Beats version 8.14.0

Known Issues

Filebeat - Filestream input will resend files that have been inactive for 30 minutes or more. Workaround: set clean_inactive to a very high value, such as 5 years: clean_inactive: 43800h0m0s. 40178

Breaking changes

Filebeat

Heartbeat

  • Fix monitor state loader to not wait extra seconds for the last attempt. 39621

Bugfixes

Auditbeat

  • Set field types to correctly match ECS in sessionmd processor. 38955 38994
  • Fix failing to enrich process events in sessionmd processor. 38955 39173 39243
  • Fix seccomp policy of FIM kprobes backend on arm64. 39759

Filebeat

  • Fix handling of endpoint for custom domains and ensure region, default_region, and region parsed from queue_url are applied in the order specified in the documentation for the awss3 input. 39709
  • Prevent HTTPJSON holding response bodies between executions. 35219 38116
  • Fix the incorrect values generated by the uri_parts processor. 38216
  • Rename activity_guid to activity_id in ETW input events to suit other Windows inputs. 38530
  • Add missing provider registration and fix published entity for Active Directory entityanalytics provider. 38645
  • Fix handling of un-parsed JSON in O365 module. 37800 38709
  • Fix filestream’s registry GC: registry entries are now removed from the in-memory and disk store when they’re older than the set TTL. 36761 38488
  • Fix handling of truncated files in Filestream. 38070 38416
  • Fix panic when more than 32767 pipeline clients are active. 38197 38556
  • Fix a bug in CloudWatch task allocation that could skip some logs. 38918 38953
  • Prevent GCP Pub/Sub input blockage by increasing default value of max_outstanding_messages. 35029 38985
  • entity-analytics input: Improve structured logging. 38990
  • Upgrade azure-event-hubs-go and azure-storage-blob-go dependencies. 38861
  • Fix concurrency/error handling bugs in the AWS S3 input that could drop data and prevent ingestion of large buckets. 39131
  • Fix EntraID query handling. 39419 39420
  • Expand ID patterns in request trace logger for HTTP Endpoint. 39656
  • Fix awscloudwatch input: set startTime to 0 for the first iteration of retrieving log events from CloudWatch. 40079

Heartbeat

  • Redact synthexec cmd output. 39535

Metricbeat

  • RabbitMQ/queue - Change the mapping type of rabbitmq.queue.consumers.utilisation.pct to scaled_float from long because the values fall within the range of [0.0, 1.0]. Previously, conversion to integer resulted in reporting either 0 or 1.
  • Fix timeout caused by the retrieval of which indices are hidden. 39165

Winlogbeat

  • Fix error handling in perfmon metrics. 38140 39404

Added

Affecting all Beats

  • Update Go version to 1.21.10. 39467
  • Enable early event encoding in the Elasticsearch output, improving CPU and memory use. 38572

Auditbeat

  • Add add_session_metadata processor, which enables session viewer on Auditbeat data. 37640
  • Add procfs backend to the add_session_metadata processor. 38799
  • Add process.entity_id, process.group.name and process.group.id in add_process_metadata processor. Make the FIM module with the Kprobes backend always add an appropriately configured add_process_metadata processor to enrich file events. 38776

Filebeat

  • Add Saved Object name field to Kibana audit logs. 38307
  • Add Salesforce input. 37331
  • Add logging for cache processor file reads and writes. 38052
  • Support VPC endpoint for aws-s3 input SQS queue url. 38189
  • Add support for complex event objects in the HTTP Endpoint input. 37910 38193
  • Parse more fields from Elasticsearch slowlogs. 38295
  • Update CEL mito extensions to v1.10.0 to add keys/values helper. 38504
  • Add support for Active Directory as an entity analytics provider. 37919
  • Add AWS AWSHealth metricset. 38370
  • Add debugging breadcrumb to logs when writing request trace log. 38636
  • Add benchmark input and discard output. 37437

Libbeat

  • Add support for Linux capabilities in add_process_metadata. 38252

Metricbeat

  • Add support for shards_stats.total_count in Elasticsearch Monitoring data. 38891
  • Add SSL support to MySQL module. 37997
  • Add SSL support for Aerospike module. 38126

Winlogbeat

  • Use fixed size buffer at first pass for event parsing, improving throughput. 39530 39544

Deprecated

Filebeat

  • Deprecate syslog input in favor of syslog processor. 37555 38277
  • Deprecate o365audit input in favor of CEL input. 37719 38922