Falcon LogScale 1.230.0 Not Released (2026-03-03)
| Version | Type | Release Date | Availability | End of Support | Security Updates | Upgrades From | Downgrades To | Config. Changes |
|---|---|---|---|---|---|---|---|---|
| 1.230.0 | Not Released | 2026-03-03 | Internal Only | 2027-03-31 | No | 1.177.0 | 1.177.0 | No |
Not released.
Advance Warning
The following items are due to change in a future release.
Security
Starting from LogScale version 1.237, support for insecure (plaintext) ldap connections will be removed. Self-Hosted customers using LDAP will only be able to use ldaps (LDAP over TLS) secure connections.
Removed
Items that have been removed as of this release.
Storage
Cached data files mode, which allowed users to configure a local cache directory for segment files, was deprecated in 1.210.0. It has now been entirely removed from LogScale.
To ensure users are aware of this feature's removal, nodes that contain the configuration variables CACHE_STORAGE_DIRECTORY, CACHE_STORAGE_PERCENTAGE, and CACHE_STORAGE_SOURCE will now refuse to start.
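Both the advance warning above (plaintext ldap:// removed from 1.237) and the cached data files removal (nodes with CACHE_STORAGE_* set refuse to start) are things to catch before upgrading rather than after. The following is an added example, not LogScale's own tooling: it audits a LogScale environment file for both, and emits a corrected copy. The CACHE_STORAGE_* names are the ones named in this release note; LDAP_AUTH_PROVIDER_URL is assumed to be the variable holding the LDAP server URL in your deployment, and the sample environment file is constructed for the example.

```python
# Added example; this is not LogScale's own tooling. It audits a LogScale
# environment file for the two changes described above. The CACHE_STORAGE_*
# names come from this release note. LDAP_AUTH_PROVIDER_URL is assumed to be
# the variable holding the LDAP server URL in your deployment; adjust it to
# match the variable your configuration actually uses.
from urllib.parse import urlsplit

REMOVED_VARS = {
    "CACHE_STORAGE_DIRECTORY",
    "CACHE_STORAGE_PERCENTAGE",
    "CACHE_STORAGE_SOURCE",
}
LDAP_URL_VAR = "LDAP_AUTH_PROVIDER_URL"  # assumption, see lead-in
LDAPS_DEFAULT_PORT = 636                 # IANA default for LDAP over TLS

# Constructed sample environment file, not taken from any real deployment.
SAMPLE_ENV = """\
# node-a
AUTHENTICATION_METHOD=ldap
LDAP_AUTH_PROVIDER_URL="ldap://ldap.example.internal:389"
CACHE_STORAGE_DIRECTORY=/mnt/fast/cache
CACHE_STORAGE_PERCENTAGE=80
export CACHE_STORAGE_SOURCE=primary
"""


def parse_env(text):
    """Parse KEY=VALUE lines (optionally 'export KEY=VALUE'), ignoring comments."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def audit(text):
    """Return a list of (severity, variable, message) findings."""
    env = parse_env(text)
    findings = []
    for name in sorted(REMOVED_VARS & env.keys()):
        findings.append((
            "blocker", name,
            "removed in 1.230.0; a node with this variable set refuses to start",
        ))
    url = env.get(LDAP_URL_VAR)
    if url is not None:
        scheme = urlsplit(url).scheme.lower()
        if scheme == "ldap":
            findings.append((
                "warning", LDAP_URL_VAR,
                "plaintext ldap:// is removed from 1.237; switch to ldaps://",
            ))
        elif scheme != "ldaps":
            findings.append(("warning", LDAP_URL_VAR, f"unexpected scheme {scheme!r}"))
    return findings


def to_ldaps(url, port=LDAPS_DEFAULT_PORT):
    """Rewrite an ldap:// URL to ldaps:// on the given port; other URLs are
    returned unchanged."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "ldap":
        return url
    host = parts.hostname or ""
    if ":" in host:                  # bare IPv6 literal needs its brackets back
        host = f"[{host}]"
    return f"ldaps://{host}:{port}{parts.path}"


def hardened_env(text):
    """Drop the removed CACHE_STORAGE_* lines and upgrade the LDAP URL."""
    out = []
    for raw in text.splitlines():
        key = raw.strip().removeprefix("export ").split("=", 1)[0].strip()
        if key in REMOVED_VARS:
            continue
        if key == LDAP_URL_VAR and "=" in raw:
            prefix, value = raw.split("=", 1)
            quoted = value.strip().startswith('"')
            new = to_ldaps(value.strip().strip('"').strip("'"))
            out.append(f'{prefix}="{new}"' if quoted else f"{prefix}={new}")
            continue
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for severity, var, msg in audit(SAMPLE_ENV):
        print(f"{severity:8} {var}: {msg}")
    print(hardened_env(SAMPLE_ENV))
```

Run it against each node's environment file before rolling out 1.230.0: a "blocker" finding means that node will not come up after the upgrade, and the ldaps:// rewrite only helps if the directory server actually listens on 636 with a certificate the LogScale nodes trust, so verify that side before changing the URL.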
Deprecation
Items that have been deprecated and may be removed in a future release.
Live streaming queries are now deprecated, and support is slated for removal starting in version 1.241.0.
Note
Aggregate live streaming queries are already unsupported. This additional deprecation notice only applies to filter-only queries. Static streaming queries are unaffected, as are any queries submitted via the queryjobs API.
The userId parameter for the updateDashboardToken GraphQL mutation has been deprecated and will be removed in version 1.273.
rdns() has been deprecated and will be removed in version 1.249. Use reverseDns() as an alternative function.
The Secondary Storage feature is now deprecated and will be removed in LogScale 1.231.0.
The Bucket Storage feature provides superior functionality for storing rarely queried data in cheaper storage while keeping frequently queried data in hot storage (fast and expensive). For more information, see Bucket Storage.
Please contact LogScale support for any concerns about this deprecation.
Behavior Changes
Scripts or environments that make use of these tools should be checked and updated for the new configuration:
Automation and Triggers
Alert jobs now only run on nodes that act as query coordinators.
For more information, see Configuring Specific Node Roles.
Configuration
The way LogScale interprets the environment variable INITIAL_FEATURE_FLAGS has changed. This setting allows administrators to define at boot time which features are enabled in LogScale; feature flags can also be toggled via GraphQL at runtime. Previously, features appearing in INITIAL_FEATURE_FLAGS were written into global when the node booted, causing the following unintended behaviors:
The settings were written to global at a late point during bootup. This meant that when enabling a flag via INITIAL_FEATURE_FLAGS, there was a period during bootup where the feature was not enabled.
In cases where administrators mistakenly applied INITIAL_FEATURE_FLAGS to only some nodes in the cluster rather than all nodes, those nodes could end up competing with one another over what the state in global should be, with the last node to reboot determining the final result.
If an administrator enabled a feature via INITIAL_FEATURE_FLAGS and disabled it at runtime via GraphQL, the flag could enable itself again if any node rebooted, because the feature states from INITIAL_FEATURE_FLAGS would again be written into global.
The new behavior of INITIAL_FEATURE_FLAGS is that it is applied immediately on boot, and there is a strict precedence order between GraphQL and INITIAL_FEATURE_FLAGS:
If a feature is explicitly enabled or disabled via GraphQL, that setting takes precedence across all cluster nodes, and INITIAL_FEATURE_FLAGS is ignored for that feature. Otherwise, INITIAL_FEATURE_FLAGS controls the feature flag state for the local node only, rather than cluster-wide.
If administrators have enabled or disabled a feature via GraphQL and wish to "unset" this decision, the deleteFeatureFlag mutation returns the specified flag to its factory setting.
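To make the precedence change concrete, here is an added example (not LogScale code) that models the old and new rules as described above and replays the three problem scenarios. The flag name ExampleFlag is hypothetical; a node's INITIAL_FEATURE_FLAGS is modelled as an already-parsed {flag: enabled} mapping rather than the real environment-variable syntax, and in the partial-rollout scenario node-b is modelled as explicitly disabling the flag so that the two nodes compete for global as the text describes. The GraphQL side is reduced to "set an explicit value" and "delete the explicit value" (the deleteFeatureFlag mutation named above).

```python
# Added example (not LogScale code): a model of the old and new precedence
# rules for INITIAL_FEATURE_FLAGS. "ExampleFlag" is hypothetical, and each
# node's env setting is an already-parsed {flag: bool} mapping, not the
# real environment-variable syntax.
from dataclasses import dataclass, field

FACTORY_DEFAULTS = {"ExampleFlag": False}


@dataclass
class Cluster:
    env: dict                                   # node -> {flag: enabled}
    global_state: dict = field(default_factory=dict)  # the replicated "global"


# --- old behavior (before 1.230): env flags copied into global on boot ---
def old_boot(cluster, node):
    # Last node to boot wins: its env settings overwrite the shared state.
    cluster.global_state.update(cluster.env[node])


def old_effective(cluster, node, flag):
    # Every node reads the cluster-wide value, whoever wrote it last.
    return cluster.global_state.get(flag, FACTORY_DEFAULTS[flag])


# --- new behavior (1.230+): strict precedence, env is node-local ---
def new_effective(cluster, node, flag):
    if flag in cluster.global_state:       # 1. explicit GraphQL decision, cluster-wide
        return cluster.global_state[flag]
    if flag in cluster.env[node]:          # 2. this node's INITIAL_FEATURE_FLAGS only
        return cluster.env[node][flag]
    return FACTORY_DEFAULTS[flag]          # 3. factory default


def graphql_set(cluster, flag, enabled):
    # An explicit enable/disable via GraphQL: a cluster-wide decision.
    cluster.global_state[flag] = enabled


def graphql_delete(cluster, flag):
    # deleteFeatureFlag: drop the explicit decision, back to env / factory.
    cluster.global_state.pop(flag, None)


def scenario_reboot_reenables():
    """Old: a GraphQL disable is undone by the next reboot. New: it sticks."""
    old = Cluster(env={"node-a": {"ExampleFlag": True}})
    old_boot(old, "node-a")
    graphql_set(old, "ExampleFlag", False)
    old_boot(old, "node-a")                # reboot re-copies env into global
    new = Cluster(env={"node-a": {"ExampleFlag": True}})
    graphql_set(new, "ExampleFlag", False)  # a reboot never touches global now
    return (old_effective(old, "node-a", "ExampleFlag"),
            new_effective(new, "node-a", "ExampleFlag"))


def scenario_partial_rollout():
    """Env differs per node. Old: the last node to reboot decides for all.
    New: each node follows its own env."""
    env = {"node-a": {"ExampleFlag": True}, "node-b": {"ExampleFlag": False}}
    old = Cluster(env=env)
    old_boot(old, "node-a")
    old_boot(old, "node-b")                # node-b rebooted last, so global = False
    new = Cluster(env=env)
    return ({n: old_effective(old, n, "ExampleFlag") for n in env},
            {n: new_effective(new, n, "ExampleFlag") for n in env})


def scenario_unset():
    """New: deleting the GraphQL decision hands control back to env / factory."""
    c = Cluster(env={"node-a": {"ExampleFlag": True}, "node-b": {}})
    graphql_set(c, "ExampleFlag", False)
    before = {n: new_effective(c, n, "ExampleFlag") for n in c.env}
    graphql_delete(c, "ExampleFlag")
    after = {n: new_effective(c, n, "ExampleFlag") for n in c.env}
    return before, after


if __name__ == "__main__":
    print(scenario_reboot_reenables())    # (True, False)
    print(scenario_partial_rollout())
    print(scenario_unset())
```

The practical consequence of rule 2 is worth noting: after upgrading, a flag that was only ever set through INITIAL_FEATURE_FLAGS is no longer cluster-wide, so a cluster that relied on one node's env leaking into global will now see per-node differences until the variable is set on every node or the flag is set explicitly via GraphQL.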
New features and improvements
User Interface
The Lookup files overview table now allows for quickly copying file names using either the new menu option or the copy icon. For more information, see Copy lookup file names.
LogScale now presents an upgraded Query editor to deliver a faster and more reliable authoring experience. This enhancement improves page loading times across LogScale while resolving several long-standing editor limitations. New features and improvements include:
Code Folding/Collapsible Code Sections. Collapse and expand sections of complex, multi-line queries for easier navigation, so you can focus only on the query portion you're actively editing. This feature applies to any function, such as correlate() or defineTable().
Auto-Indentation. Queries are now automatically formatted with indentation as you type.
Improved Bracket Matching and Error Highlighting. Matching brackets, parentheses, and braces are instantly identified and enhanced with visual highlighting, reducing syntax errors by clearly identifying bracket pairs. Non-printable characters are now highlighted as errors directly.
Enhanced Copy and Paste Functionality. Mouse-based copying and pasting and keyboard shortcuts now both work consistently in the editor.
Improved Performance. Load times when working with the LogScale search interface have been improved due to a 50% smaller code footprint, leading to faster response times. This improvement applies to all search uses (queries, automation, etc.).
These upgrades also provide a foundation for future enhancements on an extensible editor platform, including the ability to more easily add features and improvements based on user feedback.
For more information, see Query Editor.
Fixed in this release
Automation and Triggers
Triggers running on behalf of a user could not be enabled or disabled using a view permission token that carried the administration permission ChangeTriggersToRunAsOtherUsers. This issue has now been fixed.
Queries
Backtracking limits in the LogScale Regular Expression Engine V2 may not have been properly applied by greedy zero-or-more repetitions at the start of regexes. This issue has now been fixed.
For more information, see Regular Expression Engine V2 Syntax Patterns.
Functions
Fixed an issue where the function xml:prettyPrint() would fail to print valid XML when the field contained a constant string. For example:
x := "<a></a>" | xml:prettyPrint(x)
Known Issues
Storage
For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between PRIMARY_STORAGE_PERCENTAGE and PRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure is indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link". This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.
Improvement
Installation and Deployment
The Linux Wolfi OS base image for Docker has been updated for LogScale to eliminate Common Vulnerabilities and Exposures (CVEs).
For more information regarding Wolfi, visit their documentation here: Wolfi OS - GitHub
Packages in the PDF Render Service with Snyk-reported CVEs of severity 'High' have been updated.
Documentation
The search system has been updated
The search system has been enhanced to make it faster and more responsive.
Keyboard navigation: you can now use the cursor keys to move through and select items, or use Control+1-9 to instantly select one of the first 9 returned matches. This works both in the popup and main search display pages.
Descriptions and key information for key terms across our standardised sets (functions, variables, limits) and Terminology are now incorporated directly into the search results. This makes it much clearer what each search result links to.
As part of that connection to the terminology reference, search results also include any related/curated links. For example, searching for 'Asset' returns 'Related Links' under the description, in addition to the standard match to the Asset page.
The alternative and suggestion system has been expanded to include more terms and alternatives.
Configuration
The global boot time timeout for snapshots when fetching for local nodes is now configurable, and can be set using the environment variable LOCAL_STORAGE_GLOBAL_SNAPSHOT_BOOT_TIMEOUT_SECONDS. The minimum value is 60 seconds.
Queries
The LogScale Regular Expression Engine V2 performance has been improved in some cases involving repetitions with an upper bound, such as a{2,5} or \d{3}.
Subqueries are now allowed to begin with a pipe operator (|). This aligns subqueries with the main query, which already allows a leading pipe. Starting a subquery with a pipe makes no semantic difference. In the example below, starting the query argument with a pipe is now syntactically valid.
defineTable( query={ | value=42 }, include=*, name="" )
A performance optimization for the LogScale Regular Expression Engine V2 has been introduced. Regexes that use non-greedy repetitions and where backtracking of the body can be ruled out are now faster, particularly if multiple such repetitions follow one another.
Non-greedy repetitions are those that end with the character ?. Examples include: ??, *?, +?, {n,m}?
An example of the character used in practice:
/\(\w*?\)/
Single-line repetitions of any character across capture groups have been optimized to operate faster in the LogScale Regular Expression Engine V2.
For example:
/((?s:.*))Y/ and /(.*)X/d
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
infoblox/nios has been updated to v1.4.2.
Fixed JSON parsing issue for DNS answers containing backslashes by adding proper escape handling
Added test cases for DNS TYPE65 queries with complex data structures
Updated parser version to 3.0.2
For more information, see Package infoblox/nios Release Notes.
f5networks/bigip has been updated to v3.1.0.
Enhanced audit event processing by moving AUDIT parsing outside main case statement for better categorization
Improved authentication failure parsing with better regex patterns for usernames and client addresses
Added support for HTTP referrer field extraction in authentication events
Enhanced tmm event processing with HTTP status code handling and URL parsing
Fixed conditional logic for appname extraction in RFC 5424 syslog format
Added array deduplication for event.category and event.type fields
Updated LTM catchall to include msgid 0107 and removed redundant categorization
Improved kvParse operations with better separator handling and empty field exclusion
For more information, see Package f5networks/bigip Release Notes.
cisco/ise has been updated to v2.0.5.
Enhanced syslog parsing to support optional priority field in message format
Updated ECS version to 9.2.0
Updated parser version to 3.0.5
Minor formatting improvements and code cleanup
For more information, see Package cisco/ise Release Notes.
veeam/veeamdataplatform has been updated to v1.1.0.
Enhanced dashboard functionality with new widgets and improved data visualization
Added dashboard details section with comprehensive overview and data source detector
Renamed lookup files with "veeam_" prefix for better organization
Updated all dashboard queries and scheduled searches to use new lookup file names
Improved dashboard layout with reordered sections and enhanced user experience
Added ingested data monitoring widgets
Updated scheduled search names with "Veeam -" prefix for better identification
Enhanced dashboard descriptions and labels
For more information, see Package veeam/veeamdataplatform Release Notes.
infoblox/nios has been updated to v1.4.1.
Fixed DNS answers type field mapping to use proper array notation (dns.answers[0].type instead of dns.answers.type)
Updated parser version to 3.0.1
For more information, see Package infoblox/nios Release Notes.
cisco/firepower has been updated to v1.8.0.
Updated parser version to 4.0.0
Added support for multiple syslog header formats including FTD and legacy NGIPS/Sourcefire devices
Added enhanced timestamp parsing with findTimestamp() function for improved date handling
Added message field populated from vendor message content
Added intelligent client/server role detection based on event type, protocol, and port analysis
Added role reversal logic to handle server-initiated connections and reverse proxy scenarios
Added IP address validation using CIDR checks to filter invalid addresses
Added domain field support for non-IP addresses across source, destination, client, and server fields
Added conditional field mappings for network protocols including SIP and DNS
Added DNS record type normalization to standard values (A, AAAA, PTR, MX, CNAME)
Added TLS certificate hash mapping to tls.client.hash.sha1
Added conditional filtering for unknown TLS versions and cipher suites
Added enhanced event categorization with automatic event.type:connection for network tuples
Added array deduplication for event.category[] and event.type[] fields
Changed primary address fields to use source.address and destination.address with IP/domain separation
Changed event outcome logic for connection teardown events based on teardown reason analysis
Changed connection directionality detection to use interface context (inside/outside/DMZ)
Changed user group field to user.group.name for ECS consistency
Changed field coalescing logic to prioritize existing values over vendor-specific fields
Consolidated lowercase operations for address and domain fields
Consolidated interface alias and name field mappings
Fixed field extraction patterns across multiple event types for improved accuracy
Fixed MAC address formatting to use hyphen separators
Fixed source/destination mapping in connection teardown events using interface-based logic
Removed redundant event.type:connection entries from individual event handlers
For more information, see Package cisco/firepower Release Notes.
fortinet/fortigate has been updated to v2.3.2.
Added FTNTFGT prefix removal for events forwarded from FortiGate-VM on Azure platform
Enhanced type and subtype parsing with regex to accurately capture combined values
Added network_access log type support
Updated parser version to 5.1.2
For more information, see Package fortinet/fortigate Release Notes.
nozomi/ids has been updated to v1.4.0.
Updated parser version to 4.0.0
Updated ECS version 9.2.0
Added new field mappings for message, domain, and network protocol fields
Added IP address validation to filter invalid and non-routable addresses
Added array deduplication for event categorization fields
Added enhanced extraction patterns for threat indicators and network entities
Changed event categorization from message-based regex to classification prefix-based logic
Changed severity mapping ranges for better alignment with risk levels
Changed address field logic to support both IP and domain values
Changed observer field handling to distinguish between IPs and hostnames
Consolidated field normalization and lowercase operations
Fixed field name reference issues
Removed redundant message-based categorization patterns
Removed duplicate field assignments
Improved overall parser maintainability and performance
For more information, see Package nozomi/ids Release Notes.
checkpoint/ngfw has been updated to v2.6.0.
Enhanced originsicname field parsing with key-value extraction for better observer name identification
Added policy ID tag parsing to extract policy name, management server, and date information
Improved rule.ruleset field mapping to include policy name from parsed policy ID tag
Enhanced rule.uuid field mapping to include NAT rule UIDs
Added network.community_id field generation for both ICMP and non-ICMP events
Improved observer.name field mapping with conditional logic for firewall traffic and threat prevention events
Enhanced client/server field identification for application control and URL filtering logs
Updated parser version to 3.6.0
For more information, see Package checkpoint/ngfw Release Notes.
zscaler/internet-access has been updated to v2.1.1.
Enhanced user field handling with improved fallback logic using coalesce function
Updated user.name field to use both Vendor.elogin and Vendor.user as fallback options
Updated parser version to 4.0.1
For more information, see Package zscaler/internet-access Release Notes.
cisco/ise has been updated to v2.0.4.
Added support for CISE_External_MDM event category with comprehensive event code handling
Enhanced CISE_Passed_Authentications parsing with additional event codes (5236, 5238, 5240)
Improved CISE_Failed_Attempts parsing with new event codes (5402, 5422, 5434, 5416)
Added support for CISE_Administrative_and_Operational_Audit event codes (51025, 60166, 60167, 60069)
Enhanced RADIUS accounting with support for Interim-Update status type
For more information, see Package cisco/ise Release Notes.
cisco/ios has been updated to v1.9.1.
Added support for AUTH_PASSED and AUTHENTICATION_FAILED event types for DMI authentication events
Added support for NHRP_NHS_UP, NHRP_NHS_DOWN, and CRYPTO_SS event types for DMVPN tunnel monitoring
Enhanced authentication event parsing with improved source address and port extraction
Updated parser version to 2.9.0
For more information, see Package cisco/ios Release Notes.
radware/alteon has been updated to v1.3.0.
Updated ECS version to 9.2.0
Updated parser version to 2.0.0
Enhanced message parsing with comprehensive regex patterns for various log types
Added support for authentication, configuration, and network event categorization
Improved timestamp handling with parseTimestamp() function for timezone-aware timestamps
Added field extraction for user information, network protocols, and server details
Enhanced event outcome determination based on HTTP status codes and message content
Added support for IP address validation and domain/IP field assignment
Improved syslog parsing with better handling of AlteonOS format
Added comprehensive test cases for various log message types
For more information, see Package radware/alteon Release Notes.
cisco/firepower has been updated to v1.9.0.
Updated parser version to 4.1.0
Added support for event codes 106103, 111010, 11300*, 11301*, 317077, 402119, 602101, 602303, 602304, 746014, 805002, 805003
Enhanced AAA event parsing with improved user, server, and client address extraction
Improved conditional logic for event type assignment based on message content
Fixed duplicate event code handling for 805002 and 805003
Fixed regex patterns for user and server address extraction in AAA events
For more information, see Package cisco/firepower Release Notes.
netgate/pfsense has been updated to v1.2.0.
Enhanced parser to support multiple log types including DHCP, VPN (charon), login, and filterdns events
Improved CSV parsing for filterlog entries with better protocol-specific field extraction
Added comprehensive IP validation and address mapping functionality
Enhanced MAC address formatting with standardized hyphen notation
Updated ECS version to 9.2.0 and parser version to 2.0.0
Improved syslog parsing to handle both RFC 3164 and RFC 5424 formats more robustly
For more information, see Package netgate/pfsense Release Notes.