Releases: zeek/zeek-agent-v2

2.3.0

05 Jul 11:46
6662a2a

This release contains the following major changes:

  • Linux: Add eBPF-based processes_events and sockets_events
    tables. These remain experimental for now and may require further
    fine tuning.

  • macOS: Add processes_events and sockets_events tables. The
    former uses Endpoint Security, the latter a Network Extension.
    These remain experimental for now.

  • macOS: Add separate installer application and turn the agent into
    a system extension. The installer does three things: (1) it asks
    the system to install the extension persistently; (2) it interacts
    with the user through a small UI, including offering some basic
    configuration; and (3) it communicates with the running extension
    for configuration and status checks.

  • macOS: Distribute releases as pre-built DMG images that are signed and
    notarized.

  • Windows: Distribute releases as pre-built installer packages.

  • Windows: The build now uses vcpkg for dependencies.

  • Support attaching an interactive console to a running agent. To
    connect to an already running agent, execute zeek-agent -r on
    the same machine (note that client and server must be running as
    the same user, probably root).

  • Build without Broker by default. Broker support isn't needed
    anymore with Zeek >= 5.0. We now build without it by default. The
    pre-built binaries likewise no longer include Broker support.

For a detailed list of changes, see CHANGES.

2.2.0

05 Jul 10:18
6dc6f16
  • Port to Windows. (Binary build to come with next release.)

  • GH-25: Add files_columns table that extracts selected columns
    from on-disk files and sends them over to Zeek as a record. See
    the README for documentation.

  • GH-7: Extend the type system for table columns. We can now
    represent addresses, booleans, counts, intervals, ports, records,
    sets, times, and vectors end-to-end, so that they arrive as such
    at Zeek. We also update our tables to use the new types where
    appropriate.

  • GH-34: Disable communication with a Zeek instance if its package
    version is too old.

  • Add a second 'differences' mode to queries where no initial snapshot
    is provided. We now have (1) "snapshot-and-diffs", which sends an
    initial snapshot first, followed by diffs; and (2) "diffs", which
    sends an empty initial result and then just diffs.

  • Add WebSocket transport layer compatible with Zeek 5.0. We now try
    both Broker and WebSocket when connecting to Zeek. The former will
    work with Zeek 4.0, the latter with Zeek 5.0.

  • Add Broker version to agent handshake.

  • Support default values for table parameters.

  • Make an exception available to tables' data acquisition methods to signal failure.

  • Move numerical version number computation from CMake to runtime.

  • Fix deadlock in scheduler.

  • Fix potential dereference of unset optional.

  • Fix usage message.

  • Fix assert that could wrongly trigger.

  • Fix console getting stuck on queries with errors, and reduce
    unintended latency until query executes.

  • Fix CI issue on Ubuntu.

  • Fix potential deadlock in unit test.

  • Fix trace-level debug logging.

  • Fix linker issue on Linux.

  • Make --test output available on failure in BTest suite.

  • Clean up unused state in Zeek communication code.

  • Format Zeek scripts with current zeek-format.

  • Update SQLite to 3.38.1 to give us built-in JSON support.

  • Update stduuid module.
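The two differential query modes listed above ("snapshot-and-diffs" and "diffs") are easy to confuse, so here is a small simulation of their semantics. This is an added illustration, not code from zeek-agent; it assumes that in "diffs" mode the first result is empty and every later result is computed against the previous snapshot, so rows already present at query start are never reported as added. The process listing it runs over is constructed for the example.

```python
from dataclasses import dataclass

# A table row is a tuple of column values, e.g. (pid, name).
Row = tuple

MODES = ("snapshot-and-diffs", "diffs")


@dataclass
class Result:
    """One result delivered to Zeek for a differential query."""
    added: list
    removed: list


def run_query(snapshots, mode):
    """Turn a sequence of table snapshots into the sequence of results a
    differential query would deliver in the given mode.

    snapshot-and-diffs: the first result carries the full initial table as
    'added' rows; each following result carries only the rows that appeared
    or disappeared since the previous snapshot.
    diffs: the first result is empty; diffs follow exactly as above.
    (Semantics as assumed for this example, not verified against the agent.)
    """
    if mode not in MODES:
        raise ValueError(f"unknown differential mode: {mode!r}")

    results = []
    previous = None
    for snap in snapshots:
        current = set(snap)
        if previous is None:
            # First snapshot: mode decides whether the initial state is sent.
            initial = sorted(current) if mode == "snapshot-and-diffs" else []
            results.append(Result(added=initial, removed=[]))
        else:
            # Rows that went away must be reported too, not just new ones.
            results.append(Result(added=sorted(current - previous),
                                  removed=sorted(previous - current)))
        previous = current
    return results


def constructed_snapshots():
    """Three successive (pid, name) snapshots of a hypothetical process table:
    a process starts in the second snapshot and another exits in the third."""
    return [
        [(1, "init"), (42, "sshd")],
        [(1, "init"), (42, "sshd"), (77, "nc")],
        [(1, "init"), (77, "nc")],
    ]


if __name__ == "__main__":
    for mode in MODES:
        print(f"mode={mode}")
        for i, r in enumerate(run_query(constructed_snapshots(), mode)):
            print(f"  result {i}: added={r.added} removed={r.removed}")
```

In "snapshot-and-diffs" mode Zeek learns about the already running sshd in the first result; in "diffs" mode it only ever hears about the process that started and the one that exited, which is the right choice when the Zeek side is only interested in changes and not in the baseline.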

2.1.0

29 Mar 12:19
3803847
  • GH-25: Add files_columns table that extracts selected columns
    from on-disk files and sends them over to Zeek as a record. See
    the README for documentation.

  • GH-7: Extend the type system for table columns. We can now
    represent addresses, booleans, counts, intervals, ports, records,
    sets, times, and vectors end-to-end, so that they arrive as such
    at Zeek. We also update our tables to use the new types where
    appropriate.

  • GH-34: Disable communication with a Zeek instance if its package
    version is too old.

  • Add a second 'differences' mode to queries where no initial snapshot
    is provided. We now have (1) "snapshot-and-diffs", which sends an
    initial snapshot first, followed by diffs; and (2) "diffs", which
    sends an empty initial result and then just diffs.

  • Move numerical version number computation from CMake to runtime.

  • Update SQLite to 3.38.1 to give us built-in JSON support.

  • Add Broker version to agent handshake.

  • Support default values for table parameters.

  • Make an exception available to tables' data acquisition methods to signal failure.

  • Fix assert that could wrongly trigger.

  • Fix console getting stuck on queries with errors, and reduce
    unintended latency until query executes.

  • Fix CI issue on Ubuntu.

  • Fix potential deadlock in unit test.

  • Fix trace-level debug logging.

  • Fix linker issue on Linux.

  • Make --test output available on failure in BTest suite.

  • Clean up unused state in Zeek communication code.

  • Format Zeek scripts with current zeek-format.

2.0.4

04 Mar 16:10
  • Add new log options. In the configuration file we now provide more
    control of log messages:

    [log]
    type=<stdout|system|file>
    level=<error|warn|info|debug|trace>
    path=<path for type 'file'>

    Default remains logging to stdout at level INFO.

  • Fine-tune log levels. We elevate some high-level messages to INFO
    level that can be useful to users, and we move some noisy debug
    messages to TRACE level (which is available only in debug builds).

  • Expose Broker's SSL options in configuration file. This also moves
    all Zeek options into a [zeek] section of the configuration
    file.

  • Link against standard version of OpenSSL by default. So far we
    hardcoded always using the static OpenSSL libraries. Now that's
    done only when configured with --enable-static; otherwise
    we use whatever CMake determines to be the default.

  • Fix column type in files_lines table.

  • Fix enforcement of maximum idle timeout.

  • Add missing include to appease GCC 11.2.1.

  • Update toml++.

2.0.3

22 Feb 13:21
  • Adapt to package's new default listening port.

  • Fix problem with column caching.

2.0.2

21 Feb 15:58
  • Push all asynchronous activity to the main thread to avoid most
    inter-thread locking.

  • Fix configure's --sanitizer argument.

  • In .schema output, break out table parameters separately.

2.0.1

21 Feb 14:57
  • Add a test build of the source code tarball to CI.

  • Extend query API to allow specifying tables that must/must not be
    present. Agents will ignore queries not meeting expectations.

  • Extract version information from Zeek's hello message.

  • Adapt to changes to options in the Zeek package.

  • Fix differential queries returning empty removed rows.

  • Fix time filtering for differential queries.

  • Fix double table deactivation.

  • Guard against an error case in Darwin system logs collector.

v2.0.0

15 Feb 15:26
a4f9ee9
  • Initial release.