Beats version 7.17.14edit

View commits

Breaking changesedit

Affecting all Beats - The Elasticsearch output now enables compression by default. This decreases network data usage by an average of 70-80%, in exchange for 20-25% increased CPU use and ~10% increased ingestion time. The previous default can be restored by setting the flag compression_level: 0 under output.elasticsearch. 36681


Affecting all Beats

  • Eliminate cloning of event in deepUpdate 35945


  • [Gcs Input] - Added missing locks for safe concurrency 34914
  • Fix the ignore_inactive option being ignored in Filebeat’s filestream input 34770
  • Fix TestMultiEventForEOFRetryHandlerInput unit test of CometD input 34903
  • Add input instance ID to request trace filename for httpjson and cel inputs 35024
  • Fixes "Can only start an input when all related states are finished" error when running under Elastic-Agent 35250 33653
  • [GCS Input] - Fixed an issue where bucket_timeout was being applied to the entire bucket poll interval and not individual bucket object read operations. Fixed a map write concurrency issue arising from data races when using a high number of workers. Fixed the flaky tests that were present in the GCS test suit. 35605
  • Fix error message formatting from filestream input. 35658
  • Fix error when trying to use include_message parser 35440
  • Fix handling of IPv6 unspecified addresses in TCP input. 35064 35637
  • Fixed a minor code error in the GCS input scheduler where a config value was being used directly instead of the source struct. 35729
  • Improve error reporting and fix IPv6 handling of TCP and UDP metric collection. 35772
  • Fix CEL input JSON marshalling of nested objects. 35763 35774
  • Fix metric collection in GCPPubSub input. 35773
  • Fix end point deregistration in http_endpoint input. 35899 35903
  • Fix duplicate ID panic in filestream metrics. 35964 35972
  • Improve error reporting and fix IPv6 handling of TCP and UDP metric collection. 35996
  • Fix handling of NUL-terminated log lines in Fortinet Firewall module. 36026 36027
  • Make redact field configuration recommended in CEL input and log warning if missing. 36008
  • Fix handling of region name configuration in awss3 input 36034
  • Fixed concurrency and flakey tests issue in Azure Blob Storage input. 35983 36124
  • Fix panic when sqs input metrics getter is invoked 36101 36077
  • Make CEL input’s now global variable static for evaluation lifetime. 36107
  • Update mito CEL extension library to v1.5.0. 36146
  • Fix handling of TCP/UDP address resolution during metric initialization. 35064 36287
  • Fix handling of Juniper SRX structured data when there is no leading Junos element. 36270 36308
  • Remove erroneous error log in GCPPubSub input. 36296
  • Fix Filebeat Cisco module with missing escape character 36325 36326
  • Fix panic when redact option is not provided to CEL input. 36387 36388
  • Remove onFilteredOut and onDroppedOnPublish callback logs 36299 36399
  • Added a fix for Crowdstrike pipeline handling process arrays 36496
  • Revert error introduced in 35734 when symlinks can’t be resolved in filestream. 36557


  • Fix panic in HTTP protocol parsing when host header has empty host part. 36497 36518
  • Fix default cache size calculation. 36723



  • Re-use buffers to optimise memory allocation in fingerprint mode of filestream 36736