Falcon LogScale 1.237.0 GA (2026-04-21)

Version?Type?Release Date?Availability?End of SupportSecurity UpdatesUpgrades From?Downgrades To?Config. Changes?
1.237.0GA2026-04-21

Cloud

2027-06-30No1.177.01.177.0No

Hide file download links

Show file download links

Bug fixes and updates

Breaking Changes

The following items create a breaking change in the behavior, response or operation of this release.

  • Security

    • Secure Lightweight Directory Access Protocol (LDAPS) is now required for LDAP connections, see RN Issue in version 1.217.0.

  • Metrics and Monitoring

    • The internal metrics ingest-parsing and ingest-parsing-allocation have been revised to track on a per event basis, as is implied by their description and documentation.

      The following internal metrics have been added to reflect existing metrics, that are now normalized by bytes parsed:

      • ingest-parsing-time-per-bytes

      • ingest-parsing-allocation-per-byte

      Two additional internal metrics have also been added to track the number of bytes ingested into a parser, and how many bytes emerge from a parser respectively:

      • ingest-parsing-bytes-in

      • ingest-parsing-bytes-out

Removed

Items that have been removed as of this release.

GraphQL API

  • Color coding for denoting additional roles in LogScale's GraphQL API have been removed due to lack of consistent functionality.

Configuration

  • The environment variables SEGMENT_READ_FADVICE and SEGMENT_READ_AHEAD_COUNT have been removed.

    Previously, these variables were used to enable LogScale to use the Linux system posix_fadvise to notify the OS ahead of time that it planned to read segment bytes. This feature was disabled by default in version 1.85.0.

Deprecation

Items that have been deprecated and may be removed in a future release.

Behavior Changes

Scripts or environment which make use of these tools should be checked and updated for the new configuration:

  • API

    • The User-Agent header of outgoing HTTP requests has been changed from pekko/$pekko-version to LogScale/$major.$minor.$patch.

  • Configuration

    • Support for array and map aliasing has been removed to simplify YAML file handling. This change only affects users who have manually introduced aliases into any YAML files that LogScale is meant to consume - LogScale does not produce YAML files containing aliases.

Upgrades

Changes that may occur or be required during an upgrade.

  • Installation and Deployment

    • The Linux Wolfi OS base image for Docker has been updated for LogScale to eliminate Common Vulnerabilities and Exposures (CVEs).

      For more information regarding Wolfi, visit their documentation here: Wolfi OS - GitHub

  • Ingestion

    • The Apache Kafka client has been updated to version 4.2.0.

New features and improvements

  • Configuration

    • Added the environment variable MAX_TABLE_SIZE_BYTES, which controls the maximum table size for functions such as defineTable(). This allows the table size to be controlled independently of the .CSV file size.

      The variable performs using the following rules:

      • If the environment variable is set by the user, it retains the provided value.

      • If the environment value is not set by the user, the value is derived from the MaxCsvFileUploadSizeBytes.

      • If MaxCsvFileUploadSizeBytes is not set, it has the value from the Default Max CSV File Upload Size.

      Note

      Unless specifically overwritten, the value follows that of the CSV file size.

  • Fleet Management

    • Fleet overview now offers two query modes:

      • The legacy mode, which remains available for existing workflows and is unchanged.

      • The new mode, which supports only collectors operating using versions 1.9.0 and newer.

      The new query mode will be set as the default. To revert to the previous version, the new query mode can be disabled in Settings.

      They key differences in legacy mode and the new query mode overview include:

      • Legacy overview will perform queries to catch all versions of collectors, and also display collectors that are not enrolled.

      • New overview will feature queries only using #kind tags. It will show the notification Requires 1.9.0+ for all collectors with versions 1.5.*-1.8.*, as ingest and status will not be queried, and therefore not shown.

      All collectors below version 1.5.* will not be queried. However, they will appear in the historical section, since we cannot differentiate between inactive collectors and those that are this old.

      Only the overview queries are updated; group queries have not been impacted.

  • Packages

    • Release notes for packages are now incorporated into these release notes. The release notes included cover any changes to a package within the last month from the date of the corresponding LogScale release.

Fixed in this release

  • Automation and Triggers

    • Fixed an issue where action invocation could hang indefinitely if the action used Transport Layer Security (TLS) and the host name was not compatible with Server Name Indication (SNI) hostname requirements. Invalid hostnames are no longer added as an SNI on a TLS connection.

  • Storage

    • Fixed a rare issue where bucket transfer scheduler behavior sometimes led to starvation and/or a reduction in the effective concurrency of bucket transfers by a total of 1, particularly in situations where transfer failure already existed, such as in cases of network issues.

  • Ingestion

    • Fixed an issue where misconfigured ingest feeds would prevent other feeds from being picked up during the initialization phase.

  • Queries

    • Scheduling of hash files has been reverted due to excessive overhead on the thread that creates hash files.

  • Functions

    • Fixed an issue where queries using the correlate() function in a cluster running both a version older than 1.233 and a version that is 1.233 or newer experienced a serialization issue, where the new version serialized items in a format that was not recognized by the previous version.

  • Packages

    • Fixed an issue where the absence of the Linux command-line utility lscpu in the Docker base image broke the CPU Architecture widget in the humio/insights package.

Known Issues

  • Storage

    • For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between PRIMARY_STORAGE_PERCENTAGE and PRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".

      This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.

Improvement

  • Fleet Management

    • Fleet management groups can now be created with configurations that are partial and/or that contain merge conflicts. Users are provided with a warning regarding possible conflicts, but are no longer blocked from saving the group.

    • The Fleet Insights page now also provides a legacy mode. Legacy mode will still query for collectors that do not have #kind tags ingest, sources, and problemsReport field.

      The new Fleet Insights page will continue to query using only #kind tags.

Recent Package Updates

The following LogScale packages have been updated within the last month.

  • Package Changes

    • juniper/srx has been updated to v1.5.2.

      • Enhanced timestamp parsing with additional format support for non-RFC compliant logs

      • Updated parser version to 3.0.1

      • Updated ECS version to 9.3.0

      • Updated CPS version to 1.1.0

      • Improved field handling with proper timestamp field cleanup

      For more information, see Package juniper/srx Release Notes.

    • cisco/ios has been updated to v1.9.2.

      • Enhanced regex patterns to handle optional whitespace after colon separators in event codes

      • Added support for FPMD and FTMD event types for SD-WAN flow monitoring and traffic analysis

      • Added IANA protocol number to network transport protocol mapping for common protocols

      • Improved MAC address parsing to support both lowercase and uppercase hexadecimal characters

      • Updated ECS version to 9.3.0

      • Updated parser version to 2.9.1

      For more information, see Package cisco/ios Release Notes.

    • fortinet/fortigate has been updated to v2.3.3.

      • Enhanced VPN tunnel event handling with improved source address mapping for tunnel-up actions

      • Added source.nat.ip field mapping from Vendor.tunnelip for VPN tunnel events

      • Improved network direction detection with additional conditions for Vendor.init field

      • Fixed corrupted type field parsing by restoring "utm" value when type field contains text/css, text/html, or other text/* values

      • Updated parser version to 5.1.3

      For more information, see Package fortinet/fortigate Release Notes.

    • aws/vpcflow has been updated to v1.3.1.

      • Added observer.ingress.interface.id field mapping from Vendor.interface-id

      • Updated parser version to 1.3.1

      For more information, see Package aws/vpcflow Release Notes.

    • dell/isilon has been updated to v1.2.3.

      • Updated ECS version to 9.3.0

      • Updated parser version to 1.1.4

      • Added support for RFC 5424 syslog format parsing

      • Added log.syslog.version field mapping

      • Enhanced timestamp parsing with case-based logic for different syslog formats

      For more information, see Package dell/isilon Release Notes.

    • cisco/firepower has been updated to v1.9.2.

      • Updated parser version to 4.1.2

      • Enhanced regex patterns for event code 106023 to better handle user domain and username extraction in various formats

      • Added support for multiple parsing patterns including domain\user combinations and hostname-only formats

      • Improved connection ID handling in event codes 302013 and 302015 by removing connection ID from event.action field

      • Added support for event code 402117 for IPSEC non-IPSec packet events

      • Enhanced key-value parsing regex patterns for events 430001-430007 to handle more complex field structures

      • Added IANA protocol number to transport protocol mapping for better protocol identification

      • Fixed whitespace formatting issues in parser code

      For more information, see Package cisco/firepower Release Notes.

    • checkpoint/ngfw has been updated to v2.7.1.

      • Enhanced client/server field mapping to apply to all events instead of only application control logs

      • Moved client/server field assignments outside conditional logic for broader coverage

      • Updated parser version to 3.7.1

      For more information, see Package checkpoint/ngfw Release Notes.