# Tenzir Node v5.29.0

This release improves log ingestion by extracting structured data from legacy syslog messages and aligning the bundled schema with Suricata 8. It also republishes the previous release after an error in the earlier release process.

## 🚀 Features

### Add Suricata schema types for IKE, HTTP2, PGSQL, and Modbus

Mar 17, 2026 · [@tobim](https://github.com/tobim) · [#5914](https://github.com/tenzir/tenzir/pull/5914)

The bundled Suricata schema now includes types for four previously missing event types: `ike`, `http2`, `pgsql`, and `modbus`.

The `ike` type supports both IKEv1 and IKEv2 traffic. Version-specific fields are contained within dedicated `ikev1` and `ikev2` sub-objects, covering key exchange payloads, nonce payloads, client proposals, vendor IDs, and IKEv2 role/notify information.

The `http2` type models HTTP/2 request and response streams including settings frames, header lists, error codes, and stream priority.

The `pgsql` type covers PostgreSQL session events with full request fields (simple queries, startup parameters, SASL authentication) and response fields (row counts, command completion, parameter status).

The `modbus` type captures industrial Modbus protocol transactions including function codes, access types, exception responses, diagnostic subfunctions, and MEI encapsulated interface data.

### Extract structured data from legacy syslog content

Mar 13, 2026 · [@mavam](https://github.com/mavam), [@codex](https://github.com/codex) · [#5902](https://github.com/tenzir/tenzir/pull/5902)

`read_syslog` and `parse_syslog` now extract a leading RFC 5424-style structured-data block from RFC 3164 message content.

This pattern occurs in practice with some VMware ESXi messages, where components such as `Hostd` emit a legacy syslog record and prepend structured metadata before the human-readable message text.

For example, this raw syslog line:

```text
<166>2026-02-11T18:01:45.587Z esxi-01.example.invalid Hostd[2099494]: [Originator@6876 sub=Vimsvc.TaskManager opID=11111111-2222-3333-4444-555555555555] Task Completed
```

now parses as:

```tql
{
  facility: 20,
  severity: 6,
  timestamp: "2026-02-11T18:01:45.587Z",
  hostname: "esxi-01.example.invalid",
  app_name: "Hostd",
  process_id: "2099494",
  structured_data: {
    "Originator@6876": {
      sub: "Vimsvc.TaskManager",
      opID: "11111111-2222-3333-4444-555555555555",
    },
  },
  content: "Task Completed",
}
```

Events without extracted structured data keep the existing `syslog.rfc3164` schema. Events with extracted structured data use `syslog.rfc3164.structured`.
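The extraction described above, sketched in Python as an added example (not Tenzir's implementation). The function name `parse_legacy_syslog`, the ISO 8601 timestamp requirement, and the acceptance rule (a leading `[SD-ID name=value ...]` block with at least one parameter, values quoted or bare) are assumptions of this sketch.

```python
import re

# Header of a legacy record as in the sample line: <PRI>TIMESTAMP HOST APP[PID]: CONTENT
# (assumption: timestamp is a single ISO 8601 token).
HEADER = re.compile(
    r"<(?P<pri>\d{1,3})>(?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<app_name>[^\s\[:]+)(?:\[(?P<process_id>\d+)\])?: ?(?P<content>.*)",
    re.S,
)
NAME = r'[^\s=\]"]+'                              # SD-ID or parameter name
VALUE = r'(?:"((?:[^"\\\]]|\\.)*)"|([^\s\]"]+))'  # quoted (RFC 5424) or bare (ESXi)
PARAM = re.compile(rf" ({NAME})={VALUE}")
ELEMENT = re.compile(rf"\[({NAME})((?: {NAME}={VALUE})+)\]")

def parse_legacy_syslog(line):
    """Parse one legacy syslog line; lift leading structured-data blocks out of content."""
    m = HEADER.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    pri = int(fields.pop("pri"))
    event = {"facility": pri >> 3, "severity": pri & 7, **fields}
    content, sd = event["content"], {}
    # Consume consecutive SD elements; "[warning] ..." has no name=value and stays content.
    while (el := ELEMENT.match(content)):
        params = {}
        for name, quoted, bare in PARAM.findall(el.group(2)):
            # Undo the RFC 5424 escapes \" \\ \] in quoted values.
            params[name] = bare or re.sub(r'\\(["\\\]])', r"\1", quoted)
        sd[el.group(1)] = params
        content = content[el.end():]
    if sd:
        event["structured_data"] = sd
        event["content"] = content.lstrip(" ")
    # Schema names as given in the release note.
    event["schema"] = "syslog.rfc3164.structured" if sd else "syslog.rfc3164"
    return event

if __name__ == "__main__":
    # Constructed sample lines; the first is the example from the release note.
    for sample in (
        "<166>2026-02-11T18:01:45.587Z esxi-01.example.invalid Hostd[2099494]: "
        "[Originator@6876 sub=Vimsvc.TaskManager "
        "opID=11111111-2222-3333-4444-555555555555] Task Completed",
        "<166>2026-02-11T18:01:46.000Z esxi-01.example.invalid Hostd[2099494]: "
        "[warning] disk latency high",
    ):
        print(parse_legacy_syslog(sample))
```

The second sample shows why the parameter requirement matters: a bracketed prefix such as `[warning]` is ordinary message text and must not be mistaken for structured data.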

### Support for Suricata 8 schema

Mar 10, 2026 · [@IyeOnline](https://github.com/IyeOnline), [@satta](https://github.com/satta) · [#5888](https://github.com/tenzir/tenzir/pull/5888)

The bundled Suricata schema now aligns with Suricata 8, enabling proper parsing and representation of events from Suricata 8 deployments.

This update introduces support for new event types including POP3, ARP, and BitTorrent DHT, along with enhancements to existing event types. QUIC events now include `ja4` and `ja4s` fields for fingerprinting, DHCP events include `vendor_class_identifier`, and TLS certificate timestamps now use the precise `time` type instead of a string representation.

These schema changes ensure that Tenzir can reliably ingest and process telemetry from Suricata 8 without data loss or type mismatches.

## 🐞 Bug Fixes

### Fix pipeline startup timeouts

Mar 11, 2026 · [@jachris](https://github.com/jachris) · [#5893](https://github.com/tenzir/tenzir/pull/5893)

This release fixes an issue where, in some situations, pipelines could not be started successfully, leading to timeouts and a non-responsive node, especially during node start.

### Prevent where/map assertion crash on sliced list batches

Mar 10, 2026 · [@IyeOnline](https://github.com/IyeOnline), [@codex](https://github.com/codex) · [#5886](https://github.com/tenzir/tenzir/pull/5886)

Pipelines using chained list transforms such as `xs.where(...).map(...).where(...)` no longer trigger an internal assertion on sliced input batches.

### Graceful handling of Google Cloud Pub/Sub authentication errors

Mar 9, 2026 · [@mavam](https://github.com/mavam), [@codex](https://github.com/codex) · [#5877](https://github.com/tenzir/tenzir/pull/5877)

Invalid Google Cloud credentials in `from_google_cloud_pubsub` no longer crash the node. Authentication errors now surface as operator diagnostics instead.

[Download on GitHub](https://github.com/tenzir/tenzir/releases/tag/v5.29.0): get the release artifacts and source code.