diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index e309fd0cf132..102c8483e8b8 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -72,7 +72,6 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 * Checkpoint {pull}18754[18754]
 * Netflow {pull}19087[19087]
 * Zeek {pull}19113[19113] (`forwarded` tag is not included by default)
-* Zeek {pull}25564[25564] (Add option for logs with ISO8601 timestamp)
 * Suricata {pull}19107[19107] (`forwarded` tag is not included by default)
 * CoreDNS {pull}19134[19134] (`forwarded` tag is not included by default)
 * Envoy Proxy {pull}19134[19134] (`forwarded` tag is not included by default)
@@ -819,6 +818,19 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - http_endpoint: Support multiple documents in a single request by POSTing an array or NDJSON format. {pull}25764[25764]
 - Make `filestream` input GA. {pull}26127[26127]
 - Add new `parser` to `filestream` input: `container`. {pull}26115[26115]
+- Support X-Forwarder-For in IIS logs. {pull}19142[192142]
+- Add support for logs generated by servers configured with `log_statement` and `log_duration` in PostgreSQL module. {pull}24607[24607]
+- Added fifteen new message IDs to Cisco ASA/FTD pipeline. {pull}24744[24744]
+- Added NTP fileset to Zeek module {pull}24224[24224]
+- Add `proxy_url` config for httpjson v2 input. {issue}24615[24615] {pull}24662[24662]
+- Change `okta.target` to `flattened` field type. {issue}24354[24354] {pull}24636[24636]
+- Added `http.request.id` to `nginx/ingress_controller` and `elasticsearch/audit`. {pull}24994[24994]
+- Add `awsfargate` module to collect container logs from Amazon ECS on Fargate. {pull}25041[25041]
+- New module `cyberarkpas` for CyberArk Privileged Access Security audit logs. {pull}24803[24803]
+- Add `uri_parts` processor to Apache, Nginx, IIS, Traefik, S3Access, Cisco, F5, Fortinet, Google Workspace, Imperva, Microsoft, Netscout, O365, Sophos, Squid, Suricata, Zeek, Zia, Zoom, and ZScaler modules ingest pipelines. {issue}19088[19088] {pull}24699[24699]
+- New module `zookeeper` for Zookeeper service and audit logs {issue}25061[25061] {pull}25128[25128]
+- Add parsing for `haproxy.http.request.raw_request_line` field {issue}25480[25480] {pull}25482[25482]
+- Add support for ISO8601 timestamps in Zeek fileset {pull}25564[25564]
 *Heartbeat*
diff --git a/x-pack/filebeat/module/zeek/connection/test/connection-json.log b/x-pack/filebeat/module/zeek/connection/test/connection-json.log
index 1275e552e3b7..467f28552c17 100644
--- a/x-pack/filebeat/module/zeek/connection/test/connection-json.log
+++ b/x-pack/filebeat/module/zeek/connection/test/connection-json.log
@@ -2,3 +2,4 @@
 {"ts":1547188416.857497,"uid":"CAcJw21BbVedgFnYH4","id.orig_h":"192.168.86.167","id.orig_p":38340,"id.resp_h":"8.8.8.8","id.resp_p":53,"proto":"udp","service":"dns","duration":0.076967,"orig_bytes":75,"resp_bytes":178,"conn_state":"SF","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"Dd","orig_pkts":1,"orig_ip_bytes":103,"resp_pkts":1,"resp_ip_bytes":206,"tunnel_parents":[]}
 {"ts":1547188417.857497,"uid":"CAcJw21BbVedgFnYH5","id.orig_h":"4.4.2.2","id.orig_p":38341,"id.resp_h":"8.8.8.8","id.resp_p":53,"proto":"udp","service":"dns","duration":0.076967,"orig_bytes":75,"resp_bytes":178,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"Dd","orig_pkts":1,"orig_ip_bytes":103,"resp_pkts":1,"resp_ip_bytes":206,"tunnel_parents":[]}
 {"ts":1551399000.57855,"uid":"Cc6NJ3GRlfjE44I3h","id.orig_h":"192.0.2.205","id.orig_p":3,"id.resp_h":"198.51.100.249","id.resp_p":3,"proto":"icmp","conn_state":"OTH","local_orig":false,"local_resp":false,"missed_bytes":0,"orig_pkts":1,"orig_ip_bytes":107,"resp_pkts":0,"resp_ip_bytes":0,"tunnel_parents":[]}
+{"ts":"2021-06-09T20:55:13.160328Z","uid":"C2KP1V3alRLoxl4JB9","id.orig_h":"10.0.2.15","id.orig_p":46408,"id.resp_h":"172.217.9.68","id.resp_p":80,"proto":"tcp","conn_state":"OTH","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"C","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":0,"resp_ip_bytes":0}
diff --git a/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json b/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json
index 088aee7aedf4..ee6333827868 100644
--- a/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json
@@ -218,5 +218,60 @@
 "zeek.connection.state": "OTH",
 "zeek.connection.state_message": "No SYN seen, just midstream traffic (a 'partial connection' that was not later closed).",
 "zeek.session_id": "Cc6NJ3GRlfjE44I3h"
+ },
+ {
+ "@timestamp": "2021-06-09T20:55:13.160Z",
+ "destination.address": "172.217.9.68",
+ "destination.as.number": 15169,
+ "destination.as.organization.name": "Google LLC",
+ "destination.bytes": 0,
+ "destination.geo.continent_name": "North America",
+ "destination.geo.country_iso_code": "US",
+ "destination.geo.country_name": "United States",
+ "destination.geo.location.lat": 37.751,
+ "destination.geo.location.lon": -97.822,
+ "destination.ip": "172.217.9.68",
+ "destination.packets": 0,
+ "destination.port": 80,
+ "event.category": [
+ "network"
+ ],
+ "event.dataset": "zeek.connection",
+ "event.id": "C2KP1V3alRLoxl4JB9",
+ "event.kind": "event",
+ "event.module": "zeek",
+ "event.type": [
+ "connection",
+ "info"
+ ],
+ "fileset.name": "connection",
+ "input.type": "log",
+ "log.offset": 1488,
+ "network.bytes": 0,
+ "network.community_id": "1:DzqI9CYXjMSYV8VoSAHtMNfMIeU=",
+ "network.direction": "outbound",
+ "network.packets": 0,
+ "network.transport": "tcp",
+ "related.ip": [
+ "10.0.2.15",
+ "172.217.9.68"
+ ],
+ "service.type": "zeek",
+ "source.address": "10.0.2.15",
+ "source.bytes": 0,
+ "source.ip": "10.0.2.15",
+ "source.packets": 0,
+ "source.port": 46408,
+ "tags": [
+ "zeek.connection",
+ "local_orig"
+ ],
+ "zeek.connection.history": "C",
+ "zeek.connection.local_orig": true,
+ "zeek.connection.local_resp": false,
+ "zeek.connection.missed_bytes": 0,
+ "zeek.connection.state": "OTH",
+ "zeek.connection.state_message": "No SYN seen, just midstream traffic (a 'partial connection' that was not later closed).",
+ "zeek.session_id": "C2KP1V3alRLoxl4JB9"
 }
 ]
\ No newline at end of file
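Review bot: The expected `"@timestamp": "2021-06-09T20:55:13.160Z"` keeps only millisecond precision, while the new fixture line in connection-json.log carries `"ts":"2021-06-09T20:55:13.160328Z"` with microseconds, so this expectation pins that sub-millisecond digits are dropped on ingest without saying so anywhere. If that truncation is intended, a sentence in the fileset docs or the changelog entry, such as `ISO8601 timestamps are stored in @timestamp at millisecond precision`, would tell users of the new Zeek option that ordering finer than 1 ms is not preserved. The fixture also exercises only the UTC `Z` form with a fractional part; if the pipeline change (not in this chunk of the diff) accepts other ISO8601 variants, a second sample without fractional seconds would guard that path. The truncated value is also the one a detection rule would see, which is why a documented statement of precision matters here.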