Beats release notes

Beats version 9.0.0-rc1

Coming in 9.0.0-rc1.

Beats version 9.0.0-beta1

Breaking changes

Affecting all Beats

  • Set default Kafka version to 2.1.0 in Kafka output and Filebeat. 41662
  • Replace default Ubuntu-based images with UBI-minimal-based ones. 42150
  • Removed support for a single - to precede multi-letter command line arguments. Use -- instead. 42117 42209

Filebeat

  • Filebeat fails to start if there is any input with a duplicated ID. It logs the duplicated IDs and the offending input configurations. 41731
  • Filestream inputs with duplicated IDs will fail to start. An error is logged showing the ID and the full input configuration. 41938 41954
  • Filestream inputs can define allow_deprecated_id_duplication: true to keep the previous behaviour of running inputs with duplicated IDs. 41938 41954
  • The Filestream input only starts to ingest a file when it is >= 1024 bytes in size. This happens because the fingerprint is the default file identity now. To restore the previous behaviour, set file_identity.native: ~ and prospector.scanner.fingerprint.enabled: false. 40197 41762
  • Filebeat fails to start when its configuration contains usage of the deprecated log or container inputs. However, they can still be used when allow_deprecated_use: true is set in their configuration. 42295

Osquerybeat

  • Upgrade osquery version to 5.13.1. 40849

Packetbeat

  • Use base-16 for reporting serial_number value in TLS fields in line with the ECS recommendation. 41542

Winlogbeat

  • Default to use raw API and delete older XML implementation. 42275

Bug fixes

Auditbeat

  • hasher: Add a cached hasher for upcoming backend. 41952
  • Split common tty definitions. 42004

Filebeat

  • Redact authorization headers in HTTPJSON debug logs. 41920
  • Further rate limiting fix in the Okta provider of the Entity Analytics input. 40106 41977
  • The _id generation process for S3 events has been updated to incorporate the LastModified field. This enhancement ensures that the _id is unique. 42078
  • Fix truncation of bodies in request tracing by limiting bodies to 10% of the maximum file size. 42327
  • [Journald] Fixes handling of journalctl restart. A known symptom was broken multiline messages when there was a restart of journalctl while aggregating the lines. 41331 42595

Metricbeat

  • Fix bug where Metricbeat unintentionally triggers Windows ASR. 42177
  • Remove hostname field from ZooKeeper’s mntr data stream. 41887

Packetbeat

  • Properly marshal nested structs in ECS fields, fixing issues with mixed cases in field names. 42116

Added

Auditbeat

  • Improve logging in system/socket. 41571

Filebeat

  • Added out of the box support for Amazon EventBridge notifications over SQS to S3 input. 40006
  • Update CEL mito extensions to v1.16.0. 41727
  • Filebeat’s registry is now added to the Elastic-Agent diagnostics bundle. 33238 41795
  • Add unifiedlogs input for macOS. 41791
  • Add evaluation state dump debugging option to CEL input. 41335
  • Rate limiting operability improvements in the Okta provider of the Entity Analytics input. 40106 41977
  • Rate limiting fault tolerance improvements in the Okta provider of the Entity Analytics input. 40106 42094
  • Introduce ignore older and start timestamp filters for AWS S3 input. 41804
  • Journald input now can report its status to Elastic-Agent. 39791 42462
  • Publish events progressively in the Okta provider of the Entity Analytics input. 40106 42567
  • Journald include_matches.match now accepts + to represent a logical disjunction (OR). 40185 42517
  • The journald input is now generally available. 42107

Heartbeat

  • Add support for RFC7231 methods to HTTP monitors. 41975

Metricbeat

  • Add use_kubeadm config option in kubernetes module in order to toggle kubeadm-config API requests. 40086
  • Preserve queries for debugging when merge_results: true in SQL module. 42271
  • Collect more fields from ES node/stats metrics and only those that are necessary. 42421
  • Add benchmark module. 41801

Osquerybeat

  • Increase maximum query timeout to 24 hours. 42356

Winlogbeat

  • Properly set events UserData when experimental API is used. 41525
  • Include XML is respected for experimental API. 41525
  • Forwarded events use renderedtext info for experimental API. 41525
  • Language setting is respected for experimental API. 41525
  • Language setting also added to decode XML wineventlog processor. 41525
  • Format embedded messages in the experimental API. 41525
  • Make the experimental API GA and rename it to winlogbeat-raw. 39580 41770
  • Remove 22 clause limitation. 35047 42187
  • Add handling for recoverable publisher disabled errors. 35316 42187

Functionbeat

  • Remove Functionbeat binaries from CI pipelines. 40745 41506