Beats version 8.15.0

Known issues

Filebeat

  • The Azure EventHub input in Filebeat is not found when running on Windows. Please refrain from upgrading to 8.15. See 40608 for details.
  • Memory usage is not correctly limited by the number of events actively in the memory queue, but rather the maximum size of the memory queue regardless of usage. 41355
  • The AWS S3 input polling mode is not working when the S3 bucket is not in the us-east-1 default region. This also impacts all AWS integrations and any custom AWS log integration which uses the aws-s3 input polling mode. When using Filebeat, please add a default_region configuration with the region of the S3 bucket. For example:

    filebeat.inputs:
    - type: aws-s3
      enabled: true
      credential_profile_name: elastic-observability
      default_region: us-east-2
      number_of_workers: 5
      bucket_arn: 'arn:aws:s3:::test1'

Metricbeat

  • Metrics can be lost when using Metricbeat due to the total fields limit of the Metricbeat index template. We recommend increasing the index.mapping.total_fields.limit setting of the Metricbeat index template to 12500 and performing a rollover of the Metricbeat data stream. If you’ve customized the name of the index associated with Metricbeat, apply the same change accordingly.

Breaking changes

Filebeat

  • Tag events that come from a filestream in "take over" mode. 39828
  • Fix filestream’s registry garbage collection: registry entries will never be removed if clean_inactive is set to "-1". 40258

Metricbeat

  • Remove fallback to the node limit for the kubernetes.pod.cpu.usage.limit.pct and kubernetes.pod.memory.usage.limit.pct metrics calculation.
  • Add support for Kibana status metricset in v8 format. 40275

Osquerybeat

  • Add action responses data stream, allowing Osquerybeat to post action results directly to Elasticsearch. 39143

Bugfixes

Affecting all Beats

  • Rename the field "apache2.module.error" to "apache.module.error" in Apache error visualization. 39480 39481
  • Validate config of the replace processor. 40047

Filebeat

  • Fix for Google Workspace duplicate events issue by adding canonical sorting over fingerprint keys array to maintain key order. 40055 39859
  • Prevent panic in CEL and salesforce inputs when github.com/hashicorp/go-retryablehttp exceeds maximum retries. 40144
  • Update CEL mito extensions to v1.13.1. 40307
  • Fix bug in CEL input rate limit logic. 40106 40270

Metricbeat

  • Set GCP metrics config period to the default (60s) when the value is below the minimum allowed period. 30434 40020
  • Fix statistic methods for metrics collected for SQS. 40207
  • Update beat module with apm-server monitoring metrics fields. 40127
  • Fix Azure Monitor metric timespan to restore Storage Account PT1H metrics. 40376 40367

Added

Affecting all Beats

  • Update Go version to 1.22.5. 40082
  • Introduce log message for unsupported annotations for hints-based autodiscover. 38213
  • Add persistent volume claim name to volume if available. 38839
  • Raw events are now logged to a different file; this prevents potentially sensitive information from leaking into log files. 38767
  • Websocket input: Added runtime URL modification support based on state and cursor values. 39858 39997

Auditbeat

  • Reduce data size for add_session_metadata processor by removing unneeded fields. 39500
  • Enrich process events with user and group names, with add_session_metadata processor. 39537

Filebeat

  • Ensure all responses sent by HTTP Endpoint are HTML-escaped. 39329
  • Improve logging of request and response with request trace logging in error conditions. 39455
  • Implement Elastic Agent status and health reporting for CEL Filebeat input. 39209
  • Add HTTP metrics to CEL input. 39501 39503
  • Add default user-agent to CEL HTTP requests. 39502 39587
  • Improve reindexing support in security module pipelines. 38224 39588
  • Make HTTP Endpoint input GA. 38979 39410
  • Add support for base64-encoded HMAC headers to HTTP Endpoint. 39655
  • Add user group membership support to Okta entity analytics provider. 39814 39815
  • Add request trace support for Okta and EntraID entity analytics providers. 39821
  • Allow elision of set and append failure logging. 34544 39929
  • Add ability to remove request trace logs from CEL input. 39969
  • Add ability to remove request trace logs from HTTPJSON input. 40003
  • Update CEL mito extensions version to v1.13.0. 40035
  • Add Jamf entity analytics provider. 39996
  • Add ability to remove request trace logs from http_endpoint input. 40005
  • Add ability to remove request trace logs from entityanalytics input. 40004
  • Relax constraint on Base DN in entity analytics Active Directory provider. 40054
  • Enhance input state reporting for CEL evaluations that return a single error object in events. 40083
  • Allow absent credentials when using GCS with Application Default Credentials. 39977 40072
  • Allow cross-region bucket configuration in S3 input. 22161 40309

Metricbeat

  • Support schema_name for MySQL performance metricset. 38363
  • Add last_terminated_timestamp metric in Kubernetes module. 39200 3802
  • Add pod.status.ready_time and pod.status.reason metrics in Kubernetes module. 39316
  • Add "Buffer cache hit ratio base" to calculate "Buffer cache hit ratio" for performance metrics. 40022
  • Add support of Graphite series 1.1.0+ tagging extension for statsd module. 39619