Broke down logs into grouped sections based on use & origin

Jeannette Dopheide 2014-09-25 10:22:46 -05:00
parent e402a224d8
commit 16c70a5179


@ -7,15 +7,15 @@ and the events generated in a series of relevant log files. These files can
later be reviewed for monitoring, auditing and troubleshooting purposes. later be reviewed for monitoring, auditing and troubleshooting purposes.
Listed below are the log files generated by Bro, including a brief description Listed below are the log files generated by Bro, including a brief description
of the log file and links to descriptions of some of the fields for each log type. of the log file and links to descriptions of some of the fields for each log
type.
Bro Diagnostics
---------------
+----------------------------+---------------------------------------+---------------------------------+ +----------------------------+---------------------------------------+---------------------------------+
| Log File | Description | Field Descriptions | | Log File | Description | Field Descriptions |
+============================+=======================================+=================================+ +============================+=======================================+=================================+
| app_stats.log | Info about web apps in use on network | :bro:type:`AppStats::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| barnyard2.log | Alerts received from Barnyard2 | :bro:type:`Barnyard2::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| capture_loss.log | Packet loss rate | :bro:type:`CaptureLoss::Info` | | capture_loss.log | Packet loss rate | :bro:type:`CaptureLoss::Info` |
+----------------------------+---------------------------------------+---------------------------------+ +----------------------------+---------------------------------------+---------------------------------+
| cluster.log | Cluster messages | :bro:type:`Cluster::Info` | | cluster.log | Cluster messages | :bro:type:`Cluster::Info` |
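Review bot: the new `Bro Diagnostics` title sits directly between the intro paragraph and the table's top border in this hunk with no blank line visible on either side; reStructuredText requires a blank line before and after a section title, otherwise the title underline runs into the grid table and neither parses. If the blank lines were only dropped by this rendering, nothing to do; otherwise add them. The reflow of the `of the log file and links to descriptions ...` sentence onto two lines is fine, and the `app_stats.log` and `barnyard2.log` rows dropped here reappear in the new sections further down.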
@ -23,6 +23,55 @@ of the log file and links to descriptions of some of the fields for each log typ
| communication.log | Connections to remote Bro or Broccoli | :bro:type:`Communication::Info` | | communication.log | Connections to remote Bro or Broccoli | :bro:type:`Communication::Info` |
| | instances | | | | instances | |
+----------------------------+---------------------------------------+---------------------------------+ +----------------------------+---------------------------------------+---------------------------------+
| intel.log | Details about the intelligence | :bro:type:`Intel::Info` |
| | framework | |
+----------------------------+---------------------------------------+---------------------------------+
| loaded_scripts.log | Shows all scripts loaded by Bro | :bro:type:`LoadedScripts::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| notice.log | Bro notices | :bro:type:`Notice::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| notice_alarm.log | The alarm stream | :bro:enum:`Notice::ACTION_ALARM`|
+----------------------------+---------------------------------------+---------------------------------+
| packetfilter.log | Status of packet filters | :bro:type:`PacketFilter::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| reporter.log | Records error messages, location, | :bro:type:`Reporter::Info` |
| | and severity | |
+----------------------------+---------------------------------------+---------------------------------+
| stats.log | Shows log memory/packet/lag | :bro:type:`Stats::Info` |
| | statistics | |
+----------------------------+---------------------------------------+---------------------------------+
| unified2.log | Interprets Snort's unified output | :bro:type:`Unified2::Info` |
| | format | |
+----------------------------+---------------------------------------+---------------------------------+
Known_* Logs
------------
+----------------------------+---------------------------------------+---------------------------------+
| Log File | Description | Field Descriptions |
+============================+=======================================+=================================+
| known_certs.log | SSL certificates used | :bro:type:`Known::CertsInfo` |
+----------------------------+---------------------------------------+---------------------------------+
| known_devices.log | MAC addresses of devices on the | :bro:type:`Known::DevicesInfo` |
| | network | |
+----------------------------+---------------------------------------+---------------------------------+
| known_hosts.log | Daily record of completed TCP | :bro:type:`Known::HostsInfo` |
| | handshakes | |
+----------------------------+---------------------------------------+---------------------------------+
| known_modbus.log | Modbus masters and workers | :bro:type:`Known::ModbusInfo` |
+----------------------------+---------------------------------------+---------------------------------+
| known_services.log | Tracks services and protocols used | :bro:type:`Known::ServicesInfo` |
| | during a session | |
+----------------------------+---------------------------------------+---------------------------------+
Network Activity
----------------
+----------------------------+---------------------------------------+---------------------------------+
| Log File | Description | Field Descriptions |
+============================+=======================================+=================================+
| barnyard2.log | Alerts received from Barnyard2 | :bro:type:`Barnyard2::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| conn.log  | Connection info | :bro:type:`Conn::Info` | | conn.log  | Connection info | :bro:type:`Conn::Info` |
+----------------------------+---------------------------------------+---------------------------------+ +----------------------------+---------------------------------------+---------------------------------+
| dhcp.log  | DHCP leases | :bro:type:`DHCP::Info` | | dhcp.log  | DHCP leases | :bro:type:`DHCP::Info` |
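Review bot: the placement of the external-IDS logs is inconsistent in this hunk: `barnyard2.log` (Alerts received from Barnyard2) goes under Network Activity, while `unified2.log` (Interprets Snort's unified output format) stays under Bro Diagnostics, although both carry alerts from another sensor rather than information about Bro's own health; the same question applies to `intel.log`, whose intelligence-framework hits are detection output, not diagnostics. Suggest putting all three in the same section. Separately, the `notice_alarm.log` cell `:bro:enum:`Notice::ACTION_ALARM`|` is the only one in the file with no space before the closing `|`, so it appears to fill the column exactly; it renders, but any further edit to that cell will break the grid, so consider widening the column.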
@ -42,41 +91,14 @@ of the log file and links to descriptions of some of the fields for each log typ
+----------------------------+---------------------------------------+---------------------------------+ +----------------------------+---------------------------------------+---------------------------------+
| http.log | HTTP requests and replies | :bro:type:`HTTP::Info` | | http.log | HTTP requests and replies | :bro:type:`HTTP::Info` |
+----------------------------+---------------------------------------+---------------------------------+ +----------------------------+---------------------------------------+---------------------------------+
| intel.log | Details about the intelligence | :bro:type:`Intel::Info` |
| | framework | |
+----------------------------+---------------------------------------+---------------------------------+
| irc.log | IRC commands and responses | :bro:type:`IRC::Info` | | irc.log | IRC commands and responses | :bro:type:`IRC::Info` |
+----------------------------+---------------------------------------+---------------------------------+ +----------------------------+---------------------------------------+---------------------------------+
| known_certs.log | SSL certificates used | :bro:type:`Known::CertsInfo` |
+----------------------------+---------------------------------------+---------------------------------+
| known_devices.log | MAC addresses of devices on the | :bro:type:`Known::DevicesInfo` |
| | network | |
+----------------------------+---------------------------------------+---------------------------------+
| known_hosts.log | Daily record of completed TCP | :bro:type:`Known::HostsInfo` |
| | handshakes | |
+----------------------------+---------------------------------------+---------------------------------+
| known_modbus.log | Modbus masters and workers | :bro:type:`Known::ModbusInfo` |
+----------------------------+---------------------------------------+---------------------------------+
| known_services.log | Tracks services and protocols used | :bro:type:`Known::ServicesInfo` |
| | during a session | |
+----------------------------+---------------------------------------+---------------------------------+
| loaded_scripts.log | Shows all scripts loaded by Bro | :bro:type:`LoadedScripts::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| modbus.log | Modbus protocol data | :bro:type:`Modbus::Info` | | modbus.log | Modbus protocol data | :bro:type:`Modbus::Info` |
+----------------------------+---------------------------------------+---------------------------------+ +----------------------------+---------------------------------------+---------------------------------+
| modbus_register_change.log | Tracks changes to holding registers | :bro:type:`Modbus::MemmapInfo` | | modbus_register_change.log | Tracks changes to holding registers | :bro:type:`Modbus::MemmapInfo` |
+----------------------------+---------------------------------------+---------------------------------+ +----------------------------+---------------------------------------+---------------------------------+
| notice.log | Bro notices | :bro:type:`Notice::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| notice_alarm.log | The alarm stream | :bro:type:`Notice::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| packetfilter.log | Status of packet filters | :bro:type:`PacketFilter::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| radius.log  | RADIUS authentication attempts | :bro:type:`RADIUS::Info` | | radius.log  | RADIUS authentication attempts | :bro:type:`RADIUS::Info` |
+----------------------------+---------------------------------------+---------------------------------+ +----------------------------+---------------------------------------+---------------------------------+
| reporter.log | Records error messages, location, | :bro:type:`Reporter::Info` |
| | and severity | |
+----------------------------+---------------------------------------+---------------------------------+
| signatures.log | Tracks signatures used on TCP | :bro:type:`Signatures::Info` | | signatures.log | Tracks signatures used on TCP | :bro:type:`Signatures::Info` |
| | connections | | | | connections | |
+----------------------------+---------------------------------------+---------------------------------+ +----------------------------+---------------------------------------+---------------------------------+
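Review bot: one row does not survive the move unchanged: the removed `notice_alarm.log` entry links `:bro:type:`Notice::Info``, while its replacement in the new Bro Diagnostics table links `:bro:enum:`Notice::ACTION_ALARM``. The column is headed Field Descriptions and every other cell in the file links a record type, so an enum value that names an action rather than the log's fields is out of place; keep `Notice::Info`, as the previous version did, or say in the Description cell that this log holds the subset of notices carrying that action. The other removed rows here (`intel.log`, the `known_*` logs, `loaded_scripts.log`, `notice.log`, `packetfilter.log`, `reporter.log`) reappear verbatim in the new sections.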
@ -86,15 +108,10 @@ of the log file and links to descriptions of some of the fields for each log typ
+----------------------------+---------------------------------------+---------------------------------+ +----------------------------+---------------------------------------+---------------------------------+
| socks.log | SOCKS proxy requests | :bro:type:`SOCKS::Info` | | socks.log | SOCKS proxy requests | :bro:type:`SOCKS::Info` |
+----------------------------+---------------------------------------+---------------------------------+ +----------------------------+---------------------------------------+---------------------------------+
| software.log | Software being used on the network | :bro:type:`Software::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| ssh.log  | SSH connections | :bro:type:`SSH::Info` | | ssh.log  | SSH connections | :bro:type:`SSH::Info` |
+----------------------------+---------------------------------------+---------------------------------+ +----------------------------+---------------------------------------+---------------------------------+
| ssl.log  | SSL/TLS handshake info | :bro:type:`SSL::Info` | | ssl.log  | SSL/TLS handshake info | :bro:type:`SSL::Info` |
+----------------------------+---------------------------------------+---------------------------------+ +----------------------------+---------------------------------------+---------------------------------+
| stats.log | Shows log memory/packet/lag | :bro:type:`Stats::Info` |
| | statistics | |
+----------------------------+---------------------------------------+---------------------------------+
| syslog.log  | Syslog messages and data | :bro:type:`Syslog::Info` | | syslog.log  | Syslog messages and data | :bro:type:`Syslog::Info` |
+----------------------------+---------------------------------------+---------------------------------+ +----------------------------+---------------------------------------+---------------------------------+
| traceroute.log | Address and protocol data of a given | :bro:type:`Traceroute::Info` | | traceroute.log | Address and protocol data of a given | :bro:type:`Traceroute::Info` |
@ -102,11 +119,19 @@ of the log file and links to descriptions of some of the fields for each log typ
+----------------------------+---------------------------------------+---------------------------------+ +----------------------------+---------------------------------------+---------------------------------+
| tunnel.log | Tunnel data | :bro:type:`Tunnel::Info` | | tunnel.log | Tunnel data | :bro:type:`Tunnel::Info` |
+----------------------------+---------------------------------------+---------------------------------+ +----------------------------+---------------------------------------+---------------------------------+
| unified2.log | Interprets Snort's unified output | :bro:type:`Unified2::Info` |
| | format | |
+----------------------------+---------------------------------------+---------------------------------+
| weird.log | Records unexpected protocol-level | :bro:type:`Weird::Info` | | weird.log | Records unexpected protocol-level | :bro:type:`Weird::Info` |
| | activity | | | | activity | |
+----------------------------+---------------------------------------+---------------------------------+ +----------------------------+---------------------------------------+---------------------------------+
| x509.log | Tracks X.509 certificates | :bro:type:`X509::Info` | | x509.log | Tracks X.509 certificates | :bro:type:`X509::Info` |
+----------------------------+---------------------------------------+---------------------------------+ +----------------------------+---------------------------------------+---------------------------------+
Software Asset Tracking
-----------------------
+----------------------------+---------------------------------------+---------------------------------+
| Log File | Description | Field Descriptions |
+============================+=======================================+=================================+
| app_stats.log | Info about web apps in use on network | :bro:type:`AppStats::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| software.log | Software being used on the network | :bro:type:`Software::Info` |
+----------------------------+---------------------------------------+---------------------------------+
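Review bot: the new `Software Asset Tracking` title follows the `x509.log` row's bottom border with no blank line visible, so the same blank-line check as for the other new section titles applies. More substantively, this section groups by use (`app_stats.log`, `software.log`), whereas the `Known_*` section groups by file name: `known_devices.log` (MAC addresses of devices on the network) and `known_services.log` (services and protocols used during a session) are asset-tracking data by the commit's own criterion of use and origin. Either fold those rows in here or give the `Known_*` section a title that says what it records, so the two grouping schemes do not conflict. The `unified2.log` row removed here is re-added under Bro Diagnostics.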