Zeek/Bro to ECS Field Mappings

Is there a Zeek field to ECS field mapping document? Other than the logtype.yml files which actually do the conversion and renames, I have not been able to find anything. I'm avoiding having to build this mapping from scratch because I imagine it must exist by now.

An example is the duration field in Zeek. In the ECS process, it gets turned into temp.duration (according to connection.yml) and then into event.duration in the ECS pipeline (pipeline.yml)

Thank you!


Here is the doc on Zeek ECS translation: Zeek | Elastic docs

If you deploy the Zeek integration with Elastic Agent, then you can view/edit the ingest pipeline associated with the Zeek integration. That is where the data is curated prior to persisting to the corresponding log index.

Thanks - I was more looking for a one-to-one mapping, since this doesn't tell me exactly which Zeek fields map to which ECS fields. Doesn't seem like such a document exists, though...

There isn't any documentation about it. If you are not using the integration, what you can do is look at how Elastic parses the documents from Zeek to try to map your fields.

You can find the ingest pipelines used here: https://github.com/elastic/integrations/tree/main/packages/zeek/data_stream
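The suggestion above is to read the integration's ingest pipelines and recover the field mapping from their rename processors. The following is an added example, not code from the thread or from Elastic's zeek package: it scans a pipeline YAML for `rename` processors to build exactly the one-to-one table the question asks for, then applies that table to a Zeek conn.log JSON line, including the duration step the question mentions (Zeek seconds into `temp.duration`, then into `event.duration`, which ECS stores in nanoseconds). The pipeline excerpt and the conn record are constructed for illustration; the real package pipelines under the linked data_stream directory contain many more processors, and the `zeek.` prefix used for unmapped fields is an assumption, not the package's layout.

```python
"""Derive a Zeek -> ECS rename table from ingest-pipeline YAML and apply it.

Added example; not code from the thread or from Elastic's zeek package.
"""
import json
import re

# Constructed pipeline excerpt in the shape of ingest `rename` processors
# (assumption: processors and field names chosen for illustration only).
PIPELINE_YAML = """\
description: Pipeline for Zeek conn logs (constructed example)
processors:
  - rename:
      field: id.orig_h
      target_field: source.ip
      ignore_missing: true
  - rename:
      field: id.orig_p
      target_field: source.port
      ignore_missing: true
  - rename:
      field: id.resp_h
      target_field: destination.ip
      ignore_missing: true
  - rename:
      field: id.resp_p
      target_field: destination.port
      ignore_missing: true
  - rename:
      field: proto
      target_field: network.transport
      ignore_missing: true
  - rename:
      field: duration
      target_field: temp.duration
      ignore_missing: true
  - script:
      lang: painless
      source: ctx.event.duration = Math.round(ctx.temp.duration * 1e9)
  - remove:
      field: temp
      ignore_missing: true
"""

# Constructed Zeek conn.log record in JSON export format (not a real capture).
ZEEK_CONN_JSON = (
    '{"ts":1700000000.123,"uid":"CAbcDe1234567890","id.orig_h":"10.0.0.5",'
    '"id.orig_p":51234,"id.resp_h":"93.184.216.34","id.resp_p":443,'
    '"proto":"tcp","duration":1.5,"orig_bytes":820,"resp_bytes":4096}'
)

_PROC = re.compile(r"^\s*-\s*(\w+):\s*$")   # "  - rename:" style processor header
_KV = re.compile(r"^\s+(\w+):\s*(.+?)\s*$")  # indented "key: value" inside a processor


def rename_table(pipeline_yaml):
    """Return {zeek_field: ecs_field} for every `rename` processor in the YAML.

    A deliberately small line scanner (standard library only) that understands
    just the layout above: a `- rename:` header followed by indented
    `field:` / `target_field:` lines. Other processor types are skipped.
    """
    table = {}
    current = None  # processor type whose body we are currently inside
    field = target = None
    for line in pipeline_yaml.splitlines():
        m = _PROC.match(line)
        if m:
            if current == "rename" and field and target:
                table[field] = target
            current, field, target = m.group(1), None, None
            continue
        m = _KV.match(line)
        if m and current == "rename":
            key, value = m.groups()
            if key == "field":
                field = value
            elif key == "target_field":
                target = value
    if current == "rename" and field and target:  # flush a trailing rename
        table[field] = target
    return table


def zeek_to_ecs(zeek_json_line, table):
    """Map one Zeek JSON log line onto dotted ECS field names.

    Zeek reports `duration` in seconds while ECS `event.duration` is in
    nanoseconds, so the `temp.duration` intermediate is converted and dropped,
    mirroring the script + remove processors in the constructed pipeline.
    Fields with no rename are kept under a `zeek.` prefix (assumption).
    """
    record = json.loads(zeek_json_line)
    out = {table.get(key, "zeek." + key): value for key, value in record.items()}
    if "temp.duration" in out:
        out["event.duration"] = round(out.pop("temp.duration") * 1e9)
    return out


if __name__ == "__main__":
    table = rename_table(PIPELINE_YAML)
    for zeek_field, ecs_field in sorted(table.items()):
        print(f"{zeek_field} -> {ecs_field}")
    print(json.dumps(zeek_to_ecs(ZEEK_CONN_JSON, table), indent=2))
```

Running it prints the rename table followed by the converted record. Against the real package, point `rename_table` at each data stream's pipeline file in turn; processors other than `rename` (set, convert, script) also move data, so treat the table as the starting point for the mapping document rather than the whole of it.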
