[Zeek] Elastic Common Schema mapping

Darren S. phatbuckett at gmail.com
Sat Oct 19 13:29:09 PDT 2019


On Sat, Oct 19, 2019 at 1:01 PM Brian Dye <brian at corelight.com> wrote:

> All,
>
> Following up on my brief comments at ZeekWeek, happy to share that we've
> developed a mapping of Zeek fields to the Elastic Common Schema.  It is
> posted at https://github.com/corelight/ecs-mapping - looking forward to
> feedback and of course if there are any issues let us know (big thanks to
> Richard, cc'd above, for his work as the first deployment!). We'll work to
> update this as the ECS revs - there are several fields they don't have in
> the schema yet. Happy mapping!
>

This is great!

The project README notes:

> The mapping can be done using either an ElasticSearch ingest node or
> directly in Kibana

For users that ingest and enrich through a Logstash pipeline, how does this
apply? (i.e. would they then have to maintain ingestion content in multiple
layers)?

-- 
Darren Spruell
phatbuckett at gmail.com
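Whichever layer does the work (ingest node, Kibana, or a Logstash filter), the mapping itself amounts to the same two steps: renaming Zeek's flat field names, several of which are literal keys containing dots such as "id.orig_h", into ECS nested objects, and normalising Zeek's epoch-seconds "ts" into "@timestamp". The following is an added illustration of that, not code from the corelight/ecs-mapping project. The ECS field names used (source.ip, destination.port, network.transport, source.bytes, destination.bytes) are real ECS fields; which Zeek conn.log field feeds which ECS field is this example's assumption and may differ from Corelight's published mapping. The sample record is constructed, not a real capture.

```python
"""Illustrative Zeek conn.log -> ECS mapping (added example; not the
corelight/ecs-mapping project's code). Demonstrates the two operations any
mapping layer has to perform: rename Zeek's flat, dotted keys into ECS nested
objects and normalise the epoch timestamp to @timestamp."""
import json
from datetime import datetime, timezone

# Zeek conn.log field -> ECS field. The ECS names are real ECS fields; the
# pairing with Zeek fields is this example's assumption.
CONN_MAP = {
    "id.orig_h": "source.ip",
    "id.orig_p": "source.port",
    "id.resp_h": "destination.ip",
    "id.resp_p": "destination.port",
    "proto": "network.transport",
    "orig_bytes": "source.bytes",
    "resp_bytes": "destination.bytes",
}


def set_nested(doc, dotted, value):
    """Assign value at a dotted ECS path, creating nested dicts as needed.
    Unlike Zeek's "id.orig_h", an ECS dotted name denotes a nested object."""
    parts = dotted.split(".")
    cur = doc
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def zeek_conn_to_ecs(record):
    """Map one Zeek conn.log record (a dict parsed from Zeek's JSON log) to an
    ECS-style document. Unmapped Zeek fields are kept verbatim under a "zeek"
    object so nothing is silently dropped."""
    ecs = {}
    ts = record.get("ts")
    if ts is not None:
        # Zeek "ts" is epoch seconds (float); ECS wants an ISO 8601 timestamp.
        stamp = datetime.fromtimestamp(float(ts), tz=timezone.utc)
        ecs["@timestamp"] = stamp.isoformat().replace("+00:00", "Z")
    leftover = {}
    for key, value in record.items():
        if key == "ts":
            continue
        target = CONN_MAP.get(key)
        if target is None:
            # Keep the original flat key (dots and all) rather than nesting it.
            leftover[key] = value
        else:
            set_nested(ecs, target, value)
    if leftover:
        ecs["zeek"] = leftover
    return ecs


def ecs_from_line(line):
    """Parse one line of Zeek JSON output and map it."""
    return zeek_conn_to_ecs(json.loads(line))


# Constructed sample line in Zeek's JSON log format (not a real capture).
SAMPLE_LINE = json.dumps({
    "ts": 1571516949.123456,
    "uid": "CXWv6p3arKYeMETxOg",
    "id.orig_h": "10.0.0.5",
    "id.orig_p": 51234,
    "id.resp_h": "192.0.2.10",
    "id.resp_p": 443,
    "proto": "tcp",
    "orig_bytes": 1024,
    "resp_bytes": 4096,
})

if __name__ == "__main__":
    print(json.dumps(ecs_from_line(SAMPLE_LINE), indent=2))
```

The point worth taking from this for the Logstash question above is that the rename table and the timestamp conversion are the whole of the mapping logic, so wherever it lives (ingest pipeline, Logstash filter, or Kibana) it is the same table being maintained; keeping it in one place and generating the other layers' configuration from it avoids drift.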