zeek

Read Zeek network security monitor log files with automatic schema detection and type-aware parsing

Maintainer(s): ynadji

Installing and Loading

INSTALL zeek FROM community;
LOAD zeek;

Example

INSTALL zeek FROM community;
LOAD inet; -- optional: needed for addr/subnet columns to be parsed as INET rather than VARCHAR
LOAD zeek;

-- Read a Zeek log file (supports .gz compression and globs)
SELECT * FROM read_zeek('conn.log.gz');

-- Filter by service
SELECT ts, id_orig_h, id_resp_h, service
FROM read_zeek('conn.log.gz')
WHERE service = 'http';

About zeek

The zeek extension adds a read_zeek() table function for natively reading Zeek (formerly Bro) network security monitor TSV log files.

Features include:

  • automatic schema detection from Zeek log headers (#fields, #types)
  • automatic gzip/zstd decompression
  • glob pattern support for reading multiple files at once
  • proper NULL handling for Zeek's unset (-) and empty ((empty)) markers
  • type-aware parsing with rich type mappings:
    • time to TIMESTAMP WITH TIME ZONE
    • interval to INTERVAL
    • addr/subnet to INET when the inet extension is loaded (pass inet=false to keep them as VARCHAR)
    • port to USMALLINT
    • vector[T]/set[T] to LIST[T]
  • optional filename column for tracking source files across globs
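The reader below is an added example, not the extension's own code: it implements in plain Python the parsing the feature list above describes, so the format can be seen without DuckDB. The schema comes from the #separator, #set_separator, #unset_field, #empty_field, #fields and #types header lines of the log itself; the unset marker becomes None, vector[T]/set[T] columns become lists, and addr, port, time and interval values get real types. Two choices are this example's own and not necessarily the extension's: "(empty)" is mapped to an empty list or empty string rather than NULL, and dotted field names are flattened to underscores to match the id_orig_h spelling used in the example queries above. The sample conn.log records and the external_responders helper are constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample conn.log: the header lines are the ones real Zeek ASCII
# logs carry; the three records are made up.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",  # the file holds the literal text \x09, i.e. a tab
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\ttunnel_parents",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring"
    "\tinterval\tcount\tcount\tstring\tset[string]",
    "1700000000.123456\tCabc123\t10.0.0.5\t51234\t93.184.216.34\t80\ttcp\thttp"
    "\t0.250000\t312\t1024\tSF\t(empty)",
    "1700000001.000000\tCdef456\t10.0.0.5\t51235\t10.0.0.9\t53\tudp\tdns"
    "\t-\t-\t-\tS0\t-",
    "1700000002.500000\tCghi789\t10.0.0.7\t51236\t2001:db8::1\t443\ttcp\tssl"
    "\t12.5\t5000\t80000\tSF\tCxyz,Cqrs",
    "#close\t2023-11-14-22-13-22",
]) + "\n"

CONTAINER = re.compile(r"^(?:vector|set)\[(.+)\]$")


def _parse_time(value):
    # Split the text instead of round-tripping through a float so microseconds survive.
    sec, _, frac = value.partition(".")
    micro = int((frac + "000000")[:6])
    return datetime.fromtimestamp(int(sec), tz=timezone.utc).replace(microsecond=micro)


def _parse_port(value):
    port = int(value)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {value}")
    return port


SCALAR = {  # Zeek scalar type -> Python converter; string, enum and unknown types stay text
    "time": _parse_time,
    "interval": lambda v: timedelta(seconds=float(v)),
    "count": int, "int": int, "double": float,
    "port": _parse_port, "addr": ipaddress.ip_address,
    "subnet": lambda v: ipaddress.ip_network(v, strict=False),
    "bool": lambda v: v == "T",
}


def _convert(value, ztype, unset, empty, set_sep):
    if value == unset:
        return None  # the unset marker (normally "-") becomes NULL
    inner = CONTAINER.match(ztype)
    if inner:  # vector[T] / set[T] become lists; "(empty)" is an empty list here
        return [] if value == empty else [SCALAR.get(inner.group(1), str)(v) for v in value.split(set_sep)]
    return "" if value == empty else SCALAR.get(ztype, str)(value)


def read_zeek(text):
    """Parse Zeek TSV text into a list of dicts keyed by flattened field name."""
    sep, set_sep, empty, unset = "\t", ",", "(empty)", "-"
    fields = types = None
    rows = []
    for line in filter(None, text.splitlines()):
        if line.startswith("#separator "):
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, _, val = line[1:].partition(sep)
            if key == "set_separator":
                set_sep = val
            elif key == "empty_field":
                empty = val
            elif key == "unset_field":
                unset = val
            elif key == "fields":
                # The page's example queries use id_orig_h for Zeek's id.orig_h.
                fields = [f.replace(".", "_") for f in val.split(sep)]
            elif key == "types":
                types = val.split(sep)
            continue  # #path, #open, #close carry no schema
        if fields is None or types is None:
            raise ValueError("data row before #fields/#types header")
        cols = line.split(sep)
        if len(cols) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(cols)}")
        rows.append({n: _convert(v, t, unset, empty, set_sep)
                     for n, v, t in zip(fields, cols, types)})
    return rows


def external_responders(rows, internal_cidrs):
    """Responder addresses outside internal_cidrs, using the typed addr values."""
    nets = [ipaddress.ip_network(c) for c in internal_cidrs]
    return sorted({str(r["id_resp_h"]) for r in rows
                   if r["id_resp_h"] is not None and not any(r["id_resp_h"] in n for n in nets)})
```

Two details matter in practice. The separator and the unset/empty markers are read from the headers rather than hard-coded, because Zeek lets deployments change them, and a reader that assumes "-" will silently turn a changed marker into a string value. And because id_resp_h is a real address object, external_responders is a subnet membership test, which is what the INET mapping buys you in DuckDB: comparing VARCHAR columns by prefix would match 10.0.0.9 and 100.0.0.9 alike.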

Added Functions

function_name   function_type   description   comment   examples
read_zeek       table           NULL          NULL

Overloaded Functions

This extension does not add any function overloads.

Added Types

This extension does not add any types.

Added Settings

This extension does not add any settings.