Beats version 8.1.0edit

View commits

Breaking changesedit


  • Remove Recorded Future fileset integration from threatintel module. 30564



  • auditd: Add error.message to events when processing fails. 30009
  • Fix handling of execve call events which have no argument. 30585 30586


  • Fix ECS version string in threatintel to be consistent with other modules and add event.timezone. 30499 30570
  • Add default paths value to MySQL Enterprise module to prevent issues with pipeline installations 30598


  • Add provider names to Security pipeline conditional check in routing pipeline. 27288 29781


  • Pass AWS region configuration correctly. 28520 30238


Affecting all Beats

  • Name all k8s workqueue. 28085
  • Discover changes in Kubernetes nodes metadata as soon as they happen. 23139
  • Update k8s library 29394
  • Add support for latest k8s versions v1.23 and v1.22 29575
  • Add script processor to all beats 29269 29752
  • Only connect to Elasticsearch instances with the same version or newer. 29683
  • Move umask from code to service files. 29708
  • Add metadata change support for some processors 30183


  • system/socket: Add process.entity_id capture for socket events. 30230 30231


  • Add support for filtering in journald input with unit, kernel, identifiers and include_matches. 29294
  • Add new userAgent and beatInfo template functions for httpjson input 29528
  • Add pipeline in FB’s supported hints. 30212


  • Add add_resource_metadata configuration to Kubernetes module. 29133
  • Add containerd module with cpu, memory, blkio metricsets. 29247
  • Add and container.runtime ECS fields in container metricset. 29560
  • Add memory.workingset.limit.pct field in Kubernetes container/pod metricset. 29547
  • Add k8s metadata in state_cronjob metricset. 29572
  • Add xpack.enabled support for Enterprise Search module. 29871
  • Add gcp firestore metricset. 29918
  • Remove strict parsing on RabbitMQ module 30090


  • Add automated OEM Npcap installation handling. 29112 30438 30493
  • Add support for capturing TLS random number and OCSP status request details. 29962 30102

Known Issueedit

Affecting all Beats

  • During setup the Beat does not load the data stream. Thus, when running the Beat with a user that does not have enough privileges, publishing fails with the following error: action [indices:admin/auto_create] is unauthorized for user [publisher] with roles [publisher], this action is granted by the index privileges [auto_configure,create_index,manage,all]. The workaround is to either install the data stream manually using the following call: PUT /_data_stream/{beatname}-8.1 or to give manage permission on the data stream {beatname}-8.1 to the publishing user temporarily. 30647 31048