerotrust Release Notes.
fortinet/fortigate has been updated to v1.4.1.
Updated parser version to 3.0.1
Removed timezone parameter from parseTimestamp function for date/time parsing
For more information, see Package fortinet/fortigate Release Notes.
zscaler/deception has been updated to v2.2.1.
Updated ECS version to 9.1.0
Updated CPS version to 1.1.0
Improved timestamp parsing by removing timezone parameter
For more information, see Package zscaler/deception Release Notes.
darktrace/detect has been updated to v2.0.1.
Updated ECS version to 9.1.0
Updated parser version to 3.0.1
Fixed timezone handling for RFC 3164 syslog timestamps by removing explicit UTC timezone setting
For more information, see Package darktrace/detect Release Notes.
f5networks/bigip has been updated to v2.5.2.
Removed timezone parameter from timestamp parsing functions to use system default timezone handling
For more information, see Package f5networks/bigip Release Notes.
palo-alto/prisma-sd-wan has been updated to v1.2.1.
Updated ECS version to 9.1.0
Improved timestamp parsing by removing timezone parameter for better compatibility
For more information, see Package palo-alto/prisma-sd-wan Release Notes.
claroty/ctd has been updated to v1.2.2.
Removed timezone parameter from parseTimestamp function to use automatic timezone detection
Updated parser version to 1.1.3
For more information, see Package claroty/ctd Release Notes.
forcepoint/dlp has been updated to v1.2.2.
Updated ECS version to 9.1.0
Updated CPS version to 1.1.0
Removed timezone specifications from timestamp parsing
Enhanced field mapping documentation
For more information, see Package forcepoint/dlp Release Notes.
checkpoint/ngfw has been updated to v2.3.3.
Removed timezone parameter from timestamp parsing functions to use system default timezone handling
For more information, see Package checkpoint/ngfw Release Notes.
trellix/fireeye-nx has been updated to v1.2.1.
Updated parser schema to v0.3.0
For more information, see Package trellix/fireeye-nx Release Notes.
akamai/asec has been updated to v1.1.2.
Updated parser version to 1.1.2
Updated template to v0.3.0
For more information, see Package akamai/asec Release Notes.
microsoft/dhcp-server has been updated to v1.3.2.
Updated ECS version to 9.1.0
Updated parser version to 2.1.2
Removed timezone specification from parseTimestamp function
For more information, see Package microsoft/dhcp-server Release Notes.
dell/isilon has been updated to v1.2.2.
Updated ECS version to 9.1.0
Updated CPS version to 1.1.0
Updated parser version to 1.1.3
Removed timezone specification from parseTimestamp function
Updated test case data with new sample values
For more information, see Package dell/isilon Release Notes.
zscaler/internet-access has been updated to v1.5.4.
Enhanced JSON parsing to handle escaped quotes in nested JSON structures
Added support for complex audit log events with nested preaction and postaction objects
Improved string replacement logic to preserve escaped quotes for proper JSON parsing
Updated parser version to 2.5.4
For more information, see Package zscaler/internet-access Release Notes.
zscaler/private-access has been updated to v1.3.3.
Updated ECS version to 9.1.0
Removed timezone parameter from parseTimestamp function
For more information, see Package zscaler/private-access Release Notes.
infoblox/nios has been updated to v1.3.3.
Removed timezone parameter from parseTimestamp functions to use system default timezone
Updated parser version to 2.2.3
For more information, see Package infoblox/nios Release Notes.
microsoft/sysmon has been updated to v1.1.3.
Updated ECS version to 9.1.0
Removed timezone parameter from parseTimestamp functions for improved timestamp handling
For more information, see Package microsoft/sysmon Release Notes.
checkpoint/ngfw has been updated to v2.4.1.
Enhanced event categorization for "Redirect" action to include "denied" event type
Added event.outcome field for "Redirect" action with "success" value
Updated parser version to 3.4.1
For more information, see Package checkpoint/ngfw Release Notes.
fortinet/fortigate has been updated to v1.5.0.
Updated parser version to 4.0.0
Enhanced event categorization and type mapping with comprehensive coverage for all event types
Improved field mapping using coalesce function for better field consolidation
Added threat enrichment fields for UTM events including virus, IPS, and anomaly detection
Enhanced network protocol detection and application layer protocol mapping
Improved client/server field mapping based on connection direction
Added array deduplication for event.category and event.type fields
Enhanced MAC address formatting with colon-to-dash replacement
Improved IP address validation with CIDR filtering
Added comprehensive test cases for SSL, DNS, traffic, and system events
For more information, see Package fortinet/fortigate Release Notes.
juniper/srx has been updated to v1.5.1.
Updated minimum LogScale version requirement to 1.207.0
For more information, see Package juniper/srx Release Notes.
google/chrome-enterprise-security-events has been updated to v1.2.1.
Updated parser schema to v0.3.0
For more information, see Package google/chrome-enterprise-security-events Release Notes.
zscaler/private-access has been updated to v1.4.0.
Enhanced parser with comprehensive ECS field mappings for all ZPA log types
Added support for app connector metrics logs
Improved field normalization with proper source/destination/client/server mappings
Enhanced network traffic analysis with ingress/egress byte tracking
Added comprehensive event categorization and outcome determination
Improved timestamp handling across all log types
Enhanced user and authentication event processing
Added proper host infrastructure monitoring fields
Improved security inspection rule mapping
Enhanced geographic location tracking for all components
For more information, see Package zscaler/private-access Release Notes.
cisco/ios has been updated to v1.7.2.
Updated timestamp parsing to remove hardcoded timezone defaults for better flexibility
Enhanced parser to use system timezone when no timezone is specified
Improved timestamp handling for logs without explicit timezone information
For more information, see Package cisco/ios Release Notes.
nozomi/ids has been updated to v1.3.3.
Updated parser version to 3.0.3
Added new message pattern for cleartext password authentication requests
Enhanced event categorization for network and intrusion detection events
For more information, see Package nozomi/ids Release Notes.
microsoft/windows-dns-debug has been updated to v1.3.2.
Updated ECS version to 9.1.0
Removed timezone specification from timestamp parsing
Enhanced parser version to 2.2.2
For more information, see Package microsoft/windows-dns-debug Release Notes.
microsoft/dhcp-client has been updated to v1.1.2.
Updated parser schema to v0.3.0
For more information, see Package microsoft/dhcp-client Release Notes.
cisco/ios has been updated to v1.7.3.
Updated ECS version to 9.1.0
Updated CPS version to 1.1.0
Updated parser version to 2.6.3
Fixed typo in observer.ingress.interface.name field extraction for IGMP events
For more information, see Package cisco/ios Release Notes.
cisco/meraki has been updated to v1.5.3.
Removed timezone parameter from timestamp parsing functions to use system default timezone handling
For more information, see Package cisco/meraki Release Notes.
aws/s3-server-access has been updated to v1.2.2.
Added cloud provider identification with cloud.provider field set to "aws"
Enhanced cloud resource tracking with cloud.target.Resource.type[] and cloud.target.Resource.id[] arrays
Improved cloud resource categorization for S3 buckets
For more information, see Package aws/s3-server-access Release Notes.
aws/waf has been updated to v2.0.0.
Breaking Change: If the X-Forwarded-For header is present, the original client IP is now normalized to source.ip and Vendor.httpRequest.clientIp is now normalized to source.nat.ip.
Improved HTTP header extraction for referrer, host, and user-agent fields
Added URL domain and port parsing from Host header
Updated ECS version to 9.1.0 and CPS version to 1.1.0
For more information, see Package aws/waf Release Notes.
cisco/ise has been updated to v2.0.2.
Enhanced CISE_Profiler event parsing with comprehensive event code support
Added support for profiler event codes 80001-80019 including endpoint collection, SNMP operations, DNS requests, and Edda connector management
Improved event categorization for profiler events with specific outcomes and actions
Updated ECS version to 9.1.0
Updated parser version to 3.0.2
For more information, see Package cisco/ise Release Notes.
zscaler/internet-access has been updated to v1.5.3.
Updated ECS version to 9.1.0
Removed timezone parameter from parseTimestamp function
For more information, see Package zscaler/internet-access Release Notes.
aws/vpcflow has been updated to v1.2.2.
Updated timestamp parsing to remove explicit timezone parameter
Updated parser version to 1.2.2
For more information, see Package aws/vpcflow Release Notes.
nozomi/ids has been updated to v1.3.2.
Updated ECS version to 9.1.0
Updated CPS version to 1.1.0
Updated parser version to 3.0.2
Removed timezone specification from timestamp parsing for MMM dd yyyy HH:mm:ss format
For more information, see Package nozomi/ids Release Notes.
checkpoint/ngfw has been updated to v2.4.0.
Added several new field normalizations
Enhanced field organization and grouping for better readability
Improved network protocol detection logic
Fixed event categorization for authentication events (Failed Log In now uses start type)
Added new event categorization patterns for system events
Updated parser version to 3.4.0
For more information, see Package checkpoint/ngfw Release Notes.
radware/alteon has been updated to v1.2.2.
Updated ECS version to 9.1.0
Updated parser version to 1.1.2
Removed timezone parameter from findTimestamp() function calls
For more information, see Package radware/alteon Release Notes.
cisco/ios has been updated to v1.7.4.
Added support for EEM (Embedded Event Manager) events with new parsing pattern
Enhanced parser to handle EEM event actions and messages
Updated parser version to 2.6.4
For more information, see Package cisco/ios Release Notes.
haproxy/haproxy has been updated to v1.2.2.
Updated ECS version to 9.1.0
Updated CPS version to 1.1.0
Updated parser version to 1.1.3
Removed timezone parameter from parseTimestamp function
For more information, see Package haproxy/haproxy Release Notes.
microsoft/windows-dns-debug has been updated to v1.4.0.
Added support for additional timestamp formats (dd.MM.yyyy HH:mm:ss and yyyy-MM-dd HH:mm:ss AM/PM)
Enhanced field mapping with separate address, IP, and domain fields for client, destination, server, and source
Updated ECS version to 9.2.0 and CPS version to 1.1.0
Improved DNS error message mapping with additional error codes
Enhanced network type detection for IPv6 addresses
Refactored parser logic for better field organization and performance
For more information, see Package microsoft/windows-dns-debug Release Notes.
cisco/firepower has been updated to v1.7.4.
Removed timezone parameter from timestamp parsing functions to use system default timezone handling
Updated parser version to 3.3.4
For more information, see Package cisco/firepower Release Notes.
netgate/pfsense has been updated to v1.1.3.
Updated minimum LogScale version requirement to 1.207.0
For more information, see Package netgate/pfsense Release Notes.
aws/guardduty has been updated to v1.2.2.
Updated ECS version to 9.2.0
Updated CPS version to 1.1.0
Added removePrefixes="detail." to parseJson function for improved field handling
Updated parser version to 1.3.2
For more information, see Package aws/guardduty Release Notes.
cisco/ise has been updated to v2.0.1.
Fixed timezone handling in timestamp parsing by removing hardcoded timezone parameter
Updated parser version to 3.0.1
For more information, see Package cisco/ise Release Notes.