This release improves log ingestion by extracting structured data from legacy syslog messages and aligns the bundled Suricata schema with Suricata 8. It also republishes the previous release, whose earlier release process failed.

Add Suricata schema types for IKE, HTTP2, PGSQL, and Modbus

Mar 17, 2026 · @tobim · #5914

The bundled Suricata schema now includes types for four previously missing event types: ike, http2, pgsql, and modbus.

The ike type supports both IKEv1 and IKEv2 traffic. Version-specific fields are contained within dedicated ikev1 and ikev2 sub-objects, covering key exchange payloads, nonce payloads, client proposals, vendor IDs, and IKEv2 role/notify information.

The http2 type models HTTP/2 request and response streams including settings frames, header lists, error codes, and stream priority.

The pgsql type covers PostgreSQL session events with full request fields (simple queries, startup parameters, SASL authentication) and response fields (row counts, command completion, parameter status).

The modbus type captures industrial Modbus protocol transactions including function codes, access types, exception responses, diagnostic subfunctions, and MEI encapsulated interface data.

Extract structured data from legacy syslog content

Mar 13, 2026 · @mavam, @codex · #5902

read_syslog and parse_syslog now extract a leading RFC 5424-style structured-data block from RFC 3164 message content.

This pattern occurs in practice with some VMware ESXi messages, where components such as Hostd emit a legacy RFC 3164 record whose message text starts with a bracketed block of structured metadata ahead of the human-readable text.

For example, this raw syslog line:

<166>2026-02-11T18:01:45.587Z esxi-01.example.invalid Hostd[2099494]: [Originator@6876 sub=Vimsvc.TaskManager opID=11111111-2222-3333-4444-555555555555] Task Completed

now parses as:

{
  facility: 20,
  severity: 6,
  timestamp: "2026-02-11T18:01:45.587Z",
  hostname: "esxi-01.example.invalid",
  app_name: "Hostd",
  process_id: "2099494",
  structured_data: {
    "Originator@6876": {
      sub: "Vimsvc.TaskManager",
      opID: "11111111-2222-3333-4444-555555555555",
    },
  },
  content: "Task Completed",
}

Events from which no structured-data block is extracted keep the existing syslog.rfc3164 schema; events with an extracted block use syslog.rfc3164.structured.
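The following Python is an added example, not Tenzir's read_syslog/parse_syslog implementation: it parses an RFC 3164 header, then scans the message content for leading RFC 5424-style SD-ELEMENTs and emits the same field layout as the output above. Two points are assumptions of this example rather than documented behaviour: parameter values may be either RFC 5424 quoted strings (with the `\"`, `\\` and `\]` escapes decoded) or bare tokens as ESXi writes them, and a bracketed prefix is only treated as structured data when it carries at least one `name=value` parameter, so an ordinary `[ERROR]` prefix stays in content. The non-ESXi sample lines are constructed for the example.

```python
"""Added example: extract a leading RFC 5424-style structured-data block from
RFC 3164 message content. Not Tenzir's implementation."""
import json
import re

# RFC 3164 header: <PRI>TIMESTAMP HOSTNAME TAG[PID]: MSG. ESXi writes an RFC 3339
# timestamp instead of the classic "Mmm dd hh:mm:ss" form, so both are accepted.
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})"
    r"|[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<app>[^\s\[:]+)(?:\[(?P<pid>[^\]]*)\])?: ?"
    r"(?P<msg>.*)\Z",
    re.DOTALL,
)
_SD_NAME = re.compile(r'[^\s=\]"]+')  # SD-ID or PARAM-NAME
_BARE = re.compile(r"[^\s\]]*")       # unquoted value (ESXi style, assumption)


def _parse_sd(msg):
    """Return (structured_data, remaining_content).

    structured_data is None unless msg starts with one or more well-formed
    elements that each carry at least one parameter. Any malformed element
    aborts extraction and the whole message is kept as content.
    """
    sd, pos = {}, 0
    while pos < len(msg) and msg[pos] == "[":
        m = _SD_NAME.match(msg, pos + 1)
        if not m:
            return None, msg
        sd_id, pos, params = m.group(0), m.end(), {}
        while pos < len(msg) and msg[pos] == " ":
            pos += 1
            m = _SD_NAME.match(msg, pos)
            if not m or m.end() >= len(msg) or msg[m.end()] != "=":
                return None, msg
            name, pos = m.group(0), m.end() + 1
            if pos < len(msg) and msg[pos] == '"':  # RFC 5424 quoted value
                pos, chars = pos + 1, []
                while True:
                    if pos >= len(msg):
                        return None, msg  # unterminated quoted value
                    c = msg[pos]
                    if c == "\\" and pos + 1 < len(msg) and msg[pos + 1] in '"\\]':
                        chars.append(msg[pos + 1])
                        pos += 2
                    elif c == '"':
                        pos += 1
                        break
                    else:
                        chars.append(c)
                        pos += 1
                params[name] = "".join(chars)
            else:  # bare token, as in the ESXi example
                m = _BARE.match(msg, pos)
                params[name], pos = m.group(0), m.end()
        if not params or pos >= len(msg) or msg[pos] != "]":
            return None, msg
        pos += 1
        sd[sd_id] = params
    if not sd:
        return None, msg
    return sd, msg[pos:].lstrip(" ")


def parse_syslog(line):
    """Parse one RFC 3164 line into the field layout shown in the release note."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 3164 record: %r" % line)
    pri = int(m["pri"])
    event = {
        "facility": pri >> 3,
        "severity": pri & 7,
        "timestamp": m["ts"],
        "hostname": m["host"],
        "app_name": m["app"],
        "process_id": m["pid"],
    }
    sd, content = _parse_sd(m["msg"])
    if sd is not None:
        event["structured_data"] = sd
    event["content"] = content
    return event


def schema_name(event):
    """Schema selection as described in the release note."""
    return "syslog.rfc3164.structured" if "structured_data" in event else "syslog.rfc3164"


# The ESXi line from the release note, plus two constructed samples.
ESXI_LINE = ("<166>2026-02-11T18:01:45.587Z esxi-01.example.invalid Hostd[2099494]: "
             "[Originator@6876 sub=Vimsvc.TaskManager opID=11111111-2222-3333-4444-555555555555] Task Completed")
PLAIN_LINE = "<13>Feb 11 18:01:46 host1 sshd[123]: [ERROR] disk full"
ESCAPED_LINE = (r'<34>2026-02-11T18:02:00Z host2 app[7]: '
                r'[exampleSDID@32473 iut="3" eventSource="App\"lication" note="a\]b"][x@1 k="v"] text [not sd]')

if __name__ == "__main__":
    for line in (ESXI_LINE, PLAIN_LINE, ESCAPED_LINE):
        ev = parse_syslog(line)
        print(schema_name(ev), json.dumps(ev, indent=2))
```

Note that every key in structured_data, including the SD-ID such as Originator@6876, is copied straight from the message: any host able to write to the collector can forge it, so a detection that keys on these fields should treat them as sender-asserted, not as evidence of which component produced the event.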

Mar 10, 2026 · @IyeOnline, @satta · #5888

The bundled Suricata schema now aligns with Suricata 8, enabling proper parsing and representation of events from Suricata 8 deployments.

This update introduces support for new event types including POP3, ARP, and BitTorrent DHT, along with enhancements to existing event types. QUIC events now include ja4 and ja4s fields for fingerprinting, DHCP events include vendor_class_identifier, and TLS certificate timestamps now use the precise time type instead of string representation.

These schema changes ensure that Tenzir can reliably ingest and process telemetry from Suricata 8 without data loss or type mismatches.

Mar 11, 2026 · @jachris · #5893

Fixed an issue where, in some situations, pipelines could not be started, leading to timeouts and an unresponsive node, especially during node startup.

Prevent where/map assertion crash on sliced list batches

Mar 10, 2026 · @IyeOnline, @codex · #5886

Pipelines using chained list transforms such as xs.where(...).map(...).where(...) no longer trigger an internal assertion on sliced input batches.

Graceful handling of Google Cloud Pub/Sub authentication errors

Mar 9, 2026 · @mavam, @codex · #5877

Invalid Google Cloud credentials in from_google_cloud_pubsub no longer crash the node. Authentication errors now surface as operator diagnostics instead.