Beats version 7.8.0

Breaking changes

Affecting all Beats

  • Introduce APM instrumentation, which is active when running the beat with ELASTIC_APM_ACTIVE=true. 17938

Filebeat

  • Improve ECS field mappings in panw module. event.outcome now only contains success or failure, as recommended by the ECS specification. 16025 17910
  • Improve ECS categorization field mappings for nginx module. http.request.referrer is now lowercase, and it is only populated when nginx sets a value. 16174 17844
  • Improve ECS field mappings in santa module. hash.sha256 is moved to process.hash.sha256, and certificate fields are now under santa.certificate. 16180 17982

Bugfixes

Affecting all Beats

  • Fix a bug in config reloading that could result in memory leaks or lost events when an output was rapidly reloaded multiple times. 10491 17381
  • Fix panic when assigning a key to a nil value in an event. 18143

Heartbeat

  • Fix TCP TLS checks to properly validate hostnames. In previous 7.x versions, this only worked for IP SANs. 17549

Metricbeat

  • No longer send NaNs for memory metrics that don’t exist on the platform being monitored. 17400
  • Add a switch to the driver definition on SQL module to use pretty names. 17378

Added

Affecting all Beats

  • Update supported versions of redis output. 17198
  • Add replace processor for replacing string values of fields. 17342
  • Add urldecode processor for decoding URL-encoded fields. 17505
  • Add support for AWS IAM role_arn in credentials config. 17658 12464
  • Add Kerberos support to Elasticsearch output. 17927
  • Set agent.name to the hostname by default. 16377 18000
  • Add keystore support for autodiscover static configurations. 16306
  • Add support for basic ECS logging. 17974
  • Add config example of how to skip the add_host_metadata processor when forwarding logs. 13920 18153
  • Add backoff configuration options for the Kafka output. 16777 17808
  • Add support for fixed length extraction in dissect processor. 17191

Auditbeat

  • Add system module process dataset ECS categorization fields. 18032
  • Add system module user dataset ECS categorization fields. 18035
  • Add system module login dataset ECS categorization fields. 18034
  • Add system module package dataset ECS categorization fields. 18033
  • Add ECS categories for system module host dataset. 18031
  • Add system module socket dataset ECS categorization fields. 18036
  • Add file integrity module ECS categorization fields. 18012
  • Add file.mime_type, file.extension, and file.drive_letter for file integrity module. 18012

Filebeat

  • Add source field in k8s events. 17209
  • Add new crowdstrike module for ingesting Crowdstrike Falcon streaming API endpoint event data. 16988
  • Improve ECS categorization field mappings in mongodb module. 16170 17371
  • Improve ECS categorization field mappings for mssql module. 16171 17376
  • Improve ECS categorization field mappings for mysql module. 16172 17491
  • Add new Checkpoint Syslog filebeat module. 17682
  • Add config option to select a different azure cloud env in the azure-eventhub input and azure module. 17649 17659
  • Enhance elasticsearch/server fileset to handle ECS-compatible logs emitted by Elasticsearch. 17715 17714
  • Add Unix stream socket support as an input source and a syslog input source. 17492
  • Improve ECS categorization field mappings in misp module. 16026 17344
  • Enhance elasticsearch/deprecation fileset to handle ECS-compatible logs emitted by Elasticsearch. 17715 17728
  • Make decode_cef processor GA. 17944
  • Add new Fortigate Syslog filebeat module. 17890
  • Improve ECS categorization field mappings in redis module. 16179 17918
  • Improve ECS categorization field mappings in rabbitmq module. 16178 17916
  • Improve ECS categorization field mappings in postgresql module. 16177 17914
  • Improve ECS categorization field mappings for nginx module. 16174 17844
  • Add support for Google Application Default Credentials to the Google Pub/Sub input and Google Cloud modules. 15668
  • Improve ECS categorization field mappings for zeek module. 16029 17738
  • Improve ECS categorization field mappings for netflow module. 16135 18108
  • Add an input option publisher_pipeline.disable_host to disable host.name from being added to events by default. 18159
  • Improve ECS categorization field mappings in system module. 16031 18065
  • Improve ECS categorization field mappings in osquery module. 16176 17881
  • Add support for v10, v11 and v12 logs on Postgres. 13810 17732
  • Add dashboard for Google Cloud Audit and AWS CloudTrail. 17379

Heartbeat

  • Add additional ECS compatible fields for TLS information. 17687

Metricbeat

  • Refactor windows/perfmon metricset configuration options and event output. 17596
  • Add more detailed error messages, system tests and small refactoring to the service metricset in windows. 17725
  • Stack Monitoring modules now auto-configure required metricsets when xpack.enabled: true is set. 16471 17609
  • Add Metricbeat IIS module dashboards. 17966
  • Add dashboard for the azure database account metricset. 17901
  • Allow partial region and zone name in googlecloud module config. 17913
  • Add aggregation aligner as a config parameter for googlecloud stackdriver metricset. 17141 17719
  • Move the perfmon metricset to GA. 16608 17879
  • Add static mapping for metricsets under aws module. 17614 17650
  • Add dashboard for googlecloud storage metricset. 18172
  • Collect new bulk indexing metrics from Elasticsearch when xpack.enabled: true is set. 17977 17992
  • Remove requirement to connect as sysdba in Oracle module. 15846 18182
  • Update MSSQL module to fix some SSPI authentication and add brackets to USE statements. 17862

Winlogbeat

  • Set process.command_line and process.parent.command_line from Sysmon Event ID 1. 17327
  • Add support for event IDs 4673, 4674, 4697, 4698, 4699, 4700, 4701, 4702, 4768, 4769, 4770, 4771, 4776, 4778, 4779, 4964 to the Security module. 17517
  • Add registry and code signature information and ECS categorization fields for sysmon module. 18058