add community ID to more (all) Zeek logs types

idaholab / Malcolm

Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files), Zeek logs and Suricata alerts.

https://idaholab.github.io/Malcolm/

Other

327 stars 53 forks source link

add community ID to more (all) Zeek logs types #444

Open mmguero opened 3 months ago

mmguero commented 3 months ago

It may be useful in some cases to have community ID as part of more zeek logs than conn.log. This would be a configurable option.

However, (at least as of 2020) there isn't a generalized mechanism to add a field to ALL logs. See corelight/zeek-community-id#3.

This gives us a few options, if we wanted to do this:

hook EVERY log type (sort of like this project) and add them manually
calculate community ID in logstash and add it during enrichment instead
???