IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Beats version 7.6.0
editBeats version 7.6.0
editBreaking changes
editAffecting all Beats
- Remove version information from default ILM policy for improved upgrade experience on custom policies. 14745
-
Running
setup
cmd respectssetup.ilm.overwrite
setting for improved support of custom policies. 14741 - Cleanup the x-pack licenser code to use the new license endpoint and the new format. Replaces the url /_xpack/license with /_license. 15091
- The document id fields has been renamed from @metadata.id to @metadata._id 15859
- Two Beat instances with the same data path cannot be run concurrently. 14069
Filebeat
- CEF extensions are now mapped to the data types defined in the CEF guide. 14342
Journalbeat
- Remove broken dashboard. 15288
Metricbeat
- Update cloudwatch metricset mapping for both metrics and dimensions. 15245
Packetbeat
Bugfixes
editAffecting all Beats
- Fix spooling to disk blocking infinitely if the lock file can not be acquired. 15338
-
Fix
metricbeat test output
with an ipv6 ES host in the output.hosts. 15368 -
Fix
convert
processor conversion of string to integer with leading zeros. 15513 15557 - Fix existing agent.*, ecs.version, and host.name fields getting overwritten by Beats if they are already present in the original event. 14407
- Fix issue where TLS settings would be ignored when a forward proxy was in use. $15516
- Beats no longer attempts to load dashboards if they are unavailable. 15802
Auditbeat
- system/socket: Fix compatibility issue with kernel 5.x. 15771
Filebeat
- Fix a problem in Filebeat input httpjson where interval is not used as time.Duration. 14728
- Fix SSL config in input.yml for Filebeat httpjson input in the MISP module. 14767
- Check content-type when creating new reader in s3 input. 15252 15225
- Fix session reset detection and a crash in Netflow input. 14904
- Handle errors in handleS3Objects function and add more debug messages for s3 input. 15545
- netflow: Allow for options templates without scope fields. 15449
- netflow: Fix bytes/packets counters on some devices (NSEL and Netstream). 15449
-
netflow: Fix compatibility with some Cisco devices by changing the field
class_id
from short to long. 15449 - Fix dashboard for Cisco ASA Firewall. 15420 15553
- Fix s3 input hanging with GetObjectRequest API call by adding context_timeout config. 15502 15590
- Add shared_credential_file to cloudtrail config. 15652 15656
- Fix typos in zeek notice fileset config file. 15764 15765
-
Prevent Elasticsearch from spewing log warnings about redundant wildcards when setting up ingest pipelines for the
elasticsearch
module. 15840 15900 -
Improve
elasticsearch/audit
fileset to handle timestamps correctly. 15942
Heartbeat
- Fix excessive memory usage introduced in 7.5 due to over-allocating memory for HTTP checks. 15639
Metricbeat
- Fix regular expression to detect instance name in perfmon metricset. 14273 14666
-
Fix
docker.container.size
fields values 14979 15224 -
Make
kibana
module more resilient to Kibana unavailability. 15258 15270 - Fix panic exception with some unicode strings in perfmon metricset. 15264
-
Make
logstash
module more resilient to Logstash unavailability. 15276 15306 - Add username/password in Metricbeat autodiscover hints 15349
- Add dedot for tags in ec2 metricset and cloudwatch metricset. 15843 15844
- Use RFC3339 format for timestamps collected using the SQL module. 15847
- Add dedot for cloudwatch metric name. 15916 15917
-
Fixed issue
logstash-xpack
module suddenly ceasing to monitor Logstash. 15974 16044
Added
editAffecting all Beats
- Add a friendly log message when a request to docker has exceeded the deadline. 15336
-
GA the
script
processor. 14325 -
Add
fingerprint
processor. 11173 14205 - Add support for API keys in Elasticsearch outputs. 14324
- Add consumer_lag in Kafka consumergroup metricset 14822
- Make use of consumer_lag in Kafka dashboard 14863
- Refactor kubernetes autodiscover to enable different resource based discovery 14738
-
Add
add_id
processor. 14524 - Enable TLS 1.3 in all beats. 12973
- Spooling to disk creates a lockfile on each platform. 15338
- Enable DEP (Data Execution Protection) for Windows packages. 15149
-
Users can now specify
monitoring.cloud.*
to overridemonitoring.elasticsearch.*
settings. 14399 15254 - Add support to kubernetes autodiscovery to add additional metadata from other source to events. 14875
- Update to ECS 1.4.0. 14844
- Add document_id setting to decode_json_fields processor. 15859
Filebeat
- Add new fileset googlecloud/audit for ingesting Google Cloud Audit logs. 15200
- Add dashboards to the CEF module (ported from the Logstash ArcSight module). 14342
- Add expand_event_list_from_field support in s3 input for reading json format AWS logs. 15357 15370
- Add azure-eventhub input which will use the azure eventhub go sdk. 14092 14882
-
Expose more metrics of harvesters (e.g.
read_offset
,start_time
). 13395 - Include log.source.address for unparseable syslog messages. 13268 15453
- Release aws elb fileset as GA. 15426 15380
- Integrate the azure-eventhub with filebeat azure module (replace the kafka input). 15480
- Release aws s3access fileset to GA. 15431 15430
- Add cloudtrail fileset to AWS module. 14657 15227
- New fileset googlecloud/firewall for ingesting Google Cloud Firewall logs. 14553
- google-pubsub input: ACK pub/sub message when acknowledged by publisher. 13346 14715
- Remove Beta label from google-pubsub input. 13346 14715
- Add dashboard for AWS ELB fileset. 15804
- Set event.outcome field based on googlecloud audit log output. 15731
- Add dashboard for AWS vpcflow fileset. 16007
Heartbeat
Metricbeat
-
Expand data for the
system/memory
metricset 15492 -
Add azure
storage
metricset in order to retrieve metric values for storage accounts. 14548 15342 - Add cost warnings for the azure module. 15356
- Release elb module as GA. 15485
-
Add a
system/network_summary
metricset 15196 - Allow Metricbeat’s beat module to read monitoring information over a named pipe or unix domain socket. 14558
- Enable script processor. 14711
- Add STAN dashboard 15654
Functionbeat