
The Zeek team is proud to announce Zeek 8.1! This release achieves a major milestone in our architectural shift away from the Broker messaging backend, includes a bunch of analyzer enhancements, takes first steps to phase out MD5 support, and features a host of other fixes and improvements.

ZeroMQ By Default

Far and away the most important change in this release is our switch of Zeek’s cluster communication from Broker to ZeroMQ by default, culminating our multi-release effort to make cluster backends pluggable. Far from a behind-the-scenes detail, this switch immediately benefits users, script developers, and our own dev team. In preliminary testing the ZeroMQ backend brings double-digit percentage improvements to CPU utilization under comparable traffic loads, relative to Broker. For script authors, the fact that ZeroMQ runs a centralized message broker finally enables proper event pub/sub across the entire cluster, simplifying development. For example, you’re now able to broadcast events across all workers—no more manual routing via other nodes over Broker’s partial point-to-point topology. And for all of us, it brings the benefits of a proven, industrial-strength messaging layer used by thousands of projects around the world.

If you’re using zeekctl to manage your cluster, this change is a drop-in replacement. Zeek takes care of running ZeroMQ’s message queues for you. As with Broker, you need no external service to get up and running—though technically you’re free to do so if you prefer! However, scripts depending on Broker-specific features will need updates. Foremost among these are Broker data stores, commonly used via the &backend and &broker_store attributes to transparently share state across the cluster. Script developers should migrate these to explicit state propagation via Cluster::publish(), or use the storage framework. Zeek will complain at startup if you’re trying to use Broker datastores on a non-Broker cluster backend.
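
As an added illustration (not code from the Zeek project), here is what that migration looks like for a small script that tracks first-seen local hosts cluster-wide: the old implicit Broker store is replaced by a plain local set kept in sync with one broadcast over Cluster::worker_topic. The module and event names are hypothetical.

```zeek
# Added example, not part of the Zeek distribution: moving cluster-wide state
# from a Broker data store to explicit propagation via Cluster::publish().
module HostTracker;

export {
	## Before (Broker backend): the set was shared implicitly through a
	## Broker data store and is rejected at startup on a ZeroMQ cluster:
	##   global seen_hosts: set[addr] &backend=Broker::MEMORY;
	##
	## After: an ordinary local set, kept in sync by an explicit event.
	global seen_hosts: set[addr] &create_expire=1hr;

	## Hypothetical event, raised on every worker when a local host is
	## observed for the first time anywhere in the cluster.
	global host_seen: event(h: addr);
}

# Every worker applies the update. The handler is idempotent (adding to a
# set twice is harmless), so it is safe even if a backend echoes a node's
# own publication back to it.
event HostTracker::host_seen(h: addr)
	{
	if ( h !in seen_hosts )
		Reporter::info(fmt("HostTracker: new local host %s", h));

	add seen_hosts[h];
	}

event connection_established(c: connection)
	{
	local h = c$id$orig_h;

	# Only track hosts inside Site::local_nets, and only the first time.
	if ( ! Site::is_local_addr(h) || h in seen_hosts )
		return;

	# Apply locally, then broadcast to all workers in a single call. With the
	# ZeroMQ backend every worker subscribes to Cluster::worker_topic, so no
	# relay through the manager or a proxy is required.
	event HostTracker::host_seen(h);

	if ( Cluster::is_enabled() )
		Cluster::publish(Cluster::worker_topic, HostTracker::host_seen, h);
	}
```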

Broker support remains readily available. To switch back, simply add ClusterBackend = Broker to zeekctl.cfg (it already contains a comment to that effect) and run zeekctl deploy.

We’ll have more to say on ZeroMQ in the near future, and a few bits of work remain on the road to Zeek 9. In the meantime, make sure to check out Arne’s new video for a great overview of this change, as well as general background on running Zeek in clusters.

Analyze This

The DNS analyzer now supports Dynamic Update messages. The answer field in dns.log contains prerequisites and updates for dynamic update requests, while the query field logs the zone name. We added new opcode and opcode_name fields to distinguish between normal queries (opcode 0) and dynamic updates (opcode 5), which a policy script removes if not desired. The DNS analyzer now also returns Service Binding parameter sets in the dns_svcb_rr record.

The QUIC analyzer gained new events for discarded packets and short header packet thresholds. When a packet with fixed_bit set to 0 is encountered, the analyzer raises a QUIC::discarded_packet event and adds X to the connection history. The new QUIC::short_header_packet_threshold_crossed() event fires for binary logarithmic thresholds of packets with short headers, adding O or o to the history depending on direction.

The SNMPv3 analyzer now parses Security Parameters for the User-Based Security model, adding data to a new user_security_parameters field. The community field in snmp.log now contains the SNMPv3 username, when present.

We’ve expanded dynamic protocol detection for HTTP to recognize additional request methods, and replaced the RFB analyzer’s rfb_auth_result event with rfb_authentication_result. TLS certificates now get logged even when protocol violations subsequently occur. The GSSAPI analyzer gained fixes for processing Kerberos data that isn’t preceded by an OID, and the LDAP analyzer now correctly escapes non-ASCII characters when logging filter strings.

Finally, for plugin developers, the new TapAnalyzer class allows tapping into all packets delivered to child analyzers of session adapters.

Spicy Speedups

The infrastructure put in place for Spicy in Zeek’s 8.0 release has enabled further Spicy optimizations. Control-flow-based optimizations are now enabled by default, including several that simplify the generated code. The new optimizations have produced modest improvements in Spicy’s benchmarks, including for Zeek’s Spicy analyzers.

We also have more optimizations planned for the coming release, with extra infrastructure being added for better optimizations.

Logging Improvements

In JSON output, Zeek now always renders non-printable ASCII control characters in “\uXXXX” form. This resolves potential ambiguities with Zeek’s prior “\xXX”-formatted output.

New controls limit the length of fields containing strings and container types in log output. Four new tunables control truncation in terms of bytes and elements. When a log write exceeds those limits, Zeek truncates the write, new weirds report the truncation, and new metrics track such truncations per log stream.

The Notice framework’s suppression implementation now batches information for up to 10ms before distributing to cluster nodes, reducing CPU usage and event traffic during startup.

Phasing Out MD5

This release begins work to remove MD5 hashing from Zeek’s internal code base. The host_key field in ssh.log has been replaced with host_key_fingerprint, which uses SHA256 and matches the formatting of ssh-keygen -l. The auth_ticket and new_ticket fields in krb.log have been replaced with SHA256 equivalents. Policy scripts (ssh, krb) can restore the old fields if needed. The release also adds SHA224, SHA384, and SHA512 hash calculation BIFs and file analyzers. It does not yet deprecate the MD5-related family of BIFs (md5_hash & co), with the exception of md5_hmac and the MD5-based IP anonymizers. The release provides SHA256-based equivalents for both.

JavaScript Support on the Mac

On macOS, Zeek can at last build with JavaScript support thanks to improvements to the Homebrew formula, which now allows building shared libnode libraries.

Systemd-Powered Single-Host Clusters

This release contains experimental support for a systemd generator that produces unit files for single-host Zeek clusters, bringing many of systemd’s resource management primitives to Zeek. Please refer to the README for more details.

Developer Updates

For those of you working on Zeek we note a few additional updates. We’ve bumped the minimum version requirement for Python to 3.10, since 3.9 reached EOL during this release cycle. We’ve also streamlined our rather complex source tree, inlining several components that previously existed in submodules. This includes our documentation, the AF_PACKET plugin, as well as BinPAC, bifcl, and gen-zam, all of which now live in a new tools directory.

Zeek 8.1 in Context

Zeek 8.1 contains many additional changes, so please take a moment to read the full release notes for the full list of changes.

As a reminder, our x.1 and x.2 feature releases contain work that may change by the time our next LTS release, Zeek 9.0, arrives in the summer. The release of Zeek 8.1 also means we’ll no longer update the 7.0.x LTS series, and encourage all users still on 7.0.x to upgrade to 8.0.x at this time. Zeek package developers, particularly those working on plugins, should review this release’s breaking changes and deprecations, since now is a great time to verify your packages continue to work as expected.

We always welcome your feedback and questions, so please feel free to get in touch via our community channels.

Thanks to our contributors!

Our work on Zeek 8.1 began in August 2025, comprising some 1,500 commits in just under 400 merged pull requests. As always, we couldn’t do this without you, so we’re particularly grateful to our community members who contributed to this release—thank you!

Andrew Raffman (@andyraf), @arm7mm, Artyom Kalabukhov (@predator89090), Benjamin Grap (@blightzero), @biswajitutil, Jean-Samuel Marier (@cccs-jsjm), @chrisjlly, Craig P (@multicast-bytes), @DigiAngel, Mike Dopheide (@dopheide-esnet), Edoardo Mich (@edoardomich), @franky-m, Fupeng Zhao (@AmazingPP), Jan Grashöfer (@J-Gras), Klemens Nanni (@klemens-ya), Klemens Nanni (@klemensn), @kshitiz56, Mark Overholser (@markoverholser), Mohan Dhawan (@Mohan-Dhawan), Peter Cullen (@pbcullen), RyugaXhypeR (@RyugaXhypeR), Seth Hall (@sethhall), Yacin Nadji (@ynadji), Zhang Liang (@JosenLiang), Zach Robinette (@zrobinette12) and @zzzdong for their contributions to this release.

We’d also like to thank Corelight for its continued support of the Zeek project.

Author

  • Christian Kreibich

    Christian is the technical lead on Zeek's leadership team and has been working with and on Zeek for the better part of two decades. He works at Corelight.

