Beats version 7.12.0

edit

View commits

Breaking changes

edit

Filebeat

  • Rename s3 input to aws-s3 input. 23469

Heartbeat

  • Refactor synthetics configuration to new syntax. 23467

Bugfixes

edit

Affecting all Beats

  • Fix nested subfield handling in generated Elasticsearch templates. 23178 23183
  • Fix CPU usage metrics on VMs with dynamic CPU config 23154
  • Allow configuring credential_profile_name and shared_credential_file when using role_arn. 24174
  • Fix panic with inline SSL when the certificate or key was smaller than 256 bytes. 23820 23858

Auditbeat

  • system/login: Fixed offset reset on inode reuse. 24414
  • system/login: Add additional offset check for utmp files. 24515

Filebeat

  • CheckPoint Firewall module: Change event.severity JSON data type to a number because the field mapping is a long. 23424
  • Cisco IOS: Change icmp.type/code and igmp.type JSON data types to strings because the fields mappings are keyword. 23424
  • CrowdStrike Falcon: Change JSON field types to match the field mappings. 23424
  • Fortinet Firewall: Drop fortinet.firewall.assignip when the value is "N/A". 23424
  • Juniper SRX: Change JSON field types to match the field mappings. 23424
  • Suricata EVE: Convert suricata.eve.flow_id to string because the field is a keyword in the mapping. 23424
  • Zeek DNS: Ignore failures in data type conversions. And change dns.id JSON field to a string to match its keyword mapping. 23424
  • Update filestream reader offset when a line is skipped. 23417
  • Add check for empty values in azure module. 24156
  • Change the event.created in Netflow events to be the time the event was created by Filebeat
  • Fix Zoom module parameters for basic auth and url path. 23779
  • Use rfc6587 framing for fortinet firewall and clientendpoint filesets when transferring over tcp. 23837
  • Fix httpjson input logging so it doesn’t conflict with ECS. 23972
  • Fix Logstash module handling of logstash.log.log_event.action field. 20709
  • aws/s3access dataset was populating event.duration using the wrong unit. 23920
  • Zoom module pipeline failed to ingest some chat_channel events. 23904
  • Fix Netlow module issue with missing internal_networks config parameter. 24094 24110
  • in httpjson input using encode_as "application/x-www-form-urlencoded" now sets Content-Type correctly 24331 24336
  • Fix default scope in add_nomad_metadata. 24559

Metricbeat

  • Add stack monitoring section to elasticsearch module documentation 23286
  • Fix ec2 metricset fields.yml and the integration test 23726
  • Unskip s3_request integration test. 23887
  • Add system.hostfs configuration option for system module. 23831

Added

edit

Affecting all Beats

  • Honor kube event resysncs to handle missed watch events 22668
  • Add autodiscover provider and metadata processor for Nomad. 14954 23324
  • Add processors.rate_limit.n.dropped monitoring counter metric for the rate_limit processor. 23330
  • Deprecate aws_partition config parameter for AWS, use endpoint instead. 23539
  • Update the baseline version of Sarama (Kafka support library) to 1.27.2. 23595
  • Add kubernetes.volume.fs.used.pct field. 23564
  • Add the enable_krb5_fast flag to the Kafka output to explicitly opt-in to FAST authentication. 23629
  • Added new decode_xml processor to libbeat that is available to all beat types. 23678
  • Add deployment name in pod’s meta. 23610
  • Added ECS 1.8 host.os.type field to add_host_metadata processor. 23513
  • Add selector information in Kubernetes services' metadata. 23730

Auditbeat

  • Improve file_integrity monitoring when a file is created/deleted in quick succession. 17347 22170
  • system/host: Add new ECS 1.8 field os.type in host.os.type. 23513
  • Update Auditbeat auditd module to ECS 1.8 23594 23118

Filebeat

  • Add parsing of tcp flags to AWS vpcflow fileset 22820 23157
  • Added support for first_event context in Filebeat httpjson input 23437
  • Adding Threat Intel module 21795
  • Added username parsing from Cisco ASA message 302013. 21196
  • Added encode_as and decode_as options to httpjson along with pluggable encoders/decoders 23478
  • Added feature to modules to adapt Ingest Node pipelines for compatibility with older Elasticsearch versions by removing unsupported processors. 23763
  • Added support for Cisco AMP API as a new fileset. 22768
  • Added RFC6587 framing option for tcp and unix inputs 23663 23724
  • Added application/x-ndjson as decode option for httpjson input 23521
  • Added application/x-www-form-urlencoded as encode option for httpjson input 23521
  • Move aws-s3 input to GA. 23631
  • Populate source.mac and destination.mac for Suricata EVE events. 23706 23721
  • Added string splitting for httpjson input 24022
  • Added Signatures fileset to Zeek module 23772
  • Upgrade Cisco ASA/FTD/Umbrella to ECS 1.8.0. 23819
  • Add new ECS user and categories features to google_workspace/gsuite 23118 23709
  • Move crowdstrike JS processor to ingest pipelines and upgrade to ECS 1.8.0 23118 23875
  • Update Filebeat auditd dataset to ECS 1.8.0. 23723 23118
  • Updated microsoft defender_atp and m365_defender to ECS 1.8. 23897 23118
  • Updated o365 module to ECS 1.8. 23118 23896
  • Upgrade CEF module to ECS 1.8.0. 23832
  • Upgrade fortinet/firewall to ECS 1.8 23118 23902
  • Upgrade Zeek to ECS 1.8.0. 23118 23847
  • Updated azure module to ECS 1.8. 23118 23927
  • Update aws/s3access to ECS 1.8. 23118 23920
  • Upgrade panw module to ECS 1.8 23118 23931
  • Updated aws/cloudtrail fileset to ECS 1.8. 23118 23911
  • Upgrade juniper/srx to ECS 1.8.0. 23118 23936
  • Update mysqlenterprise module to ECS 1.8. 23118 23978
  • Upgrade sophos/xg fileset to ECS 1.8.0. 23118 23967
  • Upgrade system/auth to ECS 1.8 23118 23961
  • Upgrade elasticsearch/audit to ECS 1.8 23118 24000
  • Upgrade okta to ECS 1.8.0 and move js processor to ingest pipeline 23118 23929
  • Update zoom module to ECS 1.8. 23904 23118
  • Add fileset to ingest PostgreSQL CSV logs. 23334
  • Add beta support for RFC 5424 to the Syslog input. 23954

Heartbeat

  • Bundle synthetics dependencies with Heartbeat docker image. 23274

Heartbeat

  • Update Journalbeat to ECS 1.8. 23737

Metricbeat

  • Enrich events of state_service metricset with Kubernetes services' metadata. 23730
  • Add support for Darwin/arm M1. 24019
  • Check fields are documented in AWS metricsets. 23887
  • Add container.image.name and containe.name ECS fields for state_container. 23802
  • Add support for the MemoryPressure, DiskPressure, OutOfDisk and PIDPressure status conditions in state_node. 23905

Packetbeat

  • Upgrade to ECS 1.8.0. 23783
  • Add event.type: [connection] to flow events and include end for final flows. 24564

Functionbeat

  • Provide more ways to set AWS credentials. 12464 23344
  • Add support for multiple regions 21065

Heartbeat

  • Add support for script processor. 23229

Winlogbeat

  • Add Audit and Authentication Policy Change Events and related.ip information 20684
  • Add new ECS 1.8 improvements. 23563
  • Remove deprecated eventlogging API that was used for Windows XP/2003 and associated unused code. 24463

Deprecated

edit

Affecting all Beats

  • Selecting full in ssl.verification_mode option will not treat CommonName field in x509 certificates as a hostname when Subject Alternative Name is not present from v8.0. Please update your certificates so it contains at least one DNSName instead of relying on CommonName in the new major version of Beats.