Falcon LogScale 1.243.0 GA (2026-06-02)

Version?Type?Release Date?Availability?End of SupportSecurity UpdatesUpgrades From?Downgrades To?Config. Changes?
1.243.0GA2026-06-02

Cloud

2027-07-31No1.177.01.177.0No

Hide file download links

Show file download links

Bug fixes and updates

Advance Warning

The following items are due to change in a future release.

  • Installation and Deployment

    • We are decommissioning the the Nexus server used to host Java-based LogScale installation binaries, with a tentative decommission date of August 14, 2026. To download Java-based LogScale installers, please send a request to logscalesuccess@crowdstrike.com to obtain a username & API token, which are required to download from our new distribution platform.

Deprecation

Items that have been deprecated and may be removed in a future release.

New features and improvements

  • API

    • The following endpoint has been added:

      POST /api/v1/repositories/{repo}/queryjobs/{id}/newclient

      This endpoint creates a new client for an existing query, allowing multiple independent consumers to poll the same query session.

Fixed in this release

  • Administration and Management

    • Fixed an issue where removing a node using the Cluster administration menu, with the REST endpoint DELETE /api/v1/clusterconfig/members/<node_id>, or with GraphQL API using the mutation clusterUnregisterNode could lead to data loss, even when the flag force/accept-data-loss was not set.

      A validation step has also been added that ensures data is properly replicated before allowing node removal, which may slightly slow the operation.

      The fix can be disabled via the feature flag RefreshClusterManagementStatsInUnregisterNode, which is scheduled for removal in version 1.252. If issues arise that lead to the need to disable the feature flag, inform support.

      For more information, see Best Practice: Contacting Support.

  • User Interface

    • Fixed an issue where recalling a recent query would incorrectly display results as an event list instead of auto-selecting the appropriate visualization.

  • Queries

    • Fixed an issue where, in rare cases, queries could go missing when reusing query sessions and submitting identical queries close together, causing a race condition.

  • Auditing and Monitoring

    • An issue has been fixed where audit log entries exceeding 16KB would be truncated with an ellipsis character (...), causing the resulting JSON to be unparseable. The maximum string length for audit log JSON output has also been increased to 900KB.

  • Functions

    • The parseLEEF() function now correctly adds error messages to the @error_msg[] field when failing to parse. This aligns error reporting with other parse functions.

    • The sankey() function now displays a more specific warning when the number of source-target flows exceed the limit, instead of showing the more generic groupBy() function limit warning.

Known Issues

  • Storage

    • For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between PRIMARY_STORAGE_PERCENTAGE and PRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".

      This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.

Improvement

  • User Interface

    • Recent queries are now saved after the first results arrive rather than immediately after a search is initiated. This allows the system to correctly determine whether to store the current widget type for manually selected visualizations, or omit it for auto-detected visualizations, ensuring recalled queries display with the correct visualization.

  • Storage

    • A new environment variable, S3_STORAGE_STREAM_IDLE_TIMEOUT_SECONDS, has been introduced. The environment variable ensures that if an Amazon S3 provider fails to send any data for the configured time duration, the transfer is aborted instead of hanging indefinitely and blocking other transfers from being scheduled. When using this variable, it's important to note the following:

      • If not defined, the default duration value is 180 seconds.

      • This environment variable controls the stream idle timeout for both upload and download times.

      • While the timeout mechanism was already in place for S3 upload, it was not previously present for S3 download.

  • Configuration

    • The following environment variables have been added to control start rate limiting for the query coordinator:

      These environment variables allow for controlling an existing mechanism. No new mechanism is introduced. If these limits are reached, queries are delayed and do not start execution until later.

Recent Package Updates

The following LogScale packages have been updated within the last month.

  • Package Changes

    • fortinet/fortigate has been updated to v2.3.4.

      • Enhanced CEF parsing to handle optional angle brackets in syslog priority field

      • Improved Vendor.type assignment logic for numeric cat values to use subtype instead

      • Added catch-all case to prevent field dropping in event categorization

      • Enhanced wireless event categorization with dedicated network connection handling

      • Added comprehensive wireless action outcome mapping for success/failure determination

      • Improved observer.serial_number field mapping to include Vendor.sn field

      • Added message field mapping from Vendor.msg for all events

      • Moved message field assignment outside of alert-specific logic for broader coverage

      • Updated parser version to 5.2.0 and ECS version to 9.3.0

      For more information, see Package fortinet/fortigate Release Notes.

    • everpure/flashblade has been updated to v1.2.0.

      • Added support for GUI and CLI session logs (purity.guisession and purity.clisession)

      • Enhanced heartbeat message parsing for system monitoring

      • Improved source address handling with IP/domain classification

      • Updated ECS version to 9.3.0

      • Enhanced regex patterns for better alert message parsing

      • Added session authentication event categorization

      For more information, see Package everpure/flashblade Release Notes.

    • dell/isilon has been updated to v1.3.0.

      • Updated CPS version to 1.2.0

      • Updated parser version to 1.2.0

      • Added support for Dell Isilon API audit logs parsing

      • Enhanced regex pattern matching to handle both SMB protocol logs and API request logs

      • Added HTTP request method and response status code field mappings

      • Added JSON parsing for API request arguments

      • Enhanced user ID mapping with coalesce function for multiple source fields

      • Enhanced client IP mapping with coalesce function for multiple source fields

      • Added event outcome determination based on HTTP response status codes

      For more information, see Package dell/isilon Release Notes.

    • everpure/flasharray has been updated to v1.0.5.

      • Added new regex pattern for enhanced audit log parsing with support for command structure extraction

      • Enhanced observer.hostname field mapping to use coalesce function for better field population

      • Added event.id field mapping from Vendor.MessageID for improved event tracking

      • Updated parser version to 2.0.4

      • Updated CPS version to 1.2.0

      • Updated ECS version to 9.3.0

      For more information, see Package everpure/flasharray Release Notes.

    • cisco/firepower has been updated to v2.0.0.

      • Updated parser version to 5.0.0

      • Updated CPS version to 1.2.0

      • Updated ECS version to 9.3.0

      • Enhanced parsing for event codes 109201, 109207, 109210 with improved server address extraction and consistency with ASA format

      • Enhanced parsing for event code 113019 with additional vendor fields for group, session type, and network bytes calculation

      • Enhanced parsing for event codes 11300*, 11301* with improved server address, client NAT IP, and user extraction

      • Enhanced parsing for event codes 302013, 302015 with improved connection ID handling and username extraction from message end

      • Enhanced parsing for event code 302014 with corrected source/destination mapping based on connection initiator/target semantics

      • Enhanced parsing for event code 302016 with improved connection ID extraction and user closure reason parsing

      • Enhanced parsing for event code 302021 with event action extraction and network transport assignment

      • Enhanced parsing for event code 502103 with improved user privilege parsing and IAM categorization

      • Enhanced parsing for event codes 609001, 609002 with additional event action and destination address extraction

      • Enhanced parsing for event code 722051 with corrected field mapping for client NAT IP

      • Added support for event code 733100 with rate limiting and intrusion detection categorization

      • Added support for event code 746015 with DNS protocol parsing and question/answer extraction

      • Enhanced parsing for event code 746016 with improved DNS lookup failure parsing

      • Enhanced parsing for event codes 750001, 750002, 750006, 750007 with network configuration categorization

      • Added support for event code 750003 with network authentication failure categorization

      • Enhanced parsing for event code 751002 with improved authentication failure categorization and error message extraction

      • Added event.code field assignment from vendor mnemonic

      • Added event.reason field consistency logic to ensure availability across ASA and FTD events

      For more information, see Package cisco/firepower Release Notes.

    • cisco/ios has been updated to v1.10.0.

      • Added new regex pattern to handle logs with sequence numbers and timestamps in format: &lt;priority&gt;message_count: sequence: timestamp: %facility-severity-eventcode: message

      • Added support for multiline message fragments that start with multiple spaces and lack proper IOS facility headers

      • Enhanced timezone handling to respect data connector timezone selection over parser-defined timezone mappings

      • Fixed IST timezone timestamp parsing to support optional milliseconds format

      • Improved LOGOUT event parsing to handle optional source address in parentheses

      • Updated parser version to 2.10.0

      For more information, see Package cisco/ios Release Notes.

    • juniper/srx has been updated to v1.5.4.

      • Fixed timestamp parsing format for single-digit day values in BSD syslog format to handle optional space padding

      • Updated parser version to 3.0.3

      For more information, see Package juniper/srx Release Notes.

    • cisco/umbrella has been updated to v1.4.3.

      • Updated parser version to 3.0.3

      • Enhanced DLP logs parsing with improved URL handling using parseUri function

      • Added url.original field mapping for DLP traffic logs

      • Improved destination.domain field extraction for better URL parsing accuracy

      For more information, see Package cisco/umbrella Release Notes.

    • darktrace/detect has been updated to v2.1.0.

      • Updated CPS version to 1.2.0

      • Updated parser version to 3.1.0

      • Updated ECS version to 9.3.0

      • Enhanced AI Analyst event processing to include "informational" category for alert generation

      • Improved model breach event processing to use Vendor.model.category instead of Vendor.category for alert determination

      • Enhanced severity mapping for model breach events with improved priority-based scoring (1-5 scale)

      • Fixed event.risk_score assignment to occur before conditional processing

      • Improved code formatting and conditional logic structure

      • Enhanced regex patterns for email attachment hash processing

      For more information, see Package darktrace/detect Release Notes.

    • juniper/srx has been updated to v1.5.3.

      • Fixed timestamp parsing format for single-digit day values in BSD syslog format

      • Updated parser version to 3.0.2

      • Updated CPS version to 1.2.0

      For more information, see Package juniper/srx Release Notes.

    • fortinet/fortigate has been updated to v2.4.0.

      • Added FortiSwitch device detection based on devname prefix (FSW)

      • Added FortiSwitch-specific event subtypes: link, poe, spanning_tree, switch, switch_controller

      • Added FortiSwitch-specific field mappings for MAC address learned on switch port

      • Standardized event.module to "fortigate", observer.type to "firewall", and observer.product to "fortigate"

      • Updated parser version to 5.3.0

      For more information, see Package fortinet/fortigate Release Notes.

    • f5networks/bigip has been updated to v3.1.1.

      • Updated ECS version to 9.3.0 and Parser version to 4.0.1

      • Enhanced HTTP request parsing for ASM events with improved regex extraction for request content

      • Fixed HTTP request body content extraction to properly parse content portion from request data

      • Added HTTP request MIME type field mapping from Content-Type header

      • Corrected HTTP request referrer field mapping to use proper vendor field

      • Improved authentication failure parsing with more specific regex pattern for user extraction

      • Fixed indentation and formatting issues in audit event processing section

      For more information, see Package f5networks/bigip Release Notes.