Breaking changes in 7.15

edit

See the release notes for a complete list of changes, including changes to beta or experimental functionality.

Beats dashboard import and export requires Kibana 7.15

edit

Loading Kibana assets (such as dashboards and index templates) relies on the Saved Object API. Therefore, to provide a reliable service, Beats requires Kibana 7.15 to import and export dashboards.

Field changes

edit
  • In Filebeat, the log.path field has been renamed to log.file.path in the filestream input to be consistent with the log input and ECS.
  • In Filebeat, alias fields that were used to point to ECS fields from modules are now removed. The following alias fields were removed from the Suricata and Traefik modules:

    • suricata.eve.fileinfo.filename
    • suricata.eve.fileinfo.size
    • suricata.eve.dest_port
    • suricata.eve.src_port
    • suricata.eve.proto
    • suricata.eve.src_ip
    • suricata.eve.dest_ip
    • suricata.eve.http.status
    • suricata.eve.http.http_user_agent
    • suricata.eve.http.http_refer
    • suricata.eve.http.url
    • suricata.eve.http.hostname
    • suricata.eve.http.http_refer
    • suricata.eve.http.url
    • suricata.eve.http.hostname
    • suricata.eve.http.length
    • suricata.eve.http.http_method
    • suricata.eve.alert.severity
    • suricata.eve.alert.action
    • suricata.eve.flow.bytes_toclient
    • suricata.eve.flow.start
    • suricata.eve.flow.pkts_toclient
    • suricata.eve.flow.bytes_toserver
    • suricata.eve.flow.pkts_toserver
    • suricata.eve.app_proto
    • traefik.access.user_agent.device
  • In Heartbeat, the event.dataset value is now set to the monitor type / Fleet dataset to fix inconsistencies between Heartbeat and Fleet.

Filebeat Crowdstrike ingest pipeline no longer flattens process fields

edit

In previous releases, the ingest pipeline used by the Crowdstrike module flattened process fields instead of creating nested fields. The mix of flattened and nested fields with similar names was confusing and led to errors when running queries or automated processes that expect nested fields. To fix this problem, the ingest pipeline no longer flattens process fields.

Heartbeat watch_poll functionality has been removed

edit

The Heartbeat watch_poll functionality was deprecated a long time ago, and has been completely removed in 7.15.