Features

OIDC web identity authentication for AWS operators

Feb 4, 2026 · @tobim, @codex · #5703

AWS operators now support OIDC-based authentication via the AssumeRoleWithWebIdentity API.

You can authenticate with AWS resources using OpenID Connect tokens from external identity providers like Azure, Google Cloud, or custom endpoints. This enables secure cross-cloud authentication without sharing long-lived AWS credentials.

Configure web identity authentication in any AWS operator by specifying a token source and target role:

from_s3 "s3://bucket/path", aws_iam={
  region: "us-east-1",
  assume_role: "arn:aws:iam::123456789012:role/cross-cloud-role",
  web_identity: {
    token_file: "/path/to/oidc/token"
  }
}

The web_identity option accepts three token sources: token_file (path to a token file), token_endpoint (HTTP endpoint that returns a token), or token (direct token value). For HTTP endpoints, you can extract tokens from JSON responses using path.

Credentials automatically refresh before expiration, with exponential backoff retry logic for transient failures. This is especially useful for long-running pipelines that need persistent authentication.

Changes

Faster evaluation of logical and conditional expressions

Mar 30, 2026 · @jachris · #5954

Pipelines that use and, or, or if-else expressions run significantly faster in certain cases — up to 30× in our benchmarks. The improvement is most noticeable in pipelines with complex filtering or branching logic. No pipeline changes are needed to benefit.

OCSF 1.8.0 support in ocsf::derive

Mar 23, 2026 · @mavam, @codex · #5939

The ocsf::derive operator now supports OCSF 1.8.0 events.

For example, you can now derive enum and sibling fields for events that declare metadata.version: "1.8.0":

from {metadata: {version: "1.8.0"}, class_uid: 1007}
ocsf::derive

This keeps OCSF normalization pipelines working when producers emit 1.8.0 events.

Platform configuration error message

Feb 10, 2026 · @lava · #5341

Platform configuration validation now provides clearer error messages when an invalid configuration is encountered, helping you quickly diagnose and fix configuration issues.

Bug Fixes

Fix crash when connecting to unresolvable host

Mar 26, 2026 · @lava · #5827

Setting TENZIR_ENDPOINT to an unresolvable hostname no longer crashes the pipeline with a segfault.

Spurious warning for Other (99) enum sibling in ocsf::derive

Mar 25, 2026 · @mavam, @claude · #5949

ocsf::derive no longer emits a false warning when an _id field is set to 99 (Other) and the sibling string contains a source-specific value.

Per the OCSF specification, 99/Other is an explicit escape hatch: the integer signals that the value is not in the schema's enumeration and the companion string must hold the raw value from the data source. For example, the following is now accepted silently:

from {
  metadata: { version: "1.7.0" },
  type_uid: 300201,
  class_uid: 3002,
  auth_protocol_id: 99,
  auth_protocol: "Negotiate",
}
ocsf::derive

Previously this produced a spurious warning: found invalid value for 'auth_protocol' because "Negotiate" is not a named enum caption.

Fix crash on Azure SSL/transport errors

Mar 24, 2026 · @lava

The Azure Blob Storage connector now handles Azure::Core::Http::TransportException (e.g., SSL certificate errors) gracefully instead of crashing. Previously, a self-signed certificate in the certificate chain would cause an unhandled exception and terminate the node.

Features

Add store origin metadata to feather files

Mar 17, 2026 · @tobim

Feather store files now include a TENZIR:store:origin key in the Arrow table schema metadata. The value is "ingest" for freshly ingested data, "rebuild" for partitions created by the rebuild command, and "compaction" for partitions created by the compaction plugin. This allows external tooling such as pyarrow to distinguish how a partition was produced.

Improved Clickhouse Usability

Mar 11, 2026 · @IyeOnline, @codex, @mavam, @raxyte · #5897

The to_clickhouse operator now supports dynamic table names via an expression table=..., which must evaluate to a string. If the value is not a valid table name, the events will be dropped with a warning.

With this change, the operator will also create a database if it does not exist.

The prime use-case for this are OCSF event streams:

subscribe "ocsf"
ocsf::cast encode_variants=true, null_fill=true
to_clickhouse table=f"ocsf.{class_name.replace(" ","_")}", ...

Install Tenzir via Homebrew on macOS

Mar 8, 2026 · @mavam · #5876

You can now install Tenzir on Apple Silicon macOS via Homebrew:

brew tap tenzir/tenzir
brew install --cask tenzir

You can also install directly without tapping first:

brew install --cask tenzir/tenzir/tenzir

The release workflow keeps the Homebrew cask in sync with the signed macOS package so installs and uninstalls stay current across releases.

Changes

Correct AWS Marketplace container image

Mar 19, 2026 · @lava · #5925

The AWS Marketplace ECR repository tenzir-node was incorrectly populated with the tenzir image. It now correctly ships tenzir-node, which runs a Tenzir node by default.

If you relied on the previous behavior, you can restore it by setting tenzir as a custom entrypoint in your ECS task definition.

Add Suricata schema types for IKE, HTTP2, PGSQL, and Modbus

Mar 17, 2026 · @tobim · #5914

The bundled Suricata schema now covers the remaining event types listed in the Suricata 8.0.3 EVE JSON format documentation: IKE (IKEv1/IKEv2), HTTP/2, PostgreSQL, and Modbus. This completes Suricata 8 schema coverage for Tenzir.

Bug Fixes

Support long syslog structured-data parameter names

Mar 19, 2026 · @mavam, @codex

The read_syslog operator and parse_syslog function now accept RFC 5424 structured-data parameter names longer than 32 characters, which some vendors emit despite the specification limit.

For example, this message now parses successfully instead of being rejected:

<134>1 2026-03-18T11:00:51.194137+01:00 HOSTNAME abc 9043 23003147 [F5@12276 thx_f5_for_ignoring_the_32_char_limit_in_structured_data="thx"] broken example

This improves interoperability with vendor syslog implementations that exceed the RFC limit for structured-data parameter names.

Fix batch timeout to flush asynchronously

Mar 14, 2026 · @aljazerzen · #5906

The batch timeout was only checked when a new event arrived, so a single event followed by an idle stream would never be emitted. The timeout now fires independently of upstream activity.

Fix parse_winlog batch splitting

Mar 13, 2026 · @jachris · #5901

The parse_winlog function could fragment output into thousands of tiny batches due to type conflicts in RenderingInfo/Keywords, where events with one <Keyword> emitted a string but events with multiple emitted a list. Additionally, EventData with unnamed <Data> elements is now always emitted as a record with _0, _1, etc. as field names instead of a list.

Optimize `in` operator and fix eq/neq null semantics

Mar 12, 2026 · @jachris · #5899

The in operator for list expressions is up to 33x faster. Previously it created and finalized entire Arrow arrays for every element comparison, causing severe overhead for expressions like EventID in [5447, 4661, ...].

Additionally, comparing a typed null value with == now returns false instead of null, and != returns true, fixing a correctness issue with null handling in equality comparisons.

Fix secret comparison bypass in `in` operator fast path

Mar 12, 2026 · @jachris · #5899

The in operator fast path now correctly prevents comparison of secret values. Previously, secret_value in [...] would silently compare instead of returning null with a warning, bypassing the established secret comparison policy.

Fix pattern equality ignoring case-insensitive flag

Mar 12, 2026 · @jachris · #5900

Pattern equality checks now correctly consider the case-insensitive flag. Previously, two patterns that differed only in case sensitivity were treated as equal, violating the hash/equality contract.

Fix over-reservation in partition_array for string/blob types

Mar 12, 2026 · @jachris · #5899

Splitting Arrow arrays for string and blob types no longer over-reserves memory. Previously both output builders reserved the full input size each, using up to twice the necessary memory.

Bug Fixes

Scheduling issue with detached operators

Mar 16, 2026 · @lava · #5895

Fixed a scheduling issue introduced in v5.24.0 that could cause the node to become unresponsive when too many pipelines using detached operators like from_udp were deployed simultaneously.

Features

Add Suricata schema types for IKE, HTTP2, PGSQL, and Modbus

Mar 17, 2026 · @tobim · #5914

The bundled Suricata schema now includes types for four previously missing event types: ike, http2, pgsql, and modbus.

The ike type supports both IKEv1 and IKEv2 traffic. Version-specific fields are contained within dedicated ikev1 and ikev2 sub-objects, covering key exchange payloads, nonce payloads, client proposals, vendor IDs, and IKEv2 role/notify information.

The http2 type models HTTP/2 request and response streams including settings frames, header lists, error codes, and stream priority.

The pgsql type covers PostgreSQL session events with full request fields (simple queries, startup parameters, SASL authentication) and response fields (row counts, command completion, parameter status).

The modbus type captures industrial Modbus protocol transactions including function codes, access types, exception responses, diagnostic subfunctions, and MEI encapsulated interface data.

Extract structured data from legacy syslog content

Mar 13, 2026 · @mavam, @codex · #5902

read_syslog and parse_syslog now extract a leading RFC 5424-style structured-data block from RFC 3164 message content.

This pattern occurs in practice with some VMware ESXi messages, where components such as Hostd emit a legacy syslog record and prepend structured metadata before the human-readable message text.

For example, this raw syslog line:

<166>2026-02-11T18:01:45.587Z esxi-01.example.invalid Hostd[2099494]: [Originator@6876 sub=Vimsvc.TaskManager opID=11111111-2222-3333-4444-555555555555] Task Completed

now parses as:

{
  facility: 20,
  severity: 6,
  timestamp: "2026-02-11T18:01:45.587Z",
  hostname: "esxi-01.example.invalid",
  app_name: "Hostd",
  process_id: "2099494",
  structured_data: {
    "Originator@6876": {
      sub: "Vimsvc.TaskManager",
      opID: "11111111-2222-3333-4444-555555555555",
    },
  },
  content: "Task Completed",
}

Events without extracted structured data keep the existing syslog.rfc3164 schema. Events with extracted structured data use syslog.rfc3164.structured.

Support for Suricata 8 schema

Mar 10, 2026 · @IyeOnline, @satta · #5888

The bundled Suricata schema now aligns with Suricata 8, enabling proper parsing and representation of events from Suricata 8 deployments.

This update introduces support for new event types including POP3, ARP, and BitTorrent DHT, along with enhancements to existing event types. QUIC events now include ja4 and ja4s fields for fingerprinting, DHCP events include vendor_class_identifier, and TLS certificate timestamps now use the precise time type instead of string representation.

These schema changes ensure that Tenzir can reliably ingest and process telemetry from Suricata 8 without data loss or type mismatches.

Bug Fixes

Fix pipeline startup timeouts

Mar 11, 2026 · @jachris · #5893

In some situations, pipelines could not be successfully started, leading to timeouts and a non-responsive node, especially during node start.

Prevent where/map assertion crash on sliced list batches

Mar 10, 2026 · @IyeOnline, @codex · #5886

Pipelines using chained list transforms such as xs.where(...).map(...).where(...) no longer trigger an internal assertion on sliced input batches.

Graceful handling of Google Cloud Pub/Sub authentication errors

Mar 9, 2026 · @mavam, @codex · #5877

Invalid Google Cloud credentials in from_google_cloud_pubsub no longer crash the node. Authentication errors now surface as operator diagnostics instead.

Features

Check Point syslog structured-data dialect parsing

Mar 2, 2026 · @mavam, @codex · #5851

parse_syslog() and read_syslog now accept common Check Point structured-data variants that are not strictly RFC 5424 compliant. This includes key:"value" parameters, semicolon-separated parameters, and records that omit an SD-ID entirely.

For records without an SD-ID, Tenzir now normalizes the structured data under checkpoint_2620, so downstream pipelines can use a stable field path.

For example, the message <134>1 ... - [action:"Accept"; conn_direction:"Incoming"] now parses successfully and maps to structured_data.checkpoint_2620. This improves interoperability with Check Point exports and reduces ingestion-time preprocessing.

Changes

JSON parse error context

Mar 6, 2026 · @IyeOnline · #5805

JSON parsing errors now display the surrounding bytes at the error location. This makes it easier to diagnose malformed JSON in your data pipelines.

For example, if your JSON is missing a closing bracket, the error message shows you the bytes around that location and marks where the parser stopped expecting more input.

DNS hostname resolution opt-in for load_tcp operator

Mar 4, 2026 · @tobim, @codex · #5865

The load_tcp operator now makes DNS hostname resolution opt-in with the resolve_hostnames parameter (defaults to false).

Previously, the operator always attempted reverse DNS lookups for peer endpoints, which could fail in environments without working reverse DNS configurations. Now you can enable this behavior by setting resolve_hostnames to true:

load_tcp endpoint="0.0.0.0:5555" resolve_hostnames=true {
  read_json
}

When enabled and DNS resolution fails, the operator emits a warning diagnostic (once) instead of failing. This allows the operator to continue functioning in environments where reverse DNS is unavailable or unreliable.

Bug Fixes

Uncaught exception reporting

Mar 6, 2026 · @IyeOnline · #5805

We improved the reporting for unexpected diagnostics outside of operator execution, such as during startup. In these cases you will now get the diagnostic message.

Parser bug fixes for schema changes

Mar 6, 2026 · @IyeOnline · #5805

Fixed multiple issues that could cause errors or incorrect behavior when the schema of parsed events changes between records. This is particularly important when ingesting data from sources that may add, remove, or modify fields over time.

Schema mismatch warnings for repeated fields in JSON objects (which Tenzir interprets as lists) now include an explanatory hint, making it clearer what's happening when a field appears multiple times where a single value was expected.

Bug Fixes

JSON reading crash fix

Mar 2, 2026 · @IyeOnline · #5855

We fixed a bug that could cause a crash when reading JSON data.

Fix CEF parsing for unescaped equals

Mar 2, 2026 · @jachris · #5841

The CEF parser now handles unescaped = characters (which are not conforming to the specification) by using a heuristic.

Features

Add `hmac` function

Feb 27, 2026 · @mavam, @codex · #5846

The new experimental hmac function computes Hash-based Message Authentication Codes (HMAC) for strings and blobs. It supports SHA-256 (default), SHA-512, SHA-384, SHA-1, and MD5 algorithms.

Note: The key parameter is currently a plain string because function arguments cannot be secrets yet. We plan to change this in the future.

from {
  signature: hmac("hello world", "my-secret-key"),
}

{
  signature: "90eb182d8396f16d4341d582047f45c0a97d73388c5377d9ced478a2212295ad",
}

Specify a different algorithm with the algorithm parameter:

from {
  signature: hmac("hello world", "my-secret-key", algorithm="sha512"),
}

Bug Fixes

Fixed an assertion failure in slicing

Feb 27, 2026 · @IyeOnline · #5842

We fixed a bug that would cause an assertion failure "Index error: array slice would exceed array length". This was introduced as part of an optimization in Tenzir Node v5.27.0.

Bug Fixes

Fix platform plugin not respecting `certfile` and `keyfile` options

Feb 24, 2026 · @lava

Fixed in issue where the platform plugin did not correctly use the configured certfile, keyfile and cafile options for client certificate authentication, and improved the error messages for TLS issues during platform connection.

Features

Slice function extended to support lists

Feb 22, 2026 · @mavam, @codex · #5819

The slice function now supports list types in addition to string. You can slice lists using the same begin, end, and stride parameters. Negative stride values are now supported for lists, letting you reverse or step backward through list data. String slicing continues to require a positive stride.

Example usage with lists:

• [1, 2, 3, 4, 5].slice(begin=1, end=4) returns [2, 3, 4]
• [1, 2, 3, 4, 5].slice(stride=-1) returns the list in reverse order
• [1, 2, 3, 4, 5].slice(begin=1, end=5, stride=-2) returns [5, 3]

Enhance `sort` function with `desc` and `cmp` parameters

Feb 17, 2026 · @mavam, @codex · #5767

The sort function now supports two new parameters: desc for controlling sort direction and cmp for custom comparison logic via binary lambdas.

Sort in descending order:

from {xs: [3, 1, 2]}
select ys = sort(xs, desc=true)

{ys: [3, 2, 1]}

Sort records by a specific field using a custom comparator:

from {xs: [{v: 2, id: "b"}, {v: 1, id: "a"}, {v: 2, id: "c"}]}
select ys = sort(xs, cmp=(left, right) => left.v < right.v)

{
  ys: [
    {v: 1, id: "a"},
    {v: 2, id: "b"},
    {v: 2, id: "c"},
  ],
}

The cmp lambda receives two elements and returns a boolean indicating whether the first element should come before the second. Both parameters can be combined to reverse a custom comparison.

Bug Fixes

Fix `read_lines` operator for old executor

Feb 17, 2026 · @tobim

The read_lines operator was accidently broken while it was ported to the new execution API. This change restores its functionality.

HTTP header values can contain colons

Jan 28, 2026 · @lava · #5693

HTTP header values containing colons are now parsed correctly.

Features

Optional field parameters for user-defined operators

Feb 12, 2026 · @mavam, @claude · #5753

User-defined operators in packages can now declare optional field-type parameters with null as the default value. This allows operators to accept field selectors that are not required to be provided.

When a field parameter is declared with type: field and default: null, you can omit the argument when calling the operator, and the parameter will receive a null value instead. You can then check whether a field was provided by comparing the parameter to null within the operator definition.

Example:

In your package's operator definition, declare an optional field parameter:

args:
  named:
    - name: selector
      type: field
      default: null

In the operator implementation, check if the field was provided:

set result = if $selector != null then "field provided" else "field omitted"

When calling the operator, the field argument becomes optional:

my_operator                    # field is null
my_operator selector=x.y       # field is x.y

Only null is allowed as the default value for field parameters. Non-null defaults are rejected with an error during package loading.

Link header pagination for HTTP operators

Feb 11, 2026 · @mavam, @claude

The paginate parameter for the from_http and http operators now supports link-based pagination via the Link HTTP header.

Previously, pagination was only available through a lambda function that extracted the next URL from response data. Now you can use paginate="link" to automatically follow pagination links specified in the response's Link header, following RFC 8288. This is useful for APIs that use HTTP header-based pagination instead of embedding next URLs in the response body.

The operator parses the Link header and follows the rel=next relation to automatically fetch the next page of results.

Example:

from_http "https://api.example.com/data", paginate="link"

If an invalid pagination mode is provided (neither a lambda nor "link"), the operator now reports a clear error message.

MySQL source operator

Feb 6, 2026 · @mavam, @claude · #5721, #5738

The from_mysql operator lets you read data directly from MySQL databases.

Read a table:

from_mysql table="users", host="localhost", port=3306, user="admin", password="secret", database="mydb"

List tables:

from_mysql show="tables", host="localhost", port=3306, user="admin", password="secret", database="mydb"

Show columns:

from_mysql table="users", show="columns", host="localhost", port=3306, user="admin", password="secret", database="mydb"

And ultimately execute a custom SQL query:

from_mysql sql="SELECT id, name FROM users WHERE active = 1",
           host="localhost",
           port=3306,
           user="admin",
           password="secret",
           database="mydb"

The operator supports TLS/SSL connections for secure communication with MySQL servers. Use tls=true for default TLS settings, or pass a record for fine-grained control:

from_mysql table="users", host="db.example.com", database="prod", tls={
  cacert: "/path/to/ca.pem",
  certfile: "/path/to/client-cert.pem",
  keyfile: "/path/to/client-key.pem",
}

The operator supports MySQL's caching_sha2_password authentication method and automatically maps MySQL data types to Tenzir types.

Use live=true to continuously stream new rows from a table. The operator tracks progress using a watermark on an integer column, polling for rows above the last-seen value:

from_mysql table="events", live=true, host="localhost", database="mydb"

By default, the tracking column is auto-detected from the table's auto-increment primary key. To specify one explicitly:

from_mysql table="events", live=true, tracking_column="event_id",
           host="localhost", database="mydb"

Bug Fixes

Improve write_lines operator performance

Feb 12, 2026 · @IyeOnline

We have significantly improved the performance of the write_lines operator.

Secret type support for user-defined operator parameters

Feb 12, 2026 · @mavam, @claude · #5752

User-defined operators in packages can now declare parameters with the secret type to ensure that secret values are properly handled as secret expressions:

args:
  positional:
    - name: api_key
      type: secret
      description: "API key to use for authentication"

merge() function recursive deep merge for nested records

Feb 5, 2026 · @mavam, @claude · #5728

The merge() function now performs a recursive deep merge when merging two records. Previously, nested fields were dropped when merging, so merge({hw: {sn: "XYZ123"}}, {hw: {model: "foobar"}}) would incorrectly produce {hw: {model: "foobar"}} instead of recursively merging the nested fields. The function now correctly produces {hw: {sn: "XYZ123", model: "foobar"}} by materializing both input records and performing a deep merge on them.

Bug Fixes

Fix sigma operator directory handling to load all rules

Feb 3, 2026 · @mavam, @claude · #5715

The sigma operator now correctly loads all rules when given a directory containing multiple Sigma rule files. Previously, only the last processed rule file would be retained because the rules collection was being cleared on every recursive directory traversal.

sigma "/path/to/sigma/rules"

All rules found in the directory and its subdirectories will now be loaded and used to match against input events.

Features

Raw message field support for read_syslog operator

Jan 27, 2026 · @mavam, @claude · #5687

The read_syslog operator now supports a raw_message parameter that preserves the original, unparsed syslog message in a field of your choice. This is useful when you need to retain the exact input for auditing, debugging, or compliance purposes.

When you specify raw_message=<field>, the operator stores the complete input message (including all lines for multiline messages) in the specified field. This works with all syslog formats, including RFC 5424, RFC 3164, and octet-counted messages.

For example:

read_syslog raw_message=original_input

This stores the unparsed message in the original_input field alongside the parsed structured fields like hostname, app_name, message, and others.

Bug Fixes

Fix overzealous constant evaluation in `if` statements

Jan 30, 2026 · @jachris · #5701

The condition of if statements is no longer erroneously evaluated early when it contains a lambda expression that references runtime fields.

Support decompression for Kafka operators

Jan 30, 2026 · @raxyte, @claude · #5697

Kafka connectors now support decompressing messages with zstd, lz4 and gzip.

Fix intermittent UTF-8 errors in JSON parser

Jan 29, 2026 · @jachris, @claude · #5698

The JSON parser no longer intermittently fails with "The input is not valid UTF-8" when parsing data containing multi-byte UTF-8 characters such as accented letters or emojis.

Fix assertion failure in replace operator when replacing with null

Jan 29, 2026 · @mavam, @claude · #5696

The replace operator no longer triggers an assertion failure when using with=null on data processed by operators like ocsf::cast.

load_file "dns.json"
read_json
ocsf::cast "dns_activity"
replace what="", with=null

Where operator optimization for optional fields

Jan 28, 2026 · @jachris, @claude

The where operator optimization now correctly handles optional fields marked with ?. Previously, the optimizer didn't account for the optional marker, which could result in incorrect query optimization. This fix ensures that optional field accesses are handled properly without affecting the optimization of regular field accesses.

Features

Periodic emission for summarize operator

Jan 22, 2026 · @tobim, @claude · #5605

The summarize operator now supports periodic emission of aggregation results at fixed intervals, enabling real-time streaming analytics and monitoring use cases.

Use the options named argument with frequency to emit results every N seconds:

summarize count(this), src_ip, options={frequency: 5s}

This emits aggregation results every 5 seconds, showing the count per source IP for events received during each interval:

{src_ip: 192.168.1.1, count: 42}
{src_ip: 192.168.1.2, count: 17}
// ... 5 seconds later ...
{src_ip: 192.168.1.1, count: 38}
{src_ip: 192.168.1.3, count: 9}

The mode parameter controls how aggregations behave across emissions:

Reset mode (default) resets aggregations after each emission, providing per-interval metrics:

summarize sum(bytes), options={frequency: 10s}
// Shows bytes per 10-second window

Cumulative mode accumulates values across emissions, providing running totals:

summarize sum(bytes), options={frequency: 10s, mode: "cumulative"}
// Shows total bytes seen so far

Update mode emits only when values change from the previous emission, reducing output noise in monitoring scenarios:

summarize count(this), severity, options={frequency: 1s, mode: "update"}
// Emits only when the count for a severity level changes

The operator always emits final results when the input stream ends, ensuring no data is lost.

AWS IAM authentication for load_sqs, save_sqs, from_s3, to_s3, from_kafka, and to_kafka

Jan 21, 2026 · @tobim, @claude · #5675

The load_sqs, save_sqs, from_s3, to_s3, from_kafka, and to_kafka operators now support AWS IAM authentication through a new aws_iam option. You can configure explicit credentials, assume IAM roles, use AWS CLI profiles, or rely on the default credential chain.

The aws_iam option accepts these fields:

• profile: AWS CLI profile name for credential resolution
• access_key_id: AWS access key ID
• secret_access_key: AWS secret access key
• session_token: AWS session token for temporary credentials
• assume_role: IAM role ARN to assume
• session_name: Session name for role assumption
• external_id: External ID for role assumption

Additionally, the SQS and Kafka operators accept a top-level aws_region option:

• For load_sqs and save_sqs: Configures the AWS SDK client region for queue URL resolution
• For from_kafka and to_kafka: Required for MSK authentication (used to construct the authentication endpoint URL)

You can also combine explicit credentials with role assumption. This uses the provided credentials to call STS AssumeRole and obtain temporary credentials for the assumed role:

load_sqs "my-queue", aws_iam={
  access_key_id: "AKIAIOSFODNN7EXAMPLE",
  secret_access_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  assume_role: "arn:aws:iam::123456789012:role/my-role"
}

For example, to load from SQS with a specific region:

load_sqs "my-queue", aws_region="us-east-1", aws_iam={
  access_key_id: "AKIAIOSFODNN7EXAMPLE",
  secret_access_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}

To use an AWS CLI profile:

load_sqs "my-queue", aws_iam={
  profile: "production"
}

To assume an IAM role:

from_s3 "s3://bucket/path", aws_iam={
  assume_role: "arn:aws:iam::123456789012:role/my-role",
  session_name: "tenzir-session",
  external_id: "unique-id"
}

For Kafka MSK authentication, the aws_region option is required:

from_kafka "my-topic", aws_region="us-east-1", aws_iam={
  profile: "production"
}

When no explicit credentials or profile are configured, operators use the AWS SDK's default credential provider chain, which checks environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY), AWS configuration files (~/.aws/credentials), EC2/ECS instance metadata, and other standard sources. This applies both when aws_iam is omitted entirely and when aws_iam is specified without access_key_id, secret_access_key, or profile.

RFC 6587 octet-counting support for syslog parsing

Jan 21, 2026 · @mavam, @claude

The parse_syslog function now supports RFC 6587 octet-counted framing, where syslog messages are prefixed with their byte length (for example, 65 <syslog-message>). This framing is commonly used in TCP-based syslog transport to handle message boundaries.

The new octet_counting parameter for parse_syslog offers three modes:

• Not specified (default): Auto-detect. The parser strips a length prefix if present and valid, otherwise parses the input as-is. This prevents false positives where input coincidentally starts with digits and a space.
• octet_counting=true: Require a length prefix. Emits a warning and returns null if the input lacks a valid prefix.
• octet_counting=false: Never strip a length prefix. Parse the input as-is.

Per-actor memory allocation tracking

Jan 12, 2026 · @IyeOnline · #5646

We have added support for per-actor/per-thread allocation tracking. When enabled, these stats will track which actor (or thread) allocated how much memory. This gives much more detailed insights into where memory is allocated. By default these detailed statistics are not collected, as they introduce a cost to every allocation.

Changes

Preserve original field order in ocsf::derive

Jan 20, 2026 · @mavam, @claude · #5673

The ocsf::derive operator now preserves original field order instead of reordering alphabetically. Derived enum/sibling pairs are inserted at the position of the first field, ordered alphabetically within each pair (e.g., activity_id before activity_name). Non-OCSF fields remain at their original positions.

For example, given the input:

{foo: 1, class_uid: 1001}

The output is now:

{foo: 1, class_name: "...", class_uid: 1001}

Previously, the output was alphabetically sorted:

{class_name: "...", class_uid: 1001, foo: 1}

Cleanup of existing directory markers in from_s3 and from_abs

Jan 19, 2026 · @jachris · #5670

The from_s3 and from_azure_blob_storage operators now also delete existing directory marker objects along the glob path when remove=true. Directory markers are zero-byte objects with keys ending in / that some cloud storage tools create. These artifacts can accumulate over time, increasing API costs and slowing down listing operations.

Bug Fixes

Stable memory usage for `from_http` server

Jan 23, 2026 · @raxyte · #5677

The from_http server now has a stable memory usage when used with a slow downstream, especially in situations where the client timeouts and retries requests.

Phantom pipeline entries with empty IDs

Jan 22, 2026 · @jachris, @claude · #5680

In rare cases, a phantom pipeline with an empty ID could appear in the pipeline list that couldn't be deleted through the API.

Correct multi-partition commits in `from_kafka`

Jan 12, 2026 · @raxyte, @codex · #5654

The from_kafka operator now commits offsets per partition and tracks partition EOFs based on the current assignment, preventing premature exits and cross-partition replays after restarts.

No more directory markers for S3 and Azure

@jachris · #5669

Deleting files from S3 or Azure Blob Storage via from_s3 or from_azure_blob_storage with the remove=true option no longer creates empty directory marker objects in the parent directory when the last file of the directory is deleted.

Features

Per-pipeline memory consumption metrics

Jan 5, 2026 · @jachris · #5644

The new tenzir.metrics.operator_buffers metrics track the total bytes and events buffered across all operators of a pipeline. The metrics are emitted every second and include:

• timestamp: The point in time when the data was recorded
• pipeline_id: The pipeline's unique identifier
• bytes: Total bytes currently buffered
• events: Total events currently buffered (for events only)

Use metrics "operator_buffers" to access these metrics.

XML parsing functions for TQL

Dec 30, 2025 · @mavam, @claude · #5640, #5645

The new parse_xml and parse_winlog functions parse XML strings into structured records, enabling analysis of XML-formatted logs and data sources.

The parse_xml function offers flexible XML parsing with XPath-based element selection, configurable attribute handling, namespace management, and depth limiting. It supports multiple match results as lists and handles both simple and complex XML structures.

The parse_winlog function specializes in parsing Windows Event Log XML format, automatically finding Event elements and transforming EventData/UserData sections into properly structured fields.

Both functions integrate with Tenzir's multi-series builder for schema inference and type handling.

Easy parallel pipeline execution

Dec 23, 2025 · @raxyte · #5632

The parallel operator executes a pipeline across multiple parallel pipeline instances to improve throughput for computationally expensive operations. It automatically distributes input events across the pipeline instances and merges their outputs back into a single stream.

Use the jobs parameter to specify how many pipeline instances to spawn. For example, to parse JSON in parallel across 4 pipeline instances:

from_file "input.ndjson"
read_lines
parallel 4 {
  this = line.parse_json()
}

Changes

Duplicate diagnostics only suppressed for 4 hours

Jan 12, 2026 · @raxyte, @claude · #5652

Repeated warnings and errors now resurface every 4 hours instead of being suppressed forever. Previously, once a diagnostic was shown, it would never appear again even if the underlying issue persisted. This change helps users notice recurring problems that may require attention.

Event-based rate limiting for throttle operator

Jan 9, 2026 · @raxyte · #5642

The throttle operator now rate-limits events instead of bytes. Use the rate option to specify the maximum number of events per window, weight to assign custom per-event weights, and drop to discard excess events instead of waiting. The operator also emits metrics for dropped events.

Bug Fixes

Unresponsive pipeline API

Jan 15, 2026 · @jachris · #5651

Previously, it was possible for the node to enter a state where the internal pipeline API was no longer responding, thus rendering the platform unresponsive.

Crashes during gRPC operator shutdown

Jan 14, 2026 · @mavam, @claude · #5661

We fixed bugs in several gRPC-based operators:

• A potential crash in from_velociraptor on shutdown.
• Potentially not publishing final messages in to_google_cloud_pubsub on shutdown.
• A concurrency bug in from_google_cloud_pubsub that could cause a crash.

Missing events when using `in` with `export`

Jan 14, 2026 · @raxyte · #5660

The export operator incorrectly skipped partitions when evaluating in predicates with uncertain membership. This caused queries like export | where field in [values...] to potentially miss matching events.

Fixed `from_kafka` not producing events

Jan 14, 2026 · @IyeOnline · #5659

We fixed a bug in from_kafka that would cause it to not produce events.

Socket leak in `from_http`

Jan 8, 2026 · @jachris, @claude · #5647

The from_http operator sometimes left sockets in CLOSE_WAIT state instead of closing them properly. This could lead to resource exhaustion on long-running nodes receiving many HTTP requests.

Timezone handling in static binary

Jan 7, 2026 · @tobim, @claude · #5649

The format_time and parse_time functions in the static binary now correctly use the operating system's timezone database.

Error propagation in every and cron operators

Dec 23, 2025 · @raxyte · #5632

The every and cron operators now correctly propagate errors from their subpipelines instead of silently swallowing them.

Bug Fixes

Length mismatch in expression evaluation for heterogeneous data

Dec 31, 2025 · @raxyte, @codex

Expression evaluation could produce a length mismatch when processing heterogeneous data, potentially causing assertion failures. This affected various operations including binary and unary operators, field access, indexing, and aggregation functions.

Assertion failure in deduplicate with count_field

Dec 30, 2025 · @raxyte

The deduplicate operator with count_field option could cause assertion failures when discarding events.

Graceful shutdown for save_tcp connector

Dec 29, 2025 · @raxyte · #5637

The save_tcp connector now gracefully shuts down on pipeline stop and connection failures. Previously, the connector could abort the entire application on exit.

Features

Use event timestamps for compaction rules

Dec 23, 2025 · @jachris · #5629

Compaction rules can now use event timestamps instead of import time when selecting data by age. Configure this using the new optional field key in the compaction configuration.

Previously, compaction always used the import time to determine which partitions to compact. Now you can specify any timestamp field from your events:

tenzir:
  compaction:
    time:
      rules:
        - name: compact-old-logs
          after: 7d
          field: timestamp  # Use event timestamp instead of import time
          pipeline: |
            summarize count=count(), src_ip

When field is not specified, compaction continues to use import time for backward compatibility.

Count dropped events in deduplicate operator

Dec 22, 2025 · @raxyte · #5622

The deduplicate operator now supports a count_field option that adds a field to each output event showing how many events were dropped for that key.

Example

from {x: 1, seq: 1}, {x: 1, seq: 2}, {x: 1, seq: 3}, {x: 1, seq: 4}
deduplicate x, distance=2, count_field=drop_count

{x: 1, seq: 1, drop_count: 0}
{x: 1, seq: 4, drop_count: 2}

Events that are the first occurrence of a key or that trigger output after expiration have a count of 0.

Platform TLS configuration

Dec 17, 2025 · @lava · #5559

The Tenzir Node now lets you configure the minimum TLS version and TLS ciphers accepted for the connection to the Tenzir Platform:

plugins:
  platform:
    tls-min-version: "1.2"
    tls-ciphers: "HIGH:!aNULL:!MD5"

Node-level TLS configuration for operators

Dec 17, 2025 · @IyeOnline · #5559

All operators and connectors that use TLS now support centralized node-level configuration. Instead of passing TLS options to each operator individually, you can configure them once in tenzir.yaml under tenzir.tls.

Arguments passed directly to the operator itself via an argument take precedence over the configuration entry.

The following options are available:

• enable: Enable TLS on all operators that support it
• skip-peer-verification: Disable certificate verification
• cacert: Path to a CA certificate bundle for server verification
• certfile: Path to a client certificate file
• keyfile: Path to a client private key file
• tls-min-version: Minimum TLS protocol version ("1.0", "1.1", "1.2", or "1.3")
• tls-ciphers: OpenSSL cipher list string

The later two options have also been added as operator arguments.

For server-mode operators (load_http server=true, load_tcp), mutual TLS (mTLS) authentication is now supported:

• tls-client-ca: Path to a CA certificate for validating client certificates
• tls-require-client-cert: Require clients to present valid certificates

These two options are also available as operator arguments.

Example configuration enforcing TLS 1.2+ with specific ciphers:

tenzir:
  tls:
    tls-min-version: "1.2"
    tls-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
    cacert: "/etc/ssl/certs/ca-certificates.crt"

Bug Fixes

Fixed default compaction rules for metrics and diagnostics

Dec 23, 2025 · @jachris · #5629

The default compaction rules for tenzir.metrics.* and tenzir.diagnostic events now correctly use the timestamp field instead of import time.

Previously, these built-in compaction rules relied on import time to determine which events to compact, which could lead to inconsistent results as the import time is not computed per-event. As a result, it was possible that metrics and diagnostics were not deleted even though they expired.

Bug Fixes

Fixed assertion failure when encountering duplicate keys

Dec 19, 2025 · @IyeOnline · #5612

We fixed an assertion failure and subsequent crash that could occur when parsing events that contain duplicate keys.

Improved Type Conflict Handling

Dec 16, 2025 · @IyeOnline · #5612

We resolved an issue that would appear when reading in lists (e.g. JSON []) where the elements had different types. Tenzir's type system at this time only supports storing a single type in a list. Our parsers resolve this issue by first attempting conversions (e.g. to a common numeric type) and turning all values into strings as a last resort. Previously this would however also break Tenzir's batch processing leading to significant performance loss. This has now been fixed.

Bug Fixes

Fixed `publish` operator dropping events

Dec 18, 2025 · @raxyte · #5618

The publish operator could drop events during flush operations. Events are now reliably delivered to subscribers.