13 September 2017

Brewing in Beats: Running Auditbeat side-by-side with auditd

By Monica Sarbu

Welcome to Brewing in Beats! With this weekly series, we're keeping you up to date with what's new in Beats, including the latest commits and releases.

Last week, we released the second beta release of the Elastic Stack 6.0. Read more details in the blog post about what’s new in the Beats 6.0.0-beta2 release.

Auditbeat: run side-by-side with auditd

Starting with Linux kernel 3.16, it’s possible to receive the kernel audit logs over a multicast socket. This allows for multiple recipients, which means Auditbeat and the auditd daemon can now run on the same server. We added support for multicast in go-libaudit and Auditbeat, which will have this feature in 6.0.0-rc1. The feature is enabled by default if the kernel is newer than 3.16.
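Before switching Auditbeat to side-by-side mode it is worth checking the host, because on a kernel older than 3.16 there is no multicast group and the unicast audit socket has a single consumer, so the two daemons would compete for it. The following Go program is an added example, not code from Auditbeat or go-libaudit: it parses a kernel release string of the kind `uname -r` prints (the function names `parseRelease`, `releaseAtLeast` and `KernelSupportsAuditMulticast` are this example's own), and reads the live release from `/proc/sys/kernel/osrelease` when run on Linux. It answers only the version question; the kernel-side multicast group is read-only and additionally gated by the `CAP_AUDIT_READ` capability, which the process reading it must hold.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// parseRelease extracts the numeric major.minor.patch prefix of a kernel
// release string as reported by `uname -r` or /proc/sys/kernel/osrelease,
// e.g. "4.15.0-1-amd64" -> [4 15 0] and "3.10.0-862.el7.x86_64" -> [3 10 0].
// Fields that are missing or non-numeric are left at 0.
func parseRelease(release string) [3]int {
	var v [3]int
	for i, part := range strings.SplitN(release, ".", 3) {
		// keep only the leading digits of this component
		j := 0
		for j < len(part) && part[j] >= '0' && part[j] <= '9' {
			j++
		}
		n, err := strconv.Atoi(part[:j])
		if err != nil {
			break
		}
		v[i] = n
		if j < len(part) {
			break // a suffix such as "0-1-amd64" ends the numeric prefix
		}
	}
	return v
}

// releaseAtLeast reports whether release is >= major.minor.
func releaseAtLeast(release string, major, minor int) bool {
	v := parseRelease(release)
	if v[0] != major {
		return v[0] > major
	}
	return v[1] >= minor
}

// KernelSupportsAuditMulticast reports whether the kernel exposes the audit
// multicast group added in Linux 3.16, which is what lets Auditbeat and
// auditd both receive the audit stream.
func KernelSupportsAuditMulticast(release string) bool {
	return releaseAtLeast(release, 3, 16)
}

// runningKernelRelease reads the live kernel version on Linux; elsewhere (or
// in a restricted sandbox) it returns an error instead of guessing.
func runningKernelRelease() (string, error) {
	b, err := os.ReadFile("/proc/sys/kernel/osrelease")
	if err != nil {
		return "", err
	}
	return strings.TrimSpace(string(b)), nil
}

func main() {
	rel, err := runningKernelRelease()
	if err != nil {
		fmt.Println("cannot determine kernel release:", err)
		return
	}
	if KernelSupportsAuditMulticast(rel) {
		fmt.Printf("kernel %s: audit multicast available; Auditbeat can run beside auditd\n", rel)
	} else {
		fmt.Printf("kernel %s: older than 3.16; only one consumer can read the audit socket\n", rel)
	}
}
```

The parser deliberately stops at the first non-numeric suffix, so distribution-specific release strings such as RHEL's `3.10.0-862.el7.x86_64` compare correctly as 3.10 rather than being rejected.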

Lower number of shards in default configurations

A while ago we added the possibility to change the number of shards and other Elasticsearch mapping template settings directly from the Beats configuration files. When we did that, we also changed the number of shards to 1 in the default Metricbeat configuration file, but didn’t change the other Beats. We have now made the changes so that the Beats that create events have a default of 3, and the Beats that create metrics have a default of 1. This should result in fewer shards being created for a typical installation of a few Beats with default config.

The new configuration files will be present in 6.0.0-rc1.
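As an added illustration (this is not the shipped configuration file), the section of a Beats 6.x configuration such as `filebeat.yml` that carries this setting looks like the following; `setup.template.settings` is the key Beats uses for template overrides, and the value mirrors the new default for an event-producing Beat:

```yaml
# Elasticsearch index template settings applied when the Beat loads its template.
setup.template.settings:
  # 3 for Beats that create events (Filebeat, Auditbeat, Packetbeat);
  # metric-producing Beats such as Metricbeat now default to 1.
  index.number_of_shards: 3
```

Lowering this on small installations is the usual way to keep the shard count, and with it the per-node overhead, proportional to the data volume rather than to the number of Beats deployed.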

Fix: Keep Docker and Kubernetes pod annotations longer

In some cases pod annotations are needed after the container/pod is deleted, for instance when Filebeat is still reading the logs of that container.

This change makes sure we keep the metadata after a pod is gone. By storing access times we ensure that it's available as long as it's being used.
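The retention rule described above, as an added example and not the Beats implementation: a small cache that stores pod annotations, records a last-access time on every read, and evicts an entry only when its pod has been deleted and nothing has read it for longer than a grace period. The types and method names (`metaCache`, `Put`, `MarkDeleted`, `Get`, `Cleanup`) and the injected clock are this example's own choices; the walk-through in `main` uses constructed pod IDs and annotations.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// podMeta is one cached entry: the pod's annotations, whether the pod has
// already been deleted, and when the entry was last read.
type podMeta struct {
	annotations map[string]string
	deleted     bool
	lastAccess  time.Time
}

// metaCache keeps pod annotations available after the pod is gone, for as
// long as something is still reading them. The clock is injectable so the
// eviction rule can be exercised without sleeping.
type metaCache struct {
	mu    sync.Mutex
	grace time.Duration // how long a deleted pod's entry may sit unread
	items map[string]*podMeta
	now   func() time.Time
}

func newMetaCache(grace time.Duration, now func() time.Time) *metaCache {
	return &metaCache{grace: grace, items: map[string]*podMeta{}, now: now}
}

// Put stores (or refreshes) the annotations for a live pod.
func (c *metaCache) Put(podID string, annotations map[string]string) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.items[podID] = &podMeta{annotations: annotations, lastAccess: c.now()}
}

// MarkDeleted records that the pod is gone but keeps the entry; eviction is
// left to Cleanup so a reader still consuming the pod's logs keeps getting
// enriched events.
func (c *metaCache) MarkDeleted(podID string) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if m, ok := c.items[podID]; ok {
		m.deleted = true
	}
}

// Get returns the annotations and bumps the access time, which is what keeps
// a deleted pod's metadata alive while it is in use.
func (c *metaCache) Get(podID string) (map[string]string, bool) {
	c.mu.Lock()
	defer c.mu.Unlock()
	m, ok := c.items[podID]
	if !ok {
		return nil, false
	}
	m.lastAccess = c.now()
	return m.annotations, true
}

// Cleanup evicts entries whose pod is deleted and that have not been read for
// longer than the grace period. Entries for live pods are never evicted here.
// It returns the number of evicted entries.
func (c *metaCache) Cleanup() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	cutoff := c.now().Add(-c.grace)
	evicted := 0
	for id, m := range c.items {
		if m.deleted && m.lastAccess.Before(cutoff) {
			delete(c.items, id)
			evicted++
		}
	}
	return evicted
}

// Len reports how many entries are cached.
func (c *metaCache) Len() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return len(c.items)
}

func main() {
	// Constructed walk-through with a fake clock: the pod is deleted at t0, but
	// a reader keeps fetching its annotations, so it survives the first sweep.
	t0 := time.Date(2017, 9, 13, 12, 0, 0, 0, time.UTC)
	clock := t0
	c := newMetaCache(5*time.Minute, func() time.Time { return clock })

	c.Put("pod-a", map[string]string{"app": "web", "team": "payments"})
	c.MarkDeleted("pod-a")

	clock = t0.Add(4 * time.Minute)
	if ann, ok := c.Get("pod-a"); ok {
		fmt.Println("still enriching events with", ann)
	}
	clock = t0.Add(8 * time.Minute) // idle for 4 min: within the grace period
	fmt.Println("evicted after 8 min:", c.Cleanup())
	clock = t0.Add(10 * time.Minute) // idle for 6 min: past the grace period
	fmt.Println("evicted after 10 min:", c.Cleanup())
}
```

The important property is that deletion and eviction are separate events: `MarkDeleted` only flips a flag, and `Cleanup` is the single place where data leaves the cache, so a late reader can never observe an entry that disappeared while it was mid-use.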

Other changes

Repository: elastic/beats

Affecting all Beats

Changes in master:

  • Reorder processors in publisher pipeline #5149
  • Add specialized buffers to memqueue #5148
  • Fix fields.yml lookup when using export template with a custom config path #5091

Changes in 6.0:

  • Fix fields.yml lookup when using export template with a custom config path #5091

Metricbeat

Changes in master:

  • MB mongodb module: connect on fetch, not on init #5120
  • Fix kubernetes events module to be able to index time fields properly #5105

Changes in 6.0:

  • MB mongodb module: connect on fetch, not on init #5120
  • Fix kubernetes events module to be able to index time fields properly #5105

Packetbeat

Changes in master:

  • should use strings.Contains(string(cmdline), process) instead #5102

Filebeat

Changes in master:

  • Add flush timeout setting to filebeat registrar #5146
  • Remove runner creation from every reload check #5141
  • Check modules and prospectors settings when reload is off #5053

Changes in 6.0:

  • Remove runner creation from every reload check #5141
  • Check modules and prospectors settings when reload is off #5053

Testing

Changes in master:

  • Update ES test version to 7.0.0-alpha1 #5142
  • Make test repos overwritable #5094

Changes in 5.5:

  • Update testing env to 5.5.3 #5111

Changes in 6.0:

  • Update testing env for rc1 #5145
  • Run only the required containers when testing #4962

Documentation

Changes in master:

  • Remove alias from perfmon docs #5130
  • Fix doc build on migrating dashboards #5126
  • [Docs] Fix incorrect ES output config example #5118
  • [Docs] Clarify run command syntax #5117
  • Add upgrading guide docs #5068
  • [Docs] Document how to use modules.d directory #4973
  • [Docs] Add option to log messages in JSON #4931
  • Doc about how to migrate 5.x dashboards to 6.x #4929
  • Add missing link texts to fields references #4919

Changes in 5.5:

  • Bump docs version for 5.5.3 #5112

Changes in 5.6:

  • Mark 5.6.0 as released #5108
  • Close changelog for 5.6.0 #5098

Changes in 6.0:

  • [Docs] Clarify run command syntax #5117
  • [Docs] Document how to use modules.d directory #4973
  • Add upgrading guide docs #5068
  • [Docs] Backport to 6.0: Add udp prospector to list of types #4951