Beats version 8.14.0
editBeats version 8.14.0
editKnown Issues
editFilebeat
- Filestream input will resend files that have been inactive for 30min or more. Workaround: set clean_inactive
to a very high value, like 5 years: clean_inactive: 43800h0m0s
. 40178
Breaking changes
editFilebeat
- Removed deprecated ZScaler from Beats. Use the Zscaler Internet Access Elastic integration instead. 38037
- Removed deprecated Tomcat from Beats. Use the Apache Tomcat Elastic integration instead. 38037
- Removed deprecated Squid from Beats. See Migrate from a deprecated module for migration options. 38037
- Removed deprecated SonicWall from Beats. Use the SonicWall Firewall Elastic integration instead. 38037
- Removed deprecated Snort from Beats. Use the Snort Elastic integration instead. 38037
- Removed deprecated Radware from Beats. See Migrate from a deprecated module for migration options. 38037
- Removed deprecated Proofpoint from Beats. Use the Proofpoint TAP Elastic integration instead. 38037
- Removed deprecated Netscout from Beats. See Migrate from a deprecated module for migration options. 38037
- Removed deprecated Microsoft DHCP from Beats. Use the Microsoft DHCP Elastic integration instead. 38037
- Removed deprecated Juniper Junos from Beats. Use the Juniper SRX Elastic integration instead. 38037
- Removed deprecated Juniper Netscreen from Beats. See Migrate from a deprecated module for migration options. 38037
- Removed deprecated Infoblox from Beats. Use the Infoblox NIOS Elastic integration instead. 38037
- Removed deprecated Impreva from Beats. See Migrate from a deprecated module for migration options. 38037
- Removed deprecated Fortinet Client Endpoint from Beats. Use the Fortinet FortiClient Logs Elastic integration instead. 38037
- Removed deprecated Fortinet Fortimail from Beats. Use the Fortinet FortiMail Elastic integration instead. 38037
- Removed deprecated Fortinet Fortimanager from Beats. Use the Fortinet FortiManager Logs Elastic integration instead. 38037
- Removed deprecated F5 from Beats. Use the F5 BIG-IP Elastic integration instead. 38037
- Removed deprecated Cylance from Beats. See Migrate from a deprecated module for migration options. 38037
- Removed deprecated Cisco Meraki from Beats. Use the Cisco Meraki Elastic integration instead. 38037
- Removed deprecated Cisco Nexus from Beats. Use the Cisco Nexus Elastic integration instead. 38037
- Removed deprecated Bluecoat from Beats. See Migrate from a deprecated module for migration options. 38037
- Removed deprecated Barracuda from Beats. Use the Barracuda Web Application Firewall Elastic integration instead. 38037
- Removed deprecated Sophos UTM from Beats. Use the Sophos Elastic integration instead. 38037
- Introduce input/netmetrics and refactor netflow input metrics. 38055
- Update Salesforce module to use new Salesforce input. 37509
Heartbeat
- Fix monitor state loader to not wait extra seconds for the last attempt. 39621
Bugfixes
editAuditbeat - Set field types to correctly match ECS in sessionmd processor. 38955 38994 - Fix failing to enrich process events in sessionmd processor. 38955 39173 39243 - Fix seccomp policy of FIM kprobes backend on arm64. 39759
Filebeat
- Fix handling of endpoint for custom domains and ensure region, default_region, and region parsed from queue_url are applied in the order specified in the documentation for the awss3 input. 39709
- Prevent HTTPJSON holding response bodies between executions. 35219 38116
- Fix the incorrect values generated by the uri_parts processor. 38216
- Rename activity_guid
to activity_id
in ETW input events to suit other Windows inputs. 38530
- Add missing provider registration and fix published entity for Active Directory entityanalytics provider. 38645
- Fix handling of un-parsed JSON in O365 module. 37800 38709
- Fix filestream’s registry GC: registry entries are now removed from the in-memory and disk store when they’re older than the set TTL. 36761 38488
- Fix handling of truncated files in Filestream 38070 38416
- Fix panic when more than 32767 pipeline clients are active. 38197 38556
- Fix a bug in CloudWatch task allocation that could skip some logs. 38918 38953
- Prevent GCP Pub/Sub input blockage by increasing default value of max_outstanding_messages
. 35029 38985
- entity-analytics input: Improve structured logging. 38990
- Upgrade azure-event-hubs-go
and azure-storage-blob-go
dependencies. 38861
- Fix concurrency/error handling bugs in the AWS S3 input that could drop data and prevent ingestion of large buckets. 39131
- Fix EntraID query handling. 39419 39420
- Expand ID patterns in request trace logger for HTTP Endpoint. 39656
- Fix awscloudwarch input: set startTime to 0
for the first iteration of retrieving log events from CloudWatch. 40079
Heartbeat
- Redact synthexec cmd output. 39535
Metricbeat
-
RabbitMQ/queue - Change the mapping type of
rabbitmq.queue.consumers.utilisation.pct
toscaled_float
fromlong
because the values fall within the range of[0.0, 1.0]
. Previously, conversion to integer resulted in reporting either0
or1
. - Fix timeout caused by the retrival of which indices are hidden. 39165
Winlogbeat
Added
editAffecting all Beats
Auditbeat
-
Add
add_session_metadata
processor, which enables session viewer on Auditbeat data. 37640 -
Add procfs backend to the
add_session_metadata
processor. 38799 -
Add
process.entity_id
,process.group.name
andprocess.group.id
inadd_process_metadata
processor. Make FIM module with Kprobes backend to always add an appropriately configuredadd_process_metadata
processor to enrich file events. 38776
Filebeat
- Add Saved Object name field to Kibana audit logs. 38307
- Add Salesforce input. 37331
- Add logging for cache processor file reads and writes. 38052
- Support VPC endpoint for aws-s3 input SQS queue url. 38189
- Add support for complex event objects in the HTTP Endpoint input. 37910 38193
- Parse more fields from Elasticsearch slowlogs. 38295
- Update CEL mito extensions to v1.10.0 to add keys/values helper. 38504
- Add support for Active Directory an entity analytics provider. 37919
- Add AWS AWSHealth metricset. 38370
- Add debugging breadcrumb to logs when writing request trace log. 38636
- Add benchmark input and discard output. 37437
Libbeat
-
Add support for Linux capabilities in
add_process_metadata
. 38252
Metricbeat
Winlogbeat