Product release

Beats 5.4.0 released

Today we are pleased to announce that Beats 5.4.0 was released. This is the latest stable version, and it comes with support for gathering JMX metrics from your Java applications, and Filebeat modules for collecting auditd and authentication logs.

Quick links:

Gather JMX metrics from your Java applications

The Metricbeat 5.4 release comes with the Jolokia module to monitor Java applications. Jolokia provides REST-like access to JMX with JSON over HTTP, and allows easy access to JMX MBeans from everywhere.

Here is an example of the configuration file:

- module: jolokia
  metricsets: ["jmx"]
  enabled: true
  period: 1s
  hosts: ["localhost:8778"]
  namespace: "metrics"
    - mbean: 'java.lang:type=Runtime'
        - attr: Uptime
          field: uptime
    - mbean: 'java.lang:type=GarbageCollector,name=ConcurrentMarkSweep'
        - attr: CollectionTime
          field: gc.cms_collection_time
        - attr: CollectionCount
          field: gc.cms_collection_count
    - mbean: 'java.lang:type=Memory'
        - attr: HeapMemoryUsage
          field: memory.heap_usage
        - attr: NonHeapMemoryUsage
          field: memory.non_heap_usage

The jmx metricset collects metrics from each Jolokia instance that is defined in the mappings section. To define an instance, you specify an MBean ObjectName and an array of attributes. Each attribute specifies the name of the attribute to collect and the event field where the value is exported.

Linux auditd logs

Linux Audit has been part of the Kernel since 2.6.14. It consists of a kernel component to hook and monitor syscalls and a userspace daemon to log these syscall events. Auditd can, for example, write a log line every time a user accesses a file, starts a process, or connects to a socket.

In Filebeat 5.4, we’ve introduced the auditd Filebeat module to collect, parse, and visualize the logs created by auditd.

The auditd module parses the audit event type, unix epoch time, audit event counter, and the arbitrary key/value pairs that follow. It also gives you the Geo location of the audit event addresses for remote logins.


Linux System authentication logs

With the addition of the system.auth fileset in the system module, Filebeat 5.4 brings the ability to parse the system authentication logs. System authentication logs are typically available on Linux systems under /var/log/auth.log or /var/log/secure for Centos/Redhat, and they contain logs for things like:

  • SSH login attempts
  • Commands executed with sudo
  • New users or groups created

Monitoring authentication failures is useful for intrusion detection. For example, every time user logs in via ssh, the authentication log records details like: the user’s IP address, the GeoIP information, the status of the ssh login, and whether the user used a public key or password.


When a sudo command is executed, the authentication logs contain information about the sudo command, the username and the password of the target user, and the execution status.

Also, when a new user is created, you can get details like the username, the user ID, the group ID where the user was created, or the home folder of the user.

For more details about these logs, see the Grokking the Linux authorization logs blog post.


If you want to make use of the new features added in Beats 5.4.0, please download the latest stable version, install it, and let us know what you think on Twitter (@elastic) or in our forum.