Hi,
Am I correct in stating that field order is not to be relied on for log parsing?
As per #718: Log protocol type for notices - #3, one should/must avoid relying on the order of fields.
If I install GitHub - cisagov/ACID, which adds several new fields to notice.log, restart Zeek, run for a few days and then proceed to add another app like GitHub - corelight/CVE-2022-24491 (A Zeek CVE-2022-24491 detector), which also adds fields to notice.log, is there no guarantee that the fields will remain in the same order?
May I guess that after installing all your apps/zkgs, Zeek starts, parses all the loaded scripts and generates the headers for the various log files?
Said headers will be regenerated at each start/restart and/or change accordingly if zkgs are added or removed?
So, the correct method is to parse the log file header and use column names, yes?
Please pardon my ignorance in the above matter, hence my posting here.
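The approach asked about above, as an added example that is not part of the original post: a small parser that reads a Zeek TSV log through the `#separator`, `#set_separator`, `#empty_field`, `#unset_field`, `#fields` and `#types` header lines and returns each record keyed by column name, so a package that adds or reorders columns does not shift the values. `SAMPLE_LOG` is a constructed, shortened notice.log.

```python
# Added example (not code from the original post): parse a Zeek TSV log by
# the column names declared in its "#fields" header, never by position.
# SAMPLE_LOG is a constructed, shortened notice.log for demonstration.
SAMPLE_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#fields\tts\tuid\tid.orig_h\tnote\tmsg\tactions\n"
    "#types\ttime\tstring\taddr\tenum\tstring\tset[enum]\n"
    "1700000000.123456\tCHhAvVGS1DHFjwGM9\t10.0.0.5\tScan::Port_Scan\tconstructed sample\tNotice::ACTION_LOG\n"
    "1700000001.000000\t-\t10.0.0.6\tSSH::Password_Guessing\t-\t(empty)\n"
)


def _convert(raw, typ, meta):
    """Map one raw cell to a Python value using the #types declaration."""
    if raw == meta["unset_field"]:
        return None
    if typ.startswith(("set[", "vector[")):
        return [] if raw == meta["empty_field"] else raw.split(meta["set_separator"])
    if typ in ("count", "int", "port"):
        return int(raw)
    if typ in ("time", "interval", "double"):
        return float(raw)
    return raw  # string, addr, enum, subnet, etc. stay as text


def parse_zeek_log(text):
    """Return a list of dicts, one per record, keyed by field name."""
    sep = "\t"
    meta = {"set_separator": ",", "empty_field": "(empty)", "unset_field": "-"}
    fields, types, records = None, None, []
    for line in text.splitlines():
        if line.startswith("#separator "):
            # Zeek writes the separator as an escape sequence, e.g. \x09
            sep = line[len("#separator "):].encode().decode("unicode_escape")
        elif line.startswith("#"):
            key, _, value = line[1:].partition(sep)
            if key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
            elif key in meta:
                meta[key] = value
        else:
            if fields is None or types is None:
                raise ValueError("data row before #fields/#types header")
            cells = line.split(sep)
            if len(cells) != len(fields):
                raise ValueError(f"expected {len(fields)} cells, got {len(cells)}")
            records.append({n: _convert(c, t, meta)
                            for n, t, c in zip(fields, types, cells)})
    return records
```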