Current documentation for applying a filter to a zeek stream before it is sent to Kafka is using the "$pred" feature. This feature was depreciated in Zeek version 4.x in favor of using the "hook" feature (https://docs.zeek.org/en/master/frameworks/logging.html#filter-log-records) but was still supported, but in version 5.x a "zeekctl check" will fail with:
error in /usr/local/zeek/share/zeek/site/local.zeek, lines 150-158: orphaned field "pred" in record coercion ((coerce [$name=kafka-ssl, $writer=Log::WRITER_KAFKAWRITER, $config=table(metadata.broker.list = cikafka.my-company.com:9093), $pred=no_ssl_int, $path=DC2_Network_Monitor_Zeek_SSL_Raw] to Log::Filter))
The above referenced Zeek documentation shows how to filter using hooks with the ASCII writer, but it is unclear how to implement a hook filter specific to a Kafka topic in a local.zeek configuration file.
Your environment
Version of Zeek - 5.0.8
Version or commit hash of the zeek-kafka package - v1.1.0
Operating System and version - Ubuntu Server 20.04
Summary of the issue
Current documentation for applying a filter to a zeek stream before it is sent to Kafka is using the "$pred" feature. This feature was depreciated in Zeek version 4.x in favor of using the "hook" feature (https://docs.zeek.org/en/master/frameworks/logging.html#filter-log-records) but was still supported, but in version 5.x a "zeekctl check" will fail with:
error in /usr/local/zeek/share/zeek/site/local.zeek, lines 150-158: orphaned field "pred" in record coercion ((coerce [$name=kafka-ssl, $writer=Log::WRITER_KAFKAWRITER, $config=table(metadata.broker.list = cikafka.my-company.com:9093), $pred=no_ssl_int, $path=DC2_Network_Monitor_Zeek_SSL_Raw] to Log::Filter))
The above referenced Zeek documentation shows how to filter using hooks with the ASCII writer, but it is unclear how to implement a hook filter specific to a Kafka topic in a local.zeek configuration file.
Your environment