CHANGELOG.next.asciidoc

Beats version HEAD

Check the HEAD diff

Breaking changes

Affecting all Beats

• Remove the deprecated xpack.monitoring. settings. Going forward only monitoring. settings may be used. 9424 18608

• Remove deprecated/undocumented IncludeCreatorMetadata setting from kubernetes metadata config options 28006

• Remove deprecated fields from kubernetes module 28046

• Remove deprecated config option aws_partition. 28120

• Improve stats API 27963

• Libbeat: logp package forces ECS compliant logs. Logs are JSON formatted. Options to enable ECS/JSON have been removed. 15544 28573

• Update docker client. 28716

• Remove auto from the available options of setup.ilm.enabled and set the default value to true. 28671

• add_process_metadata processor: Replace usage of deprecated process.ppid field with process.parent.pid. 28620

• add_docker_metadata processor: Replace usage of deprecated process.ppid field with process.parent.pid. 28620

• Use data streams instead of indices for storing events from Beats. 28450

• Remove option setup.template.type and always load composable template with data streams. 28450

• Remove several ILM options (rollover_alias and pattern) as data streams does not require index aliases. 28450

• Index template’s default_fields setting is only populated with ECS fields. 28596 28215

• tar.gz packages for ARM64 will now use the suffix aarch64 rather than arm64. 28813

• Remove deprecated --template and --ilm-policy flags. Use --index-management instead. 28870

• Remove options logging.files.suffix and default to datetime endings. 28927

• Remove Journalbeat. Use journald input of Filebeat instead. 29131

• include_matches option of journald input no longer accepts a list of string. 29294

• Add job.name in pods controlled by Jobs 28954

• Change Docker base image from CentOS 7 to Ubuntu 20.04 29681

• Enrich kubernetes metadata with node annotations. 29605

• Allign kubernetes configuration settings. 29908

Auditbeat

• File integrity dataset (macOS): Replace unnecessary file.origin.raw (type keyword) with file.origin.text (type text). 12423 15630

• Change event.kind=error to event.kind=event to comply with ECS. 18870 20685

Filebeat

• Fix parsing of Elasticsearch node name by elasticsearch/slowlog fileset. 14547

• With the default configuration the cloud modules (aws, azure, googlecloud, o365, okta)

• With the default configuration the cef and panw modules will no longer send the host

• Add while_pattern type to multiline reader. 19662

• auditd dataset: Use process.args to store program arguments instead of auditd.log.aNNN fields. 29601

• Remove deprecated old awscloudwatch input name. 29844

Heartbeat - Fix broken macOS ICMP python e2e test. 29900 - Only add monitor.status to browser events when summary. 29460 - Also add summary to journeys for which the synthetics runner crashes. 29606 - Update size of ICMP packets to adhere to standard min size. 29948

Metricbeat

• Remove deprecated fields in Docker module. 11835 27933

• Remove deprecated fields in Kafka module. 27938

• Remove deprecated config option default_region from aws module. 28120

• Remove network and diskio metrics from ec2 metricset. 28316

• Rename read/write_io.ops_per_sec to read/write.iops in rds metricset. 28350

• Remove linux-only metrics from diskio, memory 28292

• Remove deprecated config option perfmon.counters from windows/perfmon metricset. 28282

• Remove deprecated fields in Redis module. 11835 28246

• system/process metricset: Replace usage of deprecated process.ppid field with process.parent.pid. 28620

• Remove overriding of index pattern on the Kubernetes overview dashboard. 29676

Packetbeat

• Redis: fix incorrectly handle with two-words redis command. 14872 14873

• event.category no longer contains the value network_traffic because this is not a valid ECS event category value. 20556

• Remove deprecated TLS fields in favor of tls.server.x509 and tls.client.x509 ECS fields. 28487

• HTTP: The field http.request.method will maintain its original case. 28620

• Unify gopacket dependencies. 29167

Winlogbeat

• Add support to Sysmon file delete events (event ID 23). 18094

• Improve ECS field mappings in Sysmon module. related.hash, related.ip, and related.user are now populated. 18364

• Improve ECS field mappings in Sysmon module. Hashes are now also populated to the corresponding process.hash, process.pe.imphash, file.hash, or file.pe.imphash. 18364

• Improve ECS field mappings in Sysmon module. file.name, file.directory, and file.extension are now populated. 18364

• Improve ECS field mappings in Sysmon module. rule.name is populated for all events when present. 18364

• Remove top level hash property from sysmon events 20653

• Move module processing from local Javascript processor to ingest node 29184 29435

Functionbeat

Bugfixes

Affecting all Beats

Auditbeat

• system/package: Fix parsing of Installed-Size field of DEB packages. 16661 17188

• system module: Fix panic during initialisation when /proc/stat can’t be read. 17569

• system/package: Fix an error that can occur while trying to persist package metadata. 18536 18887

• system/socket: Fix bugs leading to wrong process being attributed to flows. 29166 17165

• system/socket: Fix process name and arg truncation for long names, paths and args lists. 24667 29410

• system/socket: Fix startup errors on newer 5.x kernels due to missing _do_fork function. 29607 29744

• libbeat/processors/add_process_metadata: Fix memory leak in process cache. 24890 29717

• auditd: Add error.message to events when processing fails. 30009

Filebeat

• aws-s3: Stop trying to increase SQS message visibility after ReceiptHandleIsInvalid errors. 29480

• Fix handling of IPv6 addresses in netflow flow events. 19210 29383

• Fix sophos KV splitting and syslog header handling 24237 29331

• Undo deletion of endpoint config from cloudtrail fileset in 29415. 29450

• Make Cisco ASA and FTD modules conform to the ECS definition for event.outcome and event.type. 29581 29698

• ibmmq: Fixed @timestamp not being populated with correct values. 29773

• Fix using log_group_name_prefix in aws-cloudwatch input. 29695

• aws-s3: Improve gzip detection to avoid false negatives. 29968

• decode_cef: Fix panic when recovering from invalid CEF extensions that contain escape characters. 30010

Heartbeat

• Fix race condition in http monitors using mode:all that can cause crashes. pull

• Fix broken ICMP availability check that prevented heartbeat from starting in rare cases. pull

Metricbeat

• Use xpack.enabled on SM modules to write into .monitoring indices when using Metricbeat standalone 28365

• Fix in rename processor to ingest metrics for write.iops to proper field instead of write_iops in rds metricset. 28960

• Enhance filter check in kubernetes event metricset. 29470

• Fix gcp metrics metricset apply aligner to all metric_types 29513

• Extract correct index property in kibana.stats metricset 29622

• Fixed bug with elasticsearch/cluster_stats metricset not recording license expiration date correctly. 29711

• Fixed GCP GKE Overview dashboard 29913

Packetbeat

• Prevent incorrect use of AMQP protocol parsing from causing silent failure. 29017

• Fix error handling in MongoDB protocol parsing. 29017

Winlogbeat

• Add provider names to Security pipeline conditional check in routing pipeline. 27288 29781

Functionbeat

Elastic Logging Plugin

Added

Affecting all Beats

• Add config option rotate_on_startup to file output 19150 19347

• Name all k8s workqueue. 28085

• Update to ECS 8.0 fields. 28620

• Support custom analyzers in fields.yml. 28540 28926

• Discover changes in Kubernetes nodes metadata as soon as they happen. 23139

• Support self signed certificates on outputs 29229

• Update k8s library 29394

• Add FIPS configuration option for all AWS API calls. 28899

• Add default_region config to AWS common module. 29415

• Add support for latest k8s versions v1.23 and v1.22 29575

• Only connect to Elasticsearch instances with the same version or newer. 29683

• Move umask from code to service files. 29708

Auditbeat

• system/process: Prevent hashing files in other mnt namespaces. 25777 29678 29786

Filebeat

• Add text/csv decoder to httpjson input 28564

• Update aws-s3 input to connect to non AWS S3 buckets 28222 28234

• Add support for '/var/log/pods/' path for add_kubernetes_metadata processor with resource_type: pod. 28868

• Add documentation for add_kubernetes_metadata processors log_path matcher. 28868

• Add support for parsers on journald input 29070

• Add support in httpjson input for oAuth2ProviderDefault of password grant_type. 29087

• Add support for filtering in journald input with unit, kernel, identifiers and include_matches. 29294

• Add new userAgent and beatInfo template functions for httpjson input 29528

Heartbeat

• More errors are now visible in ES with new logic failing monitors later to ease debugging. pull

Metricbeat

• Preliminary AIX support 27954

• Add option to skip older k8s events 29396

• Add add_resource_metadata configuration to Kubernetes module. 29133

• Add containerd module with cpu, memory, blkio metricsets. 29247

• Add container.id and container.runtime ECS fields in container metricset. 29560

• Add memory.workingset.limit.pct field in Kubernetes container/pod metricset. 29547

• Add k8s metadata in state_cronjob metricset. 29572

• Add elasticsearch.cluster.id field to Beat and Kibana modules. 29577

• Add elasticsearch.cluster.id field to Logstash module. 29625

• Add xpack.enabled support for Enterprise Search module. 29871

• Add gcp firestore metricset. 29918

Packetbeat

• Add automated OEM Npcap installation handling. 29112

Functionbeat

Winlogbeat

• Add support for custom XML queries 1054 29330

• Add support for sysmon event ID 26; FileDeleteDetected. 26280 29957

Elastic Log Driver

• Fixed docs for hosts 23644

Deprecated

Affecting all Beats

Filebeat

Heartbeat

Metricbeat

Packetbeat

Winlogbeat

Functionbeat

Known Issue

Journalbeat