Falcon LogScale 1.229.0 Not Released (2026-02-24)

Version?Type?Release Date?Availability?End of SupportSecurity UpdatesUpgrades From?Downgrades To?Config. Changes?
1.229.0Not Released2026-02-24

Internal Only

2027-02-28No1.177.01.177.0No

Not released.

Breaking Changes

The following items create a breaking change in the behavior, response or operation of this release.

  • Configuration

    • Removed the environment variable ENABLE_QUERY_LOAD_BALANCING to remove the option for disabling internal query routing, which led to inconsistent and incorrect behavior when submitting and polling queries.

Advance Warning

The following items are due to change in a future release.

  • Security

    • Starting from LogScale version 1.237, support for insecure ldap connections will be removed. Self-Hosted customers using LDAP will only be able to use ldaps secure connections.

Deprecation

Items that have been deprecated and may be removed in a future release.

  • The package schemas LogScale Aggregate Alert Template v0.2.0 and LogScale Filter Alert Template v0.4.0 now have the field throttleField deprecated (it was replaced by throttleFields before). Instead of being just silently ignored, the deprecated throttleField field now generates an error if set in those two schema versions.

  • The userId parameter for the updateDashboardToken GraphQL mutation has been deprecated and will be removed in version 1.273.

  • rdns() has been deprecated and will be removed in version 1.249. Use reverseDns() as an alternative function.

  • The Secondary Storage feature is now deprecated and will be removed in LogScale 1.231.0.

    The Bucket Storage feature provides superior functionality for storing rarely queried data in cheaper storage while keeping frequently queried data in hot storage (fast and expensive). For more information, see Bucket Storage.

    Please contact LogScale support for any concerns about this deprecation.

Behavior Changes

Scripts or environment which make use of these tools should be checked and updated for the new configuration:

  • Queries

    • Extended the characters represented by the \s regex character class to include all characters that Unicode considers as "whitespace". This change reduces the size of the \S non-whitespace character class.

      For reference, see the following: Unicode Character Database.

New features and improvements

  • Metrics and Monitoring

    • Added the metric failedPdfGenerationAttempts for measuring the number of failed attempts to generate a scheduled PDF report.

  • Functions

    • Added the query function text:trim(). This function removes leading and/or trailing whitespace from strings by targeting all Unicode whitespace characters, and operates in a single pass over the underlying representation of character sequences.

Fixed in this release

  • Storage

    • Fixed an issue where clusters with a replication factor of 1 and mini segments that were the result of merging other mini segments would experience ownership transfer issues.

      If the owner host of the mini segment differed from the host completing the merge, the owner host would lapse into a bad state and ownership transferral would fail, even though the host would already have the segment on disk.

  • Queries

    • Fixed an issue causing digester nodes with 0 node partitions assigned to restart digest sessions too quickly. In these cases, the issue could cause potentially unnecessary restarts of live queries, or prevent live queries with large static parts from finishing.

  • Fleet Management

    • Fixed an issue where the Fleet Management groups dialog would show incomplete pagination results while the system was still loading data. The dialog now properly displays a loading state during backend polling, ensuring all log collectors are loaded before showing pagination controls.

Known Issues

  • Storage

    • For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between PRIMARY_STORAGE_PERCENTAGE and PRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".

      This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.

Improvement

  • API

    • A deprecation notice in the showQueryEventDistribution field in queryJobs has been removed, as it was generated by mistake.

  • Ingestion

    • Fixed an issue where failed parsers would result in a null failure message. Future messages will now default to the name of the exception class in cases where a description is missing.

  • Metrics and Monitoring

    • Added the metric query-cancelled-starved, which tracks the number of queries that have been canceled due to starvation.

    • The bucket storage metric currently-submitted-segment-bucket-uploads has been renamed to align with the naming conventions of other metrics related to bucket storage.

      The metric is now named bucket-storage-currently-submitted-segment-uploads.

      The behavior of bucket storage metrics compressed-bytes-underreplicated-ignoring-bucket-storage and compressed-bytes-only-present-in-bucket-storage have also been adjusted. These metrics are now only updated by one node in the cluster at a time. Rather than having other nodes set the metric value to -1 when they aren't updating the metric, these nodes will now stop reporting the metric entirely.

Recent Package Updates

The following LogScale packages have been updated within the last month.

  • Package Changes

    • infoblox/nios has been updated to v1.4.2.

      • Fixed JSON parsing issue for DNS answers containing backslashes by adding proper escape handling

      • Added test cases for DNS TYPE65 queries with complex data structures

      • Updated parser version to 3.0.2

      For more information, see Package infoblox/nios Release Notes.

    • cisco/meraki has been updated to v2.0.0.

      • Enhanced IP and address normalization with proper CIDR validation

      • Improved network protocol handling with tcp/ip normalization to network.transport

      • Added support for l7_firewall events with proper categorization

      • Enhanced IDS alert processing with decision-based event outcomes

      • Improved field mapping for client.domain and host.hostname with lowercase normalization

      • Added destination.mac field mapping from vendor fields

      • Updated event.type arrays to remove redundant "info" entries for cleaner categorization

      • Fixed temporary variable naming conflicts by prefixing with underscore

      • Enhanced file scanning events with proper category and type assignments

      For more information, see Package cisco/meraki Release Notes.

    • f5networks/bigip has been updated to v3.1.0.

      • Enhanced audit event processing by moving AUDIT parsing outside main case statement for better categorization

      • Improved authentication failure parsing with better regex patterns for usernames and client addresses

      • Added support for HTTP referrer field extraction in authentication events

      • Enhanced tmm event processing with HTTP status code handling and URL parsing

      • Fixed conditional logic for appname extraction in RFC 5424 syslog format

      • Added array deduplication for event.category and event.type fields

      • Updated LTM catchall to include msgid 0107 and removed redundant categorization

      • Improved kvParse operations with better separator handling and empty field exclusion

      For more information, see Package f5networks/bigip Release Notes.

    • cisco/ise has been updated to v2.0.5.

      • Enhanced syslog parsing to support optional priority field in message format

      • Updated ECS version to 9.2.0

      • Updated parser version to 3.0.5

      • Minor formatting improvements and code cleanup

      For more information, see Package cisco/ise Release Notes.

    • cisco/umbrella has been updated to v1.4.2.

      • Updated parser version to 3.0.2

      • Enhanced source.address field mapping to use external_client_ip as fallback when internal_client_ip is not available

      For more information, see Package cisco/umbrella Release Notes.

    • fortinet/fortigate has been updated to v2.3.1.

      • Enhanced remip field parsing with conditional logic to handle URL values properly

      • Fixed regex pattern to only quote remip values when they are not already quoted IP addresses

      • Updated parser version to 5.1.1

      For more information, see Package fortinet/fortigate Release Notes.

    • veeam/veeamdataplatform has been updated to v1.1.0.

      • Enhanced dashboard functionality with new widgets and improved data visualization

      • Added dashboard details section with comprehensive overview and data source detector

      • Renamed lookup files with "veeam_" prefix for better organization

      • Updated all dashboard queries and scheduled searches to use new lookup file names

      • Improved dashboard layout with reordered sections and enhanced user experience

      • Added ingested data monitoring widgets

      • Updated scheduled search names with "Veeam -" prefix for better identification

      • Enhanced dashboard descriptions and labels

      For more information, see Package veeam/veeamdataplatform Release Notes.

    • infoblox/nios has been updated to v1.4.1.

      • Fixed DNS answers type field mapping to use proper array notation (dns.answers[0].type instead of dns.answers.type)

      • Updated parser version to 3.0.1

      For more information, see Package infoblox/nios Release Notes.

    • cisco/firepower has been updated to v1.8.0.

      • Updated parser version to 4.0.0

      • Added support for multiple syslog header formats including FTD and legacy NGIPS/Sourcefire devices

      • Added enhanced timestamp parsing with findTimestamp() function for improved date handling

      • Added message field populated from vendor message content

      • Added intelligent client/server role detection based on event type, protocol, and port analysis

      • Added role reversal logic to handle server-initiated connections and reverse proxy scenarios

      • Added IP address validation using CIDR checks to filter invalid addresses

      • Added domain field support for non-IP addresses across source, destination, client, and server fields

      • Added conditional field mappings for network protocols including SIP and DNS

      • Added DNS record type normalization to standard values (A, AAAA, PTR, MX, CNAME)

      • Added TLS certificate hash mapping to tls.client.hash.sha1

      • Added conditional filtering for unknown TLS versions and cipher suites

      • Added enhanced event categorization with automatic event.type:connection for network tuples

      • Added array deduplication for event.category[] and event.type[] fields

      • Changed primary address fields to use source.address and destination.address with IP/domain separation

      • Changed event outcome logic for connection teardown events based on teardown reason analysis

      • Changed connection directionality detection to use interface context (inside/outside/DMZ)

      • Changed user group field to user.group.name for ECS consistency

      • Changed field coalescing logic to prioritize existing values over vendor-specific fields

      • Consolidated lowercase operations for address and domain fields

      • Consolidated interface alias and name field mappings

      • Fixed field extraction patterns across multiple event types for improved accuracy

      • Fixed MAC address formatting to use hyphen separators

      • Fixed source/destination mapping in connection teardown events using interface-based logic

      • Removed redundant event.type:connection entries from individual event handlers

      For more information, see Package cisco/firepower Release Notes.

    • fortinet/fortigate has been updated to v2.3.2.

      • Added FTNTFGT prefix removal for events forwarded from FortiGate-VM on Azure platform

      • Enhanced type and subtype parsing with regex to accurately capture combined values

      • Added network_access log type support

      • Updated parser version to 5.1.2

      For more information, see Package fortinet/fortigate Release Notes.

    • nozomi/ids has been updated to v1.4.0.

      • Updated parser version to 4.0.0

      • Updated ECS version 9.2.0

      • Added new field mappings for message, domain, and network protocol fields

      • Added IP address validation to filter invalid and non-routable addresses

      • Added array deduplication for event categorization fields

      • Added enhanced extraction patterns for threat indicators and network entities

      • Changed event categorization from message-based regex to classification prefix-based logic

      • Changed severity mapping ranges for better alignment with risk levels

      • Changed address field logic to support both IP and domain values

      • Changed observer field handling to distinguish between IPs and hostnames

      • Consolidated field normalization and lowercase operations

      • Fixed field name reference issues

      • Removed redundant message-based categorization patterns

      • Removed duplicate field assignments

      • Improved overall parser maintainability and performance

      For more information, see Package nozomi/ids Release Notes.

    • checkpoint/ngfw has been updated to v2.6.0.

      • Enhanced originsicname field parsing with key-value extraction for better observer name identification

      • Added policy ID tag parsing to extract policy name, management server, and date information

      • Improved rule.ruleset field mapping to include policy name from parsed policy ID tag

      • Enhanced rule.uuid field mapping to include NAT rule UIDs

      • Added network.community_id field generation for both ICMP and non-ICMP events

      • Improved observer.name field mapping with conditional logic for firewall traffic and threat prevention events

      • Enhanced client/server field identification for application control and URL filtering logs

      • Updated parser version to 3.6.0

      For more information, see Package checkpoint/ngfw Release Notes.

    • cisco/ise has been updated to v2.0.4.

      • Added support for CISE_External_MDM event category with comprehensive event code handling

      • Enhanced CISE_Passed_Authentications parsing with additional event codes (5236, 5238, 5240)

      • Improved CISE_Failed_Attempts parsing with new event codes (5402, 5422, 5434, 5416)

      • Added support for CISE_Administrative_and_Operational_Audit event codes (51025, 60166, 60167, 60069)

      • Enhanced RADIUS accounting with support for Interim-Update status type

      For more information, see Package cisco/ise Release Notes.

    • cisco/ios has been updated to v1.9.1.

      • Added support for AUTH_PASSED and AUTHENTICATION_FAILED event types for DMI authentication events

      • Added support for NHRP_NHS_UP, NHRP_NHS_DOWN, and CRYPTO_SS event types for DMVPN tunnel monitoring

      • Enhanced authentication event parsing with improved source address and port extraction

      • Updated parser version to 2.9.0

      For more information, see Package cisco/ios Release Notes.

    • radware/alteon has been updated to v1.3.0.

      • Updated ECS version to 9.2.0

      • Updated parser version to 2.0.0

      • Enhanced message parsing with comprehensive regex patterns for various log types

      • Added support for authentication, configuration, and network event categorization

      • Improved timestamp handling with parseTimestamp() function for timezone-aware timestamps

      • Added field extraction for user information, network protocols, and server details

      • Enhanced event outcome determination based on HTTP status codes and message content

      • Added support for IP address validation and domain/IP field assignment

      • Improved syslog parsing with better handling of AlteonOS format

      • Added comprehensive test cases for various log message types

      For more information, see Package radware/alteon Release Notes.

    • trellix/fireeye-nx has been updated to v1.3.0.

      • Enhanced event categorization with conditional logic based on event class ID

      • Added dynamic event dataset generation based on vendor event name

      • Improved source and destination field handling with IP/domain detection

      • Migrated host fields to observer fields for better ECS compliance

      • Added network transport and VLAN ID field mappings

      • Added rule name and URL original field mappings

      • Updated ECS version to 9.2.0

      • Updated parser version to 2.0.0

      • Added timestamp parsing from Vendor.rt field

      For more information, see Package trellix/fireeye-nx Release Notes.

    • cisco/firepower has been updated to v1.9.0.

      • Updated parser version to 4.1.0

      • Added support for event codes 106103, 111010, 11300*, 11301*, 317077, 402119, 602101,602303, 602304, 746014, 805002, 805003

      • Enhanced AAA event parsing with improved user, server, and client address extraction

      • Improved conditional logic for event type assignment based on message content

      • Fixed duplicate event code handling for 805002 and 805003

      • Fixed regex patterns for user and server address extraction in AAA events

      For more information, see Package cisco/firepower Release Notes.

    • netgate/pfsense has been updated to v1.2.0.

      • Enhanced parser to support multiple log types including DHCP, VPN (charon), login, and filterdns events

      • Improved CSV parsing for filterlog entries with better protocol-specific field extraction

      • Added comprehensive IP validation and address mapping functionality

      • Enhanced MAC address formatting with standardized hyphen notation

      • Updated ECS version to 9.2.0 and parser version to 2.0.0

      • Improved syslog parsing to handle both RFC 3164 and RFC 5424 formats more robustly

      For more information, see Package netgate/pfsense Release Notes.