Upgrade from 6.0.4 to 7.0.5

We are in the unfortunate position of having to upgrade from 6.0.4 to 7.0.5 and are duly nervous.

Is there anything in particular to watch for? I have looked at NEWS and CHANGES and obviously, the changes from 6.0.4 to 7.0.5 are many.

I was thinking of taking some existing btests, running the traces in 6.0.4 as a baseline and then comparing in 7.0.5? Maybe my thinking is wrong and tests will break due to some changes?

What are the best practices for upgrading?

1 Like

Not sure about best practices, but running a separate instance/infrastructure for the next version and comparing differences with your production environment is one approach. Or, having existing integration tests replaying defined traffic and doing checking on the logs.

If you have the ability to capture some of your production traffic as a PCAP, you could also run zeek -r with Zeek 6 and Zeek 7 and look for any surprising discrepancies (which we’d be happy to hear about). Make sure you’re loading any custom scripts for both versions, too.

1 Like
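One way to carry out the `zeek -r` comparison suggested above, as an added example that is not part of the original thread or of Zeek's own tooling: it parses two default TSV logs and reports schema changes, missing rows and changed values. Matching rows on `ts` plus the connection endpoints and ignoring `uid` (which may differ between runs) are assumptions of this example, and the sample logs, including the field `example_added`, are constructed.

```python
# Added example: diff two Zeek TSV logs written by `zeek -r` under two versions.
KEY = ("ts", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p")

def parse_zeek_tsv(text):
    """Return (fields, rows) from a Zeek TSV log; rows are dicts keyed by field name."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return fields, rows

def compare_logs(old_text, new_text, key=KEY, ignore=("uid",)):
    """Report schema changes, rows present on one side only, and changed values."""
    old_fields, old_rows = parse_zeek_tsv(old_text)
    new_fields, new_rows = parse_zeek_tsv(new_text)
    # Only fields present in both versions can be compared value by value.
    common = [f for f in old_fields if f in new_fields and f not in ignore]
    index = lambda rows: {tuple(r[k] for k in key): r for r in rows}
    old, new = index(old_rows), index(new_rows)
    changed = {}
    for k in sorted(old.keys() & new.keys()):
        diff = {f: (old[k][f], new[k][f]) for f in common if old[k][f] != new[k][f]}
        if diff:
            changed[k] = diff
    return {
        "fields_removed": [f for f in old_fields if f not in new_fields],
        "fields_added": [f for f in new_fields if f not in old_fields],
        "only_in_old": sorted(old.keys() - new.keys()),
        "only_in_new": sorted(new.keys() - old.keys()),
        "changed": changed,
    }

def _log(fields, *rows):
    """Build a constructed Zeek-style TSV log for the demo."""
    head = ["#separator \\x09", "#path\tconn", "#fields\t" + "\t".join(fields)]
    return "\n".join(head + ["\t".join(r) for r in rows] + ["#close\t2025-01-01-00-00-00"])

# Constructed sample data: every value below is made up for illustration.
BASE = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "service"]
OLD = _log(BASE,
           ["1700000000.000001", "CaaaOLD1", "10.0.0.5", "50000", "192.0.2.10", "443", "ssl"],
           ["1700000001.000002", "CbbbOLD2", "10.0.0.6", "50001", "192.0.2.53", "53", "dns"])
NEW = _log(BASE + ["example_added"],
           ["1700000000.000001", "CxxxNEW1", "10.0.0.5", "50000", "192.0.2.10", "443", "ssl,quic", "-"])

if __name__ == "__main__":
    from pprint import pprint
    pprint(compare_logs(OLD, NEW))
```

For real runs, read the same log file (for example `conn.log`) from each version's output directory and pass both texts to `compare_logs`; a row that appears only in the old output is a record the new version no longer produces.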

Thank you, I will do this and post any pertinent info here.

1 Like

Hi, I am just setting up 7.0.5 and have run into an issue setting up a broker. Perhaps it's just me, but if you run into any issues, please let me know, especially if you solve them. I will do the same.

If you describe the issue, perhaps someone will be able to help you 🙂

Sure thing! When I install broker using pip, I get the error that the “Endpoint not found”.

broker version: 0.6.5
zeek version: 7.0.5

The script used:

import broker
with broker.Endpoint() as ep:
    ...  # do the thing

I have read that Zeek needs to be paired with a specific version of broker. Is this true? If so, what version should I be using?

Edit:
Found announcement: Introducing Zeek 7.1

Error persists after updating to 7.1.0:

Compiling broker and its submodules. I'll update when done.

update
Working with test example:

Error persists after updating to 7.1.0:

Instead of using broker from pip or compiling it by hand, could you adapt PYTHONPATH for test-broker.py to point to your Zeek 7.1 installation’s lib/zeek/python directory?

Within the 7.1 container images, this works fine, it should be the same on your local system. You might need to adapt /usr/local/zeek to the prefix used at ./configure time.

$ docker run --rm -it zeek/zeek:7.1
root@a299bcb956a8:/# PYTHONPATH=.:/usr/local/zeek/lib/zeek/python python3
Python 3.11.2 (main, Sep 14 2024, 03:00:30) [GCC 12.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import broker
>>> print(broker)
<module 'broker' from '/usr/local/zeek/lib/zeek/python/broker/__init__.py'>
>>> broker.Endpoint()
ff835a78-f640-554c-9f85-0595cd8b3df1

Hope this helps, Arne.

1 Like

I sure can, thanks for the tip! I am working on getting the broker to work in C++, but writing Zeek scripts using the broker works fine as well now.

I have a couple of questions now that Docker was brought up:

  1. Is there a significant performance penalty when running Zeek in a container or is it negligible?

  2. How do you manage your migrations to different versions of Zeek?