IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Repositories for APT and YUM Setting up and running Auditbeat »

›

Breaking changes in 6.2

edit

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Breaking changes in 6.2

edit

As a general rule, we strive to keep backwards compatibility between minor versions (e.g. 6.x to 6.y) so you can upgrade without any configuration file changes, but there are breaking changes between the earlier beta releases and the 6.2 GA release.

There are changes that affect both the configuration and the event schema.

Configuration Changes

edit

The audit module has been renamed and is now two separate modules: the auditd module and the file_integrity module. You must update your configuration to use these modules.

The kernel metricset has become the auditd module.

Old Config.

- module: audit
  metricsets: ["kernel"]
  kernel.resolve_ids: true
  kernel.failure_mode: silent
  kernel.backlog_limit: 8196
  kernel.rate_limit: 0
  kernel.include_raw_message: false
  kernel.include_warnings: false
  kernel.audit_rules: |
    # Rules

New Config.

- module: auditd
  resolve_ids: true
  failure_mode: silent
  backlog_limit: 8196
  rate_limit: 0
  include_raw_message: false
  include_warnings: false
  audit_rules: |
    # Rules

The file metricset has become the file_integrity module.

Old Config.

- module: audit
  metricsets: [file]
  file.paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc
  file.scan_at_start: true
  file.scan_rate_per_sec: 50 MiB
  file.max_file_size: 100 MiB
  file.hash_types: [sha1]

New Config.

- module: file_integrity
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc
  scan_at_start: true
  scan_rate_per_sec: 50 MiB
  max_file_size: 100 MiB
  hash_types: [sha1]
  recursive: false

recursive is a new option in 6.2 and is disabled by default. Set the value to true to watch for changes in all sub-directories.

Event Schema Changes

edit

Most field names were changed in 6.2. We wanted to rename the modules and use common field names for similar data types across all the modules. The table below provides a summary of the field changes.

In Kibana you need to import the latest dashboards that work with the new event format. The new dashboards will not work with data produced by older versions of Auditbeat.

Table 1. Renamed Fields

Old Field	New Field
`metricset.module`	`event.module`
`metricset.name`	Removed
`audit.kernel.action`	`event.action`
`audit.kernel.category`	`event.category`
`audit.kernel.record_type`	`event.type`
`audit.kernel.key`	`tags`
`audit.kernel.actor.attrs`	`user`
`audit.kernel.actor`	`auditd.summary.actor`
`audit.kernel.thing`	`auditd.summary.object`
`audit.kernel.how`	`auditd.summary.how`
`audit.kernel.socket`	`auditd.data.socket`, `source`, `destination` ^[1]
`audit.kernel.data.*`	`process.*` ^[2]
`audit.kernel.data.*`	`file.*` ^[3]
`audit.kernel.data`	`auditd.data`
`audit.file.action`	`event.action`
`audit.file.hash`	`hash`
`audit.file`	`file`

^[1] Based on the syscall type either the source or destination may also be populated.

^[2] Fields related to a process will be moved under the process namespace.

^[3] Fields related to a file will be moved under the file namespace.

« Repositories for APT and YUM Setting up and running Auditbeat »