CHANGELOG.next.asciidoc

Beats version HEAD

Breaking changes

Affecting all Beats

Auditbeat

Filebeat

  • Fixed error spam from add_kubernetes_metadata processor when running on AKS. 33697

  • Metrics hosted by the HTTP monitoring endpoint for the aws-cloudwatch, aws-s3, cel, and lumberjack inputs are now available under /inputs/ instead of /dataset.

Heartbeat

Metricbeat

Packetbeat

Winlogbeat

Functionbeat

Bugfixes

Affecting all Beats

  • Fix namespacing for agent self-monitoring, CPU no longer reports as zero. 32336

  • Fix namespacing on self-monitoring 32336

  • Fix race condition when stopping runners 32433

  • Fix concurrent map writes when system/process code called from reporter code 32491

  • Fix Windows service install/uninstall when Win32_Service returns error, add logic to wait until the Windows Service is stopped before proceeding. 33322

  • Support for multiline zookeeper logs 2496

  • Allow clock_nanosleep in the default seccomp profiles for amd64 and 386. Newer versions of glibc (e.g. 2.31) require it. 33792

  • Disable lockfile when running under elastic-agent. 33988

Auditbeat

Filebeat

  • [httpjson] Improved error handling during pagination with chaining & split processor 34127

  • [Azure blob storage] Added support for more mime types & introduced offset tracking via cursor state. 33981

  • Fix EOF on single line not producing any event. 30436 33568

  • Fix handling of error in states in direct aws-s3 listing input 33513 33722

  • Fix httpjson input page number initialization and documentation. 33400

  • Add handling of AAA operations for Cisco ASA module. 32257 32789

  • Fix gc.log always shipped even if gc fileset is disabled 30995

  • Fix handling of empty array in httpjson input. 32001

  • Fix reporting of filebeat.events.active in log events such that the current value is always reported instead of the difference from the last value. 33597

  • Fix splitting array of strings/arrays in httpjson input 30345 33609

  • Fix Google workspace pagination and document ID generation. 33666

  • Fix PANW handling of messages with event.original already set. 33829 33830

  • Rename identity as identity_name when the value is a string in Azure Platform Logs. 33654

  • Fix 'requires pointer' error while getting cursor metadata. 33956

  • Fix input cancellation handling when HTTP client does not support contexts. 33962 33968

  • Update mito CEL extension library to v0.0.0-20221207004749-2f0f2875e464 33974

  • Fix CEL result deserialisation when evaluation fails. 33992 33996

  • Fix handling of non-200/non-429 status codes. 33999 34002

  • [azure-eventhub input] Switch the EPH run mode to non-blocking 34075

Heartbeat

  • Fix broken zip URL monitors. NOTE: Zip URL Monitors will be removed in version 8.7 and replaced with project monitors. 33723

  • Fix bug where states.duration_ms was incorrect type. 33563

  • Fix handling of long UDP messages in UDP input. 33836 33837

  • Fix browser monitor summary reporting as up when monitor is down. 33374 33819

Auditbeat

Filebeat

Auditbeat

Filebeat

Heartbeat

Metricbeat

  • Fix GCP storage field naming 32806

  • In module/windows/perfmon, changed the collection method of the second counter value required to create a displayable value 32305

  • Fix and improve AWS metric period calculation to avoid zero-length intervals 32724

  • Add missing cluster metadata to k8s module metricsets 32979 33032

  • Change max query size for GetMetricData API to 500 and add RecentlyActive for ListMetrics API call 33105

  • Add GCP CloudSQL region filter 32943

  • Fix logstash cgroup mappings 33131

  • Remove unused elasticsearch.node_stats.indices.bulk.avg_time.bytes mapping 33263

  • Fix kafka dashboard field names 33555

  • Add tags to events based on parsed identifier. 33472

  • Support Oracle-specific connection strings in SQL module 32089 32293

Packetbeat

  • Fix panic on memcache transaction with no request or response. 33852 33853

  • Fix termination logic. 33979

Winlogbeat

Functionbeat

  • Fix Kinesis events timestamp to use timestamp of the event record instead of when the record was processed 33593

Elastic Logging Plugin

Added

Affecting all Beats

  • Beats will now attempt to recover if a lockfile has not been removed 33169

  • Add http.pprof config options for enabling block and mutex profiling. 33572 33576

  • Added append Processor which will append concrete values or values from a field to target. 29934 33364

  • Add add_formatted_index processor that allows the resulting index for an event to be changed based on content from the event. 33800

  • deps: Updated to github.com/elastic/go-sysinfo v1.9.0. 33864

  • Fix panic due to close of already closed channel during shutdown 33971

Auditbeat

  • Add file parser processor to file_integrity module. 28802

  • Improve documentation for symlink handling behaviour in file integrity module. 33430

  • Ensure file integrity module watch paths are absolute. 33430

Filebeat

  • Add text/csv decoder to httpjson input 28564

  • Update aws-s3 input to connect to non AWS S3 buckets 28222 28234

  • Add support for '/var/log/pods/' path for add_kubernetes_metadata processor with resource_type: pod. 28868

  • Add documentation for add_kubernetes_metadata processors log_path matcher. 28868

  • Add support for parsers on journald input 29070

  • Add support in httpjson input for oAuth2ProviderDefault of password grant_type. 29087

  • threatintel module: Add new Recorded Future integration. 30030

  • Support SASL/SCRAM authentication in the Kafka input. 31167

  • checkpoint module: Add network.transport derived from IANA number. 31076

  • Add URL Encode template function for httpjson input. 30962

  • Add application/zip decoder to the httpjson input. 31282 31304

  • Default value of filebeat.registry.flush increased from 0s to 1s. CPU and disk I/O usage are reduced because the registry is not written to disk for each ingested log line. 30279

  • Cisco ASA/FTD: Add support for messages 434001 and 434003. 31533

  • Change threatintel module from beta to GA. 31693

  • Add template helper function for hashing strings. 31613 31630

  • Add extended okta.debug_context.debug_data handling. 31676

  • Add auth.oauth2.google.jwt_json option to httpjson input. 31750

  • Add authentication fields to RabbitMQ module documents. 31159 31680

  • Add template helper function for decoding hexadecimal strings. 31886

  • Add new parser called include_message to filter based on message contents. 31794 32094

  • Allow iptables module to parse ulogd v2 TOS field in logs. 32126

  • httpjson input: Add toJSON helper function to template context. 32472

  • Optimize grok patterns in system.auth module pipeline. 32360

  • Checkpoint module: add authentication operation outcome enrichment. 32230 32431

  • Add documentation for decode_xml_wineventlog processor field mappings. 32456

  • httpjson input: Add request tracing logger. 32402 32412

  • Add cloudflare R2 to provider list in AWS S3 input. 32620

  • Add support for single string containing multiple relation-types in getRFC5988Link. 32811

  • Fix handling of invalid UserIP and LocalIP values. 32896

  • Allow http_endpoint instances to share ports. 32578 33377

  • Improve httpjson documentation for split processor. 33473

  • Added separation of transform context object inside httpjson. Introduced new clause .parent_last_response.* 33499

  • Cloud Foundry input uses server-side filtering when retrieving logs. 33456

  • Add parse_aws_vpc_flow_log processor. 33656

  • Update aws.vpcflow dataset in AWS module to have a configurable log format and to produce ECS 8.x fields. 33699

  • Modified aws-s3 input to reduce mutex contention when multiple SQS messages are being processed concurrently. 33658

  • Disable "event normalization" processing for the aws-s3 input to reduce allocations. 33673

  • Add Common Expression Language input. 31233

  • Add support for http+unix and http+npipe schemes in httpjson input. 33571 33610

  • Add support for http+unix and http+npipe schemes in cel input. 33571 33712

  • Add decode_duration, move_fields processors. 31301

  • Add backup to bucket and delete functionality for the aws-s3 input. 30696 33559

  • Add metrics for UDP packet processing. 33870

  • Convert UDP input to v2 input. 33930

  • Improve collection of risk information from Okta debug data. 33677 34030

  • Adding filename details from zip to response for httpjson 33952 34044

  • Allow user configuration of keep-alive behaviour for HTTPJSON and CEL inputs. 33951 34014

  • Add support for polling system UDP stats for UDP input metrics. 34070

Auditbeat

Filebeat

Heartbeat

  • Add new states field for internal use by new synthetics app. 30632

  • Upgrade node to 18.12.0

Metricbeat

  • Add Data Granularity option to AWS module to allow for fewer API calls of longer periods and keep small intervals. 33133 33166

  • Update README file on how to run Metricbeat on Kubernetes. 33308

  • Add per-thread metrics to system_summary 33614

  • Add GCP CloudSQL metadata 33066

  • Remove GCP Compute metadata cache 33655

  • Add support for multiple regions in GCP 32964

  • Add GCP Redis regions support 33728

  • Add namespace metadata to all namespaced kubernetes resources. 33763

  • Changed cloudwatch module to call ListMetrics API only once per region, instead of per AWS namespace 34055

Packetbeat

Functionbeat

Winlogbeat

Elastic Log Driver

Deprecated

Affecting all Beats

Filebeat

Heartbeat

Metricbeat

Packetbeat

Winlogbeat

Functionbeat

Known Issue