🚀 Features
Add new loading mechanism for GeoIP context
May 10, 2024 · @balavinaithirthan · #4158
The geoip context now supports loading in a MaxMind database with context load <ctx>. For example, load s3://my-bucket/file.mmdb | context load my-ctx
makes the GeoIP context use a remotely stored database.
Add cron operator
May 9, 2024 · @IyeOnline · #4192
The cron "<cron expression>" operator modifier executes an operator
on a schedule.
For example, cron "* */10 * * * MON-FRI" from https://example.org/api
queries an endpoint on every 10th minute, Monday through Friday.
Add LEEF parser
The new leef parser supports parsing Log Event Extended Format (LEEF) version
1.0 and 2.0 events, e.g.,
LEEF:1.0|Microsoft|MSExchange|4.0 SP1|15345|src=192.0.2.0\tdst=172.50.123.1.
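The header and attribute layout of such events, as an added Python example (not Tenzir's implementation). It assumes LEEF 1.0 attributes are tab-separated and that LEEF 2.0 events carry the delimiter field, given as one character or as hex such as 0x09; parse_leef, HEADER_KEYS and the second sample are hypothetical.

```python
# Added illustration of the LEEF layout; not Tenzir's implementation.
HEADER_KEYS = ("leef_version", "vendor", "product", "product_version", "event_id")

def _delimiter(spec):
    """Decode the LEEF 2.0 delimiter field: one literal character or hex (0x09, x5E)."""
    low = spec.lower()
    if len(spec) > 1 and low.startswith(("0x", "x")):
        return chr(int(low[2:] if low.startswith("0x") else low[1:], 16))
    if len(spec) == 1:
        return spec
    raise ValueError(f"unsupported delimiter field: {spec!r}")

def parse_leef(line):
    """Split one LEEF 1.0 or 2.0 event into header fields and attributes."""
    if not line.startswith("LEEF:"):
        raise ValueError("not a LEEF event")
    rest = line[len("LEEF:"):]
    version = rest.split("|", 1)[0]
    # Bound the split so '|' inside attribute values is left untouched.
    if version == "1.0":
        parts = rest.split("|", 5)
        if len(parts) != 6:
            raise ValueError("LEEF 1.0 header needs 5 pipe-terminated fields")
        delim, body = "\t", parts[5]
    elif version == "2.0":
        parts = rest.split("|", 6)
        if len(parts) != 7:
            raise ValueError("expected LEEF 2.0 header with a delimiter field")
        delim, body = _delimiter(parts[5]), parts[6]
    else:
        raise ValueError(f"unsupported LEEF version: {version!r}")
    event = dict(zip(HEADER_KEYS, parts[:5]))
    attrs = {}
    for pair in body.split(delim):
        if not pair:
            continue  # tolerate a trailing delimiter
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"attribute without '=': {pair!r}")
        attrs[key] = value
    event["attributes"] = attrs
    return event

# First sample is the event from the text; the second is constructed.
SAMPLES = [
    "LEEF:1.0|Microsoft|MSExchange|4.0 SP1|15345|src=192.0.2.0\tdst=172.50.123.1",
    "LEEF:2.0|ExampleVendor|ExampleProduct|1.0|41|^|src=192.0.2.0^msg=a|b",
]
PARSED = [parse_leef(sample) for sample in SAMPLES]
```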
Add --precise mode to JSON parser
May 6, 2024 · @jachris · #4169
The json parser has a new --precise flag, which ensures that the layout of
the emitted events precisely matches the input. For example, it guarantees that no
additional null fields will be added. This mode is implicitly enabled when
using read gelf.
🔧 Changes
Fix a hang on shutdown and remove deprecated things
May 6, 2024 · @dominiklohmann · #4187
The deprecated matcher plugin no longer exists. Use the superior lookup
operator and contexts instead.
The deprecated tenzir-ctl import and tenzir-ctl export commands no longer
exist. They have been fully superseded by pipelines in the form … | import
and export | …, respectively.
Remove the --clear parameter for lookup table contexts
May 2, 2024 · @Dakostu · #4179
The --clear parameter for clearing lookup table contexts during an update no
longer exists. It has been superseded by the more robust context reset
operator.
🐞 Bug Fixes
Make python venv creation independent from the user
A permission error caused the python operator to fail when it was previously used
by another system user with the same set of requirements. There is now one
Python environment per user and set of requirements.
Update the repository to include retry delay-related bug fixes
May 10, 2024 · @Dakostu · #4184
Some pipelines did not restart on failure. The retry mechanism now works for all kinds of failures.
Pipelines that are configured to automatically restart on failure can now be stopped explicitly. Stopping a failed pipeline now always changes its state to the stopped state.
Fix CSV/XSV format printing the header once for each batch
May 8, 2024 · @jachris · #4195
The CSV, TSV, and SSV printers no longer erroneously print the header multiple times when more than one batch of events arrives.
Add LEEF parser
The syslog parser no longer crops messages at unprintable characters, such as
tab (\t).
The syslog parser no longer eagerly attempts to grab an application name from
the content, fixing issues when combined with CEF and LEEF.
Fix a hang on shutdown and remove deprecated things
May 6, 2024 · @dominiklohmann · #4187
Startup failures caused by invalid pipelines or contexts deployed as code in the configuration file sometimes caused the node to hang instead of shutting down with an error message. The node now shuts down as expected when this happens.