Beats version 7.10.0

edit

View commits

Breaking changes

edit

Affecting all Beats

  • Added certificate TLS verification mode to ignore server name mismatch. 12283 20293
  • Remove redundant cloudfoundry.*.timestamp fields. This value is set in @timestamp. 21175
  • Allow embedding of CAs, Certificate of private keys for anything that supports TLS in outputs and inputs 21179
  • API address is a required setting in add_cloudfoundry_metadata. 21759

Auditbeat

  • Change network.direction values to ECS recommended values (inbound, outbound). 12445 20695
  • Docker container needs to be explicitly run as user root for auditing. 21202
  • File integrity dataset no longer includes the leading dot in file.extension values (e.g. it will report "png" instead of ".png") to comply with ECS. 21644

Filebeat

  • Cisco 18753
  • CrowdStrike 19132
  • Fortinet 19133
  • iptables 18756
  • Checkpoint 18754
  • Netflow 19087
  • Zeek 19113 (forwarded tag is not included by default)
  • Suricata 19107 (forwarded tag is not included by default)
  • CoreDNS 19134 (forwarded tag is not included by default)
  • Envoy Proxy 19134 (forwarded tag is not included by default)

    • Move file metrics to dataset endpoint 19977
    • Fix PANW field spelling "veredict" to "verdict" on event.action 18808
    • Tracking session end reason in panw module. 18705
    • API address and shard ID are required settings in the Cloud Foundry input. 21759

Heartbeat

Journalbeat

Metricbeat

  • Remove "invalid zero" metrics on Windows and Darwin, don’t report linux-only memory and disk I/O metrics when running under agent. 21457
  • API address and shard ID are required settings in the Cloud Foundry module. 21759

Packetbeat

Winlogbeat

Functionbeat

Bugfixes

edit

Affecting all Beats

  • Remove unnecessary restarts of metricsets while using Node autodiscover 19974
  • [Metricbeat][Kubernetes] Change cluster_ip field from ip to keyword. 20571
  • [Autodiscover] Handle input-not-finished errors in config reload. 20915
  • Orderly close processors when processing pipelines are not needed anymore to release their resources. 16349
  • Fix parsing of expired licences. 21112 22180

Auditbeat

  • auditd: Fix spelling of anomaly in event.category.
  • auditd: Fix typo in event.action of removed-user-role-from. 19300
  • auditd: Fix typo in event.action of used-suspicious-link. 19300

Filebeat

  • Fix mapping of fortinet.firewall.mem as integer. 19335
  • Fix auditd module syscall table for ppc64 and ppc64le. 20052
  • Fix Filebeat OOMs on very long lines 19500, 19552
  • Ignore missing in Zeek module when dropping unecessary fields. 19984
  • Fix event.outcome logic for azure/siginlogs fileset 20254
  • Improve validation checks for Azure configuration 20369 20389
  • Fix event.kind for system/syslog pipeline 20365 20390
  • Fix event.type for zeek/ssl and duplicate event.category for zeek/connection 20696
  • Remove wrongly mapped tls.client.server_name from fortinet/firewall fileset. 20983
  • Handle multiple upstreams in ingress-controller. 21215
  • Provide backwards compatibility for the append processor when Elasticsearch is less than 7.10.0. 21159
  • Fix checkpoint module when logs contain time field. 20567
  • Fix syslog RFC 5424 parsing in the CheckPoint module. 21854
  • Fix incorrect connection state mapping in zeek connection pipeline. 22151 22149
  • Fix for field [source] not present as part of path [source.ip] error in azure pipelines. 22377
  • Fix handing missing eventtime and assignip field being set to N/A for fortinet module. 22361

Heartbeat

  • Add support for new service_name option to all monitors. 19932.

Journalbeat

Metricbeat

  • Add support for azure light metricset app_stats. 20639
  • Fix ec2 disk and network metrics to use Sum statistic method. 20680
  • Fix ec2 disk and network metrics to use Sum statistic method. 20680
  • Update fields.yml in the azure module, missing metrics field. 20918
  • Disable Kafka metricsets based on Jolokia by default. They require a different configuration. 20989
  • Fix timestamp handling in remote_write. 21166
  • Visualization title fixes in aws, azure and googlecloud compute dashboards. 21098
  • Fix retrieving resources by ID for the azure module. 21711 21707
  • Use timestamp from CloudWatch API when creating events. 21498
  • Report the correct windows events for system/filesystem 21758
  • Fix regular expression in windows/permfon. 22146 21125
  • Fix azure storage event format. 21845
  • Fix panic in kubernetes autodiscover related to keystores 21843 21880
  • [Kubernetes] Remove redundant dockersock volume mount 22009
  • Revert change to report process.memory.rss as process.memory.wss on Windows. 22055
  • Add interval information to monitor metricset in azure. 22152
  • Remove io.time from windows 22237
  • Fix instance name in perfmon metricset. 22218 22261

Packetbeat

Winlogbeat

  • Fix invalid IP addresses in DNS query results from Sysmon data. 18432 18436
  • Fix event.outcome in the security module for non-English languages. 20079 20564
  • Fields from Winlogbeat modules were not being included in index templates and patterns. 18983
  • Protect against accessing undefined variables in Sysmon module. 22219 22236

Functionbeat

  • Fix catchall bucket config errors by adding more validation. 17572 20887
  • Fix Google Cloud Function configuration issue. 20864 22156

Added

edit

Affecting all Beats

  • Add minimum cache TTL for successful DNS responses. 18986
  • Add support for DNS over TLS for the dns processor. 19321
  • Add leader election for Kubernetes autodiscover. 20281
  • Add capability of enriching process metadata with container id also for non-privileged containers in add_process_metadata processor. 19767
  • Add replace_fields config option in add_host_metadata for replacing host fields. 20490 20464
  • Add ingress controller dashboards. 21052
  • Added experimental citrix module. 20820
  • Added experimental cyberark module. 20820
  • Added experimental proofpoint module. 20820
  • Added experimental snort module. 20820
  • Added experimental symantec module. 20820
  • Added experimental dataset barracuda/spamfirewall. 20820
  • Added experimental dataset cisco/meraki. 20820
  • Added experimental dataset f5/bigipafm. 20820
  • Added experimental dataset fortinet/fortimail. 20820
  • Added experimental dataset fortinet/fortimanager. 20820
  • Added experimental dataset juniper/netscreen. 20820
  • Added experimental dataset sophos/utm. 20820
  • Add Cloud Foundry tags in related events. 21177
  • Cloud Foundry metadata is cached to disk. 20775
  • Add option to select the type of index template to load: legacy, component, index. 21212
  • Release add_cloudfoundry_metadata as GA. 21525
  • Added Kafka version 2.2 to the list of supported versions. 22328

Auditbeat

  • Add enrichment of auditd seccomp events with name of the architecture, syscall, and signal. 14055 19300

Filebeat

  • Add support for reading auditd logs that are prefixed with node=. 19659
  • Add event.ingested to all Filebeat modules. 20386
  • Add event.ingested for Suricata module 20220
  • Add support for custom header and headersecret for filebeat http_endpoint input 20435
  • Convert httpjson to v2 input 20226
  • Add event.ingested to all Filebeat modules. 20386
  • Return error when log harvester tries to open a named pipe. 18682 20450
  • Avoid goroutine leaks in Filebeat readers. 19193 20455
  • Improve Zeek x509 module with x509 ECS mappings 20867
  • Improve Zeek SSL module with x509 ECS mappings 20927
  • Added new properties field support for event.outcome in azure module 20998
  • Improve Zeek Kerberos module with x509 ECS mappings 20958
  • Improve Fortinet firewall module with x509 ECS mappings 20983
  • Improve Santa module with x509 ECS mappings 20976
  • Improve Suricata Eve module with x509 ECS mappings 20973
  • Added new module for Zoom webhooks 20414
  • Add type and sub_type to panw panos fileset 20912
  • Always attempt community_id processor on zeek module 21155
  • Add related.hosts ecs field to all modules 21160
  • Keep cursor state between httpjson input restarts 20751
  • Convert aws s3 to v2 input 20005
  • Add support for additional fields from V2 ALB logs. 21540
  • Release Cloud Foundry input as GA. 21525
  • New Cisco Umbrella dataset 21504
  • New juniper.srx dataset for Juniper SRX logs. 20017
  • Adding support for Microsoft 365 Defender (Microsoft Threat Protection) 21446
  • Adding support for FIPS in s3 input 21446
  • Update Okta documentation for new stateful restarts. 22091
  • Use workers in aws-s3 input to process SQS messages. 27199

Heartbeat

  • Add index and pipeline settings to monitor configurations. 20610

Journalbeat

Metricbeat

  • Add state_statefulset metricset to Metricbeat recommended configuration for k8s. 17627
  • Infer types in Prometheus remote_write. 19944
  • Add cloud.instance.name into aws ec2 metricset. 20077
  • Add host inventory metrics into aws ec2 metricset. 20171
  • Add scope setting for Elasticsearch module, allowing it to monitor an Elasticsearch cluster behind a load-balancing proxy. 18539 18547
  • Add state_daemonset metricset for Kubernetes Metricbeat module 20649
  • Add host inventory metrics to googlecloud compute metricset. 20391
  • Add host inventory metrics to azure compute_vm metricset. 20641
  • Add host inventory metrics to system module. 20415
  • Add billing data collection from Cost Explorer into aws billing metricset. 20527 20103
  • Migrate compute_vm metricset to a light one, map cloud.instance.id field. 20889
  • Request prometheus endpoints to be gzipped by default 20766
  • Add latency config parameter into aws module. 20875
  • Add billing metricset into googlecloud module. 20812 20738
  • Release all kubernetes state metricsets as GA 20901
  • Move compute_vm_scaleset to light metricset. 21038 20985
  • Sanitize event.host. 21022
  • Add support for different Azure Cloud environments in the metricbeat azure module. 21044 20988
  • Add overview and platform health dashboards to Cloud Foundry module. 21124
  • Release lambda metricset in aws module as GA. 21251 21255
  • Add dashboard for pubsub metricset in googlecloud module. 21326 17137
  • Move Prometheus query & remote_write to GA. 21507
  • Map cloud data filed cloud.account.id to azure subscription. 21483 21381
  • Expand unsupported option from namespace to metrics in the azure module. 21486

Packetbeat

  • Add an example to packetbeat.yml of using the forwarded tag to disable
  • Add 100-continue support 15830 19349
  • Add initial SIP protocol support 21221

Functionbeat

Winlogbeat

Elastic Log Driver - Add support to change beat name, and support for Kibana Logs. 20522

Deprecated

edit
  • N/A