Falcon LogScale 1.242.0 GA (2026-05-26)
| Version? | Type? | Release Date? | Availability? | End of Support | Security Updates | Upgrades From? | Downgrades To? | Config. Changes? |
|---|---|---|---|---|---|---|---|---|
| 1.242.0 | GA | 2026-05-26 | Cloud | Next LTS | No | 1.177.0 | 1.177.0 | No |
Hide file download links
Download
Use docker pull humio/humio-core:1.242.0 to download the latest version
Bug fixes and updates
Advance Warning
The following items are due to change in a future release.
Installation and Deployment
We are decommissioning the the Nexus server used to host Java-based LogScale installation binaries, with a tentative decommission date of August 14, 2026. To download Java-based LogScale installers, please send a request to logscalesuccess@crowdstrike.com to obtain a username & API token, which are required to download from our new distribution platform.
Deprecation
Items that have been deprecated and may be removed in a future release.
The following manuals have been moved to the archives:
The userId parameter for the updateDashboardToken GraphQL mutation has been deprecated and will be removed in version 1.273.
rdns()has been deprecated and will be removed in version 1.249. UsereverseDns()as an alternative function.
Upgrades
Changes that may occur or be required during an upgrade.
Security
Upgraded the dependency Jackson to version 2.21.3 to address a denial of service vulnerability.
See their documentation here: Jackson: GitHub
User Interface
The LogScale UI time zone database has been updated to the Internet Assigned Numbers Authority (IANA) 2026b release.
New features and improvements
Automation and Triggers
Email actions now support dynamic recipients using message templates. Most templates available in email subjects and bodies can also be used in the recipients list, including field references such as
{field:fieldName}that resolve from event data at trigger time. Templates can constitute the entire recipient address (for example,{field:email}) or be embedded within an email address (for example,{field:username}@crowdstrike.comor{name}@example.com). This enables sending notifications directly to users referenced in log events, such as notifying a user whose login failed. Static and dynamic recipients can be mixed freely.Templates that produce large or multi-line output (such as
{events},{events_html}, or{url}) are not permitted in recipients. For filter alerts, which trigger on a single event, the recipient is calculated from that event. For other alert types, the recipient is calculated from the first event only, which may be problematic if events have different values for the field referenced in the recipient template.Warning: when using field references, ensure the query is scoped so that recipients only receive events relevant to them.
For more information, see Dynamic Email Recipients.
API
Added an ingest status endpoint at
/api/v1/status/ingest. This endpoint exposes a node's ability to receive and handle incoming ingest requests.In the future, this endpoint will be used to signal whether all conditions necessary for ingesting have been met for recently-started nodes, such as whether lookup files have been synchronized. At present, no such conditions have been implemented and the endpoint always responds with
200 OK.
Fixed in this release
Security
Fixed an issue where BitBucket social login was failing due to Atlassian's CHANGE-3052 deprecation. BitBucket now requires OAuth2 access tokens to be sent as a Bearer token in the Authorization header rather than as a query parameter. This issue has now been resolved.
Queries
Anchoring in regular expressions would produce incorrect prefilters. Specifically, this affected the
$anchor, which may optionally match a line terminator unless the multi-line flag is enabled. The resulting prefilter would incorrectly require anchoring at the end of the input, causing some valid values to be erroneously filtered out. This issue has now been resolved.
Functions
The query function
series()now correctly respects query memory limits.The
parseCEF()function now correctly adds error messages to the @error_msg field when parsing fails, aligning error reporting with the behavior of other functions.
Known Issues
Storage
For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between
PRIMARY_STORAGE_PERCENTAGEandPRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.
Improvement
Security
The default example text provided when setting up IP filters has been updated and deduplicated.
Ingestion
Improved the distribution of digest partitions onto nodes. The previous implementation would sometimes cause individual nodes to own clusters of partitions, causing hotspots. The new implementation distributes partitions across available nodes without this type of clustering.
Queries
Scheduled searches no longer start immediately when due to run. Instead, all scheduled searches due to start within a given minute are staggered over that minute, smoothing out the load on the query engine and improving overall query performance.
For more information, see Automatic distribution within each minute.
LogScale's
SearchUI now populates events in subquery Table tabs using a direct lookup in the table used by the query. As a result, the subquery table tab is now populated with a single request, increasing its speed significantly.For more information, see Display tabs.
Added an optimization for
ORcharacter predicates in the Regular Expression Engine v2. Regexes such as the following are now significantly faster:regex[ab]{4}regex[Ee]xecution|[Mm]alwareFor more information, see Operators.
Added an optimization for case-insensitive regexes in the Regular Expression Engine v2. Many case-insensitive regexes are now up to approximately 30% faster than before.
Added an optimization for case-insensitive searching in the Regular Expression Engine v2. This optimization applies to most regular expressions containing a sequence of characters. For example, case-insensitive regular expressions such as
/Twain/and/(Tom|Sawyer|Huckleberry|Finn)/are now up to twice as fast.
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
fortinet/fortigate has been updated to v2.3.4.
Enhanced CEF parsing to handle optional angle brackets in syslog priority field
Improved Vendor.type assignment logic for numeric cat values to use subtype instead
Added catch-all case to prevent field dropping in event categorization
Enhanced wireless event categorization with dedicated network connection handling
Added comprehensive wireless action outcome mapping for success/failure determination
Improved observer.serial_number field mapping to include Vendor.sn field
Added message field mapping from Vendor.msg for all events
Moved message field assignment outside of alert-specific logic for broader coverage
Updated parser version to 5.2.0 and ECS version to 9.3.0
For more information, see Package fortinet/fortigate Release Notes.
everpure/flashblade has been updated to v1.2.0.
Added support for GUI and CLI session logs (purity.guisession and purity.clisession)
Enhanced heartbeat message parsing for system monitoring
Improved source address handling with IP/domain classification
Updated ECS version to 9.3.0
Enhanced regex patterns for better alert message parsing
Added session authentication event categorization
For more information, see Package everpure/flashblade Release Notes.
cisco/firepower has been updated to v2.0.0.
Updated parser version to 5.0.0
Updated CPS version to 1.2.0
Updated ECS version to 9.3.0
Enhanced parsing for event codes 109201, 109207, 109210 with improved server address extraction and consistency with ASA format
Enhanced parsing for event code 113019 with additional vendor fields for group, session type, and network bytes calculation
Enhanced parsing for event codes 11300*, 11301* with improved server address, client NAT IP, and user extraction
Enhanced parsing for event codes 302013, 302015 with improved connection ID handling and username extraction from message end
Enhanced parsing for event code 302014 with corrected source/destination mapping based on connection initiator/target semantics
Enhanced parsing for event code 302016 with improved connection ID extraction and user closure reason parsing
Enhanced parsing for event code 302021 with event action extraction and network transport assignment
Enhanced parsing for event code 502103 with improved user privilege parsing and IAM categorization
Enhanced parsing for event codes 609001, 609002 with additional event action and destination address extraction
Enhanced parsing for event code 722051 with corrected field mapping for client NAT IP
Added support for event code 733100 with rate limiting and intrusion detection categorization
Added support for event code 746015 with DNS protocol parsing and question/answer extraction
Enhanced parsing for event code 746016 with improved DNS lookup failure parsing
Enhanced parsing for event codes 750001, 750002, 750006, 750007 with network configuration categorization
Added support for event code 750003 with network authentication failure categorization
Enhanced parsing for event code 751002 with improved authentication failure categorization and error message extraction
Added event.code field assignment from vendor mnemonic
Added event.reason field consistency logic to ensure availability across ASA and FTD events
For more information, see Package cisco/firepower Release Notes.
cisco/ios has been updated to v1.10.0.
Added new regex pattern to handle logs with sequence numbers and timestamps in format: <priority>message_count: sequence: timestamp: %facility-severity-eventcode: message
Added support for multiline message fragments that start with multiple spaces and lack proper IOS facility headers
Enhanced timezone handling to respect data connector timezone selection over parser-defined timezone mappings
Fixed IST timezone timestamp parsing to support optional milliseconds format
Improved LOGOUT event parsing to handle optional source address in parentheses
Updated parser version to 2.10.0
For more information, see Package cisco/ios Release Notes.
juniper/srx has been updated to v1.5.4.
Fixed timestamp parsing format for single-digit day values in BSD syslog format to handle optional space padding
Updated parser version to 3.0.3
For more information, see Package juniper/srx Release Notes.
cisco/umbrella has been updated to v1.4.3.
Updated parser version to 3.0.3
Enhanced DLP logs parsing with improved URL handling using parseUri function
Added url.original field mapping for DLP traffic logs
Improved destination.domain field extraction for better URL parsing accuracy
For more information, see Package cisco/umbrella Release Notes.
juniper/srx has been updated to v1.5.3.
Fixed timestamp parsing format for single-digit day values in BSD syslog format
Updated parser version to 3.0.2
Updated CPS version to 1.2.0
For more information, see Package juniper/srx Release Notes.
fortinet/fortigate has been updated to v2.4.0.
Added FortiSwitch device detection based on devname prefix (FSW)
Added FortiSwitch-specific event subtypes: link, poe, spanning_tree, switch, switch_controller
Added FortiSwitch-specific field mappings for MAC address learned on switch port
Standardized event.module to "fortigate", observer.type to "firewall", and observer.product to "fortigate"
Updated parser version to 5.3.0
For more information, see Package fortinet/fortigate Release Notes.
f5networks/bigip has been updated to v3.1.1.
Updated ECS version to 9.3.0 and Parser version to 4.0.1
Enhanced HTTP request parsing for ASM events with improved regex extraction for request content
Fixed HTTP request body content extraction to properly parse content portion from request data
Added HTTP request MIME type field mapping from Content-Type header
Corrected HTTP request referrer field mapping to use proper vendor field
Improved authentication failure parsing with more specific regex pattern for user extraction
Fixed indentation and formatting issues in audit event processing section
For more information, see Package f5networks/bigip Release Notes.