add community ID to more (all) Zeek log types #444

Open
mmguero opened this issue Mar 14, 2024 · 0 comments
Labels
enhancement New feature or request external Depends on a bug or feature external to this project zeek Relating to Malcolm's use of Zeek
Comments
mmguero commented Mar 14, 2024

It may be useful in some cases to have community ID as part of more Zeek logs than conn.log. This would be a configurable option.

However (at least as of 2020), there isn't a generalized mechanism to add a field to ALL logs. See corelight/zeek-community-id#3.

This gives us a few options, if we wanted to do this:

  • hook EVERY log type (sort of like this project) and add them manually
  • calculate community ID in logstash and add it during enrichment instead
  • ???
@mmguero mmguero added enhancement New feature or request external Depends on a bug or feature external to this project zeek Relating to Malcolm's use of Zeek labels Mar 14, 2024
@mmguero mmguero added this to the z.staging milestone Mar 14, 2024
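Of the options above, computing the ID at enrichment time means re-implementing the Community ID v1 hash outside Zeek. The Python below is an added example, not Malcolm's pipeline code or Corelight's package: it hashes the canonically ordered 5-tuple as the spec describes and stamps the result on any record carrying Zeek's standard id.* fields (the sample record and the `enrich_zeek_record` helper are constructed; ICMP type/code pseudo-port mapping is not implemented).

```python
import base64
import hashlib
import ipaddress
import struct

# IANA protocol numbers whose Zeek id.*_p fields are real ports.
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "sctp": 132}


def community_id_v1(saddr, sport, daddr, dport, proto, seed=0):
    """Community ID v1 for a flow 5-tuple (TCP/UDP/SCTP or port-less).

    Both directions yield the same ID because the tuple is put into
    canonical order before hashing. ICMP pseudo-ports are not mapped.
    """
    src = ipaddress.ip_address(saddr).packed
    dst = ipaddress.ip_address(daddr).packed
    if proto in PROTO_NUMBERS.values():
        sp, dp = struct.pack("!H", sport), struct.pack("!H", dport)
    else:
        sp = dp = b""  # port-less protocol: addresses and proto only
    # Lower address first; on an address tie, lower port first.
    if (src, sp) > (dst, dp):
        src, dst, sp, dp = dst, src, dp, sp
    h = hashlib.sha1()
    h.update(struct.pack("!H", seed))        # 16-bit seed, network order
    h.update(src + dst)
    h.update(struct.pack("!BB", proto, 0))   # protocol number + padding
    h.update(sp + dp)
    return "1:" + base64.b64encode(h.digest()).decode("ascii")


def enrich_zeek_record(rec, seed=0):
    """Add community_id to a Zeek-style log dict that has id.* fields.

    Records without a full 5-tuple (e.g. notice-only logs) are returned
    unchanged, so the same step can run over every log type.
    """
    proto = PROTO_NUMBERS.get(str(rec.get("proto", "")).lower())
    if proto is None or "id.orig_h" not in rec or "id.resp_h" not in rec:
        return rec
    rec["community_id"] = community_id_v1(
        rec["id.orig_h"], int(rec["id.orig_p"]),
        rec["id.resp_h"], int(rec["id.resp_p"]), proto, seed)
    return rec


# Constructed http.log-style record; the flow matches the spec's test vector.
SAMPLE_HTTP_RECORD = {"id.orig_h": "128.232.110.120", "id.orig_p": 34855,
                      "id.resp_h": "66.35.250.204", "id.resp_p": 80,
                      "proto": "tcp", "method": "GET", "uri": "/"}
```

Running `enrich_zeek_record(SAMPLE_HTTP_RECORD)` yields the same `1:LQU9qZlK+B5F3KDmev6m5PMibrg=` that Zeek's conn.log carries for this flow, so the two logs can be joined on it.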
Projects
Status: Todo (investigate)