Falcon LogScale 1.245.1 GA (2026-07-07)
| Version? | Type? | Release Date? | Availability? | End of Support | Security Updates | Upgrades From? | Downgrades To? | Config. Changes? |
|---|---|---|---|---|---|---|---|---|
| 1.245.1 | GA | 2026-07-07 | Cloud | Next LTS | No | 1.177.0 | 1.177.0 | No |
Hide file download links
Download
Use docker pull humio/humio-core:1.245.1 to download the latest version
Hide file hashes
These notes include entries from the following previous releases: 1.245.0
Bug fixes and updates.
Advance Warning
The following items are due to change in a future release.
Installation and Deployment
We are decommissioning the the Nexus server used to host Java-based LogScale installation binaries, with a tentative decommission date of August 14, 2026. To download Java-based LogScale installers, please send a request to logscalesuccess@crowdstrike.com to obtain a username & API token, which are required to download from our new distribution platform.
Removed
Items that have been removed as of this release.
GraphQL API
The deprecated enum value
filteralerthas been removed from theLanguageVersionEnumenum in the GraphQL API.Configuration
The deprecated environment variable
EXTRA_KAFKA_CONFIGS_FILEhas been removed. LogScale will now refuse to start if this environment variable is configured.The following environment variable prefixes are available for configuring each Kafka client individually:
In addition,
KAFKA_COMMON_can be used to pass configuration to all clients, though settings configured using the client-specific prefixes take precedence when a setting is present with both prefixes.Kafka configuration options such as
request.timeout.mscan be passed with these prefixes using the following rewrite procedure:
Enter the option name in all uppercase - for example:
REQUEST.TIMEOUT.MS.Replace
.with_- for example:REQUEST_TIMEOUT_MS.Apply the prefix for the target client - for example:
KAFKA_INGEST_QUEUE_CONSUMER_REQUEST_TIMEOUT_MS.Pass the configuration option as an environment variable to LogScale on boot - for example:
KAFKA_INGEST_QUEUE_CONSUMER_REQUEST_TIMEOUT_MS=30000.Configuration previously passed via
EXTRA_KAFKA_CONFIGS_FILEcan be migrated to environment variables using the procedure above, using theKAFKA_COMMON_prefix.
Deprecation
Items that have been deprecated and may be removed in a future release.
The userId parameter for the updateDashboardToken GraphQL mutation has been deprecated and will be removed in version 1.273.
rdns()has been deprecated and will be removed in version 1.249. UsereverseDns()as an alternative function.
New features and improvements
Functions
Added the new function
appendAggregation(), which appends an aggregation of the preceding events to the end of the current result set. This allows query results to be appended with an aggregate summary such as totals, averages, and more.The following example demonstrates the function:
logscalehead() | appendAggregation({ sum(value, as="value") | event:="total"})
Fixed in this release
GraphQL API
Fixed an issue where the GraphQL argument metadataEndpointUrl was not persisted when provided to the GraphQL mutation updateSamlIdentityProvider.
Storage
Fixed an issue with bucket upload logic that in rare cases was causing the loss of lookup files during upload. This same issue also caused lookup file uploads to be slower than expected due to unintentional throttling.
Ingestion
Digest partition assignment to hosts is now uniform across the partition range to avoid hotspots.
Known Issues
Storage
For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between
PRIMARY_STORAGE_PERCENTAGEandPRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.
Improvement
User Interface
Collapsible sections have been added to the parser extensions view in the Parser editor.
GraphQL API
The GraphQL query
analyzeQuerynow supports a new query kind for scheduled searches.
Configuration
The default value for the environment variable
QUERY_CACHE_COMPLETE_STATES_MIN_COSThas been lowered from 1000 to 100 to make cheaper queries eligible for caching.
Queries
Queries that filter on the event ID field @id using a malformed value now immediately returns no results, instead of scanning for events that could never match.
If a malformed value appears alongside one or more valid values (for example in an
orexpression of several @id values), only the invalid value is dropped; the valid values still resolve directly to their respective events.
Functions
The query function
stdDev()has been improved:An issue has been fixed that caused the function to crash in an extreme corner case.
Overall performance of the function has been improved.
A new algorithm has been introduced that handles smaller relative deviations with greater ease. This algorithm may produce slightly different results than before. However, under normal circumstances the change amounts to less than 1 parts per million (ppm).
The function
redactEvents()has been updated to account for internal query result caches. Redaction tasks will now only finish once query caches that may contain the redacted event have reached their maximum time to live, ensuring that such events will not temporarily appear due to results being served from the cache.
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
everpure/flashblade has been updated to v1.2.0.
Added support for GUI and CLI session logs (purity.guisession and purity.clisession)
Enhanced heartbeat message parsing for system monitoring
Improved source address handling with IP/domain classification
Updated ECS version to 9.3.0
Enhanced regex patterns for better alert message parsing
Added session authentication event categorization
For more information, see Package everpure/flashblade Release Notes.
dell/isilon has been updated to v1.3.0.
Updated CPS version to 1.2.0
Updated parser version to 1.2.0
Added support for Dell Isilon API audit logs parsing
Enhanced regex pattern matching to handle both SMB protocol logs and API request logs
Added HTTP request method and response status code field mappings
Added JSON parsing for API request arguments
Enhanced user ID mapping with coalesce function for multiple source fields
Enhanced client IP mapping with coalesce function for multiple source fields
Added event outcome determination based on HTTP response status codes
For more information, see Package dell/isilon Release Notes.
rubrik/security-cloud has been updated to v1.1.3.
Enhanced timestamp parsing to support additional precision formats
Updated parser version to 1.1.3
Updated ECS version to 9.3.0
Updated CPS version to 1.2.0
For more information, see Package rubrik/security-cloud Release Notes.
everpure/flasharray has been updated to v1.0.5.
Added new regex pattern for enhanced audit log parsing with support for command structure extraction
Enhanced observer.hostname field mapping to use coalesce function for better field population
Added event.id field mapping from Vendor.MessageID for improved event tracking
Updated parser version to 2.0.4
Updated CPS version to 1.2.0
Updated ECS version to 9.3.0
For more information, see Package everpure/flasharray Release Notes.
cisco/ios has been updated to v1.10.0.
Added new regex pattern to handle logs with sequence numbers and timestamps in format: <priority>message_count: sequence: timestamp: %facility-severity-eventcode: message
Added support for multiline message fragments that start with multiple spaces and lack proper IOS facility headers
Enhanced timezone handling to respect data connector timezone selection over parser-defined timezone mappings
Fixed IST timezone timestamp parsing to support optional milliseconds format
Improved LOGOUT event parsing to handle optional source address in parentheses
Updated parser version to 2.10.0
For more information, see Package cisco/ios Release Notes.
everpure/flashblade has been updated to v1.2.1.
Updated vendor name from Pure Storage to Everpure across all package components
Updated manifest author information to reflect Everpure branding
For more information, see Package everpure/flashblade Release Notes.
juniper/srx has been updated to v1.5.4.
Fixed timestamp parsing format for single-digit day values in BSD syslog format to handle optional space padding
Updated parser version to 3.0.3
For more information, see Package juniper/srx Release Notes.
darktrace/detect has been updated to v2.1.0.
Updated CPS version to 1.2.0
Updated parser version to 3.1.0
Updated ECS version to 9.3.0
Enhanced AI Analyst event processing to include "informational" category for alert generation
Improved model breach event processing to use Vendor.model.category instead of Vendor.category for alert determination
Enhanced severity mapping for model breach events with improved priority-based scoring (1-5 scale)
Fixed event.risk_score assignment to occur before conditional processing
Improved code formatting and conditional logic structure
Enhanced regex patterns for email attachment hash processing
For more information, see Package darktrace/detect Release Notes.
cloudflare/zerotrust has been updated to v2.2.1.
Fixed WAF alert generation logic to trigger when severity >= 50 (previously <= 50)
Updated parser version to 4.2.1
Updated ECS version to 9.3.0
Updated CPS version to 1.2.0
For more information, see Package cloudflare/zerotrust Release Notes.
cisco/ise has been updated to v2.0.7.
Improve consistency for log.level parsing
Add support for connection failure events
Updated parser version to 3.0.7
For more information, see Package cisco/ise Release Notes.
everpure/flasharray has been updated to v1.0.6.
Updated vendor name from Pure Storage to Everpure across all package components
Updated manifest author information to reflect Everpure branding
For more information, see Package everpure/flasharray Release Notes.
cisco/ise has been updated to v2.0.6.
Enhanced network field mapping with improved source, destination, client, server, and host field assignments
Restructured IP address and domain handling for better network topology representation
Added host.ip[] and host.mac[] arrays for endpoint authentication tracking
Improved MAC address formatting with standardized uppercase and hyphen format
Updated ECS version to 9.3.0
Updated parser version to 3.0.6
Updated CPS version to 1.2.0
Enhanced user.email field with lowercase normalization
Fixed event.type assignment for profiler event code 80003 from "error" to "info"
Minor code formatting improvements and indentation fixes
For more information, see Package cisco/ise Release Notes.
fortinet/fortigate has been updated to v2.4.0.
Added FortiSwitch device detection based on devname prefix (FSW)
Added FortiSwitch-specific event subtypes: link, poe, spanning_tree, switch, switch_controller
Added FortiSwitch-specific field mappings for MAC address learned on switch port
Standardized event.module to "fortigate", observer.type to "firewall", and observer.product to "fortigate"
Updated parser version to 5.3.0
For more information, see Package fortinet/fortigate Release Notes.