Skip to content

Latest commit

 

History

History
917 lines (577 loc) · 29.9 KB

CHANGELOG.asciidoc

File metadata and controls

917 lines (577 loc) · 29.9 KB

Beats version 5.0.0-alpha5

Breaking changes

Affecting all Beats

  • Rename the filters section to processors. 1944

  • Introduce the condition with when in the processor configuration. 1949

  • The Elasticsearch template is now loaded by default. 1993

  • The Redis output index setting is renamed to key. index still works but it’s deprecated. 2077

  • The undocumented file output index setting was removed. Use filename instead. 2077

Metricbeat

  • Create a separate metricSet for load under the system module and remove load information from CPU stats. 2101

  • Add system.load.norm.1, system.load.norm.5 and system.load.norm.15. 2101

Packetbeat

  • Set enabled ` in packetbeat.protocols.icmp configuration to true by default. 1988

Bugfixes

Affecting all Beats

  • Fix sync publisher PublishEvents return value if client is closed concurrently. 2046

Metricbeat

  • Do not send zero values when no value was present in the source. 1972

Filebeat

  • Fix potential data loss between Filebeat restarts, reporting unpublished lines as published. 2041

  • Fix open file handler issue. 2028 2020

  • Fix filtering of JSON events when using integers in conditions. 2038

Winlogbeat

  • Fix potential data loss between Winlogbeat restarts, reporting unpublished lines as published. 2041

Added

Affecting all Beats

  • Periodically log internal metrics. 1955

  • Add enabled setting to all output modules. 1987

  • Command line flag -c can be used multiple times. 1985

  • Add OR/AND/NOT to the condition associated with the processors. 1983

  • Add -E CLI flag for overwriting single config options via command line. 1986

  • Choose the mapping template file based on the Elasticsearch version. 1993

  • Check stdout being available when console output is configured. 2035

Metricbeat

Packetbeat

  • Add enabled setting to Packetbeat protocols. 1988

  • Add enabled setting to Packetbeat network flows configuration. 1988

Filebeat

  • Introduce close_removed and close_renamed harvester options. 1600

  • Introduce close_eof harvester option. 1600

  • Add clean_removed and clean_inactive config option. 1600

Deprecated

Filebeat

  • Deprecate close_older option and replace it with close_inactive. 2051

  • Deprecate force_close_files option and replace it with close_removed and close_renamed. 1600

Beats version 5.0.0-alpha4

Breaking changes

Affecting all Beats

  • The topology_expire option of the Elasticserach output was removed. 1907

Filebeat

  • Stop following symlink. Symlinks are now ignored: 1686

Bugfixes

Affecting all Beats

  • Reset backoff factor on partial ACK. 1803

  • Fix beats load balancer deadlock if max_retries: -1 or publish_async is enabled in filebeat. 1829

  • Fix logstash output with pipelining mode enabled not reconnecting. 1876

  • Empty configuration sections become merge-able with variables containing full path. 1900

  • Fix error message about required fields missing not printing the missing field name. 1900

Metricbeat

  • Fix the CPU values returned for each core. 1863

Packetbeat

  • Add missing nil-check to memcached GapInStream handler. 1162

  • Fix NFSv4 Operation returning the first found first-class operation available in compound requests. 1821

  • Fix TCP overlapping segments not being handled correctly. 1898

Winlogbeat

  • Fix issue with rendering forwarded event log records. 1891

Added

Affecting all Beats

  • Improve error message if compiling regular expression from config files fails. 1900

  • Compression support in the Elasticsearch output. 1835

Metricbeat

  • Add MongoDB module. 1837

Beats version 5.0.0-alpha3

Breaking changes

Affecting all Beats

  • All configuration settings under shipper: are moved to be top level configuration settings. I.e. shipper.name: becomes name: in the configuration file. 1570

Topbeat

  • Topbeat is replaced by Metricbeat.

Filebeat

  • The state for files which fall under ignore_older is not stored anymore. This has the consequence, that if a file which fell under ignore_older is updated, the whole file will be crawled.

Bugfixes

Winlogbeat

  • Adding missing argument to the "Stop processing" log message. 1590

Added

Affecting all Beats

  • Add conditions to generic filtering. 1623

Metricbeat

  • First public release, containing the following modules: apache, mysql, nginx, redis, system, and zookeeper.

Filebeat

  • The registry format was changed to an array instead of dict. The migration to the new format will happen automatically at the first startup. 1703

Deprecated

Affecting all Beats

  • The support for doing GeoIP lookups is deprecated and will be removed in version 6.0. 1601

Beats version 1.2.3

Bugfixes

Topbeat

  • Fix high CPU usage when using filtering under Windows. 1598

Filebeat

  • Fix rotation issue with ignore_older. 1528

Winlogbeat

  • Fix panic when reading messages larger than 32K characters on Windows XP and 2003. 1498

Added

Filebeat

  • Prevent file opening for files which reached ignore_older. 1649

Beats version 5.0.0-alpha2

Breaking changes

Affecting all Beats

  • On DEB/RPM installations, the binary files are now found under /usr/share/{{beat_name}}/bin, not in /usr/bin. 1385

  • The logs are written by default to self rotating files, instead of syslog. 1371

  • Remove deprecated host option from elasticsearch, logstash and redis outputs. 1474

Packetbeat

  • Configuration of redis topology support changed. 1353

  • Move all Packetbeat configuration options under the packetbeat namespace 1417

Filebeat

  • Default location for the registry file was changed to be data/registry from the binary directory, rather than .filebeat in the current working directory. This affects installations for zip/tar.gz/source, the location for DEB and RPM packages stays the same. 1373

Bugfixes

Affecting all Beats

  • Drain response buffers when pipelining is used by Redis output. 1353

  • Unterminated environment variable expressions in config files will now cause an error 1389

  • Fix issue with the automatic template loading when Elasticsearch is not available on Beat start. 1321

  • Fix bug affecting -cpuprofile, -memprofile, and -httpprof CLI flags 1415

  • Fix race when multiple outputs access the same event with logstash output manipulating event 1410 1428

  • Seed random number generator using crypto.rand package. https://github.com/elastic/beats/pull/1503{1503]

  • Fix beats hanging in -configtest 1213

  • Fix kafka log message output 1516

Filebeat

  • Improvements in registrar dealing with file rotation. 1281

  • Fix issue with JSON decoding where @timestamp or type keys with the wrong type could cause Filebeat to crash. 1378

  • Fix issue with JSON decoding where values having null as values could crash Filebeat. 1466

  • Multiline reader normalizing newline to use \n. 1552

Winlogbeat

  • Fix panic when reading messages larger than 32K characters on Windows XP and 2003. 1498

  • Fix panic that occurs when reading a large events on Windows Vista and newer. 1499

Added

Affecting all Beats

  • Add support for TLS to Redis output. 1353

  • Add SOCKS5 proxy support to Redis output. 1353

  • Failover and load balancing support in redis output. 1353

  • Multiple-worker per host support for redis output. 1353

  • Added ability to escape ${x} in config files to avoid environment variable expansion 1389

  • Configuration options and CLI flags for setting the home, data and config paths. 1373

  • Configuration options and CLI flags for setting the default logs path. 1437

  • Update to Go 1.6.2 1447

  • Add Elasticsearch template files compatible with Elasticsearch 2.x. 1501

  • Add scripts for managing the dashboards of a single Beat 1359

Packetbeat

  • Fix compile issues for OpenBSD. 1347

Topbeat

  • Updated elastic/gosigar version so Topbeat can compile on OpenBSD. 1403

Beats version 1.2.2

Bugfixes

Affecting all Beats

  • Fix race when multiple outputs access the same event with Logstash output manipulating event. 1410

  • Fix go-daemon (supervisor used in init scripts) hanging when executed over SSH. 1394

Filebeat

  • Improvements in registrar dealing with file rotation. 1281

Beats version 1.2.1

Breaking changes

Affecting all Beats

  • Require braces for environment variable expansion in config files 1304

  • Removed deprecation warning for the Redis output. 1282

Topbeat

  • Fixed name of the setting stats.proc to stats.process in the default configuration file. 1343

  • Fix issue with cpu.system_p being greater than 1 on Windows 1128

Added

Topbeat

  • Add username to processes 845

Beats version 5.0.0-alpha1

Breaking changes

libbeat

  • Run function to start a Beat now returns an error instead of directly exiting. 771

  • The method signature of HandleFlags() was changed to allow returning an error 1249

  • Require braces for environment variable expansion in config files 1304

Packetbeat

  • Rename output fields in the dns package. Former flag recursion_allowed becomes recursion_available. 803 Former SOA field ttl becomes minimum. 803

  • The fully qualified domain names which are part of output fields values of the dns package now terminate with a dot. 803

  • Remove the count field from the exported event 1210

Topbeat

  • Rename proc.cpu.user_p with proc.cpu.total_p as it includes CPU time spent in kernel space 631

  • Remove count field from the exported fields 1207

  • Rename input top level config option to topbeat

Filebeat

  • Scalar values in used in the fields configuration setting are no longer automatically converted to strings. 1092

  • Count field was removed from event as not used in filebeat 778

Winlogbeat

  • The message_inserts field was replaced with the event_data field 1053

  • The category field was renamed to task to better align with the Windows Event Log API naming 1053

  • Remove the count field from the exported event 1218

Bugfixes

Affecting all Beats

  • Logstash output will not retry events that are not JSON-encodable 927

Packetbeat

  • Create a proper BPF filter when ICMP is the only enabled protocol 757

  • Check column length in pgsql parser. 565

  • Harden pgsql parser. 565

Topbeat

  • Fix issue with cpu.system_p being greater than 1 on Windows 1128

Filebeat

  • Stop filebeat if started without any prospectors defined or empty prospectors 644 647

  • Improve shutdown of crawler and prospector to wait for clean completion 720

  • Omit fields from Filebeat events when null 899

Winlogbeat

Added

Affecting all Beats

  • Update builds to Golang version 1.6

  • Add option to Elasticsearch output to pass http parameters in index operations 805

  • Improve Logstash and Elasticsearch backoff behavior. 927

  • Add experimental Kafka output. 942

  • Add config file option to configure GOMAXPROCS. 969

  • Improve shutdown handling in libbeat. 1075

  • Add fields and fields_under_root options under the shipper configuration 1092

  • Add the ability to use a SOCKS5 proxy with the Logstash output 823

  • The -configtest flag will now print "Config OK" to stdout on success 1249

Packetbeat

  • Change the DNS library used throughout the dns package to github.com/miekg/dns. 803

  • Add support for NFS v3 and v4. 1231

  • Add support for EDNS and DNSSEC. 1292

Topbeat

  • Add username to processes 845

Filebeat

  • Add the ability to set a list of tags for each prospector 1092

  • Add JSON decoding support 1143

Winlogbeat

  • Add caching of event metadata handles and the system render context for the wineventlog API 888

  • Improve config validation by checking for unknown top-level YAML keys. 1100

  • Add the ability to set tags, fields, and fields_under_root as options for each event log 1092

  • Add additional data to the events published by Winlogbeat. The new fields are activity_id, event_data, keywords, opcode, process_id, provider_guid, related_activity_id, task, thread_id, user_data, and version. 1053

  • Add event_id, level, and provider configuration options for filtering events 1218

  • Add include_xml configuration option for including the raw XML with the event 1218

Known issues

  • All Beats can hang or panic on shutdown if the next server in the pipeline (e.g. Elasticsearch or Logstash) is not reachable. 1319

  • When running the Beats as a service on Windows, you need to manually load the Elasticsearch mapping template. 1315

  • The ES template automatic load doesn’t work if Elasticsearch is not available when the Beat is starting. 1321

Beats version 1.2.0

Breaking changes

Filebeat

  • Default config for ignore_older is now infinite instead of 24h, means ignore_older is disabled by default. Use close_older to only close file handlers.

Bugfixes

Packetbeat

  • Split real_ip_header value when it contains multiple IPs 1241

Winlogbeat

  • Fix invalid event_id on Windows XP and Windows 2003 1227

Added

Affecting all Beats

  • Add ability to override configuration settings using environment variables 114

  • Libbeat now always exits through a single exit method for proper cleanup and control 736

  • Add ability to create Elasticsearch mapping on startup 639

Topbeat

  • Add the command line used to start processes 533

Filebeat

  • Add close_older configuration option to complete ignore_older 181

Beats version 1.1.2

Bugfixes

Filebeat

  • Fix registrar bug for rotated files 1010

Beats version 1.1.1

Bugfixes

Affecting all Beats

  • Fix logstash output loop hanging in infinite loop on too many output errors. 944

  • Fix critical bug in filebeat and winlogbeat potentially dropping events. 953

Beats version 1.1.0

Bugfixes

Affecting all Beats

  • Fix logging issue with file based output where newlines could be misplaced during concurrent logging 650

  • Reduce memory usage by separate queue sizes for single events and bulk events. 649 516

  • Set default default bulk_max_size value to 2048 628

Packetbeat

  • Fix setting direction to out and use its value to decide when dropping events if ignore_outgoing is enabled 557

  • Fix logging issue with file-based output where newlines could be misplaced during concurrent logging 650

  • Reduce memory usage by having separate queue sizes for single events and bulk events. 649 516

  • Set default bulk_max_size value to 2048 628

  • Fix logstash window size of 1 not increasing. 598

Packetbeat

  • Fix the condition that determines whether the direction of the transaction is set to "outgoing". Packetbeat uses the direction field to determine which transactions to drop when dropping outgoing transactions. 557

  • Allow PF_RING sniffer type to be configured using pf_ring or pfring 671

Filebeat

  • Set spool_size default value to 2048 628

Added

Affecting all Beats

  • Add include_fields and drop_fields as part of generic filtering 1120

  • Make logstash output compression level configurable. 630

  • Some publisher options refactoring in libbeat 684

  • Move event preprocessor applying GeoIP to packetbeat 772

Packetbeat

  • Add support for capturing DNS over TCP network traffic. 486 554

Topbeat

  • Group all CPU usage per core statistics and export them optionally if cpu_per_core is configured 496

Filebeat

  • Add multiline support for combining multiple related lines into one event. 461

  • Add exclude_lines and include_lines options for regexp based line filtering. 430

  • Add exclude_files configuration option. 563

  • Add experimental option to enable filebeat publisher pipeline to operate asynchonrously 782

Winlogbeat

  • First public release of Winlogbeat

Beats version 1.0.1

Bugfixes

Filebeat

  • Fix force_close_files in case renamed file appeared very fast. 302

Packetbeat

  • Improve MongoDB message correlation. 377

  • Improve redis parser performance. 422

  • Fix panic on nil in redis protocol parser. 384

  • Fix errors redis parser when messages are split in multiple TCP segments. 402

  • Fix errors in redis parser when length prefixed strings contain sequences of CRLF. 402

  • Fix errors in redis parser when dealing with nested arrays. 402

Beats version 1.0.0

Breaking changes

Topbeat

  • Change proc type to process #138

Bugfixes

Affecting all Beats

  • Fix random panic on shutdown by calling shutdown handler only once. elastic/filebeat#204

  • Fix credentials are not send when pinging an elasticsearch host. elastic/fileabeat#287

Filebeat

  • Fix problem that harvesters stopped reading after some time and filebeat stopped processing events #257

  • Fix line truncating by internal buffers being reused by accident #258

  • Set default ignore_older to 24 hours #282

Beats version 1.0.0-rc2

Breaking changes

Affecting all Beats

  • The shipper output field is renamed to beat.name. #285

  • Use of enabled as a configuration option for outputs (elasticsearch, logstash, etc.) has been removed. #264

  • Use of disabled as a configuration option for tls has been removed. #264

  • The -test command line flag was renamed to -configtest. #264

  • Disable geoip by default. To enable it uncomment in config file. #305

Filebeat

  • Removed utf-16be-bom encoding support. Support will be added with fix for #205

  • Rename force_close_windows_files to force_close_files and make it available for all platforms.

Bugfixes

Affecting all Beats

  • Disable logging to stderr after configuration phase. #276

  • Set the default file logging path when not set in config. #275

  • Fix bug silently dropping records based on current window size. elastic/filebeat#226

  • Fix direction field in published events. #300

  • Fix elasticsearch structured errors breaking error handling. #309

Packetbeat

  • Packetbeat will now exit if a configuration error is detected. #357

  • Fixed an issue handling DNS requests containing no questions. #369

Topbeat

  • Fix leak of Windows handles. #98

  • Fix memory leak of process information. #104

Filebeat

  • Filebeat will now exit if a configuration error is detected. #198

  • Fix to enable prospector to harvest existing files that are modified. #199

  • Improve line reading and encoding to better keep track of file offsets based on encoding. #224

  • Set input_type by default to "log"

Added

Affecting all Beats

  • Added beat.hostname to contain the hostname where the Beat is running on as returned by the operating system. #285

  • Added timestamp for file logging. #291

Filebeat

  • Handling end of line under windows was improved #233

Beats version 1.0.0-rc1

Breaking changes

Affecting all Beats

  • Rename timestamp field with @timestamp. #237

Packetbeat

  • Rename timestamp field with @timestamp. #343

Topbeat

  • Rename timestamp field with @timestamp for a better integration with Logstash. #80

Filebeat

  • Rename the timestamp field with @timestamp #168

  • Rename tail_on_rotate prospector config to tail_files

  • Removal of line field in event. Line number was not correct and does not add value. #217

Bugfixes

Affecting all Beats

  • Use stderr for console log output. #219

  • Handle empty event array in publisher. #207

  • Respect '*' debug selector in IsDebug. #226 (elastic#339)

  • Limit number of workers for Elasticsearch output. elastic#226

  • On Windows, remove service related error message when running in the console. #242

  • Fix waitRetry no configured in single output mode configuration. elastic/filebeat#144

  • Use http as the default scheme in the elasticsearch hosts #253

  • Respect max bulk size if bulk publisher (collector) is disabled or sync flag is set.

  • Always evaluate status code from Elasticsearch responses when indexing events. #192

  • Use bulk_max_size configuration option instead of bulk_size. #256

  • Fix max_retries=0 (no retries) configuration option. #266

  • Filename used for file based logging now defaults to beat name. #267

Packetbeat

  • Close file descriptors used to monitor processes. #337

  • Remove old RPM spec file. It moved to elastic/beats-packer. #334

Topbeat

  • Don’t wait for one period until shutdown #75

Filebeat

  • Omit 'fields' from event JSON when null. #126

  • Make offset and line value of type long in elasticsearch template to prevent overflow. #140

  • Fix locking files for writing behaviour. #156

  • Introduce 'document_type' config option per prospector to define document type for event stored in elasticsearch. #133

  • Add 'input_type' field to published events reporting the prospector type being used. #133

  • Fix high CPU usage when not connected to Elasticsearch or Logstash. #144

  • Fix issue that files were not crawled anymore when encoding was set to something other then plain. #182

Added

Affecting all Beats

  • Add Console output plugin. #218

  • Add timestamp to log messages #245

  • Send @metadata.beat to Logstash instead of @metadata.index to prevent possible name clashes and give user full control over index name used for Elasticsearch

  • Add logging messages for bulk publishing in case of error #229

  • Add option to configure number of parallel workers publishing to Elasticsearch or Logstash.

  • Set default bulk size for Elasticsearch output to 50.

  • Set default http timeout for Elasticsearch to 90s.

  • Improve publish retry if sync flag is set by retrying only up to max bulk size events instead of all events to be published.

Filebeat

  • Introduction of backoff, backoff_factor, max_backoff, partial_line_waiting, force_close_windows_files config variables to make crawling more configurable.

  • All Godeps dependencies were updated to master on 2015-10-21 [#122]

  • Set default value for ignore_older config to 10 minutes. #164

  • Added the fields_under_root setting to optionally store the custom fields top level in the output dictionary. #188

  • Add more encodings by using x/text/encodings/htmlindex package to select encoding by name.

Beats version 1.0.0-beta4

Breaking changes

Affecting all Beats

  • Update tls config options naming from dash to underline #162

  • Feature/output modes: Introduction of PublishEvent(s) to be used by beats #118 #115

Packetbeat

  • Renamed http module config file option 'strip_authorization' to 'redact_authorization'

  • Save_topology is set to false by default

  • Rename elasticsearch index to [packetbeat-]YYYY.MM.DD

Topbeat

  • Percentage fields (e.g user_p) are exported as a float between 0 and 1 #34

Bugfixes

Affecting all Beats

  • Determine Elasticsearch index for an event based on UTC time #81

  • Fixing ES output’s defaultDeadTimeout so that it is 60 seconds #103

  • ES outputer: fix timestamp conversion #91

  • Fix TLS insecure config option #239

  • ES outputer: check bulk API per item status code for retransmit on failure.

Packetbeat

  • Support for lower-case header names when redacting http authorization headers

  • Redact proxy-authorization if redact-authorization is set

  • Fix some multithreading issues #203

  • Fix negative response time #216

  • Fix memcache TCP connection being nil after dropping stream data. #299

  • Add missing DNS protocol configuration to documentation #269

Topbeat

  • Don’t divide the reported memory by an extra 1024 #60

Added

Affecting all Beats

  • Add logstash output plugin #151

  • Integration tests for Beat → Logstash → Elasticsearch added #195 #188 #168 #137 #128 #112

  • Large updates and improvements to the documentation

  • Add direction field to publisher output to indicate inbound/outbound transactions #150

  • Add tls configuration support to elasticsearch and logstash outputers #139

  • All external dependencies were updated to the latest version. Update to Golang 1.5.1 #162

  • Guarantee ES index is based in UTC time zone #164

  • Cache: optional per element timeout #144

  • Make it possible to set hosts in different ways. #135

  • Expose more TLS config options #124

  • Use the Beat name in the default configuration file path #99

Packetbeat

  • add [.editorconfig file](http://editorconfig.org/)

  • add (experimental/unsupported?) saltstack files

  • Sample config file cleanup

  • Moved common documentation to [libbeat repository](https://github.com/elastic/libbeat)

  • Update build to go 1.5.1

  • Adding device descriptions to the -device output.

  • Generate coverage for system tests

  • Move go-daemon dependency to beats-packer

  • Rename integration tests to system tests

  • Made the -devices option more user friendly in case sudo is not used. Issue #296.

  • Publish expired DNS transactions #301

  • Update protocol guide to libbeat changes

  • Add protocol registration to new protocol guide

  • Make transaction timeouts configurable #300

  • Add direction field to the exported fields #317

Topbeat

  • Document fields in a standardized format (etc/fields.yml) #34

  • Updated to use new libbeat Publisher #37 #41

  • Update to go 1.5.1 #43

  • Updated configuration files with comments for all options #65

  • Documentation improvements

Deprecated

Affecting all Beats

  • Redis output was deprecated #169 #145

  • Host and port configuration options are deprecated. They are replaced by the hosts configuration option. #141