Falcon LogScale 1.224.0 Not Released (2026-01-20)
| Version | Type | Release Date | Availability | End of Support | Security Updates | Upgrades From | Downgrades To | Config. Changes |
|---|---|---|---|---|---|---|---|---|
| 1.224.0 | Not Released | 2026-01-20 | Internal Only | 2027-01-31 | No | 1.150.0 | 1.177.0 | No |
Not released.
Advance Warning
The following items are due to change in a future release.
Security
Starting from LogScale version 1.237, support for insecure ldap connections will be removed. Self-Hosted customers using LDAP will only be able to use ldaps secure connections.
User Interface
From version 1.225.0, LogScale will enforce a new limit of 10 labels that can be added or removed in bulk for assets such as dashboards, actions, alerts and scheduled searches.
Labels will also have a character limit of 60.
Existing assets that violate these newly imposed limits will continue to work until they are updated - users will then be forced to remove or reduce their labels to meet the requirement.
Queries
Due to various upcoming changes to LogScale and the recently introduced regex engine, the following regex features will be removed in version 1.225:
Octal notation
Quantification of unquantifiable constructs
Octal notation is being removed due to logic application difficulties and its tendency to make typographical errors easier to overlook.
Here is an example of a common octal notation issue:
/10\.26.\122\.128/
In this example, \122 is interpreted as the octal escape for R rather than the intended literal 122. Similarly, the . matches not just the punctuation itself but also any single character except for new lines.
Any construction of \x where x is a number from 1 to 9 will always be interpreted as a backreference to a capture group. If the corresponding capture group does not exist, it will be an error.
Quantification of unquantifiable constructs is being removed due to lack of appropriate semantic logic, leading to redundancy and errors.
Unquantifiable constructs being removed include:
^ (the start of string/start of line)
$ (the end of string/end of line)
?= (a positive lookahead)
?! (a negative lookahead)
?<= (a positive lookbehind)
?<! (a negative lookbehind)
\b (a word boundary)
\B (a non-word boundary)
For example, the end-of-text construct $* only has meaning for a limited number of occurrences. There can never be more than one occurrence of the end of the text at any given position, making elements like $ redundant.
A common pitfall that causes this warning is when users copy and paste a glob pattern like *abc* in as a regex, but delimit the regex with start of text and end of text anchors:
/^*abc*$/
The proper configuration should look like this:
/abc/
For more information, see LogScale Regular Expression Engine V2.
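A pre-upgrade check for saved queries and detection rules, as an added example that is not CrowdStrike code: it walks a regex body and reports octal-style escapes, quantifiers attached to the zero-width constructs listed above, and \1 to \9 backreferences with no matching capture group. The names lint_regex and lint_query are hypothetical, and two heuristics are assumptions: escapes of the form \0N or with two or more digits are treated as octal candidates, and regex literals are located as single-line /.../ spans.

```python
import re

DIGITS = re.compile(r"\d+")
QUANT = re.compile(r"[*+?]|\{\d+(?:,\d*)?\}")
LOOKAROUNDS = ("(?<=", "(?<!", "(?=", "(?!")
# Heuristic: a single-line /.../ literal; escaped slashes stay inside the body.
LITERAL = re.compile(r"/((?:\\.|[^/\\\n])+)/")
# Constructed sample query (the first two literals are the page's own examples).
SAMPLE = r"/10\.26.\122\.128/ | /^*abc*$/ | /(?P<ip>\d+)\1/"

def lint_regex(body):
    """Return sorted (offset, message) findings for one regex body."""
    findings, backrefs, stack = [], [], []
    groups, i, in_class = 0, 0, False
    while i < len(body):
        start, ch, zero_width = i, body[i], None
        if ch == "\\" and i + 1 < len(body):
            m = DIGITS.match(body, i + 1)
            if m and (m.group()[0] == "0" or len(m.group()) > 1):
                # Assumption: \0N and multi-digit escapes were read as octal.
                findings.append((start, "octal-style escape \\" + m.group()))
            elif m:  # \1-\9: always a backreference, checked at the end
                backrefs.append((start, int(m.group())))
            elif body[i + 1] in "bB" and not in_class:
                zero_width = body[i:i + 2]
            i = m.end() if m else i + 2
        elif in_class or ch == "[":  # anchors are literals inside [...]
            in_class, i = ch != "]", i + 1
        elif ch in "^$":
            zero_width, i = ch, i + 1
        elif ch == "(":
            look = next((p for p in LOOKAROUNDS if body.startswith(p, i)), None)
            named = body.startswith(("(?<", "(?P<"), i)
            groups += not look and (named or body[i + 1:i + 2] != "?")
            stack.append(look)
            i += len(look) if look else 1
        elif ch == ")":
            opener = stack.pop() if stack else None
            zero_width, i = (opener + "...)" if opener else None), i + 1
        else:
            i += 1
        q = QUANT.match(body, i) if zero_width else None
        if q:
            findings.append((start, f"quantifier {q.group()} on {zero_width}"))
    findings += [(o, f"backreference \\{k} has no group") for o, k in backrefs if k > groups]
    return sorted(findings)

def lint_query(query):  # lint every /.../ literal found in a query string
    return {m.group(1): lint_regex(m.group(1)) for m in LITERAL.finditer(query)}
```

Running lint_query over exported alert, dashboard and scheduled-search queries before moving to 1.225 surfaces detections whose regexes would change meaning or stop compiling.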
Deprecation
Items that have been deprecated and may be removed in a future release.
The following GraphQL APIs are deprecated and will be removed in version 1.225 or later:
In the updateSettings mutation, these input arguments are deprecated:
isPackageDocsMessageDismissed
isDarkModeMessageDismissed
isResizableQueryFieldMessageDismissed
On the UserSettings type, these fields are deprecated:
isPackageDocsMessageDismissed
isDarkModeMessageDismissed
Note
The deprecated input arguments will have no effect, and the deprecated fields will always return true until their removal.
The userId parameter for the updateDashboardToken GraphQL mutation has been deprecated and will be removed in version 1.273.
The EXTRA_KAFKA_CONFIGS_FILE configuration variable has been deprecated and is planned to be removed no earlier than version 1.225.0. For more information, see RN Issue.
rdns() has been deprecated and will be removed in version 1.249. Use reverseDns() as an alternative function.
The Secondary Storage feature is now deprecated and will be removed in LogScale 1.231.0.
The Bucket Storage feature provides superior functionality for storing rarely queried data in cheaper storage while keeping frequently queried data in hot storage (fast and expensive). For more information, see Bucket Storage.
Please contact LogScale support for any concerns about this deprecation.
Behavior Changes
Scripts or environments which make use of these tools should be checked and updated for the new configuration:
Configuration
The environment variable VALIDATE_BLOCK_CRCS_BEFORE_UPLOAD has been removed to guarantee segment validation before uploading segment files to bucket storage. Previously, this environment variable was set to true by default, and users could use it to disable the checking of block CRCs prior to upload.
New features and improvements
API
Added tableType to the filesUsed field in query results from the QueryJobs API to indicate the type and origination of the table being referenced.
Queries
Added support for (?P<X>) syntax for named capturing groups in the LogScale Regular Expression Engine V2. This syntax is functionally equivalent to the existing (?<X>) syntax.
Fixed in this release
Automation and Triggers
Fixed an issue with scheduled searches where schedule changes would only be applied to runs after "now". To achieve this, the GraphQL datatype ScheduledSearch has undergone the following changes:
GraphQL fields lastExecuted and lastTriggered have been deprecated.
GraphQL fields timeOfLastExecution and timeOfLastTrigger have been added.
The new fields contain the actual execution time of the query. The deprecated fields contained the end time of the search interval of the last query that was executed or triggered.
Note
The new fields will only have a different value for scheduled searches running on @timestamp where the parameter searchIntervalOffsetSeconds is set to a value greater than 0.
For more information, see ScheduledSearch.
Known Issues
Storage
For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between PRIMARY_STORAGE_PERCENTAGE and PRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".
This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.
Improvement
Queries
Function names are no longer reserved words in CrowdStrike Query Language (CQL). As a result, adding new functions will not risk accidentally rendering existing queries invalid. Going forward, a word is only interpreted as a function call if it is immediately followed by a starting parenthesis.
For example, the word "test" was previously a reserved word and required to be quoted because it also happens to be the name of a function (test()) - it can now be written without quotes.
For more information, see Appendix D - Reserved Words.
Fleet Management
Fleet Management now performs a staged rollout of collector version updates within groups to prevent simultaneous updates of all collectors.
Other
The "The http server closed the connection unexpectedly" message now appears at the informational level instead of the error level, as this is expected behavior if any requests fail to complete quickly during shutdown.
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
infoblox/nios has been updated to v1.4.0.
Enhanced DHCP parsing with support for BOOTREPLY, BOOTREQUEST, ICMP, and NOT FREE events
Added support for password_expired and logout authentication events in audit logs
Improved field mapping with client.address and server.address normalization
Added transaction.id field mapping for DHCP events
Enhanced DNS parsing with timeout resolution support
Updated parser version to 3.0.0
For more information, see Package infoblox/nios Release Notes.
aws/vpcflow has been updated to v1.3.0.
Enhanced IP address validation using CIDR function for source and destination fields
Added network transport protocol mapping based on IANA numbers
Improved event action normalization to lowercase format
Updated ECS version to 9.2.0 and CPS version to 1.1.0
Enhanced CSV header detection with improved regex pattern
For more information, see Package aws/vpcflow Release Notes.
aruba/clearpass has been updated to v1.4.0.
Updated ECS version to 9.2.0 and parser version to 3.0.0
Enhanced field mapping with improved address handling using client.address, source.address, and server.address fields
Improved MAC address formatting with dash separators and uppercase conversion
Changed event.id to event.code for better ECS compliance
Enhanced observer IP handling with array support
Improved address validation with CIDR checking and domain/IP separation
Fixed AD/LDAP event outcome mapping from success to failure
Enhanced event type mapping for authentication requests and file transfer operations
Removed redundant array drops for better performance
For more information, see Package aruba/clearpass Release Notes.
cisco/ios has been updated to v1.9.0.
Breaking Change: Fixed server.domain field assignment typo
Potentially Breaking Change: Improved ACCOUNTING event parsing with key-value extraction for better field normalization
Potentially Breaking Change: Improved network transport protocol normalization to lowercase
Enhanced regex patterns to support alphanumeric severity codes (A-Z0-7) for broader log format compatibility
Added new timestamp format support for logs with year prefix (yyyy MMM dd HH:mm:ss)
Added severity code remapping values to standard numeric codes
Enhanced SYSTEM_MSG event parsing with support for authentication failures, file errors, and general error messages
Added support for ENCRYPTED, ELEMENT_CRITICAL, FAIL_CONFIG, and NATIVE_VLAN_MISMATCH event types
Updated parser version to 2.8.0
For more information, see Package cisco/ios Release Notes.
aws/waf has been updated to v3.0.0.
Enhanced cloud service detection from httpSourceName (CloudFront, API Gateway, ELB)
Added cloud account ID and region extraction from webaclId ARN
Added rule name extraction from webaclId
Improved event outcome mapping (success/failure based on allow/block actions)
Added TLS JA3 fingerprint support
Added URL scheme field mapping
Updated rule.category and rule.ruleset field mappings
Updated ECS version to 9.2.0
Improved code formatting and organization
For more information, see Package aws/waf Release Notes.
akamai/asec has been updated to v1.2.0.
Enhanced parser with comprehensive field extraction and decoding capabilities
Added support for HTTP request and response header parsing
Implemented advanced categorization logic based on WAF actions and response codes
Added geolocation and network type detection for IPv4 and IPv6 addresses
Enhanced rule field mappings with decoded attack data
Improved TLS version parsing and HTTP/2 protocol detection
Updated ECS version to 9.2.0 and CPS version to 1.1.0
Added user agent extraction and network bytes calculation
For more information, see Package akamai/asec Release Notes.
fortinet/fortigate has been updated to v2.3.0.
Fixed CEF parsing to handle multiple cat fields without overwriting by renaming ad.cat to ad.ext.cat
Enhanced user field mapping with conditional logic for suser and duser fields
Improved source address parsing for events without designated fields using regex extraction from ui and sproc fields
Added support for additional observer fields including hostname, product, vendor, and version
Enhanced event field mappings with additional coalesce options for event.id, event.reason, and event.action
Added event.start field mapping from Vendor.start
Improved source.domain assignment for non-IP addresses
Updated parser version to 5.1.0
For more information, see Package fortinet/fortigate Release Notes.
palo-alto/prisma-sd-wan has been updated to v1.3.0.
Updated parser version to 3.0.0 with enhanced field mapping and categorization
Improved ECS compliance with version 9.2.0 and CPS version 1.1.0
Enhanced event categorization with dynamic array-based event.category and event.type fields
Added comprehensive IP address validation using CIDR functions
Improved zbfw_classification_rules parsing with JSON structure support
Enhanced authentication failure detection and message parsing
Added client/server field mappings for non-flow events
Improved event outcome determination based on various conditions
Enhanced regex patterns for better log parsing accuracy
Added support for multiple authentication scenarios and connection events
For more information, see Package palo-alto/prisma-sd-wan Release Notes.
microsoft/dhcp-client has been updated to v1.1.3.
Updated parser version to 1.2.0
Enhanced ECS version to 9.2.0
Updated CPS version to 1.1.0
Added comprehensive event categorization using array:append
Implemented event severity mapping based on Windows event levels
Added error field mappings for error codes and messages
Enhanced host field mappings with hostname normalization
Added source and client field mappings for DHCP client identification
Implemented IP address validation and filtering
Added process thread ID mapping
Removed deprecated windows-dhcpclient.yaml parser file
Updated minimum LogScale version requirement to 1.207.0
For more information, see Package microsoft/dhcp-client Release Notes.