What version of Zeek is going to map to ECS?

Just curious what version of Zeek is going to have the ECS mapping?

Thank you,

Hi Don,

Assuming you’re using Filebeat’s Zeek module, it looks like ECS mapping is supported as of Zeek 2.6.1 (https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-zeek.html). This GitHub PR (https://github.com/elastic/beats/pull/17738) references an update to the Zeek module to support ECS 1.5 (latest).

I have Zeek 3.1.4 sending logs to Elasticsearch 7.8 and can confirm that fields appear to be mapped properly.

Hope that helps!
Eric
ericooi.com
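To make the "fields mapped properly" check concrete, here is an added example (not code from the thread, and not the Filebeat Zeek module's own mapping logic) that maps a constructed Zeek conn.log JSON record to an ECS-shaped document and reports any required ECS fields that are missing. The Zeek-to-ECS field pairs are an assumed subset; the module's ingest pipeline is the authoritative mapping.

```python
"""Illustrative Zeek conn.log (JSON) -> ECS mapping plus a field check.

Added example. ZEEK_TO_ECS is an assumed subset of the ECS layout, not the
Filebeat module's pipeline; compare against the module before relying on it.
"""
import json
from datetime import datetime, timezone

# Constructed sample conn.log record in Zeek's JSON output format (not real traffic).
SAMPLE_CONN_LINE = json.dumps({
    "ts": 1594200000.123456, "uid": "CexAmple1234567890",
    "id.orig_h": "10.0.0.5", "id.orig_p": 51234,
    "id.resp_h": "192.0.2.10", "id.resp_p": 443,
    "proto": "tcp", "service": "ssl", "duration": 0.42,
    "orig_bytes": 1200, "resp_bytes": 8400, "conn_state": "SF",
})

# Assumed Zeek field -> ECS dotted path (nested into objects on output).
ZEEK_TO_ECS = {
    "id.orig_h": "source.ip", "id.orig_p": "source.port",
    "id.resp_h": "destination.ip", "id.resp_p": "destination.port",
    "proto": "network.transport", "service": "network.protocol",
    "orig_bytes": "source.bytes", "resp_bytes": "destination.bytes",
    "uid": "zeek.session_id", "conn_state": "zeek.connection.state",
}

# ECS paths a connection event should always carry after mapping.
REQUIRED_ECS = ("@timestamp", "source.ip", "destination.ip", "network.transport")


def _set_nested(doc, dotted, value):
    """Store value at a dotted path, creating intermediate objects as needed."""
    parts = dotted.split(".")
    for key in parts[:-1]:
        doc = doc.setdefault(key, {})
    doc[parts[-1]] = value


def _get_nested(doc, dotted):
    """Read a dotted path; None when any segment is absent."""
    for key in dotted.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc


def zeek_conn_to_ecs(line):
    """Map one Zeek conn.log JSON line to an ECS-shaped document."""
    rec = json.loads(line)
    doc = {"event": {"module": "zeek", "dataset": "zeek.connection"}}
    # Zeek ts is epoch seconds; ECS @timestamp is an ISO 8601 string in UTC.
    ts = datetime.fromtimestamp(rec["ts"], tz=timezone.utc)
    doc["@timestamp"] = ts.isoformat(timespec="milliseconds")
    for zeek_field, ecs_field in ZEEK_TO_ECS.items():
        if zeek_field in rec:
            _set_nested(doc, ecs_field, rec[zeek_field])
    if "orig_bytes" in rec and "resp_bytes" in rec:
        _set_nested(doc, "network.bytes", rec["orig_bytes"] + rec["resp_bytes"])
    return doc


def missing_ecs_fields(doc, required=REQUIRED_ECS):
    """Return the required ECS paths absent from doc (empty list means mapped)."""
    return [path for path in required if _get_nested(doc, path) is None]
```

Running `missing_ecs_fields` over documents pulled back from the index is a quick way to spot records where the mapping silently fell through and left Zeek's original field names.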

If you have other avenues in mind, see also:
https://github.com/corelight/ecs-mapping

-s