Beats version 7.0.0-alpha1

edit

View commits

Breaking changes

edit

Affecting all Beats

  • Dissect syntax change, use * instead of ? when working with field reference. 8054

Auditbeat

  • Use initial_scan action for new paths. 7954
  • Rename beat.name to agent.type, beat.hostname to agent.hostname, beat.version to agent.version.
  • Rename source.hostname to source.domain in the auditd module. 9027

Filebeat

  • Rename fileset.name to event.name. 8879
  • Rename fileset.module to event.module. 8879
  • Rename source to log.file.path and log.source.ip 8902
  • Remove the deprecated prospector(s) option in the configuration use input(s) instead. 8909
  • Rename offset to log.offset. 8923
  • Rename source_ecs to source in the Filebeat Suricata module. 8983

Bugfixes

edit

Affecting all Beats

  • Fixed -d CLI flag by trimming spaces from selectors. 7864
  • Fixed Support add_docker_metadata in Windows by identifying systems' path separator. 7797
  • Do not panic when no tokenizer string is configured for a dissect processor. 8895
  • Start autodiscover consumers before producers. 7926

Filebeat

  • Fixed a memory leak when harvesters are closed. 7820
  • Fix improperly set config for CRI Flag in Docker Input 8899
  • Just enabling the elasticsearch fileset and starting Filebeat no longer causes an error. 8891
  • Fix macOS default log path for elasticsearch module based on homebrew paths. {pul}8939[8939]

Heartbeat

  • Heartbeat now always downloads the entire body of HTTP endpoints, even if no checks against the body content are declared. This fixes an issue where timing metrics would be incorrect in scenarios where the body wasn’t used since the connection would be closed soon after the headers were sent, but before the entire body was. 8894
  • Host header can now be overridden for HTTP requests sent by Heartbeat monitors. 9516

Metricbeat

  • Fix golang.heap.gc.cpu_fraction type from long to float in Golang module. 7789
  • Add missing namespace field in http server metricset 7890
  • Fix race condition when enriching events with kubernetes metadata. 9055 9067

Packetbeat

  • Fixed the mysql missing transactions if monitoring a connection from the start. 8173

Added

edit

Affecting all Beats

  • Add field host.os.kernel to the add_host_metadata processor and to the internal monitoring data. 7807
  • Add debug check to logp.Logger 7965
  • Count HTTP 429 responses in the elasticsearch output 8056
  • Allow Bus to buffer events in case listeners are not configured. 8527
  • Dissect will now flag event on parsing error. 8751
  • add_cloud_metadata initialization is performed asynchronously to avoid delays on startup. 8845
  • Add DeDot method in add_docker_metadata processor in libbeat. 9350 9505

Filebeat

  • Make inputsource generic taking bufio.SplitFunc as input 7746
  • Add custom unpack to log hints config to avoid env resolution 7710
  • Make docker input check if container strings are empty 7960
  • Keep unparsed user agent information in user_agent.original. 8537
  • Allow to force CRI format parsing for better performance 8424

Heartbeat

  • Add automatic config file reloading. 8023

Journalbeat

  • Add the ability to check against JSON HTTP bodies with conditions. 8667

Metricbeat

  • Add metrics about cache size to memcached module 7740
  • Add experimental socket summary metricset to system module 6782
  • Collect custom cluster display_name in elasticsearch/cluster_stats metricset. 8445
  • Test etcd module with etcd 3.3. 9068
  • All elasticsearch metricsets now have module-level cluster.id and cluster.name fields. 8770 8771 9164 9165 9166 9168
  • All elasticsearch node-level metricsets now have node.id and node.name fields. 9168 9209

Packetbeat

  • Add support to decode HTTP bodies compressed with gzip and deflate. 7915
  • Added support to calculate certificates' fingerprints (MD5, SHA-1, SHA-256). 8180
  • Support new TLS version negotiation introduced in TLS 1.3. 8647.