Falcon LogScale 1.232.0 Not Released (2026-03-17)
| Version? | Type? | Release Date? | Availability? | End of Support | Security Updates | Upgrades From? | Downgrades To? | Config. Changes? |
|---|---|---|---|---|---|---|---|---|
| 1.232.0 | Not Released | 2026-03-17 | Internal Only | 2027-03-31 | No | 1.177.0 | 1.177.0 | No |
Not released.
Advance Warning
The following items are due to change in a future release.
Security
Starting from LogScale version 1.237, support for insecure
ldapconnections will be removed. Self-Hosted customers using LDAP will only be able to useldapssecure connections.Fleet Management
Due to efforts to improve resource management, Fleet Management groups will soon no longer support Falcon LogScale Collector versions below 1.5.0.
For more information, see Manage Versions - Groups.
Deprecation
Items that have been deprecated and may be removed in a future release.
The userId parameter for the updateDashboardToken GraphQL mutation has been deprecated and will be removed in version 1.273.
rdns()has been deprecated and will be removed in version 1.249. UsereverseDns()as an alternative function.
Fixed in this release
Installation and Deployment
Fixed an issue where nodes could occasionally lose connection to Kafka clusters if the node was started with the environment variable
KAFKA_COMMON_METADATA_RECOVERY_STRATEGYset tonone.
User Interface
The documentation link in the error message for aggregate alerts containing prohibited functions has been repaired.
Automation and Triggers
In rare cases, Email actions would fail to send emails when the following conditions occurred:
The email action sent results as an attached CSV.
The name of the trigger activating the actions contained one of the
{field:or theFIELD_NAME}{field_raw:message templates.FIELD_NAME}The name of the trigger with an unexpanded message template was longer than 30 characters.
The part of the name of the trigger coming before the message template was at most 30 characters.
This issue has now been fixed and Email actions are now sent correctly even when the above conditions are met.
Storage
Fixed an issue with segment file validation on startup, where the validation process could end up blocking segment operations for an extended period of time. On nodes with a slow disk and many segment files, all segments could become locked for validation immediately instead of validating groups of files in smaller batches.
Ingestion
Fixed an issue where live queries that referenced a parser were not restarted when parser updates occurred. Changes to a parser referenced by a live query now cause the live query to be restarted similar to saved queries.
Known Issues
Storage
For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between
PRIMARY_STORAGE_PERCENTAGEandPRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.
Improvement
Automation and Triggers
Improved the delineation of the time zone for scheduled reports - reports now define the time zone as UTC in the
Report generated atfield.For more information, see Schedule PDF Reports.
Queries
Improved LogScale-generated metrics by propagating information regarding data reuse from subqueries located in the query state cache to the main query.
This improvement will not be noticeable to the user except when viewing the metric query-static-cost-cache-hit in comparison to the metric query-static-cost-total. In this case, the two metrics will more accurately reflect the real use for queries that use
defineTable().For more information, see
defineTable(), The humio-metrics Repository,query-static-cost-cache-hitMetric,query-static-cost-totalMetric.
Auditing and Monitoring
Added the field acceptedPotentialDataLoss to the remove-host audit log entry. This addition indicates whether the administrator chose to override safeguards against data loss when submitting the host removal via the API.
For more information, see Audit Logging.
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
infoblox/nios has been updated to v1.4.2.
Fixed JSON parsing issue for DNS answers containing backslashes by adding proper escape handling
Added test cases for DNS TYPE65 queries with complex data structures
Updated parser version to 3.0.2
For more information, see Package infoblox/nios Release Notes.
f5networks/bigip has been updated to v3.1.0.
Enhanced audit event processing by moving AUDIT parsing outside main case statement for better categorization
Improved authentication failure parsing with better regex patterns for usernames and client addresses
Added support for HTTP referrer field extraction in authentication events
Enhanced tmm event processing with HTTP status code handling and URL parsing
Fixed conditional logic for appname extraction in RFC 5424 syslog format
Added array deduplication for event.category and event.type fields
Updated LTM catchall to include msgid 0107 and removed redundant categorization
Improved kvParse operations with better separator handling and empty field exclusion
For more information, see Package f5networks/bigip Release Notes.
cisco/ise has been updated to v2.0.5.
Enhanced syslog parsing to support optional priority field in message format
Updated ECS version to 9.2.0
Updated parser version to 3.0.5
Minor formatting improvements and code cleanup
For more information, see Package cisco/ise Release Notes.
cloudflare/zerotrust has been updated to v2.2.0.
Enhanced email security alert filtering to only generate alerts for malicious, suspicious, or spoof dispositions
Added threat technique name mapping from ThreatCategories for email security alerts
Improved event categorization for email security with separate handling for threat techniques vs general emails
Updated WAF alert generation to trigger only when severity indicates likely attack or attack (severity <= 50)
Updated parser version to 4.2.0
For more information, see Package cloudflare/zerotrust Release Notes.
veeam/veeamdataplatform has been updated to v1.1.0.
Enhanced dashboard functionality with new widgets and improved data visualization
Added dashboard details section with comprehensive overview and data source detector
Renamed lookup files with "veeam_" prefix for better organization
Updated all dashboard queries and scheduled searches to use new lookup file names
Improved dashboard layout with reordered sections and enhanced user experience
Added ingested data monitoring widgets
Updated scheduled search names with "Veeam -" prefix for better identification
Enhanced dashboard descriptions and labels
For more information, see Package veeam/veeamdataplatform Release Notes.
checkpoint/ngfw has been updated to v2.7.0.
Fixed event.kind assignment for malware detection events to properly set "alert" value
Enhanced conditional logic for malware event categorization in Block and Detect actions
Updated parser version to 3.7.0
For more information, see Package checkpoint/ngfw Release Notes.
microsoft/sysmon has been updated to v1.1.4.
Added @dataConnectionID field to the select statement for improved data connection tracking
Updated parser version to 1.1.4
For more information, see Package microsoft/sysmon Release Notes.
darktrace/detect has been updated to v2.0.2.
Updated ECS version to 9.2.0
Updated parser version to 3.0.2
Enhanced timestamp parsing for RFC 3164 syslog format to handle single-digit day values with optional space padding
Added array-based field handling for host.mac[] field
For more information, see Package darktrace/detect Release Notes.
fortinet/fortigate has been updated to v2.3.2.
Added FTNTFGT prefix removal for events forwarded from FortiGate-VM on Azure platform
Enhanced type and subtype parsing with regex to accurately capture combined values
Added network_access log type support
Updated parser version to 5.1.2
For more information, see Package fortinet/fortigate Release Notes.
zscaler/internet-access has been updated to v2.1.2.
Fixed event.action field assignment order in firewall events to ensure proper conditional processing
Updated parser version to 4.0.2
For more information, see Package zscaler/internet-access Release Notes.
zscaler/internet-access has been updated to v2.1.1.
Enhanced user field handling with improved fallback logic using coalesce function
Updated user.name field to use both Vendor.elogin and Vendor.user as fallback options
Updated parser version to 4.0.1
For more information, see Package zscaler/internet-access Release Notes.
radware/alteon has been updated to v1.3.0.
Updated ECS version to 9.2.0
Updated parser version to 2.0.0
Enhanced message parsing with comprehensive regex patterns for various log types
Added support for authentication, configuration, and network event categorization
Improved timestamp handling with parseTimestamp() function for timezone-aware timestamps
Added field extraction for user information, network protocols, and server details
Enhanced event outcome determination based on HTTP status codes and message content
Added support for IP address validation and domain/IP field assignment
Improved syslog parsing with better handling of AlteonOS format
Added comprehensive test cases for various log message types
For more information, see Package radware/alteon Release Notes.
cisco/firepower has been updated to v1.9.0.
Updated parser version to 4.1.0
Added support for event codes 106103, 111010, 11300*, 11301*, 317077, 402119, 602101,602303, 602304, 746014, 805002, 805003
Enhanced AAA event parsing with improved user, server, and client address extraction
Improved conditional logic for event type assignment based on message content
Fixed duplicate event code handling for 805002 and 805003
Fixed regex patterns for user and server address extraction in AAA events
For more information, see Package cisco/firepower Release Notes.
netgate/pfsense has been updated to v1.2.0.
Enhanced parser to support multiple log types including DHCP, VPN (charon), login, and filterdns events
Improved CSV parsing for filterlog entries with better protocol-specific field extraction
Added comprehensive IP validation and address mapping functionality
Enhanced MAC address formatting with standardized hyphen notation
Updated ECS version to 9.2.0 and parser version to 2.0.0
Improved syslog parsing to handle both RFC 3164 and RFC 5424 formats more robustly
For more information, see Package netgate/pfsense Release Notes.