[Zeek] Elastic Common Schema mapping

Steve Smoot smoot at corelight.com
Wed Oct 23 07:23:38 PDT 2019


On Sat, Oct 19, 2019 at 1:31 PM Darren S. <phatbuckett at gmail.com> wrote:

>> Following up on my brief comments at ZeekWeek, happy to share that we've
>> developed a mapping of Zeek fields to the Elastic Common Schema.  It is
>> posted at https://github.com/corelight/ecs-mapping - looking forward to
>> feedback and of course if there are any issues let us know (big thanks to
>> Richard, cc'd above, for his work as the first deployment!). We'll work to
>> update this as the ECS revs - there are several fields they don't have in
>> the schema yet. Happy mapping!
>>
>
> This is great!
>
> The project README notes:
>
> > The mapping can be done using either an ElasticSearch ingest node or
> directly in Kibana
>
> For users that ingest and enrich through a Logstash pipeline, how does
> this apply? (i.e. would they then have to maintain ingestion content in
> multiple layers)?
>

Yes, it still applies: when Logstash forwards the data to Elastic it will go
through the ingest pipelines and go through ECS.

-s


>
> --
> Darren Spruell
> phatbuckett at gmail.com
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek



-- 
*Stephen R. Smoot, PhD*
VP, Customer Success
Corelight
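One way to wire up the arrangement described in the reply above, as an added example that is not from the corelight/ecs-mapping project or from either poster: a Logstash pipeline whose elasticsearch output names the ingest-node pipeline, so the ECS mapping is applied by the ingest node after Logstash has done its own enrichment. The ingest pipeline names (`zeek-<logtype>`), the Zeek log path and the Elasticsearch host are assumptions; substitute the names used by the mapping you actually loaded.

```logstash
# Added example (not the corelight/ecs-mapping project's own config).
# Assumptions: Zeek writes JSON logs, one file per log type (conn.log,
# dns.log, ...), and the ECS ingest pipelines are already loaded into
# Elasticsearch under placeholder names of the form "zeek-<logtype>".
input {
  file {
    path  => "/opt/zeek/logs/current/*.log"   # assumed Zeek log location
    codec => "json"
  }
}

filter {
  # Derive the Zeek log type from the file name, e.g. ".../conn.log" -> "conn".
  # Stored under @metadata so it is not shipped as a document field.
  grok {
    match          => { "path" => "%{GREEDYDATA}/%{WORD:[@metadata][zeek_log_type]}\.log" }
    tag_on_failure => ["_zeek_log_type_unknown"]
  }

  # Any Logstash-side enrichment (geoip, asset tags, ...) goes here; it runs
  # before the ingest node applies the ECS mapping.

  # Select the ingest pipeline that performs the ECS mapping for this log type.
  mutate {
    add_field => { "[@metadata][pipeline]" => "zeek-%{[@metadata][zeek_log_type]}" }
  }
}

output {
  elasticsearch {
    hosts => ["https://elasticsearch.example.internal:9200"]   # assumed host
    index => "zeek-%{[@metadata][zeek_log_type]}-%{+YYYY.MM.dd}"
    # Hand each document to the named ingest pipeline. This is the setting
    # that keeps the ECS mapping in one place (the ingest node) instead of
    # duplicating it in Logstash filters.
    pipeline => "%{[@metadata][pipeline]}"
  }
}
```

Documents tagged `_zeek_log_type_unknown` would be sent to a pipeline named `zeek-%{[@metadata][zeek_log_type]}` literally and be rejected by Elasticsearch, so watch for that tag when validating the setup.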