# Tenzir Node v5.13.0

This release enhances UDP ingestion with the new `from_udp` operator that produces structured events with sender metadata. We also improved the execution model for `every` and `cron` subpipelines, added DNS lookup capabilities, and made the Syslog parser more flexible.

## 🚀 Features

### Context for `assert` operator

Aug 20, 2025 · [@raxyte](https://github.com/raxyte) · [#5433](https://github.com/tenzir/tenzir/pull/5433)

The `assert` operator now has a `message` option that can be used to provide context about the event failing the assertion.

### More lenient RFC 3164 Syslog parsing

Aug 20, 2025 · [@IyeOnline](https://github.com/IyeOnline) · [#5426](https://github.com/tenzir/tenzir/pull/5426)

Our syslog parser now allows a `.` character in the tag/`app_name` field and any character in the `process_id` field. This lets you parse a log line such as:

```plaintext
<21>Aug 18 12:00:00 hostname_redacted .NetRuntime[-]: content...
```

```tql
{
  facility: 2,
  severity: 5,
  timestamp: "Aug 18 12:00:00",
  hostname: "hostname_redacted",
  app_name: ".NetRuntime",
  process_id: "-",
  content: "content...",
}
```
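To show how the relaxed tag and process ID rules change what is accepted, here is a small RFC 3164 parser in Python. It is an added example, not Tenzir's implementation: the `STRICT` grammar is an assumed stricter reading used only for comparison, and the second sample line is constructed.

```python
import re

def build(tag, pid):
    """Compile <PRI>TIMESTAMP HOSTNAME TAG[PID]: CONTENT with pluggable TAG/PID classes."""
    return re.compile(
        r"^<(?P<pri>\d{1,3})>"
        r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
        r"(?P<hostname>\S+) "
        rf"(?P<app_name>{tag})(?:\[(?P<process_id>{pid})\])?: ?"
        r"(?P<content>.*)$"
    )

# Assumed strict grammar for comparison: alphanumeric tag, numeric PID.
STRICT = build(r"[A-Za-z0-9]+", r"\d+")
# Lenient grammar as the release note describes it: '.' allowed in the tag,
# any character (up to the closing bracket) in the process ID.
LENIENT = build(r"[\w./-]+", r"[^\]]*")

def parse(line, pattern=LENIENT):
    """Return the event fields, or None if the line does not match."""
    m = pattern.match(line)
    if m is None:
        return None
    pri = int(m["pri"])
    if pri > 191:  # highest valid PRI: facility 23 * 8 + severity 7
        return None
    return {
        "facility": pri >> 3,  # PRI = facility * 8 + severity
        "severity": pri & 7,
        "timestamp": m["timestamp"],
        "hostname": m["hostname"],
        "app_name": m["app_name"],
        # Free-form string: downstream code must not assume a numeric PID.
        "process_id": m["process_id"],
        "content": m["content"],
    }

# Constructed sample lines; the first is the one from the release note.
SAMPLES = [
    "<21>Aug 18 12:00:00 hostname_redacted .NetRuntime[-]: content...",
    "<34>Oct 11 22:14:15 host1 sshd[4721]: session opened",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(parse(line, STRICT) is not None, parse(line))
```
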

### `contains_null(x:any)`

Aug 13, 2025 · [@raxyte](https://github.com/raxyte) · [#5419](https://github.com/tenzir/tenzir/pull/5419)

We added a new `contains_null` function that checks if the input value contains any `null` values.

### Perform inline DNS lookups

Aug 11, 2025 · [@mavam](https://github.com/mavam), [@IyeOnline](https://github.com/IyeOnline) · [#5379](https://github.com/tenzir/tenzir/pull/5379)

The new `dns_lookup` operator enables DNS resolution for both IP addresses and domain names. It performs reverse PTR lookups for IP addresses and forward A/AAAA lookups for hostnames, returning structured results with hostnames or IP addresses with their types and TTLs.

Resolve a domain name to IP addresses:

```tql
from {
  host: "example.com"
}
dns_lookup host
```

```tql
{
  host: "example.com",
  dns_lookup: {
    records: [
      {
        address: 2600:1406:3a00:21::173e:2e65,
        type: "AAAA",
        ttl: 58s,
      },
      {
        address: 23.215.0.136,
        type: "A",
        ttl: 2.433333333333333min,
      },
      // ... more records
    ],
  },
}
```

Resolve an IP address to a hostname:

```tql
from {
  ip: 8.8.8.8
}
dns_lookup ip
```

```tql
{
  ip: 8.8.8.8,
  dns_lookup: {
    hostname: "dns.google",
  },
}
```
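A PTR record is set by whoever controls the reverse zone for an address, so a hostname obtained from a reverse lookup is an unverified claim until a forward lookup of that name returns the same address. The following Python sketch is an added example, not part of Tenzir: it applies that forward-confirmation check to results shaped like the `dns_lookup` output above, using constructed resolver data and a hypothetical `confirmed` field.

```python
import ipaddress

# Constructed resolver data standing in for live DNS. 203.0.113.7 is a
# documentation address whose PTR record claims a name it does not own.
PTR = {
    "8.8.8.8": "dns.google",
    "2001:4860:4860::8888": "dns.google",
    "203.0.113.7": "dns.google",
}
FORWARD = {
    "dns.google": [
        {"address": "8.8.8.8", "type": "A"},
        {"address": "8.8.4.4", "type": "A"},
        {"address": "2001:4860:4860::8888", "type": "AAAA"},
    ],
}

def enrich(event, field="ip", reverse=PTR.get, forward=FORWARD.get):
    """Attach the PTR hostname plus a hypothetical `confirmed` flag.

    `confirmed` is True only when a forward A/AAAA lookup of the PTR
    hostname returns the original address (forward-confirmed reverse DNS).
    """
    ip = ipaddress.ip_address(event[field])
    hostname = reverse(str(ip))  # canonical text form as the lookup key
    records = (forward(hostname) or []) if hostname else []
    # Compare parsed addresses so differing IPv6 spellings still match.
    confirmed = any(ipaddress.ip_address(r["address"]) == ip for r in records)
    return {**event, "dns_lookup": {"hostname": hostname, "confirmed": confirmed}}

if __name__ == "__main__":
    for ip in ("8.8.8.8", "203.0.113.7", "192.0.2.1"):
        print(enrich({"ip": ip}))
```
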

### Receive UDP datagrams as events

Aug 8, 2025 · [@mavam](https://github.com/mavam) · [#5375](https://github.com/tenzir/tenzir/pull/5375)

The new `from_udp` operator receives UDP datagrams and outputs structured events containing both the data and peer information.

Unlike `load_udp`, which outputs raw bytes, `from_udp` produces events with metadata about the sender, making it ideal for security monitoring and network analysis where knowing the source of each datagram is important.

Each received datagram becomes an event with this structure:

```tql
from_udp "0.0.0.0:1234"
```

```tql
{
  data: "Hello, UDP!\n",
  peer: {
    ip: 192.168.1.100,
    port: 54321,
  },
}
```

Enable DNS resolution of the peer's hostname (disabled by default for performance):

```tql
from_udp "0.0.0.0:1234", resolve_hostnames=true
```

```tql
{
  data: "Hello, UDP!\n",
  peer: {
    ip: 192.168.1.100,
    port: 54321,
    hostname: "client.example.com",
  },
}
```

## 🔧 Changes

### Deprecation of `split_at_null` option of `read_lines`

Aug 20, 2025 · [@jachris](https://github.com/jachris) · [#5431](https://github.com/tenzir/tenzir/pull/5431)

The `split_at_null` option of the `read_lines` operator is now deprecated. Use `read_delimited "\0"` instead.

### Sorting Improvements

Aug 19, 2025 · [@IyeOnline](https://github.com/IyeOnline) · [#5425](https://github.com/tenzir/tenzir/pull/5425)

We reworked the internals of the `sort` operator. You can now sort events more reliably when using lists or records as keys. Lists are compared lexicographically by their values, while records are compared by their sorted key-value pairs.

### `every` and `cron` subpipelines

Aug 13, 2025 · [@raxyte](https://github.com/raxyte) · [#5410](https://github.com/tenzir/tenzir/pull/5410)

We changed the execution model for `every` and `cron` subpipelines, resulting in:

* operators such as `context::load` now execute properly.
* subpipelines can contain both `remote` and `local` operators.
* subpipelines must not accept or output bytes.

### Amazon Security Lake

Aug 11, 2025 · [@mavam](https://github.com/mavam), [@IyeOnline](https://github.com/IyeOnline) · [#5412](https://github.com/tenzir/tenzir/pull/5412)

We have made two convenience changes to the `to_amazon_security_lake` operator:

* The `role` parameter now defaults to the automatically generated role for the custom source in Security Lake. If you are using a different role, you can still specify it.
* The operator now uses UUIDv7 for the names of the files written into the Security Lake’s blob storage. Since UUIDv7 is time ordered, inspecting the files in the lake becomes slightly easier.

## 🐞 Bug Fixes

### Rare crash in `save_tcp` operator

Aug 12, 2025 · [@jachris](https://github.com/jachris) · [#5420](https://github.com/tenzir/tenzir/pull/5420)

We fixed a rare shutdown crash in the `save_tcp` operator.

[Download on GitHub](https://github.com/tenzir/tenzir/releases/tag/v5.13.0): get the release artifacts and source code.