beats
Loading

Beats release notes

Review the changes, fixes, and more in each version of Beats.

To check for security updates, go to Security announcements for the Elastic stack.

Affecting all Beats

  • Update Go version to 1.24.5. 45403
  • Improve trimming of BOM from UTF-8 data in the libbeat reader/readfile.EncoderReader. 45742

Filebeat

  • Add mechanism to allow HTTP JSON templates to terminate without logging an error. 45664 45810
  • Add status reporting support for AWS S3 input. 45748

Affecting all Beats

  • Fixed case where Beats would silently fail due to invalid input configuration, now the error is correctly reported. 43118 45733

Filebeat

  • Fix handling of unnecessary BOM in UTF-8 text received by o365audit input. 44327 45739
  • Fix reading journald messages with more than 4kb. 45511 46017
  • Restore the Streaming input on Windows. 46031
  • Fix termination of input on API errors. 45999

Metricbeat

  • Changed Kafka protocol version from 3.6.0 to 2.1.0 to fix compatibility with Kafka 2.x brokers. 45761
  • Enhance behavior of sanitizeError: replace sensitive info even if it is escaped and add pattern-based sanitization. 45857

Filebeat

  • Add status reporting support for AWS CloudWatch input. 45679

Winlogbeat

  • Render data values in XML renderer. 44132

Filebeat

  • Fix error handling in ABS input when both root level max_workers and batch_size are empty. 45680 45743

Filebeat

  • Log CEL single object evaluation results as ECS compliant documents where possible. 45254 45399
  • Enhanced HTTPJSON input error logging with structured error metadata conforming to Elastic Common Schema (ECS) conventions. 45653

Filebeat

  • Fix a panic in the winlog input that prevented it from starting. 45693 45730

Metricbeat

  • Improve error messages in AWS Health 45408
  • Fix URL construction to handle query parameters properly in GET requests for Jolokia 45620

Affecting all Beats

  • Added the now processor, which will populate the specified target field with the current timestamp. 44795

Filebeat

  • Refactor & cleanup with updates to default values and documentation. 41834
  • Add support for SSL and Proxy configurations for websocket type in streaming input. 41934
  • Filestream take over now supports taking over states from other Filestream inputs and dynamic loading of inputs (autodiscover and Elastic Agent). There is a new syntax for the configuration, but the previous one can still be used. 42472 42884 42624
  • Refactor & cleanup with updates to default values and documentation. 41834
  • Segregated max_workers from batch_size in the GCS input. 44311 44333
  • Add milliseconds to document timestamp from awscloudwatch Filebeat input 44306
  • Added support for specifying custom content-types and encodings in azureblobstorage input. 44330 44402
  • Introduce lastSync start position to AWS CloudWatch input backed by state registry. 43251
  • Add proxy support to GCP Pub/Sub input. 44892
  • Segregated max_workers from batch_size in the azure-blob-storage input. 44491 44992
  • Add support for relationship expansion to EntraID entity analytics provider. 43324 44761
  • Update CEL mito extensions to v1.22.0. 45245
  • Add support for generalized token authentication to CEL input. 45359

Metricbeat

  • Add new metricset wmi for the windows module. 42017
  • Changed the Elasticsearch module behavior to only pull settings from non-system indices. 43243
  • Exclude dotted indices from settings pull in Elasticsearch module. 43306
  • Add a jetstream metricset to the NATS module 43310
  • Update NATS module compatibility. Oldest version supported is now 2.2.6 43310
  • Upgrade Prometheus Library to v0.300.1. 43540
  • Add GCP Dataproc metadata collector in GCP module. 43518
  • Updated list of supported vSphere versions in the documentation. 43642
  • Add SSL support for sql module: drivers mysql, postgres, and mssql. 44748
  • Add VPN metrics to meraki module 44851
  • Add GCP cache for metadata collectors. 44432

Auditbeat

  • Fix potential data loss in add_session_metadata. 42795
  • auditbeat/fim: Fix FIM@ebpfevents for new kernels #44371. 44371

Filebeat

  • Log bad handshake details when websocket connection fails 41300
  • Fix aws region in aws-s3 input s3 polling mode. 41572
  • Fix a logging regression that ignored to_files and logged to stdout. 44573
  • Fixed issue for "Root level readerConfig no longer respected" in azureblobstorage input. 44812 44873
  • Fixed password authentication for ACL users in the Redis input of Filebeat. 44137
  • The data and logs path has changed on Windows to $env:ProgramFiles. See the breaking changes page for more details.

Heartbeat

  • Added maintenance windows support for Heartbeat. 41508

Affecting all Beats

  • Update Go version to 1.24.5. 45403

Filebeat

  • Add mechanism to allow HTTP JSON templates to terminate without logging an error. 45664 45810

Winlogbeat

  • Render data values in XML renderer. 44132

Filebeat

  • Fix handling of unnecessary BOM in UTF-8 text received by o365audit input. 44327 45739
  • Fix reading journald messages with more than 4kb. 45511 46017
  • Restore the Streaming input on Windows. 46031
  • Fix termination of input on API errors. 45999
  • Fix filestream registry entries being prematurely removed, which could cause files to be re-ingested after Filebeat restarts. 46007 46032

Metricbeat

  • Changed Kafka protocol version from 3.6.0 to 2.1.0 to fix compatibility with Kafka 2.x brokers. 45761
  • Enhance behavior of sanitizeError: replace sensitive info even if it is escaped and add pattern-based sanitization. 45857

Filebeat

  • Enhanced HTTPJSON input error logging with structured error metadata conforming to Elastic Common Schema (ECS) conventions. 45653

Metricbeat

  • Improve error messages in AWS Health. 45408

Auditbeat

  • Auditd: Request status from a separate socket to avoid data congestion. 41207
  • Fix potential data loss in add_session_metadata. 42795

Metricbeat

  • Fix URL construction to handle query parameters properly in GET requests for Jolokia. 45620

Filebeat

  • Add Fleet status updating to GCS input. 44273 44508
  • Add Fleet status update functionality to udp input. 44419 44785
  • Add Fleet status update functionality to tcp input. 44420 44786
  • Add Fleet status updating to Azure Blob Storage input. 44268 44945
  • Add Fleet status updating to HTTP JSON input. 44282 44365
  • Add input metrics to Azure Blob Storage input. 36641 43954
  • Add support for websocket keep_alive heartbeat in the streaming input. 42277 44204
  • Add missing "text/csv" content-type filter support in GCS input. 44922 44923

Heartbeat

  • Upgrade Node version to latest LTS v20.19.3. 45087
  • Add base64 encoding option to inline monitors. 45100

Metricbeat

  • Upgrade github.com/microsoft/go-mssqldb version from v1.7.2 to v1.8.2. 44990

Affecting all Beats

  • The Elasticsearch output now correctly applies exponential backoff when being throttled by 429s ("too many requests") from Elasticsarch. 36926 45073

Winlogbeat

  • Fix EvtVarTypeAnsiString conversion. 44026

Affecting all Beats

  • Update to Go 1.24.4. 44696

Filebeat

  • Fix handling of ADC (Application Default Credentials) metadata server credentials in HTTPJSON input. 44349 44436
  • Fix handling of ADC (Application Default Credentials) metadata server credentials in CEL input. 44349 44571
  • Filestream now logs at level warn the number of files that are too small to be ingested 44751

Metricbeat

  • Add check for http error codes in the Metricbeat's Prometheus query submodule 44493
  • Increase default polling period for MongoDB module from 10s to 60s 44781

Affecting all Beats

  • Fix dns processor to handle IPv6 server addresses properly. 44526
  • Fix an issue where the Kafka output could get stuck if a proxied connection to the Kafka cluster was reset. 44606
  • Use Debian 11 to build linux/arm to match linux/amd64. Upgrades linux/arm64's statically linked glibc from 2.28 to 2.31. 44816

Filebeat

  • Handle special values of accountExpires in the Activedirectory Entity Analytics provider. 43364
  • Fix status reporting panic in GCP Pub/Sub input. 44624 44625
  • If a Filestream input fails to be created, its ID is removed from the list of running input IDs 44697
  • Fix timeout handling by Crowdstrike streaming input. 44720
  • Ensure DEPROVISIONED Okta entities are published by Okta entityanalytics provider. 12658 44719
  • Fix handling of cursors by the streaming input for Crowdstrike. 44364 44548
  • Added missing "text/csv" content-type filter support in azureblobsortorage input. 44596 44824
  • Fix unexpected EOF detection and improve memory usage. 44813

Heartbeat

  • Add missing dependencies to ubi9-minimal distro. 44556

Metricbeat

  • Fix panic in kafka consumergroup member assignment fetching when there are 0 members in consumer group. 44576
  • Sanitize error messages in Fetch method of SQL module 44577
  • Upgrade go.mongodb.org/mongo-driver from v1.14.0 to v1.17.4 to fix connection leaks in MongoDB module 44769

Affecting all Beats

  • Update Go version to v1.24.3. 44270

Filebeat

  • Add support for collecting device entities in the Active Directory entity analytics provider. 44309
  • The add_cloudfoundry_metadata processor now uses xxhash instead of SHA1 for sanitizing persistent cache filenames. Existing users will experience a one-time cache invalidation as the cache store will be recreated with the new filename format. 43964

Metricbeat

  • Add checks for the Resty response object in all Meraki module API calls to ensure proper handling of nil responses. 44193
  • Add a latency configuration option to the Azure Monitor module. 44366

Osquerybeat

  • Update osquery version to v5.15.0. 43426

Affecting all Beats

  • Fix the 'add_cloud_metadata' processor to better support custom certificate bundles by improving how the AWS provider HTTP client is overridden. 44189

Auditbeat

  • Fix a potential error in the system/package component that could occur during internal package database schema migration. 44294 44296

Filebeat

  • Fix endpoint path typo in the Okta entity analytics provider. 44147
  • Fix a WebSocket panic scenario that occured after exhausting the maximum number of retries. 44342

Metricbeat

  • Add AWS OwningAccount support for cross-account monitoring. 40570 40691
  • Use namespace for GetListMetrics calls in AWS when available. 41022
  • Limit index stats collection to cluster-level summaries. 36019 42901
  • Omit tier_preference, creation_date and version fields in output documents when not pulled from source indices. 43637
  • Add support for _nodes/stats URIs compatible with legacy Elasticsearch versions. 44307
  • For all Beats: Publish cloud.availability_zone by add_cloud_metadata processor in Azure environments. #42601 #43618
  • Add pagination batch size support to Entity Analytics input's Okta provider in Filebeat. #43655
  • Update CEL mito extensions version to v1.19.0 in Filebeat. #44098
  • Upgrade node version to latest LTS v18.20.7 in Heartbeat. #43511
  • Add enable_batch_api option in Azure monitor to allow metrics collection of multiple resources using Azure batch API in Metricbeat. #41790
  • For all Beats: Handle permission errors while collecting data from Windows services and don't interrupt the overall collection by skipping affected services. #40765 #43665.
  • Fixed WebSocket input panic on sudden network error or server crash in Filebeat. #44063 44068.
  • [Filestream] Log the "reader closed" message on the debug level to avoid log spam in Filebeat. #44051
  • Fix links to CEL mito extension functions in input documentation in Filebeat. #44098
  • Improves logging in system/socket in Auditbeat. #41571
  • Adds out of the box support for Amazon EventBridge notifications over SQS to S3 input in Filebeat. #40006
  • Update CEL mito extensions to v1.16.0 in Filebeat. #41727
  • Filebeat's registry is now added to the Elastic-Agent diagnostics bundle. #33238 and #41795
  • Adds unifiedlogs input for MacOS in Filebeat. #41791
  • Adds evaluation state dump debugging option to CEL input in Filebeat. #41335
  • Rate limiting operability improvements in the Okta provider of the Entity Analytics input in Filebeat. #40106 and #41977
  • Rate limiting fault tolerance improvements in the Okta provider of the Entity Analytics input in Filebeat. #40106 #42094
  • Introduces ignore older and start timestamp filters for AWS S3 input in Filebeat. #41804
  • Journald input now can report its status to Elastic-Agent in Filebeat. #39791 and #42462
  • Publish events progressively in the Okta provider of the Entity Analytics input in Filebeat. #40106 and #42567
  • Journald include_matches.match now accepts + to represent a logical disjunction (OR) in Filebeat. #40185 and #42517
  • The journald input is now generally available in Filebeat. #42107
  • Adds support for RFC7231 methods to HTTP monitors in Heartbeat. #41975
  • Adds use_kubeadm config option in kubernetes module in order to toggle kubeadm-config API requests in Metricbeat. #40086
  • Preserve queries for debugging when merge_results: true in SQL module in Metricbeat. #42271
  • Collect more fields from ES node/stats metrics and only those that are necessary in Metricbeat. #42421
  • Adds benchmark module in Metricbeat. #41801
  • Increase maximum query timeout to 24 hours in Osquerybeat. 42356
  • Properly set events UserData when experimental API is used in Winlogbeat. #41525
  • Include XML is respected for experimental API in Winlogbeat. #41525
  • Forwarded events use renderedtext info for experimental API in Winlogbeat. #41525
  • Language setting is respected for experimental API in Winlogbeat. #41525
  • Language setting also added to decode XML wineventlog processor in Winlogbeat. #41525
  • Format embedded messages in the experimental API in Winlogbeat. #41525
  • Make the experimental API GA and rename it to winlogbeat-raw in Winlogbeat. #39580 and #41770
  • Removes 22 clause limitation in Winlogbeat. #35047 and #42187
  • Adds handling for recoverable publisher disabled errorsin Winlogbeat. #35316 and #42187
  • Removes Functionbeat binaries from CI pipelines. #40745 and #41506
  • Update Go version to 1.24.0. #42705
  • Add etw input fallback to attach an already existing session in Filebeat. #42847
  • Update CEL mito extensions to v1.17.0 in Filebeat. #42851
  • Winlog input in Filebeat cam now report its status to Elastic Agent. #43089
  • Add configuration option to limit HTTP Endpoint body size in Filebeat. #43171
  • Add a new match_by_parent_instance option to perfmon module in Metricbeat. #43002
  • Add a warning log to metricbeat.vsphere in Metricbeat in case vSphere connection has been configured as insecure. #43104
  • hasher: Add a cached hasher for upcoming backend in Auditbeat. #41952
  • Split common tty definitions in Auditbeat. #42004
  • Redact authorization headers in HTTPJSON debug logs in Filebeat. #41920
  • Further rate limiting fix in the Okta provider of the Entity Analytics input in Filebeat. #40106 and #41977
  • The _id generation process for S3 events has been updated to incorporate the LastModified field. This enhancement ensures that the _id is unique in Filebeat. #42078
  • Fixes truncation of bodies in request tracing by limiting bodies to 10% of the maximum file size in Filebeat. #42327
  • [Journald] Fixes handling of journalctl restart. A known symptom was broken multiline messages when there was a restart of journalctl while aggregating the lines in Filebeat. #41331 and #42595
  • Fixwa bug where Metricbeat unintentionally triggers Windows ASR in Metricbeat. #42177
  • Removes hostname field from ZooKeeper's mntr data stream in Metricbeat. 41887
  • Properly marshal nested structs in ECS fields, fixing issues with mixed cases in field names in Packetbeat. 42116
  • Fixed race conditions in the global ratelimit processor that could drop events or apply rate limiting incorrectly in Filebeat. 42966
  • Prevent computer details being returned for user queries by Activedirectory Entity Analytics provider in Filebeat. #11818 and #42796
  • Handle unexpected EOF error in aws-s3 input and enforce retrying using download failed error in Filebeat. #42420
  • Prevent azureblobstorage input from logging key details during blob fetch operations in Filebeat. #43169
  • Add AWS OwningAccount support for cross account monitoring in Metricbeat. #40570 and #40691
  • Fix logging argument number mismatch in Metricbeat(Redis). #43072
  • Reset EventLog if error EOF is encountered in Winlogbeat. #42826
  • Implement backoff on error retrial in Winlogbeat. #42826
  • Fix boolean key in security pipelines and sync pipelines with integration in Winlogbeat. #43027