diff --git a/doc/script-reference/log-files.rst b/doc/script-reference/log-files.rst index 5c2c761a07..0098bce4c0 100644 --- a/doc/script-reference/log-files.rst +++ b/doc/script-reference/log-files.rst @@ -7,15 +7,15 @@ and the events generated in a series of relevant log files. These files can later be reviewed for monitoring, auditing and troubleshooting purposes. Listed below are the log files generated by Bro, including a brief description -of the log file and links to descriptions of some of the fields for each log type. +of the log file and links to descriptions of some of the fields for each log +type. + +Bro Diagnostics +--------------- +----------------------------+---------------------------------------+---------------------------------+ | Log File | Description | Field Descriptions | +============================+=======================================+=================================+ -| app_stats.log | Info about web apps in use on network | :bro:type:`AppStats::Info` | -+----------------------------+---------------------------------------+---------------------------------+ -| barnyard2.log | Alerts received from Barnyard2 | :bro:type:`Barnyard2::Info` | -+----------------------------+---------------------------------------+---------------------------------+ | capture_loss.log | Packet loss rate | :bro:type:`CaptureLoss::Info` | +----------------------------+---------------------------------------+---------------------------------+ | cluster.log | Cluster messages | :bro:type:`Cluster::Info` | 
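Review bot: the introductory paragraph is only reflowed here ("...for each log type." split across two lines) and still reads "Listed below are the log files generated by Bro" as if a single table followed, even though this hunk starts the split into per-category tables with the new "Bro Diagnostics" heading. Add one sentence to that paragraph saying that the logs are grouped by category below, so the reader knows to look across several tables rather than one.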
@@ -23,6 +23,55 @@ of the log file and links to descriptions of some of the fields for each log typ | communication.log | Connections to remote Bro or Broccoli | :bro:type:`Communication::Info` | | | instances | | +----------------------------+---------------------------------------+---------------------------------+ +| intel.log | Details about the intelligence | :bro:type:`Intel::Info` | +| | framework | | ++----------------------------+---------------------------------------+---------------------------------+ +| loaded_scripts.log | Shows all scripts loaded by Bro | :bro:type:`LoadedScripts::Info` | ++----------------------------+---------------------------------------+---------------------------------+ +| notice.log | Bro notices | :bro:type:`Notice::Info` | ++----------------------------+---------------------------------------+---------------------------------+ +| notice_alarm.log | The alarm stream | :bro:enum:`Notice::ACTION_ALARM`| ++----------------------------+---------------------------------------+---------------------------------+ +| packetfilter.log | Status of packet filters | :bro:type:`PacketFilter::Info` | ++----------------------------+---------------------------------------+---------------------------------+ +| reporter.log | Records error messages, location, | :bro:type:`Reporter::Info` | +| | and severity | | ++----------------------------+---------------------------------------+---------------------------------+ +| stats.log | Shows log memory/packet/lag | :bro:type:`Stats::Info` | +| | statistics | | ++----------------------------+---------------------------------------+---------------------------------+ +| unified2.log | Interprets Snort's unified output | :bro:type:`Unified2::Info` | +| | format | | ++----------------------------+---------------------------------------+---------------------------------+ + +Known_* Logs +------------ + ++----------------------------+---------------------------------------+---------------------------------+ 
+| Log File | Description | Field Descriptions | ++============================+=======================================+=================================+ +| known_certs.log | SSL certificates used | :bro:type:`Known::CertsInfo` | ++----------------------------+---------------------------------------+---------------------------------+ +| known_devices.log | MAC addresses of devices on the | :bro:type:`Known::DevicesInfo` | +| | network | | ++----------------------------+---------------------------------------+---------------------------------+ +| known_hosts.log | Daily record of completed TCP | :bro:type:`Known::HostsInfo` | +| | handshakes | | ++----------------------------+---------------------------------------+---------------------------------+ +| known_modbus.log | Modbus masters and workers | :bro:type:`Known::ModbusInfo` | ++----------------------------+---------------------------------------+---------------------------------+ +| known_services.log | Tracks services and protocols used | :bro:type:`Known::ServicesInfo` | +| | during a session | | ++----------------------------+---------------------------------------+---------------------------------+ + +Network Activity +---------------- + ++----------------------------+---------------------------------------+---------------------------------+ +| Log File | Description | Field Descriptions | ++============================+=======================================+=================================+ +| barnyard2.log | Alerts received from Barnyard2 | :bro:type:`Barnyard2::Info` | ++----------------------------+---------------------------------------+---------------------------------+ | conn.log  | Connection info | :bro:type:`Conn::Info` | +----------------------------+---------------------------------------+---------------------------------+ | dhcp.log  | DHCP leases | :bro:type:`DHCP::Info` | 
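Review bot: unified2.log ("Interprets Snort's unified output format") is placed under Bro Diagnostics, while barnyard2.log ("Alerts received from Barnyard2") is placed under Network Activity in this same hunk; both are externally sourced Snort alert data rather than Bro's own operational state, so they belong in the same section. The same question applies to intel.log ("Details about the intelligence framework"), which records intelligence matches on observed traffic and reads more like Network Activity than a diagnostic log.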
@@ -42,41 +91,14 @@ of the log file and links to descriptions of some of the fields for each log typ +----------------------------+---------------------------------------+---------------------------------+ | http.log | HTTP requests and replies | :bro:type:`HTTP::Info` | +----------------------------+---------------------------------------+---------------------------------+ -| intel.log | Details about the intelligence | :bro:type:`Intel::Info` | -| | framework | | -+----------------------------+---------------------------------------+---------------------------------+ | irc.log | IRC commands and responses | :bro:type:`IRC::Info` | +----------------------------+---------------------------------------+---------------------------------+ -| known_certs.log | SSL certificates used | :bro:type:`Known::CertsInfo` | -+----------------------------+---------------------------------------+---------------------------------+ -| known_devices.log | MAC addresses of devices on the | :bro:type:`Known::DevicesInfo` | -| | network | | -+----------------------------+---------------------------------------+---------------------------------+ -| known_hosts.log | Daily record of completed TCP | :bro:type:`Known::HostsInfo` | -| | handshakes | | -+----------------------------+---------------------------------------+---------------------------------+ -| known_modbus.log | Modbus masters and workers | :bro:type:`Known::ModbusInfo` | -+----------------------------+---------------------------------------+---------------------------------+ -| known_services.log | Tracks services and protocols used | :bro:type:`Known::ServicesInfo` | -| | during a session | | -+----------------------------+---------------------------------------+---------------------------------+ -| loaded_scripts.log | Shows all scripts loaded by Bro | :bro:type:`LoadedScripts::Info` | -+----------------------------+---------------------------------------+---------------------------------+ | modbus.log | Modbus protocol 
data | :bro:type:`Modbus::Info` | +----------------------------+---------------------------------------+---------------------------------+ | modbus_register_change.log | Tracks changes to holding registers | :bro:type:`Modbus::MemmapInfo` | +----------------------------+---------------------------------------+---------------------------------+ -| notice.log | Bro notices | :bro:type:`Notice::Info` | -+----------------------------+---------------------------------------+---------------------------------+ -| notice_alarm.log | The alarm stream | :bro:type:`Notice::Info` | -+----------------------------+---------------------------------------+---------------------------------+ -| packetfilter.log | Status of packet filters | :bro:type:`PacketFilter::Info` | -+----------------------------+---------------------------------------+---------------------------------+ | radius.log  | RADIUS authentication attempts | :bro:type:`RADIUS::Info` | +----------------------------+---------------------------------------+---------------------------------+ -| reporter.log | Records error messages, location, | :bro:type:`Reporter::Info` | -| | and severity | | -+----------------------------+---------------------------------------+---------------------------------+ | signatures.log | Tracks signatures used on TCP | :bro:type:`Signatures::Info` | | | connections | | +----------------------------+---------------------------------------+---------------------------------+ 
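Review bot: the notice_alarm.log row removed here links to :bro:type:`Notice::Info`, but the relocated row in the Bro Diagnostics table (earlier hunk) links to :bro:enum:`Notice::ACTION_ALARM` instead. The column is titled "Field Descriptions" and the alarm stream carries the same fields as notice.log, so keep the Notice::Info link there (the enum could be mentioned in the Description cell instead). If the link change is intentional, it is easier to review as its own commit rather than mixed into what is otherwise a pure row move.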
@@ -86,15 +108,10 @@ of the log file and links to descriptions of some of the fields for each log typ +----------------------------+---------------------------------------+---------------------------------+ | socks.log | SOCKS proxy requests | :bro:type:`SOCKS::Info` | +----------------------------+---------------------------------------+---------------------------------+ -| software.log | Software being used on the network | :bro:type:`Software::Info` | -+----------------------------+---------------------------------------+---------------------------------+ | ssh.log  | SSH connections | :bro:type:`SSH::Info` | +----------------------------+---------------------------------------+---------------------------------+ | ssl.log  | SSL/TLS handshake info | :bro:type:`SSL::Info` | +----------------------------+---------------------------------------+---------------------------------+ -| stats.log | Shows log memory/packet/lag | :bro:type:`Stats::Info` | -| | statistics | | -+----------------------------+---------------------------------------+---------------------------------+ | syslog.log  | Syslog messages and data | :bro:type:`Syslog::Info` | +----------------------------+---------------------------------------+---------------------------------+ | traceroute.log | Address and protocol data of a given | :bro:type:`Traceroute::Info` | 
@@ -102,11 +119,19 @@ of the log file and links to descriptions of some of the fields for each log typ +----------------------------+---------------------------------------+---------------------------------+ | tunnel.log | Tunnel data | :bro:type:`Tunnel::Info` | +----------------------------+---------------------------------------+---------------------------------+ -| unified2.log | Interprets Snort's unified output | :bro:type:`Unified2::Info` | -| | format | | -+----------------------------+---------------------------------------+---------------------------------+ | weird.log | Records unexpected protocol-level | :bro:type:`Weird::Info` | | | activity | | +----------------------------+---------------------------------------+---------------------------------+ | x509.log | Tracks X.509 certificates | :bro:type:`X509::Info` | +----------------------------+---------------------------------------+---------------------------------+ + +Software Asset Tracking +----------------------- + ++----------------------------+---------------------------------------+---------------------------------+ +| Log File | Description | Field Descriptions | ++============================+=======================================+=================================+ +| app_stats.log | Info about web apps in use on network | :bro:type:`AppStats::Info` | ++----------------------------+---------------------------------------+---------------------------------+ +| software.log | Software being used on the network | :bro:type:`Software::Info` | ++----------------------------+---------------------------------------+---------------------------------+
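Review bot: each new section heading, including "Software Asset Tracking" here, runs straight into its table with no introductory sentence, so nothing tells the reader why software.log and app_stats.log are tracked separately from, say, known_services.log in the Known_* table. One line under each new heading stating what the category covers would remove that ambiguity. Also confirm the file keeps a trailing newline after the final "+----+" border, since that border is now the last line of the document.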