Beats version 7.8.0
Breaking changes
Affecting all Beats
- Introduce APM instrumentation, which is active when running the beat with ELASTIC_APM_ACTIVE=true. 17938
Filebeat
- Improve ECS field mappings in panw module. event.outcome now only contains success or failure, as recommended by the ECS specification. 16025 17910
- Improve ECS categorization field mappings for nginx module. http.request.referrer is now lowercase, and it is only populated when nginx sets a value. 16174 17844
- Improve ECS field mappings in santa module. hash.sha256 is moved to process.hash.sha256, and certificate fields are now under santa.certificate. 16180 17982
Bugfixes
Affecting all Beats
Heartbeat
- Fix TCP TLS checks to properly validate hostnames. In previous 7.x versions, this only worked for IP SANs. 17549
Metricbeat
Added
Affecting all Beats
- Update supported versions of redis output. 17198
- Add replace processor for replacing string values of fields. 17342
- Add urldecode processor for decoding URL-encoded fields. 17505
- Add support for AWS IAM role_arn in credentials config. 17658 12464
- Add Kerberos support to Elasticsearch output. 17927
- Set agent.name to the hostname by default. 16377 18000
- Add keystore support for autodiscover static configurations. 16306
- Add support for basic ECS logging. 17974
- Add config example of how to skip the add_host_metadata processor when forwarding logs. 13920 18153
- Add backoff configuration options for the Kafka output. 16777 17808
- Add support for fixed length extraction in dissect processor. 17191
Auditbeat
- Add system module process dataset ECS categorization fields. 18032
- Add system module user dataset ECS categorization fields. 18035
- Add system module login dataset ECS categorization fields. 18034
- Add system module package dataset ECS categorization fields. 18033
- Add ECS categories for system module host dataset. 18031
- Add system module socket dataset ECS categorization fields. 18036
- Add file integrity module ECS categorization fields. 18012
- Add file.mime_type, file.extension, and file.drive_letter for file integrity module. 18012
Filebeat
- Add source field in k8s events. 17209
- Add new crowdstrike module for ingesting CrowdStrike Falcon streaming API endpoint event data. 16988
- Improve ECS categorization field mappings in mongodb module. 16170 17371
- Improve ECS categorization field mappings for mssql module. 16171 17376
- Improve ECS categorization field mappings for mysql module. 16172 17491
- Add new Checkpoint Syslog filebeat module. 17682
- Add config option to select a different azure cloud env in the azure-eventhub input and azure module. 17649 17659
- Enhance elasticsearch/server fileset to handle ECS-compatible logs emitted by Elasticsearch. 17715 17714
- Add Unix stream socket support as an input source and a syslog input source. 17492
- Improve ECS categorization field mappings in misp module. 16026 17344
- Enhance elasticsearch/deprecation fileset to handle ECS-compatible logs emitted by Elasticsearch. 17715 17728
- Make decode_cef processor GA. 17944
- Add new Fortigate Syslog filebeat module. 17890
- Improve ECS categorization field mappings in redis module. 16179 17918
- Improve ECS categorization field mappings in rabbitmq module. 16178 17916
- Improve ECS categorization field mappings in postgresql module. 16177 17914
- Improve ECS categorization field mappings for nginx module. 16174 17844
- Add support for Google Application Default Credentials to the Google Pub/Sub input and Google Cloud modules. 15668
- Improve ECS categorization field mappings for zeek module. 16029 17738
- Improve ECS categorization field mappings for netflow module. 16135 18108
- Add an input option publisher_pipeline.disable_host to disable host.name from being added to events by default. 18159
- Improve ECS categorization field mappings in system module. 16031 18065
- Improve ECS categorization field mappings in osquery module. 16176 17881
- Add support for v10, v11 and v12 logs on Postgres. 13810 17732
- Add dashboard for Google Cloud Audit and AWS CloudTrail. 17379
Heartbeat
- Add additional ECS compatible fields for TLS information. 17687
Metricbeat
- Refactor windows/perfmon metricset configuration options and event output. 17596
- Add more detailed error messages, system tests and small refactoring to the service metricset in windows. 17725
- Stack Monitoring modules now auto-configure required metricsets when xpack.enabled: true is set. 16471 17609
- Add Metricbeat IIS module dashboards. 17966
- Add dashboard for the azure database account metricset. 17901
- Allow partial region and zone name in googlecloud module config. 17913
- Add aggregation aligner as a config parameter for googlecloud stackdriver metricset. 17141 17719
- Move the perfmon metricset to GA. 16608 17879
- Add static mapping for metricsets under aws module. 17614 17650
- Add dashboard for googlecloud storage metricset. 18172
- Collect new bulk indexing metrics from Elasticsearch when xpack.enabled:true is set. 17977 17992
- Remove requirement to connect as sysdba in Oracle module. 15846 18182
- Update MSSQL module to fix some SSPI authentication and add brackets to USE statements. 17862
Winlogbeat
- Set process.command_line and process.parent.command_line from Sysmon Event ID 1. 17327
- Add support for event IDs 4673, 4674, 4697, 4698, 4699, 4700, 4701, 4702, 4768, 4769, 4770, 4771, 4776, 4778, 4779, 4964 to the Security module. 17517
- Add registry and code signature information and ECS categorization fields for sysmon module. 18058