Zeek logs section in README

ZeerBit · Feb 15, 2020 · 1c8f6d1 · 1c8f6d1
1 parent 31db902
commit 1c8f6d1
Showing 1 changed file with 14 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -2,6 +2,19 @@
 ## Overview
 Elastic Common Schema (ECS) pipeline for Zeek/Bro network traffic analyzer with [Fluent Bit](https://fluentbit.io/).
 
+## Zeek logs
+The following [Zeek logs](https://docs.zeek.org/en/current/script-reference/log-files.html) are supported:
+
+- [`Conn::Info`](https://docs.zeek.org/en/current/scripts/base/protocols/conn/main.zeek.html#type-Conn::Info)
+- [`DHCP::Info`](https://docs.zeek.org/en/current/scripts/base/protocols/dhcp/main.zeek.html#type-DHCP::Info)
+- [`DNS::Info`](https://docs.zeek.org/en/current/scripts/base/protocols/dns/main.zeek.html#type-DNS::Info)
+- [`HTTP::Info`](https://docs.zeek.org/en/current/scripts/base/protocols/http/main.zeek.html#type-HTTP::Info)
+- [`SSL:Info`](https://docs.zeek.org/en/current/scripts/base/protocols/ssl/main.zeek.html#type-SSL::Info)
+
+The pipeline maps original key/values from the Zeek logs into proper [ECS keys](https://www.elastic.co/guide/en/ecs/current/index.html). If a key from any of the logs above doesn't have a corresponding key in ECS, it is mapped as `zeek.<log_type>.<key>`. For example, `tags` from `HTTP::Info` are mapped as `zeek.http.tags`.
+
+The pipeline supports both tabular as well as JSON log formats. Parcers for the tabular format are provided for sets of fields that Zeek logs by default . If optional fields are enabled, or if additionall Zeek modules, like [`bro-community-id`](https://github.com/corelight/bro-community-id) or [`ja3`](https://github.com/salesforce/ja3), are installed, it is recommended to use JSON format as input. The pipeline is tested with JSON format produced by  [`json-streaming-logs`](https://github.com/corelight/json-streaming-logs) Zeek module. If enabling JSON logging is not an option, modification of the parcers in [`parsers.conf`](parsers.conf) shall be done to accomodate additonal fields.
+
 ## Installation
 Prerequisites:
 
@@ -41,7 +54,7 @@ Start Fluent Bit pipeline
 
     sudo ./fluent-bit.start
 
-# Copyright notice
+## Copyright notice
 
 COPYRIGHT 2019 - 2020 [Alex Bortok](https://github.com/bortok)