Releases: brimdata/zui
v0.25.0
Visit the Brim Download page to find the package for your OS platform.
As you can see below, there've been many changes since the last Brim GA release! Highlights include:
- The storage used by Brim to hold your logs is now a Zed lake. Though the introduction of Zed lakes causes no immediate change to your favorite Brim workflows, they unlock powerful new functionality that will be revealed in Brim going forward, including Git-like branching. See the Zed lake README for details.
- Enhancements have been made to the Zed language to unify search and expression syntax, introduce new operators and functions for data exploration and shaping, and more! Review the Zed language docs for details.
- pcap processing is now handled by a separate, new component called Brimcap. Your favorite pcap workflows in Brim have not changed, but Brimcap also opens up new flexible custom configurations and can be used as a standalone tool. For more info, check out the Brimcap README and wiki.
Among the many detailed changes listed below, there are a few big ones in particular we'd like to bring to your attention first.
- You will be prompted upon first launch of Brim v0.25.0 to allow auto-migration of saved data from your v0.24.0 Spaces to pools in Zed lakes. See the Space Migration article in the Brim wiki for details.
- Brim v0.25.0 includes a new installer that will make upgrades to future versions more seamless. However, when making the jump from v0.24.0 to the newer release:
  - Windows users will not be prompted to auto-update as they were in the past. Windows users will also have to manually uninstall the old release before v0.25.0 will start. Auto-update notifications for Windows will resume on the next release. See the Installation article on the Brim wiki for details.
  - Linux users of RPM packages (such as for Red Hat-style distributions) will need to uninstall the older v0.24.0 release before the RPM package for v0.25.0 will successfully install. See the Linux RPM Upgrade article in the Brim wiki for details.
Note that a Brim uninstall does not disturb the data you've saved in the app. See the Filesystem Paths article in the Brim wiki for details of how Brim stores user data separately from app binaries.
- When upgrading to v0.25.0, the pre-installed entries in the Query Library are auto-updated to adapt to new Zed language syntax. However, if you've saved custom entries to the Query Library, you'll need to change these yourself. Some key changes include: `=` is now used for assignment, `==` for equality comparisons, and string values must now be quoted in field/value matches.
The exhaustive set of changes is listed below. Come talk to us on Slack if you have additional questions.
- Update Zed to v0.30.0
- Make the toolbar "responsive" such that buttons hide when the window is made small (#1416, #1553)
- Add a Troubleshooting wiki entry for the case when Brim shows "Connection Error: The service at localhost:9867 could not be reached" (#1448, #1491)
- Fix an issue where the "Back" button in the Log Detail view was not returning to the previously-viewed record (#1447)
- Upgrade Electron dependency to 11.2.1 (#1426)
- Add wiki cookbooks for use of Zed `join` in Brim for releases v0.24.0 and v0.25.0+ (#1430, #1729)
- Improve the error messages shown when imports fail (#1467)
- Fix an issue where the Log Detail pane would crash when certain named fields were missing from the target record (#1494)
- Use URLs to keep track of routing and tab history, which allows for direct edits of pinned items (#1473, #1649)
- Fix an issue where deleting a Space that was shown in the active tab would cause a crash (#1527)
- Fix an issue where navigating to a workspace that does not exist would cause a crash (#1533)
- Commas are now stripped when a numeric value is copied into the paste buffer via right-click Copy (#1535)
- Adjust the guidance on the Import Files page and add a wiki article with more detail (#1548, #1625, #1626, #1635)
- Brim is now packaged using electron-builder, which streamlines installation and auto-update (#1508)
- Fix an issue where importing an NDJSON record containing an empty object caused a "Cannot read property 'map' of null" pop-up error (#1581)
- Remove the legacy approach for applying Zed types to NDJSON input, as this is now done via Zed shapers (docs) (#1580, #1582)
- Brim now invokes Brimcap to generate logs from imported pcaps and to extract flows when Packets is clicked, rather than relying on `zqd` (#1584, #1573, #1591, #1590, #1598, #1614, #1617, #1637, #1651, #1664, #1668, #1705, #1731, #1735, #1748, #1747, #1781, #1789, #1810, #1816, #1829, #1833)
- Use pools in Zed lakes for backend storage rather than Spaces (#1589, #1601, #1633, #1676, #1696, #1710, #1712, #1772, #1822)
- Implement the full Zed type system in JavaScript, which allows for improved presentation of array and set types, and also fixes an issue where named types were rejected at import (#1603, #1623, #1663, #1732)
- Offer the option to migrate Spaces to pools when new Brim launches (wiki article) (#1621, #1587, #1636, #1641, #1640, #1657, #1671, #1682, #1762)
- Automatically append `| fuse` to the Zed pipeline if the user is exporting data in CSV format (#1622)
- Notify a Windows user if they've launched new Brim while old Brim is still installed (#1627, #1751)
- Update default Query Library entries to reflect newer Zed language syntax (#1489, #1645)
- Fix an issue where timestamps in Log Detail were not displayed with full precision and did not reflect current Preferences settings (#1643)
- Fix an issue where selecting File > New Window on a freshly-installed app triggered a crash (#1654)
- Show Release Notes for the currently-installed Brim version in a tab (#1655, #1670, #1679, #1680)
- Add a wiki article to inform Linux RPM users that their old Brim will need to be manually uninstalled before the new Brim will install (#1683)
- Fix an issue where viewing Suricata alerts in Brim could trigger a "TypeError: Cannot read property 'startsWith' of undefined" error (#1706)
- Ensure pool updates made from outside the app are reflected automatically in Brim (#1702, #1709, #1711, #1713, #1722, #1733, #1734)
- The Brim wiki now has articles for changes specific to the v0.25.0 release, with parallel articles remaining for older Brim where functionality has changed significantly (#1723)
- Update the Code Base Walkthrough wiki article to reflect recent changes to where code lives in the repo (#1738)
- Preferences now has settings for a "thousands separator" and "decimal" that allow changing from the `,` and `.` defaults or removing them entirely (#1740, #1765)
- Fix issues where error messages from failed imports were not being fully surfaced (#1760, #1786)
- Zed `type` values that are output in Brim are no longer wrapped with parentheses (#1757)
- Hovering over a field value now displays the Zed data type in a tooltip (#1766)
- Fix an issue where selecting a range from the time span pull-down caused a crash with unshaped data (#1777)
- On macOS, if all Brim windows are closed but the app is still running, clicking the Brim icon in the Dock now opens a new window (#1782)
- Fix an issue where numbers were being incorrectly output in scientific notation (#1787)
- Fix a memory leak that occurred during large data imports (#1793)
- Due to the deprecation of Spaces, the Data Directory setting has been removed from Preferences (#1794)
- Fix an issue where Zed type definition values could not be copied into the paste buffer (#1796)
- Add a new section to the Filesystem Paths wiki article to describe how Brim and Zed use temporary storage (#1801)
- Fix an issue where "Kill search" was not halting a search in progress (#1814)
- Windows releases are signed, but you may see a warning popup when you run the installer (unlike our Mac/Linux releases). See Microsoft Windows beta limitations for details.
v0.24.0
Visit the Brim Download page to find the package for your OS platform.
- Update zq to v0.29.0
- Consolidate the colors used in Brim (#1405)
- Fix an issue where the arrows in the sidebar were incorrectly pointed (#1414)
- Add a wiki doc and script showing how to transfer contents of the Query Library (#1415)
- Fix an issue where data exports continued long after the "Exporting..." pop-up went away (#1424)
- Hide the archive index search dropdown (#1417)
- Fix an issue where invoking a right-click "Whois" lookup in a Log Detail window caused a stack dump (#1418)
- Windows releases are signed, but you may see a warning popup when you run the installer (unlike our Mac/Linux releases). See Microsoft Windows beta limitations for details.
v0.23.0
Visit the Brim Download page to find the package for your OS platform.
NOTE - Beginning with this release, a subset of the source code in the github.com/brimsec/brim GitHub repository is covered by a source-available style license, the Polyform Perimeter License (PPL). We've moved the PPL-covered code under a `ppl/` directory in the repository. The majority of our source code retains the existing BSD-3-Clause license.
The overwhelming majority of Brim users and developers will not be impacted by this change, including those using Brim in commercial settings. The use of the source-available Polyform Perimeter license prevents use cases like marketing a work as a replacement for the Brim desktop application while using material covered under the PPL.
In general, we are making this change to ensure technology giants can't use the PPL-covered code to make replacement offerings of our projects. We believe users and developers should have access to the source code for our projects, and we need a sustainable business model to continue funding our work. Using the source-available Polyform Perimeter license on portions of the source code lets us realize both.
For more detail regarding licensing, see the CONTRIBUTING.md doc, and feel free to come talk to us on Slack if you have additional questions.
NOTICE for users who have added custom entries to their Query Library:
We've become aware of an issue in Brim v0.22.0 where custom entries in the Query Library will not be saved if you quit by closing all your Brim windows (i.e. hitting the "X" in the upper-right of the window on Windows/Linux, or clicking the "red stoplights" on macOS). They are saved if you quit via the pull-down menu (File > Exit on Windows/Linux, Brim > Quit Brim on macOS). Therefore, when closing Brim in prep for the v0.23.0 upgrade, make sure you quit via pull-down menu. When you're prompted to auto-update to v0.23.0 on Windows/macOS, select the option to Restart Later so that way you can quit via pull-down menu. We've fixed these issues so it should not be a problem in v0.23.0 and going forward. Sorry for the inconvenience!
- Update zq to v0.28.0
- Revise the Troubleshooting doc to describe the use of the Window > Reset State pull-down menu option (#1350)
- Fix an issue where scrolling to the bottom of the main window did not bring up additional events (#1348)
- Fix an issue with inconsistently-created pinned items in the History panel (#1349)
- Adjust the configuration for log generation in the embedded `zqd` (#1353)
- Fix an issue where "Restart Required" notifications in the Preferences screen were not fully visible (#1368)
- Fix an issue where results in the "MD5 correlation" visualization were not being updated after event tiles were clicked (#1369)
- Disable the creation of macOS filesystem tags during Export operations (#1370)
- Fix issues where Query Library entries were being lost when exiting/relaunching Brim (#1366, #1387)
- Add a right-click option to Copy field contents into the paste buffer (#1367, #1381)
- A "Connection" (such as to a remote `zqd`) is now known as a "Workspace" (#1372)
- Revise the Troubleshooting doc with more detail regarding failures to open flows from pcaps (#1380)
- Windows releases are signed, but you may see a warning popup when you run the installer (unlike our Mac/Linux releases). See Microsoft Windows beta limitations for details.
v0.22.0
Visit the Brim Download page to find the package for your OS platform.
- Add a customizable "Query Library" panel of clickable Z queries for working with Zeek and Suricata logs (#1272)
- Add the `source` field to the JSON typing config to prepare for Zeek v4.x `weird` events (#1307)
- Allow the export of query results in NDJSON and CSV formats (#1302, #1328)
- Add a correlation visualization in the Log Detail view for pivoting from a Suricata alert back to related Zeek `conn` events (#1310)
- Re-style the Log Detail panel and window (#1310)
- Ensure `_path` and `event_type` fields are always displayed directly to the right of the `ts` timestamp field (#1339)
- Pull-down menu option Window > Reset State now clears app state after user confirmation (#1338)
- Update zq to v0.27.1 (follow that link for details of additional changes that may affect Brim)
- Windows releases are signed, but you may see a warning popup when you run the installer (unlike our Mac/Linux releases). See Microsoft Windows beta limitations for details.
v0.21.1
Visit the Brim Download page to find the package for your OS platform.
- Update zq to v0.26.0, which fixes an issue that was causing pcap import failures, and also delivers other enhancements
- Windows releases are signed, but you may see a warning popup when you run the installer (unlike our Mac/Linux releases). See Microsoft Windows beta limitations for details.
v0.21.0
Visit the Brim Download page to find the package for your OS platform.
NOTE - The Brim v0.21.0 release includes initial support for the automatic generation of Suricata alerts from imported pcaps. The alert records may be isolated via a ZQL search `event_type=alert` and are also included automatically alongside relevant Zeek event context in the correlation visualization in the Log Detail view. The Suricata build that's packaged with Brim uses the Emerging Threats Open ruleset, and Brim triggers a download of the most recent set of these rules each time it is launched.
There are two known issues found during testing that may be bugs in Suricata that impact the correctness of the alerts seen in Brim:
- When run on a system under heavy load, Suricata has sometimes been observed to generate fewer alerts than expected (or none at all) for a given pcap.
- Alerts may be generated with timestamps that are seconds/minutes further into the future beyond the end of the time range of the flow that triggered them.
These issues are still being investigated and more information will be provided as they're better understood. More Suricata-related functionality is also planned in upcoming releases. For now, please contact us on Slack or open an issue if you have any questions or problems with the new Suricata support, including incidents of the issues described above.
- Update zq to v0.25.0
- Add Suricata support to generate alerts from imported pcaps (#1207)
- Include Suricata alerts in the correlation visualization in the Log Detail view (#1262)
- Update the Supported Platforms article with detail from recent testing (#1267, #1273)
- Add a wiki doc with details for using Brim with a remote `zqd` (#1222, #1252)
- Add a wiki doc with basic Brim installation guidance (#1253, #1260)
- Add a "Sectional" package in the code that allows a view to be split (#1247)
- Add a "Tree list" package in the code for working with lists (rendering, drag & drop, etc.) (#1254)
- Fix an issue where Brim would freeze during zoom-in/zoom-out (#1275)
- Fix an issue where autoupdate would install releases with version numbers "older" than the number of the one currently installed (#1244)
- Fix an issue where the Space list would come up empty and Space details would show "NAN UNDEFINED" after a Brim restart (#1283, #1288)
- Fix an issue on Windows where clicking records generated from an imported pcap produced error messages (#1287)
- Windows releases are signed, but you may see a warning popup when you run the installer (unlike our Mac/Linux releases). See Microsoft Windows beta limitations for details.
v0.20.0
Visit the Brim Download page to find the package for your OS platform.
- Update zq to v0.24.0
- Begin bundling the same Zeek artifact referenced in zq's `package.json` (#1215)
- Support log imports over the network, such as to a remote `zqd` (#1195, #1228)
- Fix an issue where an excess "Space does not exist" message was shown when clicking Retry after a `zqd` restart (#1200)
- Improve the error message for failed attempts to import pcaps (#1235)
- Allow removal of remote Connection configs (#1226)
- Fix an issue where importing logs containing `null` values for nested records caused a crash (#1241)
- Add scaffolding for a future Query Library feature (#1239)
- Fix an issue where Brim sometimes failed to load on remote VM sessions (#1248)
- Windows releases are signed, but you may see a warning popup when you run the installer (unlike our Mac/Linux releases). See Microsoft Windows beta limitations for details.
v0.19.0
Visit the Brim Download page to find the package for your OS platform.
- NOTE - Due to the ZNG storage format change described in the zq v0.23.0 release notes, when you first launch the new version of Brim, a one-time bulk background update of the stored data for all of your existing Spaces will automatically begin. If you click to access a Space while migration is in progress, an animated "spinner" will be visible in the right of the Search bar. Once migration is complete for a Space, the bar chart will be filled in and the first splash of events will be shown and you can begin working with your Space as usual.
- Update zq to v0.23.0
- Update Zeek to v3.2.1-brim4 which provides Community ID generation and the latest geolocation data (#1202)
- Binaries for `pcap`, `zapi`, and `zar` are now bundled with Brim (#1098)
- Fix an issue where Brim presented a blank white screen when it failed to initialize (#1035)
- Improve how Brim handles ZJSON responses from `zqd` (#1108)
- Upgrade to Electron v10.1.4 and WebdriverIO v6.6.7 (#1106, #1159)
- Fix an issue where accidental non-NDJSON data in an NDJSON response stream resulted in confusing error messages (#1111)
- Ensure pcap import warnings are presented to the user (#1112)
- Add an "Import complete" pop-up notification (#1134, #1185)
- Fix an issue where "Pivot to logs" was grayed out when right-clicking on an entry containing a dotted record field (#1142)
- Fix an issue where pinned entries in the History panel were sometimes inconsistently created (#1143)
- Add a "Move to Current Display" option on Windows to move Brim windows from an inaccessible external display (#1148, #1158, #1164)
- Fix an issue where executing rapid-fire queries caused excess disruptive "The user aborted a request" notifications (#1155)
- Fix an issue where launching Brim with config pointing to an inaccessible remote `zqd` caused a blank white screen (#1150, #1163)
- Allow for naming remote connections and editing their settings (#1157, #1167)
- Fix an issue where a Space couldn't be deleted if `zqd` went down during data import (#1146)
- Improve presentation of modals, such as Debug Query (#1171, #1184, #1175)
- Fix an issue on macOS where clicking the Brim dock icon opened additional windows (#1189)
- Fix an issue where opening the Log Detail window caused the main window to spin (#1196)
- Fix an issue on Windows where closing the last Brim window left lingering processes and Brim unable to start afterwards (#1205)
- Windows releases are signed, but you may see a warning popup when you run the installer (unlike our Mac/Linux releases). See Microsoft Windows beta limitations for details.
v0.18.0
Visit the Brim Download page to find the package for your OS platform.
- Update zq to v0.22.0
- Update Zeek to v3.2.0-dev-brim10 to take advantage of latest geolocation data (#1096)
- Move the code base from Flow to TypeScript (#1075)
- Point to new Slack community URL https://www.brimsecurity.com/join-slack/ (#1089)
- Show a spinner if there are delays closing the "new connection" modal (#1084)
- Add a right-click option to delete all Spaces (#1078)
- Organize History entries by unique Space/Connection combination (#1078)
- Fix an issue where closing Brim after having searched a remote Space caused a "Space does not exist" error when Brim was relaunched (#1091)
- Windows releases are signed, but you may see a warning popup when you run the installer (unlike our Mac/Linux releases). See Microsoft Windows beta limitations for details.
v0.17.0
Visit the Brim Download page to find the package for your OS platform.
- Update zq to v0.21.0
- Update Zeek to v3.2.0-dev-brim9 to take advantage of latest geolocation data (#1071)
- Fix an issue where abruptly killing Brim on Linux or macOS would leave behind an orphaned `zqd` process (#1031)
- Add an option for executing index searches on Archive Spaces (#1024)
- Fix an issue where right-clicking to delete a Space when the Brim window was not in focus caused an "Uncaught TypeError" (#1066)
- Enable import of nanosecond pcap files (#1069)
- Windows releases are signed, but you may see a warning popup when you run the installer (unlike our Mac/Linux releases). See Microsoft Windows beta limitations for details.