Falcon LogScale 1.234.3 LTS (2026-05-28)

Version           1.234.3
Type              LTS
Release Date      2026-05-28
Availability      Cloud, On-Prem
End of Support    2027-05-31
Security Updates  Yes
Upgrades From     1.150.0
Downgrades To     1.177.0
Config. Changes   No


These notes include entries from the following previous releases: 1.234.1, 1.234.0, 1.233.0, 1.232.0, 1.231.0, 1.230.0

Bug fixes and updates.

Breaking Changes

The following items create a breaking change in the behavior, response or operation of this release.

  • Configuration

    • LogScale will now throw an error on boot if the SECONDARY_DATA_DIRECTORY variable is configured. This change is intended to help administrators identify that they are using this deprecated feature, which is now being removed.

Advance Warning

The following items are due to change in a future release.

  • Security

    • Starting from LogScale version 1.237, support for insecure (plaintext) LDAP connections will be removed. Self-hosted customers using LDAP will only be able to use LDAPS (LDAP over TLS) connections.

  • Fleet Management

Removed

Items that have been removed as of this release.

Storage

  • Cached data files mode, which allowed users to configure a local cache directory for segment files, was deprecated in 1.210.0. It has now been entirely removed from LogScale.

    To ensure users are aware of this feature's removal, nodes that contain the configuration variables CACHE_STORAGE_DIRECTORY, CACHE_STORAGE_PERCENTAGE, and CACHE_STORAGE_SOURCE will now refuse to start.

  • Secondary storage support has been entirely removed. The following configuration options are no longer available:

  • Secondary storage support has been removed from the redactEvents functionality, the health check functionality, and the internal segment fetching endpoint. This includes the removal of the secondary-disk-usage health check response from the health check API.
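Because this release refuses to boot when any of SECONDARY_DATA_DIRECTORY, CACHE_STORAGE_DIRECTORY, CACHE_STORAGE_PERCENTAGE or CACHE_STORAGE_SOURCE is still set, it is worth scanning node configuration before rolling out. The script below is an added example, not part of the release notes or the LogScale product; it checks an env file in KEY=VALUE form, and the sample env file it creates is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not LogScale product code: pre-upgrade check for the
# storage variables that 1.234.3 refuses to boot with. Scans an env file
# in KEY=VALUE form (an optional "export " prefix is accepted).
# The sample env files below are constructed for the demonstration.

check_removed_storage_vars() {
    # $1: path to the env file. Prints each blocking assignment and
    # returns 1 if any were found, 0 if the file is clean.
    envfile="$1"
    found=0
    for key in SECONDARY_DATA_DIRECTORY CACHE_STORAGE_DIRECTORY \
               CACHE_STORAGE_PERCENTAGE CACHE_STORAGE_SOURCE; do
        if line=$(grep -E "^[[:space:]]*(export[[:space:]]+)?${key}=" "$envfile"); then
            printf 'blocks boot in 1.234.3: %s\n' "$line"
            found=1
        fi
    done
    return $found
}

# Constructed sample: two of the four removed variables are still set.
SAMPLE_ENV=$(mktemp)
cat > "$SAMPLE_ENV" <<'EOF'
# constructed LogScale env file
DIRECTORY=/data/logscale
SECONDARY_DATA_DIRECTORY=/data/secondary
export CACHE_STORAGE_DIRECTORY=/cache
HUMIO_PORT=8080
EOF

# Constructed sample: a clean env file.
CLEAN_ENV=$(mktemp)
printf 'DIRECTORY=/data/logscale\nHUMIO_PORT=8080\n' > "$CLEAN_ENV"

if check_removed_storage_vars "$SAMPLE_ENV"; then
    echo "sample env is clean"
else
    echo "sample env must be fixed before upgrading"
fi
```

Run it against every node's env file (or against `env` output redirected to a file, since the variables may also come from a systemd unit or container spec) and treat any non-zero exit as a blocker for the upgrade.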

GraphQL API

Metrics and Monitoring

  • The humio-metrics repository metric secondary-disk-usage has been removed, as it measured functionality that is no longer present in the product.

Deprecation

Items that have been deprecated and may be removed in a future release.

  • The following manuals have been moved to the archives:

  • Live streaming queries are now deprecated, and support is slated for removal starting in version 1.241.0.

    Note

    Aggregate live streaming queries are already unsupported. This additional deprecation notice only applies to filter-only queries. Static streaming queries are unaffected, as are any queries submitted via the queryjobs API.

  • The userId parameter for the updateDashboardToken GraphQL mutation has been deprecated and will be removed in version 1.273.

  • rdns() has been deprecated and will be removed in version 1.249. Use reverseDns() as an alternative function.

  • The Secondary Storage feature is now deprecated and will be removed in LogScale 1.231.0.

    The Bucket Storage feature provides superior functionality for storing rarely queried data in cheaper storage while keeping frequently queried data in hot storage (fast and expensive). For more information, see Bucket Storage.

    Please contact LogScale support for any concerns about this deprecation.

Behavior Changes

Scripts or environments that make use of these tools should be checked and updated for the new configuration:

  • Automation and Triggers

  • Configuration

    • The way LogScale interprets the environment variable INITIAL_FEATURE_FLAGS has changed.

      This setting allows administrators to define at boot time what features are enabled in LogScale, and allows feature flags to be toggled via GraphQL at runtime. Previously, features appearing in INITIAL_FEATURE_FLAGS would be written into global when the node booted, causing the following unintended behaviors:

      • The settings were written to global at a late point during bootup. This meant that when enabling a flag via INITIAL_FEATURE_FLAGS, there would be a period during bootup where the feature was not enabled.

      • In cases where administrators mistakenly only applied INITIAL_FEATURE_FLAGS to some nodes in the cluster rather than all nodes, those nodes could end up in competitions with one another for what the state in global should be, with the last node to reboot being the final result.

      • If an administrator enabled a feature via INITIAL_FEATURE_FLAGS, and disabled it at runtime via GraphQL, the flag could enable itself again if any node rebooted, because the feature states from INITIAL_FEATURE_FLAGS would again be written into global.

      The new behavior of INITIAL_FEATURE_FLAGS is that it is applied immediately on boot, and there is a strict precedence order between GraphQL and INITIAL_FEATURE_FLAGS.

      If a feature is explicitly enabled or disabled via GraphQL, that setting will take precedence across all cluster nodes, and INITIAL_FEATURE_FLAGS will be ignored. Otherwise, INITIAL_FEATURE_FLAGS will control the feature flag states for the local node only, rather than cluster-wide.

      If administrators have enabled or disabled a feature via GraphQL and they wish to "unset" this decision, the deleteFeatureFlag mutation allows for returning to the factory setting for the specified flag.
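The precedence rules above, replayed as an added example that is not LogScale's own code: a small Python model that runs the same reboot scenario under the old and the new behavior. The flag name ExampleFlag, the dict representation of INITIAL_FEATURE_FLAGS, the factory default and the set_via_graphql helper are constructed for the illustration; the real environment-variable syntax and the GraphQL enable/disable mutation names are not shown on this page and are not modelled.

```python
# Added example, not LogScale product code: a model of INITIAL_FEATURE_FLAGS
# resolution before and after this release. ExampleFlag, the dict form of
# INITIAL_FEATURE_FLAGS and the factory default are constructed for the
# illustration; the real env-var syntax is not modelled.

FACTORY_DEFAULTS = {"ExampleFlag": False}


def boot_node(global_state, node_env, new_behaviour):
    """Simulates a node booting. Old behaviour copied the node's
    INITIAL_FEATURE_FLAGS into global (last node to boot wins);
    new behaviour never writes to global on boot."""
    if not new_behaviour:
        global_state.update(node_env)


def effective_flag(global_state, node_env, flag, new_behaviour):
    """State of `flag` as seen on one node.
    New: an explicit GraphQL setting in global wins cluster-wide, otherwise
    the node's own INITIAL_FEATURE_FLAGS, otherwise the factory default.
    Old: whatever global says (which a boot may have overwritten)."""
    if new_behaviour:
        if flag in global_state:
            return global_state[flag]
        if flag in node_env:
            return node_env[flag]
        return FACTORY_DEFAULTS[flag]
    return global_state.get(flag, FACTORY_DEFAULTS[flag])


def set_via_graphql(global_state, flag, enabled):
    """Models an explicit enable/disable through GraphQL (hypothetical helper;
    the mutation names are not given on the page)."""
    global_state[flag] = enabled


def delete_feature_flag(global_state, flag):
    """Models the deleteFeatureFlag mutation: return to the factory setting."""
    global_state.pop(flag, None)


def scenario(new_behaviour):
    """Node A boots with the flag in INITIAL_FEATURE_FLAGS; node B was
    (mistakenly) left unconfigured. Returns the (node A, node B) states
    after: both boot; GraphQL disable; node A reboots; deleteFeatureFlag."""
    flag = "ExampleFlag"
    global_state = {}
    env_a, env_b = {flag: True}, {}

    def observe():
        return (effective_flag(global_state, env_a, flag, new_behaviour),
                effective_flag(global_state, env_b, flag, new_behaviour))

    boot_node(global_state, env_a, new_behaviour)
    boot_node(global_state, env_b, new_behaviour)
    after_boot = observe()
    set_via_graphql(global_state, flag, False)
    after_disable = observe()
    boot_node(global_state, env_a, new_behaviour)   # node A reboots
    after_reboot = observe()
    delete_feature_flag(global_state, flag)
    after_unset = observe()
    return [after_boot, after_disable, after_reboot, after_unset]


if __name__ == "__main__":
    for mode, label in ((False, "old"), (True, "new")):
        print(label, scenario(mode))
```

In the old model the third step shows the flag switching itself back on when node A reboots, which is the unintended behavior described above; in the new model the GraphQL decision survives the reboot, the env setting only ever affects node A, and deleteFeatureFlag is what hands control back to INITIAL_FEATURE_FLAGS.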

New features and improvements

  • User Interface

    • The Lookup files overview table now allows for quickly copying file names using either the new Copy file name menu option or the copy icon.

      For more information, see Copy lookup file names.

    • LogScale now presents an upgraded Query editor to deliver a faster and more reliable authoring experience. This enhancement improves page loading times across LogScale while resolving several long-standing editor limitations.

      New features and improvements include:

      • Code Folding/Collapsible Code Sections. Collapse and expand sections of complex, multi-line queries for easier navigation to focus only on the query portion you're actively editing. This feature applies to any function, such as correlate() or defineTable().

      • Auto-Indentation. Queries are now automatically formatted with indentation as you type.

      • Improved Bracket Matching and Error Highlighting. Matching brackets, parentheses, and braces are instantly identified and enhanced with visual highlighting, reducing syntax errors by clearly identifying bracket pairs. Non-printable characters are now highlighted as errors directly.

      • Enhanced Copy and Paste Functionality. Mouse-based copying and pasting and keyboard shortcuts now both work consistently in the editor.

      • Improved Performance. Load times when working with LogScale's search interface have been improved due to a 50% smaller code footprint, leading to faster response times. This improvement applies to all search uses (queries, automation, etc.).

      These upgrades also provide a foundation for future enhancements on an extensible editor platform, including the ability to more easily add features and improvements based on user feedback.

      For more information, see Query Editor.

  • Automation and Triggers

    • It is now possible to schedule reruns of scheduled searches that have already been executed. This functionality is currently available through the GraphQL API using the new rerunScheduledSearch mutation, and the cancelScheduledSearchRerun mutation for canceling a rerun. Scheduled reruns can be viewed in the executionTimesToRerun field on the ScheduledSearch type. Reruns run in parallel with normal runs, with at most one rerun per scheduled search at a time.

      A maximum of 50 reruns can be scheduled per scheduled search. This limit is configurable using the SCHEDULED_SEARCH_MAX_NUMBER_OF_RERUNS configuration variable.

    • The new Interval scheduling option has been added as an alternative to cron expressions for scheduled searches. This new option uses Relative Time Syntax modifiers such as @every 5d, allowing searches to run at regular intervals.

      For more information, see Scheduling.

  • GraphQL API

    • The GraphQL mutation unsetRetention has been added, allowing individual retention settings on a repository to be restored to their default values. Previously, once retention settings such as timeBasedBackupRetention were set to a positive value, the only way to restore them to the default was to pass null via the updateRetention mutation, which some API clients do not support.

      The new mutation accepts boolean flags for each retention setting and restores those set to true back to their default values. The supported flags are:

      • timeBasedRetention

      • ingestSizeBasedRetention

      • storageSizeBasedRetention

      • timeBasedBackupRetention

Fixed in this release

  • Installation and Deployment

    • Fixed an issue where nodes could occasionally lose connection to Kafka clusters if the node was started with the environment variable KAFKA_COMMON_METADATA_RECOVERY_STRATEGY set to none.

  • User Interface

    • The documentation link in the error message for aggregate alerts containing prohibited functions has been repaired.

  • Automation and Triggers

    • Triggers running on behalf of a user could not be enabled or disabled using a view permission token that held the administration permission ChangeTriggersToRunAsOtherUsers. This issue has now been fixed.

    • In rare cases, Email actions would fail to send emails when the following conditions occurred:

      • The email action sent results as an attached CSV.

      • The name of the trigger activating the actions contained one of the {field:FIELD_NAME} or the {field_raw:FIELD_NAME} message templates.

      • The name of the trigger with an unexpanded message template was longer than 30 characters.

      • The part of the name of the trigger coming before the message template was at most 30 characters.

      This issue has now been fixed and Email actions are now sent correctly even when the above conditions are met.

    • Fixed an issue where a filter alert could trigger on two events sharing the same @id field value, depending on timing. Filter alerts now deduplicate events using the @id field and will trigger on only one of them.

  • Storage

    • Fixed a rarely triggered issue where a datasource state changing to idle could cause data loss from recently written events. The feature flag HandleDatasourceIdlenessInConsumerThread allows users to disable this fix.

    • Fixed an issue in LogScale's AWS S3 SDK code that could cause spurious warning logs and retries for segment downloads that were canceled by the system.

      An example of these spurious logs is: c.h.b.s.S3BucketStorageImplNative 350 - download failed, retrying just once now ... Caused by: software.amazon.awssdk.core.exception.SdkInterruptedException

    • Fixed an issue with segment file validation on startup, where the validation process could end up blocking segment operations for an extended period of time. On nodes with a slow disk and many segment files, all segments could become locked for validation immediately instead of validating groups of files in smaller batches.

  • Ingestion

    • Fixed an issue where live queries that referenced a parser were not restarted when parser updates occurred. Changes to a parser referenced by a live query now cause the live query to be restarted similar to saved queries.

  • Queries

    • Backtracking limits in the LogScale Regular Expression Engine V2 may not have been properly applied by greedy zero-or-more repetitions at the start of regexes. This issue has now been fixed.

      For more information, see Regular Expression Engine V2 Syntax Patterns.

    • Fixed an issue where longer-running static and/or multi-pass queries like those using the correlate() function would fail with the error message File does not exist if the file was updated during the query.

    • Fixed a regression in the CrowdStrike Query Language (CQL) introduced in version 1.224.0, where a query such as the following example would be incorrectly interpreted as foo AND count AND field:

      logscale
      foo  count(field)

      The example is missing a pipe operator (|) between foo and the count() function.

      The query is now rejected again, as it was prior to version 1.224.0.

  • Fleet Management

    • Fixed an issue where the UI would prevent deleting Log Collector configurations even when no collector instances were using the configuration.

  • Metrics and Monitoring

    • The calculation for the humio-metrics repo metric min-unacked-ingest-timestamp has been corrected to account for occasional underreporting due to overly optimistic (low) values.

  • Functions

    • Fixed an issue where the function xml:prettyPrint() would fail to print valid XML when the field contained a constant string. For example:

      logscale
      x := "<a></a>"
        | xml:prettyPrint(x)
  • Packages

    • Fixed an issue where updating an application package where an asset had been deleted would not be detected as a conflict, preventing the asset from being recreated.

      Conflicts occur when an asset from a package has been modified, leaving users with the option of keeping the modified version or overwriting it with what is in the new package version. In cases where an asset was deleted instead of modified, the previous protocol would not have flagged the missing asset as a conflict.

      After this change, a deleted asset will result in a conflict and require a conflict resolution to indicate whether to keep it deleted or recreate it from the new package version.

Known Issues

  • Storage

    • For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between PRIMARY_STORAGE_PERCENTAGE and PRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".

      This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.

Improvement

  • Installation and Deployment

    • The Linux Wolfi OS base image for Docker has been updated for LogScale to eliminate Common Vulnerabilities and Exposures (CVEs).

      For more information regarding Wolfi, visit their documentation here: Wolfi OS - GitHub

    • Updated packages containing CVEs in PDF Render Service to account for Snyk CVEs with a severity level of 'High'.

    • LogScale now adjusts the version fields provided in the global snapshot as part of the initial bootup process instead of completing the task later.

      Appropriate version fields allow LogScale to verify that upgrades and downgrades happen across compatible versions. Allowing nodes to run without updating the fields immediately created the potential for users to terminate LogScale before it had completed these updates, then perform an unsafe upgrade or downgrade later due to the fields being out of date.

  • Documentation

    • The search system has been updated:

      • An enhancement to the search system to make it faster and more responsive.

      • Keyboard navigation; you can now use the cursor keys to go through and select items; or use Control+1-9 to instantly select one of the first 9 returned matches. This works both in the popup and main search display pages.

      • Descriptions and key information for key terms across our standardised sets (functions, variables, limits) and Terminology are now incorporated directly into the search results. This makes it much clearer what different search results link to.

      • As part of that connection to the terminology reference, search results also include any related or curated links. For example, searching for 'Asset' shows 'Related Links' under the description, in addition to the match for the Asset page itself.

      • The alternative and suggestion system has been expanded to include more terms and alternatives.

  • Automation and Triggers

    • Improved the delineation of the time zone for scheduled reports - reports now define the time zone as UTC in the Report generated at field.

      For more information, see Schedule PDF Reports.

    • The field retryable has been added to the internal log events repository humio-triggers-execution-info. When a scheduled search execution fails, the log event now indicates whether the failure is retryable or non-retryable. Errors that are considered transient and therefore retryable include timeouts, I/O errors, and HTTP 5xx responses, while non-retryable, permanent errors include invalid configurations, missing actions, and blocked queries.

      This field can be found on scheduled search log events containing the field ExecutionFailed.

    • When a live query alert is canceled due to excessive ingest delay, LogScale now waits 1 minute before restarting it. Previously, these queries were restarted immediately, which could worsen cluster load.

      The wait time is configurable per alert type using the following configuration variables:

    • LogScale no longer shows notifications for disabled triggers. Any existing notifications for disabled triggers will be deleted shortly after upgrading to this version. Additionally, when a trigger is deleted, any associated notification is now deleted immediately rather than waiting for a background job.

    • S3 Action uploads now log the version ID returned by S3 for both the event and metadata files. When the target S3 bucket has versioning enabled, the fields eventFileVersionId and metadataFileVersionId are included in the repository humio-triggers-execution-info.

  • Storage

    • The new bucket transfer queuing code that was introduced in version 1.219.0 is now enabled by default. To account for possible unexpected bucket storage behavior, this feature can be disabled using the feature flag NewFileTransferQueuing. This flag and the previous implementation will be removed in a future release, provided no significant issues are found.

      Note

      This improvement consists mostly of internal adjustments and is not expected to change system behavior for users.

  • Configuration

  • Ingestion

    • A new lookup file infrastructure has been enabled, which now allows Lookup Files to run more efficiently with faster load time.

  • Queries

    • The dynamic configuration parameter ReverseDnsConcurrentRequestsPerQuery has been added to control the maximum number of parallel DNS lookups per reverseDns() query. The default value is 1 (sequential, matching previous behavior). The effective maximum is bounded by ReverseDnsConcurrentRequests, whose default value is 10.

      Increasing ReverseDnsConcurrentRequestsPerQuery improves single-query throughput at the cost of reducing throughput available to other concurrent reverseDns() queries, as all queries share the ReverseDnsConcurrentRequests pool. Self-hosted customers resolving many IPs in a single query can increase this value to improve single-query throughput.
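The interaction between the two limits, as an added example that is not LogScale's own code: a Python model in which ReverseDnsConcurrentRequests is a semaphore shared by every query and ReverseDnsConcurrentRequestsPerQuery caps the worker count of a single query. The PTR table, the IP addresses and the sleep that stands in for resolver latency are constructed so the example runs offline; the class and function names are hypothetical.

```python
# Added example, not LogScale product code: models the two reverseDns()
# limits with semaphores. ReverseDnsConcurrentRequests is a pool shared by
# every query; ReverseDnsConcurrentRequestsPerQuery caps one query's share.
# FAKE_PTR is a constructed in-memory PTR table; time.sleep stands in for
# network latency so the example needs no DNS access.
import threading
import time
from concurrent.futures import ThreadPoolExecutor

FAKE_PTR = {  # constructed sample data
    "192.0.2.10": "web-1.example.test",
    "192.0.2.11": "web-2.example.test",
    "198.51.100.5": "db-1.example.test",
}


class ReverseDnsPool:
    def __init__(self, concurrent_requests=10, per_query=1):
        # defaults mirror the page: shared pool of 10, 1 lookup at a time per query
        self.per_query = per_query
        self._pool = threading.BoundedSemaphore(concurrent_requests)
        self._lock = threading.Lock()
        self._in_flight = 0
        self.peak_in_flight = 0  # highest number of lookups observed at once

    def _lookup(self, ip, latency):
        with self._pool:  # blocks while the shared pool is exhausted
            with self._lock:
                self._in_flight += 1
                self.peak_in_flight = max(self.peak_in_flight, self._in_flight)
            time.sleep(latency)
            with self._lock:
                self._in_flight -= 1
        return FAKE_PTR.get(ip, "")

    def query(self, ips, latency=0.01):
        """One reverseDns() query: at most per_query lookups at once, each of
        which still has to obtain a slot in the shared pool."""
        with ThreadPoolExecutor(max_workers=self.per_query) as ex:
            return list(ex.map(lambda ip: self._lookup(ip, latency), ips))


def run_queries(pool, queries, latency=0.01):
    """Runs several queries concurrently against one pool.
    Returns (results per query, peak lookups in flight, wall-clock seconds)."""
    results = [None] * len(queries)

    def worker(i):
        results[i] = pool.query(queries[i], latency)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(len(queries))]
    start = time.monotonic()
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results, pool.peak_in_flight, time.monotonic() - start


if __name__ == "__main__":
    ips = list(FAKE_PTR) * 4  # 12 lookups per query
    for per_query in (1, 4, 20):
        pool = ReverseDnsPool(concurrent_requests=10, per_query=per_query)
        _, peak, secs = run_queries(pool, [ips, ips, ips])
        print(f"per_query={per_query}: peak in flight {peak}, {secs:.2f}s")
```

With per_query=1 three concurrent queries never have more than three lookups in flight and each query takes the full sequential time; raising per_query lets one query finish sooner but the peak never exceeds the shared pool of 10, so the other queries wait for slots, which is the trade-off the note describes.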

    • The experimental feature flag KeepSegmentHashFiles has been removed - query performance has been improved by caching hash filter files for frequently used bucketed segments, even in cases where queries only need hash filter files for search. This feature is now enabled by default.

    • The performance of the LogScale Regular Expression Engine V2 has been improved, in some cases, for repetitions with an upper bound, such as a{2,5} or \d{3}.

    • Subqueries are now allowed to begin with a pipe operator (|). This aligns subqueries with the main query, which already allows a leading pipe. Starting a subquery with a pipe makes no semantic difference.

      In the example below, starting the query argument with a pipe is now syntactically valid.

      logscale
      defineTable(
        query={
          | value=42
        }, include=*, name=""
      )
    • A performance optimization for the LogScale Regular Expression Engine V2 has been introduced. Regexes that use non-greedy repetitions and where backtracking of the body can be ruled out are now faster, particularly if multiple such repetitions follow one another.

      Non-greedy repetitions are those that end with the character ?. Examples include:

      • ??

      • *?

      • +?

      • {n,m}?

      An example of the character used in practice:

      regex
      /\(\w*?\)/
    • Single-line repetitions of any character across capture groups have been optimized to operate faster in the LogScale Regular Expression Engine V2.

      For example:

      regex
      /((?s:.*))Y/ and /(.*)X/d
    • Improved LogScale-generated metrics by propagating information regarding data reuse from subqueries located in the query state cache to the main query.

      This improvement will not be noticeable to the user except when viewing the metric query-static-cost-cache-hit in comparison to the metric query-static-cost-total. In this case, the two metrics will more accurately reflect the real use for queries that use defineTable().

      For more information, see defineTable(), The humio-metrics Repository, query-static-cost-cache-hit Metric, query-static-cost-total Metric.

    • Queries running in profiling mode using the explain:asTable() function have been optimized, reducing the system overhead of measuring profiling statistics. The accuracy of the reported step-by-step timeMs metric reported by explain:asTable() has also been improved.

      For more information, see explain:asTable().

    • When all nodes in the cluster are running version 1.233.0 or later, correlate queries automatically switch to a more memory-efficient internal representation for link sets. This also lowers the default memory limit per link set from 20MB to 1MB.

      If a custom value has been configured via the CorrelateLinkValuesMaxByteSize dynamic configuration option, it will be respected regardless of cluster version.

  • Auditing and Monitoring

    • Added the field acceptedPotentialDataLoss to the remove-host audit log entry. This addition indicates whether the administrator chose to override safeguards against data loss when submitting the host removal via the API.

      For more information, see Audit Logging.

    • The view ID and view name have been added to uploaded file audit log entries. This information is included only for files uploaded to a view. For shared replicable files, the audit log entries will not include the view ID or view name.
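Because acceptedPotentialDataLoss records that an administrator deliberately overrode a data-loss safeguard, it is a natural thing to review or alert on. The query below is an added example, not taken from the release notes: it is meant to be run in the audit log repository (assumed to be humio-audit) and the type=remove-host filter, the actor.user.id field and the host field are assumptions to be checked against a real remove-host entry; only the acceptedPotentialDataLoss field comes from the note above.

```logscale
// Added example, not from the release notes. Run in the audit log repository
// (assumed: humio-audit). type=remove-host, actor.user.id and host are
// assumed field names; acceptedPotentialDataLoss is the field added in this release.
type=remove-host acceptedPotentialDataLoss=true
| groupBy([actor.user.id, host],
          function=[count(as=removals), min(@timestamp, as=first), max(@timestamp, as=last)])
| formatTime("%Y-%m-%d %H:%M:%S", field=first, as=first)
| formatTime("%Y-%m-%d %H:%M:%S", field=last, as=last)
| sort(removals, order=desc)
```

Wrapped in a filter alert (dropping the groupBy), the same condition notifies on every override as it happens rather than on a periodic review.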

Recent Package Updates

The following LogScale packages have been updated within the last month.

  • Package Changes

    • infoblox/nios has been updated to v1.4.2.

      • Fixed JSON parsing issue for DNS answers containing backslashes by adding proper escape handling

      • Added test cases for DNS TYPE65 queries with complex data structures

      • Updated parser version to 3.0.2

      For more information, see Package infoblox/nios Release Notes.

    • f5networks/bigip has been updated to v3.1.0.

      • Enhanced audit event processing by moving AUDIT parsing outside main case statement for better categorization

      • Improved authentication failure parsing with better regex patterns for usernames and client addresses

      • Added support for HTTP referrer field extraction in authentication events

      • Enhanced tmm event processing with HTTP status code handling and URL parsing

      • Fixed conditional logic for appname extraction in RFC 5424 syslog format

      • Added array deduplication for event.category and event.type fields

      • Updated LTM catchall to include msgid 0107 and removed redundant categorization

      • Improved kvParse operations with better separator handling and empty field exclusion

      For more information, see Package f5networks/bigip Release Notes.

    • cisco/ise has been updated to v2.0.5.

      • Enhanced syslog parsing to support optional priority field in message format

      • Updated ECS version to 9.2.0

      • Updated parser version to 3.0.5

      • Minor formatting improvements and code cleanup

      For more information, see Package cisco/ise Release Notes.

    • juniper/srx has been updated to v1.5.2.

      • Enhanced timestamp parsing with additional format support for non-RFC compliant logs

      • Updated parser version to 3.0.1

      • Updated ECS version to 9.3.0

      • Updated CPS version to 1.1.0

      • Improved field handling with proper timestamp field cleanup

      For more information, see Package juniper/srx Release Notes.

    • cisco/ios has been updated to v1.9.2.

      • Enhanced regex patterns to handle optional whitespace after colon separators in event codes

      • Added support for FPMD and FTMD event types for SD-WAN flow monitoring and traffic analysis

      • Added IANA protocol number to network transport protocol mapping for common protocols

      • Improved MAC address parsing to support both lowercase and uppercase hexadecimal characters

      • Updated ECS version to 9.3.0

      • Updated parser version to 2.9.1

      For more information, see Package cisco/ios Release Notes.

    • cloudflare/zerotrust has been updated to v2.2.0.

      • Enhanced email security alert filtering to only generate alerts for malicious, suspicious, or spoof dispositions

      • Added threat technique name mapping from ThreatCategories for email security alerts

      • Improved event categorization for email security with separate handling for threat techniques vs general emails

      • Updated WAF alert generation to trigger only when severity indicates likely attack or attack (severity <= 50)

      • Updated parser version to 4.2.0

      For more information, see Package cloudflare/zerotrust Release Notes.

    • veeam/veeamdataplatform has been updated to v1.1.0.

      • Enhanced dashboard functionality with new widgets and improved data visualization

      • Added dashboard details section with comprehensive overview and data source detector

      • Renamed lookup files with "veeam_" prefix for better organization

      • Updated all dashboard queries and scheduled searches to use new lookup file names

      • Improved dashboard layout with reordered sections and enhanced user experience

      • Added ingested data monitoring widgets

      • Updated scheduled search names with "Veeam -" prefix for better identification

      • Enhanced dashboard descriptions and labels

      For more information, see Package veeam/veeamdataplatform Release Notes.

    • infoblox/nios has been updated to v1.4.1.

      • Fixed DNS answers type field mapping to use proper array notation (dns.answers[0].type instead of dns.answers.type)

      • Updated parser version to 3.0.1

      For more information, see Package infoblox/nios Release Notes.

    • cisco/firepower has been updated to v1.8.0.

      • Updated parser version to 4.0.0

      • Added support for multiple syslog header formats including FTD and legacy NGIPS/Sourcefire devices

      • Added enhanced timestamp parsing with findTimestamp() function for improved date handling

      • Added message field populated from vendor message content

      • Added intelligent client/server role detection based on event type, protocol, and port analysis

      • Added role reversal logic to handle server-initiated connections and reverse proxy scenarios

      • Added IP address validation using CIDR checks to filter invalid addresses

      • Added domain field support for non-IP addresses across source, destination, client, and server fields

      • Added conditional field mappings for network protocols including SIP and DNS

      • Added DNS record type normalization to standard values (A, AAAA, PTR, MX, CNAME)

      • Added TLS certificate hash mapping to tls.client.hash.sha1

      • Added conditional filtering for unknown TLS versions and cipher suites

      • Added enhanced event categorization with automatic event.type:connection for network tuples

      • Added array deduplication for event.category[] and event.type[] fields

      • Changed primary address fields to use source.address and destination.address with IP/domain separation

      • Changed event outcome logic for connection teardown events based on teardown reason analysis

      • Changed connection directionality detection to use interface context (inside/outside/DMZ)

      • Changed user group field to user.group.name for ECS consistency

      • Changed field coalescing logic to prioritize existing values over vendor-specific fields

      • Consolidated lowercase operations for address and domain fields

      • Consolidated interface alias and name field mappings

      • Fixed field extraction patterns across multiple event types for improved accuracy

      • Fixed MAC address formatting to use hyphen separators

      • Fixed source/destination mapping in connection teardown events using interface-based logic

      • Removed redundant event.type:connection entries from individual event handlers

      For more information, see Package cisco/firepower Release Notes.

    • checkpoint/ngfw has been updated to v2.7.0.

      • Fixed event.kind assignment for malware detection events to properly set "alert" value

      • Enhanced conditional logic for malware event categorization in Block and Detect actions

      • Updated parser version to 3.7.0

      For more information, see Package checkpoint/ngfw Release Notes.

    • fortinet/fortigate has been updated to v2.3.3.

      • Enhanced VPN tunnel event handling with improved source address mapping for tunnel-up actions

      • Added source.nat.ip field mapping from Vendor.tunnelip for VPN tunnel events

      • Improved network direction detection with additional conditions for Vendor.init field

      • Fixed corrupted type field parsing by restoring "utm" value when type field contains text/css, text/html, or other text/* values

      • Updated parser version to 5.1.3

      For more information, see Package fortinet/fortigate Release Notes.

    • microsoft/sysmon has been updated to v1.1.4.

      • Added @dataConnectionID field to the select statement for improved data connection tracking

      • Updated parser version to 1.1.4

      For more information, see Package microsoft/sysmon Release Notes.

    • darktrace/detect has been updated to v2.0.2.

      • Updated ECS version to 9.2.0

      • Updated parser version to 3.0.2

      • Enhanced timestamp parsing for RFC 3164 syslog format to handle single-digit day values with optional space padding

      • Added array-based field handling for host.mac[] field

      For more information, see Package darktrace/detect Release Notes.

    • fortinet/fortigate has been updated to v2.3.2.

      • Added FTNTFGT prefix removal for events forwarded from FortiGate-VM on Azure platform

      • Enhanced type and subtype parsing with regex to accurately capture combined values

      • Added network_access log type support

      • Updated parser version to 5.1.2

      For more information, see Package fortinet/fortigate Release Notes.

    • nozomi/ids has been updated to v1.4.0.

      • Updated parser version to 4.0.0

      • Updated ECS version to 9.2.0

      • Added new field mappings for message, domain, and network protocol fields

      • Added IP address validation to filter invalid and non-routable addresses

      • Added array deduplication for event categorization fields

      • Added enhanced extraction patterns for threat indicators and network entities

      • Changed event categorization from message-based regex to classification prefix-based logic

      • Changed severity mapping ranges for better alignment with risk levels

      • Changed address field logic to support both IP and domain values

      • Changed observer field handling to distinguish between IPs and hostnames

      • Consolidated field normalization and lowercase operations

      • Fixed field name reference issues

      • Removed redundant message-based categorization patterns

      • Removed duplicate field assignments

      • Improved overall parser maintainability and performance

      For more information, see Package nozomi/ids Release Notes.

    • checkpoint/ngfw has been updated to v2.6.0.

      • Enhanced originsicname field parsing with key-value extraction for better observer name identification

      • Added policy ID tag parsing to extract policy name, management server, and date information

      • Improved rule.ruleset field mapping to include policy name from parsed policy ID tag

      • Enhanced rule.uuid field mapping to include NAT rule UIDs

      • Added network.community_id field generation for both ICMP and non-ICMP events

      • Improved observer.name field mapping with conditional logic for firewall traffic and threat prevention events

      • Enhanced client/server field identification for application control and URL filtering logs

      • Updated parser version to 3.6.0

      For more information, see Package checkpoint/ngfw Release Notes.

    • zscaler/internet-access has been updated to v2.1.2.

      • Fixed event.action field assignment order in firewall events to ensure proper conditional processing

      • Updated parser version to 4.0.2

      For more information, see Package zscaler/internet-access Release Notes.

    • aws/vpcflow has been updated to v1.3.1.

      • Added observer.ingress.interface.id field mapping from Vendor.interface-id

      • Updated parser version to 1.3.1

      For more information, see Package aws/vpcflow Release Notes.

    • zscaler/internet-access has been updated to v2.1.1.

      • Enhanced user field handling with improved fallback logic using coalesce function

      • Updated user.name field to use both Vendor.elogin and Vendor.user as fallback options

      • Updated parser version to 4.0.1

      For more information, see Package zscaler/internet-access Release Notes.

    • cisco/ise has been updated to v2.0.4.

      • Added support for CISE_External_MDM event category with comprehensive event code handling

      • Enhanced CISE_Passed_Authentications parsing with additional event codes (5236, 5238, 5240)

      • Improved CISE_Failed_Attempts parsing with new event codes (5402, 5422, 5434, 5416)

      • Added support for CISE_Administrative_and_Operational_Audit event codes (51025, 60166, 60167, 60069)

      • Enhanced RADIUS accounting with support for Interim-Update status type

      For more information, see Package cisco/ise Release Notes.

    • dell/isilon has been updated to v1.2.3.

      • Updated ECS version to 9.3.0

      • Updated parser version to 1.1.4

      • Added support for RFC 5424 syslog format parsing

      • Added log.syslog.version field mapping

      • Enhanced timestamp parsing with case-based logic for different syslog formats

      For more information, see Package dell/isilon Release Notes.

    • cisco/ios has been updated to v1.9.1.

      • Added support for AUTH_PASSED and AUTHENTICATION_FAILED event types for DMI authentication events

      • Added support for NHRP_NHS_UP, NHRP_NHS_DOWN, and CRYPTO_SS event types for DMVPN tunnel monitoring

      • Enhanced authentication event parsing with improved source address and port extraction

      • Updated parser version to 2.9.0

      For more information, see Package cisco/ios Release Notes.

    • cisco/firepower has been updated to v1.9.2.

      • Updated parser version to 4.1.2

      • Enhanced regex patterns for event code 106023 to better handle user domain and username extraction in various formats

      • Added support for multiple parsing patterns including domain\user combinations and hostname-only formats

      • Improved connection ID handling in event codes 302013 and 302015 by removing connection ID from event.action field

      • Added support for event code 402117 for IPSEC non-IPSec packet events

      • Enhanced key-value parsing regex patterns for events 430001-430007 to handle more complex field structures

      • Added IANA protocol number to transport protocol mapping for better protocol identification

      • Fixed whitespace formatting issues in parser code

      For more information, see Package cisco/firepower Release Notes.

    • radware/alteon has been updated to v1.3.0.

      • Updated ECS version to 9.2.0

      • Updated parser version to 2.0.0

      • Enhanced message parsing with comprehensive regex patterns for various log types

      • Added support for authentication, configuration, and network event categorization

      • Improved timestamp handling with parseTimestamp() function for timezone-aware timestamps

      • Added field extraction for user information, network protocols, and server details

      • Enhanced event outcome determination based on HTTP status codes and message content

      • Added support for IP address validation and domain/IP field assignment

      • Improved syslog parsing with better handling of AlteonOS format

      • Added comprehensive test cases for various log message types

      For more information, see Package radware/alteon Release Notes.

    • checkpoint/ngfw has been updated to v2.7.1.

      • Enhanced client/server field mapping to apply to all events instead of only application control logs

      • Moved client/server field assignments outside conditional logic for broader coverage

      • Updated parser version to 3.7.1

      For more information, see Package checkpoint/ngfw Release Notes.

    • cisco/firepower has been updated to v1.9.0.

      • Updated parser version to 4.1.0

      • Added support for event codes 106103, 111010, 11300*, 11301*, 317077, 402119, 602101, 602303, 602304, 746014, 805002, 805003

      • Enhanced AAA event parsing with improved user, server, and client address extraction

      • Improved conditional logic for event type assignment based on message content

      • Fixed duplicate event code handling for 805002 and 805003

      • Fixed regex patterns for user and server address extraction in AAA events

      For more information, see Package cisco/firepower Release Notes.

    • netgate/pfsense has been updated to v1.2.0.

      • Enhanced parser to support multiple log types including DHCP, VPN (charon), login, and filterdns events

      • Improved CSV parsing for filterlog entries with better protocol-specific field extraction

      • Added comprehensive IP validation and address mapping functionality

      • Enhanced MAC address formatting with standardized hyphen notation

      • Updated ECS version to 9.2.0 and parser version to 2.0.0

      • Improved syslog parsing to handle both RFC 3164 and RFC 5424 formats more robustly

      For more information, see Package netgate/pfsense Release Notes.