All,
Following up on my brief comments at ZeekWeek, happy to share that we’ve developed a mapping of Zeek fields to the Elastic Common Schema. It is posted at https://github.com/corelight/ecs-mapping - looking forward to feedback and, of course, if there are any issues let us know (big thanks to Richard, cc’d above, for his work as the first deployment!). We’ll work to update this as the ECS revs - there are several fields they don’t have in the schema yet. Happy mapping!
Best,
Brian
This is great, thanks for sharing.
This is great!
The project README notes:
The mapping can be done using either an ElasticSearch ingest node or directly in Kibana
For users that ingest and enrich through a Logstash pipeline, how does this apply (i.e., would they then have to maintain ingestion content in multiple layers)?
Yes, it still applies: when Logstash forwards the data to Elastic, it will go through the ingest pipelines and go through ECS.
-s
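As an added illustration of that answer (not code from the corelight/ecs-mapping project): the body of an Elasticsearch ingest pipeline, created with `PUT _ingest/pipeline/zeek-conn-ecs`, that renames a few Zeek conn.log fields to ECS names. The pipeline name, the field choices and the assumption that Zeek emits JSON logs with dotted keys such as `id.orig_h` are mine, not the project's.

```json
{
  "description": "Added example, not the project's mapping: assumed rename of Zeek conn.log fields to ECS names",
  "processors": [
    { "dot_expander": { "field": "id.orig_h" } },
    { "dot_expander": { "field": "id.orig_p" } },
    { "dot_expander": { "field": "id.resp_h" } },
    { "dot_expander": { "field": "id.resp_p" } },
    { "rename": { "field": "id.orig_h", "target_field": "source.ip",         "ignore_missing": true } },
    { "rename": { "field": "id.orig_p", "target_field": "source.port",       "ignore_missing": true } },
    { "rename": { "field": "id.resp_h", "target_field": "destination.ip",    "ignore_missing": true } },
    { "rename": { "field": "id.resp_p", "target_field": "destination.port",  "ignore_missing": true } },
    { "rename": { "field": "proto",     "target_field": "network.transport", "ignore_missing": true } }
  ]
}
```

In the Logstash elasticsearch output, setting `pipeline => "zeek-conn-ecs"` routes forwarded events through this same pipeline, so the ECS mapping lives in one place whether events arrive via Logstash or directly.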