Falcon LogScale 1.228.0 Not Released (2026-02-17)

Version: 1.228.0
Type: Not Released
Release Date: 2026-02-17
Availability: Internal Only
End of Support: 2027-02-28
Security Updates: No
Upgrades From: 1.150.0
Downgrades To: 1.177.0
Config. Changes: No

Not released.

Advance Warning

The following items are due to change in a future release.

  • Security

    • Starting from LogScale version 1.237, support for insecure LDAP connections will be removed. Self-hosted customers using LDAP will only be able to use secure LDAPS connections.

Removed

Items that have been removed as of this release.

GraphQL API

  • The following fields for the GraphQL mutation ViewInteractionEntry have been removed:

    • id

    • interaction

    • packageId

    • package

    • view

    Use the GraphQL datatype viewInteraction instead; it provides access to view interaction data via a stable API surface.

Deprecation

Items that have been deprecated and may be removed in a future release.

  • The userId parameter for the updateDashboardToken GraphQL mutation has been deprecated and will be removed in version 1.273.

  • rdns() has been deprecated and will be removed in version 1.249. Use reverseDns() as an alternative function.

  • The Secondary Storage feature is now deprecated and will be removed in LogScale 1.231.0.

    The Bucket Storage feature provides superior functionality for storing rarely queried data in cheaper storage while keeping frequently queried data in hot storage (fast and expensive). For more information, see Bucket Storage.

    Please contact LogScale support for any concerns about this deprecation.

New features and improvements

  • User Interface

    • The Search web interface has a new layout design and tab grouping for an overall improved user experience. The update includes:

      • Widget Selector now repositioned as a display tab next to the Source Events list

      • Source Events tab that lists all filtered events

      • Table tabs new layout

      • Named prefix Events tabs now with dropdown selectors for multiple items

      • Tool Panel controlling the event display options now repositioned on top of events and results, next to the tabs

      • Enhanced field statistics with improved performance through the new Sample more button

      No action is required: users will automatically see the new design when searching.

      For more information, see Choose Visualization, Display Results and Events, Display Fields.

  • Configuration

    • Introduced new environment variables to configure the Netty HTTP client, specifically for bucket operations.

      When the value of S3_NETTY_CLIENT is true, the following environment variables are available:

      • S3_NETTY_READ_TIMEOUT_SECONDS: the time to wait for a read on a socket before an exception is thrown. The default value is 120 seconds.

      • S3_NETTY_WRITE_TIMEOUT_SECONDS: the time to wait for a write on a socket before an exception is thrown. The default value is 30 seconds.

  • Dashboards and Widgets

    • Enhanced Schedule PDF Reports behavior:

      • If a report times out more times than the value set in SCHEDULED_REPORT_MAX_RETRY_ATTEMPTS (default is 5), the report is automatically disabled.

      • When a report is disabled for any reason (timeouts or specific errors), an email notification is sent to the intended report recipient.

Fixed in this release

  • Security

    • Fixed an issue with JSON Web Token (JWT) authentication, where simultaneous user creation requests across different nodes would fail with the error message User already exists. Now when authenticating with LogScale using a JWT, if the username specified in the token for the user claim does not exist, the user is created automatically; the process is also self-correcting to avoid similar errors in the future.

    • System and organization API tokens could not be used for certain view-related routes, even when the tokens contained the necessary permissions. This issue has now been fixed.

  • User Interface

    • The following issues with table drilldown links have been fixed:

      • The table drilldown links for a groupBy() function would not always use a regex for values containing *.

      • The table drilldown links for a groupBy() function would use escape quotes twice in certain cases.
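The two drilldown defects above are both escaping mistakes. The following added example (not LogScale's own code; the `field = "glob"` and `field = /regex/` syntax and the escaping rules are assumptions for illustration) builds a drilldown filter that quotes a value exactly once and switches to an anchored regex when the value contains `*`, with the double-escaping variant kept beside it for contrast:

```python
import re

# Regex metacharacters that must be escaped once inside /.../ so the
# drilldown matches the value literally (assumed Java-style regex syntax).
_REGEX_META = re.compile(r'[\\.^$|?*+()\[\]{}/]')


def _quote_once(value: str) -> str:
    """Escape backslashes and double quotes exactly once for a quoted string."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def drilldown_filter(field: str, value: str) -> str:
    """Build the filter expression a table drilldown link should carry.

    Assumed semantics: field = "text" is a glob match where * is a wildcard,
    field = /regex/ is a regex match. A literal * therefore needs the regex form.
    """
    if "*" in value:
        # A quoted string would turn * into a wildcard and over-match, so use
        # an anchored regex with every metacharacter escaped exactly once.
        escaped = _REGEX_META.sub(lambda m: "\\" + m.group(0), value)
        return f"{field} = /^{escaped}$/"
    return f'{field} = "{_quote_once(value)}"'


def buggy_drilldown_filter(field: str, value: str) -> str:
    """The pre-fix behaviour described in the notes: the value is always put in
    a quoted string (so * stays a wildcard) and the quoting step runs twice,
    producing \\\\\\" where a single \\" was meant."""
    return f'{field} = "{_quote_once(_quote_once(value))}"'


if __name__ == "__main__":
    for field, value in (("host", 'web"1'), ("path", "/tmp/a*")):
        print(buggy_drilldown_filter(field, value), "->", drilldown_filter(field, value))
```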

  • Automation and Triggers

    • Fixed an issue where parameters set by the user during the creation of Schedule PDF Reports were sometimes not saved. To minimize disruption to the user, reports that used default dashboard values for parameters will not require any change; such reports will generate using default values.

  • Storage

    • An error log stating Unexpected normal segment in segments missed by coordinator was displayed when a view was being restored from deletion. This issue has now been fixed.

    • Events containing the ASCII character \NUL in field values could be stored in a corrupted format, and blocks containing such events may have been corrupt as well: as a consequence, such fields may have contained incorrect values when displayed or filtered. This issue has now been fixed.

  • API

    • An issue has been fixed in how nextRunInterval is applied to subqueries: when cacheHint is supplied for a query, it is now correctly propagated to subqueries (for example, in queries using the defineTable() function).

  • Ingestion

    • Fixed an issue where Amazon Simple Queue Service (SQS) permissions problems were not appearing in the activity log for ingest feeds.

  • Queries

    • Fixed an issue where using the like operator in a query would sometimes cause the query to malfunction and return no results in the Event List.

Known Issues

  • Storage

    • For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between PRIMARY_STORAGE_PERCENTAGE and PRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".

      This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.

Improvement

  • Installation and Deployment

    • Improved Indicator of Compromise (IoC) service efficiency by preventing unnecessary full downloads from the remote IoC server or CrowdStrike API when data is already present in the cluster.

  • Auditing and Monitoring

    • Added logging for topic-level configurations to KafkaStatusLoggerJob.

Recent Package Updates

The following LogScale packages have been updated within the last month.

  • Package Changes

    • aws/vpcflow has been updated to v1.3.0.

      • Enhanced IP address validation using CIDR function for source and destination fields

      • Added network transport protocol mapping based on IANA numbers

      • Improved event action normalization to lowercase format

      • Updated ECS version to 9.2.0 and CPS version to 1.1.0

      • Enhanced CSV header detection with improved regex pattern

      For more information, see Package aws/vpcflow Release Notes.
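The aws/vpcflow changes above describe three normalization steps: CIDR-based validation of the source and destination addresses, mapping the numeric protocol to a transport name via the IANA registry, and lowercasing the action. The following is an added Python example that mirrors those steps on constructed flow-log lines; it is not the package's own parser (which is written in LogScale's query language), and the default v2 field order and the registry subset are assumptions:

```python
import ipaddress

# Default VPC Flow Log v2 field order, space separated (assumed for this example).
VPCFLOW_FIELDS = ("version", "account-id", "interface-id", "srcaddr", "dstaddr",
                  "srcport", "dstport", "protocol", "packets", "bytes",
                  "start", "end", "action", "log-status")

# Small subset of the IANA protocol-number registry used for the mapping.
IANA_PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre", 50: "esp", 58: "ipv6-icmp"}

# Constructed sample records; '-' is how flow logs mark an absent value.
SAMPLE_LINES = [
    "2 123456789012 eni-0a1b2c3d 10.0.0.5 203.0.113.9 443 51234 6 10 840 "
    "1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA",
]


def valid_ip(value: str):
    """Return the address if it parses as IPv4/IPv6, else None.

    This is the CIDR-style validation from the notes: a value is kept only if it
    falls inside 0.0.0.0/0 or ::/0, which rejects '-' and malformed strings.
    """
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return None
    universe = (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0"))
    return str(addr) if any(addr in net for net in universe) else None


def normalize_vpcflow_line(line: str) -> dict:
    """Map one flow-log line to ECS-style fields, dropping invalid values."""
    raw = dict(zip(VPCFLOW_FIELDS, line.split()))
    ecs = {}
    for src, dst in (("srcaddr", "source.ip"), ("dstaddr", "destination.ip")):
        ip = valid_ip(raw.get(src, ""))
        if ip is not None:
            ecs[dst] = ip
    if raw.get("protocol", "-").isdigit():
        number = int(raw["protocol"])
        # Unknown numbers keep their numeric value so nothing is silently lost.
        ecs["network.transport"] = IANA_PROTOCOLS.get(number, str(number))
        ecs["network.iana_number"] = number
    if raw.get("action", "-") != "-":
        ecs["event.action"] = raw["action"].lower()
    return ecs


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(normalize_vpcflow_line(line))
```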

    • cisco/meraki has been updated to v2.0.0.

      • Enhanced IP and address normalization with proper CIDR validation

      • Improved network protocol handling with tcp/ip normalization to network.transport

      • Added support for l7_firewall events with proper categorization

      • Enhanced IDS alert processing with decision-based event outcomes

      • Improved field mapping for client.domain and host.hostname with lowercase normalization

      • Added destination.mac field mapping from vendor fields

      • Updated event.type arrays to remove redundant "info" entries for cleaner categorization

      • Fixed temporary variable naming conflicts by prefixing with underscore

      • Enhanced file scanning events with proper category and type assignments

      For more information, see Package cisco/meraki Release Notes.

    • cisco/umbrella has been updated to v1.4.2.

      • Updated parser version to 3.0.2

      • Enhanced source.address field mapping to use external_client_ip as fallback when internal_client_ip is not available

      For more information, see Package cisco/umbrella Release Notes.

    • fortinet/fortigate has been updated to v2.3.1.

      • Enhanced remip field parsing with conditional logic to handle URL values properly

      • Fixed regex pattern to only quote remip values when they are not already quoted IP addresses

      • Updated parser version to 5.1.1

      For more information, see Package fortinet/fortigate Release Notes.

    • infoblox/nios has been updated to v1.4.1.

      • Fixed DNS answers type field mapping to use proper array notation (dns.answers[0].type instead of dns.answers.type)

      • Updated parser version to 3.0.1

      For more information, see Package infoblox/nios Release Notes.

    • cisco/firepower has been updated to v1.8.0.

      • Updated parser version to 4.0.0

      • Added support for multiple syslog header formats including FTD and legacy NGIPS/Sourcefire devices

      • Added enhanced timestamp parsing with findTimestamp() function for improved date handling

      • Added message field populated from vendor message content

      • Added intelligent client/server role detection based on event type, protocol, and port analysis

      • Added role reversal logic to handle server-initiated connections and reverse proxy scenarios

      • Added IP address validation using CIDR checks to filter invalid addresses

      • Added domain field support for non-IP addresses across source, destination, client, and server fields

      • Added conditional field mappings for network protocols including SIP and DNS

      • Added DNS record type normalization to standard values (A, AAAA, PTR, MX, CNAME)

      • Added TLS certificate hash mapping to tls.client.hash.sha1

      • Added conditional filtering for unknown TLS versions and cipher suites

      • Added enhanced event categorization with automatic event.type:connection for network tuples

      • Added array deduplication for event.category[] and event.type[] fields

      • Changed primary address fields to use source.address and destination.address with IP/domain separation

      • Changed event outcome logic for connection teardown events based on teardown reason analysis

      • Changed connection directionality detection to use interface context (inside/outside/DMZ)

      • Changed user group field to user.group.name for ECS consistency

      • Changed field coalescing logic to prioritize existing values over vendor-specific fields

      • Consolidated lowercase operations for address and domain fields

      • Consolidated interface alias and name field mappings

      • Fixed field extraction patterns across multiple event types for improved accuracy

      • Fixed MAC address formatting to use hyphen separators

      • Fixed source/destination mapping in connection teardown events using interface-based logic

      • Removed redundant event.type:connection entries from individual event handlers

      For more information, see Package cisco/firepower Release Notes.

    • fortinet/fortigate has been updated to v2.3.2.

      • Added FTNTFGT prefix removal for events forwarded from FortiGate-VM on Azure platform

      • Enhanced type and subtype parsing with regex to accurately capture combined values

      • Added network_access log type support

      • Updated parser version to 5.1.2

      For more information, see Package fortinet/fortigate Release Notes.

    • nozomi/ids has been updated to v1.4.0.

      • Updated parser version to 4.0.0

      • Updated ECS version to 9.2.0

      • Added new field mappings for message, domain, and network protocol fields

      • Added IP address validation to filter invalid and non-routable addresses

      • Added array deduplication for event categorization fields

      • Added enhanced extraction patterns for threat indicators and network entities

      • Changed event categorization from message-based regex to classification prefix-based logic

      • Changed severity mapping ranges for better alignment with risk levels

      • Changed address field logic to support both IP and domain values

      • Changed observer field handling to distinguish between IPs and hostnames

      • Consolidated field normalization and lowercase operations

      • Fixed field name reference issues

      • Removed redundant message-based categorization patterns

      • Removed duplicate field assignments

      • Improved overall parser maintainability and performance

      For more information, see Package nozomi/ids Release Notes.

    • checkpoint/ngfw has been updated to v2.6.0.

      • Enhanced originsicname field parsing with key-value extraction for better observer name identification

      • Added policy ID tag parsing to extract policy name, management server, and date information

      • Improved rule.ruleset field mapping to include policy name from parsed policy ID tag

      • Enhanced rule.uuid field mapping to include NAT rule UIDs

      • Added network.community_id field generation for both ICMP and non-ICMP events

      • Improved observer.name field mapping with conditional logic for firewall traffic and threat prevention events

      • Enhanced client/server field identification for application control and URL filtering logs

      • Updated parser version to 3.6.0

      For more information, see Package checkpoint/ngfw Release Notes.

    • aws/waf has been updated to v3.0.0.

      • Enhanced cloud service detection from httpSourceName (CloudFront, API Gateway, ELB)

      • Added cloud account ID and region extraction from webaclId ARN

      • Added rule name extraction from webaclId

      • Improved event outcome mapping (success/failure based on allow/block actions)

      • Added TLS JA3 fingerprint support

      • Added URL scheme field mapping

      • Updated rule.category and rule.ruleset field mappings

      • Updated ECS version to 9.2.0

      • Improved code formatting and organization

      For more information, see Package aws/waf Release Notes.

    • microsoft/dhcp-server has been updated to v1.4.0.

      • Updated parser version to 3.0.0

      • Updated CPS version to 1.1.0

      • Updated ECS version to 9.2.0

      • Enhanced field mappings with improved source and client field handling

      • Added network protocol detection (dhcp/dhcpv6)

      • Improved event categorization using array:append for better ECS compliance

      • Added support for legacy authorization event ID 1103

      • Enhanced IP address validation with CIDR filtering

      • Improved MAC address formatting

      • Added client.* fields for better DHCP client identification

      For more information, see Package microsoft/dhcp-server Release Notes.

    • cisco/ise has been updated to v2.0.4.

      • Added support for CISE_External_MDM event category with comprehensive event code handling

      • Enhanced CISE_Passed_Authentications parsing with additional event codes (5236, 5238, 5240)

      • Improved CISE_Failed_Attempts parsing with new event codes (5402, 5422, 5434, 5416)

      • Added support for CISE_Administrative_and_Operational_Audit event codes (51025, 60166, 60167, 60069)

      • Enhanced RADIUS accounting with support for Interim-Update status type

      For more information, see Package cisco/ise Release Notes.

    • cisco/ios has been updated to v1.9.1.

      • Added support for AUTH_PASSED and AUTHENTICATION_FAILED event types for DMI authentication events

      • Added support for NHRP_NHS_UP, NHRP_NHS_DOWN, and CRYPTO_SS event types for DMVPN tunnel monitoring

      • Enhanced authentication event parsing with improved source address and port extraction

      • Updated parser version to 2.9.0

      For more information, see Package cisco/ios Release Notes.

    • radware/alteon has been updated to v1.3.0.

      • Updated ECS version to 9.2.0

      • Updated parser version to 2.0.0

      • Enhanced message parsing with comprehensive regex patterns for various log types

      • Added support for authentication, configuration, and network event categorization

      • Improved timestamp handling with parseTimestamp() function for timezone-aware timestamps

      • Added field extraction for user information, network protocols, and server details

      • Enhanced event outcome determination based on HTTP status codes and message content

      • Added support for IP address validation and domain/IP field assignment

      • Improved syslog parsing with better handling of AlteonOS format

      • Added comprehensive test cases for various log message types

      For more information, see Package radware/alteon Release Notes.

    • trellix/fireeye-nx has been updated to v1.3.0.

      • Enhanced event categorization with conditional logic based on event class ID

      • Added dynamic event dataset generation based on vendor event name

      • Improved source and destination field handling with IP/domain detection

      • Migrated host fields to observer fields for better ECS compliance

      • Added network transport and VLAN ID field mappings

      • Added rule name and URL original field mappings

      • Updated ECS version to 9.2.0

      • Updated parser version to 2.0.0

      • Added timestamp parsing from Vendor.rt field

      For more information, see Package trellix/fireeye-nx Release Notes.