This patch release fixes several correctness and performance issues across parsing, querying, and storage, and completes Suricata 8 schema coverage.
🚀 Features
Add store origin metadata to feather files
Mar 17, 2026 · @tobim
Feather store files now include a TENZIR:store:origin key in the Arrow table
schema metadata. The value is "ingest" for freshly ingested data, "rebuild"
for partitions created by the rebuild command, and "compaction" for partitions
created by the compaction plugin. This allows external tooling such as pyarrow
to distinguish how a partition was produced.
Improved Clickhouse Usability
Mar 11, 2026 · @IyeOnline, @codex, @mavam, @raxyte · #5897
The to_clickhouse operator now supports dynamic table names via an expression
table=..., which must evaluate to a string. If the value is not a valid
table name, the events will be dropped with a warning.
With this change, the operator will also create a database if it does not exist.
The prime use case for this is OCSF event streams:

subscribe "ocsf"
ocsf::cast encode_variants=true, null_fill=true
to_clickhouse table=f"ocsf.{class_name.replace(" ","_")}", ...

Install Tenzir via Homebrew on macOS
You can now install Tenzir on Apple Silicon macOS via Homebrew:

brew tap tenzir/tenzir
brew install --cask tenzir

You can also install directly without tapping first:

brew install --cask tenzir/tenzir/tenzir

The release workflow keeps the Homebrew cask in sync with the signed macOS package so installs and uninstalls stay current across releases.
🔧 Changes
Correct AWS Marketplace container image
The AWS Marketplace ECR repository tenzir-node was incorrectly populated with
the tenzir image. It now correctly ships tenzir-node, which runs a Tenzir
node by default.
If you relied on the previous behavior, you can restore it by setting tenzir
as a custom entrypoint in your ECS task definition.
Add Suricata schema types for IKE, HTTP2, PGSQL, and Modbus
The bundled Suricata schema now covers the remaining event types listed in the Suricata 8.0.3 EVE JSON format documentation: IKE (IKEv1/IKEv2), HTTP/2, PostgreSQL, and Modbus. This completes Suricata 8 schema coverage for Tenzir.
🐞 Bug Fixes
Support long syslog structured-data parameter names
The read_syslog operator and parse_syslog function now accept RFC 5424 structured-data parameter names longer than 32 characters, which some vendors emit despite the specification limit.
For example, this message now parses successfully instead of being rejected:
<134>1 2026-03-18T11:00:51.194137+01:00 HOSTNAME abc 9043 23003147 [F5@12276 thx_f5_for_ignoring_the_32_char_limit_in_structured_data="thx"] broken example

This improves interoperability with vendor syslog implementations that exceed the RFC limit for structured-data parameter names.
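As an added illustration (not Tenzir's own parser), the Python below parses the message above leniently: it accepts structured-data names beyond the 32-character limit of RFC 5424 but reports them, so a pipeline can still flag the non-conforming vendor. The names `parse_syslog` and `parse_structured_data` are hypothetical, and the sample message is constructed from the one quoted in this note.

```python
import re

SD_NAME_LIMIT = 32   # RFC 5424 cap on SD-ID / PARAM-NAME length; some vendors exceed it
_NAME_RE = re.compile(r'[^=\s\]"]+')          # printable, no '=', SP, ']' or '"'
_VALUE_RE = re.compile(r'(?:[^"\\]|\\.)*')    # PARAM-VALUE body, escapes kept

# Constructed sample, copied from the vendor message quoted in this release note.
SAMPLE = ('<134>1 2026-03-18T11:00:51.194137+01:00 HOSTNAME abc 9043 23003147 '
          '[F5@12276 thx_f5_for_ignoring_the_32_char_limit_in_structured_data="thx"] '
          'broken example')

def parse_structured_data(text, pos=0):
    """Parse STRUCTURED-DATA at `pos`; return (elements, over_limit_names, end)."""
    if text.startswith("-", pos):             # NILVALUE: no structured data
        return {}, [], pos + 1
    if not text.startswith("[", pos):
        raise ValueError(f"expected STRUCTURED-DATA at offset {pos}")
    elements, over_limit = {}, []
    while text.startswith("[", pos):
        m = _NAME_RE.match(text, pos + 1)
        if not m:
            raise ValueError(f"missing SD-ID at offset {pos}")
        sd_id, pos, params = m.group(0), m.end(), {}
        while text.startswith(" ", pos):      # zero or more SD-PARAMs
            m = _NAME_RE.match(text, pos + 1)
            if not m or not text.startswith('="', m.end()):
                raise ValueError(f"malformed SD-PARAM at offset {pos}")
            v = _VALUE_RE.match(text, m.end() + 2)
            if not text.startswith('"', v.end()):
                raise ValueError("unterminated PARAM-VALUE")
            # Only '"', '\' and ']' are backslash-escaped inside PARAM-VALUE.
            params[m.group(0)] = re.sub(r'\\([\\"\]])', r'\1', v.group(0))
            pos = v.end() + 1
        if not text.startswith("]", pos):
            raise ValueError(f"expected ']' at offset {pos}")
        pos += 1
        elements[sd_id] = params
        over_limit += [n for n in (sd_id, *params) if len(n) > SD_NAME_LIMIT]
    return elements, over_limit, pos

def parse_syslog(line):
    """Split an RFC 5424 message into header fields, structured data and MSG."""
    parts = line.split(" ", 6)
    if len(parts) < 7:
        raise ValueError("truncated header")
    pri_ver, ts, host, app, procid, msgid, rest = parts
    sd, over_limit, end = parse_structured_data(rest)
    return {"pri_version": pri_ver, "timestamp": ts, "hostname": host, "app_name": app,
            "procid": procid, "msgid": msgid, "structured_data": sd,
            "over_limit_names": over_limit, "message": rest[end:].lstrip(" ")}
```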
Fix batch timeout to flush asynchronously
Mar 14, 2026 · @aljazerzen · #5906
The batch timeout was only checked when a new event arrived, so a single event followed by an idle stream would never be emitted. The timeout now fires independently of upstream activity.
Fix parse_winlog batch splitting
Mar 13, 2026 · @jachris · #5901
The parse_winlog function could fragment output into thousands of tiny
batches due to type conflicts in RenderingInfo/Keywords, where events with
one <Keyword> emitted a string but events with multiple emitted a list.
Additionally, EventData with unnamed <Data> elements is now always emitted
as a record with _0, _1, etc. as field names instead of a list.
Optimize in operator and fix eq/neq null semantics
Mar 12, 2026 · @jachris · #5899
The in operator for list expressions is up to 33x faster. Previously it
created and finalized entire Arrow arrays for every element comparison, causing
severe overhead for expressions like EventID in [5447, 4661, ...].
Additionally, comparing a typed null value with == now returns false instead
of null, and != returns true, fixing a correctness issue with null
handling in equality comparisons.
Fix secret comparison bypass in in operator fast path
Mar 12, 2026 · @jachris · #5899
The in operator fast path now correctly prevents comparison of secret values.
Previously, secret_value in [...] would silently compare instead of returning
null with a warning, bypassing the established secret comparison policy.
Fix pattern equality ignoring case-insensitive flag
Mar 12, 2026 · @jachris · #5900
Pattern equality checks now correctly consider the case-insensitive flag. Previously, two patterns that differed only in case sensitivity were treated as equal, violating the hash/equality contract.
Fix over-reservation in partition_array for string/blob types
Mar 12, 2026 · @jachris · #5899
Splitting Arrow arrays for string and blob types no longer over-reserves memory. Previously both output builders reserved the full input size each, using up to twice the necessary memory.