Skip to content
Tenzir

read_zeek_json

Parse an incoming Zeek JSON stream into events.

read_zeek_json [schema_only=bool, raw=bool]

Description

Section titled “Description”

schema_only = bool (optional)

Section titled “schema_only = bool (optional)”

When working with an existing schema, this option will ensure that the output schema has only the fields from that schema.

raw = bool (optional)

Section titled “raw = bool (optional)”

Use only the raw types that are native to the parsed format. Fields that have a type specified in the chosen schema will still be parsed according to the schema.

This means that JSON numbers will be parsed as numbers, but every JSON string remains a string, unless the field is in the schema.

Examples

Section titled “Examples”

Load a Zeek connection log

Section titled “Load a Zeek connection log”
zeek.json
{"__name":"sensor_10_0_0_2","_write_ts":"2020-02-26T04:00:03.734769Z","ts":"2020-02-26T03:40:03.724911Z","uid":"Cx3bf12iVwo5m7Gkd1","id.orig_h":"193.10.255.99","id.orig_p":6667,"id.resp_h":"141.9.40.50","id.resp_p":21,"proto":"tcp","duration":1196.975041,"orig_bytes":0,"resp_bytes":0,"conn_state":"S1","local_orig":false,"local_resp":true,"missed_bytes":0,"history":"Sh","orig_pkts":194,"orig_ip_bytes":7760,"resp_pkts":191,"resp_ip_bytes":8404}
{"_path":"_0_0_2","_write_ts":"2020-02-11T03:48:57.477193Z","ts":"2020-02-11T03:48:57.477193Z","uid":"Cpk0Nl33Zb5ZWLP1tc","id.orig_h":"185.100.59.59","id.orig_p":6667,"id.resp_h":"141.9.255.157","id.resp_p":8080,"proto":"tcp","note":"LongConnection::found","msg":"185.100.59.59 -> 141.9.255.157:8080/tcp remained alive for longer than 19m55s","sub":"1194.62","src":"185.100.59.59","dst":"141.9.255.157","p":8080,"peer_descr":"worker-02","actions":["Notice::ACTION_LOG"],"suppress_for":3600}
load "zeek.json"
read_zeek_json
{
  __name: "sensor_10_0_0_2",
  _write_ts: 2020-02-26T04:00:03.734769,
  ts: 2020-02-26T03:40:03.724911,
  uid: "Cx3bf12iVwo5m7Gkd1",
  id: {
    orig_h: 193.10.255.99,
    orig_p: 6667,
    resp_h: 141.9.40.50,
    resp_p: 21,
  },
  proto: "tcp",
  duration: 1196.975041,
  orig_bytes: 0,
  resp_bytes: 0,
  conn_state: "S1",
  local_orig: false,
  local_resp: true,
  missed_bytes: 0,
  history: "Sh",
  orig_pkts: 194,
  orig_ip_bytes: 7760,
  resp_pkts: 191,
  resp_ip_bytes: 8404,
}
{
  _write_ts: 2020-02-11T03:48:57.477193,
  ts: 2020-02-11T03:48:57.477193,
  uid: "Cpk0Nl33Zb5ZWLP1tc",
  id: {
    orig_h: 185.100.59.59,
    orig_p: 6667,
    resp_h: 141.9.255.157,
    resp_p: 8080,
  },
  proto: "tcp",
  _path: "_0_0_2",
  note: "LongConnection::found",
  msg: "185.100.59.59 -> 141.9.255.157:8080/tcp remained alive for longer than 19m55s",
  sub: "1194.62",
  src: 185.100.59.59,
  dst: 141.9.255.157,
  p: 8080,
  peer_descr: "worker-02",
  actions: [
    Notice::ACTION_LOG
  ],
  suppress_for: 3600,
}

See Also

Section titled “See Also”

read_zeek_tsv, write_zeek_json, write_zeek_tsv