Agent v2.8.0

Pipeline Secrets, Persistent Queue Strategies, Google SecOps Destination, Kerberos Authentication for Kafka, and Enhanced Destination Configuration Options.

  4 minute read  

December 2, 2025

New Features

  • Pipeline Secrets: Introduced pipeline secrets for storing encrypted credentials in configuration files with placeholder references. Secrets are encrypted at rest using AES-256-GCM and decrypted only at runtime, ensuring sensitive values are never logged or exposed in plaintext. Secrets support both UI-created (default mode) and CLI-created (masterkey mode) encryption methods.
  • Persistent Queue Strategies: Added configurable persistent queue strategies to destination nodes (see S3 for example) for output buffering with three modes: error (default) writes to disk only when destinations are unreachable for lowest latency; backpressure writes to disk when in-memory buffers reach 80% capacity for balanced durability; and always writes every event to disk before sending for maximum durability. The strict_ordering option controls whether newer events can bypass older buffered events during backpressure recovery.
  • Google SecOps Destination: Added Google SecOps destination node for sending telemetry data directly to Google Security Operations (Chronicle) for security analytics and threat detection.
  • Kerberos Authentication for Kafka: Added Kerberos authentication support to Kafka source node, enabling secure data ingestion from Kerberos-protected Kafka clusters in enterprise environments.
  • Apache Kudu Security: Enhanced Apache Kudu destination with Kerberos authentication and encryption support for secure enterprise data warehouse integration.
  • Datadog Trace Support: Added trace capability to Datadog output node, enabling distributed tracing data to be sent directly to Datadog APM for end-to-end observability.
  • Metrics in Splunk HEC Input: Extended Splunk HEC input node to support ingesting metrics in addition to logs, enabling unified telemetry collection from Splunk HEC-compatible sources.
  • Dynamic Elastic Index: Added dynamic index support to Elastic destination via expressions, allowing index names to be computed dynamically based on data item attributes for flexible index routing.
  • Cron-based HTTP Pull Scheduling: Added cron-based scheduling support to HTTP Pull sources, enabling precise scheduling of data retrieval at specific intervals using standard cron syntax.

Enhancements

  • Keep Overridden Fields: Added keep_overridden_index, keep_overridden_token, and similar options to multiple destination nodes including Splunk TCP, Elastic, Splunk HEC, GCS, CloudWatch, and GCL. These options preserve original field values when dynamic expressions override them, enabling dual-write scenarios where both original and computed values are needed.
  • Prometheus Remote Write Authentication: Added authentication and custom header support to Prometheus remote write destination, enabling secure metric forwarding to authenticated Prometheus-compatible endpoints.
  • New Relic Output Buffer: Added output buffering to New Relic destination, improving reliability and throughput when sending telemetry data to New Relic.
  • OTEL Histogram Support: Updated OTLP input and output nodes to support the latest metric histogram structure from OpenTelemetry, ensuring compatibility with current OTEL collector versions.
  • User-Provided Parquet Schema: Added support for user-provided schema definitions when processing raw Parquet files in archive operations (see S3 or GCS), enabling precise control over column types and structure.
  • Raw Schema for Archive: Added support for Raw schema type in archive operations, providing flexibility in how archived data is structured and stored.
  • Buffer Metrics: Added ed.buffer.* metrics for monitoring persistent queue usage and performance, and ed.pipeline.node.throttle metric for tracking node throttling events, improving observability of pipeline backpressure conditions.
  • OTEL Semantic Conventions: Added additional OpenTelemetry semantic convention resource attributes and labels to improve trace and metric correlation.
  • Splunk Field Retention: Ensured Splunk-specific fields are retained after deotel processing, preserving source, sourcetype, and index metadata through OTEL transformations.
  • Trace ID Parsing: Added decimal parsing support for trace and span IDs, improving compatibility with trace systems that use decimal ID formats.
  • S3 Test Event Handling: Enhanced S3 input node to properly handle AWS S3 test events, preventing unnecessary processing of test notifications.
  • Splunk TCP Noise Reduction: Reduced log noise from expected EOF events during Splunk TCP connection handshakes, improving log clarity.
  • GCL Self Telemetry: Fixed self telemetry reporting in GCL destination when using custom item types.

Bug Fixes

  • OTTL Context Filter Deadlock: Fixed a deadlock issue in OTTL context filter processor that could cause agent crashloops under certain conditions.

Security

  • CVE-2025-47913 Fix: Updated golang.org/x/crypto dependency to address CVE-2025-47913, a security vulnerability in the cryptographic library.

Known Issues

  • GCS Destination Excessive Write Requests: A regression in this release causes the GCS destination to issue excessive write requests, potentially increasing costs and API usage. This issue is fixed in v2.11.0. Users experiencing high GCS API usage should upgrade to v2.11.0 or later.

Breaking Changes

  • Source Samples Input Removed: The ed_source_samples_input node type has been removed. Pipelines using this node type will fail to start. This node was previously used for internal source detection and has been replaced with improved mechanisms.