2.4.0

New features in 2.4.0:

Important changes

- #3073 The Windows `registry` table was refactored to have a look and feel like the `file` table.
- #3049 Distributed (ad-hoc) queries now support discovery queries.
- #3087 & #3091 Improve events tables performance and protect against multiple queries overwriting sliding window optimizations.
- #3100 Add globbing support to the Windows `registry` table.
- #3120 Add the `auid` column to all Audit-based tables.
- #3115 Add status logging to AWS-based logger plugins.
Bug fixes

- #3065 Set a max size for RocksDB MANIFEST logs; this helps protect against very large transaction logs leading to massive on-disk files.
- #3098 Fix crash when sanitizing REG_NONE types from the Windows registry.
- #3106 Return blank or NULL values for `sha1`, `md5` and `sha256` when files cannot be hashed.
- #3116 Fix potential deadlock with periodic database reset.
- #3142 Fix reentry bug with our GLog logger sink leading to potential deadlocks.
Config options / CLI flags changes

- `--logger_min_status VALUE`: Minimum level for status log recording. 1=INFO, 2=WARNING, 3=ERROR
Table changes (from 2.3.4 to 2.4.0):

- Moved table `startup_items` from Darwin to All Platforms
- Added table `lldp_neighbors` to POSIX-compatible Platforms
- Added table `python_packages` to POSIX-compatible Platforms
- Added column `auid` (`BIGINT_TYPE`) to table `process_events`
- Added column `auid` (`BIGINT_TYPE`) to table `socket_events`
- Added column `auid` (`BIGINT_TYPE`) to table `user_events`
- Renamed table `syslog` to `syslog_events` on Ubuntu, CentOS (the alias `syslog` still exists)
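The `auid` column (#3120) is the Linux audit "login uid": it is set when a user logs in and is inherited across `su`/`sudo`, so it survives the identity change that `uid`/`euid` lose. The query below is an added example (osquery SQL run in `osqueryi`/a scheduled pack), not part of the release notes; it assumes the `users` table and the `process_events` columns `time`, `pid`, `path`, `cmdline` and `uid`, and that the kernel reports an unset login uid as 4294967295 (-1 as an unsigned 32-bit value), as it does for processes with no login session.

```sql
-- Added example, not from the osquery changelog.
-- Attribute root commands to the human whose login session ran them:
-- uid = 0 says the process ran as root, auid says who originally logged in.
SELECT
  datetime(pe.time, 'unixepoch') AS event_time,
  pe.pid,
  pe.path,
  pe.cmdline,
  pe.uid,
  pe.auid,
  u.username AS login_user
FROM process_events AS pe
LEFT JOIN users AS u ON u.uid = pe.auid
WHERE pe.uid = 0                 -- ran as root ...
  AND pe.auid != 0               -- ... but the session belongs to a non-root login
  AND pe.auid != 4294967295      -- skip daemons/cron jobs with no login session (assumed unset value)
ORDER BY pe.time DESC;

-- The same join works for socket_events and user_events, which gained the
-- column in this release, e.g. outbound connections per login user:
SELECT u.username AS login_user, se.remote_address, se.remote_port, count(*) AS connections
FROM socket_events AS se
LEFT JOIN users AS u ON u.uid = se.auid
WHERE se.auid != 4294967295
GROUP BY login_user, se.remote_address, se.remote_port;
```

Both queries only return rows when osquery is running with the audit-based event publisher enabled (`--disable_audit=false` and the relevant `--audit_allow_*` flags); without auditd-style collection the events tables stay empty and the `auid` column is never populated.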
Breaking Table API changes

- Removed column `hive` (`TEXT_TYPE`) from table `registry`
- Removed column `subkey` (`TEXT_TYPE`) from table `registry`

The `hive` and `subkey` columns have been combined into a `path` column.
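Any scheduled query or pack that constrained `hive` and `subkey` stops returning rows after this change, because the columns no longer exist. The following is an added example of the migration (it is not part of the release notes or osquery's own documentation); the pre-2.4.0 form assumes `hive` held the root key and `subkey` the rest of the key path, and the 2.4.0 form assumes the `name`, `type` and `data` columns of the current `registry` schema. It also shows the globbing support added in #3100 with the same `LIKE` wildcard the `file` table uses.

```sql
-- Added example, not from the osquery changelog.

-- Before 2.4.0: the key was split across hive and subkey (assumed layout).
SELECT *
FROM registry
WHERE hive = 'HKEY_LOCAL_MACHINE'
  AND subkey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run';

-- 2.4.0 and later: one path column. Like the file table, the registry
-- table is virtual and needs a path constraint to enumerate anything;
-- an unconstrained SELECT does not walk the whole registry.
SELECT path, name, type, data
FROM registry
WHERE path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\%';

-- Globbing (#3100): % matches a path component, so one query covers the
-- Run key of every loaded user hive instead of enumerating SIDs by hand.
-- Useful for persistence hunting across all logged-on users.
SELECT path, name, data
FROM registry
WHERE path LIKE 'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Run\%';
```

When migrating, grep packs for `hive` and `subkey` and rebuild the constraint as a single backslash-joined `path`; a query that still references the removed columns fails at parse time rather than silently returning nothing, so the scheduler's error log is the quickest place to find leftovers.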