Agent

Known Issues

• This version does not work properly on versions of macOS older than 13.3, due to a dependency (libz) issue. There is currently no workaround and the recommendation at this time is to downgrade to Agent v7.71.2 or upgrade to v7.72.1 when it becomes available.

Prelude

Release on: 2025-11-03

• Please refer to the 7.72.0 tag on integrations-core for the list of changes on the Core Checks

Upgrade Notes

• The Agent's embedded Python has been upgraded from 3.12.11 to 3.13.7

• The PowerShell install script Install-Datadog.ps1 now executes a different datadog-installer-x86_64.exe subcommand.

  If you always download a fresh Install-Datadog.ps1, then no changes are needed.

  If you have a cached or modified copy of Install-Datadog.ps1, then you must merge the latest changes, or migrate to use the executable setup instead. See the features section for more information.

  Install-Datadog.ps1 is now a light wrapper for downloading and executing datadog-installer-x86_64.exe. The rest of the setup responsibility has been moved into the executable.

New Features

• The Agent now emits the kube_distribution tag based on labels in managed Kubernetes installations with values: eks, gke and aks.

• Add the new metric kubernetes.pod.resize.pending to kubelet check to track pods that have pending resource resize request that can't be satisfied right now. Metrics has reason tag.

• Print service details in the Agent configcheck verbose command output.

• Add Windows DDOT OCI package to support Datadog OpenTelemetry

• The trace-agent running in the Azure App Services Extension now adds function tags to the tracer payloads that it sends to Datadog. This allows the traces to be queried by the trace tags, which is particularly useful for standard filtering in the Datadog UI.

• Add support of CIS Red Hat Enterprise Linux 10 Benchmark in CSPM.

• Add support of CIS Ubuntu 24.04 Benchmark in CSPM.

• Added Datadog OTEL agent as Windows service

  This is part of the effort to add Datadog OpenTelemetry agent as a Windows service.

• Adds support for UDP, ICMP, and TCP Network Path for Windows Client OSes using ddnpm driver.

• Added new Windows Server 2025 container images:

  Release tags:

  • agent:7-ltsc2025 and agent:latest-ltsc2025
  • agent:7-servercore-ltsc2025 and agent:latest-servercore-ltsc2025
  • agent:7-ltsc2025-jmx and agent:latest-ltsc2025-jmx
  • agent:7-servercore-ltsc2025-jmx and agent:latest-servercore-ltsc2025-jmx

  Release candidate tags:

  • agent:7-rc-ltsc2025
  • agent:7-rc-servercore-ltsc2025
  • agent:7-rc-ltsc2025-jmx
  • agent:7-rc-servercore-ltsc2025-jmx

  Version-specific release candidate tags (such as agent:7.X.Y-rc.Z-ltsc2025, agent:7.X.Y-rc.Z-servercore-ltsc2025) are also supported.

  Updated the base multi-arch images to include Windows 2025 images alongside existing Windows 2019 and Windows 2022 variants.

• The Agent can now be configured to restrict which secrets from Kubernetes can be by integration (only apply to secret using the k8s_secret@ prefix).

  Three new settings have been introduced, allowing different levels of control (see datadog.yaml.example for more information).

  • `secret_scope_integration_to_their_k8s_namespace`: limit containers to their own namespace.
  • `secret_allowed_k8s_namespace`: limit containers to a set of predefined namespaces.
  • `secret_image_to_handle`: explicitly list which secret can be accessed by which container image.

• Added integration test to ensure correct population of service and source tags on the truncate log metric.

• USM HTTP2 monitoring configuration now uses a tree structure for improved organization and consistency with other protocol configurations.

  Configuration changes:

  • service_monitoring_config.enable_http2_monitoring → service_monitoring_config.http2.enabled
  • service_monitoring_config.http2_dynamic_table_map_cleaner_interval_seconds → service_monitoring_config.http2.dynamic_table_map_cleaner_interval_seconds

  The previous configuration paths are deprecated but still supported for backward compatibility. Users will receive deprecation warnings and should migrate to the new tree structure. If both old and new configurations are present, the new tree structure takes precedence.

  Environment variable changes:

  • DD_SERVICE_MONITORING_CONFIG_ENABLE_HTTP2_MONITORING → DD_SERVICE_MONITORING_CONFIG_HTTP2_ENABLED
  • DD_SERVICE_MONITORING_CONFIG_HTTP2_DYNAMIC_TABLE_MAP_CLEANER_INTERVAL_SECONDS → DD_SERVICE_MONITORING_CONFIG_HTTP2_DYNAMIC_TABLE_MAP_CLEANER_INTERVAL_SECONDS

• The datadog-installer-x86_64.exe executable can now be used in place of the Install-Datadog.ps1 PowerShell script. The executable is versioned and will only install that version. For example, to install Agent 7.72.0, download and run https://install.datadoghq.com/datadog-installer-7.72.0-1-x86_64.exe. For more information, refer to the [in-app install instructions](https://app.datadoghq.com/fleet/install-agent/latest?platform=windows).

  To install the latest stable Agent version, download and run https://install.datadoghq.com/datadog-installer-x86_64.exe. This executable file is also versioned and will only install one version. It is updated with each release.

  To check the version, run .\datadog-installer-x86_64.exe version.

Enhancement Notes

• Add resize policies for CPU and memory as tags for containers when they are explicitly set on workloads.

• Fix config path patterns for Python 3.13 and add SpecifierSet error handling.

• The cluster agent API now supports querying for node UIDs by name.

• Add support for KSM custom resource definition metrics of type Info, enabling collection and forwarding of custom resource info metrics

• Added tracking of check worker utilization. Utilization stats can be seen using the agent status command. In addition, the Datadog Agent will log a warning if a worker's utilization exceeds a threshold (95% by default).

• Add support for upstream datadogextension to DDOT.

• Adds kubernetes.statefulset.rollout_duration metric to ksm check.

• Added a new 'process' type to the workload filtering system for future use cases.

• Add --json and --pretty-json flags to the health command that will output the health status as JSON.

• [APM] Add support for sql_obfuscation_mode=normalize_only. This mode configures the SQL obfuscator to only normalize the values, without obfuscating them.

• Agents are now built with Go 1.24.9.

• Windows: Cache event publisher metadata to avoid repeated expensive calls to EvtOpenPublisherMetadata.

• The gcp.run.job.enhanced.task.ended enhanced shutdown metric for Cloud Run Jobs now includes the exit code as a tag.

• Since version 7.67.0, the site is converted to a FQDN if it is one of Datadog's domains. A configuration option convert_dd_site_fqdn.enabled has been added to allow disabling this behavior.

• Add support for oss datadog extension in converter.

• Create TCP endpoints for multi-region failover.

• Support for custom queries based scaling in Datadog Pod Autoscaler

• The agent config command now displays only user-configured settings by default, excluding default values. Use agent config --all to display all settings including defaults (previous behavior).

• Added exponential backoff to host metadata collection at startup to increase early host-payload frequency and speed up node-level tag availability.

• Enhanced fingerprinting configuration with file-specific overrides and improved fallback behavior. logs_config.fingerprint_config can now be set on a per-source and global basis, as either [disabled, line_checksum, byte_checksum].

  File-specific configurations take precedence over global settings, with automatic fallback to global config when file configs are missing or incomplete.

• The Datadog Installer now keeps YAML comments when updating the Agent configuration during installation. While comment text is preserved, its format may not be. Changes to whitespace, indentation, or blank lines may occur.

• Migrates the WorkloadMeta filtering system to use the new filtering component. This ensures a consistent experience across all resources.

• Allows NetPath on Windows without local firewall changes.

• Network Path will now run multiple traceroutes and end-to-end probes for each endpoint.

• Set the 'provider-kind' tag at the beginning of the static tag list.

• For better troubleshooting, secret backend version information is now included in the agent secret command, flare output, and other metadata when secret_backend_type is configured and the backend executable supports the --version flag.

• Avoid ReadString allocation in serverless-init log processing for improved efficiency.

• Use zstd compression on logs in serverless-init for better performance.

• dbm: add SQL obfuscation ReplaceBindParameter option to support obfuscating SQL bind parameters.

• Update database monitoring payloads to use the default compression kind.

• Enhanced Windows BSOD reports to include bugcheck arguments. Updated internal filter that drops irrelevant BSOD reports to look for a Datadog driver in any frames of the callstack instead of only the first frame.

• Enhance Windows BSOD reports to include the crash call stack and the Agent version found in the crash dump.

Deprecation Notes

• The Agent PowerShell module is deprecated. It was previously used only in private previews. Use the new [Remote Agent Management](https://docs.datadoghq.com/agent/fleet_automation/remote_management/?tab=windows) installer instead.
• The --python argument is no longer used in the integrations subcommand.
• USM: HTTP configuration flat keys are now deprecated in favor of tree structure format. The following configuration keys are deprecated: service_monitoring_config.enable_http_monitoring, service_monitoring_config.max_http_stats_buffered, service_monitoring_config.max_tracked_http_connections, service_monitoring_config.http_notification_threshold, service_monitoring_config.http_max_request_fragment, service_monitoring_config.http_map_cleaner_interval_in_s, service_monitoring_config.http_idle_connection_ttl_in_s, and service_monitoring_config.http_replace_rules. Use the new tree structure under service_monitoring_config.http.* instead (e.g., service_monitoring_config.http.enabled, service_monitoring_config.http.max_stats_buffered). The deprecated keys remain fully backward compatible, but the new tree structure takes precedence when both are configured.

Security Notes

• Bumped Bouncy Castle dependencies to mitigate against CVE-2025-8885 and CVE-2025-8916 in FIPS images.

Bug Fixes

• Bug fixes to make sure CRI-O collector populates container WLM image ID and repo digest consistently with containerd and docker implementations
• Fixed a bug which causes the ecs_metadata.json file to not be generating when generating an Agent flare on ECS Fargate.
• Fixes an issue which would result in some container.* metrics showing up without any container-related tags associated with them.
• Utilize single origin information source for DogStatsD tag enrichment to avoid tag duplication.
• Removes unused map that was being mutated in a read lock.
• Fixes a bug in the JSON aggregator where the byte offset was not correctly calculated. This ensures no logs are re-collected when auto multiline detection is enabled when the Agent is restarted.
• Fix an issue with the kube_static_cpus tag that resulted in multiple timeseries for the kubernetes.memory.limits metric.
• Ignore ExternalData for tag enrichment in edge cases where ExternalData is not consistent with LocalData.
• The following Kubernetes State Core check metrics now aggregate only scheduled Pods to reflect actually used resources:
  • kubernetes_state.container.<cpu|memory>_requested.total
  • kubernetes_state.container.<cpu|memory>_limit.total
• Fix a panic that could happen in the kubelet check when a pod was deleted while collecting metrics.
• Fixed the "Load more" button in the Agent GUI log page, which was failing to load additional log lines after the initial load.
• Trace Stats with serverless-init are computed in the Agent only. Backend trace stats computation is disabled.
• Fixed the search (Cmd+F) functionality in the settings page of the GUI.
• Start the Agent service when "Configure" is clicked from the systray, if it is not running
• Fixed an issue where certain autodiscovery errors were not shown in the Autodiscovery section of the agent status command.
• Fixes an issue in the Windows NPM driver, where existing connections were incorrectly marked as timeouts when closed. Fixes handle cleanup issues in the Windows NPM driver. Removes overlapping filter in the Windows NPM driver.
• Warns when Logs Agent log configuration is null and handles gracefully, instead of panicking.

Other Notes

• Added the following agent telemetry metrics for debugging gRPC communication within the agent:

  Metric Name	Type	Description
  grpc.request_count	Counter	Total number of gRPC requests processed by the agent
  grpc.error_count	Counter	Total number of gRPC errors encountered by the agent
  grpc.request_duration_seconds	Histogram	Distribution of gRPC request latencies for agent communication
  grpc.payload_size_bytes	Histogram	Distribution of payload sizes for gRPC calls within the agent

• Add new metric origins to the Agent for BentoML, Hugging Face TGI, and IBM Spectrum LSF.

• CPU and wall clock time collection in Python profiling is temporarily disabled to maintain compatibility with Python 3.13.

• Add new metrics to the Agent's origins for Datadog Operator.

Datadog Cluster Agent

Prelude

Released on: 2025-11-03 Pinned to datadog-agent v7.72.0: CHANGELOG.

Bug Fixes

• Fixes an Admission Controller issue where the UDS socket host path was hardcoded, causing mutated pods to miss APM or DogStatsD sockets when custom hostSocketPath values were set via Helm or the Operator.
• Cluster Agent now scrubs secrets when generating flares and cluster check reports.