Skip to content

Latest commit

 

History

History
232 lines (164 loc) · 11.9 KB

CHANGELOG.next.asciidoc

File metadata and controls

232 lines (164 loc) · 11.9 KB
Raw

Beats version HEAD

Breaking changes

Affecting all Beats

  • Remove the deprecated xpack.monitoring. settings. Going forward only monitoring. settings may be used. 9424 18608

  • Remove deprecated/undocumented IncludeCreatorMetadata setting from kubernetes metadata config options 28006

  • Remove deprecated fields from kubernetes module 28046

  • Remove deprecated config option aws_partition. 28120

  • Improve stats API 27963

  • Libbeat: logp package forces ECS compliant logs. Logs are JSON formatted. Options to enable ECS/JSON have been removed. 15544 28573

  • Update docker client. 28716

  • Remove auto from the available options of setup.ilm.enabled and set the default value to true. 28671

  • add_process_metadata processor: Replace usage of deprecated process.ppid field with process.parent.pid. 28620

  • add_docker_metadata processor: Replace usage of deprecated process.ppid field with process.parent.pid. 28620

  • Use data streams instead of indices for storing events from Beats. 28450

  • Remove option setup.template.type and always load composable template with data streams. 28450

  • Remove several ILM options (rollover_alias and pattern) as data streams does not require index aliases. 28450

  • Index template’s default_fields setting is only populated with ECS fields. 28596 28215

  • tar.gz packages for ARM64 will now use the suffix aarch64 rather than arm64. 28813

  • Remove deprecated --template and --ilm-policy flags. Use --index-management instead. 28870

  • Remove options logging.files.suffix and default to datetime endings. 28927

  • Remove Journalbeat. Use journald input of Filebeat instead. 29131

  • include_matches option of journald input no longer accepts a list of string. 29294

  • Add job.name in pods controlled by Jobs 28954

  • Change Docker base image from CentOS 7 to Ubuntu 20.04 29681

  • Enrich kubernetes metadata with node annotations. 29605

  • Allign kubernetes configuration settings. 29908

Auditbeat

  • File integrity dataset (macOS): Replace unnecessary file.origin.raw (type keyword) with file.origin.text (type text). 12423 15630

  • Change event.kind=error to event.kind=event to comply with ECS. 18870 20685

Filebeat

  • Fix parsing of Elasticsearch node name by elasticsearch/slowlog fileset. 14547

  • With the default configuration the cloud modules (aws, azure, googlecloud, o365, okta)

  • With the default configuration the cef and panw modules will no longer send the host

  • Add while_pattern type to multiline reader. 19662

  • auditd dataset: Use process.args to store program arguments instead of auditd.log.aNNN fields. 29601

  • Remove deprecated old awscloudwatch input name. 29844

Heartbeat - Fix broken macOS ICMP python e2e test. 29900 - Only add monitor.status to browser events when summary. 29460 - Also add summary to journeys for which the synthetics runner crashes. 29606 - Update size of ICMP packets to adhere to standard min size. 29948

Metricbeat

  • Remove deprecated fields in Docker module. 11835 27933

  • Remove deprecated fields in Kafka module. 27938

  • Remove deprecated config option default_region from aws module. 28120

  • Remove network and diskio metrics from ec2 metricset. 28316

  • Rename read/write_io.ops_per_sec to read/write.iops in rds metricset. 28350

  • Remove linux-only metrics from diskio, memory 28292

  • Remove deprecated config option perfmon.counters from windows/perfmon metricset. 28282

  • Remove deprecated fields in Redis module. 11835 28246

  • system/process metricset: Replace usage of deprecated process.ppid field with process.parent.pid. 28620

  • Remove overriding of index pattern on the Kubernetes overview dashboard. 29676

Packetbeat

  • Redis: fix incorrectly handle with two-words redis command. 14872 14873

  • event.category no longer contains the value network_traffic because this is not a valid ECS event category value. 20556

  • Remove deprecated TLS fields in favor of tls.server.x509 and tls.client.x509 ECS fields. 28487

  • HTTP: The field http.request.method will maintain its original case. 28620

  • Unify gopacket dependencies. 29167

Winlogbeat

  • Add support to Sysmon file delete events (event ID 23). 18094

  • Improve ECS field mappings in Sysmon module. related.hash, related.ip, and related.user are now populated. 18364

  • Improve ECS field mappings in Sysmon module. Hashes are now also populated to the corresponding process.hash, process.pe.imphash, file.hash, or file.pe.imphash. 18364

  • Improve ECS field mappings in Sysmon module. file.name, file.directory, and file.extension are now populated. 18364

  • Improve ECS field mappings in Sysmon module. rule.name is populated for all events when present. 18364

  • Remove top level hash property from sysmon events 20653

  • Move module processing from local Javascript processor to ingest node 29184 29435

  • Fix run loop when reading from evtx file 30006

Functionbeat

Bugfixes

Affecting all Beats

Auditbeat

  • system/package: Fix parsing of Installed-Size field of DEB packages. 16661 17188

  • system module: Fix panic during initialisation when /proc/stat can’t be read. 17569

  • system/package: Fix an error that can occur while trying to persist package metadata. 18536 18887

  • system/socket: Fix bugs leading to wrong process being attributed to flows. 29166 17165

  • system/socket: Fix process name and arg truncation for long names, paths and args lists. 24667 29410

  • system/socket: Fix startup errors on newer 5.x kernels due to missing _do_fork function. 29607 29744

  • libbeat/processors/add_process_metadata: Fix memory leak in process cache. 24890 29717

Filebeat

  • aws-s3: Stop trying to increase SQS message visibility after ReceiptHandleIsInvalid errors. 29480

  • Fix handling of IPv6 addresses in netflow flow events. 19210 29383

  • Fix sophos KV splitting and syslog header handling 24237 29331

  • Undo deletion of endpoint config from cloudtrail fileset in 29415. 29450

  • Make Cisco ASA and FTD modules conform to the ECS definition for event.outcome and event.type. 29581 29698

  • ibmmq: Fixed @timestamp not being populated with correct values. 29773

  • Fix using log_group_name_prefix in aws-cloudwatch input. 29695

  • aws-s3: Improve gzip detection to avoid false negatives. 29968

Heartbeat

  • Fix race condition in http monitors using mode:all that can cause crashes. pull

  • Fix broken ICMP availability check that prevented heartbeat from starting in rare cases. pull

Metricbeat

  • Use xpack.enabled on SM modules to write into .monitoring indices when using Metricbeat standalone 28365

  • Fix in rename processor to ingest metrics for write.iops to proper field instead of write_iops in rds metricset. 28960

  • Enhance filter check in kubernetes event metricset. 29470

  • Fix gcp metrics metricset apply aligner to all metric_types 29513

  • Extract correct index property in kibana.stats metricset 29622

  • Fixed bug with elasticsearch/cluster_stats metricset not recording license expiration date correctly. 29711

  • Fixed GCP GKE Overview dashboard 29913

Packetbeat

  • Prevent incorrect use of AMQP protocol parsing from causing silent failure. 29017

  • Fix error handling in MongoDB protocol parsing. 29017

Winlogbeat

  • Add provider names to Security pipeline conditional check in routing pipeline. 27288 29781

Functionbeat

Elastic Logging Plugin

Added

Affecting all Beats

  • Add config option rotate_on_startup to file output 19150 19347

  • Name all k8s workqueue. 28085

  • Update to ECS 8.0 fields. 28620

  • Support custom analyzers in fields.yml. 28540 28926

  • Discover changes in Kubernetes nodes metadata as soon as they happen. 23139

  • Support self signed certificates on outputs 29229

  • Update k8s library 29394

  • Add FIPS configuration option for all AWS API calls. 28899

  • Add default_region config to AWS common module. 29415

  • Add support for latest k8s versions v1.23 and v1.22 29575

  • Only connect to Elasticsearch instances with the same version or newer. 29683

  • Move umask from code to service files. 29708

Auditbeat

  • system/process: Prevent hashing files in other mnt namespaces. 25777 29678 29786

Filebeat

  • Add text/csv decoder to httpjson input 28564

  • Update aws-s3 input to connect to non AWS S3 buckets 28222 28234

  • Add support for '/var/log/pods/' path for add_kubernetes_metadata processor with resource_type: pod. 28868

  • Add documentation for add_kubernetes_metadata processors log_path matcher. 28868

  • Add support for parsers on journald input 29070

  • Add support in httpjson input for oAuth2ProviderDefault of password grant_type. 29087

  • Add support for filtering in journald input with unit, kernel, identifiers and include_matches. 29294

  • Add new userAgent and beatInfo template functions for httpjson input 29528

Heartbeat

  • More errors are now visible in ES with new logic failing monitors later to ease debugging. pull

Metricbeat

  • Preliminary AIX support 27954

  • Add option to skip older k8s events 29396

  • Add add_resource_metadata configuration to Kubernetes module. 29133

  • Add containerd module with cpu, memory, blkio metricsets. 29247

  • Add container.id and container.runtime ECS fields in container metricset. 29560

  • Add memory.workingset.limit.pct field in Kubernetes container/pod metricset. 29547

  • Add k8s metadata in state_cronjob metricset. 29572

  • Add elasticsearch.cluster.id field to Beat and Kibana modules. 29577

  • Add elasticsearch.cluster.id field to Logstash module. 29625

Packetbeat

Functionbeat

Winlogbeat

  • Add support for custom XML queries 1054 29330

  • Add support for sysmon event ID 26; FileDeleteDetected. 26280 29957

Elastic Log Driver

  • Fixed docs for hosts 23644

Deprecated

Affecting all Beats

Filebeat

Heartbeat

Metricbeat

Packetbeat

Winlogbeat

Functionbeat

Known Issue

Journalbeat