Falcon LogScale 1.231.0 Not Released (2026-03-10)
| Version? | Type? | Release Date? | Availability? | End of Support | Security Updates | Upgrades From? | Downgrades To? | Config. Changes? |
|---|---|---|---|---|---|---|---|---|
| 1.231.0 | Not Released | 2026-03-10 | Internal Only | 2027-03-31 | No | 1.177.0 | 1.177.0 | No |
Not released.
Advance Warning
The following items are due to change in a future release.
Security
Starting from LogScale version 1.237, support for insecure
ldapconnections will be removed. Self-Hosted customers using LDAP will only be able to useldapssecure connections.
Deprecation
Items that have been deprecated and may be removed in a future release.
The userId parameter for the updateDashboardToken GraphQL mutation has been deprecated and will be removed in version 1.273.
rdns()has been deprecated and will be removed in version 1.249. UsereverseDns()as an alternative function.The Secondary Storage feature is now deprecated and will be removed in LogScale 1.231.0.
The Bucket Storage feature provides superior functionality for storing rarely queried data in cheaper storage while keeping frequently queried data in hot storage (fast and expensive). For more information, see Bucket Storage.
Please contact LogScale support for any concerns about this deprecation.
Fixed in this release
Storage
Fixed a rarely triggered issue where a datasource state changing to idle could cause data loss from recently written events. The feature flag
HandleDatasourceIdlenessInConsumerThreadallows users to disable this fix.Fixed an issue in LogScale's AWS S3 SDK code that could cause spurious warning logs and retries for segment downloads that were canceled by the system.
An example of these spurious logs is c.h.b.s.S3BucketStorageImplNative 350 - download failed, retrying just once now ... Caused by: software.amazon.awssdk.core.exception.SdkInterruptedException"
Queries
Fixed an issue where longer-running static and/or multi-pass queries like those using the
correlate()function would fail with the error message File does not exist if the file was updated during the query.Fixed a regression in the CrowdStrike Query Language (CQL) introduced in version 1.224.0, where a query such as the following example would be incorrectly interpreted as
foo AND count AND field:logscalefoo count(field)The example is missing a pipe operator (
|) betweenfooand thecount()function.The query is now rejected automatically. Prior to version 1.224.0, the query would have also been rejected.
Packages
Fixed an issue where updating an application package where an asset had been deleted would not be detected as a conflict, preventing the asset from being recreated.
Conflicts occur when an asset from a package has been modified, leaving users with the option of keeping the modified version or overwriting it with what is in the new package version. In cases where an asset was deleted instead of modified, the previous protocol would not have flagged the missing asset as a conflict.
After this change, a deleted asset will result in a conflict and require a conflict resolution to indicate whether to keep it deleted or recreate it from the new package version.
Known Issues
Storage
For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between
PRIMARY_STORAGE_PERCENTAGEandPRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.
Improvement
Installation and Deployment
LogScale now adjusts the version fields provided in the global snapshot as part of the initial bootup process instead of completing the task later.
Appropriate version fields allow LogScale to verify that upgrades and downgrades happen across compatible versions. Allowing nodes to run without updating the fields immediately created the potential for users to terminate LogScale before it had completed these updates, then perform an unsafe upgrade or downgrade later due to the fields being out of date.
Storage
The new bucket transfer queuing code that was introduced in version 1.219.0 is now enabled by default. To account for possible unexpected bucket storage behavior, this feature can be disabled using the feature flag
NewFileTransferQueuing. This flag and the previous implementation will be removed in a future release given no significant issues.Note
This improvement is comprised of mostly internal adjustments, and is not expected to cause any system behavior changes for users.
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
infoblox/nios has been updated to v1.4.2.
Fixed JSON parsing issue for DNS answers containing backslashes by adding proper escape handling
Added test cases for DNS TYPE65 queries with complex data structures
Updated parser version to 3.0.2
For more information, see Package infoblox/nios Release Notes.
f5networks/bigip has been updated to v3.1.0.
Enhanced audit event processing by moving AUDIT parsing outside main case statement for better categorization
Improved authentication failure parsing with better regex patterns for usernames and client addresses
Added support for HTTP referrer field extraction in authentication events
Enhanced tmm event processing with HTTP status code handling and URL parsing
Fixed conditional logic for appname extraction in RFC 5424 syslog format
Added array deduplication for event.category and event.type fields
Updated LTM catchall to include msgid 0107 and removed redundant categorization
Improved kvParse operations with better separator handling and empty field exclusion
For more information, see Package f5networks/bigip Release Notes.
cisco/ise has been updated to v2.0.5.
Enhanced syslog parsing to support optional priority field in message format
Updated ECS version to 9.2.0
Updated parser version to 3.0.5
Minor formatting improvements and code cleanup
For more information, see Package cisco/ise Release Notes.
cloudflare/zerotrust has been updated to v2.2.0.
Enhanced email security alert filtering to only generate alerts for malicious, suspicious, or spoof dispositions
Added threat technique name mapping from ThreatCategories for email security alerts
Improved event categorization for email security with separate handling for threat techniques vs general emails
Updated WAF alert generation to trigger only when severity indicates likely attack or attack (severity <= 50)
Updated parser version to 4.2.0
For more information, see Package cloudflare/zerotrust Release Notes.
veeam/veeamdataplatform has been updated to v1.1.0.
Enhanced dashboard functionality with new widgets and improved data visualization
Added dashboard details section with comprehensive overview and data source detector
Renamed lookup files with "veeam_" prefix for better organization
Updated all dashboard queries and scheduled searches to use new lookup file names
Improved dashboard layout with reordered sections and enhanced user experience
Added ingested data monitoring widgets
Updated scheduled search names with "Veeam -" prefix for better identification
Enhanced dashboard descriptions and labels
For more information, see Package veeam/veeamdataplatform Release Notes.
cisco/firepower has been updated to v1.8.0.
Updated parser version to 4.0.0
Added support for multiple syslog header formats including FTD and legacy NGIPS/Sourcefire devices
Added enhanced timestamp parsing with findTimestamp() function for improved date handling
Added message field populated from vendor message content
Added intelligent client/server role detection based on event type, protocol, and port analysis
Added role reversal logic to handle server-initiated connections and reverse proxy scenarios
Added IP address validation using CIDR checks to filter invalid addresses
Added domain field support for non-IP addresses across source, destination, client, and server fields
Added conditional field mappings for network protocols including SIP and DNS
Added DNS record type normalization to standard values (A, AAAA, PTR, MX, CNAME)
Added TLS certificate hash mapping to tls.client.hash.sha1
Added conditional filtering for unknown TLS versions and cipher suites
Added enhanced event categorization with automatic event.type:connection for network tuples
Added array deduplication for event.category[] and event.type[] fields
Changed primary address fields to use source.address and destination.address with IP/domain separation
Changed event outcome logic for connection teardown events based on teardown reason analysis
Changed connection directionality detection to use interface context (inside/outside/DMZ)
Changed user group field to user.group.name for ECS consistency
Changed field coalescing logic to prioritize existing values over vendor-specific fields
Consolidated lowercase operations for address and domain fields
Consolidated interface alias and name field mappings
Fixed field extraction patterns across multiple event types for improved accuracy
Fixed MAC address formatting to use hyphen separators
Fixed source/destination mapping in connection teardown events using interface-based logic
Removed redundant event.type:connection entries from individual event handlers
For more information, see Package cisco/firepower Release Notes.
checkpoint/ngfw has been updated to v2.7.0.
Fixed event.kind assignment for malware detection events to properly set "alert" value
Enhanced conditional logic for malware event categorization in Block and Detect actions
Updated parser version to 3.7.0
For more information, see Package checkpoint/ngfw Release Notes.
microsoft/sysmon has been updated to v1.1.4.
Added @dataConnectionID field to the select statement for improved data connection tracking
Updated parser version to 1.1.4
For more information, see Package microsoft/sysmon Release Notes.
fortinet/fortigate has been updated to v2.3.2.
Added FTNTFGT prefix removal for events forwarded from FortiGate-VM on Azure platform
Enhanced type and subtype parsing with regex to accurately capture combined values
Added network_access log type support
Updated parser version to 5.1.2
For more information, see Package fortinet/fortigate Release Notes.
nozomi/ids has been updated to v1.4.0.
Updated parser version to 4.0.0
Updated ECS version 9.2.0
Added new field mappings for message, domain, and network protocol fields
Added IP address validation to filter invalid and non-routable addresses
Added array deduplication for event categorization fields
Added enhanced extraction patterns for threat indicators and network entities
Changed event categorization from message-based regex to classification prefix-based logic
Changed severity mapping ranges for better alignment with risk levels
Changed address field logic to support both IP and domain values
Changed observer field handling to distinguish between IPs and hostnames
Consolidated field normalization and lowercase operations
Fixed field name reference issues
Removed redundant message-based categorization patterns
Removed duplicate field assignments
Improved overall parser maintainability and performance
For more information, see Package nozomi/ids Release Notes.
zscaler/internet-access has been updated to v2.1.1.
Enhanced user field handling with improved fallback logic using coalesce function
Updated user.name field to use both Vendor.elogin and Vendor.user as fallback options
Updated parser version to 4.0.1
For more information, see Package zscaler/internet-access Release Notes.
cisco/ios has been updated to v1.9.1.
Added support for AUTH_PASSED and AUTHENTICATION_FAILED event types for DMI authentication events
Added support for NHRP_NHS_UP, NHRP_NHS_DOWN, and CRYPTO_SS event types for DMVPN tunnel monitoring
Enhanced authentication event parsing with improved source address and port extraction
Updated parser version to 2.9.0
For more information, see Package cisco/ios Release Notes.
radware/alteon has been updated to v1.3.0.
Updated ECS version to 9.2.0
Updated parser version to 2.0.0
Enhanced message parsing with comprehensive regex patterns for various log types
Added support for authentication, configuration, and network event categorization
Improved timestamp handling with parseTimestamp() function for timezone-aware timestamps
Added field extraction for user information, network protocols, and server details
Enhanced event outcome determination based on HTTP status codes and message content
Added support for IP address validation and domain/IP field assignment
Improved syslog parsing with better handling of AlteonOS format
Added comprehensive test cases for various log message types
For more information, see Package radware/alteon Release Notes.
cisco/firepower has been updated to v1.9.0.
Updated parser version to 4.1.0
Added support for event codes 106103, 111010, 11300*, 11301*, 317077, 402119, 602101,602303, 602304, 746014, 805002, 805003
Enhanced AAA event parsing with improved user, server, and client address extraction
Improved conditional logic for event type assignment based on message content
Fixed duplicate event code handling for 805002 and 805003
Fixed regex patterns for user and server address extraction in AAA events
For more information, see Package cisco/firepower Release Notes.
netgate/pfsense has been updated to v1.2.0.
Enhanced parser to support multiple log types including DHCP, VPN (charon), login, and filterdns events
Improved CSV parsing for filterlog entries with better protocol-specific field extraction
Added comprehensive IP validation and address mapping functionality
Enhanced MAC address formatting with standardized hyphen notation
Updated ECS version to 9.2.0 and parser version to 2.0.0
Improved syslog parsing to handle both RFC 3164 and RFC 5424 formats more robustly
For more information, see Package netgate/pfsense Release Notes.