Beats version 8.19.3
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.
Known Issues
Filebeat
- The Filestream input does not enforce the restrictions documented for the clean_inactive option, thus allowing configurations that can lead to data re-ingestion issues.
- When clean_inactive: 0, Filestream cleans the state of all files on start up, effectively re-ingesting all files on restart. Set clean_inactive: -1 to disable this behavior.
- restart_on_cert_change causes panic due to seccomp policy. In versions 8.19.0 and later, enabling this option causes the Beat to panic on restart. This is due to the eventfd2 syscall missing from the default seccomp policy. To fix this, add eventfd2 to a custom seccomp policy. For more details, refer to Use Linux Secure Computing Mode (seccomp).
Policy:

    seccomp:
      syscalls:
      - action: allow
        names:
        - accept
        - accept4
        - access
        - arch_prctl
        - bind
        - brk
        - capget
        - chmod
        - chown
        - clock_gettime
        - clock_nanosleep
        - clone
        - clone3
        - close
        - connect
        - dup
        - dup2
        - dup3
        - epoll_create
        - epoll_create1
        - epoll_ctl
        - epoll_pwait
        - epoll_wait
        - eventfd2
        - execve
        - exit
        - exit_group
        - faccessat
        - faccessat2
        - fchdir
        - fchmod
        - fchmodat
        - fchown
        - fchownat
        - fcntl
        - fdatasync
        - flock
        - fstat
        - fstatfs
        - fsync
        - ftruncate
        - futex
        - getcwd
        - getdents
        - getdents64
        - geteuid
        - getgid
        - getpeername
        - getpid
        - getppid
        - getrandom
        - getrlimit
        - getrusage
        - getsockname
        - getsockopt
        - gettid
        - gettimeofday
        - getuid
        - inotify_add_watch
        - inotify_init1
        - inotify_rm_watch
        - ioctl
        - kill
        - listen
        - lseek
        - lstat
        - madvise
        - mincore
        - mkdirat
        - mmap
        - mprotect
        - munmap
        - nanosleep
        - newfstatat
        - open
        - openat
        - pipe
        - pipe2
        - poll
        - ppoll
        - prctl
        - pread64
        - pselect6
        - pwrite64
        - read
        - readlink
        - readlinkat
        - recvfrom
        - recvmmsg
        - recvmsg
        - rename
        - renameat
        - rseq
        - rt_sigaction
        - rt_sigprocmask
        - rt_sigreturn
        - sched_getaffinity
        - sched_yield
        - sendfile
        - sendmmsg
        - sendmsg
        - sendto
        - set_robust_list
        - setitimer
        - setrlimit
        - setsockopt
        - shutdown
        - sigaltstack
        - socket
        - splice
        - stat
        - statfs
        - sysinfo
        - tgkill
        - time
        - tkill
        - uname
        - unlink
        - unlinkat
        - wait4
        - waitid
        - write
        - writev
- journalctl is not present in the Docker images, thus the Journald input will fail with:

    cannot start journalctl: exec: "journalctl": executable file not found in $PATH

Workaround:

Install the systemd package in the Docker image. Create a new Dockerfile (update the base image version to match the version you want to fix):

    FROM docker.elastic.co/beats/filebeat:8.19.3
    USER root
    RUN DEBIAN_FRONTEND=noninteractive apt-get update \
        && apt-get install -y systemd \
        && apt-get clean all
    USER 1000

Build it:

    docker build . -t "filebeat:8.19.3-journald"

Test:

    docker run --rm -it --entrypoint journalctl filebeat:8.19.3-journald
    No journal files were found.
    -- No entries --

Use the image filebeat:8.19.3-journald you have just built.
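The clean_inactive and restart_on_cert_change issues above can both be caught before a restart by linting the configuration. The following is an added example, not Elastic's code: it assumes the config has already been loaded into a Python dict by a YAML loader and that the option appears as a nested restart_on_cert_change mapping with an enabled key; the function names and the sample config are hypothetical.

```python
# Added example (not Elastic code): lint a parsed Filebeat config for the
# clean_inactive and restart_on_cert_change known issues described above.

def dicts(node):
    """Yield every mapping nested anywhere inside a parsed YAML document."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from dicts(value)
    elif isinstance(node, list):
        for item in node:
            yield from dicts(item)

def allowed_syscalls(config):
    """Names listed under 'allow' rules of a custom seccomp policy, if any."""
    names = set()
    for rule in (config.get("seccomp") or {}).get("syscalls", []):
        if rule.get("action") == "allow":
            names.update(rule.get("names", []))
    return names

def lint(config):
    """Return a list of warnings for the two known issues."""
    findings, cert_reload = [], False
    for d in dicts(config):
        # clean_inactive: 0 makes Filestream drop all file state on start up.
        if d.get("type") == "filestream" and str(d.get("clean_inactive")) == "0":
            findings.append(f"filestream input {d.get('id')!r}: clean_inactive is 0, set -1")
        # Assumed layout: a nested restart_on_cert_change mapping with 'enabled'.
        opt = d.get("restart_on_cert_change")
        if isinstance(opt, dict) and opt.get("enabled") is True:
            cert_reload = True
    # With no custom policy the default applies, which lacks eventfd2.
    if cert_reload and "eventfd2" not in allowed_syscalls(config):
        findings.append("restart_on_cert_change enabled but eventfd2 not allowed by seccomp")
    return findings

# Constructed sample, shaped like the output of a YAML loader.
SAMPLE = {
    "filebeat.inputs": [
        {"type": "filestream", "id": "app-logs", "clean_inactive": 0},
        {"type": "filestream", "id": "audit-logs", "clean_inactive": -1},
    ],
    "output.elasticsearch": {"ssl": {"restart_on_cert_change": {"enabled": True}}},
    "seccomp": {"syscalls": [{"action": "allow", "names": ["read", "write"]}]},
}

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print("WARN:", finding)
```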
Breaking changes
Affecting all Beats
- The base folder for data and logs on Windows has changed from C:\ProgramData\[BeatName] to C:\Program Files\[BeatName]-Data because the latter has stricter permissions. 45948
Bugfixes
Filebeat
- Fix wrongly emitted missing input ID warning 42969 45747
- Fix handling of unnecessary BOM in UTF-8 text received by o365audit input. 44327 45739
- Fix reading journald messages with more than 4kb. 45511 46017
- Restore the Streaming input on Windows. 46031
- Fix termination of input on API errors. 45999
- Fix filestream registry entries being prematurely removed, which could cause files to be re-ingested after Filebeat restarts. 46007 46032
Metricbeat