CHANGELOG.next.asciidoc

Beats version HEAD

Breaking changes

Affecting all Beats

Auditbeat

Filebeat

  • Fixed error spam from add_kubernetes_metadata processor when running on AKS. 33697

  • Metrics hosted by the HTTP monitoring endpoint for the aws-cloudwatch, aws-s3, cel, and lumberjack inputs are now available under /inputs/ instead of /dataset.

  • The close.on_state_change.inactive default value is now set to 5 minutes, matching the documentation.

Heartbeat

Metricbeat

Packetbeat

Winlogbeat

  • Corrects issue with security events with source IP of "LOCAL" or "Unknown" failing to ingest 19627 34295

  • Added processing for Windows Event IDs 4797, 5379, 5380, 5381, and 5382 for the Security Ingest Pipeline 34293 34294

  • Added processing for Windows Event IDs 5140 and 5145 for the Security Ingest Pipeline 34352

Functionbeat

Bugfixes

Affecting all Beats

  • Fix Windows service install/uninstall when Win32_Service returns error, add logic to wait until the Windows Service is stopped before proceeding. 33322

  • Support for multiline zookeeper logs 2496

  • Allow clock_nanosleep in the default seccomp profiles for amd64 and 386. Newer versions of glibc (e.g. 2.31) require it. 33792

  • Disable lockfile when running under elastic-agent. 33988

  • Fix lockfile logic, retry locking 34194

  • Add checks to ensure reloading of units if the configuration actually changed. 34346

  • Fix namespacing on self-monitoring 32336

  • Fix race condition when stopping runners 32433

  • Fix concurrent map writes when system/process code called from reporter code 32491

  • Log errors from the Elastic Agent V2 client errors channel. Avoids blocking when an error occurs communicating with the Elastic Agent. 34392

  • Only log publish event messages in trace log level under elastic-agent. 34391

  • Fix issue where updating a single Elastic Agent configuration unit results in other units being turned off. 34504

  • Fix dropped events when monitoring a Beat under the agent and sending its Host info log entry. 34599

  • Fix panics when a processor is closed twice 34647

  • Update elastic-agent-system-metrics to v0.4.6 to allow builds on mips platforms. 34674

  • The Elasticsearch output now splits large requests instead of dropping them when it receives a StatusRequestEntityTooLarge error. 34911

  • Fix Beats started by agent not respecting the allow_older_versions: true configuration flag 34227 34964

  • Fix performance issues when a lot of inputs are starting and stopping by allowing global processors to be disabled under fleet. 35000 35031

  • In cases where the matcher detects a non-string type in a match statement, report the error as a debug statement, and not a warning statement. 35119

Auditbeat

Filebeat

  • [Auditbeat System Package] Added support for Apple Silicon chips. 34433

  • [Azure blob storage] Changed logger field name from container to container_name so that it does not clash with the ecs field name container. 34403

  • [GCS] Added support for more mime types & introduced offset tracking via cursor state. Also added support for automatic splitting at root level, if root level element is an array. 34155

  • [httpjson] Improved error handling during pagination with chaining & split processor 34127

  • [Azure blob storage] Added support for more mime types & introduced offset tracking via cursor state. 33981

  • Fix EOF on single line not producing any event. 30436 33568

  • Fix handling of error in states in direct aws-s3 listing input 33513 33722

  • Fix httpjson input page number initialization and documentation. 33400

  • Add handling of AAA operations for Cisco ASA module. 32257 32789

  • Fix gc.log always shipped even if gc fileset is disabled 30995

  • Fix handling of empty array in httpjson input. 32001

  • Fix reporting of filebeat.events.active in log events such that the current value is always reported instead of the difference from the last value. 33597

  • Fix splitting array of strings/arrays in httpjson input 30345 33609

  • Fix Google workspace pagination and document ID generation. 33666

  • Fix PANW handling of messages with event.original already set. 33829 33830

  • Rename identity as identity_name when the value is a string in Azure Platform Logs. 33654

  • Fix 'requires pointer' error while getting cursor metadata. 33956

  • Fix input cancellation handling when HTTP client does not support contexts. 33962 33968

  • Update mito CEL extension library to v0.0.0-20221207004749-2f0f2875e464 33974

  • Fix CEL result deserialisation when evaluation fails. 33992 33996

  • Fix handling of non-200/non-429 status codes. 33999 34002

  • [azure-eventhub input] Switch the EPH run mode to non-blocking 34075

  • [google_workspace] Fix pagination and cursor value update. 34274

  • Fix handling of quoted values in auditd module. 22587 34069

  • Fixing system tests not returning expected content encoding for azure blob storage input. 34412

  • [Azure Logs] Fix authentication_processing_details parsing in sign-in logs. 34330 34478

  • Prevent Elasticsearch from spewing log warnings about redundant wildcard when setting up ingest pipelines. 34249 34550

  • Gracefully handle Windows event channel not found errors in winlog input. 30201 34605

  • Fix the issue of cometd input worker getting closed in case of a network connection issue and an EOF error. 34326 34327

  • Fix for httpjson first_response object throwing false positive errors by making it a flag based object 34747 34748

  • Fix errors and panics due to re-used processors 34761

  • Add missing Basic Authentication support to CEL input 34609 34689

  • [Gcs Input] - Added missing locks for safe concurrency 34914

  • Fix the ignore_inactive option being ignored in Filebeat’s filestream input 34770

  • Fix TestMultiEventForEOFRetryHandlerInput unit test of CometD input 34903

  • Add input instance id to request trace filename for httpjson and cel inputs 35024

  • Fix panic in TCP and UDP inputs on Linux when collecting socket metrics from OS. 35064

  • Correctly collect TCP and UDP metrics for unspecified address values. 35111

  • Fix base for UDP and TCP queue metrics and UDP drops metric. 35123

Heartbeat

  • Fix panics when dereferencing an invalid parsed URL. 34702

  • Fix broken zip URL monitors. NOTE: Zip URL Monitors will be removed in version 8.7 and replaced with project monitors. 33723

  • Fix integration hashing to prevent reloading all when updated. 34697

  • Fix release of job limit semaphore when context is cancelled. 34697

  • Fix bug where states.duration_ms was incorrect type. 33563

  • Fix handling of long UDP messages in UDP input. 33836 33837

  • Fix browser monitor summary reporting as up when monitor is down. 33374 33819

  • Fix beat capabilities on Docker image. 33584

  • Fix serialization of state duration to avoid scientific notation. 34280

  • Enable nodejs engine strict validation when bundling synthetics. 34470

  • Fix broken mapping for state.ends field. 34891

  • Fix issue using projects in airgapped environments by disabling npm audit. 34936

Filebeat

  • Allow the misp fileset in the Filebeat threatintel module to ignore CIDR ranges for an IP field. 29949 34195

  • Remove incorrect reference to CEL ext extensions package. 34610 34620

  • Fix handling of RFC5988 links' relation parameters by getRFC5988Link in HTTPJSON. 34603 34622

  • Drop empty API response events for Microsoft module. 34786 34893

Metricbeat

  • In module/windows/perfmon, changed collection method of the second counter value required to create a displayable value 32305

  • Fix and improve AWS metric period calculation to avoid zero-length intervals 32724

  • Add missing cluster metadata to k8s module metricsets 32979 33032

  • Add GCP CloudSQL region filter 32943

  • Fix logstash cgroup mappings 33131

  • Remove unused elasticsearch.node_stats.indices.bulk.avg_time.bytes mapping 33263

  • Fix kafka dashboard field names 33555

  • Add tags to events based on parsed identifier. 33472

  • Support Oracle-specific connection strings in SQL module 32089 32293

  • Remove deprecated metrics from controller manager, scheduler and proxy 34161

  • Fix metrics split through different events and metadata not matching for aws cloudwatch. 34483

  • Fix metadata enricher with correct container ids for pods with multiple containers in container metricset. Align kubernetes.container.id and container.id fields for state_container metricset. 34516

  • Make generic SQL GA 34637

  • Collect missing remote_cluster in elasticsearch ccr metricset 34957

Osquerybeat

  • Adds the elastic_file_analysis table to the Osquery extension for macOS builds. 35056

Packetbeat

  • Fix documentation for flows.period related to flow reporting. 35009

Winlogbeat

  • Fix handling of event data with keys containing dots. 34345 34549

  • Gracefully handle channel not found errors. 30201 34605

  • Clarify query term limits warning and remove link to missing Microsoft doc page. 34715

  • Improve documentation for event_logs.name configuration. 34931

Functionbeat

  • Fix Kinesis events timestamp to use timestamp of the event record instead of when the record was processed 33593

Elastic Logging Plugin

Added

Affecting all Beats

  • Added append Processor which will append concrete values or values from a field to target. 29934 33364

  • Allow users to enable features via configuration, starting with the FQDN reporting feature. 1070 34456

Auditbeat

Filebeat

  • Add documentation for decode_xml_wineventlog processor field mappings. 32456

  • httpjson input: Add request tracing logger. 32402 32412

  • Add cloudflare R2 to provider list in AWS S3 input. 32620

  • Add support for single string containing multiple relation-types in getRFC5988Link. 32811

  • Fix handling of invalid UserIP and LocalIP values. 32896

  • Allow http_endpoint instances to share ports. 32578 33377

  • Improve httpjson documentation for split processor. 33473

  • Added separation of transform context object inside httpjson. Introduced new clause .parent_last_response.* 33499

  • Cloud Foundry input uses server-side filtering when retrieving logs. 33456

  • Add parse_aws_vpc_flow_log processor. 33656

  • Update aws.vpcflow dataset in AWS module to have a configurable log format and to produce ECS 8.x fields. 33699

  • Modified aws-s3 input to reduce mutex contention when multiple SQS messages are being processed concurrently. 33658

  • Disable "event normalization" processing for the aws-s3 input to reduce allocations. 33673

  • Add Common Expression Language input. 31233

  • Add support for http+unix and http+npipe schemes in httpjson input. 33571 33610

  • Add support for http+unix and http+npipe schemes in cel input. 33571 33712

  • Add decode_duration, move_fields processors. 31301

  • Add backup to bucket and delete functionality for the aws-s3 input. 30696 33559

  • Add metrics for UDP packet processing. 33870

  • Convert UDP input to v2 input. 33930

  • Improve collection of risk information from Okta debug data. 33677 34030

  • Adding filename details from zip to response for httpjson 33952 34044

  • Allow user configuration of keep-alive behaviour for HTTPJSON and CEL inputs. 33951 34014

  • Add support for polling system UDP stats for UDP input metrics. 34070

  • Add support for recognizing the log level in Elasticsearch JVM logs 34159

  • Add new Entity Analytics input with Azure Active Directory support. 34305

  • Added metric sqs_lag_time for aws-s3 input. 34306

  • Add metrics for TCP packet processing. 34333

  • Add metrics for unix socket packet processing. 34335

  • Add beta take over mode for filestream for simple migration from log inputs 34292

  • Add pagination support for Salesforce module. 34057 34065

  • Allow users to redact sensitive data from CEL input debug logs. 34302

  • Added support for HTTP destination override to Google Cloud Storage input. 34413

  • Added metric sqs_messages_waiting_gauge for aws-s3 input. 34488

  • Add support for new Rabbitmq timestamp format for logs 34211

  • Allow user configuration of timezone offset in Cisco ASA and FTD modules. 34436

  • Allow user configuration of timezone offset in Checkpoint module. 34472

  • Add support for Okta debug attributes, risk_reasons, risk_behaviors and factor. 33677 34508

  • Fill okta.request.ip_chain.* as a flattened object in Okta module. 34621

  • Fixed GCS log format issues. 34659

  • Add nginx.ingress_controller.upstream.ip to related.ip 34645 34672

  • Include NAT and firewall IPs in related.ip in Fortinet Firewall module. 34640 34673

  • Add Basic Authentication support on constructed requests to CEL input 34609 34689

  • Add string manipulation extensions to CEL input 34610 34689

  • Add unix socket log parsing for nginx ingress_controller 34732

  • Added metric sqs_worker_utilization for aws-s3 input. 34793

  • Improve CEL input documentation 34831

  • Add metrics documentation for CEL and AWS CloudWatch inputs. 34887 34889

  • Register MIME handlers for CSV types in CEL input. 34934

  • Add MySQL authentication message parsing and related.ip and related.user fields 34810

  • Mention mito CEL tool in CEL input docs. 34959

  • Add nginx ingress_controller parsing if one of upstreams fails to return response 34787

  • Allow netflow v9 and ipfix templates to be shared between source addresses. 35036

  • Add support for collecting IPv6 metrics. 35123

Auditbeat

  • Migration of system/package module storage from gob encoding to flatbuffer encoding in bolt db. 34817

Heartbeat

  • Users can now configure max scheduler job limits per monitor type via env var. 34307

  • Added status to monitor run log report.

  • Remove host and port matching restrictions on hint-generated monitors. 34376

Metricbeat

  • Add Data Granularity option to AWS module to allow for fewer API calls of longer periods and keep small intervals. 33133 33166

  • Update README file on how to run Metricbeat on Kubernetes. 33308

  • Add per-thread metrics to system_summary 33614

  • Add GCP CloudSQL metadata 33066

  • Remove GCP Compute metadata cache 33655

  • Add support for multiple regions in GCP 32964

  • Add GCP Redis regions support 33728

  • Add namespace metadata to all namespaced kubernetes resources. 33763

  • Changed cloudwatch module to call ListMetrics API only once per region, instead of per AWS namespace 34055

  • Add beta ingest_pipeline metricset to Elasticsearch module for ingest pipeline monitoring 34012

  • Handle duplicated TYPE line for prometheus metrics 18813 33865

  • Add GCP Carbon Footprint metricbeat data 34820

Packetbeat

  • Add option to allow sniffer to change device when default route changes. 31905 32681

  • Add option to allow sniffing multiple interface devices. 31905 32933

  • Bump Windows Npcap version to v1.71. 33164 33172

  • Add fragmented IPv4 packet reassembly. 33012 33296

  • Reduce logging level for ENOENT to WARN when mapping sockets to processes. 33793 33854

  • Add metrics for TCP and UDP packet processing. 33833 34353

  • Allow user to prevent Npcap library installation on Windows. 34420 34428

  • Add metrics documentation for TCP and UDP protocols. 34887 34889

Functionbeat

Winlogbeat

  • Add metrics for log event processing. 33922

  • Add metrics documentation for event processing. 34887 34889

  • Add note in documentation about 21 event ID clause limit 35048 35049

Elastic Log Driver

Deprecated

Affecting all Beats

Filebeat

Heartbeat

Metricbeat

Packetbeat

Winlogbeat

Functionbeat

Known Issue