Zeek Newsletter - Issue 51 - May 2025

Welcome to the Zeek Newsletter.

In this Issue:

  • Slack Cleanup and Survey Launch
  • Zeek Tip of the Month (NEW!): Working with JSON input
  • Community Call Recap
  • Development Highlights
  • From the Blog: Are Spicy parsers slower than Binpac?
  • Storage Framework Updates: Try it out and share your feedback
  • Package Updates
  • Get Involved

[TL;DR]

June brings progress on Zeek 8, a fresh bugfix release (7.2.1), and exciting new work in Spicy, the Storage Framework, and event metadata. We’re launching a Slack channel cleanup on June 6 and the Zeek Project Survey at the end of the month.

Plus, there are several places in this issue where we’re actively asking for your input – especially on the Storage Framework and the analyzer.log & dpd.log updates in the Development Highlights section. Have thoughts or suggestions? Just drop a comment directly on this post.


Don’t Miss This – Reminders for the Community

Slack Cleanup Coming June 6: We’re doing some light housekeeping in Slack this Friday, June 6. Expect an updated channel list, improved descriptions, and some reorganizing to make it easier to find what you need. Keep an eye on the #general channel for updates on Friday afternoon.

Zeek Project Survey Launching Soon: The 2025 Zeek Project Survey will launch at the end of June. Your input here will help guide development priorities, community initiatives, and more. It will be quick to fill out and will make a big difference – stay tuned for more information later this month.


Zeek Tip of the Month: Working with JSON input

Did you know that Zeek can ingest JSON content via the Input Framework? Find out more in the documentation.

Have a tip of your own?

We’re looking for tricks, shortcuts, or helpful techniques to feature in the newsletter. Let us know how you’re using Zeek – your tip might help someone else in the community.

Submit yours here.


Zeek Community Call Highlights

Thanks to those who tuned in and shared during yesterday’s monthly Community Call. We covered the journey from Zeek 6 to Zeek 8, which is coming this summer (slides here), what’s new in Spicy 1.13, and two specific features that Eldon Koyle, friend of Zeek, finds most exciting right now. It was also shared that the next full-day Zeek training will take place at the NSF Cybersecurity Summit in Boulder, CO in late October. More details to come!

If you couldn’t join the meeting live, the recording is available on our YouTube channel.

The next call is July 2 at 10am PT (1pm ET). Use this Zoom link to join. There’s no registration required, just drop in and join the conversation. See you there!


Development Updates

Work is underway on Zeek 8, with a number of changes landing or in progress that lay the groundwork for the next major release:

We’d love to hear your thoughts on these changes. Drop a comment below to share feedback, ask questions, or flag ideas for future work.


Core Feature Updates

Here’s a closer look at a few of the recent improvements mentioned above:

1 - Custom Event Metadata

Zeek’s core now supports adding custom metadata to remote events, not just the network timestamp. This gives developers more flexibility for diagnostics, monitoring, or other context-sharing across cluster nodes.

Currently, this feature is accessible via C++ plugins using a new HookPublishEvent() plugin hook. One example use case: tracking event latency by adding the sender’s wallclock time as metadata and generating histograms on the receiving node.

Documentation is in progress.

2 - Event Group Management for Intel Seen Scripts

Zeek now manages the performance impact of the frameworks/intel/seen scripts more efficiently. Thanks to new event group annotations and a manage-event-groups policy script, event handlers of the frameworks/intel/seen scripts are now only active when Intel indicators are actually in use.

This means you can load these scripts by default without unnecessary overhead (a win for performance-conscious deployments).

Note: If no indicators of a specific Intel::Type are loaded, the related event handlers (and the Intel::seen_policy hook) won’t run.
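As an added example (not part of the newsletter and not one of the Zeek project's own scripts), the script below ties the JSON tip earlier in this issue to the Intel event-group change: it reads indicators from a JSON-lines file through the Input Framework, inserts them into the Intel framework, and installs an Intel::seen_policy hook that, under the new event-group management, stays dormant until at least one indicator of a matching Intel::Type has been loaded. The file path, the sample JSON lines and the module name are constructed; the `use_json` reader config key and the reader's handling of enum values in JSON mode are assumptions to verify against the Input Framework documentation, as is the exact path of the manage-event-groups policy script.

```zeek
# Added example: feed Intel indicators from a JSON-lines file and observe
# the Intel::seen_policy hook. Not code from the newsletter or from Zeek itself.

@load base/frameworks/intel
@load base/frameworks/input
@load frameworks/intel/seen
# Assumed path for the new policy script the newsletter mentions;
# check the Zeek 8 documentation for the exact name before enabling it.
# @load frameworks/intel/seen/manage-event-groups

module IntelFromJson;

export {
	## Placeholder path (constructed). Each line of the file is one JSON object, e.g.:
	##   {"indicator": "198.51.100.7", "indicator_type": "Intel::ADDR", "source": "example-feed"}
	##   {"indicator": "bad.example",  "indicator_type": "Intel::DOMAIN", "source": "example-feed"}
	const indicator_file = "/path/to/indicators.json" &redef;

	## Field names must match the JSON keys; the enum is assumed to be
	## parsed from its fully qualified name, as the ASCII reader does for TSV.
	type Line: record {
		indicator: string;
		indicator_type: Intel::Type;
		source: string;
	};

	## Raised once per JSON line by the Input Framework.
	global line: event(desc: Input::EventDescription, tpe: Input::Event, l: Line);
}

event IntelFromJson::line(desc: Input::EventDescription, tpe: Input::Event, l: Line)
	{
	# Inserting the first indicator of a given Intel::Type is what activates
	# the corresponding frameworks/intel/seen handlers under event-group management.
	Intel::insert(Intel::Item($indicator=l$indicator,
	                          $indicator_type=l$indicator_type,
	                          $meta=Intel::MetaData($source=l$source)));
	}

event zeek_init()
	{
	Input::add_event([$source=indicator_file,
	                  $name="intel-json",
	                  $reader=Input::READER_ASCII,
	                  $fields=Line,
	                  $ev=IntelFromJson::line,
	                  # Assumption: "use_json" switches the ASCII reader to JSON-lines input.
	                  $config=table(["use_json"] = "T")]);
	}

event Input::end_of_data(name: string, source: string)
	{
	# One-shot load: detach the input stream after the file has been read.
	if ( name == "intel-json" )
		Input::remove(name);
	}

# Runs for each sighting handed to Intel::seen() by the seen scripts. With the
# event-group change described above, neither those handlers nor this hook run
# for a type until an indicator of that type exists. Breaking from a policy
# hook vetoes further processing of that sighting.
hook Intel::seen_policy(s: Intel::Seen, found: bool)
	{
	if ( ! found )
		return;

	# Example policy: ignore hits on hosts inside Site::local_nets to cut noise
	# from internal scanners; everything else proceeds to intel.log as usual.
	if ( s?$host && Site::is_local_addr(s$host) )
		break;
	}
```

Run it with `zeek -r trace.pcap intel-from-json.zeek` (file name constructed) after pointing `IntelFromJson::indicator_file` at a JSON-lines file; a sighting of one of the loaded indicators on a non-local host then appears in intel.log, while before the first Intel::insert of a type the hook simply never fires.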

3 - Help Shape the Storage Framework

Zeek’s new Storage Framework offers a more flexible, backend-agnostic way to store and access state across Zeek clusters, an improvement over hardcoded Broker stores. By abstracting the storage layer, it’s now easier to plug in different backends and tailor state management to your environment.

Please check it out and tell us what you think – your input will help guide next steps.

We’re especially looking for feedback on:

  • Ease of use: Is the script-level API intuitive?
  • Power vs. simplicity: Does it strike the right balance?
  • Documentation: Too light? Too heavy? Anything missing?
  • Backends: We’re considering adding support for NATS, PostgreSQL, and Memcached. What else should be on our radar?

Links:

Comment below with your feedback: Backend ideas, feature requests, or things that confused you. We’re eager to hear what you think!


From the Zeek Blog: Are Spicy parsers slower than Binpac parsers?

Zeek’s parser ecosystem is evolving, but does the newer, easier-to-use Spicy framework come at a performance cost? In this deep dive, @etyp compares Spicy and Binpac head-to-head, explores what makes Spicy powerful, and uncovers where performance gaps exist – and what can be done about them.

Read the full post to see the results and what’s next for parser performance in Zeek.


New to Zeek?

If you’re new to the project, start with the Zeek in Action video series for practical examples of how Zeek works. When you’re ready to roll up your sleeves, follow the Get Started guide in our documentation to set up Zeek.


Zeek Package Updates

Anyone in the Zeek community can write add-on functionality for Zeek via packages — see https://packages.zeek.org to browse them, and our zkg package manager documentation to get started.

Recently added or updated packages are always visible on GitHub directly, via the following search of pull requests to our package repository:

https://github.com/zeek/packages/pulls?q=is%3Apr+is%3Aclosed

The https://packages.zeek.org site reported the latest update:

Log Schema Support for Zeek

This Zeek package generates schemas for Zeek’s logs. For every log your Zeek installation produces (such as conn.log or tls.log) the schema describes each log field including name, type, docstring, and more.

https://github.com/zeek/logschema


Get Involved

Got ideas, feedback, or content for the newsletter? Send us a note at news@zeek.org or drop by the #news channel on Slack. Join Slack here.

Stay in the loop and connect with others in the Zeek community:

Want more insider updates? Check out the Leadership Team meeting notes.

And if you’re hunting for Zeek-related jobs, here’s a handy LinkedIn search.

Thanks for being part of the community. We’ll see you next time!


Don’t be shy! Let us know what you think about any of the items highlighted in this month’s newsletter by leaving a comment here.