Beats version 8.18.0

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Filebeat

The Filestream input does not enforce the restrictions documented for the clean_inactive option, thus allowing configurations that can lead to data re-ingestion issues.
When clean_inactive: 0, Filestream cleans the state of all files on start up, effectively re-ingesting all files on restart. Set clean_inactive: -1 to disable this behavior.

Affecting all Beats

Removed support for a single - to precede multi-letter command line arguments. Use -- instead. 42117 42209

Filebeat

The fields produced by the Journald input are updated to better match ECS. Renamed fields: Dropped fields: syslog.priority and syslog.facility while keeping their duplicated equivalent: log.syslog.priority,log.syslog.facility.code. Renamed fields: syslog.identifier → log.syslog.appname, syslog.pid → log.syslog.procid. container.id_truncated is dropped because the full container ID is already present as container.id and container.log.tag is dropped because it is already present as log.syslog.appname. The field container.partial is replaced by the tag partial_message if it was true, otherwise no tag is added. 42208 42403

Osquerybeat

Packetbeat

Use base-16 for reporting serial_number value in TLS fields in line with the ECS recommendation. 41542

Auditbeat

Filebeat

Redact authorization headers in HTTPJSON debug logs. 41920
The _id generation process for S3 events has been updated to incorporate the LastModified field. This enhancement ensures that the _id is unique. 42078
Fix truncation of bodies in request tracing by limiting bodies to 10% of the maximum file size. 42327

Metricbeat

Winlogbeat

Auditbeat

Filebeat

Update CEL mito extensions version to v1.16.0. 41727
Filebeat’s registry is now added to the Elastic-Agent diagnostics bundle. 33238 41795
Add unifiedlogs input for MacOS. 41791
Add evaluation state dump debugging option to CEL input. 41335
The Filestream input can automatically migrate state from files when changing the file_identity if the previous file identity was native (the default) or path. 40197 41762
Rate limiting operability improvements in the Okta provider of the Entity Analytics input. 40106 41977
Journald input now can report its status to Elastic-Agent 39791 42462
The journald input is now generally available. 42107
Add etw input fallback to attach an already existing session. 42847
Update CEL mito extensions to v1.17.0. 42851
Allow a grace time for awss3 input shutdown to enable incomplete SQS message processing to be completed. 43369

Heartbeat

Metricbeat

Add support for podman metrics in docker module. 41889
Add new OpenAI (openai) module for tracking usage data. 41516
Preserve queries for debugging when merge_results: true in SQL module. 42271
Add a warning log to metricbeat.vsphere in case vSphere connection has been configured as insecure. 43104

Metricbeat - Add benchmark module. 41801

Packetbeat - Add tls.server.ja3s tls fingerprint 43284

Winlogbeat