CHANGELOG.next.asciidoc

Beats version HEAD

Breaking changes

Affecting all Beats

Auditbeat

Filebeat

  • Fixed error spam from add_kubernetes_metadata processor when running on AKS. 33697

  • Metrics hosted by the HTTP monitoring endpoint for the aws-cloudwatch, aws-s3, cel, and lumberjack inputs are now available under /inputs/ instead of /dataset.

  • The close.on_state_change.inactive default value is now set to 5 minutes, matching the documentation.

Heartbeat

Metricbeat

Packetbeat

Winlogbeat

  • Corrects issue with security events with source IP of "LOCAL" or "Unknown" failing to ingest 19627 34295

  • Added processing for Windows Event IDs 4797, 5379, 5380, 5381, and 5382 for the Security Ingest Pipeline 34293 34294

  • Added processing for Windows Event IDs 5140 and 5145 for the Security Ingest Pipeline 34352

Functionbeat

Bugfixes

Affecting all Beats

  • Fix Windows service install/uninstall when Win32_Service returns error, add logic to wait until the Windows Service is stopped before proceeding. 33322

  • Support for multiline zookeeper logs 2496

  • Allow clock_nanosleep in the default seccomp profiles for amd64 and 386. Newer versions of glibc (e.g. 2.31) require it. 33792

  • Disable lockfile when running under elastic-agent. 33988

  • Fix lockfile logic, retry locking 34194

  • Add checks to ensure reloading of units if the configuration actually changed. 34346

  • Fix namespacing on self-monitoring 32336

  • Fix race condition when stopping runners 32433

  • Fix concurrent map writes when system/process code called from reporter code 32491

  • Log errors from the Elastic Agent V2 client errors channel. Avoids blocking when an error occurs communicating with the Elastic Agent. 34392

  • Only log publish event messages in trace log level under elastic-agent. 34391

Auditbeat

Filebeat

  • [Auditbeat System Package] Added support for Apple Silicon chips. 34433

  • [Azure blob storage] Changed logger field name from container to container_name so that it does not clash with the ecs field name container. 34403

  • [GCS] Added support for more mime types & introduced offset tracking via cursor state. Also added support for automatic splitting at root level, if root level element is an array. 34155

  • [httpjson] Improved error handling during pagination with chaining & split processor 34127

  • [Azure blob storage] Added support for more mime types & introduced offset tracking via cursor state. 33981

  • Fix EOF on single line not producing any event. 30436 33568

  • Fix handling of error in states in direct aws-s3 listing input 33513 33722

  • Fix httpjson input page number initialization and documentation. 33400

  • Add handling of AAA operations for Cisco ASA module. 32257 32789

  • Fix gc.log always shipped even if gc fileset is disabled 30995

  • Fix handling of empty array in httpjson input. 32001

  • Fix reporting of filebeat.events.active in log events such that the current value is always reported instead of the difference from the last value. 33597

  • Fix splitting array of strings/arrays in httpjson input 30345 33609

  • Fix Google workspace pagination and document ID generation. 33666

  • Fix PANW handling of messages with event.original already set. 33829 33830

  • Rename identity as identity_name when the value is a string in Azure Platform Logs. 33654

  • Fix 'requires pointer' error while getting cursor metadata. 33956

  • Fix input cancellation handling when HTTP client does not support contexts. 33962 33968

  • Update mito CEL extension library to v0.0.0-20221207004749-2f0f2875e464 33974

  • Fix CEL result deserialisation when evaluation fails. 33992 33996

  • Fix handling of non-200/non-429 status codes. 33999 34002

  • [azure-eventhub input] Switch the run EPH run mode to non-blocking 34075

  • [google_workspace] Fix pagination and cursor value update. 34274

  • Fix handling of quoted values in auditd module. 22587 34069

  • Fixing system tests not returning expected content encoding for azure blob storage input. 34412

Heartbeat

  • Fix broken zip URL monitors. NOTE: Zip URL Monitors will be removed in version 8.7 and replaced with project monitors. 33723

  • Fix bug where states.duration_ms was incorrect type. 33563

  • Fix handling of long UDP messages in UDP input. 33836 33837

  • Fix browser monitor summary reporting as up when monitor is down. 33374 33819

  • Fix beat capabilities on Docker image. 33584

  • Fix serialization of state duration to avoid scientific notation. 34280

Heartbeat

Auditbeat

Filebeat

  • Allow the misp fileset in the Filebeat threatintel module to ignore CIDR ranges for an IP field. 29949 34195

Auditbeat

Filebeat

Heartbeat

Metricbeat

  • In module/windows/perfmon, changed collection method of the second counter value required to create a displayable value 32305

  • Fix and improve AWS metric period calculation to avoid zero-length intervals 32724

  • Add missing cluster metadata to k8s module metricsets 32979 33032

  • Add GCP CloudSQL region filter 32943

  • Fix logstash cgroup mappings 33131

  • Remove unused elasticsearch.node_stats.indices.bulk.avg_time.bytes mapping 33263

  • Fix kafka dashboard field names 33555

  • Add tags to events based on parsed identifier. 33472

  • Support Oracle-specific connection strings in SQL module 32089 32293

  • Remove deprecated metrics from controller manager, scheduler and proxy 34161

Osquerybeat

Packetbeat

Winlogbeat

Functionbeat

  • Fix Kinesis events timestamp to use timestamp of the event record instead of when the record was processed 33593

Elastic Logging Plugin

Added

Affecting all Beats

  • Added append Processor which will append concrete values or values from a field to target. 29934 33364

Auditbeat

Filebeat

  • Add documentation for decode_xml_wineventlog processor field mappings. 32456

  • httpjson input: Add request tracing logger. 32402 32412

  • Add cloudflare R2 to provider list in AWS S3 input. 32620

  • Add support for single string containing multiple relation-types in getRFC5988Link. 32811

  • Fix handling of invalid UserIP and LocalIP values. 32896

  • Allow http_endpoint instances to share ports. 32578 33377

  • Improve httpjson documentation for split processor. 33473

  • Added separation of transform context object inside httpjson. Introduced new clause .parent_last_response.* 33499

  • Cloud Foundry input uses server-side filtering when retrieving logs. 33456

  • Add parse_aws_vpc_flow_log processor. 33656

  • Update aws.vpcflow dataset in AWS module to have a configurable log format and to produce ECS 8.x fields. 33699

  • Modified aws-s3 input to reduce mutex contention when multiple SQS messages are being processed concurrently. 33658

  • Disable "event normalization" processing for the aws-s3 input to reduce allocations. 33673

  • Add Common Expression Language input. 31233

  • Add support for http+unix and http+npipe schemes in httpjson input. 33571 33610

  • Add support for http+unix and http+npipe schemes in cel input. 33571 33712

  • Add decode_duration, move_fields processors. 31301

  • Add backup to bucket and delete functionality for the aws-s3 input. 30696 33559

  • Add metrics for UDP packet processing. 33870

  • Convert UDP input to v2 input. 33930

  • Improve collection of risk information from Okta debug data. 33677 34030

  • Adding filename details from zip to response for httpjson 33952 34044

  • Allow user configuration of keep-alive behaviour for HTTPJSON and CEL inputs. 33951 34014

  • Add support for polling system UDP stats for UDP input metrics. 34070

  • Add support for recognizing the log level in Elasticsearch JVM logs 34159

  • Added metric sqs_lag_time for aws-s3 input. 34306

  • Add metrics for TCP packet processing. 34333

  • Add metrics for unix socket packet processing. 34335

  • Add beta take over mode for filestream for simple migration from log inputs 34292

  • Add pagination support for Salesforce module. 34057 34065

  • Allow users to redact sensitive data from CEL input debug logs. 34302

  • Added support for HTTP destination override to Google Cloud Storage input. 34413

  • Add support for new Rabbitmq timestamp format for logs 34211

  • Allow user configuration of timezone offset in Cisco ASA and FTD modules. 34436

Auditbeat

Filebeat

Heartbeat

  • Remove host and port matching restrictions on hint-generated monitors. 34376

Metricbeat

  • Add Data Granularity option to AWS module to allow for fewer API calls of longer periods and keep small intervals. 33133 33166

  • Update README file on how to run Metricbeat on Kubernetes. 33308

  • Add per-thread metrics to system_summary 33614

  • Add GCP CloudSQL metadata 33066

  • Remove GCP Compute metadata cache 33655

  • Add support for multiple regions in GCP 32964

  • Add GCP Redis regions support 33728

  • Add namespace metadata to all namespaced kubernetes resources. 33763

  • Changed cloudwatch module to call ListMetrics API only once per region, instead of per AWS namespace 34055

  • Add beta ingest_pipeline metricset to Elasticsearch module for ingest pipeline monitoring 34012

  • Handle duplicated TYPE line for prometheus metrics 18813 33865

Packetbeat

  • Add option to allow sniffer to change device when default route changes. 31905 32681

  • Add option to allow sniffing multiple interface devices. 31905 32933

  • Bump Windows Npcap version to v1.71. 33164 33172

  • Add fragmented IPv4 packet reassembly. 33012 33296

  • Reduce logging level for ENOENT to WARN when mapping sockets to processes. 33793 33854

  • Add metrics for TCP and UDP packet processing. 33833 34353

  • Allow user to prevent Npcap library installation on Windows. 34420 34428

Packetbeat

Functionbeat

Winlogbeat

  • Add metrics for log event processing. 33922

Elastic Log Driver

Deprecated

Affecting all Beats

Filebeat

Heartbeat

Metricbeat

Packetbeat

Winlogbeat

Functionbeat

Known Issue