.. _zeek-fields:

Zeek Fields
===========

Zeek logs are sent to :ref:`elasticsearch` where they are parsed using ingest parsing. Most Zeek logs have a few standard fields and they are parsed as follows:

| ts => @timestamp
| uid => log.id.uid
| id.orig_h => source.ip
| id.orig_p => source.port
| id.resp_h => destination.ip
| id.resp_p => destination.port

The remaining fields in each log are specific to the log type. To see how the fields are mapped for a specific Zeek log, take a look at its ingest parser.

You can find ingest parsers in your local filesystem at ``/opt/so/conf/elasticsearch/ingest/`` or you can find them online at:

https://github.com/Security-Onion-Solutions/securityonion/tree/2.4/main/salt/elasticsearch/files/ingest

For example, suppose you want to know how the Zeek conn.log is parsed. You could take a look at ``/opt/so/conf/elasticsearch/ingest/zeek.conn`` or view it online at:

https://github.com/Security-Onion-Solutions/securityonion/blob/2.4/main/salt/elasticsearch/files/ingest/zeek.conn

You'll see that ``zeek.conn`` then calls the ``zeek.common`` pipeline (``/opt/so/conf/elasticsearch/ingest/zeek.common``):

https://github.com/Security-Onion-Solutions/securityonion/blob/2.4/main/salt/elasticsearch/files/ingest/zeek.common

which in turn calls the ``common`` pipeline (``/opt/so/conf/elasticsearch/ingest/common``):

https://github.com/Security-Onion-Solutions/securityonion/blob/2.4/main/salt/elasticsearch/files/ingest-dynamic/common