IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Beats version 7.11.0
Breaking changes
Affecting all Beats
Auditbeat
Filebeat
- Add fileset to ingest Kibana’s ECS audit logs. 22696
- Remove suricata.eve.timestamp alias field. 10535 22095
- Rename bad ECS field name tracing.trace.id to trace.id in aws elb fileset. 22571
- Fix parsing issues with nested JSON payloads in Elasticsearch audit log fileset. 22975
- Rename network.direction values in crowdstrike/falcon to ingress/egress. 23041
Heartbeat
- Adds negative body match. 20728
Metricbeat
Packetbeat
- Update how Packetbeat classifies network directionality to bring it in line with ECS 1.7 22996
Winlogbeat
- Use ECS 1.7 ingress/egress instead of inbound/outbound network.direction in sysmon. 22997
Bugfixes
Affecting all Beats
- Fix memory leak and events duplication in docker autodiscover and add_docker_metadata. 21851
- Fix duplicated pod events in kubernetes autodiscover for pods with init or ephemeral containers. 22438
- Fix FileVersion contained in Windows exe files. 22581
- Log debug message if the Kibana dashboard cannot be imported from the archive because of an invalid archive directory structure. 12211, 13387
- Periodic metrics in logs will now report libbeat.output.events.active and beat.memstats.rss as gauges (rather than counters). 22877
- Use PROGRAMDATA environment variable instead of C:\ProgramData for windows install service 22874
- Fix reporting of cgroup metrics when running under Docker 22879
- Fix typo in config docs 23185
- Fix panic due to unhandled DeletedFinalStateUnknown in k8s OnDelete 23419
- Fix error loop with runaway CPU use when the Kafka output encounters some connection errors 23484
Auditbeat
Filebeat
- Fix Zeek dashboard reference to zeek.ssl.server.name field. 21696
- Fix network.direction logic in zeek connection fileset. 22967
- Fix aws s3 overview dashboard. 23045
- Fix bad network.direction values in Fortinet/firewall fileset. 23072
- Fix Cisco ASA/FTD module’s parsing of WebVPN log message 716002. 22966
- Add support for organization and custom prefix in AWS/CloudTrail fileset. 23109 23126
- Simplify regex for organization custom prefix in AWS/CloudTrail fileset. 23203 23204
- Fix syslog header parsing in infoblox module. 23272 23273
- Fix concurrent modification exception in Suricata ingest node pipeline. 23534
- Fix handling of ModifiedProperties field in Office 365. 23777
Heartbeat
Metricbeat
- Change Session ID type from int to string 22359
- Fix filesystem types on Windows in filesystem metricset. 22531
- Fix failures caused by custom beat names with more than 15 characters 22550
- Update NATS dashboards to leverage connection and route metricsets 22646
- Fix rate metrics in Kafka broker metricset by using last minute rate instead of mean rate. 22733
- Update config in windows.yml file. 23027 23327
- Fix metric grouping for windows/perfmon module 23489 23505
Packetbeat
- Fix SIP parser logic related to line length check. 23411
Winlogbeat
Added
Affecting all Beats
- Add istiod metricset. 21519
- Add support for OpenStack SSL metadata APIs in add_cloud_metadata. 21590
- Add cloud.account.id for GCP into add_cloud_metadata processor. 21776
- Add proxy metricset for istio module. 21751
- Add kubernetes.node.hostname metadata of Kubernetes node. 22189
- Enable always add_resource_metadata for Pods and Services of kubernetes autodiscovery. 22189
- Add add_resource_metadata option setting (always enabled) for add_kubernetes_metadata setting. 22189
- Add support for ephemeral containers in kubernetes autodiscover and add_kubernetes_metadata. 22389 22439
- Added support for wildcard fields and keyword fallback in beats setup commands. 22521
- Fix polling node when it is not ready and monitor by hostname 22666
- Add expand_keys option to decode_json_fields processor and json input, to recursively de-dot and expand json keys into hierarchical object structures 22849
- Update k8s client and release k8s leader lock gracefully 22919
- Improve event normalization performance 22974
- Add tini as init system in docker images 22137
- Added "detect_mime_type" processor for detecting mime types 22940
- Added "add_network_direction" processor for determining perimeter-based network direction. 23076
- Added new rate_limit processor for enforcing rate limits on event throughput. 22883
- Allow node/namespace metadata to be disabled on kubernetes metagen and ensure add_kubernetes_metadata honors host 23012
- Improve equals check. 22778
Auditbeat
Filebeat
- Adding support for Oracle Database Audit Logs 21991
- Add max_number_of_messages config into s3 input. 21993
- Add SSL option to checkpoint module 19560
- Added support for MySQL Enterprise audit logs. 22273
- Rename googlecloud module to gcp module. 22214
- Rename awscloudwatch input to aws-cloudwatch. 22228
- Rename google-pubsub input to gcp-pubsub. 22213
- Copy tag names from MISP data into events. 21664
- Added TLS JA3 fingerprint, certificate not_before/not_after, certificate SHA1 hash, and certificate subject fields to Zeek SSL dataset. 21696
- Add platform logs in the azure filebeat module. 22371
- Added event.ingested field to data from the Netflow module. 22412
- Improve panw ECS url fields mapping. 22481
- Improve Nats filebeat dashboard. 22726
- Add support for UNIX datagram sockets in unix input. 18632 22699
- Add http.request.mime_type for Elasticsearch audit log fileset. 22975
- Add new httpjson input features and mark old config ones for deprecation 22320
- Add configuration option to set external and internal networks for panw panos fileset 22998
- Add subdomain fields for rsa2elk modules. 23035
- Add subdomain enrichment for suricata/eve fileset. 23011
- Add subdomain enrichment for zeek/dns fileset. 23011
- Add event.category "configuration" to auditd module events. 23010
- Add event.category "configuration" to gsuite module events. 23010
- Add event.category "configuration" to o365 module events. 23010
- Add event.category "configuration" to zoom module events. 23010
- Add network.direction to auditd/log fileset. 23041
- Add logic for external network.direction in sophos xg fileset 22973
- Preserve AWS CloudTrail eventCategory in aws.cloudtrail.event_category. 22776 22805
- Add top_level_domain enrichment for suricata/eve fileset. 23046
- Add top_level_domain enrichment for zeek/dns fileset. 23046
- Add observer.egress.zone and observer.ingress.zone for cisco/asa and cisco/ftd filesets. 23068
- Allow cisco/asa and cisco/ftd filesets to override network directionality based off of zones. 23068
- Allow cef and checkpoint modules to override network directionality based off of zones 23066
- Add network.direction to netflow/log fileset. 23052
- Add the ability to override network.direction based on interfaces in Fortinet/firewall fileset. 23072
- Add network.direction override by specifying internal_networks in gcp module. 23081
- Migrate microsoft/defender_atp to httpjson v2 config 23017
- Migrate microsoft/m365_defender to httpjson v2 config 23018
- Migrate okta to httpjson v2 config 23059
- Add support for Snyk Vulnerability and Audit API. 22677
- Misp improvements: Migration to httpjson v2 config, pagination and deduplication ID 23070
- Add Google Workspace module and mark Gsuite module as deprecated 22950
- Mark m365 defender, defender atp, okta and google workspace modules as GA 23113
- Added alternative_host option to google pubsub input 23215
Heartbeat
- Add mime type detection for http responses. 22976
Metricbeat
- Move s3_daily_storage and s3_request metricsets to use cloudwatch input. 21703
- Duplicate system.process.cmdline field with process.command_line ECS field name. 22325
- Add awsfargate module task_stats metricset to monitor AWS ECS Fargate. 22034
- Add connection and route metricsets for nats metricbeat module to collect metrics per connection/route. 22445
- Add unit file states to system/service 22557
- kibana module: stats metricset no longer collects usage-related data. 22732
- Add more TCP states to Metricbeat system socket_summary. 14347
- Add io.ops in fields exported by system.diskio. 22066
- Adjust the Apache status fields in the fleet mode. 22821
- Add AWS Fargate overview dashboard. 22941
- Add process.state, process.cpu.pct, process.cpu.start_time and process.memory.pct. 22845
- Move IIS module to GA and map fields. 22609 23024
- Apache: convert status.total_kbytes to status.total_bytes in fleet mode. 23022
- Release MSSQL as GA 23146
Packetbeat
Winlogbeat
- Add file.pe and process.pe fields to ProcessCreate & LoadImage events in Sysmon module. 17335 22217
- Add dns.question.subdomain fields for sysmon DNS events. 22999
- Add additional event categorization for security and sysmon modules. 22988
- Add dns.question.top_level_domain fields for sysmon DNS events. 23046
Elastic Log Driver
- Add new winlogbeat security dashboard 18775
Deprecated
Filebeat