CHANGELOG.next.asciidoc

Beats version HEAD

Check the HEAD diff

Breaking changes

Affecting all Beats

• Update Go version to 1.22.5. 40082

• Fix FQDN being lowercased when used as host.hostname 39993

• Beats won’t log start up information when running under the Elastic Agent {40390}40390[40390]

Auditbeat

Filebeat

• Convert netflow input to API v2 and disable event normalisation 37901

• Removed deprecated Squid from Beats. See [migrate-from-deprecated-module] for migration options. 38037

• Removed deprecated Sonicwall from Beats. Use the SonicWall Firewall Elastic integration instead. 38037

• Removed deprecated Radware from Beats. See [migrate-from-deprecated-module] for migration options. 38037

• Removed deprecated Netscout from Beats. See [migrate-from-deprecated-module] for migration options. 38037

• Removed deprecated Juniper Netscreen from Beats. See [migrate-from-deprecated-module] for migration options. 38037

• Removed deprecated Impreva from Beats. See [migrate-from-deprecated-module] for migration options. 38037

• Removed deprecated Cylance from Beats. See [migrate-from-deprecated-module] for migration options. 38037

• Removed deprecated Bluecoat from Beats. See [migrate-from-deprecated-module] for migration options. 38037

• Introduce input/netmetrics and refactor netflow input metrics 38055

• Update Salesforce module to use new Salesforce input. 37509

• Tag events that come from a filestream in "take over" mode. 39828

• Fix high IO and handling of a corrupted registry log file. 35893

• Enable file ingestion to report detailed status to Elastic Agent 40075

• Filebeat, when running with Elastic-Agent, reports status for Filestream input. 40121

• Implement Elastic Agent status and health reporting for Winlog Filebeat input. 40163

• Fix filestream’s registry GC: registry entries will never be removed if clean_inactive is set to "-1". 40258

• Added ignore_empty_values flag in decode_cef Filebeat processor. 40268

Heartbeat

Metricbeat

• Setting period for counter cache for Prometheus remote_write at least to 60sec 38553

• Add support of Graphite series 1.1.0+ tagging extension for statsd module. 39619

• Allow metricsets to report their status via control v2 protocol. 40025

• Remove fallback to the node limit for the kubernetes.pod.cpu.usage.limit.pct and kubernetes.pod.memory.usage.limit.pct metrics calculation

• Add support for Kibana status metricset in v8 format 40275

Osquerybeat

• Add action responses data stream, allowing osquerybeat to post action results directly to elasticsearch. 39143

• Disable allow_unsafe osquery configuration. 40130

• Upgrade to osquery 5.12.1. 40368

Osquerybeat

Packetbeat

Winlogbeat

• Add "event.category" and "event.type" to Sysmon module for EventIDs 8, 9, 19, 20, 27, 28, 255 35193

Functionbeat

Elastic Logging Plugin

Bugfixes

Affecting all Beats

• Support for multiline zookeeper logs 2496

• Add checks to ensure reloading of units if the configuration actually changed. 34346

• Fix namespacing on self-monitoring 32336

• Fix namespacing on self-monitoring 32336

• Fix Beats started by agent do not respect the allow_older_versions: true configuration flag 34227 34964

• Fix performance issues when we have a lot of inputs starting and stopping by allowing to disable global processors under fleet. 35000 35031

• 'add_cloud_metadata' processor - add cloud.region field for GCE cloud provider

• 'add_cloud_metadata' processor - update azure metadata api version to get missing cloud.account.id field

• Upgraded apache arrow library used in x-pack/libbeat/reader/parquet from v11 to v12.0.1 in order to fix cross-compilation issues 35640

• Fix panic when MaxRetryInterval is specified, but RetryInterval is not 35820

• Support build of projects outside of beats directory 36126

• Support Elastic Agent control protocol chunking support 37343

• Lower logging level to debug when attempting to configure beats with unknown fields from autodiscovered events/environments 37816[37816]

• Set timeout of 1 minute for FQDN requests 37756

• Fix the paths in the .cmd script added to the path by the Windows MSI to point to the new C:\Program Files installation location. elastic/elastic-stack-installers#238

• Change cache processor documentation from write_period to write_interval. 38561

• Fix cache processor expiries heap cleanup on partial file writes. 38561

• Fix cache processor expiries infinite growth when large a large TTL is used and recurring keys are cached. 38561

• Fix parsing of RFC 3164 process IDs in syslog processor. 38947 38982

• Rename the field "apache2.module.error" to "apache.module.error" in Apache error visualization. 39480 39481

• Validate config of the replace processor 40047

• Fix handling of escaped brackets in syslog structured data. 40445 40446

Auditbeat

Filebeat

• [Gcs Input] - Added missing locks for safe concurrency 34914

• Fix the ignore_inactive option being ignored in Filebeat’s filestream input 34770

• Fix TestMultiEventForEOFRetryHandlerInput unit test of CometD input 34903

• Add input instance id to request trace filename for httpjson and cel inputs 35024

• Fixes "Can only start an input when all related states are finished" error when running under Elastic-Agent 35250 33653

• [system] sync system/auth dataset with system integration 1.29.0. 35581

• [GCS Input] - Fixed an issue where bucket_timeout was being applied to the entire bucket poll interval and not individual bucket object read operations. Fixed a map write concurrency issue arising from data races when using a high number of workers. Fixed the flaky tests that were present in the GCS test suit. 35605

• Fixed concurrency and flakey tests issue in azure blob storage input. 35983 36124

• Fix panic when sqs input metrics getter is invoked 36101 36077

• Fix handling of Juniper SRX structured data when there is no leading junos element. 36270 36308

• Fix Filebeat Cisco module with missing escape character 36325 36326

• Added a fix for Crowdstrike pipeline handling process arrays 36496

• [threatintel] MISP pagination fixes 37898

• Fix file handle leak when handling errors in filestream 37973

• Fix a race condition that could crash Filebeat with a "negative WaitGroup counter" error 38094

• Fix "failed processing S3 event for object key" error on aws-s3 input when key contains the "+" character 38012 38125

• Fix filebeat gcs input panic 38407

• Fix filestream’s registry GC: registry entries are now removed from the in-memory and disk store when they’re older than the set TTL 36761 38488

• Fix filestream’s registry GC: registry entries are now removed from the in-memory and disk store when they’re older than the set TTL 36761 38488

• [threatintel] MISP splitting fix for empty responses 38739 38917

• Prevent GCP Pub/Sub input blockage by increasing default value of max_outstanding_messages 35029 38985

• Updated Websocket input title to align with existing inputs 39006

• Restore netflow input on Windows 39024

• Upgrade azure-event-hubs-go and azure-storage-blob-go dependencies. 38861

• Fix concurrency/error handling bugs in the AWS S3 input that could drop data and prevent ingestion of large buckets. 39131

• Fix EntraID query handling. 39419 39420

• Fix request trace filename handling in http_endpoint input. 39410

• Fix filestream not correctly tracking the offset of a file when using the include_message parser. 39873 39653

• Upgrade github.com/hashicorp/go-retryablehttp to mitigate CVE-2024-6104 40036

• Fix for Google Workspace duplicate events issue by adding canonical sorting over fingerprint keys array to maintain key order. 40055 39859

• Fix handling of deeply nested numeric values in HTTP Endpoint CEL programs. 40115

• Prevent panic in CEL and salesforce inputs when github.com/hashicorp/go-retryablehttp exceeds maximum retries. 40144

• Fix bug in CEL input rate limit logic. 40106 40270

• Relax requirements in Okta entity analytics provider user and device profile data shape. 40359

• Fix bug in Okta entity analytics rate limit logic. 40106 40267

Heartbeat

Metricbeat

• Fix Azure Monitor 429 error by causing metricbeat to retry the request again. 38294

• Fix fields not being parsed correctly in postgresql/database 25301 37720

• rabbitmq/queue - Change the mapping type of rabbitmq.queue.consumers.utilisation.pct to scaled_float from long because the values fall within the range of [0.0, 1.0]. Previously, conversion to integer resulted in reporting either 0 or 1.

• Fix timeout caused by the retrival of which indices are hidden 39165

• Fix Azure Monitor support for multiple aggregation types 39192 39204

• Fix handling of access errors when reading process metrics 39627

• Fix behavior of cgroups path discovery when monitoring the host system from within a container 39627

• Fix issue where beats may report incorrect metrics for its own process when running inside a container 39627

• Fix for MySQL/Performance - Query failure for MySQL versions below v8.0.1, for performance metric quantile_95. 38710

• Fix Prometheus helper text parser to store each metric family type. 39743

• Normalize AWS RDS CPU Utilization values before making the metadata API call. 39664

• Fix behavior of pagetypeinfo metrics 39985

• Fix query logic for temp and non-temp tablespaces in Oracle module. 38051 39787

• Set GCP metrics config period to the default (60s) when the value is below the minimum allowed period. 30434 40020

• Fix statistic methods for metrics collected for SQS. 40207

• Add GCP 'instance_id' resource label in ECS cloud fields. 40033 40062

• Fix missing metrics from CloudWatch when include_linked_accounts set to false. 40071 40135

• Update beat module with apm-server monitoring metrics fields 40127

• Fix Azure Monitor metric timespan to restore Storage Account PT1H metrics 40376 40367

Osquerybeat

Packetbeat

Winlogbeat

Elastic Logging Plugin

Added

Affecting all Beats

• Added append Processor which will append concrete values or values from a field to target. 29934 33364

• dns processor: Add support for forward lookups (A, AAAA, and TXT). 11416 36394

• [Enhanncement for host.ip and host.mac] Disabling netinfo.enabled option of add-host-metadata processor 36506

• allow queue configuration settings to be set under the output. 35615 36788

• Beats will now connect to older Elasticsearch instances by default 36884

• Raise up logging level to warning when attempting to configure beats with unknown fields from autodiscovered events/environments

• elasticsearch output now supports idle_connection_timeout. 35615 36843

• Enable early event encoding in the Elasticsearch output, improving cpu and memory use 38572

• The environment variable BEATS_ADD_CLOUD_METADATA_PROVIDERS overrides configured/default add_cloud_metadata providers 38669

Auditbeat

• Added add_session_metadata processor, which enables session viewer on Auditbeat data. 37640

• Add linux capabilities to processes in the system/process. 37453

• Add linux capabilities to processes in the system/process. 37453

• Add process.entity_id, process.group.name and process.group.id in add_process_metadata processor. Make fim module with kprobes backend to always add an appropriately configured add_process_metadata processor to enrich file events 38776

Auditbeat

Auditbeat

Filebeat

• add documentation for decode_xml_wineventlog processor field mappings. 32456

• httpjson input: Add request tracing logger. 32402 32412

• Add cloudflare R2 to provider list in AWS S3 input. 32620

• Add support for single string containing multiple relation-types in getRFC5988Link. 32811

• Added separation of transform context object inside httpjson. Introduced new clause .parent_last_response.* 33499

• Added metric sqs_messages_waiting_gauge for aws-s3 input. 34488

• Add nginx.ingress_controller.upstream.ip to related.ip 34645 34672

• Add unix socket log parsing for nginx ingress_controller 34732

• Added metric sqs_worker_utilization for aws-s3 input. 34793

• Add MySQL authentication message parsing and related.ip and related.user fields 34810

• Add nginx ingress_controller parsing if one of upstreams fails to return response 34787

• Add oracle authentication messages parsing 35127

• Add clean_session configuration setting for MQTT input. 16204

• Add support for a simplified input configuraton when running under Elastic-Agent 36390

• Added support for Okta OAuth2 provider in the CEL input. 36336 36521

• Added support for new features & removed partial save mechanism in the Azure Blob Storage input. 35126 36690

• Added support for new features and removed partial save mechanism in the GCS input. 35847 36713

• Use filestream input with file_identity.fingerprint as default for hints autodiscover. 35984 36950

• Add setup option --force-enable-module-filesets, that will act as if all filesets have been enabled in a module during setup. 30915 99999

• Made Azure Blob Storage input GA and updated docs accordingly. 37128

• Made GCS input GA and updated docs accordingly. 37127

• Add parseDateInTZ value template for the HTTPJSON input 37738

• Improve rate limit handling by HTTPJSON 36207 38161 38237

• Parse more fields from Elasticsearch slowlogs 38295

• added benchmark input 37437

• added benchmark input and discard output 37437

• Ensure all responses sent by HTTP Endpoint are HTML-escaped. 39329

• Update CEL mito extensions to v1.11.0 to improve type checking. 39460

• Improve logging of request and response with request trace logging in error conditions. 39455

• Implement Elastic Agent status and health reporting for CEL Filebeat input. 39209

• Add HTTP metrics to CEL input. 39501 39503

• Add default user-agent to CEL HTTP requests. 39502 39587

• Improve reindexing support in security module pipelines. 38224 39588

• Make HTTP Endpoint input GA. 38979 39410

• Update CEL mito extensions to v1.12.2. 39755

• Add support for base64-encoded HMAC headers to HTTP Endpoint. 39655

• Add user group membership support to Okta entity analytics provider. 39814 39815

• Add request trace support for Okta and EntraID entity analytics providers. 39821

• Fix handling of infinite rate values in CEL rate limit handling logic. 39940

• Allow elision of set and append failure logging. 34544 39929

• Add ability to remove request trace logs from CEL input. 39969

• Add ability to remove request trace logs from HTTPJSON input. 40003

• Update CEL mito extensions to v1.13.0. 40035

• Add Jamf entity analytics provider. 39996

• Add ability to remove request trace logs from http_endpoint input. 40005

• Add ability to remove request trace logs from entityanalytics input. 40004

• Relax constraint on Base DN in entity analytics Active Directory provider. 40054

• Implement Elastic Agent status and health reporting for Netflow Filebeat input. 40080

• Enhance input state reporting for CEL evaluations that return a single error object in events. 40083

• Allow absent credentials when using GCS with Application Default Credentials. 39977 40072

• Add SSL and username support for Redis input, now the input includes support for Redis 6.0+. 40111

• Add scaling up support for Netflow input. 37761 40122

• Update CEL mito extensions to v1.15.0. 40294

• Allow cross-region bucket configuration in s3 input. 22161 40309

• Improve logging in Okta Entity Analytics provider. 40106 40347

Auditbeat

Libbeat

Heartbeat

• Added status to monitor run log report.

• Upgrade node to latest LTS v18.20.3. 40038

• Add journey duration to synthetics browser events. 40230

Metricbeat

• Add per-thread metrics to system_summary 33614

• Add GCP CloudSQL metadata 33066

• Add GCP Carbon Footprint metricbeat data 34820

• Add event loop utilization metric to Kibana module 35020

• Add metrics grouping by dimensions and time to Azure app insights 36634

• Align on the algorithm used to transform Prometheus histograms into Elasticsearch histograms 36647

• Add linux IO metrics to system/process 37213

• Add new memory/cgroup metrics to Kibana module 37232

• Add SSL support to mysql module 37997

• Add SSL support for aerospike module 38126

Metricbeat

Osquerybeat

Packetbeat

Winlogbeat

Functionbeat

Elastic Log Driver Elastic Logging Plugin

Deprecated

Auditbeat

Filebeat

Heartbeat

Metricbeat

Osquerybeat

Packetbeat

Winlogbeat

Functionbeat

Elastic Logging Plugin

Known Issues