Beats version 8.4.0
editBeats version 8.4.0
editKnown Issues
editAuditbeat
Auditbeat/auditd integration will send malformed data and may crash in version 8.4.0. 32818
Suggested resolution: Do not start Auditbeat or auditd integration on Elastic Agent at version 8.4.0. Skip 8.4.0 and upgrade directly to 8.4.1.
This issue is resolved in 8.4.1 and later.
Filebeat
Filebeat agents configured to read from AWS inputs may return an error similar to the following:
sqs ReceiveMessage failed: operation error SQS: ReceiveMessage, https response error StatusCode: 403, RequestID: cb57783a-505f-5099-9160-23b8eea8ddbb, api error SignatureDoesNotMatch: Credential should be scoped to a valid region.
This error was introduced by a breaking change in the AWS library.
This issue also affects FIPS-enabled endpoints. If you rely on FIPS, do not upgrade until version 8.4.2 of the Elastic Stack is available. The workaround documented here will not resolve this problem.
Suggested resolution: In the Filebeat configuration, if an AWS input or module
configuration sets endpoint
to a non empty string, set it to an empty string
instead. Also make sure the default AWS region is set in an environment
variable, credentials or instance profile, or in the default_region
setting in
the configuration. For example:
Or for modules:
Breaking changes
editHeartbeat
- Browser monitors (beta) now write to the synthetics-*
index prefix. 32064
- Setting a custom index for a given monitor is now deprecated. Streams are preferred. 32064
- Browser monitors now default to a max concurrency of two. 32564
Bugfixes
editAffecting all Beats
Auditbeat
Filebeat
Heartbeat
- Send targetted error message for unexpected synthetics exits. 31936
- Reduced memory usage slightly for browser monitors. 32317
- Automatically kill zombie-ish node processes. 32393
- Added timeout for browser monitors. 32434
- Fix bug with browser jobs that had missing check groups or sent empty events. 32542
Metricbeat
- Update Kubernetes apiserver metricset to not collect deprecated metrics and fix dashboard. 31973
- Check for nil metadata in GCP. 32281
- Update Kubernetes controllermanager metricset to not collect deprecated metrics and fix dashboard. 32037
- Fix ARN parsing for Cloudwatch resource names with leading slashes. 32358
- Fix an infinite loop in AWS billing metricset. 32626
- Add missing metrics in AWS Transit Gateway module 32617
- Replace internal expiring cache used by the Kubernetes module with in-memory dictionary. 32539
- Oracle Module: Refactor module to use existing host parsers instead of doing its own parsing of hosts. 31611 #31692
- Oracle Module: Correctly handle special characters in the connection string. 24609 #31368
Winlogbeat
Added
editAffecting all Beats
- Improve performance of disk queue by coalescing writes. 31935
Auditbeat
Filebeat
-
Add
auth.oauth2.google.jwt_json
option tohttpjson
input. 31750 - Add authentication fields to RabbitMQ module documents. 31159 31680
- Add template helper function for decoding hexadecimal strings. 31886
-
Add new
parser
calledinclude_message
to filter based on message contents. 31794 32094 - Extend list of mapped record types in o365 Audit module. 32217
- Add references for CRI-O configuration in input-container and in our Kubernetes manifests. 32149 32151
-
httpjson input: Add
replaceAll
helper function to template context. 32365 - Optimize grok patterns in system.auth module pipeline. 32360
- Checkpoint module: add authentication operation outcome enrichment. 32230 32431
- Add documentation for decode_xml_wineventlog processor field mappings. 32456
Metricbeat
Packetbeat