Falcon LogScale 1.219.1 LTS (2026-02-13)
| Version? | Type? | Release Date? | Availability? | End of Support | Security Updates | Upgrades From? | Downgrades To? | Config. Changes? |
|---|---|---|---|---|---|---|---|---|
| 1.219.1 | LTS | 2026-02-13 | Cloud On-Prem | 2027-02-28 | Yes | 1.150.0 | 1.177.0 | No |
Hide file download links
Download
Use docker pull humio/humio-core:1.219.1 to download the latest version
Hide file hashes
These notes include entries from the following previous releases: 1.219.0, 1.218.0, 1.217.0, 1.216.0, 1.215.0, 1.214.0
Bug fixes and updates.
Breaking Changes
The following items create a breaking change in the behavior, response or operation of this release.
Automation and Triggers
LogScale now enforces a limit of 10 actions per trigger (alert or scheduled search). Existing triggers exceeding this limit will continue to run, but must comply with the limit when edited.
Advance Warning
The following items are due to change in a future release.
Security
Starting from LogScale version 1.237, support for insecure
ldapconnections will be removed. Self-Hosted customers using LDAP will only be able to useldapssecure connections.User Interface
From version 1.225.0, LogScale will enforce a new limit of 10 labels that can be added or removed in bulk for assets such as dashboards, actions, alerts and scheduled searches.
Labels will also have a character limit of 60.
Existing assets that violate these newly imposed limits will continue to work until they are updated - users will then be forced to remove or reduce their labels to meet the requirement.
Queries
Due to various upcoming changes to LogScale and the recently introduced regex engine, the following regex features will be removed in version 1.225:
Octal notation
Quantification of unquantifiable constructs
Octal notation is being removed due to logic application difficulties and its tendency to make typographical errors easier to overlook.
Here is an example of a common octal notation issue:
regex/10\.26.\122\.128/In this example,
\122is interpreted as the octal escape forRrather than the intended literal122. Similarly, the.matches not just the punctuation itself but also any single character except for new lines.Any construction of
\xwherexis a number from 1 to 9 will always be interpreted as a backreference to a capture group. If the corresponding capture group does not exist, it will be an error.Quantification of unquantifiable constructs is being removed due to lack of appropriate semantic logic, leading to redundancy and errors.
Unquantifiable constructs being removed include:
^(the start of string/start of line)
$(the end of string/end of line)
?=(a positive lookahead)
?!(a negative lookahead)?<= (a positive lookbehind)
<?<!> (a negative lookbehind)
\b(a word boundary)
\B(a non-word boundary)For example, the end-of-text construct
$*only has meaning for a limited number of occurrences. There can never be more than one occurrence of the end of the text at any given position, making elements like$redundant.A common pitfall that causes this warning is when users copy and paste a glob pattern like
*abc*in as a regex, but delimit the regex with start of text and end of text anchors:regex/^*abc*$/The proper configuration should look like this:
regex/abc/For more information, see LogScale Regular Expression Engine V2.
Removed
Items that have been removed as of this release.
Storage
Segment and lookup file bucket storage upload protocols have been improved in preparation for incoming changes. As a result, the metric bucket-storage-request-upload-queue-overflow has been removed, as the underlying logic this metric was measuring no longer exists.
Configuration
Removed the following deprecated configuration variables:
S3_STORAGE_FORCED_COPY_SOURCE
S3_BUCKET_STORAGE_PREFERRED_MEANS_FORCEDUsers previously using
S3_STORAGE_FORCED_COPY_SOURCEshould now useS3_STORAGE_PREFERRED_COPY_SOURCEinstead.Removed
SEGMENT_TO_HOST_MAPPING_CRASH_SETTLING_TIME_SECONDSconfiguration as the logic is now handled internally according to Heartbeats.
Deprecation
Items that have been deprecated and may be removed in a future release.
The Release Note Full Index page page has been deprecated. Please use the Search Release Notes page to search the release notes for any product.
In order to simplify and clean up older documentation and manuals that refer to past versions of LogScale and related products, the following manual versions will be archived after 15th December 2025:
This archiving will improve the efficiency of the site and navigability.
Archived manuals will be available in a download-only format in an archive area of the documentation. Manuals that have been archived will no longer be included in the search, or accessible to view online through the documentation portal.
The following GraphQL mutations have been deprecated:
addAlertLabel
removeAlertLabel
removeScheduledSearchLabelThe deprecated GraphQL mutations will be replaced by the following mutations:
The following GraphQL mutations are being added:
The following GraphQL APIs are deprecated and will be removed in version 1.225 or later:
In the updateSettings mutation, these input arguments are deprecated:
isPackageDocsMessageDismissed
isDarkModeMessageDismissed
isResizableQueryFieldMessageDismissed
On the UserSettings type, these fields are deprecated:
isPackageDocsMessageDismissed
isDarkModeMessageDismissed
Note
The deprecated input arguments will have no effect, and the deprecated fields will always return true until their removal.
The userId parameter for the updateDashboardToken GraphQL mutation has been deprecated and will be removed in version 1.273.
The
EXTRA_KAFKA_CONFIGS_FILEconfiguration variable has been deprecated and planned to be removed no earlier than version 1.225.0. For more information, see RN Issue.
rdns()has been deprecated and will be removed in version 1.249. UsereverseDns()as an alternative function.The Secondary Storage feature is now deprecated and will be removed in LogScale 1.231.0.
The Bucket Storage feature provides superior functionality for storing rarely queried data in cheaper storage while keeping frequently queried data in hot storage (fast and expensive). For more information, see Bucket Storage.
Please contact LogScale support for any concerns about this deprecation.
Behavior Changes
Scripts or environment which make use of these tools should be checked and updated for the new configuration:
Installation and Deployment
LogScale has temporarily downgraded its version of Java to v24 due to a potential regression in Java v25, which could affect digest when using zstd compression in Kafka. The downgrade will remain in effect until the issue is resolved, or Java v25 is confirmed benign.
Storage
When a request to LogScale hits a timeout for updating the global database, it will now return HTTP status code 500 instead of status code 400.
LogScale now prevents start-up if a user's Azure endpoint base has not been configured for Azure bucket storage.
If
AZURE_STORAGE_BUCKET,AZURE_STORAGE_ACCOUNTNAME, andAZURE_STORAGE_ACCOUNTKEYvariables are specified andAZURE_STORAGE_ENDPOINT_BASEis not specified, LogScale will fail to start rather than delaying failure until an attempt to connect to the bucket is made.Ingestion
The environment variable
KAFKA_INGEST_QUEUE_SKIP_ON_ERRORmust now be explicitly set to skip messages from the ingest queue. Previously, specific corrupt Kafka records would be automatically skipped, even if the variable was set tofalse.Queries
Filter prefixes have been refactored to change the way they are validated - as a result, the diagnostic message for all prefixes has been changed.
A query prefix may only contain pure filters. Transformations, aggregations etc. are not allowed. Functions are also disallowed, even if their behavior is purely filtering.
Upgrades
Changes that may occur or be required during an upgrade.
User Interface
Upgraded the API explorer to GraphiQL version 5.2.0.
Configuration
LogScale has upgraded its Netty version to 4.2.7.
New features and improvements
User Interface
The following bulk actions can now be performed on multiple assets:
as .zip file
Assets that support this feature include:
Actions
Dashboards
Interactions
Lookup files
Parsers
Triggers
LogScale now also supports enabling and disabling triggers in bulk.
Corresponding GraphQL Batch operations are also available.
For more information, see Table Components.
Documentation
The release note search system has been updated to provide more functionality across a wider range of products. Searching of release notes has been expanded to add support for searching multiple individual products (LogScale, Log Collector, Aux PDF and Humio Operator):
We now have full release notes for each of these products with their own dedicated page and entries.
Improved search speed and filtering
Release note searches can now be saved and shared
With this change, the Full Release Notes Index page has been deprecated as the new search page provides better functionality for searching the release note system. See RN Issue.
Automation and Triggers
Added a new system repository humio-trigger-execution-info, which contains information about the execution of triggers. This new system repository is meant to be consumed by other systems; for a human-readable version, refer to the humio-activity repository.
Currently, this new system repository only contains information about the execution of scheduled searches, not alerts.
A new message template for formatting timestamps is now available for providing more formatting options. It applies to
query_end,query_start, andtriggeredtimestamps. For example:{format_time(triggered, "yyyy-MM-dd'T'HH:mm:ssX")}.For more information, see Message Templates and Variables.
Storage
Enabled new bucket queue implementation by default. It can be disabled via the
NewFileTransferQueuingfeature flag.
API
Added a new parameter
nextRunIntervalto the POSTapi/v1/queryjobsendpoint for query submission. This parameter provides a hint to the query engine about the next run's interval, improving performance through partial result reuse.Example usage:
json{ [...] "nextRunInterval": { "start": 1764765006226 "end": 1764851406227, } }Note
This parameter and its capability is relevant only when users are submitting the same query over and over for different time intervals.
Added a new admin-level API for unsetting a segment's bucketId field. This is for segments that are on disk but not in bucket storage. In cases where a bucket storage has lost data, this API can be used to remove corresponding metadata from LogScale, ending repeated attempts to download the missing files.
Usage requires a POST call to the following endpoint, where bucketField specifies which bucket field to unset (e.g.,"primary" or "secondary"):
/api/v1/dataspaces/${dataspaceId}/datasources/${datasourceId}/segments/${segmentId}/unset-bucket-id?bucketField=${bucketField}Here's an example:
shellcurl https://${clusterUrl}/api/v1/dataspaces/${dataspaceId}/datasources/${datasourceId}/segments/${segmentId}/unset-bucket-id&bucketField=primary -H "Authorization: Bearer ${token}"Added the parameter
queryKindto the GraphQL mutation analyzeQuery, which indicates what kind of query program is being validated/analyzed.Valid values for a standard search query are:
graphql{standardSearch: {} }Valid values for a filter-prefix are:
graphql{ filterPrefix: {} }
Configuration
Added a new dynamic configuration
GraphQLMaxErrorsCount, to configure the maximum number of errors returned in the GraphQL response errors array. Default value is100, with valid values between1and10000.
Dashboards and Widgets
A new styling option in the
Tablewidget now enables to configure custom column labels:Users can now rename column headers directly in the table widget's style configuration panel.
Custom column labels are preserved when switching between columns and refreshing the view.
For more information, see Table Property Reference.
A new styling option in the
Tablewidget now allows users to reorder columns. A reset button is also available for restoring the original columns order of the query result.For more information, see Table Property Reference.
Tablewidgets now support a new Column overflow setting with options to either truncate or wrap text content. Users can now control how to handle long text entries in table columns, improving readability and visual organization of various data and display preferences.The setting is available in the widget style panel under General.
For more information, see Table Widget.
Log Collector
Added new configuration variables:
These variables control whether Log Collector should use the configured HTTP proxy when calling the update server and download endpoint, respectively. The default is to use the proxy, which maintains the same behavior as before this change.
Queries
Added support in the LogScale Regular Expression Engine V2 for hexadecimal escape sequences up to 4 digits in length using the following formats:
\x{n}\x{nn}\x{nnn}\x{nnnn}
Note
Curly brackets are required for this syntax. This is in addition to the existing
\xnnand\unnnnnotations.Added support for repeated backreferences in the LogScale Regular Expression Engine V2 engine. For example, the pattern
regex(.)\1{2,3}can now be used to detect sequences of repeated characters.
Views can now be configured to resolve saved queries, lookup files and field aliases from a different view or repository.
For more information, see Referencing Resources.
Fleet Management
Added support for optional expiration dates on Log Collector enrollment tokens. Users can now specify when tokens should expire during creation.
Note
The default behavior remains unchanged - tokens have no expiration unless explicitly configured.
Metrics and Monitoring
Added new metrics:
currently-submitted-fetches-for-prefetching - Counts the number of pending segment file fetches the prefetcher has requested from the fetching subsystem.
currently-submitted-fetches-for-archiving - Counts the number of pending segment file fetches the bucket archiving job has requested from the fetching subsystem.
Added new metrics for measuring free slots in the transfer queue:
bucket-storage-transfer-free-slots: Measures the number of available slots for bucket transfers within the limits imposed by environment variables such asS3_STORAGE_CONCURRENCYnode-to-node-transfer-free-slots: Measures the number of available slots for segment downloads within the limit imposed by the environment variableSEGMENTMOVER_EXECUTOR_CORES
Added the metric
currently-submitted-fetches-for-queries, which measures the number of segment downloads the query scheduler is actively waiting to complete.This metric differs from
bucket-storage-fetch-for-query-queuein that the latter counts all fetches the scheduler is planning to do for currently running queries, including those the scheduler has not yet requested.
Auditing and Monitoring
The following audit log types have been removed:
aggregateAlert.add-label
aggregateAlert.remove-label
filterAlert.add-label
filterAlert.remove-label
The following Audit Log types have been added:
saved-query.add-labels
saved-query.remove-labels
aggregateAlert.add-labels
aggregateAlert.remove-labels
filterAlert.add-labels
filterAlert.remove-labels
alert.add-labels
alert.remove-labels
scheduled-search.add-labels
scheduled-search.remove-labels
uploaded-file.add-labels
uploaded-file.remove-labels
action.add-labels
action.remove-labels
dashboard.add-labels
dashboard.remove-labels
Added audit logging to the Export to File functionality for query results.
This adds two new audit log entries:
dataspace.query.export-file: when a query is exported to a file.
dataspace.query.export-bucket: when a query is streamed to an external file bucket (if the
Export to bucketfeature flag is enabled).
All entries include the following data points:
actor - Export requester data
timestamp- Time of the loggingexportedFileName - Exported file name with the file extension chosen
queryId- The ID of the related query audit log found through dataspace.querycsvFieldsExported (optional) - When exporting a query to CSV, you must select specific fields to include.
If the query is streamed due to size, the selected fields are added directly to the query as a filter using
select().When streaming to a bucket, additional fields are added:
bucketProvider - The bucket provider used to stream the file to (for example, S3)
bucket - The bucket ID used to stream the file to
To fetch information regarding audits for exported query requests, you can run a join query like
defineTable()orcorrelate()on the queryId. For example:logscalecorrelate( exports: { type = /dataspace.query.export/ } include: *, queries: { type = "dataspace.query" | queryId <=> exports.queryId } include: [query.queryString, query.ingestStart, query.ingestEnd] )
Fixed in this release
Security
The Service Provider-initiated SAML login protocol has been corrected to route to the default provider instead of the first provider listed.
Installation and Deployment
Fixed an issue in KafkaAdminUtils where a NullPointerException could occur if the code was accessed while a Kafka partition had no leader, causing unnecessary entries in the debug log. This problem has now been fixed.
User Interface
When creating a scheduled report, clicking before the data was loaded could result in no selectable dashboards in the dropdown menu. This issue has now been fixed by disabling the button until the data is loaded.
Storage
Fixed an issue affecting clusters with secondary storage where segment files could not be fetched from other nodes or downloaded from bucket storage directly to secondary storage. This issue only occurred when primary storage was approaching capacity and was introduced in version 1.200.
Fixed a rare issue preventing segments from being merged.
Fixed a bug in the ordering of segment downloads. Downloads for queries now get priority over other downloads.
A few issues have been fixed in idle datasource deletion code. The deletion code could delete the last datasource from a partition, which could cause digest to start from scratch on that partition in Kafka.
Fixed an issue where an InterruptedException could occur from
CurrentHostsSyncJobduring system termination, causing unnecessary entries in the debug log. This problem has now been fixed.An issue found in version 1.218.0 could cause bucket uploads to become stuck. This issue has now been fixed.
Fixed an issue where a scala.MatchError could be thrown from the metrics system during node shutdown, causing unnecessary entries in the debug log. This problem has now been fixed.
Configuration
Error messages that point to instructions to MaxMind configuration contained a wrong documentation URL. The URL has now been updated to the correct location.
Ingestion
Event forwarding rules that reference a saved query will now use the latest version of the saved query if it has been updated.
Log Collector
Fixed several
/api/v1/log-collectorendpoints to return proper status codes for invalid credentials.
Queries
Fixed an issue where the highlighting for query results where regexes with
dorFflags displayed incorrect matches. For example, the regex/.*$/dwould incorrectly highlight the last line of multi-line text instead of the entire text.Note
This issue impacted the display only. It did not affect actual query results.
Fixed an issue where warnings produced when merging worker states, such as
groupBy()function limit breaches, were not consistently attached to a user's query results.
Fleet Management
Adjusted Fleet and Group Management processing to continue applying valid groups when encountering malformed filter queries. Previously, a single group with an invalid filter would prevent all subsequent groups from being processed.
Note
The user interface prevents creation of invalid filters, but filters created before LogScale v1.158.0 may contain malformed queries.
Metrics and Monitoring
Fixed a bug in the
ingest-queue-read-offset-progress-jobthat prevented it from finding the ingest-queue-read-offset metric. This resolves the error message Ingest queue progress error: No ingest-queue-read-offset metrics found for partition that appeared about an hour after cluster restart.
Functions
Fixed an issue related to serialization where queries including
fieldstats()functions orcount()with thedistinctparameter set totruewould sometimes fail, causing the query to be cancelled.
Packages
Fixed an issue where failed package installations or updates could incorrectly produce audit log events, indicating triggers were created or updated.
Known Issues
Storage
For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between
PRIMARY_STORAGE_PERCENTAGEandPRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.
Improvement
Security
Added the
OrganizationOwnedQueriespermission to the default Admin role.Note
Existing user's Admin role selections will not be impacted. Only new instances of the Admin role, created when a new customer organization is created, will get this new permission.
User Interface
Dashboards with query parameters now load faster when displaying large suggestion lists. This improvement prevents dashboard to become unresponsive, which previously occurred when multiple query parameters contained thousands of suggestions.
Documentation
We have enabled a new search system for the main search pages which includes the following features:
Faster and more efficient searching
Defaults to searching only the current manuals covering the latest active releases
Searching of the full document set is available by selecting the checkbox on the search page
Auto-corrections and spelling mistakes are now automatically corrected during the search
Suggestions for alternative search terms (e.g. Virtual Private Network in place of VPN); clicking the links will search for the alternative term
Highlighting of found search terms on pages when you click through to a page; highlights can be removed by clicking the button at the top of the page
Automation and Triggers
Fixed a rare issue where rapidly disabling and re-enabling a scheduled search could cause the next scheduled execution to fail.
The next planned execution time is now preserved when disabling or enabling a scheduled search. It will be updated during the next scheduled search job run after enabling.
Storage
The global snapshot process has been improved to handle uploads one at a time using a dedicated thread. This ensures global snapshot uploads execute as planned and without delay from other uploads in the queue.
Bucket storage prefetch jobs will now download segments from bucket storage to attempt to hit the configured replication factor, even if another node in the cluster already possesses a copy.
AWS' Netty-based HTTP client is now the default for S3 bucket operations. It is also the default client for asynchronous operations in AWS SDK v2.
Users who wish to continue using Apache's Pekko HTTP client can revert by setting
S3_NETTY_CLIENTtoFALSE, then restarting the cluster.This implementation provides the following additional metrics for monitoring the client connection pool:
s3-aws-bucket-available-concurrency
s3-aws-bucket-leased-concurrency
s3-aws-bucket-max-concurrency
s3-aws-bucket-pending-concurrency-acquires
s3-aws-bucket-concurrency-acquire-duration
On clusters where non-humio thread dumps are available, it is also possible to look into the state of the client thread pool by searching for the thread name prefix
bucketstorage-netty.The client is set with default values originating from AWS' SDK Netty client. However, users can fine-tune the client further with the following environment variables:
Improved internal queueing logic for bucket uploads and downloads to adjust the order of transfer when there is contention. Transfer order is now as follows:
Segment uploads
Lookup file uploads
Segment downloads
Configuration
The following environment variables have been renamed to reflect their specific usage:
NUMBER_OF_ROWS_IN_SEGMENT_TO_HOST_MAPPING_TABLEchanged toNUMBER_OF_ROWS_IN_OWNER_HOSTS_TABLESEGMENT_TO_HOST_MAPPING_TOPOLOGY_CHANGE_SETTLING_TIME_SECONDSchanged toOWNER_HOSTS_TABLE_TOPOLOGY_CHANGE_SETTLING_TIME_SECONDS
Ingestion
Improved the handling of digest partitions assignment changes. The digest readers now attempt to update the consumed partitions when possible, instead of restarting on changed assignments.
Queries
Implemented query reuse capability for multi-cluster search worker queries, matching the existing functionality for standard cluster queries.
Filter prefix validation has been strengthened: use of query parameters is now explicitly disallowed.
Improved performance for the LogScale Regular Expression Engine V2 by optimizing concatenated repetitions of similar scope and body, i.e. greedy vs nongreedy repetitions. For example, the regex pattern
.*.*Foowill now be optimized to.*Foo, resulting in significantly improved performance.Added optimization related to tag filters. This improvement should slightly speed up
correlate()queries containing tag filters.Improved caching of query states to allow partial reuse of query results when querying by ingest time.
Metrics and Monitoring
Added two new metrics:
cluster-static-query-total-search-cost
cluster-static-query-reused-search-cost
These metrics record the total cost of search and cost of reused parts for queries coordinated on a node.
Packages
Improved error messages for package assets violating the latest package schema to better identify which asset specifically is causing validation errors. Error messages now contain the name and type of the offending asset.
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
infoblox/nios has been updated to v1.3.4.
Updated ECS version to 9.2.0
Fixed DNS answers type field mapping to use array notation (dns.answers[0].type)
Updated parser version to 2.2.4
For more information, see Package infoblox/nios Release Notes.
imperva/cloud-waf has been updated to v1.6.0.
Updated ECS version to 9.2.0
Updated CPS version to 1.1.0
Updated parser version to 4.0.0
Enhanced event categorization with improved event.category and event.type arrays
Added comprehensive client, server, and destination field mappings
Improved network type detection for IPv4 and IPv6 addresses
Added observer, network, and URL field mappings
For more information, see Package imperva/cloud-waf Release Notes.
cisco/ise has been updated to v2.0.3.
Enhanced Response field parsing for cisco-av-pair attributes with improved regex pattern matching
Updated parser version to 3.0.3
For more information, see Package cisco/ise Release Notes.
trellix/fireeye-nx has been updated to v1.2.2.
Updated package description in manifest
For more information, see Package trellix/fireeye-nx Release Notes.
aws/vpcflow has been updated to v1.3.0.
Enhanced IP address validation using CIDR function for source and destination fields
Added network transport protocol mapping based on IANA numbers
Improved event action normalization to lowercase format
Updated ECS version to 9.2.0 and CPS version to 1.1.0
Enhanced CSV header detection with improved regex pattern
For more information, see Package aws/vpcflow Release Notes.
cisco/meraki has been updated to v2.0.0.
Enhanced IP and address normalization with proper CIDR validation
Improved network protocol handling with tcp/ip normalization to network.transport
Added support for l7_firewall events with proper categorization
Enhanced IDS alert processing with decision-based event outcomes
Improved field mapping for client.domain and host.hostname with lowercase normalization
Added destination.mac field mapping from vendor fields
Updated event.type arrays to remove redundant "info" entries for cleaner categorization
Fixed temporary variable naming conflicts by prefixing with underscore
Enhanced file scanning events with proper category and type assignments
For more information, see Package cisco/meraki Release Notes.
cisco/firepower has been updated to v1.7.5.
Updated ECS version to 9.2.0
Updated parser version to 3.3.5
Added message field assignment from Vendor.message
For more information, see Package cisco/firepower Release Notes.
cisco/umbrella has been updated to v1.4.1.
Updated parser version to 3.0.1
Added strict=false parameter to regex function for improved parsing reliability
For more information, see Package cisco/umbrella Release Notes.
cloudflare/zerotrust has been updated to v1.6.0.
Updated ECS version to 9.2.0
Enhanced field mapping with improved global field normalizations
Added support for spectrum dataset
Improved DNS answer parsing with dynamic array handling
Enhanced client, destination, and source field processing with address/IP/domain logic
Added comprehensive threat indicator confidence mapping
Improved TLS version extraction with regex patterns
Enhanced event categorization for malware detection in gateway-http
Added new fields: file.extension, email.message_id, email.reply_to.address[], rule.description, network.iana_number, destination.as.number, source.as.number, source.nat.ip, cloud.account.id, server.as.number
Updated parser version to 3.0.0
For more information, see Package cloudflare/zerotrust Release Notes.
haproxy/haproxy has been updated to v1.2.3.
Enhanced syslog parsing with improved BSD Syslog format support
Added comprehensive HTTP, TCP, and error log format parsing
Updated ECS version to 9.2.0
Improved field mappings for client, source, destination, and server fields
Added TLS version detection and SSL handshake failure parsing
Enhanced URL parsing with query parameter extraction
Added IP address validation for source and client fields
Improved event categorization and outcome determination
For more information, see Package haproxy/haproxy Release Notes.
microsoft/windows-dns-debug has been updated to v1.5.0.
Added support for new DNS log format with LOOKUP and RECURSE operations
Enhanced DNS answer record parsing with answer name and type extraction
Improved thread ID handling with both name and numeric ID fields
Added new DNS type classification for answer records
Updated parser version to 2.4.0
For more information, see Package microsoft/windows-dns-debug Release Notes.
netgate/pfsense has been updated to v1.1.2.
Added support for RFC 5424 syslog format with ISO 8601 timestamps
Enhanced timestamp parsing to handle both BSD syslog and RFC 5424 formats
Updated parser version to 1.1.2
For more information, see Package netgate/pfsense Release Notes.
fortinet/fortigate has been updated to v1.4.1.
Updated parser version to 3.0.1
Removed timezone parameter from parseTimestamp function for date/time parsing
For more information, see Package fortinet/fortigate Release Notes.
aws/fsx has been updated to v1.1.2.
Removed deprecated fsx-xml parser
For more information, see Package aws/fsx Release Notes.
cisco/umbrella has been updated to v1.4.2.
Updated parser version to 3.0.2
Enhanced source.address field mapping to use external_client_ip as fallback when internal_client_ip is not available
For more information, see Package cisco/umbrella Release Notes.
zscaler/deception has been updated to v2.2.1.
Updated ECS version to 9.1.0
Updated CPS version to 1.1.0
Improved timestamp parsing by removing timezone parameter
For more information, see Package zscaler/deception Release Notes.
darktrace/detect has been updated to v2.0.1.
Updated ECS version to 9.1.0
Updated parser version to 3.0.1
Fixed timezone handling for RFC 3164 syslog timestamps by removing explicit UTC timezone setting
For more information, see Package darktrace/detect Release Notes.
cisco/umbrella has been updated to v1.4.0.
Updated parser to support Cisco Umbrella Log Schema Version 13
For more information, see Package cisco/umbrella Release Notes.
palo-alto/prisma-sd-wan has been updated to v1.2.1.
Updated ECS version to 9.1.0
Improved timestamp parsing by removing timezone parameter for better compatibility
For more information, see Package palo-alto/prisma-sd-wan Release Notes.
f5networks/bigip has been updated to v2.5.2.
Removed timezone parameter from timestamp parsing functions to use system default timezone handling
For more information, see Package f5networks/bigip Release Notes.
zscaler/deception has been updated to v2.3.0.
Updated parser version to 3.0.0
Updated ECS version to 9.2.0
Enhanced event categorization with comprehensive type matching for different log types
Improved field mappings for source, destination, client, and server fields
Added support for additional file operations and process tracking
Enhanced threat intelligence integration with abuse confidence scoring
Improved timestamp parsing from syslog headers
Added comprehensive network protocol and connection state handling
For more information, see Package zscaler/deception Release Notes.
claroty/ctd has been updated to v1.2.2.
Removed timezone parameter from parseTimestamp function to use automatic timezone detection
Updated parser version to 1.1.3
For more information, see Package claroty/ctd Release Notes.
forcepoint/dlp has been updated to v1.2.2.
Updated ECS version to 9.1.0
Updated CPS version to 1.1.0
Removed timezone specifications from timestamp parsing
Enhanced field mapping documentation
For more information, see Package forcepoint/dlp Release Notes.
checkpoint/ngfw has been updated to v2.3.3.
Removed timezone parameter from timestamp parsing functions to use system default timezone handling
For more information, see Package checkpoint/ngfw Release Notes.
veeam/veeamdataplatform has been updated to v1.0.2.
Updated ECS version to 9.2.0 and CPS version to 1.1.0
Consolidated user extraction logic for event ID 42405 with other InitiatorFullInfo events
Merged event ID ranges for UserName field extraction
Updated test cases with new sample data
For more information, see Package veeam/veeamdataplatform Release Notes.
trellix/fireeye-nx has been updated to v1.2.1.
Updated parser schema to v0.3.0
For more information, see Package trellix/fireeye-nx Release Notes.
juniper/srx has been updated to v1.5.0.
Added event severity mapping based on threat severity levels
Added support for rshd command line extraction
Fixed duplicate event.kind assignments in IDP processing
Updated parser to version 3.0.0
Enhanced field mapping with IP address validation before normalization
Improved timestamp parsing with support for both ISO 8601 and BSD syslog timestamp formats
For more information, see Package juniper/srx Release Notes.
dell/isilon has been updated to v1.2.2.
Updated ECS version to 9.1.0
Updated CPS version to 1.1.0
Updated parser version to 1.1.3
Removed timezone specification from parseTimestamp function
Updated test case data with new sample values
For more information, see Package dell/isilon Release Notes.
zscaler/internet-access has been updated to v1.5.4.
Enhanced JSON parsing to handle escaped quotes in nested JSON structures
Added support for complex audit log events with nested preaction and postaction objects
Improved string replacement logic to preserve escaped quotes for proper JSON parsing
Updated parser version to 2.5.4
For more information, see Package zscaler/internet-access Release Notes.
zscaler/private-access has been updated to v1.3.3.
Updated ECS version to 9.1.0
Removed timezone parameter from parseTimestamp function
For more information, see Package zscaler/private-access Release Notes.
infoblox/nios has been updated to v1.3.3.
Removed timezone parameter from parseTimestamp functions to use system default timezone
Updated parser version to 2.2.3
For more information, see Package infoblox/nios Release Notes.
microsoft/sysmon has been updated to v1.1.3.
Updated ECS version to 9.1.0
Removed timezone parameter from parseTimestamp functions for improved timestamp handling
For more information, see Package microsoft/sysmon Release Notes.
infoblox/nios has been updated to v1.4.1.
Fixed DNS answers type field mapping to use proper array notation (dns.answers[0].type instead of dns.answers.type)
Updated parser version to 3.0.1
For more information, see Package infoblox/nios Release Notes.
checkpoint/ngfw has been updated to v2.4.1.
Enhanced event categorization for "Redirect" action to include "denied" event type
Added event.outcome field for "Redirect" action with "success" value
Updated parser version to 3.4.1
For more information, see Package checkpoint/ngfw Release Notes.
fortinet/fortigate has been updated to v1.5.0.
Updated parser version to 4.0.0
Enhanced event categorization and type mapping with comprehensive coverage for all event types
Improved field mapping using coalesce function for better field consolidation
Added threat enrichment fields for UTM events including virus, IPS, and anomaly detection
Enhanced network protocol detection and application layer protocol mapping
Improved client/server field mapping based on connection direction
Added array deduplication for event.category and event.type fields
Enhanced MAC address formatting with colon-to-dash replacement
Improved IP address validation with CIDR filtering
Added comprehensive test cases for SSL, DNS, traffic, and system events
For more information, see Package fortinet/fortigate Release Notes.
juniper/srx has been updated to v1.5.1.
Updated minimum LogScale version requirement to 1.207.0
For more information, see Package juniper/srx Release Notes.
cisco/firepower has been updated to v1.8.0.
Updated parser version to 4.0.0
Added support for multiple syslog header formats including FTD and legacy NGIPS/Sourcefire devices
Added enhanced timestamp parsing with findTimestamp() function for improved date handling
Added message field populated from vendor message content
Added intelligent client/server role detection based on event type, protocol, and port analysis
Added role reversal logic to handle server-initiated connections and reverse proxy scenarios
Added IP address validation using CIDR checks to filter invalid addresses
Added domain field support for non-IP addresses across source, destination, client, and server fields
Added conditional field mappings for network protocols including SIP and DNS
Added DNS record type normalization to standard values (A, AAAA, PTR, MX, CNAME)
Added TLS certificate hash mapping to tls.client.hash.sha1
Added conditional filtering for unknown TLS versions and cipher suites
Added enhanced event categorization with automatic event.type:connection for network tuples
Added array deduplication for event.category[] and event.type[] fields
Changed primary address fields to use source.address and destination.address with IP/domain separation
Changed event outcome logic for connection teardown events based on teardown reason analysis
Changed connection directionality detection to use interface context (inside/outside/DMZ)
Changed user group field to user.group.name for ECS consistency
Changed field coalescing logic to prioritize existing values over vendor-specific fields
Consolidated lowercase operations for address and domain fields
Consolidated interface alias and name field mappings
Fixed field extraction patterns across multiple event types for improved accuracy
Fixed MAC address formatting to use hyphen separators
Fixed source/destination mapping in connection teardown events using interface-based logic
Removed redundant event.type:connection entries from individual event handlers
For more information, see Package cisco/firepower Release Notes.
google/chrome-enterprise-security-events has been updated to v1.2.1.
Updated parser schema to v0.3.0
For more information, see Package google/chrome-enterprise-security-events Release Notes.
zscaler/private-access has been updated to v1.4.0.
Enhanced parser with comprehensive ECS field mappings for all ZPA log types
Added support for app connector metrics logs
Improved field normalization with proper source/destination/client/server mappings
Enhanced network traffic analysis with ingress/egress byte tracking
Added comprehensive event categorization and outcome determination
Improved timestamp handling across all log types
Enhanced user and authentication event processing
Added proper host infrastructure monitoring fields
Improved security inspection rule mapping
Enhanced geographic location tracking for all components
For more information, see Package zscaler/private-access Release Notes.
okta/sso has been updated to v1.4.6.
Updated ECS version to 9.2.0
Enhanced event outcome handling to include UNANSWERED and ABANDONED result types
Added support for additional event types including app.oauth2.token.grant, event_hook.delivery, system.push.send_factor_verify_push, and various system notification events
Improved code formatting and consistency throughout parser
Added new test cases for enhanced coverage
For more information, see Package okta/sso Release Notes.
cisco/firepower has been updated to v1.7.6.
Updated parser version to 3.3.6
Enhanced key-value parsing for events 430001-430007 to better handle UserAgent field extraction
Improved regex pattern to handle complex field values with commas and special characters
For more information, see Package cisco/firepower Release Notes.
nozomi/ids has been updated to v1.4.0.
Updated parser version to 4.0.0
Updated ECS version 9.2.0
Added new field mappings for message, domain, and network protocol fields
Added IP address validation to filter invalid and non-routable addresses
Added array deduplication for event categorization fields
Added enhanced extraction patterns for threat indicators and network entities
Changed event categorization from message-based regex to classification prefix-based logic
Changed severity mapping ranges for better alignment with risk levels
Changed address field logic to support both IP and domain values
Changed observer field handling to distinguish between IPs and hostnames
Consolidated field normalization and lowercase operations
Fixed field name reference issues
Removed redundant message-based categorization patterns
Removed duplicate field assignments
Improved overall parser maintainability and performance
For more information, see Package nozomi/ids Release Notes.
f5networks/bigip has been updated to v3.0.0.
Updated to support RFC 5424 syslog format
Added checks to ensure IPs are valid prior to assignment
Improved parsing around login/logout events
For more information, see Package f5networks/bigip Release Notes.
checkpoint/ngfw has been updated to v2.6.0.
Enhanced originsicname field parsing with key-value extraction for better observer name identification
Added policy ID tag parsing to extract policy name, management server, and date information
Improved rule.ruleset field mapping to include policy name from parsed policy ID tag
Enhanced rule.uuid field mapping to include NAT rule UIDs
Added network.community_id field generation for both ICMP and non-ICMP events
Improved observer.name field mapping with conditional logic for firewall traffic and threat prevention events
Enhanced client/server field identification for application control and URL filtering logs
Updated parser version to 3.6.0
For more information, see Package checkpoint/ngfw Release Notes.
cisco/ios has been updated to v1.7.2.
Updated timestamp parsing to remove hardcoded timezone defaults for better flexibility
Enhanced parser to use system timezone when no timezone is specified
Improved timestamp handling for logs without explicit timezone information
For more information, see Package cisco/ios Release Notes.
nozomi/ids has been updated to v1.3.3.
Updated parser version to 3.0.3
Added new message pattern for cleartext password authentication requests
Enhanced event categorization for network and intrusion detection events
For more information, see Package nozomi/ids Release Notes.
cloudflare/zerotrust has been updated to v2.1.0.
Modified risk score to severity mapping: 1-20 (severity 70), 21-50 (severity 50), 51-80 (severity 30), 81-100 (severity 10)
Updatedparser version to 4.1.0
For more information, see Package cloudflare/zerotrust Release Notes.
microsoft/windows-dns-debug has been updated to v1.3.2.
Updated ECS version to 9.1.0
Removed timezone specification from timestamp parsing
Enhanced parser version to 2.2.2
For more information, see Package microsoft/windows-dns-debug Release Notes.
microsoft/dhcp-client has been updated to v1.1.2.
Updated parser schema to v0.3.0
For more information, see Package microsoft/dhcp-client Release Notes.
cisco/ios has been updated to v1.7.3.
Updated ECS version to 9.1.0
Updated CPS version to 1.1.0
Updated parser version to 2.6.3
Fixed typo in observer.ingress.interface.name field extraction for IGMP events
For more information, see Package cisco/ios Release Notes.
cisco/meraki has been updated to v1.5.3.
Removed timezone parameter from timestamp parsing functions to use system default timezone handling
For more information, see Package cisco/meraki Release Notes.
aws/s3-server-access has been updated to v1.2.2.
Added cloud provider identification with cloud.provider field set to "aws"
Enhanced cloud resource tracking with cloud.target.Resource.type[] and cloud.target.Resource.id[] arrays
Improved cloud resource categorization for S3 buckets
For more information, see Package aws/s3-server-access Release Notes.
zscaler/internet-access has been updated to v2.0.0.
Enhanced IP address and domain handling with improved address field mapping
Added client.* and server.* field mappings for better network visibility
Improved DNS answer field structure using indexed array format
Removed timezone parameter from file modification time parsing
Changed destination.ip to use Vendor.cdip instead of Vendor.sdip for consistency
Improved event.type categorization for file-related events
Added parsing for nested Vendor.category fields
Updated parser version to 3.0.0
For more information, see Package zscaler/internet-access Release Notes.
aws/waf has been updated to v3.0.0.
Enhanced cloud service detection from httpSourceName (CloudFront, API Gateway, ELB)
Added cloud account ID and region extraction from webaclId ARN
Added rule name extraction from webaclId
Improved event outcome mapping (success/failure based on allow/block actions)
Added TLS JA3 fingerprint support
Added URL scheme field mapping
Updated rule.category and rule.ruleset field mappings
Updated ECS version to 9.2.0
Improved code formatting and organization
For more information, see Package aws/waf Release Notes.
aws/waf has been updated to v2.0.0.
Breaking Change: If X-Forwarded-For header is present, normalize the original client IP to source.ip and Vendor.httpRequest.clientIp is now normalied to source.nat.ip.
Improved HTTP header extraction for referrer, host, and user-agent fields
Added URL domain and port parsing from Host header
Updated ECS version to 9.1.0 and CPS version to 1.1.0
For more information, see Package aws/waf Release Notes.
cisco/meraki has been updated to v1.5.4.
Enhanced firewall flow parsing with improved regex pattern for better action extraction
Added support for pattern-based action determination (0/1 and allow/deny patterns)
Improved handling of firewall events with more robust field extraction
For more information, see Package cisco/meraki Release Notes.
checkpoint/ngfw has been updated to v2.5.0.
Enhanced event categorization for network events to include "info" event type
Added support for Application Control product detection via ProductName field
Improved product matching for VPN-1 & FireWall-1 and Firewall products using in() function
Added Anti Malware product categorization with malware event category
Enhanced client/server field mapping for application control, URL filtering, and HTTPS inspection logs
Updated parser version to 3.5.0
For more information, see Package checkpoint/ngfw Release Notes.
fortinet/fortigate has been updated to v2.2.0.
Enhanced event categorization with improved network session and connection type mapping
Added comprehensive event.type array population based on event.action and session context
Improved source and destination address handling with lowercase normalization
Enhanced destination port mapping to include additional vendor fields (Vendor.dpt)
Updated event.action priority logic to handle UTM block actions specifically
Refined network protocol detection and event type classification
Updated parser version to 5.0.0
For more information, see Package fortinet/fortigate Release Notes.
cisco/ise has been updated to v2.0.2.
Enhanced CISE_Profiler event parsing with comprehensive event code support
Added support for profiler event codes 80001-80019 including endpoint collection, SNMP operations, DNS requests, and Edda connector management
Improved event categorization for profiler events with specific outcomes and actions
Updated ECS version to 9.1.0
Updated parser version to 3.0.2
For more information, see Package cisco/ise Release Notes.
zscaler/internet-access has been updated to v2.1.0.
Enhanced firewall event categorization with improved event.type arrays for connection events
Added event.outcome field mapping for web events based on action types
Improved file field handling logic with better conditional checks for filename presence
Updated file.name field to use coalesce function for better fallback handling
Enhanced firewall events with intrusion detection categorization for IPS actions
Enhanced HTTP response status code validation to exclude wildcard and "NA" values
Added event.type arrays for DNS and tunnel events to improve event classification
Updated parser version to 4.0.0
For more information, see Package zscaler/internet-access Release Notes.
zscaler/internet-access has been updated to v1.5.3.
Updated ECS version to 9.1.0
Removed timezone parameter from parseTimestamp function
For more information, see Package zscaler/internet-access Release Notes.
aws/vpcflow has been updated to v1.2.2.
Updated timestamp parsing to remove explicit timezone parameter
Updated parser version to 1.2.2
For more information, see Package aws/vpcflow Release Notes.
nozomi/ids has been updated to v1.3.2.
Updated ECS version to 9.1.0
Updated CPS version to 1.1.0
Updated parser version to 3.0.2
Removed timezone specification from timestamp parsing for MMM dd yyyy HH:mm:ss format
For more information, see Package nozomi/ids Release Notes.
cloudflare/zerotrust has been updated to v2.0.0.
Added support for new datasets: email-security-alerts, browser-isolation, sinkhole-http, warp-changes, ssh, dex-application-tests, dlp-forensic-copies, dns-firewall, workers-trace, dex-device-state, ipsec
Enhanced timestamp parsing with additional timestamp fields (EventTimestampMs, ActionTimestamp)
Added support for SSO action in access-requests dataset
Improved audit event categorization with view action support
Enhanced source address handling with ActorIPAddress support
Updated event outcome logic for audit events to support success/fail patterns
Added comprehensive field mappings for new datasets including process, error, DNS, and network fields
Enhanced email security alerts with attachment processing and threat categorization
Added browser isolation event processing with decision-based outcomes
Implemented workers trace event handling with exception-based outcome determination
Added SSH session tracking with start/end event types
Enhanced DEX application tests with HTTP performance metrics
Added DLP forensic copies processing with rule-based categorization
Implemented DNS firewall event handling with query type and response code processing
Added IPsec event processing with connection status tracking
Enhanced device state monitoring with network and client metrics
Updated parser version to 4.0.0
For more information, see Package cloudflare/zerotrust Release Notes.
checkpoint/ngfw has been updated to v2.4.0.
Added several new field normalizations
Enhanced field organization and grouping for better readability
Improved network protocol detection logic
Fixed event categorization for authentication events (Failed Log In now uses start type)
Added new event categorization patterns for system events
Updated parser version to 3.4.0
For more information, see Package checkpoint/ngfw Release Notes.
infoblox/nios has been updated to v1.3.5.
Enhanced DNS query parsing to support view-specific queries with improved regex pattern
Added support for extracting view information from DNS messages
Fixed network transport protocol normalization to lowercase format
Updated parser version to 2.2.5
For more information, see Package infoblox/nios Release Notes.
radware/alteon has been updated to v1.2.2.
Updated ECS version to 9.1.0
Updated parser version to 1.1.2
Removed timezone parameter from findTimestamp() function calls
For more information, see Package radware/alteon Release Notes.
fortinet/fortigate has been updated to v2.1.0.
Enhanced CEF parsing with improved priority handling and format normalization
Fixed CEF header format by replacing "CEF: 0" with "CEF:0" for proper parsing
Reordered parsing logic to prioritize CEF format detection before syslog priority extraction
Improved source.address field mapping with enhanced coalesce logic to preserve existing values
Updated parser version to 4.2.0
For more information, see Package fortinet/fortigate Release Notes.
fortinet/fortigate has been updated to v2.3.0.
Fixed CEF parsing to handle multiple cat fields without overwriting by renaming ad.cat to ad.ext.cat
Enhanced user field mapping with conditional logic for suser and duser fields
Improved source address parsing for events without designated fields using regex extraction from ui and sproc fields
Added support for additional observer fields including hostname, product, vendor, and version
Enhanced event field mappings with additional coalesce options for event.id, event.reason, and event.action
Added event.start field mapping from Vendor.start
Improved source.domain assignment for non-IP addresses
Updated parser version to 5.1.0
For more information, see Package fortinet/fortigate Release Notes.
cisco/ios has been updated to v1.7.4.
Added support for EEM (Embedded Event Manager) events with new parsing pattern
Enhanced parser to handle EEM event actions and messages
Updated parser version to 2.6.4
For more information, see Package cisco/ios Release Notes.
haproxy/haproxy has been updated to v1.2.2.
Updated ECS version to 9.1.0
Updated CPS version to 1.1.0
Updated parser version to 1.1.3
Removed timezone parameter from parseTimestamp function
For more information, see Package haproxy/haproxy Release Notes.
microsoft/windows-dns-debug has been updated to v1.4.0.
Added support for additional timestamp formats (dd.MM.yyyy HH:mm:ss and yyyy-MM-dd HH:mm:ss AM/PM)
Enhanced field mapping with separate address, IP, and domain fields for client, destination, server, and source
Updated ECS version to 9.2.0 and CPS version to 1.1.0
Improved DNS error message mapping with additional error codes
Enhanced network type detection for IPv6 addresses
Refactored parser logic for better field organization and performance
For more information, see Package microsoft/windows-dns-debug Release Notes.
cisco/firepower has been updated to v1.7.4.
Removed timezone parameter from timestamp parsing functions to use system default timezone handling
Updated parser version to 3.3.4
For more information, see Package cisco/firepower Release Notes.
cisco/ise has been updated to v2.0.4.
Added support for CISE_External_MDM event category with comprehensive event code handling
Enhanced CISE_Passed_Authentications parsing with additional event codes (5236, 5238, 5240)
Improved CISE_Failed_Attempts parsing with new event codes (5402, 5422, 5434, 5416)
Added support for CISE_Administrative_and_Operational_Audit event codes (51025, 60166, 60167, 60069)
Enhanced RADIUS accounting with support for Interim-Update status type
For more information, see Package cisco/ise Release Notes.
netgate/pfsense has been updated to v1.1.3.
Updated minimum LogScale version requirement to 1.207.0
For more information, see Package netgate/pfsense Release Notes.
microsoft/windows-dns-debug has been updated to v1.5.1.
Enhanced timestamp parsing to support additional date format (d/M/yyyy HH:mm:ss)
Improved regex pattern for PACKET log entries to handle multiple timestamp formats
Fixed timestamp parsing for LOOKUP operation logs
Updated parser version to 2.4.1
For more information, see Package microsoft/windows-dns-debug Release Notes.
aws/guardduty has been updated to v1.2.2.
Updated ECS version to 9.2.0
Updated CPS version to 1.1.0
Added removePrefixes="detail." to parseJson function for improved field handling
Updated parser version to 1.3.2
For more information, see Package aws/guardduty Release Notes.
cisco/ise has been updated to v2.0.1.
Fixed timezone handling in timestamp parsing by removing hardcoded timezone parameter
Updated parser version to 3.0.1
For more information, see Package cisco/ise Release Notes.
cisco/ios has been updated to v1.9.1.
Added support for AUTH_PASSED and AUTHENTICATION_FAILED event types for DMI authentication events
Added support for NHRP_NHS_UP, NHRP_NHS_DOWN, and CRYPTO_SS event types for DMVPN tunnel monitoring
Enhanced authentication event parsing with improved source address and port extraction
Updated parser version to 2.9.0
For more information, see Package cisco/ios Release Notes.
trellix/fireeye-nx has been updated to v1.3.0.
Enhanced event categorization with conditional logic based on event class ID
Added dynamic event dataset generation based on vendor event name
Improved source and destination field handling with IP/domain detection
Migrated host fields to observer fields for better ECS compliance
Added network transport and VLAN ID field mappings
Added rule name and URL original field mappings
Updated ECS version to 9.2.0
Updated parser version to 2.0.0
Added timestamp parsing from Vendor.rt field
For more information, see Package trellix/fireeye-nx Release Notes.
fortinet/fortigate has been updated to v2.0.0.
Added CEF (Common Event Format) parsing support for Fortinet logs
Enhanced timestamp parsing with support for CEF header timestamps
Enhanced source and destination address handling with conditional logic for login events
Updated event.action field priority to use Vendor.action first, then Vendor.logdesc, then Vendor.eventtype
Added support for additional source fields including Vendor.spt for source port mapping
Improved URL handling in remip field with proper quoting for complex URLs
Updated parser version to 4.1.0
For more information, see Package fortinet/fortigate Release Notes.