Loading

Beats release notes

Stack

Review the changes, fixes, and more in each version of Beats.

To check for security updates, go to Security announcements for the Elastic Stack.

Related release notes

Elastic Agent integrates and manages Beats for data collection. For changes to Elastic Agent, refer to the Elastic Agent release notes.

This release also includes: Breaking changes.

All

  • The following output latency_delta metrics are now included when logging.metrics is enabled: output.latency_delta.{count, max, median, min, p99}. This only includes data collected since the last internal metrics was logged. #45749

Auditbeat

  • Add new ETW FIM backend for Windows. #45887

Filebeat

  • TCP and UDP inputs now support multiple pipeline workers configured using number_of_workers. Increasing the number of workers improves performance when slow processors are used by decoupling reading from the network connection and publishing. #45124 #43674
  • Add beta support for GZIP file ingestion in filestream. #45301
  • Update the parse_aws_vpc_flow_log processor to support AWS VPC flow log versions 6–8. #45746
  • Add OAuth2 support for Okta provider in Entity Analytics input. #45753
  • Improve error reporting for schemeless URLs in HTTP JSON input. #45953
  • Add remaining_executions global to the CEL input evaluation context. #46210
  • Journald input now supports reading from multiple journals, including remote ones. #46722 #46656

Metricbeat

  • Improve the Prometheus helper to handle multiple content types including blank and invalid headers. #47085

Osquerybeat

  • Upgrade osquery version to 5.18.1. #46624

Packetbeat

  • Bump Windows Npcap version to v1.83. #46809

All

  • Make data updates in add_host_metadata processor synchronous. #46546
  • Prevent panic in Logstash output when trying to send events while shutting down. #46960 #46889
  • Prevent panic in the replace processor for non-string values. #47009 #42308
  • Ensure Autodiscover correctly updates Kubernetes metadata on node and pod label changes. #47034 #46979
  • Prevent a 3s startup delay when add_cloud_metadata is used with debug logs. #47058 #44203
  • Update elastic-agent-system-metrics to version v0.13.3. #47104
  • Remove “Accurate CPU counts not available on platform” log spam at the debug level. #47054
  • Allow users to customize their data stream namespace to generic. #47140

Filebeat

  • Fix defer usage for stopped status reporting. #46916

Metricbeat

  • Fix missing AWS cloudwatch metrics with linked accounts and same dimensions. #46978 #15362
  • Add a fix to handle blank content-type headers in HTTP responses for Prometheus. #47027
  • Add pagination support to the device_health metricset in the meraki module. #46938 #15551

Metricbeat

  • Improve the Prometheus helper to handle multiple content types including blank and invalid headers. #47085

All

  • Prevent panic in logstash output when trying to send events while shutting down. #46960

  • Prevent panic in replace processor for non-string values. #47009

  • Autodiscover now correctly updates Kubernetes metadata on node and pod label changes. #47034

  • Prevent 3s startup delay when add_cloud_metadata is used with debug logs. #47058

  • Update elastic-agent-system-metrics to v0.13.3. #47104

    Removes "Accurate CPU counts not available on platform" log spam at the debug log level.

  • Allows users to customize their data stream namespace to "generic". #47140

Filebeat

  • Fix defer usage for stopped status reporting. #46916

Metricbeat

  • Fix missing AWS cloudwatch metrics with linked accounts and same dimensions. #46978
  • Add a fix to handle blank content-type headers in HTTP responses for Prometheus. #47027

This release also includes: Breaking changes

Filebeat

  • Hints based autodiscover now sets close.on_state_change.removed: false in the default configuration to avoid missing the last log lines from a container. 34789 46695

Metricbeat

  • Log every 401 response from Kubernetes API Server. 42714
  • Add new metrics to vSphere Virtual Machine dataset (CPU usage percentage, disk average usage, disk read/write rate, number of disk reads/writes, memory usage percentage). 44205
  • Added checks for the Resty response object in all Meraki module API calls to ensure proper handling of nil responses. 44193
  • Add latency config option to Azure Monitor module. 44366
  • Increase default polling period for MongoDB module from 10s to 60s. 44781
  • Upgrade github.com/microsoft/go-mssqldb version from v1.7.2 to v1.8.2. 44990
  • Add NTP response validation for system/ntp module. 46184
  • Add vertexai_logs metricset to GCP for prompt response collection from VertexAI service. 46383
  • Add default timegrain to Azure Storage Account metricset. 46786

Affecting all Beats

  • Fixed a panic in the Kafka output that could occur when shutting down while final events were being published. 46109 46446

Filebeat

  • [Journald input] Fix reading all files in a folder and watching for new ones. 46657 46682
  • The UDP input now fails if it cannot bind to the configured port and its status is set to failed when running under Elastic Agent. 37216 46302
  • The Unix input now fails on errors listening to the socket and its status is set to failed when running under Elastic Agent. 46302
  • In Filestream, setting clean_inactive: 0 does not re-ingest all files on startup any more. 45601 46373
  • Fix metrics from TCP & UDP inputs when the port number is > 32767 46486
  • [azure-eventhub] Fix handling of connection strings with entity path. 43715 43716

Winlogbeat

  • Fix EventLog reset logic to not close renderers. 46376 {issue}45750{45750}

Filebeat

  • Improve HTTP JSON health status logic for empty template results. 46332
  • Improve CEL input documentation of authentication options. 46253
  • Add status reporting support for Azure Event Hub v2 input. 44846
  • Add documentation for device collection in Entity Analytics Active Directory Filebeat's input. 46363

Metricbeat

  • Add support for Kafka 4.0 in the Kafka module. 44723

Affecting all Beats

  • Fix a race condition during metrics initialization which could cause a panic. 45822 46054
  • Fixed a panic when the beat restarts itself by adding 'eventfd2' to default seccomp policy 46372
  • Update github.com/go-viper/mapstructure/v2 to v2.4.0 46335
  • Update Go version to 1.24.7 46070.
  • Update github.com/docker/docker to v28.3.3 46334

Filebeat

  • Fix wrongly emitted missing input ID warning 42969 45747
  • Fix race condition that could cause Filebeat to hang during shutdown after failing to startup 45034 46331
  • Fixed hints autodiscover for Docker when the configuration is only hints.enabled: true. 45156 45864

Metricbeat

  • Fix an issue where the conntrack metricset entries field reported a count inflated by a factor of the number of CPU cores. 46138 46140

Winlogbeat

  • Fix forwarded event handling and add channel error resilience. 46190

Affecting all Beats

  • Update Go version to 1.24.5. 45403
  • Improve trimming of BOM from UTF-8 data in the libbeat reader/readfile.EncoderReader. 45742

Filebeat

  • Add mechanism to allow HTTP JSON templates to terminate without logging an error. 45664 45810
  • Add status reporting support for AWS S3 input. 45748

Affecting all Beats

  • Fixed case where Beats would silently fail due to invalid input configuration, now the error is correctly reported. 43118 45733

Filebeat

  • Fix handling of unnecessary BOM in UTF-8 text received by o365audit input. 44327 45739
  • Fix reading journald messages with more than 4kb. 45511 46017
  • Restore the Streaming input on Windows. 46031
  • Fix termination of input on API errors. 45999

Metricbeat

  • Changed Kafka protocol version from 3.6.0 to 2.1.0 to fix compatibility with Kafka 2.x brokers. 45761
  • Enhance behavior of sanitizeError: replace sensitive info even if it is escaped and add pattern-based sanitization. 45857

Filebeat

  • Add status reporting support for AWS CloudWatch input. 45679

Winlogbeat

  • Render data values in XML renderer. 44132

Filebeat

  • Fix error handling in ABS input when both root level max_workers and batch_size are empty. 45680 45743

Filebeat

  • Log CEL single object evaluation results as ECS compliant documents where possible. 45254 45399
  • Enhanced HTTPJSON input error logging with structured error metadata conforming to Elastic Common Schema (ECS) conventions. 45653

Filebeat

  • Fix a panic in the winlog input that prevented it from starting. 45693 45730

Metricbeat

  • Improve error messages in AWS Health 45408
  • Fix URL construction to handle query parameters properly in GET requests for Jolokia 45620

Affecting all Beats

  • Added the now processor, which will populate the specified target field with the current timestamp. 44795

Filebeat

  • Refactor & cleanup with updates to default values and documentation. 41834
  • Add support for SSL and Proxy configurations for websocket type in streaming input. 41934
  • Filestream take over now supports taking over states from other Filestream inputs and dynamic loading of inputs (autodiscover and Elastic Agent). There is a new syntax for the configuration, but the previous one can still be used. 42472 42884 42624
  • Refactor & cleanup with updates to default values and documentation. 41834
  • Segregated max_workers from batch_size in the GCS input. 44311 44333
  • Add milliseconds to document timestamp from awscloudwatch Filebeat input 44306
  • Added support for specifying custom content-types and encodings in azureblobstorage input. 44330 44402
  • Introduce lastSync start position to AWS CloudWatch input backed by state registry. 43251
  • Add proxy support to GCP Pub/Sub input. 44892
  • Segregated max_workers from batch_size in the azure-blob-storage input. 44491 44992
  • Add support for relationship expansion to EntraID entity analytics provider. 43324 44761
  • Update CEL mito extensions to v1.22.0. 45245
  • Add support for generalized token authentication to CEL input. 45359

Metricbeat

  • Add new metricset wmi for the windows module. 42017
  • Changed the Elasticsearch module behavior to only pull settings from non-system indices. 43243
  • Exclude dotted indices from settings pull in Elasticsearch module. 43306
  • Add a jetstream metricset to the NATS module 43310
  • Update NATS module compatibility. Oldest version supported is now 2.2.6 43310
  • Upgrade Prometheus Library to v0.300.1. 43540
  • Add GCP Dataproc metadata collector in GCP module. 43518
  • Updated list of supported vSphere versions in the documentation. 43642
  • Add SSL support for sql module: drivers mysql, postgres, and mssql. 44748
  • Add VPN metrics to meraki module 44851
  • Add GCP cache for metadata collectors. 44432

Auditbeat

  • Fix potential data loss in add_session_metadata. 42795
  • auditbeat/fim: Fix FIM@ebpfevents for new kernels #44371. 44371

Filebeat

  • Log bad handshake details when websocket connection fails 41300
  • Fix aws region in aws-s3 input s3 polling mode. 41572
  • Fix a logging regression that ignored to_files and logged to stdout. 44573
  • Fixed issue for "Root level readerConfig no longer respected" in azureblobstorage input. 44812 44873
  • Fixed password authentication for ACL users in the Redis input of Filebeat. 44137
  • The data and logs path has changed on Windows to $env:ProgramFiles. See the breaking changes page for more details.

Heartbeat

  • Added maintenance windows support for Heartbeat. 41508

This release also includes: Breaking changes

Metricbeat

  • Upgrade github.com/microsoft/go-mssqldb version from v1.7.2 to v1.8.2. 44990
  • Add SSL support for SQL modules: drivers Mysql, PostgreSQL, and MSSQL. 44748
  • Add NTP response validation for system/ntp module. 46184
  • Add vertexai_logs metricset to GCP for prompt response collection from VertexAI service. 46383
  • Add default timegrain to Azure Storage Account metricset. 46786

Affecting all Beats

  • Update github.com/docker/docker to v28.3.3 46334
  • Fixed a panic in the Kafka output that could occur when shutting down while final events were being published. 46109 46446

Filebeat

  • The UDP input now fails if it cannot bind to the configured port and its status is set to failed when running under Elastic Agent. 37216 46302
  • The Unix input now fails on errors listening to the socket and its status is set to failed when running under Elastic Agent. 46302
  • [Journald input] Fix reading all files in a folder and watching for new ones. 46657 46682
  • [azure-eventhub] Fix handling of connection strings with entity path. 43715 43716

Metricbeat

  • Do not log an error if metadata enrichment is disabled for K8's module. 46536
  • Fix Azure Monitor wildcard metrics names timegrain issue by using the first, smallest timegrain; fix nil pointer issue. 46145

Winlogbeat

  • Fix EventLog reset logic to not close renderers. 46376 {issue}45750{45750}

Filebeat

  • Improve HTTP JSON health status logic for empty template results. 46332
  • Improve CEL input documentation of authentication options. 46253
  • Add documentation for device collection in Entity Analytics Active Directory Filebeat's input. 46363

Metricbeat

  • Add support for Kafka 4.0 in the Kafka module. 44723

Affecting all Beats

  • Fixed case where Beats would silently fail due to invalid input configuration, now the error is correctly reported. 43118 45733
  • Fix a race condition during metrics initialization which could cause a panic. 45822 46054
  • Update Go version to 1.24.7 46070.
  • Fixed a panic when the beat restarts itself by adding 'eventfd2' to default seccomp policy 46372
  • Update github.com/go-viper/mapstructure/v2 to v2.4.0 46335

Filebeat

  • Fix wrongly emitted missing input ID warning 42969 45747
  • Fix race condition that could cause Filebeat to hang during shutdown after failing to startup 45034 46331

Metricbeat

  • Fix an issue where the conntrack metricset entries field reported a count inflated by a factor of the number of CPU cores. 46138 46140

Winlogbeat

  • Fix forwarded event handling and add channel error resilience. 46190

Affecting all Beats

  • Update Go version to 1.24.5. 45403

Filebeat

  • Add mechanism to allow HTTP JSON templates to terminate without logging an error. 45664 45810

Winlogbeat

  • Render data values in XML renderer. 44132

Filebeat

  • Fix handling of unnecessary BOM in UTF-8 text received by o365audit input. 44327 45739
  • Fix reading journald messages with more than 4kb. 45511 46017
  • Restore the Streaming input on Windows. 46031
  • Fix termination of input on API errors. 45999
  • Fix filestream registry entries being prematurely removed, which could cause files to be re-ingested after Filebeat restarts. 46007 46032

Metricbeat

  • Changed Kafka protocol version from 3.6.0 to 2.1.0 to fix compatibility with Kafka 2.x brokers. 45761
  • Enhance behavior of sanitizeError: replace sensitive info even if it is escaped and add pattern-based sanitization. 45857

Filebeat

  • Enhanced HTTPJSON input error logging with structured error metadata conforming to Elastic Common Schema (ECS) conventions. 45653

Metricbeat

  • Improve error messages in AWS Health. 45408

Auditbeat

  • Auditd: Request status from a separate socket to avoid data congestion. 41207
  • Fix potential data loss in add_session_metadata. 42795

Metricbeat

  • Fix URL construction to handle query parameters properly in GET requests for Jolokia. 45620

Filebeat

  • Add Fleet status updating to GCS input. 44273 44508
  • Add Fleet status update functionality to udp input. 44419 44785
  • Add Fleet status update functionality to tcp input. 44420 44786
  • Add Fleet status updating to Azure Blob Storage input. 44268 44945
  • Add Fleet status updating to HTTP JSON input. 44282 44365
  • Add input metrics to Azure Blob Storage input. 36641 43954
  • Add support for websocket keep_alive heartbeat in the streaming input. 42277 44204
  • Add missing "text/csv" content-type filter support in GCS input. 44922 44923

Heartbeat

  • Upgrade Node version to latest LTS v20.19.3. 45087
  • Add base64 encoding option to inline monitors. 45100

Metricbeat

  • Upgrade github.com/microsoft/go-mssqldb version from v1.7.2 to v1.8.2. 44990

Affecting all Beats

  • The Elasticsearch output now correctly applies exponential backoff when being throttled by 429s ("too many requests") from Elasticsarch. 36926 45073

Winlogbeat

  • Fix EvtVarTypeAnsiString conversion. 44026

Affecting all Beats

  • Update to Go 1.24.4. 44696

Filebeat

  • Fix handling of ADC (Application Default Credentials) metadata server credentials in HTTPJSON input. 44349 44436
  • Fix handling of ADC (Application Default Credentials) metadata server credentials in CEL input. 44349 44571
  • Filestream now logs at level warn the number of files that are too small to be ingested 44751

Metricbeat

  • Add check for http error codes in the Metricbeat's Prometheus query submodule 44493
  • Increase default polling period for MongoDB module from 10s to 60s 44781

Affecting all Beats

  • Fix dns processor to handle IPv6 server addresses properly. 44526
  • Fix an issue where the Kafka output could get stuck if a proxied connection to the Kafka cluster was reset. 44606
  • Use Debian 11 to build linux/arm to match linux/amd64. Upgrades linux/arm64's statically linked glibc from 2.28 to 2.31. 44816

Filebeat

  • Handle special values of accountExpires in the Activedirectory Entity Analytics provider. 43364
  • Fix status reporting panic in GCP Pub/Sub input. 44624 44625
  • If a Filestream input fails to be created, its ID is removed from the list of running input IDs 44697
  • Fix timeout handling by Crowdstrike streaming input. 44720
  • Ensure DEPROVISIONED Okta entities are published by Okta entityanalytics provider. 12658 44719
  • Fix handling of cursors by the streaming input for Crowdstrike. 44364 44548
  • Added missing "text/csv" content-type filter support in azureblobsortorage input. 44596 44824
  • Fix unexpected EOF detection and improve memory usage. 44813

Heartbeat

  • Add missing dependencies to ubi9-minimal distro. 44556

Metricbeat

  • Fix panic in kafka consumergroup member assignment fetching when there are 0 members in consumer group. 44576
  • Sanitize error messages in Fetch method of SQL module 44577
  • Upgrade go.mongodb.org/mongo-driver from v1.14.0 to v1.17.4 to fix connection leaks in MongoDB module 44769

Affecting all Beats

  • Update Go version to v1.24.3. 44270

Filebeat

  • Add support for collecting device entities in the Active Directory entity analytics provider. 44309
  • The add_cloudfoundry_metadata processor now uses xxhash instead of SHA1 for sanitizing persistent cache filenames. Existing users will experience a one-time cache invalidation as the cache store will be recreated with the new filename format. 43964

Metricbeat

  • Add checks for the Resty response object in all Meraki module API calls to ensure proper handling of nil responses. 44193
  • Add a latency configuration option to the Azure Monitor module. 44366

Osquerybeat

  • Update osquery version to v5.15.0. 43426

Affecting all Beats

  • Fix the 'add_cloud_metadata' processor to better support custom certificate bundles by improving how the AWS provider HTTP client is overridden. 44189

Auditbeat

  • Fix a potential error in the system/package component that could occur during internal package database schema migration. 44294 44296

Filebeat

  • Fix endpoint path typo in the Okta entity analytics provider. 44147
  • Fix a WebSocket panic scenario that occured after exhausting the maximum number of retries. 44342

Metricbeat

  • Add AWS OwningAccount support for cross-account monitoring. 40570 40691
  • Use namespace for GetListMetrics calls in AWS when available. 41022
  • Limit index stats collection to cluster-level summaries. 36019 42901
  • Omit tier_preference, creation_date and version fields in output documents when not pulled from source indices. 43637
  • Add support for _nodes/stats URIs compatible with legacy Elasticsearch versions. 44307
  • For all Beats: Publish cloud.availability_zone by add_cloud_metadata processor in Azure environments. #42601 #43618
  • Add pagination batch size support to Entity Analytics input's Okta provider in Filebeat. #43655
  • Update CEL mito extensions version to v1.19.0 in Filebeat. #44098
  • Upgrade node version to latest LTS v18.20.7 in Heartbeat. #43511
  • Add enable_batch_api option in Azure monitor to allow metrics collection of multiple resources using Azure batch API in Metricbeat. #41790
  • For all Beats: Handle permission errors while collecting data from Windows services and don't interrupt the overall collection by skipping affected services. #40765 #43665.
  • Fixed WebSocket input panic on sudden network error or server crash in Filebeat. #44063 44068.
  • [Filestream] Log the "reader closed" message on the debug level to avoid log spam in Filebeat. #44051
  • Fix links to CEL mito extension functions in input documentation in Filebeat. #44098
  • Improves logging in system/socket in Auditbeat. #41571
  • Adds out of the box support for Amazon EventBridge notifications over SQS to S3 input in Filebeat. #40006
  • Update CEL mito extensions to v1.16.0 in Filebeat. #41727
  • Filebeat's registry is now added to the Elastic-Agent diagnostics bundle. #33238 and #41795
  • Adds unifiedlogs input for MacOS in Filebeat. #41791
  • Adds evaluation state dump debugging option to CEL input in Filebeat. #41335
  • Rate limiting operability improvements in the Okta provider of the Entity Analytics input in Filebeat. #40106 and #41977
  • Rate limiting fault tolerance improvements in the Okta provider of the Entity Analytics input in Filebeat. #40106 #42094
  • Introduces ignore older and start timestamp filters for AWS S3 input in Filebeat. #41804
  • Journald input now can report its status to Elastic-Agent in Filebeat. #39791 and #42462
  • Publish events progressively in the Okta provider of the Entity Analytics input in Filebeat. #40106 and #42567
  • Journald include_matches.match now accepts + to represent a logical disjunction (OR) in Filebeat. #40185 and #42517
  • The journald input is now generally available in Filebeat. #42107
  • Adds support for RFC7231 methods to HTTP monitors in Heartbeat. #41975
  • Adds use_kubeadm config option in kubernetes module in order to toggle kubeadm-config API requests in Metricbeat. #40086
  • Preserve queries for debugging when merge_results: true in SQL module in Metricbeat. #42271
  • Collect more fields from ES node/stats metrics and only those that are necessary in Metricbeat. #42421
  • Adds benchmark module in Metricbeat. #41801
  • Increase maximum query timeout to 24 hours in Osquerybeat. 42356
  • Properly set events UserData when experimental API is used in Winlogbeat. #41525
  • Include XML is respected for experimental API in Winlogbeat. #41525
  • Forwarded events use renderedtext info for experimental API in Winlogbeat. #41525
  • Language setting is respected for experimental API in Winlogbeat. #41525
  • Language setting also added to decode XML wineventlog processor in Winlogbeat. #41525
  • Format embedded messages in the experimental API in Winlogbeat. #41525
  • Make the experimental API GA and rename it to winlogbeat-raw in Winlogbeat. #39580 and #41770
  • Removes 22 clause limitation in Winlogbeat. #35047 and #42187
  • Adds handling for recoverable publisher disabled errorsin Winlogbeat. #35316 and #42187
  • Removes Functionbeat binaries from CI pipelines. #40745 and #41506
  • Update Go version to 1.24.0. #42705
  • Add etw input fallback to attach an already existing session in Filebeat. #42847
  • Update CEL mito extensions to v1.17.0 in Filebeat. #42851
  • Winlog input in Filebeat cam now report its status to Elastic Agent. #43089
  • Add configuration option to limit HTTP Endpoint body size in Filebeat. #43171
  • Add a new match_by_parent_instance option to perfmon module in Metricbeat. #43002
  • Add a warning log to metricbeat.vsphere in Metricbeat in case vSphere connection has been configured as insecure. #43104
  • hasher: Add a cached hasher for upcoming backend in Auditbeat. #41952
  • Split common tty definitions in Auditbeat. #42004
  • Redact authorization headers in HTTPJSON debug logs in Filebeat. #41920
  • Further rate limiting fix in the Okta provider of the Entity Analytics input in Filebeat. #40106 and #41977
  • The _id generation process for S3 events has been updated to incorporate the LastModified field. This enhancement ensures that the _id is unique in Filebeat. #42078
  • Fixes truncation of bodies in request tracing by limiting bodies to 10% of the maximum file size in Filebeat. #42327
  • [Journald] Fixes handling of journalctl restart. A known symptom was broken multiline messages when there was a restart of journalctl while aggregating the lines in Filebeat. #41331 and #42595
  • Fixwa bug where Metricbeat unintentionally triggers Windows ASR in Metricbeat. #42177
  • Removes hostname field from ZooKeeper's mntr data stream in Metricbeat. 41887
  • Properly marshal nested structs in ECS fields, fixing issues with mixed cases in field names in Packetbeat. 42116
  • Fixed race conditions in the global ratelimit processor that could drop events or apply rate limiting incorrectly in Filebeat. 42966
  • Prevent computer details being returned for user queries by Activedirectory Entity Analytics provider in Filebeat. #11818 and #42796
  • Handle unexpected EOF error in aws-s3 input and enforce retrying using download failed error in Filebeat. #42420
  • Prevent azureblobstorage input from logging key details during blob fetch operations in Filebeat. #43169
  • Add AWS OwningAccount support for cross account monitoring in Metricbeat. #40570 and #40691
  • Fix logging argument number mismatch in Metricbeat(Redis). #43072
  • Reset EventLog if error EOF is encountered in Winlogbeat. #42826
  • Implement backoff on error retrial in Winlogbeat. #42826
  • Fix boolean key in security pipelines and sync pipelines with integration in Winlogbeat. #43027