Hello and happy new year!
For Zeek 6.2 and going forward, we’re changing the names and types of certain log fields within ldap.log and ldap_search.log to singular scalars.
While this is a breaking change for consumers of these logs, the LDAP analyzer was introduced with Zeek 6.1 and we’ve reserved the option to do these improvements until the next Zeek LTS release (7.0).
The proposed NEWS entry for the change, for more details:
Certain ``ldap.log`` and ``ldap_search.log`` fields have been renamed from
plural to singular and their types changed to scalars. This maps better onto
the expected request-response protocol used between client and server. Additionally,
it removes the burden of working with non-scalar columns from downstream systems.
Specifically, for ``ldap.log``:
* ``arguments: vector of string`` is now ``argument: string``
* ``diagnostic_messages: vector of string`` is now ``diagnostic_message: string``
* ``objects: vector of string`` is now ``object: string``
* ``opcodes: set[string]`` is now ``opcode: string``
* ``results: set[string]`` is now ``result: string``
For ``ldap_search.log``, the following fields were changed:
* ``base_objects: vector of string`` is now ``base_object: string``
* ``derefs: set[string]`` is now ``deref_aliases: string``
* ``diagnostic_messages: vector of string`` is now ``diagnostic_message: string``
* ``results: set[string]`` is now ``result: string``
* ``scopes: set[string]`` is now ``scope: string``
In the unlikely scenario that a request-response pair with the same message
identifier is observed, containing different values for certain fields, new
weirds are raised and will appear in ``weird.log``, including the old and new
values as well as the LDAP message identifier. The value within the LDAP logs
will be the most recently observed one.
Reference to the PR is here.
If you have thoughts around this kind of log change in general, or LDAP specifically, please reach out.
Thanks,
Arne
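For downstream consumers that will see both layouts for a while (6.1 logs with plural vector/set columns, 6.2 logs with singular scalars), the following is an added example of a normalizer, written for this page and not code from Zeek or from the post above. It parses a Zeek ASCII (TSV) log, collapses each plural field named in the NEWS entry to its new singular name, and emits a warning where one record carried more than one distinct value, mirroring the weird that Zeek 6.2 raises for conflicting request-response pairs. The sample log text is constructed for illustration: the `ts`, `uid` and `message_id` columns and every value in it are assumptions, not captured output, and only the fields named in the NEWS entry are taken from the page.

```python
"""Normalize Zeek ldap.log / ldap_search.log records across the 6.1 -> 6.2 rename.

Added example; not part of Zeek or of the original post.
"""
import re

# Plural (Zeek 6.1) -> singular (Zeek 6.2) field names, as listed in the NEWS entry.
LDAP_RENAMES = {
    "arguments": "argument",
    "diagnostic_messages": "diagnostic_message",
    "objects": "object",
    "opcodes": "opcode",
    "results": "result",
}
LDAP_SEARCH_RENAMES = {
    "base_objects": "base_object",
    "derefs": "deref_aliases",
    "diagnostic_messages": "diagnostic_message",
    "results": "result",
    "scopes": "scope",
}

# Zeek's ASCII writer escapes separator and control bytes inside a field as \xNN.
_HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def _unescape(value: str) -> str:
    """Undo Zeek's \\xNN escaping so 'cn=a\\x2cdc=b' becomes 'cn=a,dc=b'."""
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def parse_zeek_tsv(text: str) -> dict:
    """Parse a Zeek ASCII log into header metadata plus one raw dict per record."""
    meta = {"fields": [], "types": [], "set_sep": ",", "unset": "-",
            "empty": "(empty)", "rows": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        if cols[0].startswith("#"):          # header / footer lines
            key = cols[0][1:]
            if key in ("fields", "types"):
                meta[key] = cols[1:]
            elif key == "set_separator":
                meta["set_sep"] = cols[1]
            elif key == "unset_field":
                meta["unset"] = cols[1]
            elif key == "empty_field":
                meta["empty"] = cols[1]
            continue
        meta["rows"].append(dict(zip(meta["fields"], cols)))
    return meta


def normalize_record(row: dict, meta: dict, renames: dict):
    """Return (record with 6.2 names, warnings) for one raw 6.1 or 6.2 record.

    A multi-valued 6.1 column becomes the last element listed; that matches "most
    recently observed" for vectors, while a set's on-disk order carries no such
    meaning, so the warning, not the chosen value, is the signal to act on.
    """
    types = dict(zip(meta["fields"], meta["types"]))
    out, warnings = dict(row), []
    for plural, singular in renames.items():
        if plural not in out:
            continue                         # already 6.2 layout, or column absent
        raw = out.pop(plural)
        multi = types.get(plural, "").startswith(("vector[", "set["))
        if raw == meta["unset"] or (multi and raw == meta["empty"]):
            out[singular] = None
        elif multi:
            values = [_unescape(v) for v in raw.split(meta["set_sep"])]
            distinct = list(dict.fromkeys(values))
            if len(distinct) > 1:
                warnings.append(
                    f"message_id={row.get('message_id', '?')} field={plural}: "
                    f"conflicting values {distinct}, keeping {values[-1]!r}")
            out[singular] = values[-1]
        else:
            out[singular] = _unescape(raw)
    return out, warnings


def normalize_log(text: str, renames: dict):
    """Parse and normalize a whole log; returns (records, warnings)."""
    meta = parse_zeek_tsv(text)
    pairs = [normalize_record(r, meta, renames) for r in meta["rows"]]
    return [r for r, _ in pairs], [w for _, ws in pairs for w in ws]


# Constructed 6.1-style ldap.log excerpt (assumed columns and values, not real traffic).
SAMPLE_LDAP_61 = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tldap",
    "#fields\tts\tuid\tmessage_id\topcodes\tresults\tdiagnostic_messages\tobjects\targuments",
    "#types\ttime\tstring\tint\tset[string]\tset[string]\tvector[string]\tvector[string]\tvector[string]",
    "1704067200.000000\tCHhAvVGS1DHFjwGM9\t1\tbind\tsuccess\t(empty)\tcn=alice\\x2cdc=example\\x2cdc=org\tsimple",
    "1704067201.000000\tCHhAvVGS1DHFjwGM9\t2\tbind\tsuccess,invalidCredentials\t-\t-\t-",
])

if __name__ == "__main__":
    records, warns = normalize_log(SAMPLE_LDAP_61, LDAP_RENAMES)
    for rec in records:
        print(rec)
    for w in warns:
        print("WARN", w)
```

Running the module prints two records with the 6.2 names (`opcode`, `result`, `object`, ...) and one warning for message id 2, whose `results` set held two different values. Feeding it a 6.2 log leaves every record untouched, so the same code path can stay in place until no 6.1 logs remain. Pass `LDAP_SEARCH_RENAMES` for `ldap_search.log`.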