From 14940c2d8947d6ec7a8f9af944e8efb1e7b8df1a Mon Sep 17 00:00:00 2001 From: Jeannette Dopheide Date: Mon, 22 Sep 2014 10:59:05 -0500 Subject: [PATCH] More updates to log files page: descriptions --- doc/script-reference/index.rst | 5 +- doc/script-reference/log-files.rst | 138 ++++++++++++++++++++++------- 2 files changed, 109 insertions(+), 34 deletions(-) diff --git a/doc/script-reference/index.rst b/doc/script-reference/index.rst index fb2b24efa7..ee73ca84ee 100644 --- a/doc/script-reference/index.rst +++ b/doc/script-reference/index.rst @@ -5,6 +5,7 @@ Script Reference .. toctree:: :maxdepth: 1 + log-files notices proto-analyzers file-analyzers @@ -12,5 +13,5 @@ Script Reference packages scripts Broxygen Example Script - list-of-log-files - + + diff --git a/doc/script-reference/log-files.rst b/doc/script-reference/log-files.rst index cae276eb95..d4c3cee02e 100644 --- a/doc/script-reference/log-files.rst +++ b/doc/script-reference/log-files.rst 
@@ -1,38 +1,112 @@ -================= -List of Log Files -================= +========= +Log Files +========= As a monitoring tool, Bro records a detailed view of the traffic inspected and the events generated in a series of relevant log files. These files can later be reviewed for monitoring, auditing and troubleshooting purposes. -Listed below are the log files generated by Bro, a brief description of the -log file, and links to descriptions of some of the fields for each log type. +Listed below are the log files generated by Bro, including a brief description +of the log file and links to descriptions of some of the fields for each log type. -+-----------------+---------------------------------------+------------------------------+ -| Log File | Description | Field Descriptions | -+=================+=======================================+==============================+ -| http.log | Shows all HTTP requests and replies | :bro:type:`HTTP::Info` | -+-----------------+---------------------------------------+------------------------------+ -| ftp.log | Records FTP activity | :bro:type:`FTP::Info` | -+-----------------+---------------------------------------+------------------------------+ -| ssl.log | Records SSL sessions including | :bro:type:`SSL::Info` | -| | certificates used | | -+-----------------+---------------------------------------+------------------------------+ -| known_certs.log | Includes SSL certificates used | :bro:type:`Known::CertsInfo` | -+-----------------+---------------------------------------+------------------------------+ -| smtp.log | Summarizes SMTP traffic on a network | :bro:type:`SMTP::Info` | -+-----------------+---------------------------------------+------------------------------+ -| dns.log | Shows all DNS activity on a network | :bro:type:`DNS::Info` | -+-----------------+---------------------------------------+------------------------------+ -| conn.log | Records all connections seen by Bro | :bro:type:`Conn::Info` | 
-+-----------------+---------------------------------------+------------------------------+ -| dpd.log | Shows network activity on | :bro:type:`DPD::Info` | -| | non-standard ports | | -+-----------------+---------------------------------------+------------------------------+ -| files.log | Records information about all files | :bro:type:`Files::Info` | -| | transmitted over the network | | -+-----------------+---------------------------------------+------------------------------+ -| weird.log | Records unexpected protocol-level | :bro:type:`Weird::Info` | -| | activity | | -+-----------------+---------------------------------------+------------------------------+ ++----------------------------+---------------------------------------+---------------------------------+ +| Log File | Description | Field Descriptions | ++============================+=======================================+=================================+ +| app_stats.log | Info about web apps in use on network | :bro:type:`AppStats::Info` | ++----------------------------+---------------------------------------+---------------------------------+ +| barnyard2.log | Alerts received from Barnyard2 | :bro:type:`Barnyard2::Info` | ++----------------------------+---------------------------------------+---------------------------------+ +| capture_loss.log | Packet loss rate | :bro:type:`CaptureLoss::Info` | ++----------------------------+---------------------------------------+---------------------------------+ +| cluster.log | Cluster messages | :bro:type:`Cluster::Info` | ++----------------------------+---------------------------------------+---------------------------------+ +| communication.log | Connections to remote Bro or Broccoli | :bro:type:`Communication::Info` | +| | instances | | ++----------------------------+---------------------------------------+---------------------------------+ +| conn.log  | Connection info | :bro:type:`Conn::Info` | 
++----------------------------+---------------------------------------+---------------------------------+ +| dhcp.log  | DHCP leases | :bro:type:`DHCP::Info` | ++----------------------------+---------------------------------------+---------------------------------+ +| dnp3.log | Requests and replies using DNP3 | :bro:type:`DNP3::Info` | +| | protocol | | ++----------------------------+---------------------------------------+---------------------------------+ +| dns.log  | DNS activity | :bro:type:`DNS::Info` | ++----------------------------+---------------------------------------+---------------------------------+ +| dpd.log | Network activity on non-standard | :bro:type:`DPD::Info` | +| | ports | | ++----------------------------+---------------------------------------+---------------------------------+ +| files.log | Info about files transmitted over the | :bro:type:`Files::Info` | +| | network | | ++----------------------------+---------------------------------------+---------------------------------+ +| ftp.log | FTP activity | :bro:type:`FTP::Info` | ++----------------------------+---------------------------------------+---------------------------------+ +| http.log | HTTP requests and replies | :bro:type:`HTTP::Info` | ++----------------------------+---------------------------------------+---------------------------------+ +| intel.log | Details about the intelligence | :bro:type:`Intel::Info` | +| | framework | | ++----------------------------+---------------------------------------+---------------------------------+ +| irc.log | IRC commands and responses | :bro:type:`IRC::Info` | ++----------------------------+---------------------------------------+---------------------------------+ +| known_certs.log | SSL certificates used | :bro:type:`Known::CertsInfo` | ++----------------------------+---------------------------------------+---------------------------------+ +| known_devices.log | MAC addresses of devices on the | :bro:type:`Known::DevicesInfo` | +| | 
network | | ++----------------------------+---------------------------------------+---------------------------------+ +| known_hosts.log | Daily record of completed TCP | :bro:type:`Known::HostsInfo` | +| | handshakes | | ++----------------------------+---------------------------------------+---------------------------------+ +| known_modbus.log | Modbus masters and workers | :bro:type:`Known::ModbusInfo` | ++----------------------------+---------------------------------------+---------------------------------+ +| known_services.log | Tracks services and protocols used | :bro:type:`Known::ServicesInfo` | +| | during a session | | ++----------------------------+---------------------------------------+---------------------------------+ +| loaded_scripts.log | Shows all scripts loaded by Bro | :bro:type:`LoadedScripts::Info` | ++----------------------------+---------------------------------------+---------------------------------+ +| modbus.log | Modbus protocol data | :bro:type:`Modbus::Info` | ++----------------------------+---------------------------------------+---------------------------------+ +| modbus_register_change.log | | | ++----------------------------+---------------------------------------+---------------------------------+ +| notice.log | Bro notices | :bro:type:`Notice::Info` | ++----------------------------+---------------------------------------+---------------------------------+ +| notice_alarm.log | The alarm stream | :bro:type:`Notice::Info` | ++----------------------------+---------------------------------------+---------------------------------+ +| packetfilter.log | Status of packet filters | :bro:type:`PacketFilter::Info` | ++----------------------------+---------------------------------------+---------------------------------+ +| radius.log  | RADIUS authentication attempts | :bro:type:`RADIUS::Info` | ++----------------------------+---------------------------------------+---------------------------------+ +| reporter.log | Records error 
messages, location, | :bro:type:`Reporter::Info` | +| | and severity | | ++----------------------------+---------------------------------------+---------------------------------+ +| signatures.log | Tracks signatures used on TCP | :bro:type:`Signatures::Info` | +| | connections | | ++----------------------------+---------------------------------------+---------------------------------+ +| smtp.log | SMTP traffic on a network | :bro:type:`SMTP::Info` | ++----------------------------+---------------------------------------+---------------------------------+ +| snmp.log  | SNMP traffic on a network | :bro:type:`SNMP::Info` | ++----------------------------+---------------------------------------+---------------------------------+ +| socks.log | SOCKS proxy requests | :bro:type:`SOCKS::Info` | ++----------------------------+---------------------------------------+---------------------------------+ +| software.log | Software being used on the network | :bro:type:`Software::Info` | ++----------------------------+---------------------------------------+---------------------------------+ +| ssh.log  | SSH connections | :bro:type:`SSH::Info` | ++----------------------------+---------------------------------------+---------------------------------+ +| ssl.log  | SSL/TLS handshake info | :bro:type:`SSL::Info` | ++----------------------------+---------------------------------------+---------------------------------+ +| stats.log | Shows log memory/packet/lag | :bro:type:`Stats::Info` | +| | statistics | | ++----------------------------+---------------------------------------+---------------------------------+ +| syslog.log  | Syslog messages and data | :bro:type:`Syslog::Info` | ++----------------------------+---------------------------------------+---------------------------------+ +| traceroute.log | Address and protocol data of a given | :bro:type:`Traceroute::Info` | +| | traceroute | | 
++----------------------------+---------------------------------------+---------------------------------+ +| tunnel.log | Tunnel data | :bro:type:`Tunnel::Info` | ++----------------------------+---------------------------------------+---------------------------------+ +| unified2.log | Interprets Snort's unified output | :bro:type:`Unified2::Info` | +| | format | | ++----------------------------+---------------------------------------+---------------------------------+ +| weird.log | Records unexpected protocol-level | :bro:type:`Weird::Info` | +| | activity | | ++----------------------------+---------------------------------------+---------------------------------+ +| x509.log | Tracks X.509 certificates | :bro:type:`X509::Info` | ++----------------------------+---------------------------------------+---------------------------------+
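Review bot: in the second hunk of doc/script-reference/index.rst, the removed `- list-of-log-files` line and the blank line after it are replaced by two `+` lines that appear to contain only whitespace; strip any trailing whitespace from them and keep at most one blank line at the end of the file, since the toctree already ends at `Broxygen Example Script`. Adding `log-files` at the top of the toctree in the first hunk is consistent with the renamed `log-files.rst` page later in this patch.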
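Review bot: the `modbus_register_change.log` row in the doc/script-reference/log-files.rst hunk has empty Description and Field Descriptions cells (`+| modbus_register_change.log | | |`); either fill in a short description and the matching `:bro:type:` reference like every other row, or drop the row until it can be documented, because an empty row reads as an oversight rather than an intentional gap. Several rows (`conn.log`, `dhcp.log`, `dns.log`, `radius.log`, `snmp.log`, `ssh.log`, `ssl.log`, `syslog.log`) also show an extra character between the file name and the `|` separator, for example `+| conn.log  | Connection info | :bro:type:`Conn::Info` |`, whereas `dpd.log` and the others have a single space; an RST grid table requires every row to match the border line exactly, so this will either misalign the cells or fail the doc build, and the table should be rebuilt with the Sphinx build to confirm it renders. As a style point, the Description column mixes bare noun phrases ("DHCP leases", "Tunnel data") with verb-led sentences ("Shows all scripts loaded by Bro", "Records unexpected protocol-level activity", "Tracks X.509 certificates"); pick one form for the whole column.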