Falcon LogScale 1.228.1 Not Released (2026-03-16)
| Version? | Type? | Release Date? | Availability? | End of Support | Security Updates | Upgrades From? | Downgrades To? | Config. Changes? |
|---|---|---|---|---|---|---|---|---|
| 1.228.1 | Not Released | 2026-03-16 | Internal Only | 2027-03-31 | No | 1.150.0 | 1.177.0 | No |
These notes include entries from the following previous releases: 1.228.0, 1.227.0, 1.226.0, 1.225.0, 1.224.0, 1.223.0, 1.222.0, 1.221.0, 1.220.0
Not released.
Breaking Changes
The following items create a breaking change in the behavior, response or operation of this release.
GraphQL API
Improved resource management controls to ensure system stability and performance for GraphQL query processing. These changes will not impact normal usage of LogScale's UI and API.
Storage
Removed the feature flag
WriteNewSegmentFileFormat, making the new segment file format mandatory. This feature was introduced in version 1.138 to improve segment file compression and became enabled by default in version 1.162.Important
After deploying this version, clusters cannot be downgraded to versions older than 1.177.
Configuration
The
MAX_GRAPHQL_QUERY_DEPTHenvironment variable has been removed. Use theGraphQLQueryDepthLimitdynamic configuration variable instead.For information about setting dynamic configurations, see Setting a Dynamic Configuration Value. A list of available GraphQL dynamic configurations can be found at Dynamic Configuration Parameters when filtering by "GraphQL".
Advance Warning
The following items are due to change in a future release.
Security
Starting from LogScale version 1.237, support for insecure
ldapconnections will be removed. Self-Hosted customers using LDAP will only be able to useldapssecure connections.User Interface
From version 1.225.0, LogScale will enforce a new limit of 10 labels that can be added or removed in bulk for assets such as dashboards, actions, alerts and scheduled searches.
Labels will also have a character limit of 60.
Existing assets that violate these newly imposed limits will continue to work until they are updated - users will then be forced to remove or reduce their labels to meet the requirement.
Queries
Due to various upcoming changes to LogScale and the recently introduced regex engine, the following regex features will be removed in version 1.225:
Octal notation
Quantification of unquantifiable constructs
Octal notation is being removed due to logic application difficulties and its tendency to make typographical errors easier to overlook.
Here is an example of a common octal notation issue:
regex/10\.26.\122\.128/In this example,
\122is interpreted as the octal escape forRrather than the intended literal122. Similarly, the.matches not just the punctuation itself but also any single character except for new lines.Any construction of
\xwherexis a number from 1 to 9 will always be interpreted as a backreference to a capture group. If the corresponding capture group does not exist, it will be an error.Quantification of unquantifiable constructs is being removed due to lack of appropriate semantic logic, leading to redundancy and errors.
Unquantifiable constructs being removed include:
^(the start of string/start of line)
$(the end of string/end of line)
?=(a positive lookahead)
?!(a negative lookahead)?<= (a positive lookbehind)
<?<!> (a negative lookbehind)
\b(a word boundary)
\B(a non-word boundary)For example, the end-of-text construct
$*only has meaning for a limited number of occurrences. There can never be more than one occurrence of the end of the text at any given position, making elements like$redundant.A common pitfall that causes this warning is when users copy and paste a glob pattern like
*abc*in as a regex, but delimit the regex with start of text and end of text anchors:regex/^*abc*$/The proper configuration should look like this:
regex/abc/For more information, see LogScale Regular Expression Engine V2.
Removed
Items that have been removed as of this release.
GraphQL API
The following fields for the GraphQL mutation ViewInteractionEntry have been removed:
id
interaction
packageId
package
view
As an alternative, users can utilize the GraphQL datatype viewInteraction instead, as this provides access to view interaction data via a stable API surface.
Configuration
Removed the
NoCurrentsForBucketSegmentsfeature flag. Its functionality is now permanently enabled.The environment variable
TEMP_SHORTCUT_EXTERNAL_FUNCTION_CALLSis no longer used by LogScale and can be safely removed.
Deprecation
Items that have been deprecated and may be removed in a future release.
In order to simplify and clean up older documentation and manuals that refer to past versions of LogScale and related products, the following manual versions will be archived after 15th December 2025:
This archiving will improve the efficiency of the site and navigability.
Archived manuals will be available in a download-only format in an archive area of the documentation. Manuals that have been archived will no longer be included in the search, or accessible to view online through the documentation portal.
The following GraphQL APIs are deprecated and will be removed in version 1.225 or later:
In the updateSettings mutation, these input arguments are deprecated:
isPackageDocsMessageDismissed
isDarkModeMessageDismissed
isResizableQueryFieldMessageDismissed
On the UserSettings type, these fields are deprecated:
isPackageDocsMessageDismissed
isDarkModeMessageDismissed
Note
The deprecated input arguments will have no effect, and the deprecated fields will always return true until their removal.
The userId parameter for the updateDashboardToken GraphQL mutation has been deprecated and will be removed in version 1.273.
The
EXTRA_KAFKA_CONFIGS_FILEconfiguration variable has been deprecated and planned to be removed no earlier than version 1.225.0. For more information, see RN Issue.
rdns()has been deprecated and will be removed in version 1.249. UsereverseDns()as an alternative function.The Secondary Storage feature is now deprecated and will be removed in LogScale 1.231.0.
The Bucket Storage feature provides superior functionality for storing rarely queried data in cheaper storage while keeping frequently queried data in hot storage (fast and expensive). For more information, see Bucket Storage.
Please contact LogScale support for any concerns about this deprecation.
Behavior Changes
Scripts or environment which make use of these tools should be checked and updated for the new configuration:
Storage
Revised bucket transfer priority to the following, in descending order:
Segment uploads transferred to bucket storage for replication
Lookup file uploads transferred to bucket storage for replication
Downloads of minisegments for queries
Downloads of other segments for queries
Segment uploads for disaster recovery migration
Segment downloads for background operations
Configuration
The environment variable
VALIDATE_BLOCK_CRCS_BEFORE_UPLOADhas been removed to guarantee segment validation before uploading segment files to bucket storage. Previously, this environment variable was set totrueby default, allowing users to disable this functionality by disabling checking block CRCs prior to upload.Queries
The
QuerySessionsclass now propagates user permission changes to running static queries, allowing them to end or restart as necessary. Previously, this behavior was only applied to live queries.
Upgrades
Changes that may occur or be required during an upgrade.
Installation and Deployment
Upgraded LogScale's bundled Java Development Kit (JDK) to version 25.0.2, resolving the Transparent Huge Pages (THP) issue mentioned in release 1.213.0 (see RN Issue), where systems configured with THP mode as
madvisedid not enable huge pages when running with the default garbage collector.
New features and improvements
Security
Added the dynamic configuration parameter
DisableAssetSharingto control whether users have the capability to share assets like dashboards, saved searches, reports, etc. with other users via direct permission assignments. When set totrue, only users withchangeUserAccesspermission can assign direct asset permissions.Asset sharing is enabled by default. Administrators can disable it cluster-wide using the dynamic configuration
DisableAssetSharingvia the GraphQL API.
User Interface
The
Searchweb interface has a new layout design and tab grouping for an overall improved user experience. The update includes:Widget Selectornow repositioned as a display tab next to the Source Events listSource Events tab that lists all filtered events
Table tabs new layout
Named prefix Events tabs now with with dropdown selectors for multiple items
Tool Panelcontrolling the event display options now repositioned on top of events and results, next to the tabsEnhanced field statistics with improved performance through the new button
No action is required — users will automatically see the new design when searching.
For more information, see Choose Visualization, Display Results and Events, Display Fields.
Automation and Triggers
It is now possible to configure filter and aggregate alerts to throttle on multiple fields.
To support this change, the following GraphQL changes have been made:
The GraphQL argument throttleField has been deprecated and replaced with with throttleFields for types FilterAlert, AggregateAlert, UnsavedFilterAlert, and UnsavedAggregateAlert.
The GraphQL argument throttleField has been deprecated and replaced it with throttleFields in mutations createFilterAlert() and createAggregateAlert().
Mutations updateFilterAlert() and updateAggregateAlert() have been deprecated and replaced with updateFilterAlertV2() and updateAggregateAlertV2().
The main difference is that the throttleField field is being removed and a throttleFields field is being added.
Added a new action type for uploading the result of a trigger to an AWS S3 bucket.
For more information, see Action Type: S3.
GraphQL API
Added the option for end timestamp functionality for per-repository archiving configuration. This filters out segments with start timestamps later than the configured end timestamp.
A new optional parameter
endAtDateTimehas been added to the following GraphQL endpoints:Extended the analyzeQuery() GraphQL endpoint to support alerts. The
queryKindparameter now supports the following values:For filter alerts: { filterAlert: {} }
For aggregate alerts: { aggregateAlert: {} }
For legacy alerts: { legacyAlert: {} }
Note
Alerts have restrictions beyond the query string, in particular regarding the time interval of a query. Those restrictions are outside the scope of the validation done by analyzeQuery().
Added ability to search for triggers by name using the GraphQL API. The new name argument can be used with filterAlert, aggregateAlert, and scheduledSearch fields in SearchDomain, Repository, or View types.
Note
name and id arguments cannot be used simultaneously.
API
Added
tableTypeto the filesUsed field in query results from the QueryJobs API to indicate the type and origination of the table being referenced.
Configuration
Introduced new environment variables to configure the Netty HTTP client, specifically for bucket operations.
When the value of
S3_NETTY_CLIENTistrue, the following environment variables are available:S3_NETTY_READ_TIMEOUT_SECONDS— Determines the amount of time to wait for a read on a socket before an exception is thrown. The default value is 120 seconds.S3_NETTY_WRITE_TIMEOUT_SECONDS— Determines the amount of time to wait for a write on a socket before an exception is thrown. Default value is 30 seconds.
Dashboards and Widgets
Enhanced Schedule PDF Reports behavior:
If a report times out more than the value set in
SCHEDULED_REPORT_MAX_RETRY_ATTEMPTS(default is 5), the report is automatically disabled.When a report is disabled for any reason (timeouts or specific errors), an email notification is sent to the intended report recipient.
Queries
Added support for unicode categories in LogScale Regular Expression Engine V2 using
\p{L}syntax. Supported categories include:Letters (
L)Symbols (
S)Punctuation (
P)Control characters (
Cc)
These categories can also be used in character classes like
[\p{S}A-Z])and negated using\P{L}.For more information, see Regular Expression Engine V2 Syntax Patterns.
Added support for
(?P<X>)syntax for named capturing groups in the LogScale Regular Expression Engine V2. This syntax is functionally equivalent to the existing(?<X>)syntax.
Metrics and Monitoring
Added new CPU measurements to the
stat_cpunonsensitive logger:stealguestguestNice
These fields are available in the humio repository.
Functions
Released the new query function
explain:asTable(), which provides detailed insights into query performance by showing a step-by-step breakdown of time consumption and event filtering throughout the query.
Fixed in this release
Security
Users who have
ManageOrganizations(Cloud) orManageCluster(Self-Hosted) permissions can now change the Data Retention settings above the repository time limit via the web interface. Previously, changing these settings was possible but only via GraphQL, so this inconsistency has now been fixed.Fixed an issue with JSON Web Token (JWT) authentication, where simultaneous user creation requests across different nodes would fail with the error message User already exists. Now when authenticating with LogScale using a JWT, if the username specified in the token for the user claim does not exist, the user will be created automatically — the process is also self-correcting to avoid similar errors in the future.
System and organization API tokens could not be used for certain view-related routes, even when the tokens contained the necessary permissions. This issue has now been fixed.
User Interface
Fixed an issue with the parser duplication dialog in the UI that incorrectly displayed a repository selector. When duplicating a parser, users can now only duplicate within the same repository, matching the API's actual behavior.
Note
The repository selector continues to work as expected for other asset types like saved queries, dashboards, and actions.
Fixed an issue with correlate query graph visualization, where nodes and edges would not render correctly in certain circumstances.
These two wrong behaviors have been fixed in the web interface:
The Events tab would not show when the main correlate query did not return results.
A wrong default widget was selected by the Widget selector.
Automation and Triggers
Fixed an issue where the creation of a scheduled report without parameter values would result in an invalid and failing result.
Fixed an issue where parameters set by the user during the creation of Schedule PDF Reports were sometimes not saved. To minimize disruption to the user, reports that used default dashboard values for parameters will not require any change — reports will generate using default values.
Fixed an issue with scheduled searches where schedule changes would only be applied to runs after "now". To achieve this, the GraphQL datatype ScheduledSearch has undergone the following changes:
GraphQL fields lastExecuted and lastTriggered have been deprecated.
GraphQL fields timeOfLastExecution and timeOfLastTrigger have been added.
The new fields contain the actual execution time of the query. The deprecated fields contained the end time of the search interval of the last query that was executed or triggered.
Note
The new fields will only have a different value for scheduled searches running on @timestamp where the parameter
searchIntervalOffsetSecondsis set to a value greater than 0.For more information, see ScheduledSearch .
Fixed a rare issue where a trigger deletion could be incorrectly logged as a broken trigger.
Storage
An error log stating Unexpected normal segment in segments missed by coordinator was displayed when a view was being restored from deletion. This issue has now been fixed.
Fixed an issue where global snapshot failure would prevent further attempts until system restart.
Events containing the ASCII character
\NULin field values could be stored in a corrupted format, and blocks containing such events may have been corrupt as well: as a consequence, such fields may have contained incorrect values when displayed or filtered. This issue has now been fixed.Fixed an issue occurring during offset calculation for digest that could cause minisegments that go missing before being fully replicated to be incorrectly deleted and replayed from Kafka.
This occurred only in datasources that were recently created or whose status had recently changed from idle to non-idle. In the future, these minisegments will appear in the cluster admin panel designated as "absent".
Fixed an issue where a failing assertion in
DataSyncJobcould cause a system crash in very rare cases.Fixed an issue where disk clean-up would leak aux/hash files on disk when only the aux/hash files were present and not the segment files themselves. This only affects systems where the
KeepSegmentHashFilesfeature flag has been enabled.Fixed an issue with task cancellation in the node-to-node segment fetcher that could cause a terminating node to drop a copy of the segment file it was fetching.
Fixed an issue where nodes could enter a repeated download and deletion loop of the same segment due to over-replication.
API
An issue has been fixed in how nextRunInterval is applied to subqueries: when
cacheHintis supplied for a query, it is now correctly propagated to subqueries (for example, in queries using thedefineTable()function).
Configuration
Fixed an issue where LogScale would reuse existing Kafka bootstrap servers when tracking brokers, even when Kafka clients were not allowed to rebootstrap. This could prevent Kafka clients from reaching the correct Kafka cluster. For reference, rebootstrapping solves a common issue that occurs when the connection is lost to all Kafka brokers known to the user based on the most recent metadata request.
For example, if a user has "Kafka Broker 1" and "Kafka Broker 2" running and attempts to turn on "Kafka Broker 3" and "Kafka Broker 4" while turning off "Kafka Broker 1" and "Kafka Broker 2" at the same time, a non-rebootstrapping user would lose connection to Kafka because only "Kafka Broker 1" and "Kafka Broker 2" are known to it.
With rebootstrapping enabled, users are able to retry all initial bootstrap servers. If any server is live, the client will not lose connection.
Kafka clients in LogScale are allowed to rebootstrap by setting the environment variable
KAFKA_COMMON_METADATA_RECOVERY_STRATEGYtonone.Disabling rebootstrapping is generally not recommended. However, it may be necessary if any bootstrap servers that have been specified in
KAFKA_SERVERShave a possibility of resolving to a Kafka broker in any cluster other than the original cluster.For more information, see the Apache documentation: KIP-899: Allow producer and consumer clients to rebootstrap
Ingestion
Updated parser/v0.3.0 schema to allow empty rawString values in test cases, ensuring consistency between API-created parsers and YAML export functionality. Previously, parser templates created via CRUD APIs with empty rawString values would fail YAML export due to schema validation.
Fixed an issue where Amazon Simple Queue Service (SQS) permissions problems were not appearing in the activity log for ingest feeds.
Queries
Fixed an issue where using the
likeoperator in a query would sometimes cause the query to malfunction and return no results in the Event List.Fixed an issue where an error surfacing during subquery result calculation, such as within
join()ordefineTable(), would not be visible to the user.Fixed an issue where query results could be incorrectly reused from cache for static queries. Only queries using @ingesttimestamp in conjunction with
start()and/orend()functions were affected.
Functions
Fixed an issue in the
match()function where characters with larger lowercase than uppercase UTF-8 representations caused lookup failures.Fixed an issue where prefix values of a certain length could cause an error during the creation of the lookup structure for the
match()function.Fixed an issue where using the function
wildcard()as part of an expression (for exampletest(wildcard(...))) would result in an internal server error. The proper query validation error now correctly displays in theQuery editor.
Known Issues
Storage
For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between
PRIMARY_STORAGE_PERCENTAGEandPRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.
Improvement
Installation and Deployment
Improved Indicator of Compromise (IoC) service efficiency by preventing unnecessary full downloads from the remote IoC server or CrowdStrike API when data is already present in the cluster.
Administration and Management
For release 1.222.0, several minor internal changes were completed for processes unrelated to the user's experience.
Falcon Data Replicator
Falcon Data Replicator metrics job now uses an HTTP proxy when
FDR_USE_PROXYis enabled.
User Interface
Restored quick-access query links from the
Parsersoverview. Users can now access context menu actions to directly navigate to theSearchpage querying parser events and errors. Options are now as follows:- Quickly view all events parsed by a specific parser
- Instantly see parsing errors for troubleshooting
For more information, see Manage Parsers.
Automation and Triggers
The
Triggersoverview page has been updated with the following improvements:Sorting is now available for all columns.
The Search... field now supports filtering across all columns.
The and filtering options are now available for quickly selecting all items and then excluding single items, and for quickly identifying triggers with no label, action, or package attached.
Both options are available for the Labels, Actions and Packages columns.
For more information, see Manage Triggers.
Enhanced action logging in humio-activity logs:
Successfully triggering actions are now logged in the in humio-activity repository with message
Invoking action succeeded.Email actions now include messageId field for SMTP or Postmark emails
Future SaaS email actions will use mailstrikeTraceId field
Test actions now log a
Successfully invoked test actionmessage
Storage
Aligned the check completed during S3 archiving configuration validation with actual archiving upload behavior, enabling support for buckets using Amazon S3 Object Lock.
Added a delay between retry attempts when global snapshot uploads fail.
Configuration
Migrated to official Apache Pekko releases from internal fork. Fixed Google Cloud Storage authentication scope placement to ensure proper handling of read/write permissions.
Added validation checks for the configuration variable
NODE_ROLESto ensure that they are set only to allowed values (all,httponly, andingestonly). Invalid node role configurations now prevent LogScale from starting and notify users with an exception error message.For more information, see
NODE_ROLES.
Ingestion
Improved LogScale's Parser Generator dialog to better handle sample log files:
Added clear error messages for log lines exceeding character limits
Fixed processing of mixed-size log lines to ensure all valid lines are included
Log Collector
Implemented disk-based caching for Log Collector artifacts (installers, binaries, scripts) to reduce update server load. The cache automatically manages artifact cleanup based on manifest presence and configurable disk quota limits.
Queries
Enhanced query performance by implementing hash filter file caching for frequently accessed bucketed segments, even when queries only require hash filter files for search operations.
Function names are no longer reserved words in CrowdStrike Query Language (CQL). As a result, adding new functions will not risk accidentally rendering existing queries invalid. Going forward, a word is only interpreted as a function call if it is immediately followed by a starting parenthesis.
For example, the word
"test"was previously a reserved word and required to be quoted because it also happens to be the name of a function (test()) - it can now be written without quotes.For more information, see Appendix D - Reserved Words.
Optimized performance for Regular Expression Engine v2 regarding zero-or-more repetitions of single character regex matches at the start of regexes. For example, regexes such as
/.*foo/now complete more quickly, also compared to the previous engine.The election process regarding slow queries has been updated to the following parameters:
Changed the threshold from 100 times slower to 500 times slower for vote casting.
Increased vote timeout from 5 minutes to 15 minutes.
When a node is elected as problematic by the entire cluster within the timeout period, it is logged with the message These nodes were deemed bad by the rest of the cluster.
Improved query throttling for segment merges. Queries are not throttled if segment merging falls behind due to slow segment fetches.
Improved caching of query states to allow partial reuse of query results when querying by event time, improving query performance while reducing query costs.
Fleet Management
Fleet Management now performs a staged rollout of collector version updates within groups to prevent simultaneous updates of all collectors.
Auditing and Monitoring
Added logging for topic-level configurations to
KafkaStatusLoggerJob.
Functions
Using the
readFile()function with theincludeargument will now output the columns in the order that the values were provided in theincludearray.
Other
The The http server closed the connection unexpectedly message now appears at the informational level instead of the error level, as this is expected behavior if any requests fail to complete quickly during shutdown.
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
infoblox/nios has been updated to v1.3.4.
Updated ECS version to 9.2.0
Fixed DNS answers type field mapping to use array notation (dns.answers[0].type)
Updated parser version to 2.2.4
For more information, see Package infoblox/nios Release Notes.
imperva/cloud-waf has been updated to v1.6.0.
Updated ECS version to 9.2.0
Updated CPS version to 1.1.0
Updated parser version to 4.0.0
Enhanced event categorization with improved event.category and event.type arrays
Added comprehensive client, server, and destination field mappings
Improved network type detection for IPv4 and IPv6 addresses
Added observer, network, and URL field mappings
For more information, see Package imperva/cloud-waf Release Notes.
infoblox/nios has been updated to v1.4.2.
Fixed JSON parsing issue for DNS answers containing backslashes by adding proper escape handling
Added test cases for DNS TYPE65 queries with complex data structures
Updated parser version to 3.0.2
For more information, see Package infoblox/nios Release Notes.
trellix/fireeye-nx has been updated to v1.2.2.
Updated package description in manifest
For more information, see Package trellix/fireeye-nx Release Notes.
infoblox/nios has been updated to v1.4.0.
Enhanced DHCP parsing with support for BOOTREPLY, BOOTREQUEST, ICMP, and NOT FREE events
Added support for password_expired and logout authentication events in audit logs
Improved field mapping with client.address and server.address normalization
Added transaction.id field mapping for DHCP events
Enhanced DNS parsing with timeout resolution support
Updated parser version to 3.0.0
For more information, see Package infoblox/nios Release Notes.
aws/vpcflow has been updated to v1.3.0.
Enhanced IP address validation using CIDR function for source and destination fields
Added network transport protocol mapping based on IANA numbers
Improved event action normalization to lowercase format
Updated ECS version to 9.2.0 and CPS version to 1.1.0
Enhanced CSV header detection with improved regex pattern
For more information, see Package aws/vpcflow Release Notes.
cisco/meraki has been updated to v2.0.0.
Enhanced IP and address normalization with proper CIDR validation
Improved network protocol handling with tcp/ip normalization to network.transport
Added support for l7_firewall events with proper categorization
Enhanced IDS alert processing with decision-based event outcomes
Improved field mapping for client.domain and host.hostname with lowercase normalization
Added destination.mac field mapping from vendor fields
Updated event.type arrays to remove redundant "info" entries for cleaner categorization
Fixed temporary variable naming conflicts by prefixing with underscore
Enhanced file scanning events with proper category and type assignments
For more information, see Package cisco/meraki Release Notes.
cisco/umbrella has been updated to v1.4.1.
Updated parser version to 3.0.1
Added strict=false parameter to regex function for improved parsing reliability
For more information, see Package cisco/umbrella Release Notes.
haproxy/haproxy has been updated to v1.2.3.
Enhanced syslog parsing with improved BSD Syslog format support
Added comprehensive HTTP, TCP, and error log format parsing
Updated ECS version to 9.2.0
Improved field mappings for client, source, destination, and server fields
Added TLS version detection and SSL handshake failure parsing
Enhanced URL parsing with query parameter extraction
Added IP address validation for source and client fields
Improved event categorization and outcome determination
For more information, see Package haproxy/haproxy Release Notes.
microsoft/windows-dns-debug has been updated to v1.5.0.
Added support for new DNS log format with LOOKUP and RECURSE operations
Enhanced DNS answer record parsing with answer name and type extraction
Improved thread ID handling with both name and numeric ID fields
Added new DNS type classification for answer records
Updated parser version to 2.4.0
For more information, see Package microsoft/windows-dns-debug Release Notes.
f5networks/bigip has been updated to v3.1.0.
Enhanced audit event processing by moving AUDIT parsing outside main case statement for better categorization
Improved authentication failure parsing with better regex patterns for usernames and client addresses
Added support for HTTP referrer field extraction in authentication events
Enhanced tmm event processing with HTTP status code handling and URL parsing
Fixed conditional logic for appname extraction in RFC 5424 syslog format
Added array deduplication for event.category and event.type fields
Updated LTM catchall to include msgid 0107 and removed redundant categorization
Improved kvParse operations with better separator handling and empty field exclusion
For more information, see Package f5networks/bigip Release Notes.
cisco/ise has been updated to v2.0.5.
Enhanced syslog parsing to support optional priority field in message format
Updated ECS version to 9.2.0
Updated parser version to 3.0.5
Minor formatting improvements and code cleanup
For more information, see Package cisco/ise Release Notes.
cisco/umbrella has been updated to v1.4.2.
Updated parser version to 3.0.2
Enhanced source.address field mapping to use external_client_ip as fallback when internal_client_ip is not available
For more information, see Package cisco/umbrella Release Notes.
cisco/umbrella has been updated to v1.4.0.
Updated parser to support Cisco Umbrella Log Schema Version 13
For more information, see Package cisco/umbrella Release Notes.
zscaler/deception has been updated to v2.3.0.
Updated parser version to 3.0.0
Updated ECS version to 9.2.0
Enhanced event categorization with comprehensive type matching for different log types
Improved field mappings for source, destination, client, and server fields
Added support for additional file operations and process tracking
Enhanced threat intelligence integration with abuse confidence scoring
Improved timestamp parsing from syslog headers
Added comprehensive network protocol and connection state handling
For more information, see Package zscaler/deception Release Notes.
cloudflare/zerotrust has been updated to v2.2.0.
Enhanced email security alert filtering to only generate alerts for malicious, suspicious, or spoof dispositions
Added threat technique name mapping from ThreatCategories for email security alerts
Improved event categorization for email security with separate handling for threat techniques vs general emails
Updated WAF alert generation to trigger only when severity indicates likely attack or attack (severity <= 50)
Updated parser version to 4.2.0
For more information, see Package cloudflare/zerotrust Release Notes.
veeam/veeamdataplatform has been updated to v1.0.2.
Updated ECS version to 9.2.0 and CPS version to 1.1.0
Consolidated user extraction logic for event ID 42405 with other InitiatorFullInfo events
Merged event ID ranges for UserName field extraction
Updated test cases with new sample data
For more information, see Package veeam/veeamdataplatform Release Notes.
veeam/veeamdataplatform has been updated to v1.1.0.
Enhanced dashboard functionality with new widgets and improved data visualization
Added dashboard details section with comprehensive overview and data source detector
Renamed lookup files with "veeam_" prefix for better organization
Updated all dashboard queries and scheduled searches to use new lookup file names
Improved dashboard layout with reordered sections and enhanced user experience
Added ingested data monitoring widgets
Updated scheduled search names with "Veeam -" prefix for better identification
Enhanced dashboard descriptions and labels
For more information, see Package veeam/veeamdataplatform Release Notes.
infoblox/nios has been updated to v1.4.1.
Fixed DNS answers type field mapping to use proper array notation (dns.answers[0].type instead of dns.answers.type)
Updated parser version to 3.0.1
For more information, see Package infoblox/nios Release Notes.
cisco/firepower has been updated to v1.8.0.
Updated parser version to 4.0.0
Added support for multiple syslog header formats including FTD and legacy NGIPS/Sourcefire devices
Added enhanced timestamp parsing with findTimestamp() function for improved date handling
Added message field populated from vendor message content
Added intelligent client/server role detection based on event type, protocol, and port analysis
Added role reversal logic to handle server-initiated connections and reverse proxy scenarios
Added IP address validation using CIDR checks to filter invalid addresses
Added domain field support for non-IP addresses across source, destination, client, and server fields
Added conditional field mappings for network protocols including SIP and DNS
Added DNS record type normalization to standard values (A, AAAA, PTR, MX, CNAME)
Added TLS certificate hash mapping to tls.client.hash.sha1
Added conditional filtering for unknown TLS versions and cipher suites
Added enhanced event categorization with automatic event.type:connection for network tuples
Added array deduplication for event.category[] and event.type[] fields
Changed primary address fields to use source.address and destination.address with IP/domain separation
Changed event outcome logic for connection teardown events based on teardown reason analysis
Changed connection directionality detection to use interface context (inside/outside/DMZ)
Changed user group field to user.group.name for ECS consistency
Changed field coalescing logic to prioritize existing values over vendor-specific fields
Consolidated lowercase operations for address and domain fields
Consolidated interface alias and name field mappings
Fixed field extraction patterns across multiple event types for improved accuracy
Fixed MAC address formatting to use hyphen separators
Fixed source/destination mapping in connection teardown events using interface-based logic
Removed redundant event.type:connection entries from individual event handlers
For more information, see Package cisco/firepower Release Notes.
checkpoint/ngfw has been updated to v2.7.0.
Fixed event.kind assignment for malware detection events to properly set "alert" value
Enhanced conditional logic for malware event categorization in Block and Detect actions
Updated parser version to 3.7.0
For more information, see Package checkpoint/ngfw Release Notes.
microsoft/sysmon has been updated to v1.1.4.
Added @dataConnectionID field to the select statement for improved data connection tracking
Updated parser version to 1.1.4
For more information, see Package microsoft/sysmon Release Notes.
darktrace/detect has been updated to v2.0.2.
Updated ECS version to 9.2.0
Updated parser version to 3.0.2
Enhanced timestamp parsing for RFC 3164 syslog format to handle single-digit day values with optional space padding
Added array-based field handling for host.mac[] field
For more information, see Package darktrace/detect Release Notes.
okta/sso has been updated to v1.4.6.
Updated ECS version to 9.2.0
Enhanced event outcome handling to include UNANSWERED and ABANDONED result types
Added support for additional event types including app.oauth2.token.grant, event_hook.delivery, system.push.send_factor_verify_push, and various system notification events
Improved code formatting and consistency throughout parser
Added new test cases for enhanced coverage
For more information, see Package okta/sso Release Notes.
cisco/firepower has been updated to v1.7.6.
Updated parser version to 3.3.6
Enhanced key-value parsing for events 430001-430007 to better handle UserAgent field extraction
Improved regex pattern to handle complex field values with commas and special characters
For more information, see Package cisco/firepower Release Notes.
fortinet/fortigate has been updated to v2.3.2.
Added FTNTFGT prefix removal for events forwarded from FortiGate-VM on Azure platform
Enhanced type and subtype parsing with regex to accurately capture combined values
Added network_access log type support
Updated parser version to 5.1.2
For more information, see Package fortinet/fortigate Release Notes.
nozomi/ids has been updated to v1.4.0.
Updated parser version to 4.0.0
Updated ECS version 9.2.0
Added new field mappings for message, domain, and network protocol fields
Added IP address validation to filter invalid and non-routable addresses
Added array deduplication for event categorization fields
Added enhanced extraction patterns for threat indicators and network entities
Changed event categorization from message-based regex to classification prefix-based logic
Changed severity mapping ranges for better alignment with risk levels
Changed address field logic to support both IP and domain values
Changed observer field handling to distinguish between IPs and hostnames
Consolidated field normalization and lowercase operations
Fixed field name reference issues
Removed redundant message-based categorization patterns
Removed duplicate field assignments
Improved overall parser maintainability and performance
For more information, see Package nozomi/ids Release Notes.
f5networks/bigip has been updated to v3.0.0.
Updated to support RFC 5424 syslog format
Added checks to ensure IPs are valid prior to assignment
Improved parsing around login/logout events
For more information, see Package f5networks/bigip Release Notes.
checkpoint/ngfw has been updated to v2.6.0.
Enhanced originsicname field parsing with key-value extraction for better observer name identification
Added policy ID tag parsing to extract policy name, management server, and date information
Improved rule.ruleset field mapping to include policy name from parsed policy ID tag
Enhanced rule.uuid field mapping to include NAT rule UIDs
Added network.community_id field generation for both ICMP and non-ICMP events
Improved observer.name field mapping with conditional logic for firewall traffic and threat prevention events
Enhanced client/server field identification for application control and URL filtering logs
Updated parser version to 3.6.0
For more information, see Package checkpoint/ngfw Release Notes.
aruba/clearpass has been updated to v1.4.0.
Updated ECS version to 9.2.0 and parser version to 3.0.0
Enhanced field mapping with improved address handling using client.address, source.address, and server.address fields
Improved MAC address formatting with dash separators and uppercase conversion
Changed event.id to event.code for better ECS compliance
Enhanced observer IP handling with array support
Improved address validation with CIDR checking and domain/IP separation
Fixed AD/LDAP event outcome mapping from success to failure
Enhanced event type mapping for authentication requests and file transfer operations
Removed redundant array drops for better performance
For more information, see Package aruba/clearpass Release Notes.
cloudflare/zerotrust has been updated to v2.1.0.
Modified risk score to severity mapping: 1-20 (severity 70), 21-50 (severity 50), 51-80 (severity 30), 81-100 (severity 10)
Updatedparser version to 4.1.0
For more information, see Package cloudflare/zerotrust Release Notes.
cisco/ios has been updated to v1.9.0.
Breaking Change: Fixed server.domain field assignment typo
Potentially Breaking Change: Improved ACCOUNTING event parsing with key-value extraction for better field normalization
Potentially Breaking Change: Improved network transport protocol normalization to lowercase
Enhanced regex patterns to support alphanumeric severity codes (A-Z0-7) for broader log format compatibility
Added new timestamp format support for logs with year prefix (yyyy MMM dd HH:mm:ss)
Added severity code remapping values to standard numeric codes
Enhanced SYSTEM_MSG event parsing with support for authentication failures, file errors, and general error messages
Added support for ENCRYPTED, ELEMENT_CRITICAL, FAIL_CONFIG, and NATIVE_VLAN_MISMATCH event types
Updated parser version to 2.8.0
For more information, see Package cisco/ios Release Notes.
zscaler/internet-access has been updated to v2.1.2.
Fixed event.action field assignment order in firewall events to ensure proper conditional processing
Updated parser version to 4.0.2
For more information, see Package zscaler/internet-access Release Notes.
zscaler/internet-access has been updated to v2.0.0.
Enhanced IP address and domain handling with improved address field mapping
Added client.* and server.* field mappings for better network visibility
Improved DNS answer field structure using indexed array format
Removed timezone parameter from file modification time parsing
Changed destination.ip to use Vendor.cdip instead of Vendor.sdip for consistency
Improved event.type categorization for file-related events
Added parsing for nested Vendor.category fields
Updated parser version to 3.0.0
For more information, see Package zscaler/internet-access Release Notes.
aws/waf has been updated to v3.0.0.
Enhanced cloud service detection from httpSourceName (CloudFront, API Gateway, ELB)
Added cloud account ID and region extraction from webaclId ARN
Added rule name extraction from webaclId
Improved event outcome mapping (success/failure based on allow/block actions)
Added TLS JA3 fingerprint support
Added URL scheme field mapping
Updated rule.category and rule.ruleset field mappings
Updated ECS version to 9.2.0
Improved code formatting and organization
For more information, see Package aws/waf Release Notes.
akamai/asec has been updated to v1.2.0.
Enhanced parser with comprehensive field extraction and decoding capabilities
Added support for HTTP request and response header parsing
Implemented advanced categorization logic based on WAF actions and response codes
Added geolocation and network type detection for IPv4 and IPv6 addresses
Enhanced rule field mappings with decoded attack data
Improved TLS version parsing and HTTP/2 protocol detection
Updated ECS version to 9.2.0 and CPS version to 1.1.0
Added user agent extraction and network bytes calculation
For more information, see Package akamai/asec Release Notes.
cisco/meraki has been updated to v1.5.4.
Enhanced firewall flow parsing with improved regex pattern for better action extraction
Added support for pattern-based action determination (0/1 and allow/deny patterns)
Improved handling of firewall events with more robust field extraction
For more information, see Package cisco/meraki Release Notes.
checkpoint/ngfw has been updated to v2.5.0.
Enhanced event categorization for network events to include "info" event type
Added support for Application Control product detection via ProductName field
Improved product matching for VPN-1 & FireWall-1 and Firewall products using in() function
Added Anti Malware product categorization with malware event category
Enhanced client/server field mapping for application control, URL filtering, and HTTPS inspection logs
Updated parser version to 3.5.0
For more information, see Package checkpoint/ngfw Release Notes.
fortinet/fortigate has been updated to v2.2.0.
Enhanced event categorization with improved network session and connection type mapping
Added comprehensive event.type array population based on event.action and session context
Improved source and destination address handling with lowercase normalization
Enhanced destination port mapping to include additional vendor fields (Vendor.dpt)
Updated event.action priority logic to handle UTM block actions specifically
Refined network protocol detection and event type classification
Updated parser version to 5.0.0
For more information, see Package fortinet/fortigate Release Notes.
zscaler/internet-access has been updated to v2.1.0.
Enhanced firewall event categorization with improved event.type arrays for connection events
Added event.outcome field mapping for web events based on action types
Improved file field handling logic with better conditional checks for filename presence
Updated file.name field to use coalesce function for better fallback handling
Enhanced firewall events with intrusion detection categorization for IPS actions
Enhanced HTTP response status code validation to exclude wildcard and "NA" values
Added event.type arrays for DNS and tunnel events to improve event classification
Updated parser version to 4.0.0
For more information, see Package zscaler/internet-access Release Notes.
cloudflare/zerotrust has been updated to v2.0.0.
Added support for new datasets: email-security-alerts, browser-isolation, sinkhole-http, warp-changes, ssh, dex-application-tests, dlp-forensic-copies, dns-firewall, workers-trace, dex-device-state, ipsec
Enhanced timestamp parsing with additional timestamp fields (EventTimestampMs, ActionTimestamp)
Added support for SSO action in access-requests dataset
Improved audit event categorization with view action support
Enhanced source address handling with ActorIPAddress support
Updated event outcome logic for audit events to support success/fail patterns
Added comprehensive field mappings for new datasets including process, error, DNS, and network fields
Enhanced email security alerts with attachment processing and threat categorization
Added browser isolation event processing with decision-based outcomes
Implemented workers trace event handling with exception-based outcome determination
Added SSH session tracking with start/end event types
Enhanced DEX application tests with HTTP performance metrics
Added DLP forensic copies processing with rule-based categorization
Implemented DNS firewall event handling with query type and response code processing
Added IPsec event processing with connection status tracking
Enhanced device state monitoring with network and client metrics
Updated parser version to 4.0.0
For more information, see Package cloudflare/zerotrust Release Notes.
infoblox/nios has been updated to v1.3.5.
Enhanced DNS query parsing to support view-specific queries with improved regex pattern
Added support for extracting view information from DNS messages
Fixed network transport protocol normalization to lowercase format
Updated parser version to 2.2.5
For more information, see Package infoblox/nios Release Notes.
fortinet/fortigate has been updated to v2.1.0.
Enhanced CEF parsing with improved priority handling and format normalization
Fixed CEF header format by replacing "CEF: 0" with "CEF:0" for proper parsing
Reordered parsing logic to prioritize CEF format detection before syslog priority extraction
Improved source.address field mapping with enhanced coalesce logic to preserve existing values
Updated parser version to 4.2.0
For more information, see Package fortinet/fortigate Release Notes.
fortinet/fortigate has been updated to v2.3.0.
Fixed CEF parsing to handle multiple cat fields without overwriting by renaming ad.cat to ad.ext.cat
Enhanced user field mapping with conditional logic for suser and duser fields
Improved source address parsing for events without designated fields using regex extraction from ui and sproc fields
Added support for additional observer fields including hostname, product, vendor, and version
Enhanced event field mappings with additional coalesce options for event.id, event.reason, and event.action
Added event.start field mapping from Vendor.start
Improved source.domain assignment for non-IP addresses
Updated parser version to 5.1.0
For more information, see Package fortinet/fortigate Release Notes.
cisco/ios has been updated to v1.8.0.
Enhanced timezone extraction from timestamp field to improve parsing accuracy
Added conditional logic to extract timezone information when not already present
Alias source/destination/client/server .ip fields to .address fields, checking if valid ip prior to assignment
Improve parsing for CONFIG events
Add parsing for TRUSTPOOL_EXPIRATION_WARNING events
Updated parser version to 2.7.0
For more information, see Package cisco/ios Release Notes.
zscaler/internet-access has been updated to v2.1.1.
Enhanced user field handling with improved fallback logic using coalesce function
Updated user.name field to use both Vendor.elogin and Vendor.user as fallback options
Updated parser version to 4.0.1
For more information, see Package zscaler/internet-access Release Notes.
palo-alto/prisma-sd-wan has been updated to v1.3.0.
Updated parser version to 3.0.0 with enhanced field mapping and categorization
Improved ECS compliance with version 9.2.0 and CPS version 1.1.0
Enhanced event categorization with dynamic array-based event.category and event.type fields
Added comprehensive IP address validation using CIDR functions
Improved zbfw_classification_rules parsing with JSON structure support
Enhanced authentication failure detection and message parsing
Added client/server field mappings for non-flow events
Improved event outcome determination based on various conditions
Enhanced regex patterns for better log parsing accuracy
Added support for multiple authentication scenarios and connection events
For more information, see Package palo-alto/prisma-sd-wan Release Notes.
cisco/ise has been updated to v2.0.4.
Added support for CISE_External_MDM event category with comprehensive event code handling
Enhanced CISE_Passed_Authentications parsing with additional event codes (5236, 5238, 5240)
Improved CISE_Failed_Attempts parsing with new event codes (5402, 5422, 5434, 5416)
Added support for CISE_Administrative_and_Operational_Audit event codes (51025, 60166, 60167, 60069)
Enhanced RADIUS accounting with support for Interim-Update status type
For more information, see Package cisco/ise Release Notes.
microsoft/windows-dns-debug has been updated to v1.5.1.
Enhanced timestamp parsing to support additional date format (d/M/yyyy HH:mm:ss)
Improved regex pattern for PACKET log entries to handle multiple timestamp formats
Fixed timestamp parsing for LOOKUP operation logs
Updated parser version to 2.4.1
For more information, see Package microsoft/windows-dns-debug Release Notes.
cisco/ios has been updated to v1.9.1.
Added support for AUTH_PASSED and AUTHENTICATION_FAILED event types for DMI authentication events
Added support for NHRP_NHS_UP, NHRP_NHS_DOWN, and CRYPTO_SS event types for DMVPN tunnel monitoring
Enhanced authentication event parsing with improved source address and port extraction
Updated parser version to 2.9.0
For more information, see Package cisco/ios Release Notes.
radware/alteon has been updated to v1.3.0.
Updated ECS version to 9.2.0
Updated parser version to 2.0.0
Enhanced message parsing with comprehensive regex patterns for various log types
Added support for authentication, configuration, and network event categorization
Improved timestamp handling with parseTimestamp() function for timezone-aware timestamps
Added field extraction for user information, network protocols, and server details
Enhanced event outcome determination based on HTTP status codes and message content
Added support for IP address validation and domain/IP field assignment
Improved syslog parsing with better handling of AlteonOS format
Added comprehensive test cases for various log message types
For more information, see Package radware/alteon Release Notes.
trellix/fireeye-nx has been updated to v1.3.0.
Enhanced event categorization with conditional logic based on event class ID
Added dynamic event dataset generation based on vendor event name
Improved source and destination field handling with IP/domain detection
Migrated host fields to observer fields for better ECS compliance
Added network transport and VLAN ID field mappings
Added rule name and URL original field mappings
Updated ECS version to 9.2.0
Updated parser version to 2.0.0
Added timestamp parsing from Vendor.rt field
For more information, see Package trellix/fireeye-nx Release Notes.
fortinet/fortigate has been updated to v2.0.0.
Added CEF (Common Event Format) parsing support for Fortinet logs
Enhanced timestamp parsing with support for CEF header timestamps
Enhanced source and destination address handling with conditional logic for login events
Updated event.action field priority to use Vendor.action first, then Vendor.logdesc, then Vendor.eventtype
Added support for additional source fields including Vendor.spt for source port mapping
Improved URL handling in remip field with proper quoting for complex URLs
Updated parser version to 4.1.0
For more information, see Package fortinet/fortigate Release Notes.
microsoft/dhcp-client has been updated to v1.1.3.
Updated parser version to 1.2.0
Enhanced ECS version to 9.2.0
Updated CPS version to 1.1.0
Added comprehensive event categorization using array:append
Implemented event severity mapping based on Windows event levels
Added error field mappings for error codes and messages
Enhanced host field mappings with hostname normalization
Added source and client field mappings for DHCP client identification
Implemented IP address validation and filtering
Added process thread ID mapping
Removed deprecated windows-dhcpclient.yaml parser file
Updated minimum LogScale version requirement to 1.207.0
For more information, see Package microsoft/dhcp-client Release Notes.
cisco/firepower has been updated to v1.9.0.
Updated parser version to 4.1.0
Added support for event codes 106103, 111010, 11300*, 11301*, 317077, 402119, 602101,602303, 602304, 746014, 805002, 805003
Enhanced AAA event parsing with improved user, server, and client address extraction
Improved conditional logic for event type assignment based on message content
Fixed duplicate event code handling for 805002 and 805003
Fixed regex patterns for user and server address extraction in AAA events
For more information, see Package cisco/firepower Release Notes.
netgate/pfsense has been updated to v1.2.0.
Enhanced parser to support multiple log types including DHCP, VPN (charon), login, and filterdns events
Improved CSV parsing for filterlog entries with better protocol-specific field extraction
Added comprehensive IP validation and address mapping functionality
Enhanced MAC address formatting with standardized hyphen notation
Updated ECS version to 9.2.0 and parser version to 2.0.0
Improved syslog parsing to handle both RFC 3164 and RFC 5424 formats more robustly
For more information, see Package netgate/pfsense Release Notes.