Falcon LogScale 1.216.0 GA (2025-11-25)
| Version | Type | Release Date | Availability | End of Support | Security Updates | Upgrades From | Downgrades To | Config. Changes |
|---|---|---|---|---|---|---|---|---|
| 1.216.0 | GA | 2025-11-25 | Cloud | 2027-02-28 | No | 1.150.0 | 1.177.0 | No |
Download
Use docker pull humio/humio-core:1.216.0 to download the latest version
Bug fixes and updates
Advance Warning
The following items are due to change in a future release.
User Interface
From version 1.225.0, LogScale will enforce a new limit of 10 labels that can be added or removed in bulk for assets such as dashboards, actions, alerts and scheduled searches.
Labels will also have a character limit of 60.
Existing assets that violate these newly imposed limits will continue to work until they are updated - users will then be forced to remove or reduce their labels to meet the requirement.
Deprecation
Items that have been deprecated and may be removed in a future release.
In order to simplify and clean up older documentation and manuals that refer to past versions of LogScale and related products, the following manual versions will be archived after 15th December 2025:
This archiving will improve the efficiency of the site and navigability.
Archived manuals will be available in a download-only format in an archive area of the documentation. Manuals that have been archived will no longer be included in the search, or accessible to view online through the documentation portal.
The following GraphQL APIs are deprecated and will be removed in version 1.225 or later:
In the updateSettings mutation, these input arguments are deprecated:
isPackageDocsMessageDismissed
isDarkModeMessageDismissed
isResizableQueryFieldMessageDismissed
On the UserSettings type, these fields are deprecated:
isPackageDocsMessageDismissed
isDarkModeMessageDismissed
Note
The deprecated input arguments will have no effect, and the deprecated fields will always return true until their removal.
The EXTRA_KAFKA_CONFIGS_FILE configuration variable has been deprecated and is planned to be removed no earlier than version 1.225.0. For more information, see RN Issue.
rdns() has been deprecated and will be removed in version 1.249. Use reverseDns() as an alternative function.
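A pre-upgrade check covering the label limits in the advance warning and the rdns() deprecation above, as an added example that is not part of the release notes or of LogScale itself. It assumes assets have been exported into a list of dicts (the `name`, `labels` and `query` keys are hypothetical) and reads the 10-label limit as a per-asset count.

```python
import re

MAX_LABELS = 10      # label-count limit from the release note (enforced from 1.225.0)
MAX_LABEL_LEN = 60   # per-label character limit from the release note

# String literals and comments are blanked first so an "rdns(" inside them is
# not reported. Simplification: regex literals containing "//" are not handled.
_NOISE = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)
_RDNS = re.compile(r'(?<![\w:.])rdns\s*\(')

# Constructed sample export; the dict keys are hypothetical, not a LogScale schema.
SAMPLE_ASSETS = [
    {"name": "dns-beacon-alert", "labels": ["dns", "network"],
     "query": '#type=dns | rdns(client.ip, as=host) | note := "rdns(x)"'},
    {"name": "vpn-dashboard", "labels": [f"team-{i}" for i in range(12)],
     "query": "// old: rdns(ip)\nreverseDns(ip) | count()"},
    {"name": "long-label-search", "labels": ["x" * 61], "query": "count()"},
    {"name": "clean", "labels": ["ok"], "query": "groupBy(rdns) | count()"},
]

def audit_asset(asset):
    """Return the list of findings for one exported asset."""
    findings = []
    labels = asset.get("labels", [])
    if len(labels) > MAX_LABELS:
        findings.append(f"{len(labels)} labels (limit {MAX_LABELS})")
    for label in labels:
        if len(label) > MAX_LABEL_LEN:
            findings.append(f"label of {len(label)} chars (limit {MAX_LABEL_LEN})")
    # Count real rdns() calls only, after removing strings and comments.
    code = _NOISE.sub(" ", asset.get("query", ""))
    calls = len(_RDNS.findall(code))
    if calls:
        findings.append(f"{calls} call(s) to deprecated rdns(); use reverseDns()")
    return findings

def audit(assets):
    """Map asset name -> findings, omitting assets with nothing to fix."""
    report = {}
    for asset in assets:
        findings = audit_asset(asset)
        if findings:
            report[asset["name"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ASSETS).items():
        print(name, "->", "; ".join(findings))
```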
Behavior Changes
Scripts or environments that make use of these tools should be checked and updated for the new configuration:
Storage
When a request to LogScale hits a timeout for updating the global database, it will now return HTTP status code 500 instead of status code 400.
Queries
Filter prefixes have been refactored to change the way they are validated - as a result, the diagnostic message for all prefixes has been changed.
A query prefix may only contain pure filters. Transformations, aggregations etc. are not allowed. Functions are also disallowed, even if their behavior is purely filtering.
New features and improvements
Dashboards and Widgets
Table widgets now support a new Column overflow setting with options to either truncate or wrap text content. Users can now control how to handle long text entries in table columns, improving readability and visual organization of various data and display preferences. The setting is available in the widget style panel under General.
For more information, see Table Widget.
Fixed in this release
Functions
Fixed an issue related to serialization where queries including fieldstats() functions or count() with the distinct parameter set to true would sometimes fail, causing the query to be cancelled.
Known Issues
Storage
For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between PRIMARY_STORAGE_PERCENTAGE and PRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link". This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.
Improvement
Documentation
We have enabled a new search system for the main search pages which includes the following features:
Faster and more efficient searching
Defaults to searching only the current manuals covering the latest active releases
Searching of the full document set is available by selecting the checkbox on the search page
Spelling mistakes are now automatically corrected during the search
Suggestions for alternative search terms (e.g. Virtual Private Network in place of VPN); clicking the links will search for the alternative term
Highlighting of found search terms on pages when you click through to a page; highlights can be removed by clicking the button at the top of the page
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
cisco/ise has been updated to v2.0.3.
Enhanced Response field parsing for cisco-av-pair attributes with improved regex pattern matching
Updated parser version to 3.0.3
For more information, see Package cisco/ise Release Notes.
cisco/firepower has been updated to v1.7.5.
Updated ECS version to 9.2.0
Updated parser version to 3.3.5
Added message field assignment from Vendor.message
For more information, see Package cisco/firepower Release Notes.
cloudflare/zerotrust has been updated to v1.6.0.
Updated ECS version to 9.2.0
Enhanced field mapping with improved global field normalizations
Added support for spectrum dataset
Improved DNS answer parsing with dynamic array handling
Enhanced client, destination, and source field processing with address/IP/domain logic
Added comprehensive threat indicator confidence mapping
Improved TLS version extraction with regex patterns
Enhanced event categorization for malware detection in gateway-http
Added new fields: file.extension, email.message_id, email.reply_to.address[], rule.description, network.iana_number, destination.as.number, source.as.number, source.nat.ip, cloud.account.id, server.as.number
Updated parser version to 3.0.0
For more information, see Package cloudflare/zerotrust Release Notes.
aws/fsx has been updated to v1.1.2.
Removed deprecated fsx-xml parser
For more information, see Package aws/fsx Release Notes.
trellix/fireeye-nx has been updated to v1.2.1.
Updated parser schema to v0.3.0
For more information, see Package trellix/fireeye-nx Release Notes.
akamai/asec has been updated to v1.1.2.
Updated parser version to 1.1.2
Updated template to v0.3.0
For more information, see Package akamai/asec Release Notes.
zscaler/internet-access has been updated to v1.5.4.
Enhanced JSON parsing to handle escaped quotes in nested JSON structures
Added support for complex audit log events with nested preaction and postaction objects
Improved string replacement logic to preserve escaped quotes for proper JSON parsing
Updated parser version to 2.5.4
For more information, see Package zscaler/internet-access Release Notes.
checkpoint/ngfw has been updated to v2.4.1.
Enhanced event categorization for "Redirect" action to include "denied" event type
Added event.outcome field for "Redirect" action with "success" value
Updated parser version to 3.4.1
For more information, see Package checkpoint/ngfw Release Notes.
fortinet/fortigate has been updated to v1.5.0.
Updated parser version to 4.0.0
Enhanced event categorization and type mapping with comprehensive coverage for all event types
Improved field mapping using coalesce function for better field consolidation
Added threat enrichment fields for UTM events including virus, IPS, and anomaly detection
Enhanced network protocol detection and application layer protocol mapping
Improved client/server field mapping based on connection direction
Added array deduplication for event.category and event.type fields
Enhanced MAC address formatting with colon-to-dash replacement
Improved IP address validation with CIDR filtering
Added comprehensive test cases for SSL, DNS, traffic, and system events
For more information, see Package fortinet/fortigate Release Notes.
google/chrome-enterprise-security-events has been updated to v1.2.1.
Updated parser schema to v0.3.0
For more information, see Package google/chrome-enterprise-security-events Release Notes.
zscaler/private-access has been updated to v1.4.0.
Enhanced parser with comprehensive ECS field mappings for all ZPA log types
Added support for app connector metrics logs
Improved field normalization with proper source/destination/client/server mappings
Enhanced network traffic analysis with ingress/egress byte tracking
Added comprehensive event categorization and outcome determination
Improved timestamp handling across all log types
Enhanced user and authentication event processing
Added proper host infrastructure monitoring fields
Improved security inspection rule mapping
Enhanced geographic location tracking for all components
For more information, see Package zscaler/private-access Release Notes.
nozomi/ids has been updated to v1.3.3.
Updated parser version to 3.0.3
Added new message pattern for cleartext password authentication requests
Enhanced event categorization for network and intrusion detection events
For more information, see Package nozomi/ids Release Notes.
microsoft/dhcp-client has been updated to v1.1.2.
Updated parser schema to v0.3.0
For more information, see Package microsoft/dhcp-client Release Notes.
cisco/ise has been updated to v2.0.2.
Enhanced CISE_Profiler event parsing with comprehensive event code support
Added support for profiler event codes 80001-80019 including endpoint collection, SNMP operations, DNS requests, and Edda connector management
Improved event categorization for profiler events with specific outcomes and actions
Updated ECS version to 9.1.0
Updated parser version to 3.0.2
For more information, see Package cisco/ise Release Notes.
checkpoint/ngfw has been updated to v2.4.0.
Added several new field normalizations
Enhanced field organization and grouping for better readability
Improved network protocol detection logic
Fixed event categorization for authentication events (Failed Log In now uses start type)
Added new event categorization patterns for system events
Updated parser version to 3.4.0
For more information, see Package checkpoint/ngfw Release Notes.
cisco/ios has been updated to v1.7.4.
Added support for EEM (Embedded Event Manager) events with new parsing pattern
Enhanced parser to handle EEM event actions and messages
Updated parser version to 2.6.4
For more information, see Package cisco/ios Release Notes.
microsoft/windows-dns-debug has been updated to v1.4.0.
Added support for additional timestamp formats (dd.MM.yyyy HH:mm:ss and yyyy-MM-dd HH:mm:ss AM/PM)
Enhanced field mapping with separate address, IP, and domain fields for client, destination, server, and source
Updated ECS version to 9.2.0 and CPS version to 1.1.0
Improved DNS error message mapping with additional error codes
Enhanced network type detection for IPv6 addresses
Refactored parser logic for better field organization and performance
For more information, see Package microsoft/windows-dns-debug Release Notes.
aws/guardduty has been updated to v1.2.2.
Updated ECS version to 9.2.0
Updated CPS version to 1.1.0
Added removePrefixes="detail." to parseJson function for improved field handling
Updated parser version to 1.3.2
For more information, see Package aws/guardduty Release Notes.