More updates to log files page: descriptions

This commit is contained in:
Jeannette Dopheide 2014-09-22 10:59:05 -05:00
parent 401ec39ce2
commit 14940c2d89
2 changed files with 109 additions and 34 deletions

View file

@ -5,6 +5,7 @@ Script Reference
.. toctree:: .. toctree::
:maxdepth: 1 :maxdepth: 1
log-files
notices notices
proto-analyzers proto-analyzers
file-analyzers file-analyzers
@ -12,5 +13,5 @@ Script Reference
packages packages
scripts scripts
Broxygen Example Script </scripts/broxygen/example.bro> Broxygen Example Script </scripts/broxygen/example.bro>
list-of-log-files
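Review bot: the old toctree entry `list-of-log-files` is dropped here while the new `log-files` entry was added at the top of the list in the previous hunk, so this is effectively a page rename split across two hunks; before merging, grep the rest of the docs tree for `list-of-log-files` (explicit `:doc:` links or URLs) because any remaining reference will break once this entry is gone. If the new page is meant to sit with the other reference topics rather than first, move `log-files` next to where `list-of-log-files` used to be so the rendered ordering stays the same.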

View file

@ -1,38 +1,112 @@
================= =========
List of Log Files Log Files
================= =========
As a monitoring tool, Bro records a detailed view of the traffic inspected As a monitoring tool, Bro records a detailed view of the traffic inspected
and the events generated in a series of relevant log files. These files can and the events generated in a series of relevant log files. These files can
later be reviewed for monitoring, auditing and troubleshooting purposes. later be reviewed for monitoring, auditing and troubleshooting purposes.
Listed below are the log files generated by Bro, a brief description of the Listed below are the log files generated by Bro, including a brief description
log file, and links to descriptions of some of the fields for each log type. of the log file and links to descriptions of some of the fields for each log type.
+-----------------+---------------------------------------+------------------------------+ +----------------------------+---------------------------------------+---------------------------------+
| Log File | Description | Field Descriptions | | Log File | Description | Field Descriptions |
+=================+=======================================+==============================+ +============================+=======================================+=================================+
| http.log | Shows all HTTP requests and replies | :bro:type:`HTTP::Info` | | app_stats.log | Info about web apps in use on network | :bro:type:`AppStats::Info` |
+-----------------+---------------------------------------+------------------------------+ +----------------------------+---------------------------------------+---------------------------------+
| ftp.log | Records FTP activity | :bro:type:`FTP::Info` | | barnyard2.log | Alerts received from Barnyard2 | :bro:type:`Barnyard2::Info` |
+-----------------+---------------------------------------+------------------------------+ +----------------------------+---------------------------------------+---------------------------------+
| ssl.log | Records SSL sessions including | :bro:type:`SSL::Info` | | capture_loss.log | Packet loss rate | :bro:type:`CaptureLoss::Info` |
| | certificates used | | +----------------------------+---------------------------------------+---------------------------------+
+-----------------+---------------------------------------+------------------------------+ | cluster.log | Cluster messages | :bro:type:`Cluster::Info` |
| known_certs.log | Includes SSL certificates used | :bro:type:`Known::CertsInfo` | +----------------------------+---------------------------------------+---------------------------------+
+-----------------+---------------------------------------+------------------------------+ | communication.log | Connections to remote Bro or Broccoli | :bro:type:`Communication::Info` |
| smtp.log | Summarizes SMTP traffic on a network | :bro:type:`SMTP::Info` | | | instances | |
+-----------------+---------------------------------------+------------------------------+ +----------------------------+---------------------------------------+---------------------------------+
| dns.log | Shows all DNS activity on a network | :bro:type:`DNS::Info` | | conn.log  | Connection info | :bro:type:`Conn::Info` |
+-----------------+---------------------------------------+------------------------------+ +----------------------------+---------------------------------------+---------------------------------+
| conn.log | Records all connections seen by Bro | :bro:type:`Conn::Info` | | dhcp.log  | DHCP leases | :bro:type:`DHCP::Info` |
+-----------------+---------------------------------------+------------------------------+ +----------------------------+---------------------------------------+---------------------------------+
| dpd.log | Shows network activity on | :bro:type:`DPD::Info` | | dnp3.log | Requests and replies using DNP3 | :bro:type:`DNP3::Info` |
| | non-standard ports | | | | protocol | |
+-----------------+---------------------------------------+------------------------------+ +----------------------------+---------------------------------------+---------------------------------+
| files.log | Records information about all files | :bro:type:`Files::Info` | | dns.log  | DNS activity | :bro:type:`DNS::Info` |
| | transmitted over the network | | +----------------------------+---------------------------------------+---------------------------------+
+-----------------+---------------------------------------+------------------------------+ | dpd.log | Network activity on non-standard | :bro:type:`DPD::Info` |
| | ports | |
+----------------------------+---------------------------------------+---------------------------------+
| files.log | Info about files transmitted over the | :bro:type:`Files::Info` |
| | network | |
+----------------------------+---------------------------------------+---------------------------------+
| ftp.log | FTP activity | :bro:type:`FTP::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| http.log | HTTP requests and replies | :bro:type:`HTTP::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| intel.log | Details about the intelligence | :bro:type:`Intel::Info` |
| | framework | |
+----------------------------+---------------------------------------+---------------------------------+
| irc.log | IRC commands and responses | :bro:type:`IRC::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| known_certs.log | SSL certificates used | :bro:type:`Known::CertsInfo` |
+----------------------------+---------------------------------------+---------------------------------+
| known_devices.log | MAC addresses of devices on the | :bro:type:`Known::DevicesInfo` |
| | network | |
+----------------------------+---------------------------------------+---------------------------------+
| known_hosts.log | Daily record of completed TCP | :bro:type:`Known::HostsInfo` |
| | handshakes | |
+----------------------------+---------------------------------------+---------------------------------+
| known_modbus.log | Modbus masters and workers | :bro:type:`Known::ModbusInfo` |
+----------------------------+---------------------------------------+---------------------------------+
| known_services.log | Tracks services and protocols used | :bro:type:`Known::ServicesInfo` |
| | during a session | |
+----------------------------+---------------------------------------+---------------------------------+
| loaded_scripts.log | Shows all scripts loaded by Bro | :bro:type:`LoadedScripts::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| modbus.log | Modbus protocol data | :bro:type:`Modbus::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| modbus_register_change.log | <add description here> | <add link here> |
+----------------------------+---------------------------------------+---------------------------------+
| notice.log | Bro notices | :bro:type:`Notice::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| notice_alarm.log | The alarm stream | :bro:type:`Notice::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| packetfilter.log | Status of packet filters | :bro:type:`PacketFilter::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| radius.log  | RADIUS authentication attempts | :bro:type:`RADIUS::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| reporter.log | Records error messages, location, | :bro:type:`Reporter::Info` |
| | and severity | |
+----------------------------+---------------------------------------+---------------------------------+
| signatures.log | Tracks signatures used on TCP | :bro:type:`Signatures::Info` |
| | connections | |
+----------------------------+---------------------------------------+---------------------------------+
| smtp.log | SMTP traffic on a network | :bro:type:`SMTP::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| snmp.log  | SNMP traffic on a network | :bro:type:`SNMP::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| socks.log | SOCKS proxy requests | :bro:type:`SOCKS::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| software.log | Software being used on the network | :bro:type:`Software::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| ssh.log  | SSH connections | :bro:type:`SSH::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| ssl.log  | SSL/TLS handshake info | :bro:type:`SSL::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| stats.log | Shows log memory/packet/lag | :bro:type:`Stats::Info` |
| | statistics | |
+----------------------------+---------------------------------------+---------------------------------+
| syslog.log  | Syslog messages and data | :bro:type:`Syslog::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| traceroute.log | Address and protocol data of a given | :bro:type:`Traceroute::Info` |
| | traceroute | |
+----------------------------+---------------------------------------+---------------------------------+
| tunnel.log | Tunnel data | :bro:type:`Tunnel::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| unified2.log | Interprets Snort's unified output | :bro:type:`Unified2::Info` |
| | format | |
+----------------------------+---------------------------------------+---------------------------------+
| weird.log | Records unexpected protocol-level | :bro:type:`Weird::Info` | | weird.log | Records unexpected protocol-level | :bro:type:`Weird::Info` |
| | activity | | | | activity | |
+-----------------+---------------------------------------+------------------------------+ +----------------------------+---------------------------------------+---------------------------------+
| x509.log | Tracks X.509 certificates | :bro:type:`X509::Info` |
+----------------------------+---------------------------------------+---------------------------------+
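Review bot: the `modbus_register_change.log` row still carries the placeholders `<add description here>` and `<add link here>`; in reStructuredText these render literally in the built table, so either fill in the description and the `:bro:type:` reference for that row or drop the row until it can be completed. The rest of the table switches to short noun-phrase descriptions, but a handful of rows keep the old verb-led wording ("Shows all scripts loaded by Bro", "Records error messages, location, and severity", "Tracks signatures used on TCP connections", "Shows log memory/packet/lag statistics", "Interprets Snort's unified output format", "Records unexpected protocol-level activity", "Tracks X.509 certificates"); bring those in line with the others, and reword "Shows log memory/packet/lag statistics" since "log memory" does not say what is measured. Finally, check the "Modbus masters and workers" description for `known_modbus.log` against the terminology the logging script itself uses, so the table does not describe a field value the log never contains.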