Christian Kreibich
Sorry for the late response here @dcode — yes, that is true. This was actually our original idea, until we noticed that Zeek currently lacks a good way to generalize...
What mechanism do you mean? In filters or the writer?
Ah, right! I now remember reading over this and going "huh", but it was too early in my logging framework career. :smile: Thanks for the cluebatting! This seems to have...
I'd still like to have a way to do this in a controlled yet general way in the logging framework. But others have put in the elbow grease to do...
I am getting the same "s == null" error when trying to transfer files from my desktop to my phone. I have no problems transferring from phone to desktop. Happy...
> As all log stream activation happens within zeek_init events

That's an aspect that gets into thorny terrain quickly ... technically this is a convention, but one that packages thankfully...
Thanks Chad, yep — Corelight's is on our radar and one of the drivers for this issue ... things could be simplified if we provide this as an open-source capability...
Two pointers to related technologies, for future reference:

- An [IPFIX schema](https://github.com/DFDLSchemas/IPFIX/blob/master/src/main/resources/org/mitre/ipfix/common.dfdl.xsd) expressed in [DFDL](https://cboblog.typepad.com/cboblog/2008/07/dfdl-data-forma.html)
- The data format templating features in [Netflow v9](https://datatracker.ietf.org/doc/html/rfc3954#page-11)
> If the objective is indeed providing a canonical anchor for how stock Zeek data looks like

Yeah, where "stock" means the log data produced by Zeek in any particular...
@chadbrewbaker can you say more re "extra Zeek table of eBPF logs by timestamp"? I'm asking mainly because eBPF is a natural way to expand the capabilities of the [new...