Beats breaking changesedit

This list summarizes the most important breaking changes in Beats. For the complete list, go to Beats breaking changes.

Beats dashboard import and export requires Kibana 7.15edit

Loading Kibana assets (such as dashboards and index templates) relies on the Saved Object API. Therefore, to provide a reliable service, Beats requires Kibana 7.15 to import and export dashboards.

Field changesedit

  • In Filebeat, the log.path field has been renamed to log.file.path in the filestream input to be consistent with the log input and ECS.
  • In Filebeat, alias fields that were used to point to ECS fields from modules are now removed. The following alias fields were removed from the Suricata and Traefik modules:

    • suricata.eve.fileinfo.filename
    • suricata.eve.fileinfo.size
    • suricata.eve.dest_port
    • suricata.eve.src_port
    • suricata.eve.proto
    • suricata.eve.src_ip
    • suricata.eve.dest_ip
    • suricata.eve.http.status
    • suricata.eve.http.http_user_agent
    • suricata.eve.http.http_refer
    • suricata.eve.http.url
    • suricata.eve.http.hostname
    • suricata.eve.http.http_refer
    • suricata.eve.http.url
    • suricata.eve.http.hostname
    • suricata.eve.http.length
    • suricata.eve.http.http_method
    • suricata.eve.alert.severity
    • suricata.eve.alert.action
    • suricata.eve.flow.bytes_toclient
    • suricata.eve.flow.start
    • suricata.eve.flow.pkts_toclient
    • suricata.eve.flow.bytes_toserver
    • suricata.eve.flow.pkts_toserver
    • suricata.eve.app_proto
    • traefik.access.user_agent.device
  • In Heartbeat, the event.dataset value is now set to the monitor type / Fleet dataset to fix inconsistencies between Heartbeat and Fleet.

Filebeat Crowdstrike ingest pipeline no longer flattens process fieldsedit

In previous releases, the ingest pipeline used by the Crowdstrike module flattened process fields instead of creating nested fields. The mix of flattened and nested fields with similar names was confusing and led to errors when running queries or automated processes that expect nested fields. To fix this problem, the ingest pipeline no longer flattens process fields.

Heartbeat watch_poll functionality has been removededit

The Heartbeat watch_poll functionality was deprecated a long time ago, and has been completely removed in 7.15.