Beats version 7.14.0

edit

View commits

Breaking changes

edit

Affecting all Beats

  • Removed beats central management 25696, 23908
  • MacOSX minimum supported version set to 10.14 24193

Filebeat

  • Change logging in logs input to structure logging. Some log message formats have changed. 25299
  • All url.* fields apart from url.original in the Apache, Nginx, IIS, Traefik, S3Access, Cisco, F5, Fortinet, Google Workspace, Imperva, Microsoft, Netscout, O365, Sophos, Squid, Suricata, Zeek, Zia, Zoom, and ZScaler modules are now url unescaped due to using the Elasticsearch uri_parts processor. 24699
  • Change source field for event.action in fortinet.firewall module to fortinet.firewall.action instead of fortinet.firewall.eventtype. 24816
  • threatintel module: Changed the type of threatintel.indicator.first_seen from keyword to date. 26765

Heartbeat

  • Add support for screenshot blocks and use newer synthetics flags that only works in newer synthetics betas. 25808

Metricbeat

  • Adjust host fields to adopt new names from 1.9.0 ECS. 24312

Bugfixes

edit

Affecting all Beats

  • Omit full index template from errors that occur while loading the template. 25743
  • In the script processor, the decode_xml and decode_xml_wineventlog processors are now available as DecodeXML and DecodeXMLWineventlog respectively.
  • Fix encoding errors when using the disk queue on nested data with multi-byte characters 26484

Auditbeat

  • file_integrity: Create fsnotify watcher only when starting file_integrity module 19505
  • system/socket: Fix kprobe grouping to allow running more than one instance. 20325
  • system/socket: Fixed a crash due to concurrent map read and write. 21192 21690
  • auditd: Fix an error condition causing a lot of audit_send_reply kernel threads being created. 22673
  • system/socket: Fixed start failure when run under config reloader. 20851 21693
  • system/socket: Having some CPUs unavailable to Auditbeat could cause startup errors or event loss. 22827

Filebeat

  • Fix mapping of fortinet.firewall.mem as integer. 19335
  • Add shared_credential_file to cloudtrail config 15652 15656
  • Fix integer overflow in S3 offsets when collecting very large files. 22523
  • Fix issue with m365_defender, when parsing incidents that has no alerts attached: 25421
  • Fix default config template values for paths on oracle module: 26276
  • Fix Elasticsearch compatibility for modules that use copy_from in set processors. 26629
  • Change type of max_bytes in all configs to be cfgtype.ByteSize 26699
  • Change checkpoint.source_object from Long to Keyword. 25124 25145
  • Fix Nginx module pipelines. 19088 24699
  • Fix incorrect field name appending to related.hash in threatintel.abusechmalware ingest pipeline. 25151 25674
  • Add improvements to the azure activitylogs and platformlogs ingest pipelines. 26148
  • Fix kibana.log pipeline when event.duration calculation becomes a Long. 24556 25675
  • Removed incorrect http.request.referrer field from aws.elb module. 26435 26441
  • Fix threatintel.indicator.url.full not being populated. 26351 26508
  • Fix Suricata metadata fields breaking visualizations, moved out of flattened datatype. 26710
  • Fix httpjson template data key for url.params. 26848
  • Cisco asa/ftd: Fix reversed usage of observer ingress and egress interfaces. 26265
  • Fix aws.s3access pipeline when remote IP is a -. 26913 26940
  • Fix service name in aws-cloudwatch input from cloudwatchlogs to logs. 27007

Heartbeat

  • Add Context to otherwise ambiguous HTTP body read errors. 25499

Metricbeat

  • Major refactor of system/cpu and system/core metrics. 25771
  • Fix GCP Project ID being ingested as cloud.account.id in gcp.billing module 26357 26412
  • Fix memory leak in SQL module when database is not available. 25840 26607
  • Fix aws metric tags with resourcegroupstaggingapi paginator. 26385 26443
  • Fix quoting in GCP billing table name 26855 26870
  • Recover service.address field in vsphere module 26902 26904

Winlogbeat

  • Fix related.ip field in renameCommonAuthFields 24892

Functionbeat

  • Expose region in AWS configuration so Functionbeat can deploy the Lambda in the correct place. 26523

Added

edit

Affecting all Beats

  • Add support for defining explicitly named dynamic templates without path/type match criteria 25422
  • Improve ES output error insights. 25825
  • Add orchestrator.cluster.name/url fields as k8s metadata 26056
  • Libbeat: report beat version to monitoring. 26214
  • Ensure common proxy settings support in HTTP clients: proxy_disabled, proxy_url, proxy_headers and typical environment variables HTTP_PROXY, HTTPS_PROXY, NOPROXY. 25219

Filebeat

  • Update PanOS module to parse Global Protect & User ID logs. 24722 24724 24927
  • Add HMAC signature validation support for http_endpoint input. 24918
  • Add new grok pattern for iptables module for Ubiquiti UDM 25615 25616
  • Add multiline support to aws-s3 input. 25249 25710 25873
  • Add monitoring metrics to the aws-s3 input. 25711
  • Added network.direction fields to Zeek and Suricata modules using the add_network_direction processor 24620
  • Add Content-Type override to aws-s3 input. 25697 25772
  • In Cisco Umbrella fileset add users from cisco.umbrella.identities to related.user. 25776
  • Add fingerprint processor to generate fixed ids for google_workspace events. 25841
  • Update PanOS module to parse HIP Match logs. 24350 25686
  • Support MongoDB 4.4 in filebeat’s MongoDB module. 20501 24774
  • Enhance GCP module to populate orchestrator.* fields for GKE / K8S logs 25368
  • Add log_group_name_prefix config into aws-cloudwatch input. 26187
  • Move Filebeat azure module to GA. 26114 26168
  • Make filestream input GA. 26127
  • http_endpoint: Support multiple documents in a single request by POSTing an array or NDJSON format. 25764
  • Add new parser to filestream input: container. 26115
  • Add support for ISO8601 timestamps in Zeek fileset 25564
  • Add possibility to include headers in resulting docs and preserve the original event in http_endpoint input 26279
  • Add preserve_original_event option to o365audit input. 26273
  • Add log.flags to events created by the aws-s3 input. 26267
  • Add include_s3_metadata config option to the aws-s3 input for including object metadata in events. 26267
  • RFC 5424 and UNIX socket support in the Syslog input are now GA 26293
  • Update grok patterns for HA Proxy module 25827 25835
  • Update PanOS module’s date processor formats to parse strict_date_optional_time_nanos. 26033 26158
  • Update Okta module to parse additional fields to okta.debug_context.debug_data. 25689 25818
  • Added dataset anomalithreatstream to the threatintel module to ingest indicators from Anomali ThreatStream 26350
  • Add support for copytruncate method when rotating input logs with an external tool in filestream input. 23457
  • Add uri_parts and user_agent ingest processors to aws.elb module. 26435 26441
  • Added dataset recordedfuture to the threatintel module to ingest indicators from Recorded Future Connect API 26481
  • Update fortinet ingest pipelines. 22136 25254 24816
  • Release Filebeat Stack Monitoring modules as GA 26226
  • Use default add_locale for fortinet.firewall 20300 26524

Heartbeat

  • Add support for copytruncate method when rotating input logs with an external tool in filestream input. 23457
  • Add proxy_headers to HTTP monitor. 25219
  • Suppress too many bad message error logs when reading from corrupted journal for 5 seconds. 26224
  • Add replicas.ready field to state_statefulset in Kubernetes module 26088

Metricbeat

  • Refactor state_* metricsets to share response from endpoint. 25640
  • Add server id to zookeeper events. 25550
  • Add additional network metrics to docker/network 25354
  • Migrate ec2 metricsets to use cloudwatch input. 25924
  • Reduce number of requests done by kubernetes metricsets to kubelet. 25782
  • Migrate rds metricsets to use cloudwatch input. 26077
  • Migrate sqs metricsets to use cloudwatch input. 26117
  • Collect linked account information in AWS billing. 26285
  • Add total CPU to vSphere virtual machine metrics. 26167
  • Add AWS Kinesis metricset. 25989
  • Add Cluster filter on ECS Kubernetes overview dashboard and corresponding section on Kubernetes module documentation page. 26919

Packetbeat

Winlogbeat

  • Changed the log level of the "Successfully published events" message from info to debug to reduce verbosity of the info logging level. To track event log reader activity use the published_events metric. 25617

Deprecated

edit

Filebeat

  • Deprecate the MISP module. The Threat Intel module should be used instead. 25240