Datastreams for zeek should be inside the logs-* naming #1
Comments
|
Thanks! I looked this over and don't understand what I'm losing if I don't name data streams this way, but I think I'd have to remove functionality from zeek2es to match this naming convention. The way I'm naming things is pretty important to how I'm processing things down the line for my research. I have the index/datastream names this way so Zeek formats can change over time, which happens a lot in my research. If I put all conn logs in |
|
This functionality should exist already if you use the |
|
I clarified the |
|
Here is a new script to automate what I talked about above: https://github.com/corelight/zeek2es/blob/working/process_logs_as_datastream.sh |
|
TIL you can make a data stream by naming a regular index |
|
I added another helper script and some documentation: https://github.com/corelight/zeek2es/tree/master#helperscripts These should do what you describe above. |
keithjjones
added
documentation
|
Since the newest updates addressed this issue, I'm closing it now. Please reopen if you think I missed the mark. Thanks! |
Hi
I just discovered this great repository. I personally think that when using datastreams the naming convention should be
logs-zeek-default. This would follow our datastream recommendations fortype-dataset-namespace.By placing the index with starting
logsit will show up automatically within the logs stream and the security pages and all other sorts of places within Kibana.The text was updated successfully, but these errors were encountered: