This script adds VLAN tags to all of the Zeek logs that have the conn_id
(id) field.
zkg refresh zkg install corelight/log-add-vlan-everywhere
All Zeek logs that contain connection information with the c$id field
should have fields that indicate VLAN tags (named vlan and inner_vlan).
There are potential side effects from loading this script if another script
is indexing tables based on the c$id field. This generally is not done
in most modern scripts and is not done in the core Zeek distribution anywhere.
This script tries to avoid potential trouble with this indexing issue by
only grabbing the VLAN information from the connection_established
event because any other script that uses c$id for indexing would probably
always get the value that was collected already anyway.
If you think that this script is impacting any other script please reach out to us at [email protected] and let us know what script you think it might be impacting.
Nate Guagenti @neu5ron Seth Hall <[email protected]>