Falcon LogScale 1.218.0 GA (2025-12-09)

Version?Type?Release Date?Availability?End of SupportSecurity UpdatesUpgrades From?Downgrades To?Config. Changes?
1.218.0GA2025-12-09

Cloud

2027-02-28No1.150.01.177.0No

Hide file download links

Show file download links

Bug fixes and updates

Advance Warning

The following items are due to change in a future release.

  • Security

    • Starting from LogScale version 1.237, support for insecure ldap connections will be removed. Self-Hosted customers using LDAP will only be able to use ldaps secure connections.

  • User Interface

    • From version 1.225.0, LogScale will enforce a new limit of 10 labels that can be added or removed in bulk for assets such as dashboards, actions, alerts and scheduled searches.

      Labels will also have a character limit of 60.

      Existing assets that violate these newly imposed limits will continue to work until they are updated - users will then be forced to remove or reduce their labels to meet the requirement.

Removed

Items that have been removed as of this release.

Storage

  • Segment and lookup file bucket storage upload protocols have been improved in preparation for incoming changes. As a result, the metric bucket-storage-request-upload-queue-overflow has been removed, as the underlying logic this metric was measuring no longer exists.

Deprecation

Items that have been deprecated and may be removed in a future release.

Behavior Changes

Scripts or environment which make use of these tools should be checked and updated for the new configuration:

  • Installation and Deployment

    • LogScale has temporarily downgraded its version of Java to v24 due to a potential regression in Java v25, which could affect digest when using zstd compression in Kafka. The downgrade will remain in effect until the issue is resolved, or Java v25 is confirmed benign.

  • Ingestion

    • The environment variable KAFKA_INGEST_QUEUE_SKIP_ON_ERROR must now be explicitly set to skip messages from the ingest queue. Previously, specific corrupt Kafka records would be automatically skipped, even if the variable was set to false.

New features and improvements

  • API

    • Added a new parameter nextRunInterval to the POST api/v1/queryjobs endpoint for query submission. This parameter provides a hint to the query engine about the next run's interval, improving performance through partial result reuse.

      Example usage:

      json
      {
  [...]

  "nextRunInterval": {
    "start": 1764765006226
    "end": 1764851406227,
  }
}

      Note

      This parameter and its capability is relevant only when users are submitting the same query over and over for different time intervals.

  • Fleet Management

    • Added support for optional expiration dates on Log Collector enrollment tokens. Users can now specify when tokens should expire during creation.

      Note

      The default behavior remains unchanged - tokens have no expiration unless explicitly configured.

Fixed in this release

  • Security

    • The Service Provider-initiated SAML login protocol has been corrected to route to the default provider instead of the first provider listed.

  • Configuration

    • Error messages that point to instructions to MaxMind configuration contained a wrong documentation URL. The URL has now been updated to the correct location.

  • Queries

    • Fixed an issue where the highlighting for query results where regexes with d or F flags displayed incorrect matches. For example, the regex /.*$/d would incorrectly highlight the last line of multi-line text instead of the entire text.

      Note

      This issue impacted the display only. It did not affect actual query results.

  • Functions

    • Fixed an issue with the match() function lookup structure that occurred when nrows > 1 and keys are prefixes of each other, leading to missing results.

Known Issues

  • Storage

    • For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between PRIMARY_STORAGE_PERCENTAGE and PRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".

      This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.

Improvement

  • Storage

    • The global snapshot process has been improved to handle uploads one at a time using a dedicated thread. This ensures global snapshot uploads execute as planned and without delay from other uploads in the queue.

    • Bucket storage prefetch jobs will now download segments from bucket storage to attempt to hit the configured replication factor, even if another node in the cluster already possesses a copy.

  • Ingestion

    • Improved the handling of digest partitions assignment changes. The digest readers now attempt to update the consumed partitions when possible, instead of restarting on changed assignments.

  • Queries

    • Improved performance for the LogScale Regular Expression Engine V2 by optimizing concatenated repetitions of similar scope and body, i.e. greedy vs nongreedy repetitions. For example, the regex pattern .*.*Foo will now be optimized to .*Foo, resulting in significantly improved performance.

  • Metrics and Monitoring

    • Added two new metrics:

      • cluster-static-query-total-search-cost

      • cluster-static-query-reused-search-cost

      These metrics record the total cost of search and cost of reused parts for queries coordinated on a node.

Recent Package Updates

The following LogScale packages have been updated within the last month.

  • Package Changes

    • infoblox/nios has been updated to v1.3.4.

      • Updated ECS version to 9.2.0

      • Fixed DNS answers type field mapping to use array notation (dns.answers[0].type)

      • Updated parser version to 2.2.4

      For more information, see Package infoblox/nios Release Notes.

    • imperva/cloud-waf has been updated to v1.6.0.

      • Updated ECS version to 9.2.0

      • Updated CPS version to 1.1.0

      • Updated parser version to 4.0.0

      • Enhanced event categorization with improved event.category and event.type arrays

      • Added comprehensive client, server, and destination field mappings

      • Improved network type detection for IPv4 and IPv6 addresses

      • Added observer, network, and URL field mappings

      For more information, see Package imperva/cloud-waf Release Notes.

    • cisco/ise has been updated to v2.0.3.

      • Enhanced Response field parsing for cisco-av-pair attributes with improved regex pattern matching

      • Updated parser version to 3.0.3

      For more information, see Package cisco/ise Release Notes.

    • trellix/fireeye-nx has been updated to v1.2.2.

      • Updated package description in manifest

      For more information, see Package trellix/fireeye-nx Release Notes.

    • cisco/umbrella has been updated to v1.4.1.

      • Updated parser version to 3.0.1

      • Added strict=false parameter to regex function for improved parsing reliability

      For more information, see Package cisco/umbrella Release Notes.

    • haproxy/haproxy has been updated to v1.2.3.

      • Enhanced syslog parsing with improved BSD Syslog format support

      • Added comprehensive HTTP, TCP, and error log format parsing

      • Updated ECS version to 9.2.0

      • Improved field mappings for client, source, destination, and server fields

      • Added TLS version detection and SSL handshake failure parsing

      • Enhanced URL parsing with query parameter extraction

      • Added IP address validation for source and client fields

      • Improved event categorization and outcome determination

      For more information, see Package haproxy/haproxy Release Notes.

    • microsoft/windows-dns-debug has been updated to v1.5.0.

      • Added support for new DNS log format with LOOKUP and RECURSE operations

      • Enhanced DNS answer record parsing with answer name and type extraction

      • Improved thread ID handling with both name and numeric ID fields

      • Added new DNS type classification for answer records

      • Updated parser version to 2.4.0

      For more information, see Package microsoft/windows-dns-debug Release Notes.

    • aws/fsx has been updated to v1.1.2.

      • Removed deprecated fsx-xml parser

      For more information, see Package aws/fsx Release Notes.

    • cisco/umbrella has been updated to v1.4.0.

      • Updated parser to support Cisco Umbrella Log Schema Version 13

      For more information, see Package cisco/umbrella Release Notes.

    • zscaler/deception has been updated to v2.3.0.

      • Updated parser version to 3.0.0

      • Updated ECS version to 9.2.0

      • Enhanced event categorization with comprehensive type matching for different log types

      • Improved field mappings for source, destination, client, and server fields

      • Added support for additional file operations and process tracking

      • Enhanced threat intelligence integration with abuse confidence scoring

      • Improved timestamp parsing from syslog headers

      • Added comprehensive network protocol and connection state handling

      For more information, see Package zscaler/deception Release Notes.

    • veeam/veeamdataplatform has been updated to v1.0.2.

      • Updated ECS version to 9.2.0 and CPS version to 1.1.0

      • Consolidated user extraction logic for event ID 42405 with other InitiatorFullInfo events

      • Merged event ID ranges for UserName field extraction

      • Updated test cases with new sample data

      For more information, see Package veeam/veeamdataplatform Release Notes.

    • zscaler/private-access has been updated to v1.4.0.

      • Enhanced parser with comprehensive ECS field mappings for all ZPA log types

      • Added support for app connector metrics logs

      • Improved field normalization with proper source/destination/client/server mappings

      • Enhanced network traffic analysis with ingress/egress byte tracking

      • Added comprehensive event categorization and outcome determination

      • Improved timestamp handling across all log types

      • Enhanced user and authentication event processing

      • Added proper host infrastructure monitoring fields

      • Improved security inspection rule mapping

      • Enhanced geographic location tracking for all components

      For more information, see Package zscaler/private-access Release Notes.

    • okta/sso has been updated to v1.4.6.

      • Updated ECS version to 9.2.0

      • Enhanced event outcome handling to include UNANSWERED and ABANDONED result types

      • Added support for additional event types including app.oauth2.token.grant, event_hook.delivery, system.push.send_factor_verify_push, and various system notification events

      • Improved code formatting and consistency throughout parser

      • Added new test cases for enhanced coverage

      For more information, see Package okta/sso Release Notes.

    • cisco/firepower has been updated to v1.7.6.

      • Updated parser version to 3.3.6

      • Enhanced key-value parsing for events 430001-430007 to better handle UserAgent field extraction

      • Improved regex pattern to handle complex field values with commas and special characters

      For more information, see Package cisco/firepower Release Notes.

    • f5networks/bigip has been updated to v3.0.0.

      • Updated to support RFC 5424 syslog format

      • Added checks to ensure IPs are valid prior to assignment

      • Improved parsing around login/logout events

      For more information, see Package f5networks/bigip Release Notes.

    • nozomi/ids has been updated to v1.3.3.

      • Updated parser version to 3.0.3

      • Added new message pattern for cleartext password authentication requests

      • Enhanced event categorization for network and intrusion detection events

      For more information, see Package nozomi/ids Release Notes.

    • zscaler/internet-access has been updated to v2.0.0.

      • Enhanced IP address and domain handling with improved address field mapping

      • Added client.* and server.* field mappings for better network visibility

      • Improved DNS answer field structure using indexed array format

      • Removed timezone parameter from file modification time parsing

      • Changed destination.ip to use Vendor.cdip instead of Vendor.sdip for consistency

      • Improved event.type categorization for file-related events

      • Added parsing for nested Vendor.category fields

      • Updated parser version to 3.0.0

      For more information, see Package zscaler/internet-access Release Notes.

    • checkpoint/ngfw has been updated to v2.5.0.

      • Enhanced event categorization for network events to include "info" event type

      • Added support for Application Control product detection via ProductName field

      • Improved product matching for VPN-1 & FireWall-1 and Firewall products using in() function

      • Added Anti Malware product categorization with malware event category

      • Enhanced client/server field mapping for application control, URL filtering, and HTTPS inspection logs

      • Updated parser version to 3.5.0

      For more information, see Package checkpoint/ngfw Release Notes.

    • cloudflare/zerotrust has been updated to v2.0.0.

      • Added support for new datasets: email-security-alerts, browser-isolation, sinkhole-http, warp-changes, ssh, dex-application-tests, dlp-forensic-copies, dns-firewall, workers-trace, dex-device-state, ipsec

      • Enhanced timestamp parsing with additional timestamp fields (EventTimestampMs, ActionTimestamp)

      • Added support for SSO action in access-requests dataset

      • Improved audit event categorization with view action support

      • Enhanced source address handling with ActorIPAddress support

      • Updated event outcome logic for audit events to support success/fail patterns

      • Added comprehensive field mappings for new datasets including process, error, DNS, and network fields

      • Enhanced email security alerts with attachment processing and threat categorization

      • Added browser isolation event processing with decision-based outcomes

      • Implemented workers trace event handling with exception-based outcome determination

      • Added SSH session tracking with start/end event types

      • Enhanced DEX application tests with HTTP performance metrics

      • Added DLP forensic copies processing with rule-based categorization

      • Implemented DNS firewall event handling with query type and response code processing

      • Added IPsec event processing with connection status tracking

      • Enhanced device state monitoring with network and client metrics

      • Updated parser version to 4.0.0

      For more information, see Package cloudflare/zerotrust Release Notes.

    • fortinet/fortigate has been updated to v2.1.0.

      • Enhanced CEF parsing with improved priority handling and format normalization

      • Fixed CEF header format by replacing "CEF: 0" with "CEF:0" for proper parsing

      • Reordered parsing logic to prioritize CEF format detection before syslog priority extraction

      • Improved source.address field mapping with enhanced coalesce logic to preserve existing values

      • Updated parser version to 4.2.0

      For more information, see Package fortinet/fortigate Release Notes.

    • cisco/ios has been updated to v1.7.4.

      • Added support for EEM (Embedded Event Manager) events with new parsing pattern

      • Enhanced parser to handle EEM event actions and messages

      • Updated parser version to 2.6.4

      For more information, see Package cisco/ios Release Notes.

    • microsoft/windows-dns-debug has been updated to v1.5.1.

      • Enhanced timestamp parsing to support additional date format (d/M/yyyy HH:mm:ss)

      • Improved regex pattern for PACKET log entries to handle multiple timestamp formats

      • Fixed timestamp parsing for LOOKUP operation logs

      • Updated parser version to 2.4.1

      For more information, see Package microsoft/windows-dns-debug Release Notes.

    • aws/guardduty has been updated to v1.2.2.

      • Updated ECS version to 9.2.0

      • Updated CPS version to 1.1.0

      • Added removePrefixes="detail." to parseJson function for improved field handling

      • Updated parser version to 1.3.2

      For more information, see Package aws/guardduty Release Notes.

    • fortinet/fortigate has been updated to v2.0.0.

      • Added CEF (Common Event Format) parsing support for Fortinet logs

      • Enhanced timestamp parsing with support for CEF header timestamps

      • Enhanced source and destination address handling with conditional logic for login events

      • Updated event.action field priority to use Vendor.action first, then Vendor.logdesc, then Vendor.eventtype

      • Added support for additional source fields including Vendor.spt for source port mapping

      • Improved URL handling in remip field with proper quoting for complex URLs

      • Updated parser version to 4.1.0

      For more information, see Package fortinet/fortigate Release Notes.