Filebeat Zeek module doesn’t add ECS fields to zeek logs

Hi all,

I followed the official documentation and I’ve changed zeek’s output to JSON logs, but somehow the zeek module from Filebeat doesn’t enrich data with ECS fields. Filebeat sends the logs, but without adding the extra fields as per ECS and its GitHub code. Just to give you an example, there is no event.dataset or source.ip etc.

I’ve enabled the zeek module with sudo filebeat modules enable zeek and added the log paths to zeek.yml, but the extra fields were not added. I used this blog post: Collecting and analyzing Zeek data with Elastic Security | Elastic Blog

The fields are called zeek.id.orig_h and not zeek.connection.id.orig_h as per your docs. How can I solve this?

Thank you!
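A quick way to tell whether exported events went through the module pipeline or arrived raw, as the post describes. This is an added example for this thread, not Elastic's or the Filebeat module's own code; it assumes the documents are the `_source` objects Elasticsearch returns for Filebeat events, and that a module-processed connection event carries at least event.dataset, source.ip, destination.ip and zeek.connection.id.orig_h.

```python
"""Audit Filebeat/Zeek events for the ECS fields the zeek module should add."""
import json

# Fields the thread reports as missing when the module did not process the event.
# Assumption: these are present on a zeek.connection event after module parsing.
EXPECTED_BY_DATASET = {
    "zeek.connection": ["event.dataset", "source.ip", "destination.ip",
                        "zeek.connection.id.orig_h"],
}


def get_path(doc, dotted):
    """Resolve 'a.b.c' against nested dicts; a flat 'a.b.c' key is also accepted."""
    if dotted in doc:
        return doc[dotted]
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def missing_ecs_fields(doc, dataset="zeek.connection"):
    """Return the expected ECS/module fields that are absent from doc."""
    return [f for f in EXPECTED_BY_DATASET[dataset] if get_path(doc, f) is None]


def looks_unparsed(doc):
    """True when Zeek's raw keys sit under zeek.* without the dataset prefix,
    i.e. zeek.id.orig_h instead of zeek.connection.id.orig_h as in the thread."""
    return (get_path(doc, "zeek.id.orig_h") is not None
            and get_path(doc, "zeek.connection.id.orig_h") is None)


def audit_ndjson(text, dataset="zeek.connection"):
    """Count events in an NDJSON export (one _source per line) lacking ECS fields."""
    docs = [json.loads(line) for line in text.splitlines() if line.strip()]
    bad = [d for d in docs if missing_ecs_fields(d, dataset)]
    return {"total": len(docs), "unenriched": len(bad),
            "raw_zeek_keys": sum(looks_unparsed(d) for d in bad)}


# Constructed sample documents: one module-processed event, one raw event.
ENRICHED = {"event": {"dataset": "zeek.connection"},
            "source": {"ip": "10.0.0.5"}, "destination": {"ip": "192.0.2.10"},
            "zeek": {"connection": {"id": {"orig_h": "10.0.0.5"}}}}
UNENRICHED = {"zeek": {"id": {"orig_h": "10.0.0.5", "resp_h": "192.0.2.10"}}}

if __name__ == "__main__":
    print(audit_ndjson(json.dumps(ENRICHED) + "\n" + json.dumps(UNENRICHED)))
```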

Hello @Automation_Scripts :)

So there are a few things we need to rule out here to find out where the issue might be, whether it's in our parsing or just a misconfiguration somewhere.

Would you be able to provide a single line from the logfile you are trying to read? And if possible a copy of the filebeat.yml and zeek.yml files? Feel free to remove or obfuscate any sensitive information like usernames and passwords etc.

So the installation is not quite straightforward, but I managed to run ELK with Docker. I think a video demo of the installation of ELK would help the community a lot.