Falcon LogScale 1.92.0 Preview (2023-05-30)

  • Version: 1.92.0
  • Type: Preview
  • Release Date: 2023-05-30
  • Availability: Cloud, On-Prem
  • End of Support: 2024-07-31
  • Security Updates: No
  • Upgrades From: 1.44.0
  • JDK Compatibility: 11
  • Req. Data Migration: No
  • Config. Changes: No

Bug fixes and updates.

Advanced Warning

The following items are due to change in a future release.

  • Installation and Deployment

    • Support for running on Java 11, 12, 13, 14, 15 and 16 will be removed by the end of September 2023.

Behavior Changes

Scripts or environments that make use of these tools should be checked and updated for the new configuration:

  • Storage

    • Be less aggressive updating the digest partitions when a node goes offline. When a node goes offline/online, creating a well-balanced table can require changes to partitions other than those where the changed node appears. This can cause more digest reassignment than we'd like, so we're changing the behavior of the automation. We'll now only generate optimally balanced tables in reaction to nodes being registered or unregistered from the cluster, and in reaction to the digest replication factor changing. The rest of the time, we'll take the previously generated balanced table as a starting point, and do very minimal node replacements in it to ensure partitions are properly replicated to live nodes.

    • It is no longer allowed for nodes to delete bucketed minisegments involved in queries off local disks before the queries are done. This should help ensure queries do not "miss" querying these files if they are deleted while a query is running.

    • Metadata on segments in memory is now represented in a manner that requires less memory at runtime after booting. The heap required for global snapshot is in the range 3-6 times the size of the disk, for a cluster with many segments. This change reduces the memory requirements for long retention compared to previous versions. Note that for a short time during boot of a node the memory requirement is closer to 10-15 times the size of the snapshot on disk.

  • Configuration

Improvements, new features and functionality

  • UI Changes

    • A new tutorial built on a dedicated demo data view is available for environments that do not have access to the legacy tutorial based on a sandbox repository.

    • The DeleteRepositoryOrView data permission is now visible in the UI on Cloud environments.

    • The Time Selector now only allows zooming out to approximately 4,000 years.

    • The ChangeRetention data permission is now enabled on Cloud environments.

  • Documentation

    • A new page, LogScale Kubernetes Reference Architecture, has been added, describing the LogScale reference architecture for deployments using Kubernetes.

    • A new page, Regular Expression Syntax, has been added, with extended details of the supported regular expression syntax and the differences between LogScale's support and other implementations such as Java and Perl.

  • GraphQL API

    • The Usage page has been updated to support queries that are in progress for longer than the GraphQL timeout allows.

    • The GraphQL schema for UsageStats has been updated to reflect that queries can be in progress.

  • Configuration

  • Dashboards and Widgets

    • New parsing of Template Expressions has been implemented in the UI for improved performance.

    • When creating or editing interactions you can now visualize any unused parameter bindings, with the option to remove them.

      For more information, see Unused parameters bindings.

    • The empty list alias is now available as an input option for parameter bindings, so that Multi-value Parameters can be set explicitly to have the value of an empty list.

      For more information, see Empty list alias.

    • Parameter labels are now used instead of parameter IDs when displaying the list of parameters that a widget / query is waiting on.

  • Other

    • Reduced the amount of memory used when multiple queries use the match() function with the same arguments. Before, if you ran many queries that used the same file, the contents of the file would be represented multiple times in memory, once for each query. This could put you at risk of exhausting the server's memory if the files were large. With this change the file contents will be shared between the queries and represented only once. This enables the server to run more queries and/or handle larger files.

      For more information, see Lookup Files Operations.

    • Polling a query on /queryjobs can now delay the response a bit in order to allow returning a potentially done response. The typical effective delay is less than 2 seconds, and the positive effect is saving the extra poll roundtrip that would otherwise need to happen before the query completed. This in particular makes simple queries complete faster from the viewpoint of the client, as they do not have to wait for an extra poll roundtrip in most cases.

    • When the Kafka broker set changes at runtime, LogScale now tracks that set and uses it as the bootstrap servers for Kafka whenever it needs to create a new Kafka client at runtime. This allows replacing all Kafka brokers (incrementally, moving their work to new servers) without restarting LogScale. Note that the set is not persisted across restarts of LogScale, so when restarting LogScale, make sure to provide an up-to-date set of bootstrap servers.

Bug Fixes

  • Security

    • Verified that LogScale does not use the affected Akka dependency component in CVE-2023-31442 by default, and have taken additional precautions to notify customers.

      For:

      • LogScale Cloud/Falcon Long Term Repository:

        • This CVE does not impact LogScale Cloud or LTR customers.

      • LogScale Self-Hosted:

        • Exposure to risk:

          • Potential risk is only present if a self-hosted customer has modified the Akka parameters to the non-default value akka.io.dns.resolver = async-dns during initial setup.

          • By default LogScale does not use this configuration parameter.

          • CrowdStrike has never recommended custom Akka parameters. We recommend using default values for all parameters.

        • Steps to mitigate:

          • Setting akka.io.dns.resolver to its default value (inet-address) will mitigate the potential risk.

        • On versions older than 1.92.0:

          • Unset the custom Akka configuration. Refer to the Akka documentation for more information on how to unset the parameter or pass a different value to it.

          • CrowdStrike recommends upgrading LogScale to 1.92.x or higher versions.
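
One way to check a self-hosted node for the non-default setting described above, as an added example (not CrowdStrike's code). It assumes the Akka setting reaches the JVM either as a -D system property or in a HOCON configuration file; EXAMPLE_JVM_ARGS and both sample inputs are constructed.

```python
import re

TARGET = "akka.io.dns.resolver"
RISKY = "async-dns"  # non-default value named in the release note

JVM_FLAG = re.compile(r"-D" + re.escape(TARGET) + r"=[\"']?([\w-]+)")
BLOCK_OPEN = re.compile(r"^([\w.-]+)\s*[=:]?\s*\{$")
ASSIGN = re.compile(r"^([\w.-]+)\s*[=:]\s*[\"']?([\w-]+)[\"']?,?$")


def resolver_values(text):
    """Return every value assigned to akka.io.dns.resolver in text, from JVM
    -D flags and a HOCON subset (dotted keys, nested blocks, '=' or ':',
    '#' and '//' comments)."""
    found, stack = [], []  # stack holds the keys of the open HOCON blocks
    for raw in text.splitlines():
        code = re.split(r"#|//", raw, maxsplit=1)[0]  # drop comments
        found += JVM_FLAG.findall(code)
        # Put each brace on its own logical line so one-line blocks parse.
        for line in code.replace("{", "{\n").replace("}", "\n}\n").splitlines():
            line = line.strip()
            if line == "}":
                if stack:
                    stack.pop()
            elif line.endswith("{"):
                m = BLOCK_OPEN.match(line)
                stack.append(m.group(1) if m else "?")
            elif (m := ASSIGN.match(line)) and \
                    ".".join(stack + [m.group(1)]) == TARGET:
                found.append(m.group(2))
    return found


def is_exposed(text):
    """True if any source sets the resolver to async-dns."""
    # Conservative: does not model which of several conflicting settings wins.
    return RISKY in resolver_values(text)


# Constructed samples: a JVM argument line and a HOCON fragment.
SAMPLE_JVM = 'EXAMPLE_JVM_ARGS="-Xss2m -Dakka.io.dns.resolver=async-dns"'
SAMPLE_HOCON = """
akka {
  io.dns {
    # resolver = async-dns   (commented out, must be ignored)
    resolver = "inet-address"
  }
}
"""
```

Run `is_exposed()` over the node's JVM argument string and any Akka configuration file it loads; a True result means the resolver should be returned to inet-address as described above.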

  • UI Changes

    • Fixed an issue where the filter would remain applied in the saved or recent queries when switching tabs in the Queries menu.

    • Fixed the order of the timezones in the timezone dropdown on the Search and Dashboards pages.

  • Automation and Alerts

    • Fixed an issue that could cause some rarely occurring errors when running alerts to not show up on the alert.

  • Dashboards and Widgets

    • Fixed an issue where certain widget options would be ignored when importing a dashboard template or installing a package.

    • Fixed incorrect behaviour on the Interactions overview page when creating a new interaction: if the interaction panel was open, the repository options would drop down in it instead of in the Create new interaction dialog.

  • Other

    • The following Node-Level Metrics that showed incorrect results are now fixed: primary-disk-usage, secondary-disk-usage, cluster-time-skew, temp-disk-usage-bytes.