🚀 Features
Add pipeline label support to the main repository
Oct 9, 2023 · @Dakostu · #3541
The pipeline manager now supports user-provided labels for pipelines.
PRs 3461-fluent-bit
The new fluent-bit source and sink operators provide an interface to the
Fluent Bit ecosystem. The source operator maps to a Fluent Bit input and the
sink operator to a Fluent Bit output.
Add support for reading and writing YAML documents
Oct 5, 2023 · @dominiklohmann · #3456
The yaml format supports reading and writing YAML documents and streams.
Improve json parser, add null type, and various fixes
Sep 21, 2023 · @jachris · #3503
The performance of the json, suricata and zeek-json parsers was improved.
The json parser has a new --raw flag, which uses the raw type of JSON values
instead of trying to infer one. For example, strings with IP addresses are given
the type string instead of ip.
A dedicated null type was added.
Empty records are now allowed. Operators that previously discarded empty records
(for example, drop) now preserve them.
🔧 Changes
Disable dense indexes
Oct 7, 2023 · @dominiklohmann · #3552
Tenzir no longer builds dense indexes for imported events. Dense indexes improved query performance at the cost of higher memory usage. However, over time the performance improvement became smaller due to other improvements in the underlying storage engine.
Tenzir no longer supports models in taxonomies. Since Tenzir v4.0 they were only
supported in the deprecated tenzir-ctl export and tenzir-ctl count commands.
We plan to bring the functionality back in the future with more powerful
expressions in TQL.
Disable 0mq socket lingering
We made it easier to reuse the default zmq socket endpoint by disabling
socket lingering, thereby immediately relinquishing resources when
terminating a ZeroMQ pipeline. With the linger period changed from infinite to 0,
pending messages are no longer buffered in memory after closing a ZeroMQ socket.
🐞 Bug Fixes
Fix timing-related crashes in the web plugin
Oct 6, 2023 · @Dakostu · #3553
The web server no longer crashes when receiving requests during shutdown.
Implement serialization_plugins for store_plugins
Sep 25, 2023 · @Dakostu · #3537
The parquet and feather formats no longer throw assertions during normal
usage.
Fix the wrong type for the version record type in the zeek.software schema
Sep 25, 2023 · @Dakostu · #3538
The zeek.software schema no longer contains an incomplete version record
type.
The version.minor type in the zeek.software schema is now a uint64
instead of a double to comply with Zeek’s version structure.
Change type of version in suricata.quic to string
Sep 21, 2023 · @jachris · #3533
The type of the quic.version field in the built-in suricata.quic schema was
fixed. It is now a string instead of an integer.
Improve json parser, add null type, and various fixes
Sep 21, 2023 · @jachris · #3503
The json, suricata and zeek-json parsers are now more stable and should
parse all inputs correctly.
null records are no longer incorrectly transformed into records with null
fields.
Fix processing of http arguments
The http loader no longer ignores the value of user-provided custom headers.