Welcome to the Zeek Newsletter
In this Issue:
TL;DR: Zeek 8.2 and 8.0.8 are releasing next week with documentation redesign and bug fixes. Berkeley workshop (Sept 10-11) CFP is open, and new blogs + videos from Fatema, Johanna, and Evan are live.
Community News & Reminders
- Berkeley Workshop: Last week we announced the next Zeek workshop, which will take place September 10-11 at the David Brower Center in Berkeley, CA. The call for presentations is now open. You can find details about the workshop here.
- Community Call Recap: Yesterday we covered 8.2 release timing, the documentation redesign, and more. Watch the recording on our YouTube channel. The next call is June 4 at 10am PT – use this Zoom link to join.
- New Blogs and Videos: Fatema wrote Revisiting Weird-ness: Investigating DNS NOTIFY at Scale and Johanna wrote How to Write Zeek Logs in JSON & TSV Simultaneously. Evan also published a new video tutorial, Building a Custom Detection with Zeek and Spicy.
- Topic of the Month: Last week we wrapped up April’s topic, “How Do You Keep Zeek Running?”; you can find the recap of the conversation here. This month’s topic is “Sensor Placement” – join us on Slack to discuss!
Development Updates
Zeek 8.2 and Zeek 8.0.8 are releasing next week. The team pushed the 8.2 release back one week to allow additional testing time, and both releases are now ready for deployment. Binary packages will follow shortly after the source releases. The 8.0.8 patch release brings bug fixes and security fixes to the LTS line. As with all of our feature releases, an 8.2 announcement blog post will accompany the launch with full details.
Alongside the releases, the documentation is receiving a major structural overhaul. The new organization includes additional tutorials and improved navigation, making it easier for both new and experienced users to find what they need. You can preview the changes now by viewing the 8.2 RC1 documentation on the docs site.
The team is currently migrating from Cirrus CI to a new continuous integration provider. While Cirrus CI is shutting down, the transition presents an opportunity to move to a more reliable and efficient platform. The migration has been a significant distraction but should result in a better development experience going forward.
Feedback on the 8.2 release candidate is still welcome, even this close to launch. The team is particularly interested in reports about second-level effects that appear during extended runs or in customized environments, including changes in memory usage, packet loss, or log output behavior.
The Zeek project’s AI contribution policy is nearly finalized, with the leadership team working through final wording choices to ensure clarity and community alignment.
As always, follow development progress on GitHub to stay current with the latest changes.
Zeek Techniques
The misc/dump-events.zeek script writes Zeek events to standard output in real time. This tracing can help you understand which events fire, when they do so, in which order, and with what arguments.
The script includes various tuning knobs to control the output:
$ zeek -Cr http.pcap misc/dump-events DumpEvents::include_args=F DumpEvents::include=/http.*entity/ DumpEvents::dump_all_events=T
1596519557.155703 http_begin_entity
1596519557.155754 http_begin_entity
1596519557.155754 http_end_entity
1596519557.155754 http_end_entity
It supports JSON lines output, too, which can be handy for digging into the arguments:
$ zeek -Cr http.pcap misc/dump-events DumpEvents::use_json=T DumpEvents::include=/connection/ | jq
{
  "ts": 1596519557.155484,
  "event": "new_connection",
  "args": {
    "c": {
      "id": {
        "orig_h": "127.0.0.1",
        "orig_p": {
          "port": 45376,
          "proto": "tcp"
        },
        "resp_h": "127.0.0.1",
        "resp_p": {
          "port": 8000,
          "proto": "tcp"
        },
        "proto": 6,
        "ctx": {}
      },
Check out our documentation to explore further: policy/misc/dump-events.zeek — Book of Zeek (8.1.2)
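As an added example (not part of the newsletter or the Zeek project's own code), here is a small Python reader for the JSON-lines output that DumpEvents::use_json=T produces. It assumes the record shape shown above (a "ts", an "event" name and an "args" object whose connection argument "c" carries an "id" with orig_h/orig_p/resp_h/resp_p), counts how often each event fires, skips non-JSON lines, and groups events per connection with their offset from that connection's first event. The sample records are constructed inline to mirror the http.pcap output above, not captured from a real run.

```python
"""Summarize JSON-lines output from Zeek's misc/dump-events script (DumpEvents::use_json=T)."""
import json
from collections import Counter, defaultdict


def _sample_record(ts, event, orig_p, resp_p, **extra_args):
    """Build one constructed dump-events record in the shape shown by use_json=T."""
    conn = {
        "id": {
            "orig_h": "127.0.0.1",
            "orig_p": {"port": orig_p, "proto": "tcp"},
            "resp_h": "127.0.0.1",
            "resp_p": {"port": resp_p, "proto": "tcp"},
        },
        "proto": 6,
        "ctx": {},
    }
    return json.dumps({"ts": ts, "event": event, "args": {"c": conn, **extra_args}})


# Constructed sample output: one HTTP connection plus a second connection,
# with a stray non-JSON line mixed in to show that the reader tolerates it.
SAMPLE_LINES = [
    _sample_record(1596519557.155484, "new_connection", 45376, 8000),
    _sample_record(1596519557.155703, "http_begin_entity", 45376, 8000, is_orig=True),
    _sample_record(1596519557.155754, "http_begin_entity", 45376, 8000, is_orig=False),
    _sample_record(1596519557.155754, "http_end_entity", 45376, 8000, is_orig=True),
    _sample_record(1596519557.155754, "http_end_entity", 45376, 8000, is_orig=False),
    "# not JSON: a stray diagnostic line that a robust reader must skip",
    _sample_record(1596519557.200000, "new_connection", 45380, 8000),
    _sample_record(1596519557.300000, "connection_state_remove", 45376, 8000),
]


def parse_event_lines(lines):
    """Yield (ts, event, args) for each well-formed record; silently skip anything else."""
    for line in lines:
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if "ts" not in rec or "event" not in rec:
            continue
        yield rec["ts"], rec["event"], rec.get("args", {})


def conn_key(args):
    """Return 'orig_h:orig_p -> resp_h:resp_p' from the 'c' argument, or None if absent."""
    cid = args.get("c", {}).get("id")
    if not cid:
        return None
    return "%s:%s -> %s:%s" % (
        cid["orig_h"], cid["orig_p"]["port"], cid["resp_h"], cid["resp_p"]["port"])


def count_events(lines):
    """How many times each event name fired across the trace."""
    return Counter(event for _, event, _ in parse_event_lines(lines))


def timeline_by_connection(lines):
    """Per connection, the events in time order with seconds elapsed since its first event."""
    per_conn = defaultdict(list)
    # sorted() is stable, so records sharing a timestamp keep their original order
    for ts, event, args in sorted(parse_event_lines(lines), key=lambda r: r[0]):
        key = conn_key(args)
        if key is None:
            continue
        per_conn[key].append((ts, event))
    return {
        key: [(round(ts - evts[0][0], 6), event) for ts, event in evts]
        for key, evts in per_conn.items()
    }


if __name__ == "__main__":
    for name, n in count_events(SAMPLE_LINES).most_common():
        print("%-28s %d" % (name, n))
    for key, evts in timeline_by_connection(SAMPLE_LINES).items():
        print(key)
        for offset, event in evts:
            print("  +%.6f  %s" % (offset, event))
```

To use it on a real capture, replace SAMPLE_LINES with the lines of `zeek -Cr http.pcap misc/dump-events DumpEvents::use_json=T` (for example by reading sys.stdin); the per-connection timeline is the quickest way to see event ordering and gaps when comparing a customized deployment against a stock one.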
Share your tricks, shortcuts, or techniques with us using this form.
Packages
Anyone in the community can write add-on functionality for Zeek via packages.
- Browse Zeek packages: https://packages.zeek.org
- Head to our zkg package manager documentation to get started on your own
- Questions? Check out #package-sharing to get help
Recently added or updated packages are always visible on GitHub directly, via the following search of pull requests to our package repository:
https://github.com/zeek/packages/pulls?q=is%3Apr+is%3Aclosed
Recent updates:
Get Involved
- Share ideas or content: news@zeek.org or #security-news on Slack.
- Stay connected: Discourse • YouTube • Mastodon • Bluesky • LinkedIn
- Check out Leadership Team meeting notes for insider updates.
- Looking for Zeek jobs? See openings on LinkedIn.
Thanks for being part of the community. We’ll see you next time!
