
Event Normalization

⚠️ Changes made within these interfaces require that Zeek be restarted. Typically, the easiest way to accomplish this is via the command: sudo dynamite zeek process restart

DynamiteNSM relies on the open Elastic Common Schema (ECS). The Filebeat service is configured to normalize all events and alerts generated by Zeek and Suricata into that schema, so fields such as source.ip, destination.port and network.transport carry the same meaning regardless of which sensor produced the record.

In order for event normalization to function properly, ensure that the policy/tuning/json-logs script is enabled. Without it Zeek writes its default tab-separated logs, which the Filebeat pipeline does not parse, and Zeek events will not be normalized.

dynamite zeek config site scripts --ids 7093e8e --enable
╒══════╤═════════════════════════╤═══════════╤═════════╕
│   Id │ Name                    │ Enabled   │ Value   │
╞══════╪═════════════════════════╪═══════════╪═════════╡
│ 1144 │ policy/tuning/json-logs │ True      │ N/A     │
╘══════╧═════════════════════════╧═══════════╧═════════╛
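To make the normalization step concrete, the following is an added example (not DynamiteNSM's or Filebeat's own code) that takes one Zeek conn.log record in the JSON form produced when policy/tuning/json-logs is enabled and maps it to ECS field names, the same kind of renaming Filebeat's Zeek pipeline performs. The sample records, the field table and the helper names are constructed for illustration; the example also shows why JSON output is required, by rejecting a tab-separated record with a clear error instead of silently producing an empty document.

```python
import json
from datetime import datetime, timezone
from typing import Any, Dict

# Constructed sample: one Zeek conn.log record as written with
# policy/tuning/json-logs enabled (one JSON object per line).
ZEEK_CONN_JSON = (
    '{"ts":1609459200.123456,"uid":"CHhAvVGS1DHFjwGM9","id.orig_h":"10.0.0.5",'
    '"id.orig_p":51234,"id.resp_h":"93.184.216.34","id.resp_p":443,"proto":"tcp",'
    '"service":"ssl","duration":1.5,"orig_bytes":1024,"resp_bytes":4096,'
    '"conn_state":"SF","orig_pkts":10,"resp_pkts":12}'
)

# Constructed sample: the same connection in Zeek's default TSV format,
# i.e. what Zeek writes when json-logs is NOT enabled.
ZEEK_CONN_TSV = (
    "1609459200.123456\tCHhAvVGS1DHFjwGM9\t10.0.0.5\t51234"
    "\t93.184.216.34\t443\ttcp\tssl\t1.5\t1024\t4096\tSF"
)

# Hypothetical mapping table from Zeek conn.log field names to ECS names.
CONN_TO_ECS = {
    "id.orig_h": "source.ip",
    "id.orig_p": "source.port",
    "id.resp_h": "destination.ip",
    "id.resp_p": "destination.port",
    "orig_bytes": "source.bytes",
    "resp_bytes": "destination.bytes",
    "orig_pkts": "source.packets",
    "resp_pkts": "destination.packets",
    "proto": "network.transport",
    "service": "network.protocol",
    "duration": "event.duration",   # ECS event.duration is in nanoseconds
    "uid": "zeek.session_id",
}


def set_path(doc: Dict[str, Any], dotted: str, value: Any) -> None:
    """Assign value at a dotted path, creating nested dicts as needed."""
    parts = dotted.split(".")
    cur = doc
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def normalize_conn(line: str) -> Dict[str, Any]:
    """Map one JSON Zeek conn.log line to an ECS-style document."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError as exc:
        raise ValueError(
            "expected a JSON Zeek record; is policy/tuning/json-logs enabled?"
        ) from exc
    if not isinstance(rec, dict):
        raise ValueError("expected a JSON object per line")

    ecs: Dict[str, Any] = {
        "event": {"kind": "event", "category": ["network"],
                  "module": "zeek", "dataset": "zeek.connection"},
    }
    # Zeek ts is epoch seconds (float); ECS wants an ISO-8601 @timestamp.
    ecs["@timestamp"] = datetime.fromtimestamp(
        rec["ts"], tz=timezone.utc).isoformat()

    for zeek_name, ecs_name in CONN_TO_ECS.items():
        if zeek_name not in rec:
            continue
        value = rec[zeek_name]
        if ecs_name == "event.duration":
            value = int(value * 1_000_000_000)
        set_path(ecs, ecs_name, value)

    # Zeek-specific fields with no ECS equivalent stay under zeek.connection.*
    for name in ("conn_state", "history"):
        if name in rec:
            set_path(ecs, "zeek.connection." + name, rec[name])

    # Derived ECS fields: total bytes and the list of IPs for pivoting.
    src_bytes = ecs.get("source", {}).get("bytes", 0)
    dst_bytes = ecs.get("destination", {}).get("bytes", 0)
    set_path(ecs, "network.bytes", src_bytes + dst_bytes)
    ips = [ip for ip in (rec.get("id.orig_h"), rec.get("id.resp_h")) if ip]
    set_path(ecs, "related.ip", ips)
    return ecs


if __name__ == "__main__":
    print(json.dumps(normalize_conn(ZEEK_CONN_JSON), indent=2))
    try:
        normalize_conn(ZEEK_CONN_TSV)
    except ValueError as err:
        print("TSV input rejected:", err)
```

Run it to see the ECS document for the JSON record and the rejection of the TSV record; the second case is exactly the failure mode you will hit if the json-logs script is disabled and Zeek has not been restarted.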