CHANGELOG.next.asciidoc

Beats version HEAD

Check the HEAD diff

Breaking changes

Affecting all Beats

• Update add_cloud_metadata fields to adjust to ECS. 9265

• Automaticall cap signed integers to 63bits. 8991

• Rename beat.timezone to event.timezone. 9458

• Use _doc as document type. 9056https://github.com/elastic/beats/pull/9573[9573]

• Update to Golang 1.11.3. 9560

• Embedded html is not escaped anymore by default. 9914

• Remove port settings from Logstash and Redis output. 9934

• Fix registry handle leak on Windows (elastic/go-sysinfo#33). 9920

• Rename process.exe to process.executable in add_process_metadata to align with ECS. 9949

Auditbeat - Rename process.exe to process.executable in auditd module to align with ECS. 9949 - Rename process.cwd to process.working_directory in auditd module to align with ECS. 10195 - Change data type of process.pid and process.ppid to number in JSON output of the auditd module. 10195 - Change data type of file.uid and file.gid to string in JSON output of the FIM module. 10195

Filebeat

• Modify apache/error dataset to follow ECS. 8963

• Rename many traefik.access.* fields to map to ECS. 9005

• Fix parsing of GC entries in elasticsearch server log. 9513 9810

• Rename read_timestamp to event.created for Redis input. 9924

• Rename a few elasticsearch.audit.* fields to map to ECS. 9293

• Rename read_timestamp to event.created for all Filebeat modules using it. 10139

• Rename many iis.error.* fields to map to ECS. 9955

• Adjust fileset haproxy.log to map to ECS. 10143

• Rename a few logstash.* fields to map to ECS, remove logstash.slowlog.message. 9935

• Rename a few mongodb.* fields to map to ECS. 10009

• Rename a few mysql.* fields to map to ECS. 10008

• Rename a few nginx.error.* fields to map to ECS. 10007

• Filesets with multiple ingest pipelines added in 8914 only work with Elasticsearch >= 6.5.0 10001

• Remove service.name from Elastcsearch module. Replace by service.type. 10042

• Add grok pattern to support redis 5.0.3 log timestamp. 9819 10033

• Now save the 'first seen' timestamp in event.created (previously read_timestamp), instead of saving the parsed date. Now aligned with event.created semantics elsewhere. 10139

• Rename mysql.error.thread_id and mysql.slowlog.id to mysql.thread_id. 10161

• Remove mysql.error.timestamp and mysql.slowlog.timestamp. 10161

Heartbeat

• Remove monitor generator script that was rarely used. 9648

• monitor IDs are now configurable. Auto generated monitor IDs now use a different formula based on a hash of their config values. If you wish to have continuity with the old format of monitor IDs you’ll need to set the id property explicitly. 9697

• A number of fields have been aliased to their relevant counterparts in the url.* field. Existing visualizations should mostly work. The fields that have been moved are monitor.scheme → url.scheme, monitor.host → url.domain, resolve.host → url.domain, http.url → url.full, tcp.port → url.port. In addition to these moves the new fields url.username, url.password, url.path, and url.query are now present. It should be noted that the url.password field does not contain actual password values, but rather the text <hidden> 9570.

Journalbeat

• Rename read_timestamp to event.created to align with ECS. 10043, 10139

• Rename host.name to host.hostname to align with ECS. 10043

Metricbeat

Packetbeat

• Adjust Packetbeat http fields to ECS Beta 2 9645

• http.request.body moves to http.request.body.content

• http.response.body moves to http.response.body.content

• Changed DNS protocol fields to align with ECS. 9941

• Removed trailing dot from domain names reported by the DNS protocol. 9941

• Changed TLS protocol fields to align with ECS. 9980

• Changed ICMP protocol fields to align with ECS. 10062

• Changed DHCPv4 protocol fields to align with ECS. 10089

• Changed AMQP protocol fields to align with ECS. 10090

• Changed Redis protocol fields to align with ECS. 10126

• Changed HTTP protocol fields to align with ECS. 9976

• Changed MongoDB protocol fields to align with ECS. 10158

• Changed MySQL protocol fields to align with ECS. 10155

• Changed NFS protocol fields to align with ECS. 10153

• Changed Thrift protocol fields to align with ECS. 10125

• Changed Cassandra protocol fields to align with ECS. 10093

• Changed Memcache protocol fields to align with ECS. 10189

Winlogbeat

Functionbeat

• Correctly normalize Cloudformation resource name. 10087

Bugfixes

Affecting all Beats

• Enforce validation for the Central Management access token. 9621

• Fix config appender registration. 9873

• Gracefully handle TLS options when enrolling a Beat. 9129

• The backing off now implements jitter to better distribute the load. 10172

Auditbeat

Filebeat

• Add convert_timezone option to Elasticsearch module to convert dates to UTC. 9756 9761

• Support IPv6 addresses with zone id in IIS ingest pipeline. 9836 error log: 9869, access log: 9955.

• Support haproxy log lines without captured headers. 9463 9958

• Make elasticsearch/audit fileset be more lenient in parsing node name. 10035 10135

• Fix bad bytes count in docker input when filtering by stream. 10211

Heartbeat

• Made monitors.d configuration part of the default config. 9004

Journalbeat

Metricbeat

• Fix panics in vsphere module when certain values where not returned by the API. 9784

• Fix pod UID metadata enrichment in Kubernetes module. 10081

• Fix issue that would prevent collection of processes without command line on Windows. 10196

Packetbeat

• Fix DHCPv4 dashboard that wouldn’t load in Kibana. 9850

Winlogbeat

Functionbeat

Added

Affecting all Beats

• Update field definitions for http to ECS Beta 2 9645

• Add agent.id and agent.ephemeral_id fields to all beats. 9404

• Add name config option to add_host_metadata processor. 9943

• Add add_labels and add_tags processors. 9973

• Add missing file encoding to readers. 10080

• Introduce migration.enabled configuration. 9805

• Add alias field support in Kibana index pattern. 10075

• Add add_fields processor. 10119

Auditbeat

• Add system module. 9546

• Add user.id (UID) and user.name for ECS. 10195

• Add group.id (GID) and group.name for ECS. 10195

Filebeat

• Added module for parsing Google Santa logs. 9540

• Added netflow input type that supports NetFlow v1, v5, v6, v7, v8, v9 and IPFIX. 9399

• Add option to modules.yml file to indicate that a module has been moved 9432.

• Fix parsing of GC entries in elasticsearch server log. 9513 9810

• Support mysql 5.7.22 slowlog starting with time information. 7892 9647

• Add support for ssl_request_log in apache2 module. 8088 9833

• Add support for iis 7.5 log format. 9753 9967

• Add service.type field to all Modules. By default the field is set with the module name. It can be overwritten with service.type config. 10042

• Add support for MariaDB in the slowlog fileset of mysql module. 9731

• Elasticsearch module’s slowlog now populates event.duration (ECS). 9293

• HAProxy module now populates event.duration and http.response.bytes (ECS). 10143

• Teach elasticsearch/audit fileset to parse out some more fields. 10134 10137

• Add convert_timezone to nginx module. 9839 10148

• Add support for Percona in the slowlog fileset of mysql module. 6665 10227

Heartbeat

• Fixed rare issue where TLS connections to endpoints with x509 certificates missing either notBefore or notAfter would cause the check to fail with a stacktrace. 9566

Journalbeat

Metricbeat

• Add key metricset to the Redis module. 9582 9657 9746

• Add socket_summary metricset to system defaults, removing experimental tag and supporting Windows 9709

• Add docker event metricset. 9856

• Add 'performance' metricset to x-pack mssql module 9826

• Add DeDot for kubernetes labels and annotations. 9860 9939

• Add more meaningful metrics to 'performance' Metricset on 'MSSQL' module 10011

• Rename some fields in performance Metricset on MSSQL module to match the updated documentation from Microsoft 10074

• Add AWS EC2 module. 9257 9300

• Release windows Metricbeat module as GA. 10163

• Release traefik Metricbeat module as GA. 10166

• Release Elastic stack modules (Elasticsearch, Logstash, and Kibana) as GA. 10094

• List filesystems on Windows that have an access path but not an assigned letter 8916 10196

• Add nats module. 10071

• Release uswgi Metricbeat module GA. 10164

• Release php_fpm module as GA. 10198

• Release Memcached module as GA. 10199

• Release etcd module as GA. 10200

• Release Ceph module as GA. 10202

• Release aerospike module as GA. 10203

• Release kubernetes apiserver and event metricsets as GA 10212

• Release Couchbase module as GA. 10201

• Release RabbitMQ module GA. 10165

• Release envoyproxy module GA. 10223

• Making RabbitMQ Metricbeat module GA. 10165

• Release mongodb.metrics and mongodb.replstatus as GA. 10242

• Release mysql.galera_status as GA. 10242

• Release postgresql.statement as GA. 10242

• Release RabbitMQ Metricbeat module GA. 10165

• Release Dropwizard module as GA. 10240

• Release Graphite module as GA. 10240

• Release http.server metricset as GA. 10240

Packetbeat

• Add network.community_id to Packetbeat flow events. 10061

• Add aliases for flow fields that were renamed. 7968 10063

Functionbeat

Deprecated

Affecting all Beats

Filebeat

Heartbeat

Journalbeat

Metricbeat

Packetbeat

Winlogbeat

• Close handle on signalEvent. 9838

Functionbeat

Known Issue