Beats version 8.19.0 | Beats Platform Reference [8.19] | Elastic
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Beats version 8.19.0

Known Issues

Filebeat

  • The Filestream input does not enforce the restrictions documented for the clean_inactive option, thus allowing configurations that can lead to data re-ingestion issues.
  • When clean_inactive: 0 is set, Filestream cleans the state of all files on startup, effectively re-ingesting all files on restart. Set clean_inactive: -1 to disable this behavior.
  • restart_on_cert_change causes a panic due to the seccomp policy. In versions 8.19.0 and later, enabling this option causes the Beat to panic on restart because the eventfd2 syscall is missing from the default seccomp policy. To fix this, add eventfd2 to a custom seccomp policy. For more details, refer to Use Linux Secure Computing Mode (seccomp).
Custom policy that includes eventfd2:
seccomp:
  syscalls:
    - action: allow
      names:
        - accept
        - accept4
        - access
        - arch_prctl
        - bind
        - brk
        - capget
        - chmod
        - chown
        - clock_gettime
        - clock_nanosleep
        - clone
        - clone3
        - close
        - connect
        - dup
        - dup2
        - dup3
        - epoll_create
        - epoll_create1
        - epoll_ctl
        - epoll_pwait
        - epoll_wait
        - eventfd2
        - execve
        - exit
        - exit_group
        - faccessat
        - faccessat2
        - fchdir
        - fchmod
        - fchmodat
        - fchown
        - fchownat
        - fcntl
        - fdatasync
        - flock
        - fstat
        - fstatfs
        - fsync
        - ftruncate
        - futex
        - getcwd
        - getdents
        - getdents64
        - geteuid
        - getgid
        - getpeername
        - getpid
        - getppid
        - getrandom
        - getrlimit
        - getrusage
        - getsockname
        - getsockopt
        - gettid
        - gettimeofday
        - getuid
        - inotify_add_watch
        - inotify_init1
        - inotify_rm_watch
        - ioctl
        - kill
        - listen
        - lseek
        - lstat
        - madvise
        - mincore
        - mkdirat
        - mmap
        - mprotect
        - munmap
        - nanosleep
        - newfstatat
        - open
        - openat
        - pipe
        - pipe2
        - poll
        - ppoll
        - prctl
        - pread64
        - pselect6
        - pwrite64
        - read
        - readlink
        - readlinkat
        - recvfrom
        - recvmmsg
        - recvmsg
        - rename
        - renameat
        - rseq
        - rt_sigaction
        - rt_sigprocmask
        - rt_sigreturn
        - sched_getaffinity
        - sched_yield
        - sendfile
        - sendmmsg
        - sendmsg
        - sendto
        - set_robust_list
        - setitimer
        - setrlimit
        - setsockopt
        - shutdown
        - sigaltstack
        - socket
        - splice
        - stat
        - statfs
        - sysinfo
        - tgkill
        - time
        - tkill
        - uname
        - unlink
        - unlinkat
        - wait4
        - waitid
        - write
        - writev
  • journalctl is not present in the Docker images, so the Journald input fails with: cannot start journalctl: exec: "journalctl": executable file not found in $PATH
Workaround:

Install the systemd package in the Docker image. Create a new Dockerfile (update the base image version to match the version you want to fix):

FROM docker.elastic.co/beats/filebeat:8.19.3
USER root
RUN DEBIAN_FRONTEND=noninteractive apt-get update \
    && apt-get install -y systemd \
    && apt-get clean all
USER 1000

Build it:

docker build . -t "filebeat:8.19.3-journald"

Test:

docker run --rm -it --entrypoint journalctl filebeat:8.19.3-journald
No journal files were found.
-- No entries --

Use the image filebeat:8.19.3-journald you have just built.

Breaking changes

Filebeat

  • The Filestream input only starts to ingest a file once it is >= 1024 bytes in size. This happens because fingerprint is now the default file identity. To restore the previous behaviour, set file_identity.native: ~ and prospector.scanner.fingerprint.enabled: false. 40197 41762
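
Why files under 1024 bytes are not picked up with fingerprint identity, as an added example (not code from Beats or from this page). It assumes the fingerprint is a SHA-256 over bytes 0 to 1023 of the file and uses constructed sample files; it also shows the related case of two files that share their first 1024 bytes and so get the same identity.

```python
import hashlib
import os
import tempfile

# Assumption: default fingerprint range is offset 0, length 1024, hashed with SHA-256.
OFFSET, LENGTH = 0, 1024


def fingerprint(path, offset=OFFSET, length=LENGTH):
    """Hex SHA-256 of bytes [offset, offset+length), or None if the file is too small."""
    with open(path, "rb") as fh:
        fh.seek(offset)
        chunk = fh.read(length)
    return hashlib.sha256(chunk).hexdigest() if len(chunk) == length else None


def classify(paths):
    """Return (too_small, collisions) as a fingerprint-based identity would see the files."""
    too_small, by_fp = [], {}
    for path in paths:
        fp = fingerprint(path)
        if fp is None:
            too_small.append(os.path.basename(path))
        else:
            by_fp.setdefault(fp, []).append(os.path.basename(path))
    collisions = sorted(sorted(names) for names in by_fp.values() if len(names) > 1)
    return sorted(too_small), collisions


def demo():
    """Classify four constructed sample files written to a temporary directory."""
    banner = b"# constructed banner line\n" * 50   # 1300 identical bytes
    samples = {
        "small.log": b"short event\n" * 10,         # 120 bytes: below 1024
        "app-a.log": banner + b"event from A\n",     # shares the banner with app-b
        "app-b.log": banner + b"event from B\n",
        "unique.log": b"unique " + banner,           # differs within the first 1024 bytes
    }
    with tempfile.TemporaryDirectory() as tmp:
        paths = []
        for name, data in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            paths.append(path)
        return classify(paths)


if __name__ == "__main__":
    print(demo())
```

Files reported as too small have no identity yet and are not ingested until they grow past the fingerprint range; files reported as collisions have a long common header and cannot be told apart by this identity.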

Metricbeat

  • Add VPN metrics to meraki module 44851

Bugfixes

Auditbeat

  • Fix potential data loss in add_session_metadata. 42795
  • auditbeat/fim: Fix FIM@ebpfevents for new kernels #44371. 44371

Filebeat

  • Handle special values of accountExpires in the Activedirectory Entity Analytics provider. 43364
  • Fix status reporting panic in GCP Pub/Sub input. 44624 44625
  • Fix a logging regression that ignored to_files and logged to stdout. 44573

Heartbeat

  • Added maintenance windows support for Heartbeat. 41508

Packetbeat

  • Properly marshal nested structs in ECS fields, fixing issues with mixed cases in field names 42116

Added

Affecting all Beats

  • Publish cloud.availability_zone by add_cloud_metadata processor in azure environments 42601 43618

Filebeat

  • Winlog input now can report its status to Elastic-Agent 43089
  • Update CEL mito extensions to v1.18.0. 43855
  • Add milliseconds to document timestamp from awscloudwatch Filebeat input 44306
  • Add support to the Active Directory entity analytics provider for device entities. 44309
  • Add support for OPTIONS request to HTTP Endpoint input. 43930 44387
  • Add Fleet status update functionality to lumberjack input. 44283 44339
  • Add Fleet status updating to HTTP Endpoint input. 44281 44310
  • Add Fleet status updating to streaming input. 44284 44340
  • Add Fleet status update functionality to gcppubsub input. 44272 44507
  • Add Fleet status updating to GCS input. 44273 44508
  • Introduce lastSync start position to AWS CloudWatch input backed by state registry. 43251
  • Add Fleet status update functionality to tcp input. 44420 44786
  • Add Fleet status update functionality to udp input. 44419 44785
  • Add Fleet status updating to Azure Blob Storage input. 44268 44945
  • Add Fleet status updating to HTTP JSON input. 44282 44365
  • Add proxy support to GCP Pub/Sub input. 44892
  • Add support for relationship expansion to EntraID entity analytics provider. 43324 44761
  • Added support for websocket keep_alive heartbeat in the streaming input. 42277 44204
  • Update CEL mito extensions to v1.21.0. 40762 45107
  • Add Fleet health status reporting to the entity analytics input. 44269 45152
  • Add Fleet status updating to o365audit input. 44651 44957
  • Update CEL mito extensions to v1.22.0. 45245
  • Allow empty HTTPJSON cursor template value evaluations to be ignored by Fleet health status updates. 45361
  • Reuse OAuth2 clients in HTTP JSON input where possible. 34834 44976
  • Add support for generalized token authentication to CEL input. 45359
  • The add_cloudfoundry_metadata processor now uses xxhash instead of SHA1 for sanitizing persistent cache filenames. Existing users will experience a one-time cache invalidation as the cache store will be recreated with the new filename format. 43964

Metricbeat

  • Add a new match_by_parent_instance option to perfmon module. 43002
  • Changed the elasticsearch module behavior to only pull settings from non-system indices. 43243
  • Exclude dotted indices from settings pull in elasticsearch module. 43306
  • Upgrade Prometheus Library to v0.300.1. 43540
  • Add GCP metadata cache. 44432
  • Add VPN metrics to meraki module 44851