Falcon LogScale 1.244.0 GA (2026-06-09)

Version?Type?Release Date?Availability?End of SupportSecurity UpdatesUpgrades From?Downgrades To?Config. Changes?
1.244.0GA2026-06-09

Cloud

Next LTSNo1.177.01.177.0No

Hide file download links

Show file download links

Bug fixes and updates

Advance Warning

The following items are due to change in a future release.

  • Installation and Deployment

    • We are decommissioning the the Nexus server used to host Java-based LogScale installation binaries, with a tentative decommission date of August 14, 2026. To download Java-based LogScale installers, please send a request to logscalesuccess@crowdstrike.com to obtain a username & API token, which are required to download from our new distribution platform.

Deprecation

Items that have been deprecated and may be removed in a future release.

New features and improvements

  • GraphQL API

    • Added the new GraphQL endpoint removeFeatureOptInForAllOrgs. This endpoint allows cluster owners to remove feature flag opt-ins at the organization level for all organizations in the cluster for a specific feature flag.

      This simplifies cleanup after a feature flag rollout process that involved first enabling the feature flag on a subset of organizations before enabling it globally on the cluster.

  • API

    • An endpoint has been added to force a parser to recompile on a given node at /api/v1/invalidateParser. This endpoint requires the ManageCluster permission.

Fixed in this release

  • Security

    • A discrepancy regarding organization name validation has been fixed. Previously, names could contain special characters and HTML tags when creating an organization. However, when updating said organization, stricter validation was applied that disallowed those characters and tags. The validation logic for creating and updating operations has now been properly aligned.

      Note

      Organization names can still contain the characters < and >.

  • GraphQL API

    • Fixed an issue where saved queries could be created without a name, making them impossible to display in the UI. The name field in the GraphQL mutation createSavedQuery is now validated, and will fail when the value is empty or contains invalid characters.

  • Ingestion

    • A regression introduced in version 1.237 for parsers has been fixed. Previously, parsers were failing with the error message Parser failed with exception com.humio.jitrex.RegexCancelledException" despite previously operating above the timeout limit.

    • Fixed an issue where updating lookup files with more than one key column could cause an error that was reported to the user as an internal server error.

  • Queries

    • Fixed an issue in the query scheduler where segments were not correctly closed when the feature flag AllowQuerySchedulerToBailOnSlowChunks was enabled, leading to occasional query starvation.

  • Functions

    • Fixed an issue where a recent feature that introduced the ability to look up files in other views using the syntax readFile(file://<path>), and to look up files in packages in other views using the syntax readFile("file://<otherview>/<scope>/<package>:<filename>") was not implemented for files served externally.

Known Issues

  • Storage

    • For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between PRIMARY_STORAGE_PERCENTAGE and PRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".

      This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.

Improvement

  • Storage

    • Segment fetches that perform segment merges and archving now each have the same priority as segment fetches for queries. As a result, they are prioritized on a first-come, first-served basis within this priority level.

      This change helps avoid starvation of segment merges and archiving processes in cases of slow bucket downloads, or large numbers of segment downloads for queries.

  • Queries

    • Segment reading has been optimized for certain scenarios, primarily where events contain a larger number of fields.

  • Fleet Management

    • The Fleet Management configuration editor has been upgraded and is now based on the extensible code editor CodeMirror. This improves page loading times across LogScale and NG-SIEM, and includes the following improvements:

      • Ingest tokens are hidden in the editor until actively selected.

      • Visual warnings are displayed for unused sinks.

      Note

      Auto-completion with all required fields automatically added is currently not available in the new editor.

  • Metrics and Monitoring

    • Three new utilization percentage fields have been added to the same logs that record queryCostPerMs:

      • queryUtilizationPercentage - approximates CPU time spent on the query as a percentage of worker capacity.

      • userUtilizationPercentage - approximates CPU time spent on the user's queries as a percentage of worker capacity.

      • orgUtilizationPercentage - approximates CPU time spent on the organization's queries as a percentage of worker capacity.

      These fields approximate how much CPU time is being spent within the time interval denoted by the corresponding queryCurrentTimespanMs, userCurrentTimespanMs, and orgCurrentTimespanMs fields. As the boundaries of this interval are approximate, it is possible for the utilization percentage to exceed 100%.

    • New logging fields have been added to make it easier to determine how much cost per millisecond a query is accumulating, as well as how much cost per millisecond the associated user and organization are accumulating across all their queries.

      The new fields are logged on query workers and measure cost per millisecond for the query, user, and organization respectively:

      • queryCostPerMs - cost per millisecond for the query.

      • userCostPerMs - cost per millisecond for the user across all their queries.

      • orgCostPerMs - cost per millisecond for the organization across all their queries.

      The time interval covered by each measurement is denoted by the queryCurrentTimespanMs, userCurrentTimespanMs, and orgCurrentTimespanMs fields. The interval can be controlled using the new QuerySchedulerCostMetricsLoggingIntervalSeconds dynamic configuration parameter, which defaults to 30 seconds.

      These fields are logged periodically when a measurement interval ends while a query is running, and are also included in the "Query Ended" logs produced by the worker.

  • Functions

    • Two improvements previously gated by cluster version for the correlate() function are now enabled by default, including for multi-cluster search scenarios where the minimum version is unknown:

      • The time bucket boundary off-by-one millisecond fix, previously applied only when all nodes in the cluster were running at least version 1.238.

      • Selective scanning, previously used only when all nodes in the cluster were running at least version 1.239.

Recent Package Updates

The following LogScale packages have been updated within the last month.

  • Package Changes

    • juniper/srx has been updated to v1.5.4.

      • Fixed timestamp parsing format for single-digit day values in BSD syslog format to handle optional space padding

      • Updated parser version to 3.0.3

      For more information, see Package juniper/srx Release Notes.

    • fortinet/fortigate has been updated to v2.4.0.

      • Added FortiSwitch device detection based on devname prefix (FSW)

      • Added FortiSwitch-specific event subtypes: link, poe, spanning_tree, switch, switch_controller

      • Added FortiSwitch-specific field mappings for MAC address learned on switch port

      • Standardized event.module to "fortigate", observer.type to "firewall", and observer.product to "fortigate"

      • Updated parser version to 5.3.0

      For more information, see Package fortinet/fortigate Release Notes.

    • fortinet/fortigate has been updated to v2.3.4.

      • Enhanced CEF parsing to handle optional angle brackets in syslog priority field

      • Improved Vendor.type assignment logic for numeric cat values to use subtype instead

      • Added catch-all case to prevent field dropping in event categorization

      • Enhanced wireless event categorization with dedicated network connection handling

      • Added comprehensive wireless action outcome mapping for success/failure determination

      • Improved observer.serial_number field mapping to include Vendor.sn field

      • Added message field mapping from Vendor.msg for all events

      • Moved message field assignment outside of alert-specific logic for broader coverage

      • Updated parser version to 5.2.0 and ECS version to 9.3.0

      For more information, see Package fortinet/fortigate Release Notes.

    • cisco/ios has been updated to v1.10.0.

      • Added new regex pattern to handle logs with sequence numbers and timestamps in format: &lt;priority&gt;message_count: sequence: timestamp: %facility-severity-eventcode: message

      • Added support for multiline message fragments that start with multiple spaces and lack proper IOS facility headers

      • Enhanced timezone handling to respect data connector timezone selection over parser-defined timezone mappings

      • Fixed IST timezone timestamp parsing to support optional milliseconds format

      • Improved LOGOUT event parsing to handle optional source address in parentheses

      • Updated parser version to 2.10.0

      For more information, see Package cisco/ios Release Notes.

    • juniper/srx has been updated to v1.5.3.

      • Fixed timestamp parsing format for single-digit day values in BSD syslog format

      • Updated parser version to 3.0.2

      • Updated CPS version to 1.2.0

      For more information, see Package juniper/srx Release Notes.

    • f5networks/bigip has been updated to v3.1.1.

      • Updated ECS version to 9.3.0 and Parser version to 4.0.1

      • Enhanced HTTP request parsing for ASM events with improved regex extraction for request content

      • Fixed HTTP request body content extraction to properly parse content portion from request data

      • Added HTTP request MIME type field mapping from Content-Type header

      • Corrected HTTP request referrer field mapping to use proper vendor field

      • Improved authentication failure parsing with more specific regex pattern for user extraction

      • Fixed indentation and formatting issues in audit event processing section

      For more information, see Package f5networks/bigip Release Notes.