WARNING: Version 5.0 of the Elastic Stack has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Release Notes
editRelease Notes
editRelease notes for all of the X-Pack components: X-Pack security, X-Pack monitoring, Watcher, X-Pack reporting, and X-Pack graph.
Change List
edit5.0.2
editNovember 29, 2016
Bug Fixes
edit- Monitoring
-
- Add support for custom headers in the monitoring connection and make phone home always return 200.
- Security
-
- Allow reads of native users and roles when the template version hasn’t been updated to match the current version. This prevents failures from occurring during rolling upgrades.
- Retain all user information for run as requests.
- Prevent unknown run as users from executing any APIs. Previously, if an authenticated user with run as permission attempted to run as an unknown user, the unknown user was assigned the default and anonymous roles if they were enabled.
-
If an exception is thrown when resolving the index in an index request, it
is now recorded as
access_denied
in the audit-trail. Previously, no entry was recorded in the audit trail.
5.0.1
editNovember 15, 2016
Bug Fixes
edit- Graph
-
-
Fixed the license check so Graph doesn’t throw an
undefined
error when Security is disabled and you try to load a workspace URL.
-
Fixed the license check so Graph doesn’t throw an
- Monitoring
-
- Show Replica Count not Replication Factor in Overview.
- A non-aliased Monitoring index can now be always be created for the current day when upgrading from Marvel.
- Duplicate shards no longer appear in the shard allocation table.
- The Kibana Cluster Summary now always shows the last-known status.
- Kibana now makes sure Monitoring is enabled before attempting to send stats.
- Security
-
- Security can no longer pollute the thread context with incorrect users, which could cause failures during the discovery process.
-
Security now honors the
action.destructive_requires_name
setting and prevents users from deleting indices with wildcards if it is set totrue
. - Made changes to preserve the context when performing internal actions. This ensures subsequent actions are performed as the correct user.
-
Files generated by the
certgen
tool now have permissions set to 600 so they aren’t world-readable. - The Security UI no longer hangs when you configure field-level security when adding a role.
- When running with a Basic License, the login dialog is no longer displayed and no Security elements are visible in Kibana.
- The last sub URL of each Kibana app is no longer cached between sessions. This means that when a different user logs in, they are longer redirected to the URLs the previous user viewed last.
- Watcher
-
- Chain input: An exception is now thrown if the inputs in the chain are specified with a data structure that does not preserve the input order. The inputs in a chain must be specified as array elements to guarantee the order in which the inputs are processed. (JSON does not guarantee the order of arbitrary objects.)
- Watch history template: Removed the unused Watcher plugin version.
- Email output: Fixed an error that prevented emails from being sent when localhost could not be resolved.
5.0.0
editOctober 26, 2016
Breaking Changes
edit- X-Pack
-
-
All settings have been updated to use the
xpack
prefix. For more information, see Migrating to X-Pack.
-
All settings have been updated to use the
- Licensing
-
-
Licensing endpoint has been renamed from
/_license
to/_xpack/license
.
-
Licensing endpoint has been renamed from
- Monitoring
-
-
http
exporters no longer honor thekeep_alive
setting as this is handled by the low-level REST Client. -
All
monitoring.agent.*
settings have been changed to more closely match other monitoring collection settings:xpack.monitoring.collection.*
andxpack.monitoring.exporters.*
. - The Index page’s Lucene Memory chart was replaced with an Index Memory chart, which includes a superset of the information. Fielddata, which has become a significantly less common issue, has been rolled into the Index Memory chart.
- To use an external monitoring cluster to monitor an Elasticsearch 5.0 cluster, you must run Elasticsearch 5.0 on the monitoring cluster. For more information about external monitoring clusters, see Setting up a Separate Monitoring Cluster.
-
All settings have been updated to use the
xpack.monitoring
prefix. For more information, see Migrating to X-Pack.
-
- Reporting
-
-
Reporting encryption keys configured in
kibana.yml
must now be at least 32 characters.
-
Reporting encryption keys configured in
- Security
-
-
Security encryption keys configured in
kibana.yml
must now be at least 32 characters. - The SSL configuration settings have been changed to use an easier to use format that also supports PEM files.
-
Removed the
files.users
andfiles.users_roles
settings from thefile
realm. -
Removed the setting that allowed for a custom
roles.yml
file location to be specified. Theroles.yml
file must always be in theCONF_DIR/x-pack
directory. -
Removed the setting that allowed for a custom system key location to be
defined. The
system_key
file must always be in theCONF_DIR/x-pack
directory. -
The
logfile
output for auditing no longer uses the log level to determine which events to log. The events are now controlled in the same way as theindex
output. - Changed the syntax for field-level-security. Roles stored in the old format in native or file based realm will continue to work but new roles must use the new format.
-
The
esusers
realm has been renamed tofile
and theesusers
command line tool has been renamed tousers
. Note that the User and Role APIs are the preferred way to manage internal users. -
Elasticsearch enables HTTP compression by default now. To mitigate potential
security risks like the BREACH attack, X-Pack security disables compression if HTTPS
is enabled. If Elasticsearch should compress HTTPS traffic, please explicitly
set
http.compression
totrue
in ‘elasticsearch.yml’. -
You must specify all required values to override the global SSL configuration
in a profile. If any values are omitted, the entire configuration falls back to
the global settings,
xpack.security.ssl.*
. -
The
skipSslCheck
anduseUnsafeSessions
for Kibana have been replaced byxpack.security.secureCookies
inkibana.yml
. SSL is now disabled by default. You can start Kibana without making any changes tokibana.yml
after you install X-Pack. Do not deploy to production without enabling SSL/TLS encryption! - A default role is now applied to all users, including anonymous users. The default role enables users to access the authenticate endpoint, change their own passwords, and get information about themselves.
-
All settings have been updated to use the
xpack.security
prefix. For more information, see Migrating to X-Pack.
-
Security encryption keys configured in
- Watcher
-
-
The
force
parameter of the Delete Watch Action has been removed. -
The use of the
_timestamp
field for the execution time has been removed. The user now needs to set this explicitly in theindex
action. -
The
_xpack/watcher/_start
,_xpack/watcher/_restart
, and_xpack/watcher/_stop
REST endpoints requirePOST
actions instead ofPUT
actions. The deprecated_watcher/_start
,_watcher/_restart
, and_watcher/_stop
endpoints still allowPUT
. -
Watch history now uses a versioned template. The index names also changed
and contain this version. So instead of
.watch_history_2016.02.03
the new index name is.watcher-history-1-2016.02.03
, where1
is the current version. If you are using X-Pack security, this might require you to change roles/permissions because of the different index names! The old index template namedwatch_history
can safely be deleted. However, it does not interfere with the new index template. -
The setting that enables scripting only for Watcher has been renamed from
script.engine.groovy.inline.elasticsearch-watcher_watch
toscript.engine.groovy.inline.xpack_watch
. -
Elasticsearch has several breaking changes in the query DSL, including that
search_type=count
is no longer supported. Check to see if your watches use this search type and upgrade them to usesize: 0
in the request body as needed. For more information about breaking changes including search changes, see breaking changes section in Elasticsearch. -
All account SMTP timeouts (
smtp.timeout
,smtp.connection_timeout
andsmtp.write_timeout
) now require a time value instead of a number in milliseconds. -
The notification settings for PagerDuty, Slack, HipChat, and email have been
moved from
watcher.actions
toxpack.notification
. You need to update your Elasticsearch configuration accordingly. -
All watcher endpoints have been renamed from
/_watcher/XYZ
to/_xpack/watcher/XYZ
. You might need to fix this in external scripts as well as in your watches. -
The notification settings have been stripped of their
service
part. Sowatcher.actions.slack.service.default_account
becomesxpack.notification.slack.default_account
-
The setting
watcher.shield.encrypt_sensitive_data
has been renamed toxpack.watcher.encrypt_sensitive_data
-
The
New Features
edit- Monitoring
-
-
Added new node resolver,
uuid
, to the Monitoring UI configuration and made it the default. Starting with Elasticsearch 5.0, instances of Elasticsearch create a persistent UUID that remains the same across restarts unless the data directory is deleted. If the data directory is deleted, the instance a new UUID on start up. - Latencies calculated against totals use derivatives to get the rate of change. If any derivative is negative, then that time bucket is ignored and left blank on the latency chart. Values that are negative indicate that the underlying total shrank, which means that the data is skewed and showing the result is misleading (for example, due to nodes restarting).
- Added Segment Count memory chart to the Index page.
-
Added new node resolver,
- Security
-
- Support for forest wide authentication in the Active Directory Realm.
-
The default LDAP group search filter now includes
posixGroup
groups. - LDAP user search can now use un-pooled connections.
- Watcher
-
-
Added support for accessing the HTTP status code of a response in the HTTP
input through
ctx.payload._status_code
. -
The new REST endpoint for acknowledging certain actions of a watch is
_xpack/watcher/watch/{watch_id}/_ack/{action_id}
. The old notation waswatcher/watch/{watch_id}/{action_id}/_ack
, which will be removed in future releases.
-
Added support for accessing the HTTP status code of a response in the HTTP
input through
Enhancements
edit- Graph
-
- Added ability to save Graph workspaces
- Added ability to drill-down on Graph selections using other Kibana visualizations
-
In the Graph UI, you can now use an index pattern such as
logstash-*
to select multiple time-based indices instead of a single index.
- Monitoring
-
- Added dots for all points on charts.
- Added the ability to highlight points by hovering close to them. The highlighted point, and those from other series at the X-position, are what are displayed in the legend.
-
Added a monitoring ingest pipeline so that future releases will be compatible
even if backward incompatible changes are made. This is enabled by default, but
can be disabled by setting
use_ingest
tofalse
at the exporter level (for example,xpack.monitoring.exporters.my_exporter.use_ingest: false
). -
Added the ability for HTTP exporters to send arbitrary HTTP headers along
with requests. This allows the HTTP exporter to be used with proxies to route
monitoring data more dynamically, if necessary. This can be used by supplying
name-value pairs at the exporter level (for example,
xpack.monitoring.exporters.my_exporter.headers.X-My-Header: abc123
). - Rewrote the HTTP exporter to use the low-level REST Client and better pool connections. This reduces the resources used for both networking and parsing.
- Added Kibana instance monitoring as part of the same Elastic Cluster.
- Added experimental charts to be used while monitoring Kibana instances.
- Added breadcrumbs to allow simpler navigation between monitoring pages.
- Simplified the Indices tab to remove charts that already appeared on the Overview page so that indices are more accessible.
- Simplified overall status handling so that it is clearer what the status of the current item is (e.g., index view gives index status).
- Added index memory graph to the Node page so that the cost of open indices can be determined more accurately.
- Added the total indexing rate alongside the primary indexing rate. Total includes both primaries and replicas.
- Added color to all charts.
- Added units to all chart titles.
- Added the internals to support monitoring Kibana instances.
- Improved the display of values in the legend.
- Shortened the welcome message.
- Security
-
- Native users and roles can now be used on tribe nodes.
- Added the ability to disable native and reserved users.
- Added ability to define exclusions for fields in field level security.
- Added built-in roles for reporting users, monitoring users, remote monitoring agents, and users of the Kibana ingest feature.
-
Auditing supports an
authentication_success
event that is output after authentication. This event can output the body of the request, so in combination with theauthentication_failed
event all request bodies can be audited. -
Added a X-Pack specific transport client,
PreBuiltXPackTransportClient
, that provides an easy way to use the transport client with X-Pack and other modules of Elasticsearch such as reindex. - Auditing now de-duplicates the names of indices when logging.
- Document and Field Level Security can be used with realtime requests.
-
The
certgen
tool no longer generates file names that would result in hidden files and now offers an option to specify the validity time of the generated certificates. -
Added an
ingest_admin
role that grants the permissions requried to use the ingest feature in Kibana. -
New
elastic
andkibana
built-in users. -
New
superuser
andtransport_client
built-in roles. - Added a password API to enable administrators and users to reset and change passwords.
-
Added a built-in
kibana_user
role that grants the minimum set of privileges needed to use Kibana. -
Default anonymous username changed to
_anonymous
(used to be_es_anonymous_user
)
- Watcher
-
-
Allow use of
inline
attachments in emails, so that desktop clients can display attachments like images embedded in emails. -
The HTTP headers of a response are now part of the payload and can be
accessed via
ctx.payload._headers
- Individual actions now support conditions. This is useful when a single watch contains multiple actions—specific actions can fire based on the current context.
- Watches can now be modified or deleted while they are running, which is especially useful for long running watches
-
Allow use of
Bug Fixes
edit- Security
-
-
Updated document level security to support preventing requests that use
scripts or
now()
from being cached.
-
Updated document level security to support preventing requests that use
scripts or
- Watcher
-
- The watch version is now ignored when deleting a watch.