IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Beats version 7.14.0
Breaking changes
Affecting all Beats
Filebeat
- Change logging in the logs input to structured logging. Some log message formats have changed. 25299
- All url.* fields apart from url.original in the Apache, Nginx, IIS, Traefik, S3Access, Cisco, F5, Fortinet, Google Workspace, Imperva, Microsoft, Netscout, O365, Sophos, Squid, Suricata, Zeek, Zia, Zoom, and ZScaler modules are now url unescaped due to using the Elasticsearch uri_parts processor. 24699
- Change source field for `event.action` in `fortinet.firewall` module to `fortinet.firewall.action` instead of `fortinet.firewall.eventtype`. 24816
- threatintel module: Changed the type of `threatintel.indicator.first_seen` from `keyword` to `date`. 26765
Heartbeat
- Add support for screenshot blocks and use newer synthetics flags that only work in newer synthetics betas. 25808
Metricbeat
- Adjust host fields to adopt new names from 1.9.0 ECS. 24312
Bugfixes
Affecting all Beats
- Omit full index template from errors that occur while loading the template. 25743
- In the script processor, the `decode_xml` and `decode_xml_wineventlog` processors are now available as `DecodeXML` and `DecodeXMLWineventlog` respectively.
- Fix encoding errors when using the disk queue on nested data with multi-byte characters 26484
Auditbeat
- file_integrity: Create fsnotify watcher only when starting file_integrity module 19505
- system/socket: Fix kprobe grouping to allow running more than one instance. 20325
- system/socket: Fixed a crash due to concurrent map read and write. 21192 21690
- auditd: Fix an error condition causing a lot of `audit_send_reply` kernel threads being created. 22673
- system/socket: Fixed start failure when run under config reloader. 20851 21693
- system/socket: Having some CPUs unavailable to Auditbeat could cause startup errors or event loss. 22827
Filebeat
- Fix mapping of `fortinet.firewall.mem` as integer. 19335
- Add `shared_credential_file` to cloudtrail config 15652 15656
- Fix integer overflow in S3 offsets when collecting very large files. 22523
- Fix issue with m365_defender when parsing incidents that have no alerts attached. 25421
- Fix default config template values for paths on oracle module. 26276
- Fix Elasticsearch compatibility for modules that use `copy_from` in `set` processors. 26629
- Change type of max_bytes in all configs to be cfgtype.ByteSize 26699
- Change `checkpoint.source_object` from Long to Keyword. 25124 25145
- Fix Nginx module pipelines. 19088 24699
- Fix incorrect field name appending to `related.hash` in `threatintel.abusechmalware` ingest pipeline. 25151 25674
- Add improvements to the azure activitylogs and platformlogs ingest pipelines. 26148
- Fix `kibana.log` pipeline when `event.duration` calculation becomes a Long. 24556 25675
- Removed incorrect `http.request.referrer` field from `aws.elb` module. 26435 26441
- Fix `threatintel.indicator.url.full` not being populated. 26351 26508
- Fix Suricata metadata fields breaking visualizations, moved out of flattened datatype. 26710
- Fix `httpjson` template data key for `url.params`. 26848
- Cisco asa/ftd: Fix reversed usage of observer ingress and egress interfaces. 26265
- Fix `aws.s3access` pipeline when remote IP is a `-`. 26913 26940
- Fix service name in aws-cloudwatch input from cloudwatchlogs to logs. 27007
Heartbeat
- Add context to otherwise ambiguous HTTP body read errors. 25499
Metricbeat
- Major refactor of system/cpu and system/core metrics. 25771
- Fix GCP Project ID being ingested as `cloud.account.id` in `gcp.billing` module 26357 26412
- Fix memory leak in SQL module when database is not available. 25840 26607
- Fix aws metric tags with resourcegroupstaggingapi paginator. 26385 26443
- Fix quoting in GCP billing table name 26855 26870
- Recover `service.address` field in vsphere module 26902 26904
Winlogbeat
- Fix `related.ip` field in renameCommonAuthFields 24892
Functionbeat
- Expose region in AWS configuration so Functionbeat can deploy the Lambda in the correct place. 26523
Added
Affecting all Beats
- Add support for defining explicitly named dynamic templates without path/type match criteria 25422
- Improve ES output error insights. 25825
- Add orchestrator.cluster.name/url fields as k8s metadata 26056
- Libbeat: report beat version to monitoring. 26214
- Ensure common proxy settings support in HTTP clients: `proxy_disabled`, `proxy_url`, `proxy_headers` and typical environment variables `HTTP_PROXY`, `HTTPS_PROXY`, `NOPROXY`. 25219
Filebeat
- Update PanOS module to parse Global Protect & User ID logs. 24722 24724 24927
- Add HMAC signature validation support for http_endpoint input. 24918
- Add new grok pattern for iptables module for Ubiquiti UDM 25615 25616
- Add multiline support to aws-s3 input. 25249 25710 25873
- Add monitoring metrics to the `aws-s3` input. 25711
- Added `network.direction` fields to Zeek and Suricata modules using the `add_network_direction` processor 24620
- Add Content-Type override to aws-s3 input. 25697 25772
- In Cisco Umbrella fileset add users from cisco.umbrella.identities to related.user. 25776
- Add fingerprint processor to generate fixed ids for `google_workspace` events. 25841
- Update PanOS module to parse HIP Match logs. 24350 25686
- Support MongoDB 4.4 in Filebeat’s MongoDB module. 20501 24774
- Enhance GCP module to populate orchestrator.* fields for GKE / K8S logs 25368
- Add log_group_name_prefix config into aws-cloudwatch input. 26187
- Move Filebeat azure module to GA. 26114 26168
- Make `filestream` input GA. 26127
- http_endpoint: Support multiple documents in a single request by POSTing an array or NDJSON format. 25764
- Add new `parser` to `filestream` input: `container`. 26115
- Add support for ISO8601 timestamps in Zeek fileset 25564
- Add possibility to include headers in resulting docs and preserve the original event in http_endpoint input 26279
- Add `preserve_original_event` option to `o365audit` input. 26273
- Add `log.flags` to events created by the `aws-s3` input. 26267
- Add `include_s3_metadata` config option to the `aws-s3` input for including object metadata in events. 26267
- RFC 5424 and UNIX socket support in the Syslog input are now GA 26293
- Update grok patterns for HA Proxy module 25827 25835
- Update PanOS module’s date processor formats to parse `strict_date_optional_time_nanos`. 26033 26158
- Update Okta module to parse additional fields to `okta.debug_context.debug_data`. 25689 25818
- Added dataset `anomalithreatstream` to the `threatintel` module to ingest indicators from Anomali ThreatStream 26350
- Add support for `copytruncate` method when rotating input logs with an external tool in `filestream` input. 23457
- Add `uri_parts` and `user_agent` ingest processors to `aws.elb` module. 26435 26441
- Added dataset `recordedfuture` to the `threatintel` module to ingest indicators from Recorded Future Connect API 26481
- Update `fortinet` ingest pipelines. 22136 25254 24816
- Release Filebeat Stack Monitoring modules as GA 26226
- Use default add_locale for fortinet.firewall 20300 26524
Heartbeat
- Add support for `copytruncate` method when rotating input logs with an external tool in `filestream` input. 23457
- Add `proxy_headers` to HTTP monitor. 25219
- Suppress too many bad message error logs when reading from corrupted journal for 5 seconds. 26224
- Add `replicas.ready` field to state_statefulset in Kubernetes module 26088
Metricbeat
- Refactor `state_*` metricsets to share response from endpoint. 25640
- Add server id to zookeeper events. 25550
- Add additional network metrics to docker/network 25354
- Migrate ec2 metricsets to use cloudwatch input. 25924
- Reduce number of requests done by kubernetes metricsets to kubelet. 25782
- Migrate rds metricsets to use cloudwatch input. 26077
- Migrate sqs metricsets to use cloudwatch input. 26117
- Collect linked account information in AWS billing. 26285
- Add total CPU to vSphere virtual machine metrics. 26167
- Add AWS Kinesis metricset. 25989
- Add Cluster filter on ECS Kubernetes overview dashboard and corresponding section on Kubernetes module documentation page. 26919
Packetbeat
Winlogbeat
- Changed the log level of the "Successfully published events" message from `info` to `debug` to reduce verbosity of the `info` logging level. To track event log reader activity use the `published_events` metric. 25617