Beats version 7.11.0
Breaking changes
Affecting all Beats
Auditbeat
Filebeat
- Add fileset to ingest Kibana’s ECS audit logs. 22696
- Remove suricata.eve.timestamp alias field. 10535 22095
- Rename bad ECS field name tracing.trace.id to trace.id in aws elb fileset. 22571
- Fix parsing issues with nested JSON payloads in Elasticsearch audit log fileset. 22975
- Rename network.direction values in crowdstrike/falcon to ingress/egress. 23041
Heartbeat
- Adds negative body match. 20728
Metricbeat
Packetbeat
- Update how Packetbeat classifies network directionality to bring it in line with ECS 1.7 22996
Winlogbeat
- Use ECS 1.7 ingress/egress instead of inbound/outbound network.direction in sysmon. 22997
Bugfixes
Affecting all Beats
- Fix memory leak and events duplication in docker autodiscover and add_docker_metadata. 21851
- Fix duplicated pod events in kubernetes autodiscover for pods with init or ephemeral containers. 22438
- Fix FileVersion contained in Windows exe files. 22581
- Log debug message if the Kibana dashboard cannot be imported from the archive because of an invalid archive directory structure 12211 13387
- Periodic metrics in logs will now report libbeat.output.events.active and beat.memstats.rss as gauges (rather than counters). 22877
- Use PROGRAMDATA environment variable instead of C:\ProgramData for windows install service 22874
- Fix reporting of cgroup metrics when running under Docker 22879
- Fix typo in config docs 23185
- Fix panic due to unhandled DeletedFinalStateUnknown in k8s OnDelete 23419
- Fix error loop with runaway CPU use when the Kafka output encounters some connection errors 23484
Auditbeat
Filebeat
- Fix Zeek dashboard reference to zeek.ssl.server.name field. 21696
- Fix network.direction logic in zeek connection fileset. 22967
- Fix aws s3 overview dashboard. 23045
- Fix bad network.direction values in Fortinet/firewall fileset. 23072
- Fix Cisco ASA/FTD module's parsing of WebVPN log message 716002. 22966
- Add support for organization and custom prefix in AWS/CloudTrail fileset. 23109 23126
- Simplify regex for organization custom prefix in AWS/CloudTrail fileset. 23203 23204
- Fix syslog header parsing in infoblox module. 23272 23273
- Fix concurrent modification exception in Suricata ingest node pipeline. 23534
- Fix handling of ModifiedProperties field in Office 365. 23777
Heartbeat
Metricbeat
- Change Session ID type from int to string 22359
- Fix filesystem types on Windows in filesystem metricset. 22531
- Fix failures caused by custom beat names with more than 15 characters 22550
- Update NATS dashboards to leverage connection and route metricsets 22646
- Fix rate metrics in Kafka broker metricset by using last minute rate instead of mean rate. 22733
- Update config in windows.yml file. 23027 23327
- Fix metric grouping for windows/perfmon module 23489 23505
Packetbeat
- Fix SIP parser logic related to line length check. 23411
Winlogbeat
Added
Affecting all Beats
- Add istiod metricset. 21519
- Add support for OpenStack SSL metadata APIs in add_cloud_metadata. 21590
- Add cloud.account.id for GCP into add_cloud_metadata processor. 21776
- Add proxy metricset for istio module. 21751
- Add kubernetes.node.hostname metadata of Kubernetes node. 22189
- Enable always add_resource_metadata for Pods and Services of kubernetes autodiscovery. 22189
- Add add_resource_metadata option setting (always enabled) for add_kubernetes_metadata setting. 22189
- Add support for ephemeral containers in kubernetes autodiscover and add_kubernetes_metadata. 22389 22439
- Added support for wildcard fields and keyword fallback in beats setup commands. 22521
- Fix polling node when it is not ready and monitor by hostname 22666
- Add expand_keys option to decode_json_fields processor and json input, to recursively de-dot and expand json keys into hierarchical object structures 22849
- Update k8s client and release k8s leader lock gracefully 22919
- Improve event normalization performance 22974
- Add tini as init system in docker images 22137
- Added "detect_mime_type" processor for detecting mime types 22940
- Added "add_network_direction" processor for determining perimeter-based network direction. 23076
- Added new rate_limit processor for enforcing rate limits on event throughput. 22883
- Allow node/namespace metadata to be disabled on kubernetes metagen and ensure add_kubernetes_metadata honors host 23012
- Improve equals check. 22778
Auditbeat
Filebeat
- Adding support for Oracle Database Audit Logs 21991
- Add max_number_of_messages config into s3 input. 21993
- Add SSL option to checkpoint module 19560
- Added support for MySQL Enterprise audit logs. 22273
- Rename googlecloud module to gcp module. 22214
- Rename awscloudwatch input to aws-cloudwatch. 22228
- Rename google-pubsub input to gcp-pubsub. 22213
- Copy tag names from MISP data into events. 21664
- Added TLS JA3 fingerprint, certificate not_before/not_after, certificate SHA1 hash, and certificate subject fields to Zeek SSL dataset. 21696
- Add platform logs in the azure filebeat module. 22371
- Added event.ingested field to data from the Netflow module. 22412
- Improve panw ECS url fields mapping. 22481
- Improve Nats filebeat dashboard. 22726
- Add support for UNIX datagram sockets in unix input. 18632 22699
- Add http.request.mime_type for Elasticsearch audit log fileset. 22975
- Add new httpjson input features and mark old config ones for deprecation 22320
- Add configuration option to set external and internal networks for panw panos fileset 22998
- Add subdomain fields for rsa2elk modules. 23035
- Add subdomain enrichment for suricata/eve fileset. 23011
- Add subdomain enrichment for zeek/dns fileset. 23011
- Add event.category "configuration" to auditd module events. 23010
- Add event.category "configuration" to gsuite module events. 23010
- Add event.category "configuration" to o365 module events. 23010
- Add event.category "configuration" to zoom module events. 23010
- Add network.direction to auditd/log fileset. 23041
- Add logic for external network.direction in sophos xg fileset 22973
- Preserve AWS CloudTrail eventCategory in aws.cloudtrail.event_category. 22776 22805
- Add top_level_domain enrichment for suricata/eve fileset. 23046
- Add top_level_domain enrichment for zeek/dns fileset. 23046
- Add observer.egress.zone and observer.ingress.zone for cisco/asa and cisco/ftd filesets. 23068
- Allow cisco/asa and cisco/ftd filesets to override network directionality based off of zones. 23068
- Allow cef and checkpoint modules to override network directionality based off of zones 23066
- Add network.direction to netflow/log fileset. 23052
- Add the ability to override network.direction based on interfaces in Fortinet/firewall fileset. 23072
- Add network.direction override by specifying internal_networks in gcp module. 23081
- Migrate microsoft/defender_atp to httpjson v2 config 23017
- Migrate microsoft/m365_defender to httpjson v2 config 23018
- Migrate okta to httpjson v2 config 23059
- Add support for Snyk Vulnerability and Audit API. 22677
- Misp improvements: Migration to httpjson v2 config, pagination and deduplication ID 23070
- Add Google Workspace module and mark Gsuite module as deprecated 22950
- Mark m365 defender, defender atp, okta and google workspace modules as GA 23113
- Added alternative_host option to google pubsub input 23215
Heartbeat
- Add mime type detection for http responses. 22976
Metricbeat
- Move s3_daily_storage and s3_request metricsets to use cloudwatch input. 21703
- Duplicate system.process.cmdline field with process.command_line ECS field name. 22325
- Add awsfargate module task_stats metricset to monitor AWS ECS Fargate. 22034
- Add connection and route metricsets for nats metricbeat module to collect metrics per connection/route. 22445
- Add unit file states to system/service 22557
- kibana module: stats metricset no longer collects usage-related data. 22732
- Add more TCP states to Metricbeat system socket_summary. 14347
- Add io.ops in fields exported by system.diskio. 22066
- Adjust the Apache status fields in the fleet mode. 22821
- Add AWS Fargate overview dashboard. 22941
- Add process.state, process.cpu.pct, process.cpu.start_time and process.memory.pct. 22845
- Move IIS module to GA and map fields. 22609 23024
- Apache: convert status.total_kbytes to status.total_bytes in fleet mode. 23022
- Release MSSQL as GA 23146
Packetbeat
Winlogbeat
- Add file.pe and process.pe fields to ProcessCreate & LoadImage events in Sysmon module. 17335 22217
- Add dns.question.subdomain fields for sysmon DNS events. 22999
- Add additional event categorization for security and sysmon modules. 22988
- Add dns.question.top_level_domain fields for sysmon DNS events. 23046
Elastic Log Driver
- Add new winlogbeat security dashboard 18775
Deprecated
Filebeat