error in stun_nat log parsing with multiple wan addresses. #849

@mmguero

Description

Given this portion of a zeek stun_nat log:

      "zeek": {
        "uid": "C7SS4Q2Zdd3PQGwam1",
        "ts": "2026-01-07T19:40:43.076Z",
        "stun_nat": {
          "wan_addr": ["170.249.143.130", "170.249.143.130"],
          "wan_port": [28192, 28192],
          "lan_addr": ["10.12.10.60", "10.12.10.60"]
        }
      }

We end up with this in related.ip:

      "related": {
        "ip": [
          "170.249.143.130",
          "10.12.10.60",
          "212.227.67.34",
          "170.249.143.130,170.249.143.130"
        ]
      }

I think the issue is the way we're doing add_field instead of merge in mutate_add_field_ecs_zeek_stun_nat_wan_addr and mutate_add_field_ecs_zeek_stun_nat_wan_port. Will fix and test.
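As an added illustration (not Malcolm's actual pipeline code), the two mutate forms the issue contrasts: sprintf-style add_field renders an array field as one comma-joined string, while merge appends the array's elements individually. The "before" filter id is the one named in the issue; the "after" id, the exact source field reference and the dedup step are assumptions.

```logstash
filter {
  # Before (assumed reconstruction of the filter named in the issue):
  # "%{[zeek][stun_nat][wan_addr]}" is rendered via sprintf, so a
  # two-element array becomes the single string
  # "170.249.143.130,170.249.143.130" in related.ip.
  #
  # mutate {
  #   id => "mutate_add_field_ecs_zeek_stun_nat_wan_addr"
  #   add_field => { "[related][ip]" => "%{[zeek][stun_nat][wan_addr]}" }
  # }

  # After: merge concatenates the source array onto the destination
  # array element by element (creating the destination if absent, and
  # promoting a scalar destination to an array).
  if [zeek][stun_nat][wan_addr] {
    mutate {
      id => "mutate_merge_ecs_zeek_stun_nat_wan_addr"  # assumed id
      merge => { "[related][ip]" => "[zeek][stun_nat][wan_addr]" }
    }
  }

  # Caveat: merge does not de-duplicate, so the repeated wan_addr in the
  # sample log would appear twice in related.ip. If nothing downstream
  # already collapses duplicates, a small ruby filter can do it.
  if [related][ip] {
    ruby {
      id => "ruby_dedup_related_ip"  # assumed id
      code => '
        v = event.get("[related][ip]")
        event.set("[related][ip]", Array(v).uniq) unless v.nil?
      '
    }
  }
}
```

With the sample event from the issue, related.ip then carries each address once, with no comma-joined string.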

Labels

bug: Something isn't working
logstash: Relating to Malcolm's use of Logstash
zeek: Relating to Malcolm's use of Zeek

Status: Testing
