ContextQMD
Back to Beats

Index

docs/release-notes/_snippets/9.2.7/index.md

9.4.07.5 KB
Original Source

9.2.7 [beats-release-notes-9.2.7]

Features and enhancements [beats-9.2.7-features-enhancements]

Elastic agent

  • Fix a bug that could report stopped inputs as still running. #49285 #47769

Filebeat

  • Add optional token_url support for JWT Bearer Flow in Salesforce input. #43933 #43963

    The Salesforce input now supports a separate token_url configuration for JWT Bearer Flow authentication. This allows users with custom Salesforce domains or restrictions on default endpoints (login.salesforce.com/test.salesforce.com) to specify a different token endpoint URL while keeping the audience URL separate. If token_url is not provided, the existing behavior of using the audience URL as the token endpoint is maintained.

  • Empty files are excluded from processing in filestream as early as possible. #49196 #48891

Metricbeat

  • Add zswap compressed swap cache metrics to system memory metricset. #49098 #47605

  • Addition of Elasticsearch index mode and codec settings in Metricbeat index stats module. #49237

  • Add cgroupv2 CPU metrics to system.process dataset. #49098 #47708

  • Report memory pressure stall information (PSI) for cgroup v2. #48054 #47604

    Add memory PSI metrics to system.process.cgroup, complementing existing CPU and IO pressure metrics for cgroupv2

  • Add swap field to system.process.memory metric set in metricbeat. #48334

  • Add new TBS metrics to monitor mappings. #48432

  • Read Kibana status response body on 503 so monitoring captures the reason for outage. #48913

Packetbeat

  • Improves resiliency of the AMQP parser against invalid or corrupt data frames. #48033
  • Bump bundled Windows Npcap OEM installer to v1.87. #49167

Winlogbeat

  • Move winlog filtering to Go-side evaluation and harden recovery paths. #49257

    Winlogbeat and Filebeat winlog input now subscribe with unfiltered queries for non-custom configurations and apply ignore_older, provider, event_id, and level filtering in code. This avoids unreliable Windows query-filter behavior in affected environments while preserving custom xml_query passthrough. The change also improves read/iterator recovery behavior, keeps final-batch publish semantics on EOF, and adds a retry circuit-breaker for persistent render failures without partial events.

Fixes [beats-9.2.7-fixes]

All

  • Update elastic-agent-system-metrics to v0.14.0. #48816

  • Update elastic-agent-autodiscover to v0.10.2. #48817

  • Update elastic-agent-libs to v0.32.2. #48857

  • Update OpenTelemetry SDK to version v1.40.0. #49126

  • Translate_ldap_attribute discovery tries both LDAP and LDAPS per host, LDAPS first. #48818

    When the translate_ldap_attribute processor discovers LDAP servers (using DNS SRV or LOGONSERVER), it now adds the alternate scheme for each discovered address: if LDAP is found it also tries LDAPS for that host, and if LDAPS is found it also tries LDAP. For each host, LDAPS is tried before LDAP to prefer TLS.

  • Improve append processor behavior when merging values and removing duplicates. #49021 #49020

    The append processor now appends values more consistently, avoiding nested entries in the target field. Duplicate removal is also more reliable, reducing processing errors and keeping output stable.

  • Kafka client allows only a single metadata request to each broker in-flight at any given time. #49307 #49210

Elastic agent

  • Fix a bug that could report an invalid number of active otelconsumer events. #48720 #12515

Filebeat

  • Improve in-flight byte accounting in the HTTP Endpoint input. #48571 #48456
  • Honor non-fingerprint file_identity defaults in filestream. #48579
  • Fix handling of Crowdstrike streaming input state in retryable errors. #49077 #49076
  • Fix incremental group updates in Active Directory entity analytics provider. #49089 #49053
  • Demote missing user/device state lookup to debug log in Azure entity analytics provider. #49127 #36447
  • Fix CrowdStrike streaming session refresh scheduling to avoid tight refresh loops. #49175 #49158

Libbeat

  • Add SSPI bind timeout and document Windows account requirements for translate_ldap_attribute processor. #48444

    The translate_ldap_attribute processor SSPI bind could hang indefinitely when running under a local user account (which cannot obtain Kerberos credentials). This fix adds a 10-second timeout to prevent the hang and updates documentation to clearly explain which Windows account types support SSPI authentication: Local System, Network Service, domain users, and gMSA accounts work; local user accounts do not.

Metricbeat

  • Update transient dependency filippo.io/edwards25519 to v1.1.1. #49070

Osquerybeat

  • Update osquery-go dependency to v0.0.0-20260226222546-0cc22f415e57. #49280

Packetbeat

  • Refactor dhcpv4 parsers, fix numerous parsing bugs. The DHCP router field is now a list, as is specified in RFC2132. #48414

Winlogbeat

  • Restore suppression of repeated channel-not-found open errors in Winlogbeat eventlog runner. #48999 #48979

    Reintroduces channel-not-found retry log suppression that was lost during the eventlog runner refactor. The first channel-not-found open error is logged at WARN, subsequent retries are logged at DEBUG, and the suppression state is reset after a successful open. This prevents repeated WARN/ERROR log noise when a configured channel is missing.