[Zeek] Elastic Common Schema mapping
smoot at corelight.com
Wed Oct 23 07:23:38 PDT 2019
On Sat, Oct 19, 2019 at 1:31 PM Darren S. <phatbuckett at gmail.com> wrote:
>> Following up on my brief comments at ZeekWeek, happy to share that we've
>> developed a mapping of Zeek fields to the Elastic Common Schema. It is
>> posted at https://github.com/corelight/ecs-mapping - looking forward to
>> feedback and of course if there are any issues let us know (big thanks to
>> Richard, cc'd above, for his work as the first deployment!). We'll work to
>> update this as the ECS revs - there are several field they don't have in
>> the schema yet. Happy mapping!
> This is great!
> The project README notes:
> > The mapping can be done using either an ElasticSearch ingest node or
> > directly in Kibana
> For users that ingest and enrich through a Logstash pipeline, how does
> this apply? (i.e. would they then have to maintain ingestion content in
> multiple layers)?
Yes, it still applies. When Logstash forwards the data to Elastic, it will go
through the ingest pipelines and go through ECS.
> Darren Spruell
> phatbuckett at gmail.com
> Zeek mailing list
> zeek at zeek.org
*Stephen R. Smoot, PhD*
VP, Customer Success
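To make the thread's point concrete, here is an added example (not code from the corelight/ecs-mapping project or from either poster) that emulates what an Elasticsearch ingest pipeline's `rename` processors do to a Zeek record on its way to ECS. It assumes Zeek's JSON log output, where field names are flat dotted keys such as `id.orig_h`, and uses an illustrative subset of Zeek-to-ECS field pairs chosen for this example; the project's actual mapping is defined in its own pipeline files. The sample conn.log record is constructed.

```python
"""Emulate ingest-pipeline 'rename' processing of a Zeek conn.log record
into an ECS-shaped document.

Added example, not the corelight/ecs-mapping project's own code. The
ZEEK_TO_ECS pairs are an illustrative subset (assumption); the real mapping
is defined by the project's ingest pipeline definitions.
"""
import json

# Assumed illustrative mapping: Zeek conn.log flat key -> ECS dotted path.
ZEEK_TO_ECS = {
    "id.orig_h": "source.ip",
    "id.orig_p": "source.port",
    "id.resp_h": "destination.ip",
    "id.resp_p": "destination.port",
    "proto": "network.transport",
    "orig_bytes": "source.bytes",
    "resp_bytes": "destination.bytes",
    "uid": "zeek.session_id",
}

# Constructed sample record in Zeek's JSON log format (flat dotted keys).
SAMPLE_CONN = json.loads(
    '{"ts": 1571841818.0, "uid": "CONSTRUCTED_UID_1", '
    '"id.orig_h": "10.0.0.5", "id.orig_p": 51234, '
    '"id.resp_h": "192.0.2.10", "id.resp_p": 443, '
    '"proto": "tcp", "orig_bytes": 1200, "resp_bytes": 8400}'
)


def set_path(doc, dotted, value):
    """Write value at a dotted path, creating nested objects as an ingest
    'rename' target would (e.g. 'source.ip' -> {"source": {"ip": ...}})."""
    parts = dotted.split(".")
    cur = doc
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
        if not isinstance(cur, dict):
            raise ValueError(f"cannot nest under non-object field {part!r}")
    cur[parts[-1]] = value


def rename_processor(doc, source_field, target_field, ignore_missing=True):
    """One 'rename' processor: move source_field to target_field.
    Mirrors the processor's ignore_missing behaviour for absent fields."""
    if source_field not in doc:
        if ignore_missing:
            return doc
        raise KeyError(source_field)
    set_path(doc, target_field, doc.pop(source_field))
    return doc


def zeek_to_ecs(record):
    """Run the rename processors in order; unmapped fields pass through."""
    doc = dict(record)
    for src, dst in ZEEK_TO_ECS.items():
        rename_processor(doc, src, dst)
    return doc


if __name__ == "__main__":
    print(json.dumps(zeek_to_ecs(SAMPLE_CONN), indent=2))
```

This is the transformation that happens on the Elasticsearch side regardless of how the document arrives: Logstash's elasticsearch output plugin has a `pipeline` setting that names the ingest pipeline documents should pass through, which is why the mapping does not need to be duplicated in Logstash filters.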