Logstash zeek event failure

[divinehawk]

Describe the bug
Upgraded Malcolm to 25.05.0 from 24.10.0. Logstash error when not upgrading Hedgehog sensors at the same time.

To Reproduce
Run older version of hedgehog

Expected behavior
Malcolm should be able to parse older zeek logs

**Screenshots and/or Logs **

Could not index event to OpenSearch.
error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [zeek.conn.inner_vlan] of type [integer] in document with id '250516-2ZweO3YvNUiHo3Ze4sA4hA'. Preview of field's value: '94:c7:42:64:1b:e8'", "caused_by"=>{"type"=>"number_format_exception", "reason"=>"For input string: "94:c7:42:64:1b:e8""}}}}}

Malcolm Version:

• Version 25.05.0

How are you running Malcolm?
Docker

Additional context
Possibly related to f3231e9

[mmguero]

There's really only one way around this, and that is to enable JSON mode for your zeek logs:

• set ZEEK_JSON=true in /opt/sensor/sensor_ctl/control_vars.conf on Hedgehog and restart the services

By telling Hedgehog's Zeek logs to be JSON, Malcolm doesn't have to rely on the field order being consistent.

The corresponding setting in Malcolm, should you desire to set it (although in this case the issue is hedgehog being a different version so it doesn't make much difference) is in ./config/zeek.env