A newer version is available. For the latest information, see the
current release documentation.
Beats version 7.16.0
editBeats version 7.16.0
editBreaking changes
editAffecting all Beats
-
Load index templates v2 (composable index templates) by default when talking to ES 7.16 or ES 8.x. Please note that you cannot load templates into Elasticsearch 7.8 or older with this default. To load templates to these ES version, set
setup.template.type
tolegacy
. 28538 -
Previously, RE2 and thus Golang had a bug where
(|a)*
matched more characters than(|a)+
. To stay consistent with PCRE, the bug was fixed. Configurations that rely on the old, buggy behaviour need to be adjusted. See more about the Golang bug: https://github.com/golang/go/issues/46123 27543 -
Remove Journalbeat. Use
journald
input of Filebeat instead. 29131
Heartbeat
- Change behavior in case of duplicate monitor IDs in configs to be last monitor wins. 29041
Metricbeat
Functionbeat
- Support for Google Cloud Functions has been removed, as it has been in Beta for a long time and broken for a few releases. Please use other tools provided by Elastic to fetch data from GCP (e.g. Filebeat).
Bugfixes
editAffecting all Beats
- Fix discovery of Nomad allocations with multiple events during startup. 28700
- Fix the wrong beat name on monitoring and state endpoint. 27755
- Skip configuration checks in autodiscover for configurations that are already running. 29048
-
Fix
decode_json_processor
to always respectadd_error_key
. 29107 -
Fix
add_labels
flattening of array values. 29211 -
Skip
add_kubernetes_metadata
processor when Kubernetes metadata are already present 27689
Auditbeat
Filebeat
- Update indentation for Azure Filebeat configuration. 26604
- Tolerate faults when Windows Event Log session is interrupted. 27947 28191
- Add support for username in Cisco ASA security negotiation logs. 26975
- Relax time parsing and capture group and session type in Cisco ASA module. 24710 28325
-
Correctly track bytes read when
max_bytes
is exceeded. 28317 28352 - Fix parsing of apache log levels including numbers. 28717
-
Upgrade
azure-eventhub
SDK reference, contains potential checkpoint fixes. 28919 - Revert usageDetails api version to 2019-01-01. 28995
-
Fix in
aws-s3
input regarding provider discovery through endpoint. 28963 -
Fix
threatintel.misp
filters configuration. 27970 - Fix opening files on Windows in filestream so open files can be deleted. 29113 29180
-
Fix
panw
module ingest errors for GLOBALPROTECT logs 29154
Heartbeat
-
Fix broken seccomp filtering and improve security via
setcap
andsetuid
when running as root on Linux in containers. 27878 -
Log browser
zip_url
download failures aswarn
instead of asinfo
. 28440 - Properly locate base stream in Fleet configs. 28455
- Stop logging params values. 28774
-
Remove accidentally included
cups
library in Docker images. 28853 -
Fix broken monitors with newer versions of image relying on
dup3
. 28938
Metricbeat
Winlogbeat
Added
editAffecting all Beats
-
Allow non-padded base64 data to be decoded by
decode_base64_field
. 27311, 27021 - The Kafka support library Sarama has been updated to 1.29.1. 27717
- Kafka is now supported up to version 2.8.0. 27720
-
Add Huawei Cloud provider to
add_cloud_metadata
. 27607 - Add default seccomp policy for linux arm64. 27955
-
Add cluster level
add_kubernetes_metadata
support for centralized enrichment. 24621 - Update cloud.google.com/go library. 28229
- Add additional metadata to the root HTTP endpoint. 28265
- Upgrade k8s.io/client-go library. 28228
- Update ECS to 1.12.0. 27770
-
Fields mapped as
match_only_text
will automatically fallback to atext
mapping when using Elasticsearch versions that do not supportmatch_only_text
. 27770 - Do not load ML jobs to Elasticsearch 8.x from new Beats 7.x releases. 27771
- Update kubernetes scheduler and controllermanager endpoints in elastic-agent-standalone-kubernetes.yaml with secure ports. 28675
- Add default seccomp policy for Linux arm64. 27955
-
Add
http.pprof.enabled
option to libbeat to allow http/pprof endpoints on the socket that libbeat creates for metrics. 21965 -
Enable IMDSv2 support for
add_cloud_metadata
processor on AWS. 22101 28285
Filebeat
-
Add
timezone
config option to thedecode_cef
processor. 27232 27727 -
Add
timezone
config option to thesyslog
input. 27727 -
Add support for parsing syslog dates containing a leading 0 (e.g.
Sep 01
) rather than a space. 27775 -
Add base64 Encode functionality to
httpjson
input. 27681 -
Add
join
andsprintf
functions tohttpjson
input. 27735 -
Improve memory usage of line reader of
log
andfilestream
input. 27782 -
Add
ignore_empty_value
flag tohttpjson
split
processor. 27880 - Add support for passing a prefix on S3 bucket list mode for AWS-S3 input. 28252 27965
- Update Cisco ASA/FTD ingest pipeline grok/dissect patterns for multiple message IDs. 26869 26879
-
Add write access to
url.value
fromrequest.transforms
inhttpjson
input. 27937 -
Add Base64 encoded HMAC and UUID template functions to
httpjson
input 27873 - Release checkpoint module as GA. 27814
- Make aws-cloudwatch input GA. 28161
- Move processing to ingest node for AWS vpcflow fileset. 28168
- Release zoom module as GA. 28106
- Add support for secondary object attribute handling in ThreatIntel MISP module. 28124
- Azure signinlogs - Add support for ManagedIdentitySignInLogs, NonInteractiveUserSignInLogs, and ServicePrincipalSignInLogs. 23653
-
Add
base64Decode
andbase64DecodeNoPad
functions tohttpsjon
templates. 28385 -
Add
early_limit
config option for rate-limitinghttpjson
. Default rate-limiting for Okta will start when remaining is1
. 28513 -
Add latency config option for
aws-cloudwatch
input. 28509 -
Add proxy support to
threatintel/malwarebazaar
. 28533 - Sophos UTM: Support logs containing hostname in Syslog header. 28638
- Move Oracle Filebeat module to GA. 28754
-
Add support in
aws-s3
input for S3 notification from SNS to SQS. 28800 -
Add support in
aws-s3
input for custom script parsing of S3 notifications. 28946 -
Improve error handling in
aws-s3
input for malformed S3 notifications. 28828 28946 -
filestream
andlog
inputs accept null (\u0000
) as line terminator. 28998
Heartbeat
Metricbeat
-
Enable
journald
input type in Filebeat. 7955 27351 -
Add a new beta
enterprisesearch
module for Elastic Enterprise Search. 27549 -
Register additional name for
storage
metricset in the azure module. 28447 - Update reference to gosigar pacakge for filesystem windows fix. 28909
-
Override
Host()
on statsd MetricSet. 29103 - Add Linux pressure metricset. 27355
- Add User-Agent header to HTTP requests. 18160 27509
Functionbeat
- Add support for AWS Kinesis record deaggregation. 28241
Winlogbeat
- Add support for event language selection from config file. 19818