Falcon LogScale 1.225.0 Not Released (2026-01-27)

  • Version: 1.225.0
  • Type: Not Released
  • Release Date: 2026-01-27
  • Availability: Internal Only
  • End of Support: 2027-01-31
  • Security Updates: No
  • Upgrades From: 1.150.0
  • Downgrades To: 1.177.0
  • Config. Changes: No

Advance Warning

The following items are due to change in a future release.

  • Security

    • Starting from LogScale version 1.237, support for insecure LDAP connections will be removed. Self-hosted customers using LDAP will only be able to use secure ldaps connections.

Deprecation

Items that have been deprecated and may be removed in a future release.

  • The following GraphQL APIs are deprecated and will be removed in version 1.225 or later:

    In the updateSettings mutation, these input arguments are deprecated:

    • isPackageDocsMessageDismissed

    • isDarkModeMessageDismissed

    • isResizableQueryFieldMessageDismissed

    On the UserSettings type, these fields are deprecated:

    • isPackageDocsMessageDismissed

    • isDarkModeMessageDismissed

    Note

    The deprecated input arguments will have no effect, and the deprecated fields will always return true until their removal.

  • The userId parameter for the updateDashboardToken GraphQL mutation has been deprecated and will be removed in version 1.273.

  • rdns() has been deprecated and will be removed in version 1.249. Use reverseDns() as an alternative function.

  • The Secondary Storage feature is now deprecated and will be removed in LogScale 1.231.0.

    The Bucket Storage feature provides superior functionality for storing rarely queried data in cheaper storage while keeping frequently queried data in hot storage (fast and expensive). For more information, see Bucket Storage.

    Please contact LogScale support for any concerns about this deprecation.

Behavior Changes

Scripts or environments that make use of these tools should be checked and updated for the new configuration:

  • Storage

    • Revised bucket transfer priority to the following, in descending order:

      1. Segment uploads transferred to bucket storage for replication

      2. Lookup file uploads transferred to bucket storage for replication

      3. Downloads of minisegments for queries

      4. Downloads of other segments for queries

      5. Segment uploads for disaster recovery migration

      6. Segment downloads for background operations

Upgrades

Changes that may occur or be required during an upgrade.

  • Installation and Deployment

    • Upgraded LogScale's bundled Java Development Kit (JDK) to version 25.0.2, resolving the Transparent Huge Pages (THP) issue mentioned in release 1.213.0 (see RN Issue), where systems configured with THP mode as madvise did not enable huge pages when running with the default garbage collector.

Fixed in this release

  • Storage

    • Fixed an issue with task cancellation in the node-to-node segment fetcher that could cause a terminating node to drop a copy of the segment file it was fetching.

    • Fixed an issue where nodes could enter a repeated download and deletion loop of the same segment due to over-replication.

Known Issues

  • Storage

    • For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between PRIMARY_STORAGE_PERCENTAGE and PRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".

      This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.

Improvement

  • Queries

    • Optimized performance for Regular Expression Engine v2 regarding zero-or-more repetitions of single character regex matches at the start of regexes. For example, regexes such as /.*foo/ now complete more quickly, including when compared to the previous engine.

Recent Package Updates

The following LogScale packages have been updated within the last month.

  • Package Changes

    • infoblox/nios has been updated to v1.4.0.

      • Enhanced DHCP parsing with support for BOOTREPLY, BOOTREQUEST, ICMP, and NOT FREE events

      • Added support for password_expired and logout authentication events in audit logs

      • Improved field mapping with client.address and server.address normalization

      • Added transaction.id field mapping for DHCP events

      • Enhanced DNS parsing with timeout resolution support

      • Updated parser version to 3.0.0

      For more information, see Package infoblox/nios Release Notes.

    • aws/vpcflow has been updated to v1.3.0.

      • Enhanced IP address validation using CIDR function for source and destination fields

      • Added network transport protocol mapping based on IANA numbers

      • Improved event action normalization to lowercase format

      • Updated ECS version to 9.2.0 and CPS version to 1.1.0

      • Enhanced CSV header detection with improved regex pattern

      For more information, see Package aws/vpcflow Release Notes.

    • cisco/umbrella has been updated to v1.4.2.

      • Updated parser version to 3.0.2

      • Enhanced source.address field mapping to use external_client_ip as fallback when internal_client_ip is not available

      For more information, see Package cisco/umbrella Release Notes.

    • aruba/clearpass has been updated to v1.4.0.

      • Updated ECS version to 9.2.0 and parser version to 3.0.0

      • Enhanced field mapping with improved address handling using client.address, source.address, and server.address fields

      • Improved MAC address formatting with dash separators and uppercase conversion

      • Changed event.id to event.code for better ECS compliance

      • Enhanced observer IP handling with array support

      • Improved address validation with CIDR checking and domain/IP separation

      • Fixed AD/LDAP event outcome mapping from success to failure

      • Enhanced event type mapping for authentication requests and file transfer operations

      • Removed redundant array drops for better performance

      For more information, see Package aruba/clearpass Release Notes.

    • cisco/ios has been updated to v1.9.0.

      • Breaking Change: Fixed server.domain field assignment typo

      • Potentially Breaking Change: Improved ACCOUNTING event parsing with key-value extraction for better field normalization

      • Potentially Breaking Change: Improved network transport protocol normalization to lowercase

      • Enhanced regex patterns to support alphanumeric severity codes (A-Z0-7) for broader log format compatibility

      • Added new timestamp format support for logs with year prefix (yyyy MMM dd HH:mm:ss)

      • Added severity code remapping values to standard numeric codes

      • Enhanced SYSTEM_MSG event parsing with support for authentication failures, file errors, and general error messages

      • Added support for ENCRYPTED, ELEMENT_CRITICAL, FAIL_CONFIG, and NATIVE_VLAN_MISMATCH event types

      • Updated parser version to 2.8.0

      For more information, see Package cisco/ios Release Notes.

    • aws/waf has been updated to v3.0.0.

      • Enhanced cloud service detection from httpSourceName (CloudFront, API Gateway, ELB)

      • Added cloud account ID and region extraction from webaclId ARN

      • Added rule name extraction from webaclId

      • Improved event outcome mapping (success/failure based on allow/block actions)

      • Added TLS JA3 fingerprint support

      • Added URL scheme field mapping

      • Updated rule.category and rule.ruleset field mappings

      • Updated ECS version to 9.2.0

      • Improved code formatting and organization

      For more information, see Package aws/waf Release Notes.

    • akamai/asec has been updated to v1.2.0.

      • Enhanced parser with comprehensive field extraction and decoding capabilities

      • Added support for HTTP request and response header parsing

      • Implemented advanced categorization logic based on WAF actions and response codes

      • Added geolocation and network type detection for IPv4 and IPv6 addresses

      • Enhanced rule field mappings with decoded attack data

      • Improved TLS version parsing and HTTP/2 protocol detection

      • Updated ECS version to 9.2.0 and CPS version to 1.1.0

      • Added user agent extraction and network bytes calculation

      For more information, see Package akamai/asec Release Notes.

    • fortinet/fortigate has been updated to v2.3.0.

      • Fixed CEF parsing to handle multiple cat fields without overwriting by renaming ad.cat to ad.ext.cat

      • Enhanced user field mapping with conditional logic for suser and duser fields

      • Improved source address parsing for events without designated fields using regex extraction from ui and sproc fields

      • Added support for additional observer fields including hostname, product, vendor, and version

      • Enhanced event field mappings with additional coalesce options for event.id, event.reason, and event.action

      • Added event.start field mapping from Vendor.start

      • Improved source.domain assignment for non-IP addresses

      • Updated parser version to 5.1.0

      For more information, see Package fortinet/fortigate Release Notes.

    • palo-alto/prisma-sd-wan has been updated to v1.3.0.

      • Updated parser version to 3.0.0 with enhanced field mapping and categorization

      • Improved ECS compliance with version 9.2.0 and CPS version 1.1.0

      • Enhanced event categorization with dynamic array-based event.category and event.type fields

      • Added comprehensive IP address validation using CIDR functions

      • Improved zbfw_classification_rules parsing with JSON structure support

      • Enhanced authentication failure detection and message parsing

      • Added client/server field mappings for non-flow events

      • Improved event outcome determination based on various conditions

      • Enhanced regex patterns for better log parsing accuracy

      • Added support for multiple authentication scenarios and connection events

      For more information, see Package palo-alto/prisma-sd-wan Release Notes.

    • trellix/fireeye-nx has been updated to v1.3.0.

      • Enhanced event categorization with conditional logic based on event class ID

      • Added dynamic event dataset generation based on vendor event name

      • Improved source and destination field handling with IP/domain detection

      • Migrated host fields to observer fields for better ECS compliance

      • Added network transport and VLAN ID field mappings

      • Added rule name and URL original field mappings

      • Updated ECS version to 9.2.0

      • Updated parser version to 2.0.0

      • Added timestamp parsing from Vendor.rt field

      For more information, see Package trellix/fireeye-nx Release Notes.

    • microsoft/dhcp-client has been updated to v1.1.3.

      • Updated parser version to 1.2.0

      • Enhanced ECS version to 9.2.0

      • Updated CPS version to 1.1.0

      • Added comprehensive event categorization using array:append

      • Implemented event severity mapping based on Windows event levels

      • Added error field mappings for error codes and messages

      • Enhanced host field mappings with hostname normalization

      • Added source and client field mappings for DHCP client identification

      • Implemented IP address validation and filtering

      • Added process thread ID mapping

      • Removed deprecated windows-dhcpclient.yaml parser file

      • Updated minimum LogScale version requirement to 1.207.0

      For more information, see Package microsoft/dhcp-client Release Notes.