Beats version 8.4.0


Known Issues


Auditbeat/auditd integration will send malformed data and may crash in version 8.4.0. 32818

Suggested resolution: Do not start Auditbeat or auditd integration on Elastic Agent at version 8.4.0. Skip 8.4.0 and upgrade directly to 8.4.1.

This issue is resolved in 8.4.1 and later.


Filebeat agents configured to read from AWS inputs may return an error similar to the following:

sqs ReceiveMessage failed: operation error SQS: ReceiveMessage, https response
error StatusCode: 403, RequestID: cb57783a-505f-5099-9160-23b8eea8ddbb,
api error SignatureDoesNotMatch: Credential should be scoped to a valid region.

This error was introduced by a breaking change in the AWS library.

This issue also affects FIPS-enabled endpoints. If you rely on FIPS, do not upgrade until version 8.4.2 of the Elastic Stack is available. The workaround documented here will not resolve this problem.

Suggested resolution: In the Filebeat configuration, if an AWS input or module configuration sets endpoint to a non-empty string, set it to an empty string instead. Also make sure the default AWS region is set in an environment variable, in the credentials or instance profile, or in the default_region setting in the configuration. For example:

- type: aws-s3
  endpoint: "" 
  default_region: us-east-1

You can set this value to an empty string or remove the configuration setting.

Or for modules:

    enabled: false
    var.endpoint: "" 
    var.default_region: us-east-1

You can set this value to an empty string or remove the configuration setting.
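A pre-upgrade check for the workaround above, as an added example (not Elastic's code): it scans Filebeat YAML text for endpoint / var.endpoint keys with a non-empty value and reports whether the same mapping also sets default_region. The function names and the sample configuration are constructed for illustration, and the scan is line-based rather than a full YAML parser.

```python
import re

# "key: value" lines, optionally preceded by a YAML list dash; trailing comments are dropped.
KEY_RE = re.compile(r'^(\s*)(- )?([\w.]+):\s*(.*?)(?:\s+#.*)?\s*$')

# Constructed sample configuration (not taken from a real deployment).
SAMPLE = """\
filebeat.inputs:
- type: aws-s3
  endpoint: amazonaws.com
- type: aws-s3
  endpoint: ""
  default_region: us-east-1
filebeat.modules:
- module: aws
  cloudtrail:
    var.endpoint: amazonaws.com
    var.default_region: us-east-1
"""

def parse_keys(text):
    """Return (line_no, indent, starts_item, key, value) for every key line."""
    rows = []
    for n, line in enumerate(text.splitlines(), 1):
        m = KEY_RE.match(line)
        if m:
            ws, dash, key, val = m.groups()
            rows.append((n, len(ws) + (2 if dash else 0), bool(dash), key, val.strip("\"'")))
    return rows

def find_nonempty_endpoints(text):
    """Flag non-empty endpoint keys; note whether the same mapping sets default_region."""
    rows, findings = parse_keys(text), []
    for i, (n, indent, _, key, val) in enumerate(rows):
        if key not in ("endpoint", "var.endpoint") or not val:
            continue
        region_key = key.replace("endpoint", "default_region")
        start = i  # walk up to the first key of the enclosing mapping or list item
        while start > 0 and not (rows[start][2] and rows[start][1] == indent) and rows[start - 1][1] >= indent:
            start -= 1
        end = i + 1  # walk down until the mapping or list item ends
        while end < len(rows) and rows[end][1] >= indent and not (rows[end][1] == indent and rows[end][2]):
            end += 1
        has_region = any(r[1] == indent and r[3] == region_key and r[4] for r in rows[start:end])
        findings.append({"line": n, "key": key, "value": val, "has_default_region": has_region})
    return findings

if __name__ == "__main__":
    print(find_nonempty_endpoints(SAMPLE))
```

Every finding is an endpoint value to blank out or remove before moving to 8.4.0; a finding with has_default_region set to False also needs the region supplied by one of the means listed above.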

Breaking changes

Heartbeat

  • Browser monitors (beta) now write to the synthetics-* index prefix. 32064
  • Setting a custom index for a given monitor is now deprecated. Streams are preferred. 32064
  • Browser monitors now default to a max concurrency of two. 32564


Bugfixes

Affecting all Beats

  • Fix namespacing for agent self-monitoring, CPU no longer reports as zero. 32336
  • Expand fields in decode_json_fields if target is set. 31712 32010


Auditbeat

  • auditd module: Fix parsing of audit rules where arguments are quoted (like file paths containing spaces). 32421
  • auditd module: Fix minimum AuditStatus length so that library can support kernels from 2.6.32. 32421
  • system/socket: Reduce memory usage of the dataset. 32191 32192


Filebeat

  • Fix counter for number of events published in httpjson input. 31993
  • Fix handling of Checkpoint event for R81. 32380 32458
  • gcp-pubsub input: Restart Pub/Sub client on all errors. 32550 32712


Heartbeat

  • Send targeted error message for unexpected synthetics exits. 31936
  • Reduced memory usage slightly for browser monitors. 32317
  • Automatically kill zombie-ish node processes. 32393
  • Added timeout for browser monitors. 32434
  • Fix bug with browser jobs that had missing check groups or sent empty events. 32542


Metricbeat

  • Update Kubernetes apiserver metricset to not collect deprecated metrics and fix dashboard. 31973
  • Check for nil metadata in GCP. 32281
  • Update Kubernetes controllermanager metricset to not collect deprecated metrics and fix dashboard. 32037
  • Fix ARN parsing for Cloudwatch resource names with leading slashes. 32358
  • Fix an infinite loop in AWS billing metricset. 32626
  • Add missing metrics in AWS Transit Gateway module. 32617
  • Replace internal expiring cache used by the Kubernetes module with in-memory dictionary. 32539
  • Oracle Module: Refactor module to use existing host parsers instead of doing its own parsing of hosts. 31611 31692
  • Oracle Module: Correctly handle special characters in the connection string. 24609 31368


Winlogbeat

  • Powershell: Fix processing of parameter details. 31833
  • Security: Fix processing of sidlist, access list and access mask. 31833
  • Fix fatal invalid memory write on Windows 11. 32469 32519
  • Fix handling of event formatting when no metadata is available on Windows 11. 32468 32519


Added

Affecting all Beats

  • Improve performance of disk queue by coalescing writes. 31935


Auditbeat

  • Add immutable option to the auditd module. 8352 32381


Filebeat

  • Add option to httpjson input. 31750
  • Add authentication fields to RabbitMQ module documents. 31159 31680
  • Add template helper function for decoding hexadecimal strings. 31886
  • Add new parser called include_message to filter based on message contents. 31794 32094
  • Extend list of mapped record types in o365 Audit module. 32217
  • Add references for CRI-O configuration in input-container and in our Kubernetes manifests. 32149 32151
  • httpjson input: Add replaceAll helper function to template context. 32365
  • Optimize grok patterns in system.auth module pipeline. 32360
  • Checkpoint module: add authentication operation outcome enrichment. 32230 32431
  • Add documentation for decode_xml_wineventlog processor field mappings. 32456


Metricbeat

  • Oracle Module: New sysmetric metricset. 30946 31462
  • AWS Fargate: Added support for DesiredStatus and KnownStatus. 32077 32342
  • Enable Generic SQL merge metrics to a single event for sql_queries using new flag. 32394
  • Add distribution type metrics for GCP. 32170


Packetbeat

  • Add support for specifying default route interface sniffing. 31905 31950
  • Add support for TCP transport to the SIP protocol. 28166 32346