Beats version 8.0.0

edit

View commits

Breaking changes

edit

Affecting all Beats

  • Remove the deprecated xpack.monitoring.* settings. Going forward only monitoring.* settings may be used. 9424 18608
  • Remove deprecated/undocumented IncludeCreatorMetadata setting from kubernetes metadata config options. 28006
  • Remove deprecated fields from kubernetes module. 28046
  • Remove deprecated config option aws_partition. 28120
  • Improve stats API by adding host metadata. 27963
  • Libbeat: logp package forces ECS compliant logs. Logs are JSON formatted. Options to enable ECS/JSON have been removed. 15544 28573
  • Remove auto from the available options of setup.ilm.enabled and set the default value to true. 28671
  • add_process_metadata processor: Replace usage of deprecated process.ppid field with process.parent.pid. 28620
  • add_docker_metadata processor: Replace usage of deprecated process.ppid field with process.parent.pid. 28620
  • Use data streams instead of indices for storing events from Beats. 28450
  • Remove option setup.template.type and always load composable template with data streams. 28450
  • Remove several ILM options (rollover_alias and pattern) as data streams do not require index aliases. 28450
  • Populate index template’s default_fields setting with ECS fields only. 28596 28215
  • Remove deprecated --template and --ilm-policy flags. Use --index-management instead. 28870
  • Remove logging.files.suffix option, and default to datetime endings in log file names. The format of the new name is {beatname}-{date}(-n)?.ndjson. Example log file names from oldest to newest: filebeat-20200101.ndjson, filebeat-20200101-1.ndjson, filebeat-20200101-2.ndjson. 28927
  • Align kubernetes configuration settings. 29908
  • Change log file extension for Beats and Elastic Agent to .ndjson. If you are collecting the logs, you must change the path configuration to /path/to/logs/{beatname}*.ndjson to avoid any issues. 28927
  • Remove legacy support for SSLv3. 30071

Filebeat

  • Add while_pattern type to multiline reader. 19662
  • auditd dataset: Use process.args to store program arguments instead of auditd.log.aNNN fields. 29601
  • Remove deprecated old awscloudwatch input name. 29844
  • Remove docker input. Please use filestream input with container parser or container input. 28817

Metricbeat

  • Remove network and diskio metrics from ec2 metricset. 28316
  • Rename read/write_io.ops_per_sec to read/write.iops in rds metricset. 28350
  • system/process metricset: Replace usage of deprecated process.ppid field with process.parent.pid. 28620

Packetbeat

  • event.category no longer contains the value network_traffic because this is not a valid ECS event category value. 20556
  • Remove deprecated TLS fields in favor of tls.server.x509 and tls.client.x509 ECS fields. 28487
  • HTTP: The field http.request.method will maintain its original case. 28620

Winlogbeat

  • Remove top level hash property from sysmon events. 20653
  • Move module processing from local Javascript processor to ingest node. 29184 29435

Bugfixes

edit

Auditbeat

  • libbeat/processors/add_process_metadata: Fix memory leak in process cache. 24890 29717

Filebeat

  • Fix using log_group_name_prefix in aws-cloudwatch input. 29695

Heartbeat

  • Add fonts to support more types of characters for multiple languages. 29861

Metricbeat

  • Extract correct index property in kibana.stats metricset. 29622
  • Fixed bug with elasticsearch/cluster_stats metricset not recording license expiration date correctly. 29711

Packetbeat

  • Prevent incorrect use of AMQP protocol parsing from causing silent failure. 29017
  • Fix error handling in MongoDB protocol parsing. 29017
  • Redis: fix incorrectly handle with two-words redis command. 14872 14873
  • Unify gopacket dependencies. 29167

Added

edit

Affecting all Beats

  • Add config option rotate_on_startup to file output. 19150 19347
  • Update to ECS 8.0 fields. 28620
  • Support custom analyzers in fields.yml. 28540 28926
  • Support self-signed certificates on outputs. 29229
  • Add FIPS configuration option for all AWS API calls. 28899
  • Warn users when connecting to older versions of Elasticsearch instances. 29723
  • add_fields processor is now able to set metadata in events. 30092

Auditbeat

  • system/process: Prevent hashing files in other mnt namespaces. 25777 29678 29786

Metricbeat

  • Add preliminary AIX support. 27954
  • Add option to skip older k8s events. 29396
  • Add elasticsearch.cluster.id field to Beat and Kibana modules. 29577
  • Add elasticsearch.cluster.id field to Logstash module. 29625

Winlogbeat

  • Add support for sysmon event ID 26; FileDeleteDetected. 26280 29957

Elastic Log Driver

  • Fixed docs for hosts. 23644