Falcon LogScale 1.217.0 GA (2025-12-01)
| Version? | Type? | Release Date? | Availability? | End of Support | Security Updates | Upgrades From? | Downgrades To? | Config. Changes? |
|---|---|---|---|---|---|---|---|---|
| 1.217.0 | GA | 2025-12-01 | Cloud | 2027-02-28 | No | 1.150.0 | 1.177.0 | No |
Hide file download links
Download
Use docker pull humio/humio-core:1.217.0 to download the latest version
Bug fixes and updates
Advance Warning
The following items are due to change in a future release.
Security
Starting from LogScale version 1.237, support for insecure
ldapconnections will be removed. Self-Hosted customers using LDAP will only be able to useldapssecure connections.User Interface
From version 1.225.0, LogScale will enforce a new limit of 10 labels that can be added or removed in bulk for assets such as dashboards, actions, alerts and scheduled searches.
Labels will also have a character limit of 60.
Existing assets that violate these newly imposed limits will continue to work until they are updated - users will then be forced to remove or reduce their labels to meet the requirement.
Removed
Items that have been removed as of this release.
Configuration
Removed
SEGMENT_TO_HOST_MAPPING_CRASH_SETTLING_TIME_SECONDSconfiguration as the logic is now handled internally according to Heartbeats.
Deprecation
Items that have been deprecated and may be removed in a future release.
In order to simplify and clean up older documentation and manuals that refer to past versions of LogScale and related products, the following manual versions will be archived after 15th December 2025:
This archiving will improve the efficiency of the site and navigability.
Archived manuals will be available in a download-only format in an archive area of the documentation. Manuals that have been archived will no longer be included in the search, or accessible to view online through the documentation portal.
The following GraphQL APIs are deprecated and will be removed in version 1.225 or later:
In the updateSettings mutation, these input arguments are deprecated:
isPackageDocsMessageDismissed
isDarkModeMessageDismissed
isResizableQueryFieldMessageDismissed
On the UserSettings type, these fields are deprecated:
isPackageDocsMessageDismissed
isDarkModeMessageDismissed
Note
The deprecated input arguments will have no effect, and the deprecated fields will always return true until their removal.
The userId parameter for the updateDashboardToken GraphQL mutation has been deprecated and will be removed in version 1.273.
The
EXTRA_KAFKA_CONFIGS_FILEconfiguration variable has been deprecated and planned to be removed no earlier than version 1.225.0. For more information, see RN Issue.
rdns()has been deprecated and will be removed in version 1.249. UsereverseDns()as an alternative function.The Secondary Storage feature is now deprecated and will be removed in LogScale 1.231.0.
The Bucket Storage feature provides superior functionality for storing rarely queried data in cheaper storage while keeping frequently queried data in hot storage (fast and expensive). For more information, see Bucket Storage.
Please contact LogScale support for any concerns about this deprecation.
New features and improvements
Automation and Triggers
Added a new system repository humio-trigger-execution-info, which contains information about the execution of triggers. This new system repository is meant to be consumed by other systems; for a human-readable version, refer to the humio-activity repository.
Currently, this new system repository only contains information about the execution of scheduled searches, not alerts.
A new message template for formatting timestamps is now available for providing more formatting options. It applies to
query_end,query_start, andtriggeredtimestamps. For example:{format_time(triggered, "yyyy-MM-dd'T'HH:mm:ssX")}.For more information, see Message Templates and Variables.
Configuration
Added a new dynamic configuration
GraphQLMaxErrorsCount, to configure the maximum number of errors returned in the GraphQL response errors array. Default value is100, with valid values between1and10000.
Log Collector
Added new configuration variables:
These variables control whether Log Collector should use the configured HTTP proxy when calling the update server and download endpoint, respectively. The default is to use the proxy, which maintains the same behavior as before this change.
Queries
Views can now be configured to resolve saved queries, lookup files and field aliases from a different view or repository.
For more information, see Referencing Resources.
Metrics and Monitoring
Added new metrics:
currently-submitted-fetches-for-prefetching - Counts the number of pending segment file fetches the prefetcher has requested from the fetching subsystem.
currently-submitted-fetches-for-archiving - Counts the number of pending segment file fetches the bucket archiving job has requested from the fetching subsystem.
Fixed in this release
Installation and Deployment
Fixed an issue in KafkaAdminUtils where a NullPointerException could occur if the code was accessed while a Kafka partition had no leader, causing unnecessary entries in the debug log. This problem has now been fixed.
Storage
Fixed a rare issue preventing segments from being merged.
A few issues have been fixed in idle datasource deletion code. The deletion code could delete the last datasource from a partition, which could cause digest to start from scratch on that partition in Kafka.
Fixed an issue where an InterruptedException could occur from
CurrentHostsSyncJobduring system termination, causing unnecessary entries in the debug log. This problem has now been fixed.Fixed an issue where a scala.MatchError could be thrown from the metrics system during node shutdown, causing unnecessary entries in the debug log. This problem has now been fixed.
Metrics and Monitoring
Fixed a bug in the
ingest-queue-read-offset-progress-jobthat prevented it from finding the ingest-queue-read-offset metric. This resolves the error message Ingest queue progress error: No ingest-queue-read-offset metrics found for partition that appeared about an hour after cluster restart.
Known Issues
Storage
For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between
PRIMARY_STORAGE_PERCENTAGEandPRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.
Improvement
Configuration
The following environment variables have been renamed to reflect their specific usage:
NUMBER_OF_ROWS_IN_SEGMENT_TO_HOST_MAPPING_TABLEchanged toNUMBER_OF_ROWS_IN_OWNER_HOSTS_TABLESEGMENT_TO_HOST_MAPPING_TOPOLOGY_CHANGE_SETTLING_TIME_SECONDSchanged toOWNER_HOSTS_TABLE_TOPOLOGY_CHANGE_SETTLING_TIME_SECONDS
Queries
Filter prefix validation has been strengthened: use of query parameters is now explicitly disallowed.
Added optimization related to tag filters. This improvement should slightly speed up
correlate()queries containing tag filters.Improved caching of query states to allow partial reuse of query results when querying by ingest time.
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
cisco/ise has been updated to v2.0.3.
Enhanced Response field parsing for cisco-av-pair attributes with improved regex pattern matching
Updated parser version to 3.0.3
For more information, see Package cisco/ise Release Notes.
trellix/fireeye-nx has been updated to v1.2.2.
Updated package description in manifest
For more information, see Package trellix/fireeye-nx Release Notes.
cisco/firepower has been updated to v1.7.5.
Updated ECS version to 9.2.0
Updated parser version to 3.3.5
Added message field assignment from Vendor.message
For more information, see Package cisco/firepower Release Notes.
cloudflare/zerotrust has been updated to v1.6.0.
Updated ECS version to 9.2.0
Enhanced field mapping with improved global field normalizations
Added support for spectrum dataset
Improved DNS answer parsing with dynamic array handling
Enhanced client, destination, and source field processing with address/IP/domain logic
Added comprehensive threat indicator confidence mapping
Improved TLS version extraction with regex patterns
Enhanced event categorization for malware detection in gateway-http
Added new fields: file.extension, email.message_id, email.reply_to.address[], rule.description, network.iana_number, destination.as.number, source.as.number, source.nat.ip, cloud.account.id, server.as.number
Updated parser version to 3.0.0
For more information, see Package cloudflare/zerotrust Release Notes.
microsoft/windows-dns-debug has been updated to v1.5.0.
Added support for new DNS log format with LOOKUP and RECURSE operations
Enhanced DNS answer record parsing with answer name and type extraction
Improved thread ID handling with both name and numeric ID fields
Added new DNS type classification for answer records
Updated parser version to 2.4.0
For more information, see Package microsoft/windows-dns-debug Release Notes.
aws/fsx has been updated to v1.1.2.
Removed deprecated fsx-xml parser
For more information, see Package aws/fsx Release Notes.
veeam/veeamdataplatform has been updated to v1.0.2.
Updated ECS version to 9.2.0 and CPS version to 1.1.0
Consolidated user extraction logic for event ID 42405 with other InitiatorFullInfo events
Merged event ID ranges for UserName field extraction
Updated test cases with new sample data
For more information, see Package veeam/veeamdataplatform Release Notes.
trellix/fireeye-nx has been updated to v1.2.1.
Updated parser schema to v0.3.0
For more information, see Package trellix/fireeye-nx Release Notes.
akamai/asec has been updated to v1.1.2.
Updated parser version to 1.1.2
Updated template to v0.3.0
For more information, see Package akamai/asec Release Notes.
checkpoint/ngfw has been updated to v2.4.1.
Enhanced event categorization for "Redirect" action to include "denied" event type
Added event.outcome field for "Redirect" action with "success" value
Updated parser version to 3.4.1
For more information, see Package checkpoint/ngfw Release Notes.
google/chrome-enterprise-security-events has been updated to v1.2.1.
Updated parser schema to v0.3.0
For more information, see Package google/chrome-enterprise-security-events Release Notes.
zscaler/private-access has been updated to v1.4.0.
Enhanced parser with comprehensive ECS field mappings for all ZPA log types
Added support for app connector metrics logs
Improved field normalization with proper source/destination/client/server mappings
Enhanced network traffic analysis with ingress/egress byte tracking
Added comprehensive event categorization and outcome determination
Improved timestamp handling across all log types
Enhanced user and authentication event processing
Added proper host infrastructure monitoring fields
Improved security inspection rule mapping
Enhanced geographic location tracking for all components
For more information, see Package zscaler/private-access Release Notes.
okta/sso has been updated to v1.4.6.
Updated ECS version to 9.2.0
Enhanced event outcome handling to include UNANSWERED and ABANDONED result types
Added support for additional event types including app.oauth2.token.grant, event_hook.delivery, system.push.send_factor_verify_push, and various system notification events
Improved code formatting and consistency throughout parser
Added new test cases for enhanced coverage
For more information, see Package okta/sso Release Notes.
nozomi/ids has been updated to v1.3.3.
Updated parser version to 3.0.3
Added new message pattern for cleartext password authentication requests
Enhanced event categorization for network and intrusion detection events
For more information, see Package nozomi/ids Release Notes.
microsoft/dhcp-client has been updated to v1.1.2.
Updated parser schema to v0.3.0
For more information, see Package microsoft/dhcp-client Release Notes.
cisco/ios has been updated to v1.7.4.
Added support for EEM (Embedded Event Manager) events with new parsing pattern
Enhanced parser to handle EEM event actions and messages
Updated parser version to 2.6.4
For more information, see Package cisco/ios Release Notes.
microsoft/windows-dns-debug has been updated to v1.4.0.
Added support for additional timestamp formats (dd.MM.yyyy HH:mm:ss and yyyy-MM-dd HH:mm:ss AM/PM)
Enhanced field mapping with separate address, IP, and domain fields for client, destination, server, and source
Updated ECS version to 9.2.0 and CPS version to 1.1.0
Improved DNS error message mapping with additional error codes
Enhanced network type detection for IPv6 addresses
Refactored parser logic for better field organization and performance
For more information, see Package microsoft/windows-dns-debug Release Notes.
aws/guardduty has been updated to v1.2.2.
Updated ECS version to 9.2.0
Updated CPS version to 1.1.0
Added removePrefixes="detail." to parseJson function for improved field handling
Updated parser version to 1.3.2
For more information, see Package aws/guardduty Release Notes.