Beats version 8.7.0

edit

View commits

Bugfixes

edit

Affecting all Beats

  • Fix dropped events when monitor a beat under the agent and send its Host info log entry. 34599
  • Fix panics when a processor is closed twice 34647
  • Update elastic-agent-system-metrics to v0.4.6 to allow builds on mips platforms. 34674

Filebeat - [Auditbeat System Package] Added support for Apple Silicon chips. 34433 with the ecs field name container. 34403 automatic splitting at root level, if root level element is an array. 34155 - Prevent Elasticsearch from spewing log warnings about redundant wildcard when setting up ingest pipelines. 34249 34550 - Gracefully handle Windows event channel not found errors in winlog input. 30201 34605 - Fix the issue of cometd input worker getting closed in case of a network connection issue and an EOF error. 34326 34327 - Fix for httpjson first_response object throwing false positive errors by making it a flag based object 34747 34748 - Fix errors and panics due to re-used processors 34761 - Add missing Basic Authentication support to CEL input 34609 34689

Heartbeat

  • Fix integration hashing to prevent reloading all when updated. 34697
  • Fix release of job limit semaphore when context is cancelled. 34697 with the ecs field name container. 34403 automatic splitting at root level, if root level element is an array. 34155
  • Fix broken mapping for state.ends field. 34891

Filebeat

  • Allow the misp fileset in the Filebeat threatintel module to ignore CIDR ranges for an IP field. 29949 34195
  • Remove incorrect reference to CEL ext extensions package. 34610 34620
  • Fix handling of RFC5988 links' relation parameters by getRFC5988Link in HTTPJSON. 34603 34622
  • Drop empty API response events for Microsoft module. 34786 34893

Metricbeat

  • Fix kafka dashboard field names 33555

Winlogbeat

  • Fix handling of event data with keys containing dots. 34345 34549
  • Gracefully handle channel not found errors. 30201 34605
  • Clarify query term limits warning and remove link to missing Microsoft doc page. 34715
  • Improve documentation for event_logs.name configuration. 34931

Functionbeat

  • Fix Kinesis events timestamp to use timestamp of the event record instead of when the record was processed 33593

Added

edit

Filebeat

  • Add backup to bucket and delete functionality for the aws-s3 input. 30696 33559
  • Add support for polling system UDP stats for UDP input metrics. 34070
  • Add support for recognizing the log level in Elasticsearch JVM logs 34159
  • Add new Entity Analytics input with Azure Active Directory support. 34305
  • Added metric sqs_lag_time for aws-s3 input. 34306
  • Add metrics for TCP packet processing. 34333
  • Add metrics for unix socket packet processing. 34335
  • Add beta take over mode for filestream for simple migration from log inputs 34292
  • Add pagination support for Salesforce module. 34057 34065
  • Allow users to redact sensitive data from CEL input debug logs. 34302
  • Add support for new Rabbitmq timestamp format for logs 34211
  • Allow user configuration of timezone offset in Cisco ASA and FTD modules. 34436
  • Allow user configuration of timezone offset in Checkpoint module. 34472
  • Fill okta.request.ip_chain.* as a flattened object in Okta module. 34621
  • Fixed GCS log format issues. 34659
  • Add Basic Authentication support on constructed requests to CEL input 34609 34689
  • Add string manipulation extensions to CEL input 34610 34689
  • Improve CEL input documentation 34831
  • Add metrics documentation for CEL and AWS CloudWatch inputs. 34887 34889
  • Metrics hosted by the HTTP monitoring endpoint for the aws-cloudwatch, aws-s3, cel, and lumberjack inputs are now available under /inputs/ instead of /dataset.

Heartbeat

  • Users can now configure max scheduler job limits per monitor type via env var. 34307
  • Remove host and port matching restrictions on hint-generated monitors. 34376

Metricbeat

  • Remove GCP Compute metadata cache 33655
  • Add GCP Redis regions support 33728
  • Changed cloudwatch module to call ListMetrics API only once per region, instead of per AWS namespace 34055
  • Add beta ingest_pipeline metricset to Elasticsearch module for ingest pipeline monitoring 34012
  • Handle duplicated TYPE line for prometheus metrics 18813 33865

Packetbeat

  • Reduce logging level for ENOENT to WARN when mapping sockets to processes. 33793 33854
  • Add metrics for TCP and UDP packet processing. 33833 34353
  • Allow user to prevent Npcap library installation on Windows. 34420 34428
  • Add metrics documentation for TCP and UDP protocols. 34887 34889

Winlogbeat

  • Add metrics for log event processing. 33922
  • Add metrics documentation for event processing. 34887 34889
  • Added processing for Windows Event ID’s 4797, 5379, 5380, 5381, and 5382 for the Security Ingest Pipeline 34293 34294
  • Added processing for Windows Event ID’s 5140 and 5145 for the Security Ingest Pipeline 34352