The Zeek team is proud to announce Zeek 8.2! This release marks our final checkpoint on the road to Zeek 9, and rounds out our new ZeroMQ support in important ways. It also includes a range of new features and improvements, so let’s cover the highlights in this blog post.
A new way to propagate state across the cluster
Arguably the most important new feature in this release, the scripting language’s tables and sets now support a new attribute, &publish_on_change, that transparently propagates container updates across the cluster via behind-the-scenes eventing. A script-layer record, assigned to the attribute, controls the nature of the updates, the pub/sub topic, and more.
This feature complements the state management controls provided by traditional “manual” eventing and the storage framework’s centralization and persistence features. It particularly aims to replace Broker-backed tables for state propagation, which we’ve deprecated due to our shift to ZeroMQ. At the same time, it provides more fine-grained control and simpler semantics than the old (and unpredictable) &synchronized feature that Bro-era users might remember.
ZeroMQ improvements
Recall that Zeek 8.1 introduced the ZeroMQ backend as the default messaging layer that Zeek uses to communicate across the cluster. Users may now encrypt ZeroMQ communication via its CURVE mechanism. We’ve also added telemetry to cover the ZeroMQ message volume for eventing, as well as message drops.
Configurable well-known ports for analyzers
Many of Zeek’s analyzers support sets of well-known ports, for example via HTTP::ports or SSL::ssl_ports, that direct Zeek to attach these analyzers regardless of dynamic protocol detection. You can now adjust these ports via simple redefs to accommodate site-local preferences.
Yes, VLAN IDs can be 0
Zeek now properly distinguishes VLAN tags with ID 0 from absent VLAN tags. While rare, VLAN ID 0 is valid for priority tagging and other uses. This required changes to the VLAN representation in Zeek’s core, so plugins accessing that information in the Packet class will need minor updates.
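To illustrate why the distinction matters, here is an added example (not Zeek code, and not from the Zeek project): a minimal Python parser for Ethernet headers that reports the VLAN ID as None when no tag is present and as 0 for a priority tag. The names L2Info, parse_l2, has_vlan, legacy_has_vlan and the sample frames are constructed for illustration.

```python
import struct
from typing import NamedTuple, Optional

TPID_8021Q = 0x8100   # IEEE 802.1Q tag
TPID_8021AD = 0x88A8  # IEEE 802.1ad service tag (outer tag in QinQ)

class L2Info(NamedTuple):
    vlan: Optional[int]        # None = untagged frame; 0 = priority tag
    inner_vlan: Optional[int]  # second tag in a QinQ frame, if any
    pcp: Optional[int]         # 802.1p priority bits of the outer tag
    ethertype: int             # EtherType of the encapsulated payload

def parse_l2(frame: bytes) -> L2Info:
    """Parse an Ethernet II header plus up to two VLAN tags."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset = 12  # skip destination and source MAC addresses
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    offset += 2
    tags = []
    while ethertype in (TPID_8021Q, TPID_8021AD) and len(tags) < 2:
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack_from("!HH", frame, offset)
        offset += 4
        tags.append((tci & 0x0FFF, tci >> 13))  # (VID, PCP)
    vlan = tags[0][0] if tags else None
    pcp = tags[0][1] if tags else None
    inner = tags[1][0] if len(tags) > 1 else None
    return L2Info(vlan, inner, pcp, ethertype)

def legacy_has_vlan(info: L2Info) -> bool:
    """Ambiguous check: a truthiness test treats VID 0 as 'no tag'."""
    return bool(info.vlan)

def has_vlan(info: L2Info) -> bool:
    """Correct check: only an absent tag counts as untagged."""
    return info.vlan is not None

# Constructed sample frames (headers only, zeroed MAC addresses).
MACS = bytes(12)
UNTAGGED = MACS + bytes.fromhex("0800")
PRIORITY_TAGGED = MACS + bytes.fromhex("8100" "a000" "0800")  # PCP 5, VID 0
VLAN_100 = MACS + bytes.fromhex("8100" "0064" "0800")
QINQ = MACS + bytes.fromhex("88a8" "000a" "8100" "0000" "86dd")  # outer 10, inner 0
```

Code that consumes VLAN information, whether from packets or from logs, should test for absence explicitly rather than relying on a zero or falsy value.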
Spicy 1.16
Zeek 8.2 ships with a new Spicy release, in which we continued our work to improve the C++ code generated from Spicy grammars by removing artifacts from automated parser construction. We observed throughput improvements in microbenchmarks. These improvements are powered by the existing machinery and new optimizer passes.
Other updates
The scripting language’s enum types now feature stronger type-checking. This addresses potentially confusing behavior when a single enum variable holds different enum types over time. This now triggers a warning, as you can see in this example.
The Prometheus scraping port now listens locally on 127.0.0.1, rather than 0.0.0.0, by default. In your zeekctl configuration, the MetricsAddress config setting adjusts this behavior, as does Telemetry::metrics_address in the script layer.
We reverted a change we made in 8.1 to the escaping of nonprintable content in JSON data, after user feedback. In 8.2, the behavior matches that of 8.0. There’s since been considerable further debate on this topic, and you can see our plan for 9.0 in this discussion.
Schema changes
Zeek 8.2 includes no structural log changes over 8.1: we added no new logs, and the existing logs maintain the same fields and types. However, log semantics have changed in two ways: the dns.log now also reports DNS NOTIFY updates as per RFC 1996, and logged VLAN IDs will now show “0”, rather than being absent, when VLAN tags bear ID 0.
Documentation revamped, with a new tutorial
This release also introduces a new documentation layout and features substantial new content. We’ve simplified the top-level structure, including a brand new tutorial to show you around. We finally cover the command line, packages, logs, the cluster, and scripting basics in one place! A new reference section more intuitively groups common logs, the language reference, and frameworks. We’ve added a healthy dose of redirects too, so old links will continue to find relevant content.
Zeek 8.2 in context
This release contains many additional changes and improvements, so please take a moment to read Zeek’s and Spicy’s release notes for the full list of changes.
As per our usual release cadence, the arrival of 8.2 means we no longer support the 8.1 series, which concluded with 8.1.2. Support for the 8.0.x long-term support (LTS) line continues, and we just released 8.0.8 with a set of bug fixes. Our next LTS release, 9.0, is slated to arrive in August. If you’re curious about what’s coming, our Zeek community call, on the first Wednesday of each month, is a great way to stay in the loop on feature development and to ask questions.
Thanks to our contributors!
Our work on Zeek 8.2 began in December 2025 and includes some 1,100 commits in 340 merged pull requests. About 70 of those PRs came from our community members. We couldn’t do all this without you, so we’re particularly grateful to our contributors to this release — thank you!
Aaron J. Scantlin (@scantlina), Aashish Sharma (@initconf), AbdolRashid Forghani (@soorooghadim), Anthony Alayo (@anthonyalayo), Bauti Peirone (@bautipeirone), @Breppe, @cccs-graeme, @cccs-will, Connor (@agent-connor), Craig Leres (@leres), @dagecko, Doğukan Çağatay (@dogukancagatay), Fatema Bannat Wala (@fatemabw), François De Keersmaeker (@fdekeers), Jan Grashöfer (@J-Gras), Klemens Nanni (@klemensn), Maor Hamami (@mamaorha), Martin Camara (@martincmr), Michael Peters (@MP-Corelight), Mohan Dhawan (@Mohan-Dhawan), Octave Charrin (@OctaveCharrin), Peter Cullen (@pbcullen), @RageAgainstTheOrganic, @siavashta, Steve Smoot (@stevesmoot), Stefan Götz (@stefangotz), @timo-mue and Zach Robinette (@zrobinette12).
You too can be in this list! Are you interested in contributing to Zeek but unsure how? Here are 5 ways to get started.
As always, we also thank Corelight for its continued support of the Zeek project.