Beats version 8.5.0edit
Known issuesedit
Affecting most Beats
Due to a recent change in the Red Hat scan verification process, this version of Heartbeat, Filebeat, Metricbeat, and Auditbeat are not available in the Red Hat Ecosystem Catalog. This bug will be fixed in the next release. Please use the Elastic docker registry to download 8.5.0 images.
Heartbeat
Heartbeat mappings have introduced a new section to improve state tracking, state. Due to inconsistent serialization of the underlying data type,
documents will be rejected upon index after a few minutes, producing the following error message:
{..., "reason":"failed to parse date field [4.0614878e+07] with format [strict_date_optional_time||epoch_millis]","caused_by":{"type":"date_time_parse_exception","reason":"date_time_parse_exception: Failed to parse with all enclosed parsers"}
It is strongly recommended to update directly to v8.5.1 when it is available. If not possible to update, please continue to the suggested solution.
Suggested resolution: Manually update Heartbeat index template mappings. The instructions provided below assume access to heartbeat executable
and familiarity with ES APIs. For a detailed GUI walkthrough, please check this thread.
Start by exporting the actual mappings:
$ ./heartbeat export template > /tmp/idx-pattern.json
Inside the exported file, locate the field duration_ms and change the type to long:
"state": {
"properties": {
...,
"duration_ms": {
"type": "long"
},
Copy the contents of this file and log into Kibana.
Once in Kibana, go to Dev Tools, write the request URL to update the index template and paste file contents underneath:
PUT /_index_template/heartbeat-8.5.0
{
"data_stream": {},
"index_patterns": [
"heartbeat-8.5.0"
],
...
Execute the request and check that the operation has been acknowledged:
{
"acknowledged": true
}
Finally, execute the following request, also in Kibana Dev Tools, to perform an index rollover:
POST heartbeat-8.5.0/_rollover
This should create a new backing index with the correct mappings.
Breaking changesedit
Affecting all Beats
- Upgrade to Go 1.18. Certificates signed with SHA-1 are now rejected. See the Go 1.18 release notes for details. 32493
- Fix formatting of MAC hardware addresses populated by the add_host_metadata processor. 32264 32265
Bugfixesedit
Affecting all Beats
- Fix metric namespacing for self-monitoring to correct some process incorrectly reading as zero. 32336
Auditbeat
Filebeat
- Fix rendering of MAC addresses to conform to ECS. 32621 32622
- Import dashboards from CEF integration. 32766
-
Fix how to handle IPv6 addresses in the fileset
nginx/ingress_controllerfor Filebeat. 32989 - Fix requestID parsing in AWS cloudtrail fileset. 33143
- Fix input metrics not being unregistered when an input closes. This led to panics when configuration was reloaded for the aws-s3, aws-cloudwatch, and lumberjack inputs. 33259
- Add handling of AAA operations for Cisco ASA module. 32257 32789
- Fix gc.log always shipped even if gc fileset is disabled 30995
- Fix handling of Cisco 302020 messages in ASA and FTD modules. 33089
Heartbeat - Fix bug affecting Let’s Encrypt and other users of cross-signed certs, where cert expiration was incorrectly calculated. 33215 - Fix broken disable feature for Kibana-configured monitors. 33293
Metricbeat
- Fix GCP storage field naming 32806
-
In
module/windows/perfmon, changed collection method of the second counter value required to create a displayable value 32305 - Change max query size for GetMetricData API to 500 and add RecentlyActive for ListMetrics API call. 33105
- Add GCP CloudSQL region filter. 32943
- Fix Logstash cgroup mappings. 33131
-
Remove unused
elasticsearch.node_stats.indices.bulk.avg_time.bytesmapping. 33263
Packetbeat
Winlogbeat
- Reduce severity of message salvage failure logging. 32697
Addededit
Filebeat - Import dashboard from Fortinet Fortigate firewall integration. 19810 33003
Heartbeat - Add new states field for internal use by new synthetics app. 30632
Packetbeat - Add option to allow sniffer to change device when default route changes. 31905 32681 - Add option to allow sniffing multiple interface devices. 31905 32933 - Bump Windows Npcap version to v1.71. 33164 33172