Falcon LogScale 1.241.0 GA (2026-05-19)

| Version | Type | Release Date | Availability | End of Support | Security Updates | Upgrades From | Downgrades To | Config. Changes |
|---|---|---|---|---|---|---|---|---|
| 1.241.0 | GA | 2026-05-19 | Cloud | Next LTS | No | 1.177.0 | 1.177.0 | No |

Bug fixes and updates

Deprecation

Items that have been deprecated and may be removed in a future release.

Upgrades

Changes that may occur or be required during an upgrade.

  • Security

    • Upgraded Netty to version 4.2.13 to address a number of security vulnerabilities.

New features and improvements

  • Security

  • Automation and Triggers

    • The new Interval option has been added as an alternative to cron expressions or simple scheduling frequency for scheduled reports. This new option uses Relative Time Syntax modifiers (for example, @every 3h) allowing scheduled reports to run at regular intervals.

      For more information, see Create Scheduled Reports.

Fixed in this release

  • User Interface

    • Fixed an issue where syntax highlighting in the Query Editor could sometimes fail on large queries.

  • Storage

    • Fixed an issue where auxiliary files with no local segment were not included when calculating disk usage. Previously, the files would appear as system data for a node in the Cluster Overview page, when they are in fact LogScale data. As a result, the node would be able to fetch an auxiliary file without fetching the corresponding segment file as a valid part of execution.

    • Fixed an issue that could cause bucket storage uploads to throttle unnecessarily when lookup files were being deleted while LogScale attempted to upload them to bucket storage. LogScale was incorrectly treating this as an upload failure, causing exponential backoff to activate.

  • Dashboards and Widgets

    • The legend ordering for stacked bar charts now follows the order of the stack itself.

      For more information, see Bar Chart Widget.

  • Queries

    • Fixed an issue in the Regular Expression Engine v2 where end-of-string anchors were not applied correctly in all cases, which could lead to incorrect query results.

Known Issues

  • Storage

    • For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between PRIMARY_STORAGE_PERCENTAGE and PRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".

      This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.

Improvement

  • User Interface

    • The saved searches filter now matches against labels in addition to the search name.

  • Automation and Triggers

    • Labels are now one of the elements exported when exporting Amazon S3 actions to templates or packages. However, the field useProxyOption is no longer exported, in an effort to align consistently with other action types.

      For more information, see Action Type: S3.

    • Trigger errors and warnings are now shown and can be cleared regardless of whether the trigger is enabled or disabled.

      For more information, see Triggers.

Recent Package Updates

The following LogScale packages have been updated within the last month.

  • Package Changes

    • cisco/umbrella has been updated to v1.4.3.

      • Updated parser version to 3.0.3

      • Enhanced DLP logs parsing with improved URL handling using parseUri function

      • Added url.original field mapping for DLP traffic logs

      • Improved destination.domain field extraction for better URL parsing accuracy

      For more information, see Package cisco/umbrella Release Notes.

    • fortinet/fortigate has been updated to v2.3.4.

      • Enhanced CEF parsing to handle optional angle brackets in syslog priority field

      • Improved Vendor.type assignment logic for numeric cat values to use subtype instead

      • Added catch-all case to prevent field dropping in event categorization

      • Enhanced wireless event categorization with dedicated network connection handling

      • Added comprehensive wireless action outcome mapping for success/failure determination

      • Improved observer.serial_number field mapping to include Vendor.sn field

      • Added message field mapping from Vendor.msg for all events

      • Moved message field assignment outside of alert-specific logic for broader coverage

      • Updated parser version to 5.2.0 and ECS version to 9.3.0

      For more information, see Package fortinet/fortigate Release Notes.

    • cisco/firepower has been updated to v2.0.0.

      • Updated parser version to 5.0.0

      • Updated CPS version to 1.2.0

      • Updated ECS version to 9.3.0

      • Enhanced parsing for event codes 109201, 109207, 109210 with improved server address extraction and consistency with ASA format

      • Enhanced parsing for event code 113019 with additional vendor fields for group, session type, and network bytes calculation

      • Enhanced parsing for event codes 11300*, 11301* with improved server address, client NAT IP, and user extraction

      • Enhanced parsing for event codes 302013, 302015 with improved connection ID handling and username extraction from message end

      • Enhanced parsing for event code 302014 with corrected source/destination mapping based on connection initiator/target semantics

      • Enhanced parsing for event code 302016 with improved connection ID extraction and user closure reason parsing

      • Enhanced parsing for event code 302021 with event action extraction and network transport assignment

      • Enhanced parsing for event code 502103 with improved user privilege parsing and IAM categorization

      • Enhanced parsing for event codes 609001, 609002 with additional event action and destination address extraction

      • Enhanced parsing for event code 722051 with corrected field mapping for client NAT IP

      • Added support for event code 733100 with rate limiting and intrusion detection categorization

      • Added support for event code 746015 with DNS protocol parsing and question/answer extraction

      • Enhanced parsing for event code 746016 with improved DNS lookup failure parsing

      • Enhanced parsing for event codes 750001, 750002, 750006, 750007 with network configuration categorization

      • Added support for event code 750003 with network authentication failure categorization

      • Enhanced parsing for event code 751002 with improved authentication failure categorization and error message extraction

      • Added event.code field assignment from vendor mnemonic

      • Added event.reason field consistency logic to ensure availability across ASA and FTD events

      For more information, see Package cisco/firepower Release Notes.

    • f5networks/bigip has been updated to v3.1.1.

      • Updated ECS version to 9.3.0 and Parser version to 4.0.1

      • Enhanced HTTP request parsing for ASM events with improved regex extraction for request content

      • Fixed HTTP request body content extraction to properly parse content portion from request data

      • Added HTTP request MIME type field mapping from Content-Type header

      • Corrected HTTP request referrer field mapping to use proper vendor field

      • Improved authentication failure parsing with more specific regex pattern for user extraction

      • Fixed indentation and formatting issues in audit event processing section

      For more information, see Package f5networks/bigip Release Notes.

    • juniper/srx has been updated to v1.5.3.

      • Fixed timestamp parsing format for single-digit day values in BSD syslog format

      • Updated parser version to 3.0.2

      • Updated CPS version to 1.2.0

      For more information, see Package juniper/srx Release Notes.