Breaking changes in 7.15
editBreaking changes in 7.15
editSee the release notes for a complete list of changes, including changes to beta or experimental functionality.
Beats dashboard import and export requires Kibana 7.15
editLoading Kibana assets (such as dashboards and index templates) relies on the Saved Object API. Therefore, to provide a reliable service, Beats requires Kibana 7.15 to import and export dashboards.
Field changes
edit-
In Filebeat, the
log.path
field has been renamed tolog.file.path
in thefilestream
input to be consistent with thelog
input and ECS. -
In Filebeat, alias fields that were used to point to ECS fields from modules are now removed. The following alias fields were removed from the Suricata and Traefik modules:
-
suricata.eve.fileinfo.filename
-
suricata.eve.fileinfo.size
-
suricata.eve.dest_port
-
suricata.eve.src_port
-
suricata.eve.proto
-
suricata.eve.src_ip
-
suricata.eve.dest_ip
-
suricata.eve.http.status
-
suricata.eve.http.http_user_agent
-
suricata.eve.http.http_refer
-
suricata.eve.http.url
-
suricata.eve.http.hostname
-
suricata.eve.http.http_refer
-
suricata.eve.http.url
-
suricata.eve.http.hostname
-
suricata.eve.http.length
-
suricata.eve.http.http_method
-
suricata.eve.alert.severity
-
suricata.eve.alert.action
-
suricata.eve.flow.bytes_toclient
-
suricata.eve.flow.start
-
suricata.eve.flow.pkts_toclient
-
suricata.eve.flow.bytes_toserver
-
suricata.eve.flow.pkts_toserver
-
suricata.eve.app_proto
-
traefik.access.user_agent.device
-
-
In Heartbeat, the
event.dataset
value is now set to the monitor type / Fleet dataset to fix inconsistencies between Heartbeat and Fleet.
Filebeat Crowdstrike ingest pipeline no longer flattens process
fields
editIn previous releases, the ingest pipeline used by the Crowdstrike module
flattened process
fields instead of creating nested fields. The mix of
flattened and nested fields with similar names was confusing and led to errors
when running queries or automated processes that expect nested fields. To fix
this problem, the ingest pipeline no longer flattens process
fields.
Heartbeat watch_poll
functionality has been removed
editThe Heartbeat watch_poll
functionality was deprecated a long time ago, and has
been completely removed in 7.15.