.. _Release Notes_7.78.3:
.. _Release Notes_7.78.3_Prelude:
Released on: 2026-05-07
`7.78.3 tag on integrations-core <https://github.com/DataDog/integrations-core/blob/master/AGENT_CHANGELOG.md#datadog-agent-version-7783>`_ for the list of changes on the Core Checks
.. _Release Notes_7.78.3_Security Notes:
go.opentelemetry.io/otel/sdk to v1.43.0 to address
`CVE-2026-39883 <https://nvd.nist.gov/vuln/detail/CVE-2026-39883>`_,
a PATH-hijacking vulnerability in the OpenTelemetry Go SDK's host
detection on BSD and Solaris platforms (the SDK invoked the
kenv command without an absolute path). The Datadog Agent's
primary supported platforms (Linux, Windows, macOS) are not
affected at runtime, but the dependency is upgraded to keep the
shipped binary free of the vulnerable code.
.. _Release Notes_7.78.2:
.. _Release Notes_7.78.2_Prelude:
Released on: 2026-04-29
`7.78.2 tag on integrations-core <https://github.com/DataDog/integrations-core/blob/master/AGENT_CHANGELOG.md#datadog-agent-version-7782>`_ for the list of changes on the Core Checks
.. _Release Notes_7.78.2_Enhancement Notes:
datadog-agent otel command to install/remove DDOT from an OCI package.
.. _Release Notes_7.78.2_Deprecation Notes:
Install-Datadog.ps1 PowerShell script is deprecated and will be removed in a future version. Please use datadog-installer.exe or the MSI installer instead.
Visit the `in-app installation guide <https://app.datadoghq.com/fleet/install-agent/latest?platform=windows>`_ for complete up-to-date installation instructions.
.. _Release Notes_7.78.2_Bug Fixes:
The signature check in Install-Datadog.ps1 is now more accommodating to formatting variations in the CN field.
Refer to the `Agent Data Security <https://docs.datadoghq.com/data_security/agent/#windows-msi>`_ page for more information on validating signatures.
Fixes user-defined network_path.collector.filters being silently
dropped when infrastructure_mode is set to end_user_device.
Custom filters are now correctly appended to the built-in EUDM defaults.
.. _Release Notes_7.78.1:
.. _Release Notes_7.78.1_Prelude:
Released on: 2026-04-23
`7.78.1 tag on integrations-core <https://github.com/DataDog/integrations-core/blob/master/AGENT_CHANGELOG.md#datadog-agent-version-7781>`_ for the list of changes on the Core Checks
.. _Release Notes_7.78.1_Enhancement Notes:
The Agent's embedded Python has been upgraded from 3.13.12 to 3.13.13
Agents are now built with Go 1.25.9.
.. _Release Notes_7.78.1_Bug Fixes:
Fix missing signature on macOS Agent packages
Fix the system-probe SELinux policy module failing to load on RHEL 7
with policydb module version 21 does not match my version range 4-19.
The module is now compiled against modular policy version 19, which is
the highest version supported by RHEL 7 and is backward-compatible with
newer RHEL releases.
Add logic to include integrations that do not have a manifest.json file in the Agent.
Adds the tasks/agent.py file to the list of files used to compute the global omnibus cache.
.. _Release Notes_7.78.0:
.. _Release Notes_7.78.0_Prelude:
Released on: 2026-04-15
`7.78.0 tag on integrations-core <https://github.com/DataDog/integrations-core/blob/master/AGENT_CHANGELOG.md#datadog-agent-version-7780>`_ for the list of changes on the Core Checks
.. _Release Notes_7.78.0_Upgrade Notes:
APM OTLP: Changed attribute precedence behavior when looking up OpenTelemetry semantic convention attributes that have multiple equivalent keys (e.g., http.status_code vs http.response.status_code, deployment.environment vs deployment.environment.name).
Previous behavior: When both old and new semantic convention keys existed, the lookup would check ALL keys in span attributes before checking ANY key in resource attributes. So whichever key appeared in span attributes would win, regardless of which key was in resource attributes.
New behavior: The lookup now uses a per-concept precedence order. For each semantic concept, the registry defines an ordered list of attribute keys; the first key that has a value is returned. The precedence order (which key takes priority) depends on the concept and may prefer either the newer or the older convention key. Span vs resource precedence (which map is checked first) is unchanged and still depends on the function.
Who is affected: This change only affects users who have the same concept represented by different convention-version keys in span vs resource attributes. The returned value may now come from a different key than before, according to the concept's precedence order.
This is an uncommon configuration since most instrumentation libraries use consistent semantic convention versions across span and resource attributes.
.. _Release Notes_7.78.0_New Features:
Allows the Agent to get an API key in exchange for an AWS cloud authorization proof. This allows you to use your AWS credentials against Datadog and removes the need for you to manage an API key. More details can be found here: https://docs.datadoghq.com/account_management/cloud_provider_authentication/
The autoscaling vertical controller now supports in-place vertical pod resizing.
Add a new configuration provider, which schedules new instances of KSM checks to generate metrics
from CustomResourceDefinitions.
This new provider works with the kube_crd listener which listens for CustomResourceDefinitions
created on the cluster and triggers a new autodiscovery-service for each one.
This new configuration provider must use the standard kubernetes GroupVersionKind format in its
AdvancedADIdentifier section to apply to a matching CustomResourceDefinition.
The rest of the configuration is a standard KSM configuration instance.
CNM - Add 7 per-connection TCP congestion signals: rto_count (RTO loss events), recovery_count (fast recovery events), reord_seen (send-side reordering), rcv_ooopack (receive-side out-of-order packets), delivered_ce (ECN CE-marked segments), ecn_negotiated (ECN negotiation status), and probe0_count (zero-window probes). Collected via eBPF on CO-RE and runtime-compiled tracers, Linux only.
dd-procmgrd can now read process definitions and manage child process lifecycles with graceful shutdown.
dd-procmgrd now supervises managed processes with configurable restart policies, exponential backoff, and burst limiting.
dd-procmgrd can now manage the DDOT (Datadog Distribution of OpenTelemetry) collector process via a dual-mode mechanism. When a processes.d/datadog-agent-ddot.yaml config is present, dd-procmgrd takes over DDOT lifecycle management; otherwise the existing systemd unit manages it directly.
Automatic SBOM generation for running containers via system-probe
Runtime usage tracking - identifies which files and packages are actively accessed by running processes
Security enrichment - flags SUID binaries and processes running as root
gRPC streaming from system-probe to core agent for efficient SBOM forwarding
Automatic CWS policy generation based on running container SBOMs.
.. _Release Notes_7.78.0_Enhancement Notes:
The agent now supports explicitly set cluster names that start with a digit or contain underscores.
Add source and provider fields to rtloader API and add integration_security configuration properties.
secrets-generic-connector: Allow configuration of X-Vault-AWS-IAM-Server-ID header for Hashicorp Vault AWS authentication method.
Helps to prevent different types of replay attacks.
APM: When a 403 is received from the backend, trigger an API Key refresh, and retry the payload submission.
Secret Generic Connector: The Azure Key Vault backend now supports
Service Principal authentication with client secret or client certificate,
in addition to Managed Identity. Credentials are configured under the
azure_session block (azure_tenant_id, azure_client_id,
azure_client_secret or azure_client_certificate_path).
Agents are now built with Go 1.25.8.
dd-procmgr: Add CLI for the dd-procmgrd process manager. Processes are addressable by name or UUID.
dd-procmgrd: Add gRPC server over Unix socket with read-only RPCs (List, Describe, GetStatus) for querying managed process state.
dd-procmgrd: Add multi-process startup ordering via after/before config fields with topological sort and reverse shutdown order.
dd-procmgrd: Add write RPCs (Create, Start, Stop, ReloadConfig, GetConfig) for runtime control of managed processes.
The disk check now falls back to lsblk when blkid fails or
returns no labels for disk label tagging. This ensures label and
device_label tags are present on disk metrics even when the agent
runs as a non-root user, since lsblk reads from sysfs and does
not require elevated privileges.
Document kubernetes_use_endpoint_slices flag
Add X-Datadog-Additional-Tags header with hostname and agent version to data-streams-message HTTP requests.
DSM: The kafka_actions check now automatically inherits Schema Registry
configuration (URL, credentials, TLS, OAuth) from the kafka_consumer
integration, enabling schema registry support without additional configuration.
DDOT now sets deployment_type on the Datadog extension to by default, or when Gateway mode is enabled.
.. _Release Notes_7.78.0_Security Notes:
.. _Release Notes_7.78.0_Bug Fixes:
APM: Fix an issue where SQL stats group resources longer than 5000 characters were truncated before obfuscation, causing the trace-agent to fail to parse mid-token fragments and log an error instead of correctly obfuscating the query.
Use atomic file replacement (write to temp file then rename) when writing APM workload selection policy files, preventing concurrent readers from seeing partially-written data.
Fixed a race condition in the logs auditor where Flush() could write a
stale registry to disk during a transport restart. The auditor now drains
all pending payloads from its input channel before flushing, ensuring file
offsets are up to date and reducing duplicate log processing after a
TCP-to-HTTP transport switch.
[DBM] Bump go-sqllexer to v0.2.1 to fix the following bugs:
SELECT * FROM t1, t2).
The diagnose command now returns an error if an API key is not configured.
Fixes panic when advanced dispatching is disabled when KSM Core is run as a cluster check.
Fix support of Kafka actions for configurations where kafka_connect_str is a list.
Fixed a bug in the disk Go check (diskv2) where partition enumeration could hang indefinitely on Windows when an orphaned or offline volume is present on the system. The check now applies the configured timeout (default 5s) to partition discovery and guards against spawning duplicate goroutines on subsequent check runs, preventing permanent worker starvation, goroutine buildup, and high CPU utilization.
The process check now reports the correct container host type on ECS Managed Instances when the agent runs as a daemon.
Fixed kafka actions failing to match the local kafka_consumer integration
when the bootstrap_servers tag exceeds the 200-character backend tag
limit. Long broker lists (e.g. 3+ MSK brokers) are now truncated to match
the backend's tag normalization.
APM: Fix base_service tag being missed on a subset of APM stats matching span.kind=server.
Fix kube_distribution tag value detection logic by analyzing node system info first.
Fixed a memory leak in the kubernetes_state_core check caused by
orphaned reflector goroutines in the KSM store during rebuilds. This led
to unbounded memory growth and potential OOM kills.
The Go network v2 check now correctly monitors the host network namespace when running in a container, similar to the Python version's behavior.
.. _Release Notes_7.78.0_Other Notes:
The agent status output and process-agent endpoint list now display only the last 4 characters
of the API key (previously 5), aligning with the Datadog UI.
Added functions to support delegated authentication with the agent in order to exchange AWS proofs for API keys for use by the agent. This does not actually enable this functionality yet.
Add metric origin for Dell Powerflex. Fix metric origins for Control-M and Prefect.
.. _Release Notes_7.77.3:
.. _Release Notes_7.77.3_Prelude:
Released on: 2026-04-08
`7.77.3 tag on integrations-core <https://github.com/DataDog/integrations-core/blob/master/AGENT_CHANGELOG.md#datadog-agent-version-7773>`_ for the list of changes on the Core Checks
.. _Release Notes_7.77.3_Bug Fixes:
.. _Release Notes_7.77.2:
.. _Release Notes_7.77.2_Prelude:
Released on: 2026-04-01
`7.77.2 tag on integrations-core <https://github.com/DataDog/integrations-core/blob/master/AGENT_CHANGELOG.md#datadog-agent-version-7772>`_ for the list of changes on the Core Checks
.. _Release Notes_7.77.2_Enhancement Notes:
Hide GUI app by default for MacOS agent per-user install.
Windows: Add PAR self-enrollment to installer.
.. _Release Notes_7.77.2_Bug Fixes:
Fixes Workload Protection raw-packet eBPF programs when multiple packet filters are compiled together. The generated assembly reused register R8 both as the event pointer expected by the filter chain and to hold immediate values, which corrupted the pointer and caused the kernel BPF verifier to reject the program. The code now uses a separate register for those immediates so the pointer is preserved across filters.
Workload Protection: resolves an issue in in-kernel cgroup tracking, enabling packet filtering to be correctly applied to containers.
.. _Release Notes_7.77.1:
.. _Release Notes_7.77.1_Prelude:
Released on: 2026-03-24
`7.77.1 tag on integrations-core <https://github.com/DataDog/integrations-core/blob/master/AGENT_CHANGELOG.md#datadog-agent-version-7771>`_ for the list of changes on the Core Checks
.. _Release Notes_7.77.1_Enhancement Notes:
1.25.8.
.. _Release Notes_7.77.1_Bug Fixes:
Fixed a bug introduced in 7.77.0 that prevents system-probe from starting on Fargate environments when Workload Protection is enabled
Fixed a command injection vulnerability in the Private Action Runner's inline PowerShell script execution. Parameter values are now assigned as PowerShell single-quoted string literals in a preamble instead of being substituted directly into the script body, preventing arbitrary code execution via crafted parameter inputs.
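The fix described above, sketched as an added Go example (not the Private Action Runner's own code): the ``{{ name }}`` placeholder syntax and all function names are assumptions made for illustration. It contrasts direct substitution into the script body with a preamble of single-quoted literals, and also doubles the Unicode quote characters that PowerShell accepts as single-quote delimiters.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Hypothetical placeholder syntax used by the "before" form: {{ name }}.
var placeholder = regexp.MustCompile(`\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}`)

// Parameter names become PowerShell variable names in the preamble, so they
// are restricted to plain identifiers.
var validName = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// renderSubstituted is the vulnerable pattern: the raw parameter value is
// pasted into the script body, so the value is parsed as PowerShell code.
func renderSubstituted(script string, params map[string]string) string {
	return placeholder.ReplaceAllStringFunc(script, func(m string) string {
		name := placeholder.FindStringSubmatch(m)[1]
		if v, ok := params[name]; ok {
			return v
		}
		return m
	})
}

// psSingleQuote returns value as a PowerShell single-quoted string literal.
// Inside such a literal nothing is expanded; the only escape is a doubled
// quote. PowerShell's tokenizer also treats U+2018, U+2019, U+201A and U+201B
// as single-quote characters, so those are doubled as well.
func psSingleQuote(value string) string {
	var b strings.Builder
	b.WriteByte('\'')
	for _, r := range value {
		switch r {
		case '\'', '\u2018', '\u2019', '\u201A', '\u201B':
			b.WriteRune(r) // emit the quote twice
		}
		b.WriteRune(r)
	}
	b.WriteByte('\'')
	return b.String()
}

// renderWithPreamble is the hardened pattern: each parameter is assigned to a
// variable as a single-quoted literal, and the unmodified script body refers
// to it as $name. Parameter values never reach the parser as code.
func renderWithPreamble(script string, params map[string]string) (string, error) {
	names := make([]string, 0, len(params))
	for name := range params {
		if !validName.MatchString(name) {
			return "", fmt.Errorf("invalid parameter name %q", name)
		}
		names = append(names, name)
	}
	sort.Strings(names) // deterministic preamble order

	var b strings.Builder
	for _, name := range names {
		fmt.Fprintf(&b, "$%s = %s\n", name, psSingleQuote(params[name]))
	}
	b.WriteString(script)
	return b.String(), nil
}

func main() {
	// Constructed sample input: a value that closes the surrounding quote.
	params := map[string]string{"service": "ddnpm'; Write-Output INJECTED; '"}

	fmt.Println("-- substituted into the body (value becomes code):")
	fmt.Println(renderSubstituted("Get-Service -Name '{{ service }}'", params))

	fmt.Println("-- assigned in a preamble (value stays data):")
	out, err := renderWithPreamble("Get-Service -Name $service", params)
	if err != nil {
		panic(err)
	}
	fmt.Println(out)
}
```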
.. _Release Notes_7.77.0:
.. _Release Notes_7.77.0_Prelude:
Released on: 2026-03-18
`7.77.0 tag on integrations-core <https://github.com/DataDog/integrations-core/blob/master/AGENT_CHANGELOG.md#datadog-agent-version-7770>`_ for the list of changes on the Core Checks
.. _Release Notes_7.77.0_Upgrade Notes:
APM OTLP: The datadog.* namespaced span attributes are no longer used to construct Datadog span fields. Previously, attributes like datadog.service, datadog.env, and datadog.container_id were used to directly set corresponding Datadog span fields. This functionality has been removed and the Agent now relies solely on standard OpenTelemetry semantic conventions.
Exceptions:
datadog.host.name attribute continues to be respected for hostname resolution as documented at https://docs.datadoghq.com/opentelemetry/mapping/hostname/.
datadog.container.tag.* attributes continue to be supported for custom container tags.
The configuration option otlp_config.traces.ignore_missing_datadog_fields (and corresponding environment variable DD_OTLP_CONFIG_IGNORE_MISSING_DATADOG_FIELDS) is deprecated and no longer has any effect. The Agent now always uses standard OTel semantic conventions.
Migration: If you were using datadog.* attributes, switch to the standard OpenTelemetry semantic conventions:
datadog.service → service.name
datadog.env → deployment.environment.name (OTel 1.27+) or deployment.environment
datadog.version → service.version
datadog.container_id → container.id
Who is affected: Users who explicitly set datadog.* attributes (other than datadog.host.name and datadog.container.tag.*) in their OpenTelemetry instrumentation to override default field mappings. Users relying solely on standard OpenTelemetry semantic conventions are not affected.
.. _Release Notes_7.77.0_New Features:
Add dd-procmgrd, a minimal Rust daemon for the Datadog process manager. The daemon starts, logs, and waits for a shutdown signal. It does not provide user-facing functionality.
Add a new listener based on all Custom Resource Definitions (CRDs) found on the cluster.
Logs pipeline failover: Added automatic failover capability to prevent log loss when compression blocks pipelines.
When a pipeline becomes blocked during compression, log messages are automatically routed to healthy pipelines.
N router channels (one per pipeline) distribute tailers via round-robin, each with its own forwarder goroutine
that handles failover independently across all pipelines.
Enable with logs_config.pipeline_failover.enabled: true (default: false).
When all pipelines are blocked, backpressure is applied to prevent data loss.
The system memory check on Linux can now collect memory pressure metrics
from /proc/vmstat to help detect memory pressure before OOM events occur.
To enable, set collect_memory_pressure: true in the memory check configuration.
New metrics: system.mem.allocstall (with zone tag),
system.mem.pgscan_direct, system.mem.pgsteal_direct,
system.mem.pgscan_kswapd, system.mem.pgsteal_kswapd.
APM: Add support for span-derived primary tags in APM stats aggregation.
This allows configuring tag keys via apm_config.span_derived_primary_tags
that will be extracted from span tags and used as additional aggregation
dimensions for APM statistics.
APM: Add initial support for converting trace payload formats to the new "v1.0" format. This feature is disabled by default but can be enabled by adding the feature flag "convert-traces" to apm_config.features. It is not recommended to use this flag without direction from Datadog Support.
Integrate the Private Action Runner into the Datadog Cluster Agent.
The Private Action Runner (PAR) now runs in the Datadog Cluster Agent with improved identity management for Kubernetes environments. PAR identity (URN and private key) is now stored in a Kubernetes secret and shared across all DCA replicas using leader election. The leader replica handles enrollment and secret creation, while follower replicas wait for and read the shared identity. This enables multiple DCA replicas to execute PAR tasks using a single cluster identity, eliminating the need for per-replica enrollment.
Add a Windows PowerShell example config for private action runner scripts.
APM: Add image_volume-based library injection as an alternative to init containers and csi driver (experimental). Available only for Kubernetes 1.33+. This provides faster pod startup.
.. _Release Notes_7.77.0_Enhancement Notes:
The Agent's embedded Python has been upgraded from 3.13.11 to 3.13.12.
Add ntp.offset metric with source:intake tag to monitor clock drift using
Datadog intake server timestamps. Original ntp.offset metric calculated from
an NTP server is now tagged source:ntp.
As of Kubernetes version 1.33, the Endpoint API object has been deprecated in favor of EndpointSlice.
Autodiscovery now supports the use of an EndpointSlice listener and provider to collect endpoint checks.
To enable this feature, set kubernetes_use_endpoint_slices to true in your Datadog Agent configuration.
Add bucket label to image_resolution_attempts telemetry to track gradual rollout progress.
Added a private action runner bundle that exposes the Network Path
traceroute functionality through the getNetworkPath action.
Sends telemetry for synthetics tests run on the agent, including checks received, checks processed, and error counts for test configuration, traceroute, and event platform result submission.
Added support for two new configurations for tag-based gradual rollout in Kubernetes SSI deployments. The gradual rollout can be configured using the following parameters:
DD_ADMISSION_CONTROLLER_AUTO_INSTRUMENTATION_GRADUAL_ROLLOUT_ENABLED: Whether to enable gradual rollout (default: true)
DD_ADMISSION_CONTROLLER_AUTO_INSTRUMENTATION_GRADUAL_ROLLOUT_CACHE_TTL: The cache TTL duration for the gradual rollout image cache (default: 1h)
Agent metrics now include a connection_type tag with a value of
tcp, uds, or pipe for lib-to-agent communications.
Automatically collect the team tag when a Kubernetes resource has a team
label or annotation and explicit team tag extraction is not configured.
Enables the agent to support built-in credentials like IRSA for AWS cloud environments.
Bump go-sqllexer to v0.1.13, improving SQL obfuscation performance
and fixing incorrect tokenization of multi-byte UTF-8 characters
(e.g., CJK characters, full-width punctuation).
.. _Release Notes_7.77.0_Deprecation Notes:
.. _Release Notes_7.77.0_Security Notes:
Oracle check: PDB names in ALTER SESSION SET CONTAINER statements
are now properly quoted to prevent SQL injection.
The Jetson integration now validates the tegrastats_path configuration option to prevent command injection.
The path must be absolute and cannot contain shell metacharacters or whitespace.
.. _Release Notes_7.77.0_Bug Fixes:
APM: Fix panic that could occur when decoding malformed v1.0 trace payloads.
APM: Correctly mark traces as probability sampled when using the trace V1 format.
APM: Fix issue where v1 trace writer might not flush traces during an agent shutdown.
The container and process discovery checks are now disabled when the process check is enabled for service discovery.
Detect correct launch type for ECS Managed Instances when running in daemon mode.
Fixed a minor but persistent memory leak in the logs endpoint diagnostic behavior.
Fixes an issue where agent check --flare created the checks directory with 0000 permissions, preventing check output files from being written. The directory is now created with 0750 permissions.
Changed integration log file behavior to delete and recreate instead of truncating. This should help prevent duplicate and missing logs from integrations.
Fixes using ReplicaSet creation time for rollout duration, because rollbacks reuse existing ReplicaSets, causing durations to show as hours/days instead of the actual rollback time. The fix tracks revision annotation changes and resets the start time to now when a rollback is detected.
Oracle check: Fix a bug where custom queries accumulated metrics across iterations, causing metrics from earlier queries to be re-sent with each subsequent query in the same check run.
Oracle check: Fix potential panic in sendMetric when the sender or
metric function cannot be resolved.
Oracle check: Fix custom query error accumulation so that type errors from earlier queries are no longer silently discarded.
Oracle check: Report a clear error when a custom query returns a NULL value for a metric column instead of an "UNKNOWN" type error message.
Oracle check: Detect column count mismatches in both directions (too many or too few) between custom query results and configured column mappings.
Oracle check: Remove redundant GetSender call in custom query
handling in favor of the existing commit helper.
Oracle check: Replace per-call map allocations with switch statements in custom query metric helpers for improved performance.
Fixed a bug where log lines exactly at the logs_config.max_message_size_bytes
limit (default 900KB) were incorrectly marked as truncated. This caused the
...TRUNCATED... marker to appear in logs that fit within the size limit,
and incorrectly marked the subsequent log line as a truncated remainder.
Additionally, improved truncation detection by extending the FrameMatcher interface
to explicitly signal when content is truncated, ensuring consistent truncation state
across the framer and handler components.
.. _Release Notes_7.77.0_Other Notes:
.. _Release Notes_7.76.3:
.. _Release Notes_7.76.3_Prelude:
Released on: 2026-03-09
`7.76.3 tag on integrations-core <https://github.com/DataDog/integrations-core/blob/master/AGENT_CHANGELOG.md#datadog-agent-version-7763>`_ for the list of changes on the Core Checks
.. _Release Notes_7.76.3_Security Notes:
Bump github.com/cloudflare/circl to v1.6.3 to fix CVE-2026-1229.
Fixed a limited out-of-bounds memory read and DoS vulnerability in Windows kernel driver while handling TLS traffic. The host must have the ddnpm kernel driver service running, by having system_probe_config and network_config enabled, to be affected. This configuration is not enabled by default.
Query with PowerShell: Get-Service ddnpm
Query with command prompt: sc query ddnpm
.. _Release Notes_7.76.3_Bug Fixes:
On Windows, the APM SSI installer now automatically enables system-probe to report injection telemetry from the ddinjector driver.
Kubernetes pod check annotations: Invalid JSON in pod check annotations
(ad.datadoghq.com/<container>.checks) now produces a clear error message
in the "Configuration Errors" section of agent status. A new CLI command
agent validate-pod-annotation validates annotation JSON from a file or
stdin and exits with an error on invalid syntax, so you can catch mistakes
before applying annotations to pods.
daemonsetgatewayThe podman_db_path configuration option now accepts a comma-separated list of paths to support monitoring containers from multiple users simultaneously (e.g. root and rootless users). Example: podman_db_path: "/var/lib/containers/storage/db.sql,/home/myuser/.local/share/containers/storage/db.sql". When podman_db_path is not set, the Agent automatically discovers Podman databases for the root user and for all users under /home/. Log collection (logs_config.use_podman_logs) is also updated to work correctly with both explicit multi-path configuration and auto-discovery.
FIPS variants of the ddot-collector and agent -full images are now published.
Remote Agent Management is now enabled by default on FIPS environments when Remote Configuration is explicitly enabled.
The resource discovery agent (system-probe-lite) now wraps system-probe,
acting as a loader for it. system-probe-lite will automatically fallback to
system-probe when one of the following is true:
discovery.useSystemProbeLite is set to false (the default).
system-probe is enabled.
Bumped the Security Agent policies to `v0.78.0 <https://github.com/DataDog/security-agent-policies/compare/v0.77.0...v0.78.0>`_
Fixes system.net.* metrics when the Agent runs in Docker with the host's procfs
mounted (for example /host/proc with host PID namespace). The Go network check
(network v2) now reads /proc/1/net/dev under that mount so interface stats match
the host; previously /proc/net/dev could resolve in the container network namespace
and report wrong or missing traffic (regression in Agent 7.73+).
Fixed a race condition in the workloadmeta process collector where a containerized process could be permanently stuck with an empty container ID if it was collected before the container runtime reported the PID-to-container mapping.
Fixed a bug in the kubeapiserver check where the eventText length was reported as 0 when it did not fit in the event bundle.
The API server now logs errors from srv.Serve that were previously silently discarded.
When a multiline log processing rule has a pattern that never matches, the logs agent now sends lines individually instead of joining all lines into a single oversized message. Normal multiline aggregation begins once the pattern matches for the first time.
Fixed the network check (v2) ignoring the combine_connection_states configuration option.
When set to false, the check now emits granular per-state TCP metrics
(e.g. system.net.tcp4.close_wait, system.net.tcp4.syn_sent) instead of only
the combined ones (e.g. system.net.tcp4.closing, system.net.tcp4.opening),
restoring parity with the previous Python-based network check.
Fixes a bug in the Network Configuration Management (NCM) module where the SSH Timeout settings were parsed as nanoseconds instead of seconds. This issue caused SSH sessions to time out prematurely, leading to errors like::

    Error running check: failed to connect to 192.168.0.1:22: dial tcp 192.168.0.1:22: i/o timeout

Fixed the Datadog Agent installer on Windows: when DD_PRIVATE_ACTION_RUNNER_ENABLED=true
is set without an explicit DD_PRIVATE_ACTION_RUNNER_ACTIONS_ALLOWLIST, the
Private Action Runner now defaults to com.datadoghq.script.runPredefinedPowershellScript
on Windows and com.datadoghq.script.runPredefinedScript on Linux/macOS.
Preserve odbc.ini and odbcinst.ini across Fleet Automation upgrades on Linux.
Add missing node name to the manifests for Kubernetes resources in the OTEL logs agent exporter.
With systemd, the system-probe service now checks environment variables for
configuration even if system-probe.yaml does not exist.
Fixed an issue on Windows where Cloud Network Monitoring reported TCP failure rates greater than 100%. The Windows kernel driver can report a TCP failure (reset, timeout, or refused connection) without also setting the flow-closed flag. The agent now correctly marks any connection with a TCP failure as closed.
Fixed discovery of Windows processes to identify reused PIDs between process snapshots and correctly track these processes.
Autodiscovery template variables are now supported in ad.datadoghq.com/tags and
ad.datadoghq.com/<container>.tags Kubernetes pod annotations. Template variables
are resolved at runtime, enabling dynamic tagging based on pod and container metadata.
This allows centralized tag configuration that applies to all checks, logs, and traces
without hardcoding pod-specific values.
Start the Windows Private Action Runner service alongside the Agent
when private_action_runner.enabled is set in datadog.yaml.
On Windows, the private action runner binary is now included in the MSI
installer and registered as the datadog-agent-action Windows
service. The service is installed as demand-start with a dependency on the
main Agent service, and its credentials and ACLs are managed alongside the
other Agent services during install, upgrade, and repair.
Add runPredefinedPowershellScript action to the Private Action Runner on Windows.
This action allows running predefined PowerShell scripts (inline or file-based) with
optional parameter templating, JSON schema parameter validation, environment variable
allowlisting, configurable timeouts, and a 10 MB output limit.
On Windows, the Agent stops the private action runner service during MSI upgrades and fleet-driven stop-all operations so it is shut down alongside the Agent.
Agents are now built with Go 1.25.7.
NDM: Cisco SD-WAN interface metadata now includes the is_physical field to distinguish physical
from virtual interfaces (loopback, tunnel). cEdge interfaces also include the type field with
the IANA interface type number.
In the Cluster Autoscaling controller, use Kubernetes client update
instead of patch.
On ECS Managed Instances, detect hostname from IMDS when the agent runs in daemon mode.
On ECS Managed Instances with daemon scheduling, the agent uses ECS_CONTAINER_METADATA_URI_V4 environment variable as a fallback signal for v4 availability.
Expose a new metric kube_apiserver.api_resource that holds the name, kind, group, and version
of all known cluster-wide (non namespaced) resources on the cluster.
Add new DDOT feature gate 'exporter.datadogexporter.DisableAllMetricRemapping' to disable all client-side metric remapping.
Increases the reliability of namespaceLabelsAsTags and
namespaceAnnotationsAsTags for new pods by caching the
last seen namespace metadata.
Added a new, optional configuration setting for journald logs: default_application_name.
If set to a non-empty string, the value will replace "docker" as the default application
name for container-based journald logs.
If set to an empty string, the application name will be determined by the systemd journal fields,
like all non-container based journald logs.
Simplified location permission detection on MacOS by removing the first detection with polling at the time of app startup. The permission detection now happens only at the time of WLAN data collection.
Use config flag 'request_location_permission' in WLAN config to gate location permission request on MacOS
Added the enable_otlp_container_tags_v2 feature flag,
which may reduce the Agent's outgoing traffic when ingesting OTLP traces from containerized applications.
However, the flag introduces some breaking changes:
@);
k8s.pod.uid attribute as a fallback container ID is no longer supported;
The datadog.yaml configuration file now includes a commented-out
private_action_runner section on all platforms.
The Private Action Runner now supports Datadog's secret management features.
It can now resolve secrets using the ENC[...] notation in configuration files,
supporting all secret backends via secret_backend_type and
secret_backend_config settings.
Private Action Runner now supports running as a Windows service via Service Control Manager (SCM).
Bumped the Security Agent policies to `v0.77.0 <https://github.com/DataDog/security-agent-policies/compare/v0.76.0...v0.77.0>`_
SNMP interface metadata now includes type (IF-MIB ifType) and is_physical fields.
The is_physical field is set to true for physical ethernet interface types
(ethernetCsmacd, fastEther, fastEtherFX, gigabitEthernet).
Add support for unconnected UDP sockets in the SNMP corecheck. Automatically fallback to unconnected UDP sockets if the connected UDP socket times out.
APM: Added a new health metric, datadog.trace_agent.receiver.payload_timeout, to track incoming trace payload timeouts caused by client connection closures or middleware timeouts.
Upgraded the Datadog Agent Windows installer from WiX 3 to WiX 5.
Reports telemetry from the Windows Injector, enabled by default.
Disable this feature by setting injector.enable_telemetry=false in system-probe.yaml when running system-probe.
Add Windows version information to the Private Action Runner executable. The version info is now visible in Windows Explorer file properties.
Added a telemetry metric to track pending events in workloadmeta: "workloadmeta.pending_event_bundles".
Avoid blocking workloadmeta collectors when streaming events to remote agents.
Fixes a bug in the admission controller webhook that allowed admission to re-run for pods that already had APM injection in image-volume mode.
Refined location permission checks to avoid unnecessary system prompt. Added prevention for possible installation conflict between per-user and system-wide installations.
Fix data race in opentelemetry-mapping-go/inframetadata.Reporter which could cause a crash with error message "concurrent map iteration and map write".
OTLP logs now support array type attributes. Arrays containing primitive values or nested maps are now correctly preserved in the log output.
Align Private Action Runner configuration keys and log guidance to the
private_action_runner.* snake-case names.
Fix the private action runner PowerShell example config not being installed on Windows.
The file is now correctly placed at C:\ProgramData\Datadog\private-action-runner\powershell-script-config.yaml.
Fix process collection to detect command line changes for processes with the same PID and creation time by hashing the command line.
Fixed a bug where tailing UTF-16 encoded log files (UTF-16-LE or UTF-16-BE) could
produce mojibake (garbled text) when log lines exceeded the configured
logs_config.max_message_size_bytes limit (default 900KB). The truncation was
performed at the byte level without respecting 2-byte UTF-16 character boundaries,
which could split a character in half and produce Unicode replacement characters
(U+FFFD) after decoding. The framer now aligns the truncation limit to a 2-byte
boundary for UTF-16 encodings, ensuring that truncated frames always contain
valid UTF-16 data.
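The UTF-16 truncation behaviour described above, as an added Go example (not the Agent's framer): function names are hypothetical, the sample line is constructed, and the decoder models a lenient decoder that maps a dangling byte to U+FFFD. It splits the same UTF-16-LE bytes at an odd limit with and without aligning the limit to a 2-byte boundary.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"unicode/utf16"
)

// encodeUTF16LE encodes s as UTF-16 little-endian bytes (no BOM).
func encodeUTF16LE(s string) []byte {
	units := utf16.Encode([]rune(s))
	out := make([]byte, 2*len(units))
	for i, u := range units {
		binary.LittleEndian.PutUint16(out[2*i:], u)
	}
	return out
}

// decodeUTF16LE decodes b leniently: complete 2-byte units are decoded and a
// dangling final byte becomes U+FFFD (assumed decoder behaviour).
func decodeUTF16LE(b []byte) string {
	units := make([]uint16, 0, len(b)/2)
	for i := 0; i+1 < len(b); i += 2 {
		units = append(units, binary.LittleEndian.Uint16(b[i:]))
	}
	runes := utf16.Decode(units)
	if len(b)%2 == 1 {
		runes = append(runes, '\uFFFD')
	}
	return string(runes)
}

// splitFrames cuts data into frames of at most limit bytes. With alignUTF16
// set, the limit is first rounded down to an even byte count so that no frame
// ends in the middle of a 2-byte code unit.
func splitFrames(data []byte, limit int, alignUTF16 bool) ([][]byte, error) {
	if alignUTF16 {
		limit &^= 1 // clear the lowest bit: 5 -> 4, 4 -> 4
	}
	if limit <= 0 {
		return nil, fmt.Errorf("limit too small for the encoding")
	}
	var frames [][]byte
	for len(data) > limit {
		frames = append(frames, data[:limit])
		data = data[limit:]
	}
	if len(data) > 0 {
		frames = append(frames, data)
	}
	return frames, nil
}

// decodeAll decodes every frame independently, as a per-frame decoder would.
func decodeAll(frames [][]byte) []string {
	out := make([]string, len(frames))
	for i, f := range frames {
		out[i] = decodeUTF16LE(f)
	}
	return out
}

func main() {
	data := encodeUTF16LE("log: ok") // constructed sample line, 14 bytes
	for _, align := range []bool{false, true} {
		frames, err := splitFrames(data, 5, align)
		if err != nil {
			panic(err)
		}
		// Unaligned: the first frame ends in U+FFFD and later frames start
		// on an odd offset, so their bytes pair up into unrelated characters.
		fmt.Printf("aligned=%v frames=%q\n", align, decodeAll(frames))
	}
}
```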