Features and enhancements
All
- Update OTel Collector components to v0.148.0. #49578
Filebeat
- Add retry back-off logic to streaming input CrowdStrike follower. #48542 #46072
- Add secret_state config to CEL input for encrypted storage of secrets accessible as state.secret. #49207
Add a secret_state configuration field to the CEL input. When configured in a Fleet integration package with secret: true, the values are stored encrypted by Fleet. At runtime, the contents are placed at state.secret and unconditionally redacted in debug logs. The key secret in the plain-text state configuration is reserved and rejected by validation to prevent accidental unencrypted storage of values intended to be secret.
- Allow string and number arrays in httpjson chained configurations. #49391 #16662
- Add support for URL and URL query parsing and formatting in the Streaming input CEL environment. #49653 #17875
Metricbeat
- Add client secret authentication support to Azure App Insights module. #48880
Fixes
Elastic Agent
- Fix an issue that could delay reporting shutdown of Agent components. #49414 #49388
- Reduce AutoOps logging from info to debug for polling. #49507 #49506
Filebeat
- Fix Filestream take_over causing file re-ingestion when used with autodiscover. #49632 #49579
- Fix compatibility of the Journald input with journald/systemd versions < 242. #49445 #48152
- Add rate-limit backoff to CrowdStrike streaming input oauth2 transport. #49453
Wrap the oauth2 HTTP transport used by the CrowdStrike Falcon streaming input with a rate-limit-aware transport that intercepts 429 responses, reads the Retry-After header, and backs off before retrying. This prevents the oauth2 token refresh from generating a burst of unauthorized requests that triggers CrowdStrike's 15-per-minute rate limit. The discover endpoint also returns a retry-after hint to the session-level retry loop as a minimum wait floor.
- Skip request tracer path validation when tracing is disabled to prevent input startup failures. #49655
The startup path validation in cel, httpjson, http_endpoint, and entity analytics inputs checked whether the tracer config struct was non-nil rather than whether tracing was enabled. Integration package templates always include a tracer block (with enabled defaulting to false), so the struct is never nil. Under the agentless/otel runtime the relative tracer path resolves outside the permitted directory, causing all affected inputs to fail immediately even though tracing was disabled. The config-level Validate methods already used the correct enabled() guard; the startup paths now do the same.
- Fix Filebeat crash loop when running under Elastic Agent and taking too long to initialise. #49796 #49512
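The request tracer path validation fix above (#49655) comes down to which condition guards the path check at startup. The following is an added sketch of both guards, not code from Beats; the type, function names, directories and file name are hypothetical and constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// tracerConfig is a hypothetical stand-in for an input's request tracer block.
type tracerConfig struct {
	Enabled  bool // templates always emit the block, with this left false
	Filename string
}

func (t *tracerConfig) enabled() bool { return t != nil && t.Enabled }

var errTracerPath = errors.New("request tracer path is outside the permitted directory")

// inside reports whether name, resolved against cwd when relative, stays under root.
func inside(root, cwd, name string) bool {
	if !filepath.IsAbs(name) {
		name = filepath.Join(cwd, name)
	}
	rel, err := filepath.Rel(root, name)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// checkBefore models the old startup guard: it fires whenever the block is present.
func checkBefore(t *tracerConfig, root, cwd string) error {
	if t != nil && !inside(root, cwd, t.Filename) {
		return errTracerPath
	}
	return nil
}

// checkAfter models the fixed guard: the path only matters if tracing will write to it.
func checkAfter(t *tracerConfig, root, cwd string) error {
	if t.enabled() && !inside(root, cwd, t.Filename) {
		return errTracerPath
	}
	return nil
}

func main() {
	// Constructed values: tracing disabled, relative path, runtime with a different cwd.
	t := &tracerConfig{Filename: "../trace/requests.ndjson"}
	fmt.Println(checkBefore(t, "/srv/agent/logs", "/"), checkAfter(t, "/srv/agent/logs", "/"))
}
```

The containment check itself is unchanged between the two guards, so an enabled tracer pointing outside the permitted directory is still rejected.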
Libbeat
- Fix a bug where escaped characters in syslog structured data caused an EOF error. #49392 #43944
Metricbeat
- Fix unnecessary Windows filesystem metricset errors from non-existent volumes. #49553
Fix an issue where filesystem metric collection on Windows could report errors for volumes that are no longer present. Update to gosigar v0.14.4.
Winlogbeat
- Skip record ID gap detection for forwarded Windows events. #49819