Hello,
the files.log is currently unusual to work with in that it does not have the typical uid and c$id fields that most other logs have, while still being very connection oriented (conn_uids in most cases contains just a single uid).
We’re proposing the following change that may be included in Zeek 5.1 or 5.2:
Removal of tx_hosts, rx_hosts and conn_uids from files.log and unrolling files.log such that each entry has a single, optional, connection uid and connection identifier.
More details about the motivation and approach can be found in the Google Doc. Feedback and comments are welcome. We understand this is a rather invasive change and are very happy to hear what others think.
Thanks,
Arne