This is one of the primary aims of the project I work on at the Idaho National Lab called Malcolm.
It’s open source, so you’re welcome to use or adapt the project as would fit your needs. Or, if you just want to see the code where we’re parsing the Zeek logs (in Logstash) and making them correspond to the Arkime schema:
- https://github.com/idaholab/Malcolm/blob/main/logstash/pipelines/zeek/11_zeek_logs.conf
- https://github.com/idaholab/Malcolm/blob/main/arkime/etc/config.ini
-SG