Falcon LogScale 1.226.0 Not Released (2026-02-03)

Version?Type?Release Date?Availability?End of SupportSecurity UpdatesUpgrades From?Downgrades To?Config. Changes?
1.226.0Not Released2026-02-03

Internal Only

2027-02-28No1.150.01.177.0No

Not released.

Advance Warning

The following items are due to change in a future release.

  • Security

    • Starting from LogScale version 1.237, support for insecure ldap connections will be removed. Self-Hosted customers using LDAP will only be able to use ldaps secure connections.

Deprecation

Items that have been deprecated and may be removed in a future release.

  • The userId parameter for the updateDashboardToken GraphQL mutation has been deprecated and will be removed in version 1.273.

  • rdns() has been deprecated and will be removed in version 1.249. Use reverseDns() as an alternative function.

  • The Secondary Storage feature is now deprecated and will be removed in LogScale 1.231.0.

    The Bucket Storage feature provides superior functionality for storing rarely queried data in cheaper storage while keeping frequently queried data in hot storage (fast and expensive). For more information, see Bucket Storage.

    Please contact LogScale support for any concerns about this deprecation.

Known Issues

  • Storage

    • For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between PRIMARY_STORAGE_PERCENTAGE and PRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".

      This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.

Recent Package Updates

The following LogScale packages have been updated within the last month.

  • Package Changes

    • infoblox/nios has been updated to v1.4.0.

      • Enhanced DHCP parsing with support for BOOTREPLY, BOOTREQUEST, ICMP, and NOT FREE events

      • Added support for password_expired and logout authentication events in audit logs

      • Improved field mapping with client.address and server.address normalization

      • Added transaction.id field mapping for DHCP events

      • Enhanced DNS parsing with timeout resolution support

      • Updated parser version to 3.0.0

      For more information, see Package infoblox/nios Release Notes.

    • aws/vpcflow has been updated to v1.3.0.

      • Enhanced IP address validation using CIDR function for source and destination fields

      • Added network transport protocol mapping based on IANA numbers

      • Improved event action normalization to lowercase format

      • Updated ECS version to 9.2.0 and CPS version to 1.1.0

      • Enhanced CSV header detection with improved regex pattern

      For more information, see Package aws/vpcflow Release Notes.

    • cisco/meraki has been updated to v2.0.0.

      • Enhanced IP and address normalization with proper CIDR validation

      • Improved network protocol handling with tcp/ip normalization to network.transport

      • Added support for l7_firewall events with proper categorization

      • Enhanced IDS alert processing with decision-based event outcomes

      • Improved field mapping for client.domain and host.hostname with lowercase normalization

      • Added destination.mac field mapping from vendor fields

      • Updated event.type arrays to remove redundant "info" entries for cleaner categorization

      • Fixed temporary variable naming conflicts by prefixing with underscore

      • Enhanced file scanning events with proper category and type assignments

      For more information, see Package cisco/meraki Release Notes.

    • cisco/umbrella has been updated to v1.4.2.

      • Updated parser version to 3.0.2

      • Enhanced source.address field mapping to use external_client_ip as fallback when internal_client_ip is not available

      For more information, see Package cisco/umbrella Release Notes.

    • infoblox/nios has been updated to v1.4.1.

      • Fixed DNS answers type field mapping to use proper array notation (dns.answers[0].type instead of dns.answers.type)

      • Updated parser version to 3.0.1

      For more information, see Package infoblox/nios Release Notes.

    • checkpoint/ngfw has been updated to v2.6.0.

      • Enhanced originsicname field parsing with key-value extraction for better observer name identification

      • Added policy ID tag parsing to extract policy name, management server, and date information

      • Improved rule.ruleset field mapping to include policy name from parsed policy ID tag

      • Enhanced rule.uuid field mapping to include NAT rule UIDs

      • Added network.community_id field generation for both ICMP and non-ICMP events

      • Improved observer.name field mapping with conditional logic for firewall traffic and threat prevention events

      • Enhanced client/server field identification for application control and URL filtering logs

      • Updated parser version to 3.6.0

      For more information, see Package checkpoint/ngfw Release Notes.

    • aruba/clearpass has been updated to v1.4.0.

      • Updated ECS version to 9.2.0 and parser version to 3.0.0

      • Enhanced field mapping with improved address handling using client.address, source.address, and server.address fields

      • Improved MAC address formatting with dash separators and uppercase conversion

      • Changed event.id to event.code for better ECS compliance

      • Enhanced observer IP handling with array support

      • Improved address validation with CIDR checking and domain/IP separation

      • Fixed AD/LDAP event outcome mapping from success to failure

      • Enhanced event type mapping for authentication requests and file transfer operations

      • Removed redundant array drops for better performance

      For more information, see Package aruba/clearpass Release Notes.

    • cisco/ios has been updated to v1.9.0.

      • Breaking Change: Fixed server.domain field assignment typo

      • Potentially Breaking Change: Improved ACCOUNTING event parsing with key-value extraction for better field normalization

      • Potentially Breaking Change: Improved network transport protocol normalization to lowercase

      • Enhanced regex patterns to support alphanumeric severity codes (A-Z0-7) for broader log format compatibility

      • Added new timestamp format support for logs with year prefix (yyyy MMM dd HH:mm:ss)

      • Added severity code remapping values to standard numeric codes

      • Enhanced SYSTEM_MSG event parsing with support for authentication failures, file errors, and general error messages

      • Added support for ENCRYPTED, ELEMENT_CRITICAL, FAIL_CONFIG, and NATIVE_VLAN_MISMATCH event types

      • Updated parser version to 2.8.0

      For more information, see Package cisco/ios Release Notes.

    • aws/waf has been updated to v3.0.0.

      • Enhanced cloud service detection from httpSourceName (CloudFront, API Gateway, ELB)

      • Added cloud account ID and region extraction from webaclId ARN

      • Added rule name extraction from webaclId

      • Improved event outcome mapping (success/failure based on allow/block actions)

      • Added TLS JA3 fingerprint support

      • Added URL scheme field mapping

      • Updated rule.category and rule.ruleset field mappings

      • Updated ECS version to 9.2.0

      • Improved code formatting and organization

      For more information, see Package aws/waf Release Notes.

    • akamai/asec has been updated to v1.2.0.

      • Enhanced parser with comprehensive field extraction and decoding capabilities

      • Added support for HTTP request and response header parsing

      • Implemented advanced categorization logic based on WAF actions and response codes

      • Added geolocation and network type detection for IPv4 and IPv6 addresses

      • Enhanced rule field mappings with decoded attack data

      • Improved TLS version parsing and HTTP/2 protocol detection

      • Updated ECS version to 9.2.0 and CPS version to 1.1.0

      • Added user agent extraction and network bytes calculation

      For more information, see Package akamai/asec Release Notes.

    • fortinet/fortigate has been updated to v2.3.0.

      • Fixed CEF parsing to handle multiple cat fields without overwriting by renaming ad.cat to ad.ext.cat

      • Enhanced user field mapping with conditional logic for suser and duser fields

      • Improved source address parsing for events without designated fields using regex extraction from ui and sproc fields

      • Added support for additional observer fields including hostname, product, vendor, and version

      • Enhanced event field mappings with additional coalesce options for event.id, event.reason, and event.action

      • Added event.start field mapping from Vendor.start

      • Improved source.domain assignment for non-IP addresses

      • Updated parser version to 5.1.0

      For more information, see Package fortinet/fortigate Release Notes.

    • palo-alto/prisma-sd-wan has been updated to v1.3.0.

      • Updated parser version to 3.0.0 with enhanced field mapping and categorization

      • Improved ECS compliance with version 9.2.0 and CPS version 1.1.0

      • Enhanced event categorization with dynamic array-based event.category and event.type fields

      • Added comprehensive IP address validation using CIDR functions

      • Improved zbfw_classification_rules parsing with JSON structure support

      • Enhanced authentication failure detection and message parsing

      • Added client/server field mappings for non-flow events

      • Improved event outcome determination based on various conditions

      • Enhanced regex patterns for better log parsing accuracy

      • Added support for multiple authentication scenarios and connection events

      For more information, see Package palo-alto/prisma-sd-wan Release Notes.

    • cisco/ise has been updated to v2.0.4.

      • Added support for CISE_External_MDM event category with comprehensive event code handling

      • Enhanced CISE_Passed_Authentications parsing with additional event codes (5236, 5238, 5240)

      • Improved CISE_Failed_Attempts parsing with new event codes (5402, 5422, 5434, 5416)

      • Added support for CISE_Administrative_and_Operational_Audit event codes (51025, 60166, 60167, 60069)

      • Enhanced RADIUS accounting with support for Interim-Update status type

      For more information, see Package cisco/ise Release Notes.

    • trellix/fireeye-nx has been updated to v1.3.0.

      • Enhanced event categorization with conditional logic based on event class ID

      • Added dynamic event dataset generation based on vendor event name

      • Improved source and destination field handling with IP/domain detection

      • Migrated host fields to observer fields for better ECS compliance

      • Added network transport and VLAN ID field mappings

      • Added rule name and URL original field mappings

      • Updated ECS version to 9.2.0

      • Updated parser version to 2.0.0

      • Added timestamp parsing from Vendor.rt field

      For more information, see Package trellix/fireeye-nx Release Notes.

    • microsoft/dhcp-client has been updated to v1.1.3.

      • Updated parser version to 1.2.0

      • Enhanced ECS version to 9.2.0

      • Updated CPS version to 1.1.0

      • Added comprehensive event categorization using array:append

      • Implemented event severity mapping based on Windows event levels

      • Added error field mappings for error codes and messages

      • Enhanced host field mappings with hostname normalization

      • Added source and client field mappings for DHCP client identification

      • Implemented IP address validation and filtering

      • Added process thread ID mapping

      • Removed deprecated windows-dhcpclient.yaml parser file

      • Updated minimum LogScale version requirement to 1.207.0

      For more information, see Package microsoft/dhcp-client Release Notes.