Beats version 7.11.0

Breaking changes

Affecting all Beats

  • Allow embedding CA certificates, client certificates and private keys directly in the configuration for anything that supports TLS in outputs and inputs. 21179
  • Update to ECS 1.7.0. 22571
  • Add support for SCRAM-SHA-512 and SCRAM-SHA-256 in Kafka output. 12867

Auditbeat

  • Use ECS 1.7 ingress/egress network directions instead of inbound/outbound for system/socket. 22991
  • Use ingress/egress instead of inbound/outbound for ECS 1.7 in auditd module. 23000

Filebeat

  • Add fileset to ingest Kibana’s ECS audit logs. 22696
  • Remove suricata.eve.timestamp alias field. 10535 22095
  • Rename bad ECS field name tracing.trace.id to trace.id in aws elb fileset. 22571
  • Fix parsing issues with nested JSON payloads in Elasticsearch audit log fileset. 22975
  • Rename network.direction values in crowdstrike/falcon to ingress/egress. 23041

Heartbeat

  • Add negative body match. 20728

Metricbeat

  • Change cloud.provider from googlecloud to gcp. 21775
  • Rename googlecloud module to gcp module. 22246
  • Use ingress/egress instead of inbound/outbound for system/socket metricset. 22992
  • Change types of numeric metrics from Kubelet summary api to double so as to cover big numbers. 23335

Packetbeat

  • Update how Packetbeat classifies network directionality to bring it in line with ECS 1.7. 22996

Winlogbeat

  • Use ECS 1.7 ingress/egress instead of inbound/outbound network.direction in sysmon. 22997

Bugfixes

Affecting all Beats

  • Fix memory leak and events duplication in docker autodiscover and add_docker_metadata. 21851
  • Fix duplicated pod events in kubernetes autodiscover for pods with init or ephemeral containers. 22438
  • Fix FileVersion contained in Windows exe files. 22581
  • Log a debug message if the Kibana dashboard cannot be imported from the archive because of an invalid archive directory structure. 12211, 13387
  • Periodic metrics in logs will now report libbeat.output.events.active and beat.memstats.rss as gauges (rather than counters). 22877
  • Use the PROGRAMDATA environment variable instead of C:\ProgramData when installing the Windows service. 22874
  • Fix reporting of cgroup metrics when running under Docker. 22879
  • Fix typo in config docs. 23185
  • Fix panic due to unhandled DeletedFinalStateUnknown in the Kubernetes OnDelete handler. 23419
  • Fix error loop with runaway CPU use when the Kafka output encounters some connection errors. 23484

Auditbeat

  • file_integrity: stop monitoring excluded paths. 21278 21282
  • Note incompatibility of system/socket on ARM. 23381

Filebeat

  • Fix Zeek dashboard reference to zeek.ssl.server.name field. 21696
  • Fix network.direction logic in zeek connection fileset. 22967
  • Fix aws s3 overview dashboard. 23045
  • Fix bad network.direction values in Fortinet/firewall fileset. 23072
  • Fix Cisco ASA/FTD module’s parsing of WebVPN log message 716002. 22966
  • Add support for organization and custom prefix in AWS/CloudTrail fileset. 23109 23126
  • Simplify regex for organization custom prefix in AWS/CloudTrail fileset. 23203 23204
  • Fix syslog header parsing in infoblox module. 23272 23273
  • Fix concurrent modification exception in Suricata ingest node pipeline. 23534
  • Fix handling of ModifiedProperties field in Office 365. 23777

Heartbeat

  • Fixed missing tls fields when connecting to https via proxy. 15797 22190

Metricbeat

  • Change Session ID type from int to string. 22359
  • Fix filesystem types on Windows in filesystem metricset. 22531
  • Fix failures caused by custom beat names with more than 15 characters. 22550
  • Update NATS dashboards to leverage connection and route metricsets. 22646
  • Fix rate metrics in Kafka broker metricset by using last minute rate instead of mean rate. 22733
  • Update config in windows.yml file. 23027 23327
  • Fix metric grouping for windows/perfmon module. 23489 23505

Packetbeat

  • Fix SIP parser logic related to line length check. 23411

Winlogbeat

  • Protect against accessing an undefined variable in Security module. 22937
  • Add source.ip validation for event ID 4778 in the Security module. 19627

Added

Affecting all Beats

  • Add istiod metricset. 21519
  • Add support for OpenStack SSL metadata APIs in add_cloud_metadata. 21590
  • Add cloud.account.id for GCP into add_cloud_metadata processor. 21776
  • Add proxy metricset for istio module. 21751
  • Add kubernetes.node.hostname metadata of Kubernetes node. 22189
  • Always enable add_resource_metadata for Pods and Services in Kubernetes autodiscovery. 22189
  • Add an add_resource_metadata option (always enabled) to the add_kubernetes_metadata processor. 22189
  • Add support for ephemeral containers in kubernetes autodiscover and add_kubernetes_metadata. 22389 22439
  • Added support for wildcard fields and keyword fallback in beats setup commands. 22521
  • Fix polling a Kubernetes node when it is not ready, and monitor it by hostname. 22666
  • Add expand_keys option to the decode_json_fields processor and the json input, to recursively de-dot and expand JSON keys into hierarchical object structures. 22849
  • Update the Kubernetes client and release the Kubernetes leader lock gracefully. 22919
  • Improve event normalization performance. 22974
  • Add tini as init system in docker images. 22137
  • Added "detect_mime_type" processor for detecting mime types. 22940
  • Added "add_network_direction" processor for determining perimeter-based network direction. 23076
  • Added new rate_limit processor for enforcing rate limits on event throughput. 22883
  • Allow node/namespace metadata to be disabled in the Kubernetes metadata generator, and ensure add_kubernetes_metadata honors the host setting. 23012
  • Improve equals check. 22778
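How the expand_keys behaviour described above (de-dotting keys into nested objects) works, as an added Python example written for this page rather than the Beats processor's own Go implementation. It recursively expands dotted keys, traverses lists, merges siblings such as "a.b" and "a": {...} into one object, and raises on a collision between a scalar and an object instead of silently overwriting one of them; the collision behaviour and the function names are this example's choices, not something the changelog specifies.

```python
from typing import Any, Dict


def _deep_merge(dst: Dict[str, Any], src: Dict[str, Any]) -> None:
    """Merge src into dst in place; nested objects merge, anything else must not collide."""
    for key, value in src.items():
        if isinstance(dst.get(key), dict) and isinstance(value, dict):
            _deep_merge(dst[key], value)
        elif key in dst:
            raise ValueError(f"key {key!r} conflicts with an existing value")
        else:
            dst[key] = value


def expand_keys(obj: Any) -> Any:
    """Recursively expand dotted keys into nested dicts.

    {"a.b": 1, "c": {"d.e": 2}} -> {"a": {"b": 1}, "c": {"d": {"e": 2}}}
    Lists are traversed so dotted keys inside them are expanded as well.
    Raises ValueError when a dotted key collides with a scalar, e.g.
    {"a": 1, "a.b": 2}, rather than dropping one of the two values.
    """
    if isinstance(obj, list):
        return [expand_keys(v) for v in obj]
    if not isinstance(obj, dict):
        return obj

    out: Dict[str, Any] = {}
    for key, value in obj.items():
        value = expand_keys(value)  # expand nested objects first
        parts = key.split(".")
        node = out
        # Walk (creating as needed) every path component except the last.
        for part in parts[:-1]:
            child = node.get(part)
            if child is None:
                child = node[part] = {}
            elif not isinstance(child, dict):
                raise ValueError(f"key {key!r} conflicts with non-object value at {part!r}")
            node = child
        last = parts[-1]
        existing = node.get(last)
        if isinstance(existing, dict) and isinstance(value, dict):
            _deep_merge(existing, value)
        elif last in node:
            raise ValueError(f"key {key!r} conflicts with an existing value")
        else:
            node[last] = value
    return out


if __name__ == "__main__":
    # Constructed sample payload, not a real Beats event.
    sample = {"a.b": 1, "a": {"c": 2}, "events": [{"x.y": "z"}], "plain": True}
    print(expand_keys(sample))
```

Because the merge is order-independent, {"a.b": 1, "a": {"c": 2}} and {"a": {"c": 2}, "a.b": 1} both yield {"a": {"b": 1, "c": 2}}; only a scalar/object clash is rejected.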

Auditbeat

  • Add several improvements for auditd module for improved ECS field mapping. 22647
  • Add ECS 1.7 configuration categorization in certain events in auditd module. 23000

Filebeat

  • Add support for Oracle Database audit logs. 21991
  • Add max_number_of_messages config option to the s3 input. 21993
  • Add SSL option to the checkpoint module. 19560
  • Added support for MySQL Enterprise audit logs. 22273
  • Rename googlecloud module to gcp module. 22214
  • Rename awscloudwatch input to aws-cloudwatch. 22228
  • Rename google-pubsub input to gcp-pubsub. 22213
  • Copy tag names from MISP data into events. 21664
  • Added TLS JA3 fingerprint, certificate not_before/not_after, certificate SHA1 hash, and certificate subject fields to Zeek SSL dataset. 21696
  • Add platform logs in the azure filebeat module. 22371
  • Added event.ingested field to data from the Netflow module. 22412
  • Improve panw ECS url fields mapping. 22481
  • Improve Nats filebeat dashboard. 22726
  • Add support for UNIX datagram sockets in unix input. 18632 22699
  • Add http.request.mime_type for Elasticsearch audit log fileset. 22975
  • Add new httpjson input features and mark old config options as deprecated. 22320
  • Add configuration option to set external and internal networks for panw panos fileset. 22998
  • Add subdomain fields for rsa2elk modules. 23035
  • Add subdomain enrichment for suricata/eve fileset. 23011
  • Add subdomain enrichment for zeek/dns fileset. 23011
  • Add event.category "configuration" to auditd module events. 23010
  • Add event.category "configuration" to gsuite module events. 23010
  • Add event.category "configuration" to o365 module events. 23010
  • Add event.category "configuration" to zoom module events. 23010
  • Add network.direction to auditd/log fileset. 23041
  • Add logic for external network.direction in sophos xg fileset. 22973
  • Preserve AWS CloudTrail eventCategory in aws.cloudtrail.event_category. 22776 22805
  • Add top_level_domain enrichment for suricata/eve fileset. 23046
  • Add top_level_domain enrichment for zeek/dns fileset. 23046
  • Add observer.egress.zone and observer.ingress.zone for cisco/asa and cisco/ftd filesets. 23068
  • Allow cisco/asa and cisco/ftd filesets to override network directionality based off of zones. 23068
  • Allow cef and checkpoint modules to override network directionality based off of zones 23066
  • Add network.direction to netflow/log fileset. 23052
  • Add the ability to override network.direction based on interfaces in Fortinet/firewall fileset. 23072
  • Add network.direction override by specifying internal_networks in gcp module. 23081
  • Migrate microsoft/defender_atp to httpjson v2 config. 23017
  • Migrate microsoft/m365_defender to httpjson v2 config. 23018
  • Migrate okta to httpjson v2 config. 23059
  • Add support for Snyk Vulnerability and Audit API. 22677
  • Misp improvements: migration to httpjson v2 config, pagination and deduplication ID. 23070
  • Add Google Workspace module and mark Gsuite module as deprecated. 22950
  • Mark m365 defender, defender atp, okta and google workspace modules as GA. 23113
  • Added alternative_host option to google pubsub input. 23215
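Several entries in this release hinge on the ECS 1.7 split between host-based direction (ingress/egress, used by system/socket, auditd, sysmon and Packetbeat, which observe from the endpoint itself) and perimeter-based direction (inbound/outbound/internal/external, as computed by the new add_network_direction processor and by the internal_networks or zone settings added to the panw, gcp, cisco, fortinet and other filesets). The following Python example, written for this page and not the Beats processor's own Go implementation, shows both classifications over constructed events. The named range "private" and the option names source/destination/target/internal_networks are modelled on the processor as described above; the exact set of supported named ranges and the handling of unparsable addresses are this example's assumptions.

```python
import ipaddress
from typing import Dict, List, Sequence, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Named ranges accepted alongside CIDRs. The names are assumed to mirror the
# ones Beats network settings accept; the CIDRs are the standard RFC ranges.
NAMED_NETWORKS: Dict[str, List[str]] = {
    "private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7"],
    "loopback": ["127.0.0.0/8", "::1/128"],
    "link_local_unicast": ["169.254.0.0/16", "fe80::/10"],
    "multicast": ["224.0.0.0/4", "ff00::/8"],
}


def parse_internal_networks(spec: Sequence[str]) -> List[Net]:
    """Expand a mixed list of CIDRs and named ranges into network objects."""
    nets: List[Net] = []
    for item in spec:
        if item in NAMED_NETWORKS:
            nets.extend(ipaddress.ip_network(c) for c in NAMED_NETWORKS[item])
        else:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def is_internal(ip: str, internal: Sequence[Net]) -> bool:
    """True when ip falls inside any configured internal network (same IP version)."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net for net in internal)


def network_direction(src: str, dst: str, internal: Sequence[Net]) -> str:
    """Perimeter-based direction per ECS 1.7: internal/outbound/inbound/external."""
    s, d = is_internal(src, internal), is_internal(dst, internal)
    if s and d:
        return "internal"
    if s:
        return "outbound"
    if d:
        return "inbound"
    return "external"


def host_direction(host_ip: str, src: str, dst: str) -> str:
    """Host-based direction per ECS 1.7 (ingress/egress) from the observer's own IP."""
    if dst == host_ip:
        return "ingress"
    if src == host_ip:
        return "egress"
    return "unknown"


def add_network_direction(event: dict, internal_networks: Sequence[str],
                          source: str = "source.ip", destination: str = "destination.ip",
                          target: str = "network.direction") -> dict:
    """Enrich a flat (dotted-key) event in place and return it.

    Events missing either address, or carrying an unparsable one, are
    returned unchanged (this example's choice; the page does not describe
    the processor's error handling).
    """
    src, dst = event.get(source), event.get(destination)
    if src is None or dst is None:
        return event
    try:
        event[target] = network_direction(src, dst, parse_internal_networks(internal_networks))
    except ValueError:
        pass
    return event


if __name__ == "__main__":
    # Constructed sample events, not real firewall or endpoint logs.
    samples = [
        {"source.ip": "10.1.2.3", "destination.ip": "8.8.8.8"},
        {"source.ip": "203.0.113.5", "destination.ip": "192.168.1.10"},
        {"source.ip": "10.1.2.3", "destination.ip": "172.16.0.9"},
        {"source.ip": "203.0.113.5", "destination.ip": "198.51.100.7"},
        {"source.ip": "fd00::1", "destination.ip": "2001:db8::1"},
        {"source.ip": "not-an-ip", "destination.ip": "8.8.8.8"},
    ]
    for ev in samples:
        print(add_network_direction(ev, ["private"]))
    print(host_direction("10.1.2.3", "10.1.2.3", "8.8.8.8"))  # the host is the source
```

The practical point for detection content: the same flow can legitimately carry network.direction "egress" from Auditbeat on the host and "outbound" from a firewall fileset at the perimeter, so rules should match on the value set appropriate to the observer rather than assume one vocabulary.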

Heartbeat

  • Add mime type detection for http responses. 22976

Metricbeat

  • Move s3_daily_storage and s3_request metricsets to use cloudwatch input. 21703
  • Duplicate system.process.cmdline field with process.command_line ECS field name. 22325
  • Add awsfargate module task_stats metricset to monitor AWS ECS Fargate. 22034
  • Add connection and route metricsets for nats metricbeat module to collect metrics per connection/route. 22445
  • Add unit file states to system/service. 22557
  • kibana module: stats metricset no-longer collects usage-related data. 22732
  • Add more TCP states to Metricbeat system socket_summary. 14347
  • Add io.ops in fields exported by system.diskio. 22066
  • Adjust the Apache status fields in the fleet mode. 22821
  • Add AWS Fargate overview dashboard. 22941
  • Add process.state, process.cpu.pct, process.cpu.start_time and process.memory.pct. 22845
  • Move IIS module to GA and map fields. 22609 23024
  • Apache: convert status.total_kbytes to status.total_bytes in fleet mode. 23022
  • Release MSSQL as GA. 23146

Packetbeat

  • Add support for overriding the published index on a per-protocol/flow basis. 22134
  • Change build process for x-pack distribution. 21979
  • Tuned the internal queue size to reduce the chances of events being dropped. 22650
  • Add support for "http.request.mime_type" and "http.response.mime_type". 22940

Winlogbeat

  • Add file.pe and process.pe fields to ProcessCreate & LoadImage events in Sysmon module. 17335 22217
  • Add dns.question.subdomain fields for sysmon DNS events. 22999
  • Add additional event categorization for security and sysmon modules. 22988
  • Add dns.question.top_level_domain fields for sysmon DNS events. 23046

Elastic Log Driver

  • Add new winlogbeat security dashboard. 18775

Deprecated

Filebeat

  • The experimental modules for Citrix Netscaler and Symantec Endpoint Protection have been removed. As we continue to expand our coverage of common security data sources, we may consider supporting Citrix Netscaler and Symantec Endpoint Protection in a future release. 23129 23130

Known Issue