Beats version 7.13.0

edit

View commits

Breaking changes

edit

Affecting all Beats

  • Use alias to report container image in k8s metadata. 24380
  • Set cleanup_timeout to zero by default in docker and kubernetes autodiscover in all beats except Filebeat where it is kept to 60 seconds. 24681
  • Update to ECS 1.9.0. 24909

Filebeat

  • Changes filebeat httpjson input’s append transform to create a list even with only a single valuehttps://github.com/elastic/beats/pull/25074[25074]
  • Deprecated the cyberark module (replaced by cyberarkpas). 25261 25505

Metricbeat

  • Store cloudfoundry.container.cpu.pct in decimal form and as scaled_float. 24219
  • Remove index_stats.created field from Elasticsearch/index Metricset 25113

Bugfixes

edit

Affecting all Beats

  • Fix events being dropped if they contain a floating point value of NaN or Inf. 25051
  • Fix templates being overwritten if there was an error when check for the template existance. 24332
  • Add expand_keys to the list of permitted config fields for decode_json_fields 24862
  • Fix discovery of short-living and failing pods in Kubernetes autodiscover 22718 24742
  • Fix panic when overwriting metadata 24741
  • Fix role_arn to work with access keys for AWS. 25446
  • Fix community_id processor so that ports greater than 65535 aren’t valid. 25409

Auditbeat

  • Fix o365 module config when client_secret contains special characters. 25058

Filebeat

  • Fix date parsing in GSuite/login fileset. 24694
  • Improve Cisco ASA/FTD parsing of messages 23766
  • Better support for identity FW messages.
  • Change network.bytes, source.bytes, and destination.bytes to long from integer since value can exceed integer capacity.
  • Add descriptions for various processors for easier pipeline editing in Kibana UI.
  • Fix usage of unallowed ECS event.outcome values in Cisco ASA/FTD pipeline. 24744.
  • Fix IPtables Pipeline and Ubiquiti dashboard. 24878 24928
  • Strip Azure Eventhub connection string in debug logs. {pulll}25066[25066]
  • Updating Oauth2 flow for m365_defender fileset. 24829
  • Fix o365 module config when client_secret contains special characters. 25058
  • Fix s3 input when there is a blank line in the log file. 25357
  • Remove space from field sophos.xg.trans_src_ ip. 25154 25250
  • Fix checkpoint.action_reason when its a string, not a Long. 25575 25609
  • Fix fortinet.firewall.addr when its a string, not an IP address. 25585 25608

Metricbeat

  • Sort correctly the keys when accessing JMX through the Jolokia module 25631
  • Change lookup_fields from metricset.host to service.address 15883
  • Fix incorrect types of fields GetHits and Ops in NodeInterestingStats for Couchbase module in Metricbeat 21021 23287
  • Fix GCP not able to request Cloudfunctions metrics if a region filter was set 24218
  • Fix type of uwsgi.status.worker.rss type. 24468
  • Accept text/plain type by default for prometheus client scraping. 24622
  • Use working set bytes to calculate the pod memory limit pct when memory usage is not reported (ie. Windows pods). 25428
  • Fix copy-paste error in libbeat docs. 25448
  • Fix azure billing dashboard. 25554

Winlogbeat

  • Change event.code and winlog.event_id from int to keyword. 25176

Added

edit

Affecting all Beats

  • Add wineventlog schema to decode_xml processor. 23910 24726
  • Add new ECS 1.9 field cloud.service.name to add_cloud_metadata processor. 24993
  • Libbeat: report queue capacity, output batch size, and output client count to monitoring. 24700
  • Add kubernetes.pod.ip field in kubernetes metadata. 25037
  • Discover changes in Kubernetes namespace metadata as soon as they happen. 25117
  • Add decode_xml_wineventlog processor. 23910 25115
  • Add new setting gc_percent for tuning the garbage collector limits via configuration file. 25394
  • Add unit and metric_type properties to fields.yml for populating field metadata in Elasticsearch templates 25419
  • Add new option suffix to logging.files to control how log files are rotated. 25464
  • Validate that required functionality in Elasticsearch is available upon initial connection. 25351

Filebeat

  • Support X-Forwarder-For in IIS logs. 192142
  • Add support for logs generated by servers configured with log_statement and log_duration in PostgreSQL module. 24607
  • Added fifteen new message IDs to Cisco ASA/FTD pipeline. 24744
  • Added NTP fileset to Zeek module 24224
  • Add proxy_url config for httpjson v2 input. 24615 24662
  • Change okta.target to flattened field type. 24354 24636
  • Added http.request.id to nginx/ingress_controller and elasticsearch/audit. 24994
  • Add awsfargate module to collect container logs from Amazon ECS on Fargate. 25041
  • New module cyberarkpas for CyberArk Privileged Access Security audit logs. 24803
  • Add uri_parts processor to Apache, Nginx, IIS, Traefik, S3Access, Cisco, F5, Fortinet, Google Workspace, Imperva, Microsoft, Netscout, O365, Sophos, Squid, Suricata, Zeek, Zia, Zoom, and ZScaler modules ingest pipelines. 19088 24699
  • New module zookeeper for Zookeeper service and audit logs 25061 25128
  • Add parsing for haproxy.http.request.raw_request_line field 25480 25482
  • Mark filestream input beta. 25560
  • Add User Agent Parser for Azure Sign In Logs Ingest Pipeline 23201

Heartbeat

  • Handle datastreams for fleet. 24223
  • Add --sandbox option for browser monitor. 24172
  • Support additional root fields from synthetics. 24770
  • Browser zip_url source type. 24714

Metricbeat

  • Add support for Consul 1.9. 24123
  • Add support for defining metrics_filters for prometheus module in hints. 24264
  • Add support for PostgreSQL 10, 11, 12 and 13. 24402
  • Add support for SASL/SCRAM authentication to the Kafka module. 24810

Winlogbeat

  • Add support for sysmon v13 events 24 and 25. 24217 24945