{
  "name": "zeek",
  "title": "Zeek",
  "version": "5.0.0",
  "release": "ga",
  "description": "Collect logs from Zeek with Elastic Agent.",
  "type": "integration",
  "download": "/epr/zeek/zeek-5.0.0.zip",
  "path": "/package/zeek/5.0.0",
  "icons": [
    {
      "src": "/img/zeek.svg",
      "path": "/package/zeek/5.0.0/img/zeek.svg",
      "title": "zeek",
      "size": "214x203",
      "type": "image/svg+xml"
    }
  ],
  "conditions": {
    "kibana": {
      "version": "^8.12.0 || ^9.0.0"
    }
  },
  "owner": {
    "type": "elastic",
    "github": "elastic/integration-experience"
  },
  "categories": [
    "network",
    "security"
  ],
  "signature_path": "/epr/zeek/zeek-5.0.0.zip.sig",
  "format_version": "3.0.3",
  "readme": "/package/zeek/5.0.0/docs/README.md",
  "license": "basic",
  "screenshots": [
    {
      "src": "/img/kibana-zeek.png",
      "path": "/package/zeek/5.0.0/img/kibana-zeek.png",
      "title": "kibana zeek",
      "size": "3530x2414",
      "type": "image/png"
    }
  ],
  "assets": [
    "/package/zeek/5.0.0/LICENSE.txt",
    "/package/zeek/5.0.0/changelog.yml",
    "/package/zeek/5.0.0/manifest.yml",
    "/package/zeek/5.0.0/validation.yml",
    "/package/zeek/5.0.0/docs/README.md",
    "/package/zeek/5.0.0/img/kibana-zeek.png",
    "/package/zeek/5.0.0/img/zeek.svg",
    "/package/zeek/5.0.0/kibana/tags.yml",
    "/package/zeek/5.0.0/data_stream/capture_loss/manifest.yml",
    "/package/zeek/5.0.0/data_stream/capture_loss/sample_event.json",
    "/package/zeek/5.0.0/data_stream/connection/manifest.yml",
    "/package/zeek/5.0.0/data_stream/connection/sample_event.json",
    "/package/zeek/5.0.0/data_stream/dce_rpc/manifest.yml",
    "/package/zeek/5.0.0/data_stream/dce_rpc/sample_event.json",
    "/package/zeek/5.0.0/data_stream/dhcp/manifest.yml",
    "/package/zeek/5.0.0/data_stream/dhcp/sample_event.json",
    "/package/zeek/5.0.0/data_stream/dnp3/manifest.yml",
    "/package/zeek/5.0.0/data_stream/dnp3/sample_event.json",
    "/package/zeek/5.0.0/data_stream/dns/manifest.yml",
    "/package/zeek/5.0.0/data_stream/dns/sample_event.json",
    "/package/zeek/5.0.0/data_stream/dpd/manifest.yml",
    "/package/zeek/5.0.0/data_stream/dpd/sample_event.json",
    "/package/zeek/5.0.0/data_stream/files/manifest.yml",
    "/package/zeek/5.0.0/data_stream/files/sample_event.json",
    "/package/zeek/5.0.0/data_stream/ftp/manifest.yml",
    "/package/zeek/5.0.0/data_stream/ftp/sample_event.json",
    "/package/zeek/5.0.0/data_stream/http/manifest.yml",
    "/package/zeek/5.0.0/data_stream/http/sample_event.json",
    "/package/zeek/5.0.0/data_stream/intel/manifest.yml",
    "/package/zeek/5.0.0/data_stream/intel/sample_event.json",
    "/package/zeek/5.0.0/data_stream/irc/manifest.yml",
    "/package/zeek/5.0.0/data_stream/irc/sample_event.json",
    "/package/zeek/5.0.0/data_stream/kerberos/manifest.yml",
    "/package/zeek/5.0.0/data_stream/kerberos/sample_event.json",
    "/package/zeek/5.0.0/data_stream/known_certs/manifest.yml",
    "/package/zeek/5.0.0/data_stream/known_certs/sample_event.json",
    "/package/zeek/5.0.0/data_stream/known_hosts/manifest.yml",
    "/package/zeek/5.0.0/data_stream/known_hosts/sample_event.json",
    "/package/zeek/5.0.0/data_stream/known_services/manifest.yml",
    "/package/zeek/5.0.0/data_stream/known_services/sample_event.json",
    "/package/zeek/5.0.0/data_stream/modbus/manifest.yml",
    "/package/zeek/5.0.0/data_stream/modbus/sample_event.json",
    "/package/zeek/5.0.0/data_stream/mysql/manifest.yml",
    "/package/zeek/5.0.0/data_stream/mysql/sample_event.json",
    "/package/zeek/5.0.0/data_stream/notice/manifest.yml",
    "/package/zeek/5.0.0/data_stream/notice/sample_event.json",
    "/package/zeek/5.0.0/data_stream/ntlm/manifest.yml",
    "/package/zeek/5.0.0/data_stream/ntlm/sample_event.json",
    "/package/zeek/5.0.0/data_stream/ntp/manifest.yml",
    "/package/zeek/5.0.0/data_stream/ntp/sample_event.json",
    "/package/zeek/5.0.0/data_stream/ocsp/manifest.yml",
    "/package/zeek/5.0.0/data_stream/ocsp/sample_event.json",
    "/package/zeek/5.0.0/data_stream/pe/manifest.yml",
    "/package/zeek/5.0.0/data_stream/pe/sample_event.json",
    "/package/zeek/5.0.0/data_stream/radius/manifest.yml",
    "/package/zeek/5.0.0/data_stream/radius/sample_event.json",
    "/package/zeek/5.0.0/data_stream/rdp/manifest.yml",
    "/package/zeek/5.0.0/data_stream/rdp/sample_event.json",
    "/package/zeek/5.0.0/data_stream/rfb/manifest.yml",
    "/package/zeek/5.0.0/data_stream/rfb/sample_event.json",
    "/package/zeek/5.0.0/data_stream/signature/manifest.yml",
    "/package/zeek/5.0.0/data_stream/signature/sample_event.json",
    "/package/zeek/5.0.0/data_stream/sip/manifest.yml",
    "/package/zeek/5.0.0/data_stream/sip/sample_event.json",
    "/package/zeek/5.0.0/data_stream/smb_cmd/manifest.yml",
    "/package/zeek/5.0.0/data_stream/smb_cmd/sample_event.json",
    "/package/zeek/5.0.0/data_stream/smb_files/manifest.yml",
    "/package/zeek/5.0.0/data_stream/smb_files/sample_event.json",
    "/package/zeek/5.0.0/data_stream/smb_mapping/manifest.yml",
    "/package/zeek/5.0.0/data_stream/smb_mapping/sample_event.json",
    "/package/zeek/5.0.0/data_stream/smtp/manifest.yml",
    "/package/zeek/5.0.0/data_stream/smtp/sample_event.json",
    "/package/zeek/5.0.0/data_stream/snmp/manifest.yml",
    "/package/zeek/5.0.0/data_stream/snmp/sample_event.json",
    "/package/zeek/5.0.0/data_stream/socks/manifest.yml",
    "/package/zeek/5.0.0/data_stream/socks/sample_event.json",
    "/package/zeek/5.0.0/data_stream/software/manifest.yml",
    "/package/zeek/5.0.0/data_stream/software/sample_event.json",
    "/package/zeek/5.0.0/data_stream/ssh/manifest.yml",
    "/package/zeek/5.0.0/data_stream/ssh/sample_event.json",
    "/package/zeek/5.0.0/data_stream/ssl/manifest.yml",
    "/package/zeek/5.0.0/data_stream/ssl/sample_event.json",
    "/package/zeek/5.0.0/data_stream/stats/manifest.yml",
    "/package/zeek/5.0.0/data_stream/stats/sample_event.json",
    "/package/zeek/5.0.0/data_stream/syslog/manifest.yml",
    "/package/zeek/5.0.0/data_stream/syslog/sample_event.json",
    "/package/zeek/5.0.0/data_stream/traceroute/manifest.yml",
    "/package/zeek/5.0.0/data_stream/traceroute/sample_event.json",
    "/package/zeek/5.0.0/data_stream/tunnel/manifest.yml",
    "/package/zeek/5.0.0/data_stream/tunnel/sample_event.json",
    "/package/zeek/5.0.0/data_stream/weird/manifest.yml",
    "/package/zeek/5.0.0/data_stream/weird/sample_event.json",
    "/package/zeek/5.0.0/data_stream/x509/manifest.yml",
    "/package/zeek/5.0.0/data_stream/x509/sample_event.json",
    "/package/zeek/5.0.0/docs/knowledge_base/service_info.md",
    "/package/zeek/5.0.0/kibana/dashboard/zeek-7cbb5410-3700-11e9-aa6d-ff445a78330c.json",
    "/package/zeek/5.0.0/data_stream/capture_loss/fields/agent.yml",
    "/package/zeek/5.0.0/data_stream/capture_loss/fields/base-fields.yml",
    "/package/zeek/5.0.0/data_stream/capture_loss/fields/beats.yml",
    "/package/zeek/5.0.0/data_stream/capture_loss/fields/ecs.yml",
    "/package/zeek/5.0.0/data_stream/capture_loss/fields/fields.yml",
    "/package/zeek/5.0.0/data_stream/capture_loss/fields/package-fields.yml",
    "/package/zeek/5.0.0/data_stream/connection/fields/agent.yml",
    "/package/zeek/5.0.0/data_stream/connection/fields/base-fields.yml",
    "/package/zeek/5.0.0/data_stream/connection/fields/beats.yml",
    "/package/zeek/5.0.0/data_stream/connection/fields/ecs.yml",
    "/package/zeek/5.0.0/data_stream/connection/fields/fields.yml",
    "/package/zeek/5.0.0/data_stream/connection/fields/package-fields.yml",
    "/package/zeek/5.0.0/data_stream/dce_rpc/fields/agent.yml",
    "/package/zeek/5.0.0/data_stream/dce_rpc/fields/base-fields.yml",
    "/package/zeek/5.0.0/data_stream/dce_rpc/fields/beats.yml",
    "/package/zeek/5.0.0/data_stream/dce_rpc/fields/ecs.yml",
    "/package/zeek/5.0.0/data_stream/dce_rpc/fields/fields.yml",
    "/package/zeek/5.0.0/data_stream/dce_rpc/fields/package-fields.yml",
    "/package/zeek/5.0.0/data_stream/dhcp/fields/agent.yml",
    "/package/zeek/5.0.0/data_stream/dhcp/fields/base-fields.yml",
    "/package/zeek/5.0.0/data_stream/dhcp/fields/beats.yml",
    "/package/zeek/5.0.0/data_stream/dhcp/fields/ecs.yml",
    "/package/zeek/5.0.0/data_stream/dhcp/fields/fields.yml",
    "/package/zeek/5.0.0/data_stream/dhcp/fields/package-fields.yml",
    "/package/zeek/5.0.0/data_stream/dnp3/fields/agent.yml",
    "/package/zeek/5.0.0/data_stream/dnp3/fields/base-fields.yml",
    "/package/zeek/5.0.0/data_stream/dnp3/fields/beats.yml",
    "/package/zeek/5.0.0/data_stream/dnp3/fields/ecs.yml",
    "/package/zeek/5.0.0/data_stream/dnp3/fields/fields.yml",
    "/package/zeek/5.0.0/data_stream/dnp3/fields/package-fields.yml",
    "/package/zeek/5.0.0/data_stream/dns/fields/agent.yml",
    "/package/zeek/5.0.0/data_stream/dns/fields/base-fields.yml",
    "/package/zeek/5.0.0/data_stream/dns/fields/beats.yml",
    "/package/zeek/5.0.0/data_stream/dns/fields/ecs.yml",
    "/package/zeek/5.0.0/data_stream/dns/fields/fields.yml",
    "/package/zeek/5.0.0/data_stream/dns/fields/package-fields.yml",
    "/package/zeek/5.0.0/data_stream/dpd/fields/agent.yml",
    "/package/zeek/5.0.0/data_stream/dpd/fields/base-fields.yml",
    "/package/zeek/5.0.0/data_stream/dpd/fields/beats.yml",
    "/package/zeek/5.0.0/data_stream/dpd/fields/ecs.yml",
    "/package/zeek/5.0.0/data_stream/dpd/fields/fields.yml",
    "/package/zeek/5.0.0/data_stream/dpd/fields/package-fields.yml",
    "/package/zeek/5.0.0/data_stream/files/fields/agent.yml",
    "/package/zeek/5.0.0/data_stream/files/fields/base-fields.yml",
    "/package/zeek/5.0.0/data_stream/files/fields/beats.yml",
    "/package/zeek/5.0.0/data_stream/files/fields/ecs.yml",
    "/package/zeek/5.0.0/data_stream/files/fields/fields.yml",
    "/package/zeek/5.0.0/data_stream/files/fields/package-fields.yml",
    "/package/zeek/5.0.0/data_stream/ftp/fields/agent.yml",
    "/package/zeek/5.0.0/data_stream/ftp/fields/base-fields.yml",
    "/package/zeek/5.0.0/data_stream/ftp/fields/beats.yml",
    "/package/zeek/5.0.0/data_stream/ftp/fields/ecs.yml",
    "/package/zeek/5.0.0/data_stream/ftp/fields/fields.yml",
    "/package/zeek/5.0.0/data_stream/ftp/fields/package-fields.yml",
    "/package/zeek/5.0.0/data_stream/http/fields/agent.yml",
    "/package/zeek/5.0.0/data_stream/http/fields/base-fields.yml",
    "/package/zeek/5.0.0/data_stream/http/fields/beats.yml",
    "/package/zeek/5.0.0/data_stream/http/fields/ecs.yml",
    "/package/zeek/5.0.0/data_stream/http/fields/fields.yml",
    "/package/zeek/5.0.0/data_stream/http/fields/package-fields.yml",
    "/package/zeek/5.0.0/data_stream/intel/fields/agent.yml",
    "/package/zeek/5.0.0/data_stream/intel/fields/base-fields.yml",
    "/package/zeek/5.0.0/data_stream/intel/fields/beats.yml",
    "/package/zeek/5.0.0/data_stream/intel/fields/ecs.yml",
    "/package/zeek/5.0.0/data_stream/intel/fields/fields.yml",
    "/package/zeek/5.0.0/data_stream/intel/fields/package-fields.yml",
    "/package/zeek/5.0.0/data_stream/irc/fields/agent.yml",
    "/package/zeek/5.0.0/data_stream/irc/fields/base-fields.yml",
    "/package/zeek/5.0.0/data_stream/irc/fields/beats.yml",
    "/package/zeek/5.0.0/data_stream/irc/fields/ecs.yml",
    "/package/zeek/5.0.0/data_stream/irc/fields/fields.yml",
    "/package/zeek/5.0.0/data_stream/irc/fields/package-fields.yml",
    "/package/zeek/5.0.0/data_stream/kerberos/fields/agent.yml",
    "/package/zeek/5.0.0/data_stream/kerberos/fields/base-fields.yml",
    "/package/zeek/5.0.0/data_stream/kerberos/fields/beats.yml",
    "/package/zeek/5.0.0/data_stream/kerberos/fields/ecs.yml",
    "/package/zeek/5.0.0/data_stream/kerberos/fields/fields.yml",
    "/package/zeek/5.0.0/data_stream/kerberos/fields/package-fields.yml",
    "/package/zeek/5.0.0/data_stream/known_certs/fields/agent.yml",
    "/package/zeek/5.0.0/data_stream/known_certs/fields/base-fields.yml",
    "/package/zeek/5.0.0/data_stream/known_certs/fields/beats.yml",
    "/package/zeek/5.0.0/data_stream/known_certs/fields/ecs.yml",
    "/package/zeek/5.0.0/data_stream/known_hosts/fields/agent.yml",
    "/package/zeek/5.0.0/data_stream/known_hosts/fields/base-fields.yml",
    "/package/zeek/5.0.0/data_stream/known_hosts/fields/beats.yml",
    "/package/zeek/5.0.0/data_stream/known_hosts/fields/ecs.yml",
    "/package/zeek/5.0.0/data_stream/known_services/fields/agent.yml",
    "/package/zeek/5.0.0/data_stream/known_services/fields/base-fields.yml",
    "/package/zeek/5.0.0/data_stream/known_services/fields/beats.yml",
    "/package/zeek/5.0.0/data_stream/known_services/fields/ecs.yml",
    "/package/zeek/5.0.0/data_stream/modbus/fields/agent.yml",
    "/package/zeek/5.0.0/data_stream/modbus/fields/base-fields.yml",
    "/package/zeek/5.0.0/data_stream/modbus/fields/beats.yml",
    "/package/zeek/5.0.0/data_stream/modbus/fields/ecs.yml",
    "/package/zeek/5.0.0/data_stream/modbus/fields/fields.yml",
    "/package/zeek/5.0.0/data_stream/modbus/fields/package-fields.yml",
    "/package/zeek/5.0.0/data_stream/mysql/fields/agent.yml",
    "/package/zeek/5.0.0/data_stream/mysql/fields/base-fields.yml",
    "/package/zeek/5.0.0/data_stream/mysql/fields/beats.yml",
    "/package/zeek/5.0.0/data_stream/mysql/fields/ecs.yml",
    "/package/zeek/5.0.0/data_stream/mysql/fields/fields.yml",
    "/package/zeek/5.0.0/data_stream/mysql/fields/package-fields.yml",
    "/package/zeek/5.0.0/data_stream/notice/fields/agent.yml",
    "/package/zeek/5.0.0/data_stream/notice/fields/base-fields.yml",
    "/package/zeek/5.0.0/data_stream/notice/fields/beats.yml",
    "/package/zeek/5.0.0/data_stream/notice/fields/ecs.yml",
    "/package/zeek/5.0.0/data_stream/notice/fields/fields.yml",
    "/package/zeek/5.0.0/data_stream/notice/fields/package-fields.yml",
    "/package/zeek/5.0.0/data_stream/ntlm/fields/agent.yml",
    "/package/zeek/5.0.0/data_stream/ntlm/fields/base-fields.yml",
    "/package/zeek/5.0.0/data_stream/ntlm/fields/beats.yml",
    "/package/zeek/5.0.0/data_stream/ntlm/fields/ecs.yml",
    "/package/zeek/5.0.0/data_stream/ntlm/fields/fields.yml",
    "/package/zeek/5.0.0/data_stream/ntlm/fields/package-fields.yml",
    "/package/zeek/5.0.0/data_stream/ntp/fields/agent.yml",
    "/package/zeek/5.0.0/data_stream/ntp/fields/base-fields.yml",
    "/package/zeek/5.0.0/data_stream/ntp/fields/beats.yml",
    "/package/zeek/5.0.0/data_stream/ntp/fields/ecs.yml",
    "/package/zeek/5.0.0/data_stream/ntp/fields/fields.yml",
    "/package/zeek/5.0.0/data_stream/ntp/fields/package-fields.yml",
    "/package/zeek/5.0.0/data_stream/ocsp/fields/agent.yml",
    "/package/zeek/5.0.0/data_stream/ocsp/fields/base-fields.yml",
    "/package/zeek/5.0.0/data_stream/ocsp/fields/beats.yml",
    "/package/zeek/5.0.0/data_stream/ocsp/fields/ecs.yml",
    "/package/zeek/5.0.0/data_stream/ocsp/fields/fields.yml",
    "/package/zeek/5.0.0/data_stream/ocsp/fields/package-fields.yml",
    "/package/zeek/5.0.0/data_stream/pe/fields/agent.yml",
    "/package/zeek/5.0.0/data_stream/pe/fields/base-fields.yml",
    "/package/zeek/5.0.0/data_stream/pe/fields/beats.yml",
    "/package/zeek/5.0.0/data_stream/pe/fields/ecs.yml",
    "/package/zeek/5.0.0/data_stream/pe/fields/fields.yml",
    "/package/zeek/5.0.0/data_stream/pe/fields/package-fields.yml",
    "/package/zeek/5.0.0/data_stream/radius/fields/agent.yml",
    "/package/zeek/5.0.0/data_stream/radius/fields/base-fields.yml",
    "/package/zeek/5.0.0/data_stream/radius/fields/beats.yml",
    "/package/zeek/5.0.0/data_stream/radius/fields/ecs.yml",
    "/package/zeek/5.0.0/data_stream/radius/fields/fields.yml",
    "/package/zeek/5.0.0/data_stream/radius/fields/package-fields.yml",
    "/package/zeek/5.0.0/data_stream/rdp/fields/agent.yml",
    "/package/zeek/5.0.0/data_stream/rdp/fields/base-fields.yml",
    "/package/zeek/5.0.0/data_stream/rdp/fields/beats.yml",
    "/package/zeek/5.0.0/data_stream/rdp/fields/ecs.yml",
    "/package/zeek/5.0.0/data_stream/rdp/fields/fields.yml",
    "/package/zeek/5.0.0/data_stream/rdp/fields/package-fields.yml",
    "/package/zeek/5.0.0/data_stream/rfb/fields/agent.yml",
    "/package/zeek/5.0.0/data_stream/rfb/fields/base-fields.yml",
    "/package/zeek/5.0.0/data_stream/rfb/fields/beats.yml",
    "/package/zeek/5.0.0/data_stream/rfb/fields/ecs.yml",
    "/package/zeek/5.0.0/data_stream/rfb/fields/fields.yml",
    "/package/zeek/5.0.0/data_stream/rfb/fields/package-fields.yml",
    "/package/zeek/5.0.0/data_stream/signature/fields/agent.yml",
    "/package/zeek/5.0.0/data_stream/signature/fields/base-fields.yml",
    "/package/zeek/5.0.0/data_stream/signature/fields/beats.yml",
    "/package/zeek/5.0.0/data_stream/signature/fields/ecs.yml",
    "/package/zeek/5.0.0/data_stream/signature/fields/fields.yml",
    "/package/zeek/5.0.0/data_stream/signature/fields/package-fields.yml",
    "/package/zeek/5.0.0/data_stream/sip/fields/agent.yml",
    "/package/zeek/5.0.0/data_stream/sip/fields/base-fields.yml",
    "/package/zeek/5.0.0/data_stream/sip/fields/beats.yml",
    "/package/zeek/5.0.0/data_stream/sip/fields/ecs.yml",
    "/package/zeek/5.0.0/data_stream/sip/fields/fields.yml",
    "/package/zeek/5.0.0/data_stream/sip/fields/package-fields.yml",
    "/package/zeek/5.0.0/data_stream/smb_cmd/fields/agent.yml",
    "/package/zeek/5.0.0/data_stream/smb_cmd/fields/base-fields.yml",
    "/package/zeek/5.0.0/data_stream/smb_cmd/fields/beats.yml",
    "/package/zeek/5.0.0/data_stream/smb_cmd/fields/ecs.yml",
    "/package/zeek/5.0.0/data_stream/smb_cmd/fields/fields.yml",
    "/package/zeek/5.0.0/data_stream/smb_cmd/fields/package-fields.yml",
    "/package/zeek/5.0.0/data_stream/smb_files/fields/agent.yml",
    "/package/zeek/5.0.0/data_stream/smb_files/fields/base-fields.yml",
    "/package/zeek/5.0.0/data_stream/smb_files/fields/beats.yml",
    "/package/zeek/5.0.0/data_stream/smb_files/fields/ecs.yml",
    "/package/zeek/5.0.0/data_stream/smb_files/fields/fields.yml",
    "/package/zeek/5.0.0/data_stream/smb_files/fields/package-fields.yml",
    "/package/zeek/5.0.0/data_stream/smb_mapping/fields/agent.yml",
    "/package/zeek/5.0.0/data_stream/smb_mapping/fields/base-fields.yml",
    "/package/zeek/5.0.0/data_stream/smb_mapping/fields/beats.yml",
    "/package/zeek/5.0.0/data_stream/smb_mapping/fields/ecs.yml",
    "/package/zeek/5.0.0/data_stream/smb_mapping/fields/fields.yml",
    "/package/zeek/5.0.0/data_stream/smb_mapping/fields/package-fields.yml",
    "/package/zeek/5.0.0/data_stream/smtp/fields/agent.yml",
    "/package/zeek/5.0.0/data_stream/smtp/fields/base-fields.yml",
    "/package/zeek/5.0.0/data_stream/smtp/fields/beats.yml",
    "/package/zeek/5.0.0/data_stream/smtp/fields/ecs.yml",
    "/package/zeek/5.0.0/data_stream/smtp/fields/fields.yml",
    "/package/zeek/5.0.0/data_stream/smtp/fields/package-fields.yml",
    "/package/zeek/5.0.0/data_stream/snmp/fields/agent.yml",
    "/package/zeek/5.0.0/data_stream/snmp/fields/base-fields.yml",
    "/package/zeek/5.0.0/data_stream/snmp/fields/beats.yml",
    "/package/zeek/5.0.0/data_stream/snmp/fields/ecs.yml",
    "/package/zeek/5.0.0/data_stream/snmp/fields/fields.yml",
    "/package/zeek/5.0.0/data_stream/snmp/fields/package-fields.yml",
    "/package/zeek/5.0.0/data_stream/socks/fields/agent.yml",
    "/package/zeek/5.0.0/data_stream/socks/fields/base-fields.yml",
    "/package/zeek/5.0.0/data_stream/socks/fields/beats.yml",
    "/package/zeek/5.0.0/data_stream/socks/fields/ecs.yml",
    "/package/zeek/5.0.0/data_stream/socks/fields/fields.yml",
    "/package/zeek/5.0.0/data_stream/socks/fields/package-fields.yml",
    "/package/zeek/5.0.0/data_stream/software/fields/agent.yml",
    "/package/zeek/5.0.0/data_stream/software/fields/base-fields.yml",
    "/package/zeek/5.0.0/data_stream/software/fields/beats.yml",
    "/package/zeek/5.0.0/data_stream/software/fields/ecs.yml",
    "/package/zeek/5.0.0/data_stream/software/fields/fields.yml",
    "/package/zeek/5.0.0/data_stream/ssh/fields/agent.yml",
    "/package/zeek/5.0.0/data_stream/ssh/fields/base-fields.yml",
    "/package/zeek/5.0.0/data_stream/ssh/fields/beats.yml",
    "/package/zeek/5.0.0/data_stream/ssh/fields/ecs.yml",
    "/package/zeek/5.0.0/data_stream/ssh/fields/fields.yml",
    "/package/zeek/5.0.0/data_stream/ssh/fields/package-fields.yml",
    "/package/zeek/5.0.0/data_stream/ssl/fields/agent.yml",
    "/package/zeek/5.0.0/data_stream/ssl/fields/base-fields.yml",
    "/package/zeek/5.0.0/data_stream/ssl/fields/beats.yml",
    "/package/zeek/5.0.0/data_stream/ssl/fields/ecs.yml",
    "/package/zeek/5.0.0/data_stream/ssl/fields/fields.yml",
    "/package/zeek/5.0.0/data_stream/ssl/fields/package-fields.yml",
    "/package/zeek/5.0.0/data_stream/stats/fields/agent.yml",
    "/package/zeek/5.0.0/data_stream/stats/fields/base-fields.yml",
    "/package/zeek/5.0.0/data_stream/stats/fields/beats.yml",
    "/package/zeek/5.0.0/data_stream/stats/fields/ecs.yml",
    "/package/zeek/5.0.0/data_stream/stats/fields/fields.yml",
    "/package/zeek/5.0.0/data_stream/stats/fields/package-fields.yml",
    "/package/zeek/5.0.0/data_stream/syslog/fields/agent.yml",
    "/package/zeek/5.0.0/data_stream/syslog/fields/base-fields.yml",
    "/package/zeek/5.0.0/data_stream/syslog/fields/beats.yml",
    "/package/zeek/5.0.0/data_stream/syslog/fields/ecs.yml",
    "/package/zeek/5.0.0/data_stream/syslog/fields/fields.yml",
    "/package/zeek/5.0.0/data_stream/syslog/fields/package-fields.yml",
    "/package/zeek/5.0.0/data_stream/traceroute/fields/agent.yml",
    "/package/zeek/5.0.0/data_stream/traceroute/fields/base-fields.yml",
    "/package/zeek/5.0.0/data_stream/traceroute/fields/beats.yml",
    "/package/zeek/5.0.0/data_stream/traceroute/fields/ecs.yml",
    "/package/zeek/5.0.0/data_stream/traceroute/fields/package-fields.yml",
    "/package/zeek/5.0.0/data_stream/tunnel/fields/agent.yml",
    "/package/zeek/5.0.0/data_stream/tunnel/fields/base-fields.yml",
    "/package/zeek/5.0.0/data_stream/tunnel/fields/beats.yml",
    "/package/zeek/5.0.0/data_stream/tunnel/fields/ecs.yml",
    "/package/zeek/5.0.0/data_stream/tunnel/fields/fields.yml",
    "/package/zeek/5.0.0/data_stream/tunnel/fields/package-fields.yml",
    "/package/zeek/5.0.0/data_stream/weird/fields/agent.yml",
    "/package/zeek/5.0.0/data_stream/weird/fields/base-fields.yml",
    "/package/zeek/5.0.0/data_stream/weird/fields/beats.yml",
    "/package/zeek/5.0.0/data_stream/weird/fields/ecs.yml",
    "/package/zeek/5.0.0/data_stream/weird/fields/fields.yml",
    "/package/zeek/5.0.0/data_stream/weird/fields/package-fields.yml",
    "/package/zeek/5.0.0/data_stream/x509/fields/agent.yml",
    "/package/zeek/5.0.0/data_stream/x509/fields/base-fields.yml",
    "/package/zeek/5.0.0/data_stream/x509/fields/beats.yml",
    "/package/zeek/5.0.0/data_stream/x509/fields/ecs.yml",
    "/package/zeek/5.0.0/data_stream/x509/fields/fields.yml",
    "/package/zeek/5.0.0/data_stream/x509/fields/package-fields.yml",
    "/package/zeek/5.0.0/data_stream/capture_loss/agent/stream/log.yml.hbs",
    "/package/zeek/5.0.0/data_stream/capture_loss/elasticsearch/ingest_pipeline/default.yml",
    "/package/zeek/5.0.0/data_stream/connection/agent/stream/log.yml.hbs",
    "/package/zeek/5.0.0/data_stream/connection/elasticsearch/ingest_pipeline/default.yml",
    "/package/zeek/5.0.0/data_stream/dce_rpc/agent/stream/log.yml.hbs",
    "/package/zeek/5.0.0/data_stream/dce_rpc/elasticsearch/ingest_pipeline/default.yml",
    "/package/zeek/5.0.0/data_stream/dhcp/agent/stream/log.yml.hbs",
    "/package/zeek/5.0.0/data_stream/dhcp/elasticsearch/ingest_pipeline/default.yml",
    "/package/zeek/5.0.0/data_stream/dnp3/agent/stream/log.yml.hbs",
    "/package/zeek/5.0.0/data_stream/dnp3/elasticsearch/ingest_pipeline/default.yml",
    "/package/zeek/5.0.0/data_stream/dns/agent/stream/log.yml.hbs",
    "/package/zeek/5.0.0/data_stream/dns/elasticsearch/ingest_pipeline/default.yml",
    "/package/zeek/5.0.0/data_stream/dpd/agent/stream/log.yml.hbs",
    "/package/zeek/5.0.0/data_stream/dpd/elasticsearch/ingest_pipeline/default.yml",
    "/package/zeek/5.0.0/data_stream/files/agent/stream/log.yml.hbs",
    "/package/zeek/5.0.0/data_stream/files/elasticsearch/ingest_pipeline/default.yml",
    "/package/zeek/5.0.0/data_stream/ftp/agent/stream/log.yml.hbs",
    "/package/zeek/5.0.0/data_stream/ftp/elasticsearch/ingest_pipeline/default.yml",
    "/package/zeek/5.0.0/data_stream/http/agent/stream/log.yml.hbs",
    "/package/zeek/5.0.0/data_stream/http/elasticsearch/ingest_pipeline/default.yml",
    "/package/zeek/5.0.0/data_stream/intel/agent/stream/log.yml.hbs",
    "/package/zeek/5.0.0/data_stream/intel/elasticsearch/ingest_pipeline/default.yml",
    "/package/zeek/5.0.0/data_stream/irc/agent/stream/log.yml.hbs",
    "/package/zeek/5.0.0/data_stream/irc/elasticsearch/ingest_pipeline/default.yml",
    "/package/zeek/5.0.0/data_stream/kerberos/agent/stream/log.yml.hbs",
    "/package/zeek/5.0.0/data_stream/kerberos/elasticsearch/ingest_pipeline/default.yml",
    "/package/zeek/5.0.0/data_stream/known_certs/agent/stream/log.yml.hbs",
    "/package/zeek/5.0.0/data_stream/known_certs/elasticsearch/ingest_pipeline/default.yml",
    "/package/zeek/5.0.0/data_stream/known_hosts/agent/stream/log.yml.hbs",
    "/package/zeek/5.0.0/data_stream/known_hosts/elasticsearch/ingest_pipeline/default.yml",
    "/package/zeek/5.0.0/data_stream/known_services/agent/stream/log.yml.hbs",
    "/package/zeek/5.0.0/data_stream/known_services/elasticsearch/ingest_pipeline/default.yml",
    "/package/zeek/5.0.0/data_stream/modbus/agent/stream/log.yml.hbs",
    "/package/zeek/5.0.0/data_stream/modbus/elasticsearch/ingest_pipeline/default.yml",
    "/package/zeek/5.0.0/data_stream/mysql/agent/stream/log.yml.hbs",
    "/package/zeek/5.0.0/data_stream/mysql/elasticsearch/ingest_pipeline/default.yml",
    "/package/zeek/5.0.0/data_stream/notice/agent/stream/log.yml.hbs",
    "/package/zeek/5.0.0/data_stream/notice/elasticsearch/ingest_pipeline/default.yml",
    "/package/zeek/5.0.0/data_stream/ntlm/agent/stream/log.yml.hbs",
    "/package/zeek/5.0.0/data_stream/ntlm/elasticsearch/ingest_pipeline/default.yml",
    "/package/zeek/5.0.0/data_stream/ntp/agent/stream/log.yml.hbs",
    "/package/zeek/5.0.0/data_stream/ntp/elasticsearch/ingest_pipeline/default.yml",
    "/package/zeek/5.0.0/data_stream/ocsp/agent/stream/log.yml.hbs",
    "/package/zeek/5.0.0/data_stream/ocsp/elasticsearch/ingest_pipeline/default.yml",
    "/package/zeek/5.0.0/data_stream/pe/agent/stream/log.yml.hbs",
    "/package/zeek/5.0.0/data_stream/pe/elasticsearch/ingest_pipeline/default.yml",
    "/package/zeek/5.0.0/data_stream/radius/agent/stream/log.yml.hbs",
    "/package/zeek/5.0.0/data_stream/radius/elasticsearch/ingest_pipeline/default.yml",
    "/package/zeek/5.0.0/data_stream/rdp/agent/stream/log.yml.hbs",
    "/package/zeek/5.0.0/data_stream/rdp/elasticsearch/ingest_pipeline/default.yml",
    "/package/zeek/5.0.0/data_stream/rfb/agent/stream/log.yml.hbs",
    "/package/zeek/5.0.0/data_stream/rfb/elasticsearch/ingest_pipeline/default.yml",
    "/package/zeek/5.0.0/data_stream/signature/agent/stream/log.yml.hbs",
    "/package/zeek/5.0.0/data_stream/signature/elasticsearch/ingest_pipeline/default.yml",
    "/package/zeek/5.0.0/data_stream/sip/agent/stream/log.yml.hbs",
    "/package/zeek/5.0.0/data_stream/sip/elasticsearch/ingest_pipeline/default.yml",
    "/package/zeek/5.0.0/data_stream/smb_cmd/agent/stream/log.yml.hbs",
    "/package/zeek/5.0.0/data_stream/smb_cmd/elasticsearch/ingest_pipeline/default.yml",
    "/package/zeek/5.0.0/data_stream/smb_files/agent/stream/log.yml.hbs",
    "/package/zeek/5.0.0/data_stream/smb_files/elasticsearch/ingest_pipeline/default.yml",
    "/package/zeek/5.0.0/data_stream/smb_mapping/agent/stream/log.yml.hbs",
    "/package/zeek/5.0.0/data_stream/smb_mapping/elasticsearch/ingest_pipeline/default.yml",
    "/package/zeek/5.0.0/data_stream/smtp/agent/stream/log.yml.hbs",
    "/package/zeek/5.0.0/data_stream/smtp/elasticsearch/ingest_pipeline/default.yml",
    "/package/zeek/5.0.0/data_stream/snmp/agent/stream/log.yml.hbs",
    "/package/zeek/5.0.0/data_stream/snmp/elasticsearch/ingest_pipeline/default.yml",
    "/package/zeek/5.0.0/data_stream/socks/agent/stream/log.yml.hbs",
    "/package/zeek/5.0.0/data_stream/socks/elasticsearch/ingest_pipeline/default.yml",
    "/package/zeek/5.0.0/data_stream/software/agent/stream/log.yml.hbs",
    "/package/zeek/5.0.0/data_stream/software/elasticsearch/ingest_pipeline/default.yml",
    "/package/zeek/5.0.0/data_stream/ssh/agent/stream/log.yml.hbs",
    "/package/zeek/5.0.0/data_stream/ssh/elasticsearch/ingest_pipeline/default.yml",
    "/package/zeek/5.0.0/data_stream/ssl/agent/stream/log.yml.hbs",
    "/package/zeek/5.0.0/data_stream/ssl/elasticsearch/ingest_pipeline/default.yml",
    "/package/zeek/5.0.0/data_stream/stats/agent/stream/log.yml.hbs",
    "/package/zeek/5.0.0/data_stream/stats/elasticsearch/ingest_pipeline/default.yml",
    "/package/zeek/5.0.0/data_stream/syslog/agent/stream/log.yml.hbs",
    "/package/zeek/5.0.0/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml",
    "/package/zeek/5.0.0/data_stream/traceroute/agent/stream/log.yml.hbs",
    "/package/zeek/5.0.0/data_stream/traceroute/elasticsearch/ingest_pipeline/default.yml",
    "/package/zeek/5.0.0/data_stream/tunnel/agent/stream/log.yml.hbs",
    "/package/zeek/5.0.0/data_stream/tunnel/elasticsearch/ingest_pipeline/default.yml",
    "/package/zeek/5.0.0/data_stream/weird/agent/stream/log.yml.hbs",
    "/package/zeek/5.0.0/data_stream/weird/elasticsearch/ingest_pipeline/default.yml",
    "/package/zeek/5.0.0/data_stream/x509/agent/stream/log.yml.hbs",
    "/package/zeek/5.0.0/data_stream/x509/elasticsearch/ingest_pipeline/default.yml"
  ],
  "policy_templates": [
    {
      "name": "zeek",
      "title": "Zeek logs",
      "description": "Collect logs from Zeek instances",
      "inputs": [
        {
          "type": "logfile",
          "vars": [
            {
              "name": "base_paths",
              "type": "text",
              "title": "Base Path",
              "description": "Base paths to Zeek log files (e.g. /var/log/bro/current)",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "/var/log/bro/current",
                "/opt/zeek/logs/current",
                "/usr/local/var/spool/zeek"
              ]
            }
          ],
          "title": "Collect Zeek logs",
          "description": "Collects logs from Zeek instances. Supported logs include: capture_loss, connection, dce_rpc, dhcp, dnp3, dns, dpd, files, ftp, http, intel, irc, kerberos, modbus, mysql, notice, ntlm, ntp, ocsp, pe, radius, rdp, rfb, signature, sip, smb_cmd, smb_files, smb_mapping, smtp, snmp, socks, ssh, ssl, stats, syslog, traceroute, tunnel, weird and x509"
        }
      ],
      "multiple": true
    }
  ],
  "data_streams": [
    {
      "type": "logs",
      "dataset": "zeek.capture_loss",
      "title": "Zeek capture_loss logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "logfile",
          "vars": [
            {
              "name": "filenames",
              "type": "text",
              "title": "Filename of capture loss log file",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "capture_loss.log"
              ]
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "zeek-capture-loss"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Zeek capture_loss.log",
          "description": "Collect Zeek capture_loss logs",
          "enabled": true,
          "ingestion_method": "File"
        }
      ],
      "package": "zeek",
      "path": "capture_loss"
    },
    {
      "type": "logs",
      "dataset": "zeek.connection",
      "title": "Zeek connection logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "logfile",
          "vars": [
            {
              "name": "filenames",
              "type": "text",
              "title": "Filename of connection log",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "conn.log"
              ]
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "zeek-connection"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Zeek conn.log",
          "description": "Collect Zeek connection logs",
          "enabled": true,
          "ingestion_method": "File"
        }
      ],
      "package": "zeek",
      "path": "connection"
    },
    {
      "type": "logs",
      "dataset": "zeek.dce_rpc",
      "title": "Zeek dce_rpc logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "logfile",
          "vars": [
            {
              "name": "filenames",
              "type": "text",
              "title": "Filename of dce_rpc log file",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "dce_rpc.log"
              ]
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "zeek-dce-rpc"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Zeek dce_rpc.log",
          "description": "Collect Zeek dce_rpc logs",
          "enabled": true,
          "ingestion_method": "File"
        }
      ],
      "package": "zeek",
      "path": "dce_rpc"
    },
    {
      "type": "logs",
      "dataset": "zeek.dhcp",
      "title": "Zeek dhcp logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "logfile",
          "vars": [
            {
              "name": "filenames",
              "type": "text",
              "title": "Filename of dhcp log file",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "dhcp.log"
              ]
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "zeek-dhcp"
              ]
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Zeek dhcp.log",
          "description": "Collect Zeek dhcp logs",
          "enabled": true,
          "ingestion_method": "File"
        }
      ],
      "package": "zeek",
      "path": "dhcp"
    },
    {
      "type": "logs",
      "dataset": "zeek.dnp3",
      "title": "Zeek dnp3 logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "logfile",
          "vars": [
            {
              "name": "filenames",
              "type": "text",
              "title": "Filename of dnp3 log file",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "dnp3.log"
              ]
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "zeek-dnp3"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Zeek dnp3.log",
          "description": "Collect Zeek dnp3 logs",
          "enabled": true,
          "ingestion_method": "File"
        }
      ],
      "package": "zeek",
      "path": "dnp3"
    },
    {
      "type": "logs",
      "dataset": "zeek.dns",
      "title": "Zeek dns logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "logfile",
          "vars": [
            {
              "name": "filenames",
              "type": "text",
              "title": "Filename of dns log file",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "dns.log"
              ]
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "zeek-dns"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Zeek dns.log",
          "description": "Collect Zeek dns logs",
          "enabled": true,
          "ingestion_method": "File"
        }
      ],
      "package": "zeek",
      "path": "dns"
    },
    {
      "type": "logs",
      "dataset": "zeek.dpd",
      "title": "Zeek dpd logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "logfile",
          "vars": [
            {
              "name": "filenames",
              "type": "text",
              "title": "Filename of the dpd log file",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "dpd.log"
              ]
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "zeek-dpd"
              ]
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Zeek dpd.log",
          "description": "Collect Zeek dpd logs",
          "enabled": true,
          "ingestion_method": "File"
        }
      ],
      "package": "zeek",
      "path": "dpd"
    },
    {
      "type": "logs",
      "dataset": "zeek.files",
      "title": "Zeek files logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "logfile",
          "vars": [
            {
              "name": "filenames",
              "type": "text",
              "title": "Filename of the files log file",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "files.log"
              ]
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "zeek-files"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Zeek files.log",
          "description": "Collect Zeek files logs",
          "enabled": true,
          "ingestion_method": "File"
        }
      ],
      "package": "zeek",
      "path": "files"
    },
    {
      "type": "logs",
      "dataset": "zeek.ftp",
      "title": "Zeek ftp logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "logfile",
          "vars": [
            {
              "name": "filenames",
              "type": "text",
              "title": "Filename of ftp log file",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "ftp.log"
              ]
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "zeek-ftp"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Zeek ftp.log",
          "description": "Collect Zeek ftp logs",
          "enabled": true,
          "ingestion_method": "File"
        }
      ],
      "package": "zeek",
      "path": "ftp"
    },
    {
      "type": "logs",
      "dataset": "zeek.http",
      "title": "Zeek http logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "logfile",
          "vars": [
            {
              "name": "filenames",
              "type": "text",
              "title": "Filename of http log file",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "http.log"
              ]
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "zeek-http"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Zeek http.log",
          "description": "Collect Zeek http logs",
          "enabled": true,
          "ingestion_method": "File"
        }
      ],
      "package": "zeek",
      "path": "http"
    },
    {
      "type": "logs",
      "dataset": "zeek.intel",
      "title": "Zeek intel logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "logfile",
          "vars": [
            {
              "name": "filenames",
              "type": "text",
              "title": "Filename of intel log file",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "intel.log"
              ]
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "zeek-intel"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Zeek intel.log",
          "description": "Collect Zeek intel logs",
          "enabled": true,
          "ingestion_method": "File"
        }
      ],
      "package": "zeek",
      "path": "intel"
    },
    {
      "type": "logs",
      "dataset": "zeek.irc",
      "title": "Zeek irc logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "logfile",
          "vars": [
            {
              "name": "filenames",
              "type": "text",
              "title": "Filename of irc log file",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "irc.log"
              ]
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "zeek-irc"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Zeek irc.log",
          "description": "Collect Zeek irc logs",
          "enabled": true,
          "ingestion_method": "File"
        }
      ],
      "package": "zeek",
      "path": "irc"
    },
    {
      "type": "logs",
      "dataset": "zeek.kerberos",
      "title": "Zeek kerberos logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "logfile",
          "vars": [
            {
              "name": "filenames",
              "type": "text",
              "title": "Filename of kerberos log file",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "kerberos.log"
              ]
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "zeek-kerberos"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Zeek kerberos.log",
          "description": "Collect Zeek kerberos logs",
          "enabled": true,
          "ingestion_method": "File"
        }
      ],
      "package": "zeek",
      "path": "kerberos"
    },
    {
      "type": "logs",
      "dataset": "zeek.known_certs",
      "title": "Zeek Known Certs logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "logfile",
          "vars": [
            {
              "name": "filenames",
              "type": "text",
              "title": "Filename of Known Certs log",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "known_certs.log"
              ]
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "zeek-known_certs"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Zeek known_certs.log",
          "description": "Collect Zeek Known Certs logs",
          "enabled": true,
          "ingestion_method": "File"
        }
      ],
      "package": "zeek",
      "path": "known_certs"
    },
    {
      "type": "logs",
      "dataset": "zeek.known_hosts",
      "title": "Zeek Known Hosts logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "logfile",
          "vars": [
            {
              "name": "filenames",
              "type": "text",
              "title": "Filename of Known Hosts log",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "known_hosts.log"
              ]
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "zeek-known_hosts"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Zeek known_hosts.log",
          "description": "Collect Zeek Known Hosts logs",
          "enabled": true,
          "ingestion_method": "File"
        }
      ],
      "package": "zeek",
      "path": "known_hosts"
    },
    {
      "type": "logs",
      "dataset": "zeek.known_services",
      "title": "Zeek Known Services logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "logfile",
          "vars": [
            {
              "name": "filenames",
              "type": "text",
              "title": "Filename of Known Services log",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "known_services.log"
              ]
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "zeek-known_services"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Zeek known_services.log",
          "description": "Collect Zeek Known Services logs",
          "enabled": true,
          "ingestion_method": "File"
        }
      ],
      "package": "zeek",
      "path": "known_services"
    },
    {
      "type": "logs",
      "dataset": "zeek.modbus",
      "title": "Zeek modbus logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "logfile",
          "vars": [
            {
              "name": "filenames",
              "type": "text",
              "title": "Filename of modbus log file",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "modbus.log"
              ]
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "zeek-modbus"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Zeek modbus.log",
          "description": "Collect Zeek modbus logs",
          "enabled": true,
          "ingestion_method": "File"
        }
      ],
      "package": "zeek",
      "path": "modbus"
    },
    {
      "type": "logs",
      "dataset": "zeek.mysql",
      "title": "Zeek mysql logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "logfile",
          "vars": [
            {
              "name": "filenames",
              "type": "text",
              "title": "Filename of mysql log file",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "mysql.log"
              ]
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "zeek-mysql"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Zeek mysql.log",
          "description": "Collect Zeek mysql logs",
          "enabled": true,
          "ingestion_method": "File"
        }
      ],
      "package": "zeek",
      "path": "mysql"
    },
    {
      "type": "logs",
      "dataset": "zeek.notice",
      "title": "Zeek notice logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "logfile",
          "vars": [
            {
              "name": "filenames",
              "type": "text",
              "title": "Filename of notice log file",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "notice.log"
              ]
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "zeek-notice"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Zeek notice.log",
          "description": "Collect Zeek notice logs",
          "enabled": true,
          "ingestion_method": "File"
        }
      ],
      "package": "zeek",
      "path": "notice"
    },
    {
      "type": "logs",
      "dataset": "zeek.ntlm",
      "title": "Zeek ntlm logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "logfile",
          "vars": [
            {
              "name": "filenames",
              "type": "text",
              "title": "Filename of ntlm log file",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "ntlm.log"
              ]
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "zeek-ntlm"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Zeek ntlm.log",
          "description": "Collect Zeek ntlm logs",
          "enabled": true,
          "ingestion_method": "File"
        }
      ],
      "package": "zeek",
      "path": "ntlm"
    },
    {
      "type": "logs",
      "dataset": "zeek.ntp",
      "title": "Zeek ntp logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "logfile",
          "vars": [
            {
              "name": "filenames",
              "type": "text",
              "title": "Filename of ntp log",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "ntp.log"
              ]
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "zeek-ntp"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Zeek ntp.log",
          "description": "Collect Zeek ntp logs",
          "enabled": true,
          "ingestion_method": "File"
        }
      ],
      "package": "zeek",
      "path": "ntp"
    },
    {
      "type": "logs",
      "dataset": "zeek.ocsp",
      "title": "Zeek ocsp logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "logfile",
          "vars": [
            {
              "name": "filenames",
              "type": "text",
              "title": "Filename of ocsp log file",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "ocsp.log"
              ]
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "zeek-ocsp"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Zeek ocsp.log",
          "description": "Collect Zeek ocsp logs",
          "enabled": true,
          "ingestion_method": "File"
        }
      ],
      "package": "zeek",
      "path": "ocsp"
    },
    {
      "type": "logs",
      "dataset": "zeek.pe",
      "title": "Zeek pe logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "logfile",
          "vars": [
            {
              "name": "filenames",
              "type": "text",
              "title": "Filename of pe log file",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "pe.log"
              ]
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "zeek-pe"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Zeek pe.log",
          "description": "Collect Zeek pe logs",
          "enabled": true,
          "ingestion_method": "File"
        }
      ],
      "package": "zeek",
      "path": "pe"
    },
    {
      "type": "logs",
      "dataset": "zeek.radius",
      "title": "Zeek radius logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "logfile",
          "vars": [
            {
              "name": "filenames",
              "type": "text",
              "title": "Filename of radius log file",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "radius.log"
              ]
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "zeek-radius"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Zeek radius.log",
          "description": "Collect Zeek radius logs",
          "enabled": true,
          "ingestion_method": "File"
        }
      ],
      "package": "zeek",
      "path": "radius"
    },
    {
      "type": "logs",
      "dataset": "zeek.rdp",
      "title": "Zeek rdp logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "logfile",
          "vars": [
            {
              "name": "filenames",
              "type": "text",
              "title": "Filename of rdp log file",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "rdp.log"
              ]
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "zeek-rdp"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Zeek rdp.log",
          "description": "Collect Zeek rdp logs",
          "enabled": true,
          "ingestion_method": "File"
        }
      ],
      "package": "zeek",
      "path": "rdp"
    },
    {
      "type": "logs",
      "dataset": "zeek.rfb",
      "title": "Zeek rfb logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "logfile",
          "vars": [
            {
              "name": "filenames",
              "type": "text",
              "title": "Filename of rfb log file",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "rfb.log"
              ]
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "zeek-rfb"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Zeek rfb.log",
          "description": "Collect Zeek rfb logs",
          "enabled": true,
          "ingestion_method": "File"
        }
      ],
      "package": "zeek",
      "path": "rfb"
    },
    {
      "type": "logs",
      "dataset": "zeek.signature",
      "title": "Zeek signature logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "logfile",
          "vars": [
            {
              "name": "filenames",
              "type": "text",
              "title": "Filename of signature log",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "signature.log"
              ]
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "zeek-signature"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Zeek signature.log",
          "description": "Collect Zeek signature logs",
          "enabled": true,
          "ingestion_method": "File"
        }
      ],
      "package": "zeek",
      "path": "signature"
    },
    {
      "type": "logs",
      "dataset": "zeek.sip",
      "title": "Zeek sip logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "logfile",
          "vars": [
            {
              "name": "filenames",
              "type": "text",
              "title": "Filename of sip log file",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "sip.log"
              ]
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "zeek-sip"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Zeek sip.log",
          "description": "Collect Zeek sip logs",
          "enabled": true,
          "ingestion_method": "File"
        }
      ],
      "package": "zeek",
      "path": "sip"
    },
    {
      "type": "logs",
      "dataset": "zeek.smb_cmd",
      "title": "Zeek smb_cmd logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "logfile",
          "vars": [
            {
              "name": "filenames",
              "type": "text",
              "title": "Filename of smb_cmd log file",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "smb_cmd.log"
              ]
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "zeek-smb-cmd"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Zeek smb_cmd.log",
          "description": "Collect Zeek smb_cmd logs",
          "enabled": true,
          "ingestion_method": "File"
        }
      ],
      "package": "zeek",
      "path": "smb_cmd"
    },
    {
      "type": "logs",
      "dataset": "zeek.smb_files",
      "title": "Zeek smb_files logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "logfile",
          "vars": [
            {
              "name": "filenames",
              "type": "text",
              "title": "Filename of smb_files log file",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "smb_files.log"
              ]
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "zeek-smb-files"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Zeek smb_files.log",
          "description": "Collect Zeek smb_files logs",
          "enabled": true,
          "ingestion_method": "File"
        }
      ],
      "package": "zeek",
      "path": "smb_files"
    },
    {
      "type": "logs",
      "dataset": "zeek.smb_mapping",
      "title": "Zeek smb_mapping logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "logfile",
          "vars": [
            {
              "name": "filenames",
              "type": "text",
              "title": "Filename of smb_mapping log file",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "smb_mapping.log"
              ]
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "forwarded",
                "zeek.smb_mapping"
              ]
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Zeek smb_mapping.log",
          "description": "Collect Zeek smb_mapping logs",
          "enabled": true,
          "ingestion_method": "File"
        }
      ],
      "package": "zeek",
      "path": "smb_mapping"
    },
    {
      "type": "logs",
      "dataset": "zeek.smtp",
      "title": "Zeek smtp logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "logfile",
          "vars": [
            {
              "name": "filenames",
              "type": "text",
              "title": "Filename of smtp log file",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "smtp.log"
              ]
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "zeek-smtp"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Zeek smtp.log",
          "description": "Collect Zeek smtp logs",
          "enabled": true,
          "ingestion_method": "File"
        }
      ],
      "package": "zeek",
      "path": "smtp"
    },
    {
      "type": "logs",
      "dataset": "zeek.snmp",
      "title": "Zeek snmp logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "logfile",
          "vars": [
            {
              "name": "filenames",
              "type": "text",
              "title": "Filename of snmp log file",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "snmp.log"
              ]
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "zeek-snmp"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Zeek snmp.log",
          "description": "Collect Zeek snmp logs",
          "enabled": true,
          "ingestion_method": "File"
        }
      ],
      "package": "zeek",
      "path": "snmp"
    },
    {
      "type": "logs",
      "dataset": "zeek.socks",
      "title": "Zeek socks logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "logfile",
          "vars": [
            {
              "name": "filenames",
              "type": "text",
              "title": "Filename of socks log file",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "socks.log"
              ]
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "zeek-socks"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Zeek socks.log",
          "description": "Collect Zeek socks logs",
          "enabled": true,
          "ingestion_method": "File"
        }
      ],
      "package": "zeek",
      "path": "socks"
    },
    {
      "type": "logs",
      "dataset": "zeek.software",
      "title": "Zeek software logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "logfile",
          "vars": [
            {
              "name": "filenames",
              "type": "text",
              "title": "Filename of software log file",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "software.log"
              ]
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "zeek-software"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Zeek software.log",
          "description": "Collect Zeek software logs",
          "enabled": true,
          "ingestion_method": "File"
        }
      ],
      "package": "zeek",
      "path": "software"
    },
    {
      "type": "logs",
      "dataset": "zeek.ssh",
      "title": "Zeek ssh logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "logfile",
          "vars": [
            {
              "name": "filenames",
              "type": "text",
              "title": "Filename of ssh log file",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "ssh.log"
              ]
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "zeek-ssh"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Zeek ssh.log",
          "description": "Collect Zeek ssh logs",
          "enabled": true,
          "ingestion_method": "File"
        }
      ],
      "package": "zeek",
      "path": "ssh"
    },
    {
      "type": "logs",
      "dataset": "zeek.ssl",
      "title": "Zeek ssl logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "logfile",
          "vars": [
            {
              "name": "filenames",
              "type": "text",
              "title": "Filename of ssl log file",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "ssl.log"
              ]
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "zeek-ssl"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Zeek ssl.log",
          "description": "Collect Zeek ssl logs",
          "enabled": true,
          "ingestion_method": "File"
        }
      ],
      "package": "zeek",
      "path": "ssl"
    },
    {
      "type": "logs",
      "dataset": "zeek.stats",
      "title": "Zeek stats logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "logfile",
          "vars": [
            {
              "name": "filenames",
              "type": "text",
              "title": "Filename of stats log file",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "stats.log"
              ]
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "zeek-stats"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Zeek stats.log",
          "description": "Collect Zeek stats logs",
          "enabled": true,
          "ingestion_method": "File"
        }
      ],
      "package": "zeek",
      "path": "stats"
    },
    {
      "type": "logs",
      "dataset": "zeek.syslog",
      "title": "Zeek syslog logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "logfile",
          "vars": [
            {
              "name": "filenames",
              "type": "text",
              "title": "Filename of syslog log file",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "syslog.log"
              ]
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "zeek-syslog"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Zeek syslog.log",
          "description": "Collect Zeek syslog logs",
          "enabled": true,
          "ingestion_method": "File"
        }
      ],
      "package": "zeek",
      "path": "syslog"
    },
    {
      "type": "logs",
      "dataset": "zeek.traceroute",
      "title": "Zeek traceroute logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "logfile",
          "vars": [
            {
              "name": "filenames",
              "type": "text",
              "title": "Filename of traceroute log file",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "traceroute.log"
              ]
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "zeek-traceroute"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Zeek traceroute.log",
          "description": "Collect Zeek traceroute logs",
          "enabled": true,
          "ingestion_method": "File"
        }
      ],
      "package": "zeek",
      "path": "traceroute"
    },
    {
      "type": "logs",
      "dataset": "zeek.tunnel",
      "title": "Zeek tunnel logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "logfile",
          "vars": [
            {
              "name": "filenames",
              "type": "text",
              "title": "Filename of tunnel log file",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "tunnel.log"
              ]
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "zeek-tunnel"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Zeek tunnel.log",
          "description": "Collect Zeek tunnel logs",
          "enabled": true,
          "ingestion_method": "File"
        }
      ],
      "package": "zeek",
      "path": "tunnel"
    },
    {
      "type": "logs",
      "dataset": "zeek.weird",
      "title": "Zeek weird logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "logfile",
          "vars": [
            {
              "name": "filenames",
              "type": "text",
              "title": "Filename of weird log file",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "weird.log"
              ]
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "zeek-weird"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Zeek weird.log",
          "description": "Collect Zeek weird logs",
          "enabled": true,
          "ingestion_method": "File"
        }
      ],
      "package": "zeek",
      "path": "weird"
    },
    {
      "type": "logs",
      "dataset": "zeek.x509",
      "title": "Zeek x509 logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "logfile",
          "vars": [
            {
              "name": "filenames",
              "type": "text",
              "title": "Filename of x509 log file",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "x509.log"
              ]
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "zeek-x509"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Zeek x509.log",
          "description": "Collect Zeek x509 logs",
          "enabled": true,
          "ingestion_method": "File"
        }
      ],
      "package": "zeek",
      "path": "x509"
    }
  ]
}
