The Zeek development team is excited to publish a release candidate of our next feature release, Zeek 4.1. This version includes the following highlights:
- Overhauled SSL/X509 processing to make its logging output more helpful and compact. In particular,
x509.logis now indexed by the SHA256 of the certificates, with deduplication being automatically performed. By default, the same certificate is now only logged once per day, reducing log volume substantially.
- Support for non-TCP/IP protocol stacks. This version rearchitects Zeek’s internal session management to enable plugins to add support for protocols that are not IP-based.
- Support for VN-Tag and Geneve decapsulation.
- Extended OCSP logging that’s now also on by default.
- A new Telemetry API for gathering runtime metrics, including export to Prometheus. This is still work-in-progress, and for now comes only with a low-level API. A higher-level API will follow in future versions.
- The logging framework now provides a global policy hook,
Log::log_stream_policythat can access and veto any log write.
- The ASCII writer gained a new option
LogAscii::logdirto set the logging output directory.
configuregained a new
--include-pluginsoption to specify plugins that will be statically compiled into Zeek (rather than loaded dynamically at runtime).
zeek -uperforms static analysis on Zeek scripts to identify variables that are assigned to, but then not subsequently used (i.e., “dead code”).
- Experimental support for translating Zeek scripts to equivalent C++ code. The generated C++ can then be compiled directly into the Zeek binary, replacing use of the interpreter and producing better runtime performance. See the compiler’s README for more.
- An initial (and still incomplete) version of a new cluster controller framework, along with a new command-line tool
zeek-client. This is work-in-progress that will evolve over the next Zeek versions to eventually replace ZeekControl.
Please help us test this release candidate. Give it a try, and open a ticket if you notice anything you wouldn’t expect. There is also a Wiki page that summarizes some guidelines for testing prerelease versions of Zeek.
As a reminder, please note that all Zeek 3.x versions are out of support now, and will no longer receive any updates. Zeek 4.0 is the current LTS version that we recommend for sites prioritizing stability over new functionality.