Open mmguero opened 1 week ago
@mmguero cloned issue idaholab/Malcolm#444 on 2024-03-14:
It may be useful in some cases to have community ID as part of more zeek logs than conn.log. This would be a configurable option.
However, (at least as of 2020) there isn't a generalized mechanism to add a field to ALL logs. See corelight/zeek-community-id#3.
This gives us a few options, if we wanted to do this:
- hook EVERY log type (sort of like this project) and add them manually
- calculate community ID in logstash and add it during enrichment instead
- ???
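Added example for the second option (computing the ID during Logstash enrichment rather than in Zeek). This is not code from the issue, from Malcolm, or from zeek-community-id; it is a stand-alone Ruby implementation of Community ID v1 (Ruby because a Logstash `ruby` filter is where it would run). The function name, argument order, and the sample 5-tuple are my own; the byte layout (2-byte seed, source address, destination address, protocol, one zero pad byte, then ports for TCP/UDP/SCTP, SHA-1, base64, "1:" prefix) and the lower-endpoint-first ordering follow the Corelight Community ID specification. ICMP is deliberately rejected because the spec maps type/code onto pseudo-ports, which this example does not implement.

```ruby
require 'digest'
require 'ipaddr'

# Community ID v1, as Zeek writes it into conn.log's community_id field.
# Added example, not Malcolm's or zeek-community-id's code.
# proto is the IP protocol number: 6 = TCP, 17 = UDP, 132 = SCTP.
PORT_PROTOS = [6, 17, 132].freeze
ICMP_PROTOS = [1, 58].freeze   # ICMP / ICMPv6 need the spec's type/code mapping

def community_id_v1(saddr, daddr, proto, sport = nil, dport = nil, seed = 0)
  if ICMP_PROTOS.include?(proto)
    raise ArgumentError, 'ICMP type/code mapping not implemented in this example'
  end
  port_based = PORT_PROTOS.include?(proto)
  if port_based && (sport.nil? || dport.nil?)
    raise ArgumentError, 'TCP/UDP/SCTP flows need both ports'
  end

  # Network-byte-order address bytes; both ends must be the same family.
  sa = IPAddr.new(saddr).hton
  da = IPAddr.new(daddr).hton
  raise ArgumentError, 'mixed address families' if sa.bytesize != da.bytesize

  # Canonical ordering is what makes the ID direction-independent:
  # the lower (address, port) pair goes first, compared byte-wise.
  in_order = (sa < da) || (sa == da && (!port_based || sport <= dport))
  sa, da, sport, dport = da, sa, dport, sport unless in_order

  data = [seed].pack('n') + sa + da + [proto, 0].pack('CC')
  data += [sport, dport].pack('nn') if port_based
  '1:' + [Digest::SHA1.digest(data)].pack('m0')   # strict base64, no newline
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample flow (not taken from any real capture):
  # 128.232.110.120:34855 -> 66.35.250.204:80 over TCP
  puts community_id_v1('128.232.110.120', '66.35.250.204', 6, 34855, 80)
  # Reverse direction yields the same ID, which is the property the
  # enrichment approach relies on when stitching other logs to conn.log.
  puts community_id_v1('66.35.250.204', '128.232.110.120', 6, 80, 34855)
end
```

In a Logstash `ruby` filter the same function would be fed the event's source/destination address, port, and protocol fields (whatever those are named in the pipeline's schema, which this example assumes rather than knows) and the result written back with `event.set`. The seed must match whatever Zeek is configured with, otherwise IDs computed here will never join against the ones in conn.log.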