Download the release on GitHub.
Features
Add support for reading and writing YAML documents
The yaml format supports reading and writing YAML documents and streams.
By @dominiklohmann in #3456.
PRs 3461-fluent-bit
The new fluent-bit source and sink operators provide an interface to the
Fluent Bit ecosystem. The source operator maps to a Fluent Bit input and the
sink operator to a Fluent Bit output.
Add pipeline label support to the main repository
The pipeline manager now supports user-provided labels for pipelines.
Improve json parser, add null type, and various fixes
The performance of the json, suricata and zeek-json parsers was improved.
The json parser has a new --raw flag, which uses the raw type of JSON values
instead of trying to infer one. For example, strings with IP addresses are given
the type string instead of ip.
A dedicated null type was added.
Empty records are now allowed. Operators that previously discarded empty records
(for example, drop) now preserve them.
Changes
Disable dense indexes
Tenzir no longer builds dense indexes for imported events. Dense indexes improved query performance at the cost of higher memory usage. However, over time the performance improvement became smaller due to other improvements in the underlying storage engine.
Tenzir no longer supports models in taxonomies. Since Tenzir v4.0 they were only
supported in the deprecated tenzir-ctl export and tenzir-ctl count commands.
We plan to bring the functionality back in the future with more powerful
expressions in TQL.
By @dominiklohmann in #3552.
Disable 0mq socket lingering
We made it easier to reuse the default zmq socket endpoint by disabling
socket lingering, and thereby immediately relinquishing resources when
terminating a ZeroMQ pipeline. Changing the linger period from infinite to 0 no
longer buffers pending messages in memory after closing a ZeroMQ socket.
Bug Fixes
Fix timing-related crashes in the web plugin
The web server will not crash when receiving requests during shutdown anymore.
Change type of version in suricata.quic to string
The type of the quic.version field in the built-in suricata.quic schema was
fixed. It now is a string instead of an integer.
Implement serialization_plugins for store_plugins
The parquet and feather formats no longer throw assertions during normal
usage.
Fix the wrong type for the version record type in the zeek.software schema
The zeek.software schema does not contain an incomplete version record type
anymore.
The version.minor type in the zeek.software schema is now a uint64
instead of a double to comply with Zeek’s version structure.
Improve json parser, add null type, and various fixes
The json, suricata and zeek-json parsers are now more stable and should
parse all inputs correctly.
null records are no longer incorrectly transformed into records with null
fields.
Fix processing of http arguments
The http loader no longer ignores the value of user-provided custom headers.