This documentation contains work-in-progress information for future Elastic Stack and Cloud releases. Use the version selector to view supported release docs. It also contains some Elastic Cloud serverless information. Check out our serverless docs for more details.

› ›

Beats version 8.18.0

edit

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Beats version 8.18.0

edit

View commits

Breaking changes

edit

Affecting all Beats

Removed support for a single - to precede multi-letter command line arguments. Use -- instead. 42117 42209

Filebeat

The fields produced by the Journald input are updated to better match ECS. Renamed fields: Dropped fields: syslog.priority and syslog.facility while keeping their duplicated equivalent: log.syslog.priority,log.syslog.facility.code. Renamed fields: syslog.identifier → log.syslog.appname, syslog.pid → log.syslog.procid. container.id_truncated is dropped because the full container ID is already present as container.id and container.log.tag is dropped because it is already present as log.syslog.appname. The field container.partial is replaced by the tag partial_message if it was true, otherwise no tag is added. 42208 42403

Osquerybeat

Upgrade osquery version to 5.13.1. 40849

Packetbeat

Use base-16 for reporting serial_number value in TLS fields in line with the ECS recommendation. 41542

Bugfixes

edit

Auditbeat

Add a cached hasher for upcoming backend. 41952
Split common tty definitions. 42004

Filebeat

Redact authorization headers in HTTPJSON debug logs. 41920
The _id generation process for S3 events has been updated to incorporate the LastModified field. This enhancement ensures that the _id is unique. 42078
Fix truncation of bodies in request tracing by limiting bodies to 10% of the maximum file size. 42327

Metricbeat

Fix the function to determine CPU cores on windows. 42593 43409

Winlogbeat

Reset EventLog if error EOF is encountered. 42826
Implement backoff on error retrial. 42826

Added

edit

Auditbeat

Improve logging in system/socket. 41571

Filebeat

Update CEL mito extensions version to v1.16.0. 41727
Filebeat’s registry is now added to the Elastic-Agent diagnostics bundle. 33238 41795
Add unifiedlogs input for MacOS. 41791
Add evaluation state dump debugging option to CEL input. 41335
The Filestream input can automatically migrate state from files when changing the file_identity if the previous file identity was native (the default) or path. 40197 41762
Rate limiting operability improvements in the Okta provider of the Entity Analytics input. 40106 41977
Journald input now can report its status to Elastic-Agent 39791 42462
The journald input is now generally available. 42107
Add etw input fallback to attach an already existing session. 42847
Update CEL mito extensions to v1.17.0. 42851
Allow a grace time for awss3 input shutdown to enable incomplete SQS message processing to be completed. 43369

Heartbeat

Upgrade node version to latest LTS v18.20.7. 43511

Metricbeat

Add support for podman metrics in docker module. 41889
Add new OpenAI (openai) module for tracking usage data. 41516
Preserve queries for debugging when merge_results: true in SQL module. 42271
Add a warning log to metricbeat.vsphere in case vSphere connection has been configured as insecure. 43104

Metricbeat - Add benchmark module. 41801

Packetbeat - Add tls.server.ja3s tls fingerprint 43284

Winlogbeat

Properly set events UserData when experimental API is used. 41525
Include XML is respected for experimental API. 41525
Forwarded events use renderedtext info for experimental API. 41525
Language setting is respected for experimental API. 41525
Language setting also added to decode xml wineventlog processor. 41525
Format embedded messages in the experimental API. 41525
Make the experimental API GA and rename it to winlogbeat-raw. 39580 41770
Remove 22 clause limitation. 35047 42187
Add handling for recoverable publisher disabled errors. 35316 42187

« Release notes Beats version 8.17.4 »