IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Beats version 7.9.1 Beats version 7.8.1 »
Elastic Docs Beats Platform Reference [7.9] Release notes

Beats version 7.9.0

edit

Beats version 7.9.0

edit

View commits

Breaking changes

edit

Affecting all Beats

  • Ensure dynamic template names are unique for the same field. 18849

Filebeat

  • With the default configuration the cloud modules (AWS, Azure, Googlecloud, o365, Okta) will no longer send the host field that contains information about the host Filebeat is running on. This is because the host field specifies the host on which the event happened. 13920 18223

  • With the default configuration the following modules will no longer send the host field. You can revert this change by configuring tags for the module and omitting forwarded from the list.

    • Cisco 18753
    • CrowdStrike 19132
    • Fortinet 19133
    • Iptables 18756
    • Checkpoint 18754
    • Netflow 19087
    • Zeek 19113 (forwarded tag is not included by default)
    • Suricata 19107 (forwarded tag is not included by default)
    • CoreDNS 19134 (forwarded tag is not included by default)
    • Envoy Proxy 19134 (forwarded tag is not included by default)
    • CEF module 13920 18223
    • Palo Alto Networks module 13920 18223
  • Okta module now requires objects instead of JSON strings for the http_headers, http_request_body, pagination, rate_limit, and ssl variables. 18953
  • Adds oauth support for httpjson input. 18415 18892
  • Adds split_events_by option to httpjson input. 19246
  • Adds date_cursor option to httpjson input. 19483
  • Adds Gsuite module with SAML support. 19329
  • Adds Gsuite User Accounts support. 19329
  • Adds Gsuite Login audit support. 19702
  • Adds Gsuite Admin support. 19769
  • Adds Gsuite Drive support. 19704
  • Adds Gsuite Groups support. 19725
  • Disable the option of running --machine-learning on its own. 20241

Metricbeat

  • Move service config under metrics and simplify metric types. 18691
  • Fix ECS compliance of user.id field in system/users metricset. 19019
  • Rename googlecloud stackdriver metricset to metrics. 19718

Winlogbeat

  • Add PowerShell module. Support for event ID’s: 400, 403, 600, 800, 4103, 4014, 4105, 4106. 16262 18526
  • Fix PowerShell processing of downgraded engine events. 18966
  • Fix unprefixed fields in fields.yml for PowerShell module. 18984

Bugfixes

edit

Affecting all Beats

  • Fix potential race condition in fingerprint processor. 18738
  • Add better handling for Kubernetes Update and Delete watcher events. 18882
  • Fix config reload metrics (libbeat.config.module.start/stops/running). 19168
  • Fix metrics hints builder to avoid wrong container metadata usage when port is not exposed. 18979
  • Server-side TLS config now validates that certificate and key settings are both specified. 19584
  • Fix terminating pod autodiscover issue. 20084
  • Output errors when Kibana index pattern setup fails. 20121
  • Fix issue in autodiscover that kept inputs stopped after config updates. 20305
  • Add service resource in k8s cluster role. 20546

Auditbeat

  • system/socket: Fix issue with dataset using 100% CPU and becoming unresponsive in some scenarios. 19033 19764
  • system/socket: Fix kprobe grouping to allow running more than one instance. 20325

Filebeat

  • Fix Kubernetes Watcher goroutine leaks when input config is invalid and input.reload is enabled. 18629 18630
  • Okta module now sets the Elasticsearch _id field to the Okta UUID value contained in each system log to minimize the possibility of duplicating events. 18953
  • Fix netflow module to support 7 bytepad for IPFIX template. 18098
  • Fix improper nesting of session_issuer object in AWS cloudtrail fileset. 18894 18915
  • Fix Cisco ASA 3020** and 106023 messages. 17964
  • Add missing default_field: false to AWS filesets fields.yml. 19568
  • Fix memory leak in tcp and unix input sources. 19459
  • Fix Cisco ASA dissect pattern for 313008 and 313009 messages. 19149
  • Fix bug with empty filter values in system/service. 19812
  • Update container name for the Azure filesets. 19899
  • Fix S3 input to trim delimiter /n from each log line. 19972
  • Fix Zeek module to ignore missing fields when attempting to drop unnecessary fields. 19984
  • Fix s3 input parsing json file without expand_event_list_from_field. 19902 19962 20370
  • Fix millisecond timestamp normalization issues in CrowdStrike module. 20035 20138
  • Fix support for message code 106100 in Cisco ASA and FTD. 19350 20245
  • Fix fortinet setting event.timezone to the system one when no tz field present. 20273
  • Fix okta geoip lookup in pipeline for destination.ip. 20454
  • Fix mapping exception in the googlecloud/audit dataset pipeline. 18465 20465
  • Fix cisco asa and ftd parsing of messages 106102 and 106103. 20469

Metricbeat

  • Fix SQL module mapping NULL values as string 18955 18898
  • Fix incorrect usage of hints builder when exposed port is a substring of the hint 19052
  • Stop counterCache only when already started 19103
  • Remove dedot for tag values in aws module. 19112 19221
  • Fix empty field name errors in the application pool metricset. 19537
  • Fix mapping of service start type in the service metricset of the Windows module. 19551
  • Fix config example in the perfmon configuration files. 19539
  • Fix k8s scheduler compatibility issue. 19699
  • Modify doc for app_insights metricset to contain example of config. 20185
  • Add required option for metrics in app_insights. 20406
  • Groups same timestamp metric values to one event in the app_insights metricset. 20403

Packetbeat

  • Fix process monitoring when ipv6 is disabled under Linux. 19941 19945

Added

edit

Affecting all Beats

  • Add initial instrument of Beats with APM GO Agent. 17938
  • Add optional regex based cid extractor to add_kubernetes_metadata processor. 17360
  • Add k8s keystore backend. 18096
  • Change ownership of files in docker images so they can be used in secured environments. 12905
  • Upgrade k8s.io/client-go and k8s keystore tests. 18817
  • Add support for multiple sets of hints on autodiscover. 18883
  • Add a configurable delay between retries when app metadata cannot be retrieved by add_cloudfoundry_metadata. 19181
  • Add data type conversion in dissect processor for converting string values to other basic data types. 18683
  • Add the ignore_failure configuration option to the dissect processor. 19464
  • Add the overwrite_keys configuration option to the dissect processor. 19464
  • Add support to trim captured values in the dissect processor. 19464
  • Add the max_cached_sessions option to the script processor. 19562
  • Set index.max_docvalue_fields_search in index template to increase value to 200 fields. 20215

Auditbeat

  • Add ECS categorization info for Auditd module. 18596

Filebeat

  • Add http_endpoint input. 18298
  • Add observer.vendor, observer.product, and observer.type to Palo Alto Networks module events. 18223
  • The logstash module can now automatically detect the log file format (JSON or plaintext) and process it accordingly. 9964 18095
  • Improve ECS categorization field mappings in CoreDNS module. 16159 18424
  • Improve ECS categorization field mappings in Envoyproxy module. 16161 18395
  • Improve ECS categorization field mappings in Cisco module. 16028 18537
  • The s3 input can now automatically detect gzipped objects. 18283 18764
  • Add geoip AS lookup and improve ECS categorization in AWS cloudtrail fileset. 18644 18958
  • Add support for v1 consumer API in Cloud Foundry input and use it by default. 19125
  • Add new mode to multiline reader to aggregate constant number of lines. 18352
  • Explicitly set ECS version in all Filebeat modules. 19198
  • Add awscloudwatch input. 19025
  • Add automatic retries and exponential backoff to httpjson input. 18956
  • Change the Palo Alto Networks module to pass through (rather than drop) message types other than threat and traffic. 16815 19375
  • Improve ECS categorization field mappings in Traefik module. 16183 19379
  • Improve ECS categorization field mappings in Azure module. 16155 19376
  • Add automatic retries and exponential backoff to httpjson input. 18956
  • Add text and flattened versions of fields with unknown subfields in AWS cloudtrail fileset. 18866 19121
  • Add Microsoft Defender ATP Module. 17997 19197
  • Add initial support for configurable file identity tracking. 18748
  • Add experimental dataset tomcat/log for Apache TomCat logs. 19713
  • Add experimental dataset netscout/sightline for Netscout Arbor Sightline logs. 19713
  • Add experimental dataset barracuda/waf for Barracuda Web Application Firewall logs. 19713
  • Add experimental dataset f5/bigipapm for F5 Big-IP Access Policy Manager logs. 19713
  • Add experimental dataset bluecoat/director for Bluecoat Director logs. 19713
  • Add experimental dataset cisco/nexus for Cisco Nexus logs. 19713
  • Add experimental dataset citrix/virtualapps for Citrix Virtual Apps logs. 19713
  • Add experimental dataset cylance/protect for Cylance Protect logs. 19713
  • Add experimental dataset fortinet/clientendpoint for Fortinet FortiClient Endpoint Protection logs. 19713
  • Add experimental dataset imperva/securesphere for Imperva Secure Sphere logs. 19713
  • Add experimental dataset infoblox/nios for Infoblox Network Identity Operating System logs. 19713
  • Add experimental dataset juniper/junos for Juniper Junos OS logs. 19713
  • Add experimental dataset kaspersky/av for Kaspersky Anti-Virus logs. 19713
  • Add experimental dataset microsoft/dhcp for Microsoft DHCP Server logs. 19713
  • Add experimental dataset tenable/nessus_security for Tenable Nessus Security Scanner logs. 19713
  • Add experimental dataset rapid7/nexpose for Rapid7 Nexpose logs. 19713
  • Add experimental dataset radware/defensepro for Radware DefensePro logs. 19713
  • Add experimental dataset sonicwall/firewall for Sonicwall Firewalls logs. 19713
  • Add experimental dataset squid/log for Squid Proxy Server logs. 19713
  • Add experimental dataset zscaler/zia for Zscaler Internet Access logs. 19713

Heartbeat

  • Record HTTP response headers. 18327

Journalbeat

  • Added an id config option to inputs to allow running multiple inputs on the same journal. 18467
  • Add basic ECS categorization and log.syslog fields. 19176

Metricbeat

  • Add client address to events from http server module. 18336
  • Add new fields to HAProxy module. 18523
  • Add Tomcat overview dashboard. 14026
  • Accept prefix as metric_types config parameter in googlecloud stackdriver metricset. 19345
  • Add dashboards for googlecloud load balancing metricset. 18369
  • Add support for v1 consumer API in Cloud Foundry module and use it by default. 19268
  • Add support for named ports in autodiscover. 19398
  • Add param aws_partition to support aws-cn, aws-us-gov regions. 18850 19423
  • Add support for wildcard * in dimension value of AWS CloudWatch metrics config. 18050 19660
  • The elasticsearch/index metricset now collects metrics for hidden indices. 18639 18703
  • Added performance and query metricsets to mysql module. 18955
  • The elasticsearch-xpack/index metricset now reports hidden indices as such. 18639 18706
  • Adds support for app insights metrics in the Azure module. 18570 18940
  • Added cache and connection_errors metrics to status metricset of MySQL module. 16955 19844
  • Update MySQL dashboard with connection errors and cache metrics. 19913 16955

Packetbeat

  • Add ECS fields for x509 certs, event categorization, and related IP info. 19167

Functionbeat

  • Add basic ECS categorization and cloud fields. 19174

Elastic Log Driver

  • Add support for docker logs command 19531

Deprecated

edit

Metricbeat

  • Deprecate tags config parameter in cloudwatch metricset. 16733
  • Deprecate tags.resource_type_filter config parameter and replace with resource_type. 19688

Known Issues

edit

Functionbeat

  • Functionbeat cannot be deployed on Google Cloud Platform. 20830
« Beats version 7.9.1 Beats version 7.8.1 »