Zeek IDS content pack contains pipeline rules, a stream, a dashboard displaying interesting activity, and a syslog tcp input to capture and index logs coming from a Zeek sensor.
If you are using Security Onion or an older versin of Zeek, the log files might be different and not contain the same exact fields.
See the full Description of Zeek IDS Default Log files https://www.zeek.org/sphinx/script-reference/log-files.html Working with Zeek logs https://www.zeek.org/sphinx/logs/index.html#working-with-log-files
Graylog v3.x.x or later for new content pack handling features
Rsyslog 8.x to use the replace() function if using rsyslog to ship logs
Zeek 2.6.x to use the pipeline files out of the box
editing pipeline configs will be required if using older versions of BRO/ZEEK
If running with SO, verify pipeline field values prior to sending data