smtp-url-analysis
What change can be made to customize msg?
This is a feature request:
I certainly understand the reason for the current msg field format; however, I am having an issue trying to customize it. The current format appends "from [uid]" to the end of the message. This can be useful in some environments for pivoting but causes a problem for aggregation in a SIEM. I have tried to modify the format of msg, but my scripting skill level is novice level at best and I seem to have hit a wall.
Great tool by the way, it has been very useful for us but could benefit from this change.
thanks,
B
Brandon,
Sorry for the issue - somehow I missed your ticket.
OK, I have a new updated version which runs with zeek-3.x.x now, if you'd want to try this out too!
Could you send me a format of how you'd like the message to appear? I can make it work for you! Again, it's only now I am seeing these tickets :(