Brewing in Beats: Running Auditbeat side-by-side with auditd
Welcome to Brewing in Beats! With this weekly series, we're keeping you up to date with what's new in Beats, including the latest commits and releases.
Last week, we released the second beta release of the Elastic Stack 6.0. Read more details in the blog post about what’s new in the Beats 6.0.0-beta2 release.
Auditbeat: run side-by-side with auditd
Starting with Linux kernel 3.16, it is possible to receive the kernel audit log over a multicast netlink socket. A multicast socket allows multiple recipients, which is great because Auditbeat and the auditd daemon can now run on the same server. We added multicast support to go-libaudit and Auditbeat, and the feature will ship in 6.0.0-rc1. It is enabled by default if the kernel is newer than 3.16.
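To make the difference concrete, here is an added example (not Auditbeat's or go-libaudit's own code) that joins the kernel's read-only audit multicast group using only Go's standard syscall package and prints each record as it arrives. The constant auditNLGrpReadLog and the helper names are mine; it assumes Linux and a process holding CAP_AUDIT_READ.

```go
package main

import (
	"fmt"
	"log"
	"strings"
	"syscall"
)

// AUDIT_NLGRP_READLOG (linux/audit.h): the read-only audit multicast group added in
// kernel 3.16. Readers need CAP_AUDIT_READ; as a Groups bitmask, group 1 is bit 0 (1).
const auditNLGrpReadLog = 1

// KernelSupportsAuditMulticast reports whether a release string such as
// "4.15.0-112-generic" (from /proc/sys/kernel/osrelease) is 3.16 or newer.
func KernelSupportsAuditMulticast(release string) bool {
	var major, minor int
	if n, err := fmt.Sscanf(release, "%d.%d", &major, &minor); err != nil || n != 2 {
		return false
	}
	return major > 3 || (major == 3 && minor >= 16)
}

// openAuditMulticast subscribes to the group. Unlike the single unicast NETLINK_AUDIT
// connection auditd owns, any number of readers may join, so Auditbeat can run beside it.
func openAuditMulticast() (int, error) {
	fd, err := syscall.Socket(syscall.AF_NETLINK, syscall.SOCK_RAW, syscall.NETLINK_AUDIT)
	if err != nil {
		return -1, err
	}
	if err := syscall.Bind(fd, &syscall.SockaddrNetlink{Family: syscall.AF_NETLINK, Groups: auditNLGrpReadLog}); err != nil {
		syscall.Close(fd)
		return -1, err
	}
	return fd, nil
}

func main() {
	fd, err := openAuditMulticast()
	if err != nil {
		log.Fatalln("cannot join audit multicast group:", err)
	}
	buf := make([]byte, 64*1024)
	for n, _, err := syscall.Recvfrom(fd, buf, 0); err == nil; n, _, err = syscall.Recvfrom(fd, buf, 0) {
		// One netlink message per audit record: Header.Type is the record type
		// (1300 = SYSCALL) and Data is the key=value text auditd would write to audit.log.
		msgs, _ := syscall.ParseNetlinkMessage(buf[:n])
		for _, m := range msgs {
			fmt.Printf("type=%d %s\n", m.Header.Type, strings.TrimRight(string(m.Data), "\x00"))
		}
	}
}
```

Run it as root (or with CAP_AUDIT_READ) while auditd is also running, and both will see the same records.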
Lower number of shards in default configurations
A while ago we added the ability to change the number of shards and other Elasticsearch index template settings directly from the Beats configuration files. At that time we also changed the number of shards to 1 in the default Metricbeat configuration file, but didn’t change the other Beats. We have now made the changes so that the Beats that create events have a default of 3 shards, and the Beats that create metrics have a default of 1. This should result in fewer shards being created for a typical installation of a few Beats with the default config.
The new configuration files will be present in 6.0.0-rc1.
Fix: Keep Docker and Kubernetes pod annotations longer
In some cases pod annotations are still needed after the container or pod is deleted, for instance when Filebeat is still reading the log left behind by the container.
This change makes sure we keep the metadata after a pod is gone: by storing access times, we ensure the metadata stays available for as long as it is being used.
Other changes
Repository: elastic/beats
Affecting all Beats
Changes in master:
- Reorder processors in publisher pipeline #5149
- Add specialized buffers to memqueue #5148
- Fix fields.yml lookup when using export template with a custom config path #5091
Changes in 6.0:
- Fix fields.yml lookup when using export template with a custom config path #5091
Metricbeat
Changes in master:
- MB mongodb module: connect on fetch, not on init #5120
- Fix kubernetes events module to be able to index time fields properly #5105
Changes in 6.0:
- MB mongodb module: connect on fetch, not on init #5120
- Fix kubernetes events module to be able to index time fields properly #5105
Packetbeat
Changes in master:
- Should use strings.Contains(string(cmdline), process) instead #5102
Filebeat
Changes in master:
- Add flush timeout setting to filebeat registrar #5146
- Remove runner creation from every reload check #5141
- Check modules and prospectors settings when reload is off #5053
Changes in 6.0:
- Remove runner creation from every reload check #5141
- Check modules and prospectors settings when reload is off #5053
Testing
Changes in 5.5:
- Update testing env to 5.5.3 #5111
Documentation
Changes in master:
- Remove alias from perfmon docs #5130
- Fix doc build on migrating dashboards #5126
- [Docs] Fix incorrect ES output config example #5118
- [Docs] Clarify run command syntax #5117
- Add upgrading guide docs #5068
- [Docs] Document how to use modules.d directory #4973
- [Docs] Add option to log messages in JSON #4931
- Doc about how to migrate 5.x dashboards to 6.x #4929
- Add missing link texts to fields references #4919
Changes in 5.5:
- Bump docs version for 5.5.3 #5112