This documentation contains work-in-progress information for future Elastic Stack and Cloud releases. Use the version selector to view supported release docs. It also contains some Elastic Cloud serverless information. Check out our serverless docs for more details.
Beats version 7.12.0
editBeats version 7.12.0
editBreaking changes
editFilebeat
-
Rename
s3
input toaws-s3
input. 23469
Heartbeat
- Refactor synthetics configuration to new syntax. 23467
Bugfixes
editAffecting all Beats
-
Fix
nested
subfield handling in generated Elasticsearch templates. 23178 23183 - Fix CPU usage metrics on VMs with dynamic CPU config 23154
- Allow configuring credential_profile_name and shared_credential_file when using role_arn. 24174
- Fix panic with inline SSL when the certificate or key was smaller than 256 bytes. 23820 23858
Auditbeat
Filebeat
-
CheckPoint Firewall module: Change event.severity JSON data type to a number because the field mapping is a
long
. 23424 -
Cisco IOS: Change icmp.type/code and igmp.type JSON data types to strings because the fields mappings are
keyword
. 23424 - CrowdStrike Falcon: Change JSON field types to match the field mappings. 23424
-
Fortinet Firewall: Drop
fortinet.firewall.assignip
when the value is "N/A". 23424 - Juniper SRX: Change JSON field types to match the field mappings. 23424
-
Suricata EVE: Convert
suricata.eve.flow_id
to string because the field is a keyword in the mapping. 23424 -
Zeek DNS: Ignore failures in data type conversions. And change
dns.id
JSON field to a string to match itskeyword
mapping. 23424 -
Update
filestream
reader offset when a line is skipped. 23417 - Add check for empty values in azure module. 24156
-
Change the
event.created
in Netflow events to be the time the event was created by Filebeat - Fix Zoom module parameters for basic auth and url path. 23779
- Use rfc6587 framing for fortinet firewall and clientendpoint filesets when transferring over tcp. 23837
- Fix httpjson input logging so it doesn’t conflict with ECS. 23972
- Fix Logstash module handling of logstash.log.log_event.action field. 20709
- aws/s3access dataset was populating event.duration using the wrong unit. 23920
- Zoom module pipeline failed to ingest some chat_channel events. 23904
-
Fix Netlow module issue with missing
internal_networks
config parameter. 24094 24110 - in httpjson input using encode_as "application/x-www-form-urlencoded" now sets Content-Type correctly 24331 24336
-
Fix default
scope
inadd_nomad_metadata
. 24559
Metricbeat
Added
editAffecting all Beats
- Honor kube event resysncs to handle missed watch events 22668
- Add autodiscover provider and metadata processor for Nomad. 14954 23324
-
Add
processors.rate_limit.n.dropped
monitoring counter metric for therate_limit
processor. 23330 - Deprecate aws_partition config parameter for AWS, use endpoint instead. 23539
- Update the baseline version of Sarama (Kafka support library) to 1.27.2. 23595
- Add kubernetes.volume.fs.used.pct field. 23564
-
Add the
enable_krb5_fast
flag to the Kafka output to explicitly opt-in to FAST authentication. 23629 - Added new decode_xml processor to libbeat that is available to all beat types. 23678
- Add deployment name in pod’s meta. 23610
-
Added ECS 1.8
host.os.type
field toadd_host_metadata
processor. 23513 -
Add
selector
information in Kubernetes services' metadata. 23730
Auditbeat
Filebeat
- Add parsing of tcp flags to AWS vpcflow fileset 22820 23157
- Added support for first_event context in Filebeat httpjson input 23437
- Adding Threat Intel module 21795
- Added username parsing from Cisco ASA message 302013. 21196
-
Added
encode_as
anddecode_as
options to httpjson along with pluggable encoders/decoders 23478 - Added feature to modules to adapt Ingest Node pipelines for compatibility with older Elasticsearch versions by removing unsupported processors. 23763
- Added support for Cisco AMP API as a new fileset. 22768
- Added RFC6587 framing option for tcp and unix inputs 23663 23724
-
Added
application/x-ndjson
as decode option for httpjson input 23521 -
Added
application/x-www-form-urlencoded
as encode option for httpjson input 23521 - Move aws-s3 input to GA. 23631
-
Populate
source.mac
anddestination.mac
for Suricata EVE events. 23706 23721 - Added string splitting for httpjson input 24022
- Added Signatures fileset to Zeek module 23772
- Upgrade Cisco ASA/FTD/Umbrella to ECS 1.8.0. 23819
- Add new ECS user and categories features to google_workspace/gsuite 23118 23709
- Move crowdstrike JS processor to ingest pipelines and upgrade to ECS 1.8.0 23118 23875
- Update Filebeat auditd dataset to ECS 1.8.0. 23723 23118
- Updated microsoft defender_atp and m365_defender to ECS 1.8. 23897 23118
- Updated o365 module to ECS 1.8. 23118 23896
- Upgrade CEF module to ECS 1.8.0. 23832
- Upgrade fortinet/firewall to ECS 1.8 23118 23902
- Upgrade Zeek to ECS 1.8.0. 23118 23847
- Updated azure module to ECS 1.8. 23118 23927
- Update aws/s3access to ECS 1.8. 23118 23920
- Upgrade panw module to ECS 1.8 23118 23931
- Updated aws/cloudtrail fileset to ECS 1.8. 23118 23911
- Upgrade juniper/srx to ECS 1.8.0. 23118 23936
- Update mysqlenterprise module to ECS 1.8. 23118 23978
- Upgrade sophos/xg fileset to ECS 1.8.0. 23118 23967
- Upgrade system/auth to ECS 1.8 23118 23961
- Upgrade elasticsearch/audit to ECS 1.8 23118 24000
- Upgrade okta to ECS 1.8.0 and move js processor to ingest pipeline 23118 23929
- Update zoom module to ECS 1.8. 23904 23118
- Add fileset to ingest PostgreSQL CSV logs. 23334
- Add beta support for RFC 5424 to the Syslog input. 23954
Heartbeat
- Bundle synthetics dependencies with Heartbeat docker image. 23274
Heartbeat
- Update Journalbeat to ECS 1.8. 23737
Metricbeat
-
Enrich events of
state_service
metricset with Kubernetes services' metadata. 23730 - Add support for Darwin/arm M1. 24019
- Check fields are documented in AWS metricsets. 23887
- Add container.image.name and containe.name ECS fields for state_container. 23802
- Add support for the MemoryPressure, DiskPressure, OutOfDisk and PIDPressure status conditions in state_node. 23905
Packetbeat
Functionbeat
Heartbeat
- Add support for script processor. 23229
Winlogbeat
Deprecated
editAffecting all Beats
-
Selecting
full
inssl.verification_mode
option will not treat CommonName field in x509 certificates as a hostname when Subject Alternative Name is not present from v8.0. Please update your certificates so it contains at least one DNSName instead of relying on CommonName in the new major version of Beats.