We have Zeek running in our environment. It's pretty outdated with 3.1.4 version. What is the best way to upgrade ZEEK? Should I start it from scratch? Or, is it possible somehow to upgrade it from the current version?
TIA
Tried to search about it, didn't find any info.
The Zeek project doesn't currently provide official upgrade documentation, but the question has come up a few times in our Slack & Discourse. Here are a few tips:
The degree to which you need to get hands-on in the upgrade depends a lot on how much you customized your Zeek installation — for example, did you add local custom scripts, install packages via zkg, etc. The fewer customizations you applied in your 3.x setting, the less you need to do. If you have no such customizations (other than perhaps a local.zeek file and some zeekctl config files) there's a good chance you can simply move to a new release and get going.
For custom content you created or added, the following holds: the scripting language itself hasn't changed much in backward-incompatible ways, but the various APIs used by the language have. You can simply try to run your local setup and may see various error messages for APIs that have changed. These should hopefully be relatively obvious. It'll help to start with an unclusterized setup so you can iterate more quickly.
There's a definitive list of good-to-know changes in each release in our NEWS file. You should definitely read it.
There's no requirement to upgrade in certain version incremements. That is, if you don't care whether your setup works with any Zeek 4 versions, you can move straight to the version of your choice.
The most recent release lines to consider are 5.0, 5.2, and 6.0. 5.0.x is our most recent long-term support release train, and 5.2.x the most recent general feature release line. 6.0 just came out a few days ago and marks the start of our new LTS line, but is pretty new still.
For more specific questions I suggest you swing by the Zeek Slack, where we provide more detailed support than is feasible here. Links to our community channels are here.
