Brewing in Beats: Collecting auditd logs
Welcome to Brewing in Beats! With this weekly series, we're keeping you up to date with what's new in Beats, including the latest commits and releases.
Filebeat module for auditd logs
The audit fileset is added to the system module of Filebeat to be able to parse the Linux auditd logs. It parses the audit event type, unix epoch time, audit event counter, and the arbitrary key/value pairs that follow. It also gives you the Geo location of the audit event addresses in case of remote logins. This is currently merged in master only (6.0).
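The fields listed above can be pulled out of a raw auditd record with a small parser. This is an added example, not Filebeat's own code: the function names are hypothetical, the sample records are constructed (addresses come from documentation ranges), and the geolocation lookup is left out so the block runs offline.

```python
import re
from datetime import datetime, timezone

# Record header: type=<TYPE> msg=audit(<epoch>.<ms>:<counter>): <key=value ...>
HEADER = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<epoch>\d+\.\d+):(?P<seq>\d+)\):\s*(?P<body>.*)$")
# A value is double-quoted, single-quoted (the nested msg='...'), or a bare token.
PAIR = re.compile(r"""(?P<k>[\w-]+)=(?:"(?P<dq>[^"]*)"|'(?P<sq>[^']*)'|(?P<bare>\S*))""")

def parse_pairs(text):
    """Collect key/value pairs, flattening the pairs nested inside msg='...'."""
    fields = {}
    for m in PAIR.finditer(text):
        if m.group("sq") is not None:
            fields.update(parse_pairs(m.group("sq")))
        elif m.group("dq") is not None:
            fields[m.group("k")] = m.group("dq")
        else:
            fields[m.group("k")] = m.group("bare")
    return fields

def parse_audit_line(line):
    """Return event type, UTC timestamp, event counter and fields, or None."""
    m = HEADER.match(line.strip())
    if m is None:
        return None
    return {
        "type": m.group("type"),
        "timestamp": datetime.fromtimestamp(float(m.group("epoch")), tz=timezone.utc),
        "sequence": int(m.group("seq")),
        "fields": parse_pairs(m.group("body")),
    }

def failed_remote_logins(lines):
    """Return (addr, acct) for failed USER_LOGIN events that carry an address."""
    hits = []
    for ev in filter(None, map(parse_audit_line, lines)):
        f = ev["fields"]
        if ev["type"] == "USER_LOGIN" and f.get("res") == "failed" and f.get("addr", "?") != "?":
            hits.append((f["addr"], f.get("acct")))
    return hits

# Constructed sample records in auditd log format (not taken from a real host).
SAMPLE = """\
type=USER_LOGIN msg=audit(1489636977.384:407): pid=1281 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1489636990.120:412): pid=1290 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=198.51.100.4 addr=198.51.100.4 terminal=/dev/pts/0 res=success'
type=SYSCALL msg=audit(1489637001.002:420): arch=c000003e syscall=59 success=yes exit=0 pid=1301 comm="id" exe="/usr/bin/id" key="exec"
""".splitlines()
```

The `addr` value returned for a failed login is the field a geolocation step would enrich.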
Collect performance counters from Windows
The community (more precisely, maddin2016) added the windows module in Metricbeat with the `perfmon` metricset to collect performance counters from Windows. It uses the PDH functions to collect performance data. The module is a migration of the Perfmonbeat into Metricbeat. Currently, this is merged in master and planned for 6.0.
Moving to govendor
For a while now we weren’t happy with the tool we used to manage the Go dependencies, to the point that most of us preferred doing the vendoring work manually. As we were waiting for a new standard tool to emerge, we avoided switching tools. All this changed with a community PR by @vjsamuel, which showed us that govendor actually fits our needs and workflow much better.
All changes in the beats repositories
Libbeat (All beats)
Changes in 5.x:
Changes in master:
- @timestamp doesn't get printed when specified in message codec #3721
Filebeat
Changes in master:
- Allow `-` in Apache access log byte count #3863
- Refactor `input.Event` similar to `outputs.Data` #3823
- Remove deprecated config options `force_close_files` and `close_older` #3768
- Add fileset for parsing Linux auditd logs #3750
Metricbeat
Changes in 5.x:
- Make HTTP fields in HAProxy optional to improve compatibility with 1.5 #3788
- Make Metricbeat reloading beta instead of experimental #3841
Changes in master:
Packetbeat
Changes in master:
- Second stage of topology cleanup #3818
Documentation
Changes in 5.3:
- Add docs about loading Heartbeat dashboard #3804
- Add link to topic about configuration file format #3822
- Fix configuration keys and Nginx logs path in doc #3859
- Wrong start command for Debian distribution #3855
Changes in master:
- Fix doc build for conf-file-permissions #3875
- Add step to change file ownership on mac #3870
- Clarify docs around setting the index and @metadata fields #3866
- Add newline to end of windows perfmon config #3829
- Update docs about how to create a Beat from Metricbeat #3890
Packaging
Changes in 5.3:
- Fix modules yml files permission on Deb #3879
- Fix packaging which broke because of asciidocs comments #3825
Infrastructure
Changes in master: