bump version to 4.0.1

Author: robcowart

CHANGELOG.md

@@ -2,6 +2,52 @@
 
 ---
 
+## v4.0.1
+
+> **WARNING!** - If you are using a 3.x or earlier release, please refer to the v4.0.0 Breaking Changes.
+
+ElastiFlow v4.0.1 is a minor release. No migration of data from v4.0.0 to v4.0.1 is required.
+
+### Fixes
+
+* Netflow v5 sources reporting zero bytes and packets in ECS fields has been fixed.
+* TSVB visualizations displaying data in bits/s now use the new `bitd` custom formatter.
+
+---
+
+## v4.0.0
+
+> **WARNING!** - ElastiFlow v4.0.0 is a major release, and now supports Elastic Common Schema (ECS). Due to significant data model changes there is no upgrade/migration from ElastiFlow 3.x. You should either remove all 3.x indices or deploy ElastiFlow 4.0.0 to a separate environment.
+
+### Breaking Changes
+
+ElastiFlow v4.0.0 is built for Elasticsearch and Kibana 7.8.1 and later. No earlier versions will be supported. Please use a prior ElastiFlow release if you cannot yet upgrade to Elastic Stack 7.8.1+.
+
+ElastiFlow v4.0.0 takes advantage of X-Pack Basic features, such as the Maps, SIEM and Logs apps, as well as Index Lifecycle Management (ILM). This means that you must use at least the X-Pack Basic licensed release of the Elastic Stack. The pure Apache 2.0 licensed release of the Elastic Stack will not work without disabling many features.
+
+### New Features
+
+* Data model has changed to leverage ECS 1.5.
+* Flow data can now be analyzed using the Kibana SIEM and Log apps.
+* Optional resolution of MAC OUIs to vendor names (disabled by default).
+* Kibana dark theme is now supported.
+* Geo IP dashboards now leverage the new Kibana Maps app.
+* Applications can now be defined manually by IP address and port number.
+* Palo Alto virtual interface indexes are translated to interfaces names.
+* Support for VeloCloud, Calix and various Cisco SD-WAN information elements.
+* KQL is now default
+
+### Updates
+
+* Pipeline refactored to simplify various logic, which might improve performance and throughput for some users.
+* YAML dictionaries intended for customization by users have been moved to the `logstash/elastiflow/user_settings` path.
+
+### Fixes
+
+* Client/Server detection using TCP flags is improved.
+
+---
+
 ## v4.0.0-beta1
 
 v4.0.0 is a major release. A data migration will be required if you want to have your older data available in 4.0.0. This `BETA` release does not yet include a migration method and is intended for testing with new flow data only.
@@ -41,7 +87,7 @@ ElastiFlow v3.5.x provides support Elastic Stack 7.x. The support for document t
 
 * Added support for pmacct IEs (needed for VyOS 1.2.x).
 
-------
+---
 
 ## v3.5.2
 
@@ -68,7 +114,7 @@ ElastiFlow v3.5.x provides support Elastic Stack 7.x. The support for document t
 * Added a lot of new Fortinet application IDs.
 * Update IP reputation dictionary and GeoIP DBs.
 
-------
+---
 
 ## v3.5.1
 

Dockerfile

@@ -24,7 +24,7 @@ LABEL org.opencontainers.image.created="$BUILD_DATE" \
       org.opencontainers.image.url="https://github.com/robcowart/elastiflow/README.md" \
       org.opencontainers.image.documentation="https://github.com/robcowart/elastiflow/DOCKER.md" \
       org.opencontainers.image.source="https://github.com/robcowart/elastiflow" \
-      org.opencontainers.image.version="4.0.0" \
+      org.opencontainers.image.version="4.0.1" \
       org.opencontainers.image.vendor="Robert Cowart" \
       org.opencontainers.image.title="ElastiFlow™ - Logstash" \
       org.opencontainers.image.description="Logstash with the ElastiFlow™ pipeline."

INSTALL.md

@@ -4,19 +4,19 @@
 
 ElastiFlow™ is built using the Elastic Stack, including Elasticsearch, Logstash and Kibana. To install and configure ElastiFlow™, you must first have a working Elastic Stack environment.
 
-> **WARNING!** - ElastiFlow 4.0.0 supports Elastic Common Schema (ECS). Due to significant data model changes there is no upgrade/migration from ElastiFlow 3.x. You should either remove all 3.x indices or deploy ElastiFlow 4.0.0 to a separate environment.
+> **WARNING!** - ElastiFlow 4.0.x supports Elastic Common Schema (ECS). Due to significant data model changes there is no upgrade/migration from ElastiFlow 3.x. You should either remove all 3.x indices or deploy ElastiFlow 4.0.x to a separate environment.
 
 > **IMPORTANT!** - Always use a **RELEASE**. DO NOT use the `master` branch.
 
-> **NOTE** - For full ElastiFlow 4.0.0 functionality, including Kibana's SIEM and Logs apps, you should use X-Pack Basic or one of the commercial X-Pack tiers.
+> **NOTE** - For full ElastiFlow 4.0.x functionality, including Kibana's SIEM and Logs apps, you should use X-Pack Basic or one of the commercial X-Pack tiers.
 
 ## Elastic Stack Compatibility
 
 Refer to the following compatibility chart to choose a release of ElastiFlow™ that is compatible with the version of the Elastic Stack you are using.
 
 Elastic Stack | ElastiFlow™ 3.x | ElastiFlow™ 4.x
 :---:|:---:|:---:
-7.8+ |  | ✓ v4.0.0
+7.8+ |  | ✓ v4.0.x
 7.5-7.7 |  | ✓ v4.0.0-beta
 7.0-7.4 | ✓ v3.5.x |
 6.7 | ✓ v3.4.2 |
@@ -38,7 +38,7 @@ Elastic Stack | ElastiFlow™ 1.x | ElastiFlow™ 2.x | ElastiFlow&trade
 5.5 | ✓ |  |  |
 5.4 | ✓ |  |  |
 
-> NOTE: The instructions that follow are for ElastiFlow™ 4.0.0 and above on Elastic Stack 7.5.x and higher.
+> NOTE: The instructions that follow are for ElastiFlow™ 4.0.0 and above on Elastic Stack 7.8.x and higher.
 
 ## Requirements
 

docker-compose-macos.yml

@@ -91,7 +91,7 @@ services:
       LOGGING_QUIET: 'false'
 
   elastiflow-logstash:
-    image: robcowart/elastiflow-logstash:4.0.0
+    image: robcowart/elastiflow-logstash:4.0.1
     container_name: elastiflow-logstash
     restart: 'no'
     depends_on:

docker-compose.yml

@@ -80,7 +80,7 @@ services:
       LOGGING_QUIET: 'false'
 
   elastiflow-logstash:
-    image: robcowart/elastiflow-logstash:4.0.0
+    image: robcowart/elastiflow-logstash:4.0.1
     container_name: elastiflow-logstash
     restart: 'no'
     depends_on:

docker_build.sh

@@ -15,4 +15,4 @@
 # Robert Cowart are Copyright (C)2020 Robert Cowart. All Rights Reserved.
 #------------------------------------------------------------------------------
 
-docker build --build-arg BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ') --no-cache -t robcowart/elastiflow-logstash:4.0.0 .
+docker build --build-arg BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ') --no-cache -t robcowart/elastiflow-logstash:4.0.1 .

logstash/elastiflow/conf.d/20_filter_10_begin.logstash.conf

@@ -36,12 +36,12 @@ filter {
       "[host][name]" => "%{[@metadata][host]}"
       "[agent][name]" => "elastiflow"
       "[agent][type]" => "logstash"
-      "[agent][version]" => "4.0.0"
+      "[agent][version]" => "4.0.1"
       "[agent][id]" => "${ELASTIFLOW_AGENT_ID:elastiflow}"
       "[event][module]" => "flow"
       "[event][kind]" => "event"
     }
-    replace => { "@version" => "4.0.0" }
+    replace => { "@version" => "4.0.1" }
   }
 
   # Add agent.hostname - the host running the Logstash instance.

logstash/elastiflow/conf.d/30_output_10_single.logstash.conf

@@ -24,9 +24,9 @@ output {
     #cacert => "/PATH/TO/CERT"
     user => "${ELASTIFLOW_ES_USER:elastic}"
     password => "${ELASTIFLOW_ES_PASSWD:changeme}"
-    index => "elastiflow-4.0.0-%{+YYYY.MM.dd}"
+    index => "elastiflow-4.0.1-%{+YYYY.MM.dd}"
     template => "${ELASTIFLOW_TEMPLATE_PATH:/etc/logstash/elastiflow/templates}/elastiflow.template.json"
-    template_name => "elastiflow-4.0.0"
+    template_name => "elastiflow-4.0.1"
     template_overwrite => "true"
   }
 }

logstash/elastiflow/conf.d/30_output_20_multi.logstash.conf.disabled

@@ -24,9 +24,9 @@ output {
     #cacert => "/PATH/TO/CERT"
     user => "${ELASTIFLOW_ES_USER:elastic}"
     password => "${ELASTIFLOW_ES_PASSWD:changeme}"
-    index => "elastiflow-4.0.0-%{+YYYY.MM.dd}"
+    index => "elastiflow-4.0.1-%{+YYYY.MM.dd}"
     template => "${ELASTIFLOW_TEMPLATE_PATH:/etc/logstash/elastiflow/templates}/elastiflow.template.json"
-    template_name => "elastiflow-4.0.0"
+    template_name => "elastiflow-4.0.1"
     template_overwrite => "true"
   }
 }

logstash/elastiflow/templates/elastiflow.template.json

@@ -1,7 +1,7 @@
 {
   "order": 0,
   "version": 40000,
-  "index_patterns": "elastiflow-4.0.0-*",
+  "index_patterns": "elastiflow-4.0.1-*",
   "settings": {
     "index": {
       "number_of_shards": 3,
@@ -21,7 +21,7 @@
   "mappings": {
     "_meta" : {
       "beat" : "elastiflow",
-      "version" : "4.0.0"
+      "version" : "4.0.1"
     },
     "_source" : {
       "enabled" : true