Falcon LogScale 1.219.0 GA (2025-12-16)
| Version? | Type? | Release Date? | Availability? | End of Support | Security Updates | Upgrades From? | Downgrades To? | Config. Changes? |
|---|---|---|---|---|---|---|---|---|
| 1.219.0 | GA | 2025-12-16 | Cloud | 2027-02-28 | No | 1.150.0 | 1.177.0 | No |
Hide file download links
Download
Use docker pull humio/humio-core:1.219.0 to download the latest version
Bug fixes and updates
Breaking Changes
The following items create a breaking change in the behavior, response or operation of this release.
Automation and Triggers
LogScale now enforces a limit of 10 actions per trigger (alert or scheduled search). Existing triggers exceeding this limit will continue to run, but must comply with the limit when edited.
Advance Warning
The following items are due to change in a future release.
Security
Starting from LogScale version 1.237, support for insecure
ldapconnections will be removed. Self-Hosted customers using LDAP will only be able to useldapssecure connections.User Interface
From version 1.225.0, LogScale will enforce a new limit of 10 labels that can be added or removed in bulk for assets such as dashboards, actions, alerts and scheduled searches.
Labels will also have a character limit of 60.
Existing assets that violate these newly imposed limits will continue to work until they are updated - users will then be forced to remove or reduce their labels to meet the requirement.
Queries
Due to various upcoming changes to LogScale and the recently introduced regex engine, the following regex features will be removed in version 1.225:
Octal notation
Quantification of unquantifiable constructs
Octal notation is being removed due to logic application difficulties and its tendency to make typographical errors easier to overlook.
Here is an example of a common octal notation issue:
regex/10\.26.\122\.128/In this example,
\122is interpreted as the octal escape forRrather than the intended literal122. Similarly, the.matches not just the punctuation itself but also any single character except for new lines.Any construction of
\xwherexis a number from 1 to 9 will always be interpreted as a backreference to a capture group. If the corresponding capture group does not exist, it will be an error.Quantification of unquantifiable constructs is being removed due to lack of appropriate semantic logic, leading to redundancy and errors.
Unquantifiable constructs being removed include:
^(the start of string/start of line)
$(the end of string/end of line)
?=(a positive lookahead)
?!(a negative lookahead)?<= (a positive lookbehind)
<?<!> (a negative lookbehind)
\b(a word boundary)
\B(a non-word boundary)For example, the end-of-text construct
$*only has meaning for a limited number of occurrences. There can never be more than one occurrence of the end of the text at any given position, making elements like$redundant.A common pitfall that causes this warning is when users copy and paste a glob pattern like
*abc*in as a regex, but delimit the regex with start of text and end of text anchors:regex/^*abc*$/The proper configuration should look like this:
regex/abc/For more information, see LogScale Regular Expression Engine V2.
Removed
Items that have been removed as of this release.
Configuration
Removed the following deprecated configuration variables:
S3_STORAGE_FORCED_COPY_SOURCE
S3_BUCKET_STORAGE_PREFERRED_MEANS_FORCEDUsers previously using
S3_STORAGE_FORCED_COPY_SOURCEshould now useS3_STORAGE_PREFERRED_COPY_SOURCEinstead.
Deprecation
Items that have been deprecated and may be removed in a future release.
In order to simplify and clean up older documentation and manuals that refer to past versions of LogScale and related products, the following manual versions will be archived after 15th December 2025:
This archiving will improve the efficiency of the site and navigability.
Archived manuals will be available in a download-only format in an archive area of the documentation. Manuals that have been archived will no longer be included in the search, or accessible to view online through the documentation portal.
The following GraphQL APIs are deprecated and will be removed in version 1.225 or later:
In the updateSettings mutation, these input arguments are deprecated:
isPackageDocsMessageDismissed
isDarkModeMessageDismissed
isResizableQueryFieldMessageDismissed
On the UserSettings type, these fields are deprecated:
isPackageDocsMessageDismissed
isDarkModeMessageDismissed
Note
The deprecated input arguments will have no effect, and the deprecated fields will always return true until their removal.
The userId parameter for the updateDashboardToken GraphQL mutation has been deprecated and will be removed in version 1.273.
The
EXTRA_KAFKA_CONFIGS_FILEconfiguration variable has been deprecated and planned to be removed no earlier than version 1.225.0. For more information, see RN Issue.
rdns()has been deprecated and will be removed in version 1.249. UsereverseDns()as an alternative function.The Secondary Storage feature is now deprecated and will be removed in LogScale 1.231.0.
The Bucket Storage feature provides superior functionality for storing rarely queried data in cheaper storage while keeping frequently queried data in hot storage (fast and expensive). For more information, see Bucket Storage.
Please contact LogScale support for any concerns about this deprecation.
New features and improvements
Storage
Enabled new bucket queue implementation by default. It can be disabled via the
NewFileTransferQueuingfeature flag.
API
Added a new admin-level API for unsetting a segment's bucketId field. This is for segments that are on disk but not in bucket storage. In cases where a bucket storage has lost data, this API can be used to remove corresponding metadata from LogScale, ending repeated attempts to download the missing files.
Usage requires a POST call to the following endpoint, where bucketField specifies which bucket field to unset (e.g.,"primary" or "secondary"):
/api/v1/dataspaces/${dataspaceId}/datasources/${datasourceId}/segments/${segmentId}/unset-bucket-id?bucketField=${bucketField}Here's an example:
shellcurl https://${clusterUrl}/api/v1/dataspaces/${dataspaceId}/datasources/${datasourceId}/segments/${segmentId}/unset-bucket-id&bucketField=primary -H "Authorization: Bearer ${token}"Added the parameter
queryKindto the GraphQL mutation analyzeQuery, which indicates what kind of query program is being validated/analyzed.Valid values for a standard search query are:
graphql{standardSearch: {} }Valid values for a filter-prefix are:
graphql{ filterPrefix: {} }
Queries
Added support in the LogScale Regular Expression Engine V2 for hexadecimal escape sequences up to 4 digits in length using the following formats:
\x{n}\x{nn}\x{nnn}\x{nnnn}
Note
Curly brackets are required for this syntax. This is in addition to the existing
\xnnand\unnnnnotations.Added support for repeated backreferences in the LogScale Regular Expression Engine V2 engine. For example, the pattern
regex(.)\1{2,3}can now be used to detect sequences of repeated characters.
Metrics and Monitoring
Added new metrics for measuring free slots in the transfer queue:
bucket-storage-transfer-free-slots: Measures the number of available slots for bucket transfers within the limits imposed by environment variables such asS3_STORAGE_CONCURRENCYnode-to-node-transfer-free-slots: Measures the number of available slots for segment downloads within the limit imposed by the environment variableSEGMENTMOVER_EXECUTOR_CORES
Added the metric
currently-submitted-fetches-for-queries, which measures the number of segment downloads the query scheduler is actively waiting to complete.This metric differs from
bucket-storage-fetch-for-query-queuein that the latter counts all fetches the scheduler is planning to do for currently running queries, including those the scheduler has not yet requested.
Fixed in this release
Storage
Fixed a bug in the ordering of segment downloads. Downloads for queries now get priority over other downloads.
An issue found in version 1.218.0 could cause bucket uploads to become stuck. This issue has now been fixed.
Queries
Fixed an issue where warnings produced when merging worker states, such as
groupBy()function limit breaches, were not consistently attached to a user's query results.
Fleet Management
Adjusted Fleet and Group Management processing to continue applying valid groups when encountering malformed filter queries. Previously, a single group with an invalid filter would prevent all subsequent groups from being processed.
Note
The user interface prevents creation of invalid filters, but filters created before LogScale v1.158.0 may contain malformed queries.
Packages
Fixed an issue where failed package installations or updates could incorrectly produce audit log events, indicating triggers were created or updated.
Known Issues
Storage
For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between
PRIMARY_STORAGE_PERCENTAGEandPRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.
Improvement
Storage
AWS' Netty-based HTTP client is now the default for S3 bucket operations. It is also the default client for asynchronous operations in AWS SDK v2.
Users who wish to continue using Apache's Pekko HTTP client can revert by setting
S3_NETTY_CLIENTtoFALSE, then restarting the cluster.This implementation provides the following additional metrics for monitoring the client connection pool:
s3-aws-bucket-available-concurrency
s3-aws-bucket-leased-concurrency
s3-aws-bucket-max-concurrency
s3-aws-bucket-pending-concurrency-acquires
s3-aws-bucket-concurrency-acquire-duration
On clusters where non-humio thread dumps are available, it is also possible to look into the state of the client thread pool by searching for the thread name prefix
bucketstorage-netty.The client is set with default values originating from AWS' SDK Netty client. However, users can fine-tune the client further with the following environment variables:
Improved internal queueing logic for bucket uploads and downloads to adjust the order of transfer when there is contention. Transfer order is now as follows:
Segment uploads
Lookup file uploads
Segment downloads
Packages
Improved error messages for package assets violating the latest package schema to better identify which asset specifically is causing validation errors. Error messages now contain the name and type of the offending asset.
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
infoblox/nios has been updated to v1.3.4.
Updated ECS version to 9.2.0
Fixed DNS answers type field mapping to use array notation (dns.answers[0].type)
Updated parser version to 2.2.4
For more information, see Package infoblox/nios Release Notes.
imperva/cloud-waf has been updated to v1.6.0.
Updated ECS version to 9.2.0
Updated CPS version to 1.1.0
Updated parser version to 4.0.0
Enhanced event categorization with improved event.category and event.type arrays
Added comprehensive client, server, and destination field mappings
Improved network type detection for IPv4 and IPv6 addresses
Added observer, network, and URL field mappings
For more information, see Package imperva/cloud-waf Release Notes.
cisco/ise has been updated to v2.0.3.
Enhanced Response field parsing for cisco-av-pair attributes with improved regex pattern matching
Updated parser version to 3.0.3
For more information, see Package cisco/ise Release Notes.
trellix/fireeye-nx has been updated to v1.2.2.
Updated package description in manifest
For more information, see Package trellix/fireeye-nx Release Notes.
cisco/umbrella has been updated to v1.4.1.
Updated parser version to 3.0.1
Added strict=false parameter to regex function for improved parsing reliability
For more information, see Package cisco/umbrella Release Notes.
haproxy/haproxy has been updated to v1.2.3.
Enhanced syslog parsing with improved BSD Syslog format support
Added comprehensive HTTP, TCP, and error log format parsing
Updated ECS version to 9.2.0
Improved field mappings for client, source, destination, and server fields
Added TLS version detection and SSL handshake failure parsing
Enhanced URL parsing with query parameter extraction
Added IP address validation for source and client fields
Improved event categorization and outcome determination
For more information, see Package haproxy/haproxy Release Notes.
microsoft/windows-dns-debug has been updated to v1.5.0.
Added support for new DNS log format with LOOKUP and RECURSE operations
Enhanced DNS answer record parsing with answer name and type extraction
Improved thread ID handling with both name and numeric ID fields
Added new DNS type classification for answer records
Updated parser version to 2.4.0
For more information, see Package microsoft/windows-dns-debug Release Notes.
aws/fsx has been updated to v1.1.2.
Removed deprecated fsx-xml parser
For more information, see Package aws/fsx Release Notes.
cisco/umbrella has been updated to v1.4.0.
Updated parser to support Cisco Umbrella Log Schema Version 13
For more information, see Package cisco/umbrella Release Notes.
zscaler/deception has been updated to v2.3.0.
Updated parser version to 3.0.0
Updated ECS version to 9.2.0
Enhanced event categorization with comprehensive type matching for different log types
Improved field mappings for source, destination, client, and server fields
Added support for additional file operations and process tracking
Enhanced threat intelligence integration with abuse confidence scoring
Improved timestamp parsing from syslog headers
Added comprehensive network protocol and connection state handling
For more information, see Package zscaler/deception Release Notes.
veeam/veeamdataplatform has been updated to v1.0.2.
Updated ECS version to 9.2.0 and CPS version to 1.1.0
Consolidated user extraction logic for event ID 42405 with other InitiatorFullInfo events
Merged event ID ranges for UserName field extraction
Updated test cases with new sample data
For more information, see Package veeam/veeamdataplatform Release Notes.
okta/sso has been updated to v1.4.6.
Updated ECS version to 9.2.0
Enhanced event outcome handling to include UNANSWERED and ABANDONED result types
Added support for additional event types including app.oauth2.token.grant, event_hook.delivery, system.push.send_factor_verify_push, and various system notification events
Improved code formatting and consistency throughout parser
Added new test cases for enhanced coverage
For more information, see Package okta/sso Release Notes.
cisco/firepower has been updated to v1.7.6.
Updated parser version to 3.3.6
Enhanced key-value parsing for events 430001-430007 to better handle UserAgent field extraction
Improved regex pattern to handle complex field values with commas and special characters
For more information, see Package cisco/firepower Release Notes.
f5networks/bigip has been updated to v3.0.0.
Updated to support RFC 5424 syslog format
Added checks to ensure IPs are valid prior to assignment
Improved parsing around login/logout events
For more information, see Package f5networks/bigip Release Notes.
cloudflare/zerotrust has been updated to v2.1.0.
Modified risk score to severity mapping: 1-20 (severity 70), 21-50 (severity 50), 51-80 (severity 30), 81-100 (severity 10)
Updatedparser version to 4.1.0
For more information, see Package cloudflare/zerotrust Release Notes.
zscaler/internet-access has been updated to v2.0.0.
Enhanced IP address and domain handling with improved address field mapping
Added client.* and server.* field mappings for better network visibility
Improved DNS answer field structure using indexed array format
Removed timezone parameter from file modification time parsing
Changed destination.ip to use Vendor.cdip instead of Vendor.sdip for consistency
Improved event.type categorization for file-related events
Added parsing for nested Vendor.category fields
Updated parser version to 3.0.0
For more information, see Package zscaler/internet-access Release Notes.
cisco/meraki has been updated to v1.5.4.
Enhanced firewall flow parsing with improved regex pattern for better action extraction
Added support for pattern-based action determination (0/1 and allow/deny patterns)
Improved handling of firewall events with more robust field extraction
For more information, see Package cisco/meraki Release Notes.
checkpoint/ngfw has been updated to v2.5.0.
Enhanced event categorization for network events to include "info" event type
Added support for Application Control product detection via ProductName field
Improved product matching for VPN-1 & FireWall-1 and Firewall products using in() function
Added Anti Malware product categorization with malware event category
Enhanced client/server field mapping for application control, URL filtering, and HTTPS inspection logs
Updated parser version to 3.5.0
For more information, see Package checkpoint/ngfw Release Notes.
fortinet/fortigate has been updated to v2.2.0.
Enhanced event categorization with improved network session and connection type mapping
Added comprehensive event.type array population based on event.action and session context
Improved source and destination address handling with lowercase normalization
Enhanced destination port mapping to include additional vendor fields (Vendor.dpt)
Updated event.action priority logic to handle UTM block actions specifically
Refined network protocol detection and event type classification
Updated parser version to 5.0.0
For more information, see Package fortinet/fortigate Release Notes.
zscaler/internet-access has been updated to v2.1.0.
Enhanced firewall event categorization with improved event.type arrays for connection events
Added event.outcome field mapping for web events based on action types
Improved file field handling logic with better conditional checks for filename presence
Updated file.name field to use coalesce function for better fallback handling
Enhanced firewall events with intrusion detection categorization for IPS actions
Enhanced HTTP response status code validation to exclude wildcard and "NA" values
Added event.type arrays for DNS and tunnel events to improve event classification
Updated parser version to 4.0.0
For more information, see Package zscaler/internet-access Release Notes.
cloudflare/zerotrust has been updated to v2.0.0.
Added support for new datasets: email-security-alerts, browser-isolation, sinkhole-http, warp-changes, ssh, dex-application-tests, dlp-forensic-copies, dns-firewall, workers-trace, dex-device-state, ipsec
Enhanced timestamp parsing with additional timestamp fields (EventTimestampMs, ActionTimestamp)
Added support for SSO action in access-requests dataset
Improved audit event categorization with view action support
Enhanced source address handling with ActorIPAddress support
Updated event outcome logic for audit events to support success/fail patterns
Added comprehensive field mappings for new datasets including process, error, DNS, and network fields
Enhanced email security alerts with attachment processing and threat categorization
Added browser isolation event processing with decision-based outcomes
Implemented workers trace event handling with exception-based outcome determination
Added SSH session tracking with start/end event types
Enhanced DEX application tests with HTTP performance metrics
Added DLP forensic copies processing with rule-based categorization
Implemented DNS firewall event handling with query type and response code processing
Added IPsec event processing with connection status tracking
Enhanced device state monitoring with network and client metrics
Updated parser version to 4.0.0
For more information, see Package cloudflare/zerotrust Release Notes.
infoblox/nios has been updated to v1.3.5.
Enhanced DNS query parsing to support view-specific queries with improved regex pattern
Added support for extracting view information from DNS messages
Fixed network transport protocol normalization to lowercase format
Updated parser version to 2.2.5
For more information, see Package infoblox/nios Release Notes.
fortinet/fortigate has been updated to v2.1.0.
Enhanced CEF parsing with improved priority handling and format normalization
Fixed CEF header format by replacing "CEF: 0" with "CEF:0" for proper parsing
Reordered parsing logic to prioritize CEF format detection before syslog priority extraction
Improved source.address field mapping with enhanced coalesce logic to preserve existing values
Updated parser version to 4.2.0
For more information, see Package fortinet/fortigate Release Notes.
microsoft/windows-dns-debug has been updated to v1.5.1.
Enhanced timestamp parsing to support additional date format (d/M/yyyy HH:mm:ss)
Improved regex pattern for PACKET log entries to handle multiple timestamp formats
Fixed timestamp parsing for LOOKUP operation logs
Updated parser version to 2.4.1
For more information, see Package microsoft/windows-dns-debug Release Notes.
aws/guardduty has been updated to v1.2.2.
Updated ECS version to 9.2.0
Updated CPS version to 1.1.0
Added removePrefixes="detail." to parseJson function for improved field handling
Updated parser version to 1.3.2
For more information, see Package aws/guardduty Release Notes.
fortinet/fortigate has been updated to v2.0.0.
Added CEF (Common Event Format) parsing support for Fortinet logs
Enhanced timestamp parsing with support for CEF header timestamps
Enhanced source and destination address handling with conditional logic for login events
Updated event.action field priority to use Vendor.action first, then Vendor.logdesc, then Vendor.eventtype
Added support for additional source fields including Vendor.spt for source port mapping
Improved URL handling in remip field with proper quoting for complex URLs
Updated parser version to 4.1.0
For more information, see Package fortinet/fortigate Release Notes.