NOTE: You are looking at documentation for an older release. For the latest information, see the current release documentation.
Breaking changes in 6.2
editBreaking changes in 6.2
editAs a general rule, we strive to keep backwards compatibility between minor versions (e.g. 6.x to 6.y) so you can upgrade without any configuration file changes, but there are breaking changes between the earlier beta releases and the 6.2 GA release.
There are changes that affect both the configuration and the event schema.
Configuration Changes
editThe audit module has been renamed and is now two separate modules: the auditd module and the file_integrity module. You must update your configuration to use these modules.
The kernel
metricset has become the auditd module.
Old Config.
- module: audit metricsets: ["kernel"] kernel.resolve_ids: true kernel.failure_mode: silent kernel.backlog_limit: 8196 kernel.rate_limit: 0 kernel.include_raw_message: false kernel.include_warnings: false kernel.audit_rules: | # Rules
New Config.
- module: auditd resolve_ids: true failure_mode: silent backlog_limit: 8196 rate_limit: 0 include_raw_message: false include_warnings: false audit_rules: | # Rules
The file
metricset has become the
file_integrity module.
Old Config.
- module: audit metricsets: [file] file.paths: - /bin - /usr/bin - /sbin - /usr/sbin - /etc file.scan_at_start: true file.scan_rate_per_sec: 50 MiB file.max_file_size: 100 MiB file.hash_types: [sha1]
New Config.
- module: file_integrity paths: - /bin - /usr/bin - /sbin - /usr/sbin - /etc scan_at_start: true scan_rate_per_sec: 50 MiB max_file_size: 100 MiB hash_types: [sha1] recursive: false
|
Event Schema Changes
editMost field names were changed in 6.2. We wanted to rename the modules and use common field names for similar data types across all the modules. The table below provides a summary of the field changes.
In Kibana you need to import the latest dashboards that work with the new event format. The new dashboards will not work with data produced by older versions of Auditbeat.
Table 1. Renamed Fields
Old Field | New Field |
---|---|
|
|
|
Removed |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|