<div dir="ltr"><div dir="ltr">On Sat, Oct 19, 2019 at 1:31 PM Darren S. <<a href="mailto:phatbuckett@gmail.com">phatbuckett@gmail.com</a>> wrote:</div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Following up on my brief comments at ZeekWeek, I'm happy to share that we've developed a mapping of Zeek fields to the Elastic Common Schema. It is posted at <a href="https://github.com/corelight/ecs-mapping" target="_blank">https://github.com/corelight/ecs-mapping</a> - looking forward to feedback, and of course if there are any issues, let us know (big thanks to Richard, cc'd above, for his work as the first deployment!). We'll work to update this as ECS revs - there are several fields they don't have in the schema yet. Happy mapping!</div></div></blockquote><div dir="auto"><br></div><div dir="auto">This is great!</div><div dir="auto"><br></div><div dir="auto">The project README notes:</div><div dir="auto"><br></div><div dir="auto">> <span style="font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji";font-size:15px;color:rgb(36,41,46)">The mapping can be done using either an ElasticSearch ingest node or directly in Kibana</span></div><div dir="auto"><span style="font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji";font-size:15px;color:rgb(36,41,46)"><br></span></div><div dir="auto"><span style="font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji";font-size:15px;color:rgb(36,41,46)">For users that ingest and enrich through a Logstash pipeline, how does this apply? (i.e. 
would they then have to maintain ingestion content in multiple layers)?</span></div></div></div></blockquote><div><br></div><div>Yes, it still applies: <span style="font-family:Arial,Helvetica,sans-serif">when Logstash forwards the data to Elastic, it will go through the ingest pipelines and through ECS. </span></div><div><span style="font-family:Arial,Helvetica,sans-serif"><br></span></div><div><span style="font-family:Arial,Helvetica,sans-serif">-s</span></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div class="gmail_quote"><div dir="auto"><span style="font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji";font-size:15px;color:rgb(36,41,46)"><br></span></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div></div></div></blockquote></div></div>-- <br><div dir="ltr">Darren Spruell<br><a href="mailto:phatbuckett@gmail.com" target="_blank">phatbuckett@gmail.com</a></div>
_______________________________________________<br>
Zeek mailing list<br>
<a href="mailto:zeek@zeek.org" target="_blank">zeek@zeek.org</a><br>
<a href="http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek" rel="noreferrer" target="_blank">http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek</a></blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div style="color:rgb(136,136,136);font-size:12.8px"><font face="arial, helvetica, sans-serif" size="2" color="#000000"><b>Stephen R. Smoot, PhD</b></font></div><div><font color="#000000" face="arial, helvetica, sans-serif" size="2">VP, Customer Success</font></div><div style="color:rgb(136,136,136);font-size:12.8px"><font face="arial, helvetica, sans-serif" size="2" color="#000000">Corelight</font></div><div style="color:rgb(136,136,136);font-size:12.8px"></div></div></div></div></div></div>
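<div dir="ltr">The Logstash arrangement the reply describes, as an added example that is not part of this thread and not code from the corelight/ecs-mapping project: Logstash only reads the Zeek JSON logs and routes each event to the Elasticsearch ingest pipeline for its log type, and the ECS field renames stay in that one ingest pipeline rather than being duplicated in Logstash filters. Assumptions (none are from the thread or the project): Zeek writes JSON logs under /opt/zeek/logs/current/, the ingest pipelines have already been created with names of the form zeek-&lt;log&gt; (zeek-conn, zeek-dns, ...), the Elasticsearch host is es.example.internal, and the writer credential is stored in the Logstash keystore as LS_ES_PASSWORD.</div>

```conf
# Added example, not from the ecs-mapping project or this thread.
# Assumed: JSON Zeek logs in /opt/zeek/logs/current/, ingest pipelines named
# "zeek-<log>", Elasticsearch at es.example.internal, keystore key LS_ES_PASSWORD.
input {
  file {
    path => "/opt/zeek/logs/current/*.log"
    codec => "json"
    # set to "beginning" for a one-off backfill; default tails from the end
    start_position => "end"
  }
}

filter {
  # Derive the Zeek log type (conn, dns, http, ...) from the file name and keep
  # it in @metadata so it is never indexed. Only routing happens here; the ECS
  # renames live in the ingest pipeline, so they are maintained in one place.
  grok {
    match => { "path" => "%{GREEDYDATA}/%{WORD:[@metadata][zeek_log]}\.log$" }
    tag_on_failure => ["_zeek_log_unknown"]
  }
}

output {
  if "_zeek_log_unknown" in [tags] {
    # Unknown log type: do not guess a pipeline; park the event for inspection.
    file { path => "/var/log/logstash/zeek-unrouted.json" }
  } else {
    elasticsearch {
      hosts => ["https://es.example.internal:9200"]
      user => "logstash_writer"
      password => "${LS_ES_PASSWORD}"   # resolved from the Logstash keystore
      index => "zeek-%{[@metadata][zeek_log]}-%{+YYYY.MM.dd}"
      # Route the event through the ingest pipeline that applies the ECS mapping.
      pipeline => "zeek-%{[@metadata][zeek_log]}"
    }
  }
}
```

<div dir="ltr">Two checks before relying on this: the named ingest pipeline must already exist in the cluster, otherwise Elasticsearch rejects each document in the bulk response with a "pipeline with id [...] does not exist" error and nothing is indexed, so confirm with GET _ingest/pipeline/zeek-conn first; and on Logstash versions where ECS compatibility is enabled for the file input, the source path is exposed as [log][file][path] rather than path, so the grok match field has to change accordingly. Any Logstash filter that renames fields the ingest pipeline expects will silently break the mapping, which is the practical reason to keep field renames in only one of the two layers.</div>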