.. _log-files:

=========
Log Files
=========

Listed below are the log files generated by Zeek, including a brief
description of the log file and links to descriptions of the fields for
each log type.

Network Protocols
-----------------

.. list-table::
   :header-rows: 1

   * - Log File
     - Description
     - Field Descriptions
   * - :file:`conn.log`
     - TCP/UDP/ICMP connections
     - :zeek:type:`Conn::Info`
   * - :file:`dce_rpc.log`
     - Distributed Computing Environment/RPC
     - :zeek:type:`DCE_RPC::Info`
   * - :file:`dhcp.log`
     - DHCP leases
     - :zeek:type:`DHCP::Info`
   * - :file:`dnp3.log`
     - DNP3 requests and replies
     - :zeek:type:`DNP3::Info`
   * - :file:`dns.log`
     - DNS activity
     - :zeek:type:`DNS::Info`
   * - :file:`ftp.log`
     - FTP activity
     - :zeek:type:`FTP::Info`
   * - :file:`http.log`
     - HTTP requests and replies
     - :zeek:type:`HTTP::Info`
   * - :file:`irc.log`
     - IRC commands and responses
     - :zeek:type:`IRC::Info`
   * - :file:`kerberos.log`
     - Kerberos
     - :zeek:type:`KRB::Info`
   * - :file:`ldap.log`
     - LDAP messages
     - :zeek:type:`LDAP::MessageInfo`
   * - :file:`ldap_search.log`
     - LDAP searches
     - :zeek:type:`LDAP::SearchInfo`
   * - :file:`modbus.log`
     - Modbus commands and responses
     - :zeek:type:`Modbus::Info`
   * - :file:`modbus_register_change.log`
     - Tracks changes to Modbus holding registers
     - :zeek:type:`Modbus::MemmapInfo`
   * - :file:`mysql.log`
     - MySQL
     - :zeek:type:`MySQL::Info`
   * - :file:`ntlm.log`
     - NT LAN Manager (NTLM)
     - :zeek:type:`NTLM::Info`
   * - :file:`ntp.log`
     - Network Time Protocol
     - :zeek:type:`NTP::Info`
   * - :file:`postgresql.log`
     - PostgreSQL events
     - :zeek:type:`PostgreSQL::Info`
   * - :file:`quic.log`
     - QUIC connections
     - :zeek:type:`QUIC::Info`
   * - :file:`radius.log`
     - RADIUS authentication attempts
     - :zeek:type:`RADIUS::Info`
   * - :file:`redis.log`
     - Redis commands
     - :zeek:type:`Redis::Info`
   * - :file:`rdp.log`
     - RDP
     - :zeek:type:`RDP::Info`
   * - :file:`rfb.log`
     - Remote Framebuffer (RFB)
     - :zeek:type:`RFB::Info`
   * - :file:`sip.log`
     - SIP
     - :zeek:type:`SIP::Info`
   * - :file:`smb_cmd.log`
     - SMB commands
     - :zeek:type:`SMB::CmdInfo`
   * - :file:`smb_files.log`
     - SMB files
     - :zeek:type:`SMB::FileInfo`
   * - :file:`smb_mapping.log`
     - SMB trees
     - :zeek:type:`SMB::TreeInfo`
   * - :file:`smtp.log`
     - SMTP transactions
     - :zeek:type:`SMTP::Info`
   * - :file:`snmp.log`
     - SNMP messages
     - :zeek:type:`SNMP::Info`
   * - :file:`socks.log`
     - SOCKS proxy requests
     - :zeek:type:`SOCKS::Info`
   * - :file:`ssh.log`
     - SSH connections
     - :zeek:type:`SSH::Info`
   * - :file:`ssl.log`
     - SSL/TLS handshake info
     - :zeek:type:`SSL::Info`
   * - :file:`syslog.log`
     - Syslog messages
     - :zeek:type:`Syslog::Info`
   * - :file:`tunnel.log`
     - Tunneling protocol events
     - :zeek:type:`Tunnel::Info`
   * - :file:`websocket.log`
     - WebSocket handshakes
     - :zeek:type:`WebSocket::Info`

Files
-----

.. list-table::
   :header-rows: 1

   * - Log File
     - Description
     - Field Descriptions
   * - :file:`files.log`
     - File analysis results
     - :zeek:type:`Files::Info`
   * - :file:`ocsp.log`
     - Online Certificate Status Protocol (OCSP). Only created if the policy
       script is loaded.
     - :zeek:type:`OCSP::Info`
   * - :file:`pe.log`
     - Portable Executable (PE)
     - :zeek:type:`PE::Info`
   * - :file:`x509.log`
     - X.509 certificate info
     - :zeek:type:`X509::Info`

NetControl
----------

.. list-table::
   :header-rows: 1

   * - Log File
     - Description
     - Field Descriptions
   * - :file:`netcontrol.log`
     - NetControl actions
     - :zeek:type:`NetControl::Info`
   * - :file:`netcontrol_drop.log`
     - NetControl actions
     - :zeek:type:`NetControl::DropInfo`
   * - :file:`netcontrol_shunt.log`
     - NetControl shunt actions
     - :zeek:type:`NetControl::ShuntInfo`
   * - :file:`netcontrol_catch_release.log`
     - NetControl catch and release actions
     - :zeek:type:`NetControl::CatchReleaseInfo`
   * - :file:`openflow.log`
     - OpenFlow debug log
     - :zeek:type:`OpenFlow::Info`

Detection
---------

.. list-table::
   :header-rows: 1

   * - Log File
     - Description
     - Field Descriptions
   * - :file:`intel.log`
     - Intelligence data matches
     - :zeek:type:`Intel::Info`
   * - :file:`notice.log`
     - Zeek notices
     - :zeek:type:`Notice::Info`
   * - :file:`notice_alarm.log`
     - The alarm stream
     - :zeek:type:`Notice::Info`
   * - :file:`signatures.log`
     - Signature matches
     - :zeek:type:`Signatures::Info`
   * - :file:`traceroute.log`
     - Traceroute detection
     - :zeek:type:`Traceroute::Info`

Network Observations
--------------------

.. list-table::
   :header-rows: 1

   * - Log File
     - Description
     - Field Descriptions
   * - :file:`known_certs.log`
     - SSL certificates
     - :zeek:type:`Known::CertsInfo`
   * - :file:`known_hosts.log`
     - Hosts that have completed TCP handshakes
     - :zeek:type:`Known::HostsInfo`
   * - :file:`known_modbus.log`
     - Modbus masters and slaves
     - :zeek:type:`Known::ModbusInfo`
   * - :file:`known_services.log`
     - Services running on hosts
     - :zeek:type:`Known::ServicesInfo`
   * - :file:`software.log`
     - Software being used on the network
     - :zeek:type:`Software::Info`

Miscellaneous
-------------

.. list-table::
   :header-rows: 1

   * - Log File
     - Description
     - Field Descriptions
   * - :file:`analyzer.log`
     - Protocol, packet or file analyzer violations
     - :zeek:type:`Analyzer::Logging::Info`
   * - :file:`analyzer_debug.log`
     - Protocol, packet or file analyzer debug information
     - :zeek:type:`Analyzer::DebugLogging::Info`
   * - :file:`telemetry.log`
     - Zeek operational telemetry
     - :zeek:type:`Telemetry::Info`
   * - :file:`unknown_protocols.log`
     - Information about packet protocols that Zeek doesn't know how to
       process
     - :zeek:type:`UnknownProtocol::Info`
   * - :file:`weird.log`
     - Unexpected network-level activity
     - :zeek:type:`Weird::Info`
   * - :file:`weird_stats.log`
     - Statistics about unexpected activity
     - :zeek:type:`WeirdStats::Info`

Zeek Diagnostics
----------------

.. list-table::
   :header-rows: 1

   * - Log File
     - Description
     - Field Descriptions
   * - :file:`broker.log`
     - Peering status events between Zeek or Broker-enabled processes
     - :zeek:type:`Broker::Info`
   * - :file:`capture_loss.log`
     - Packet loss rate
     - :zeek:type:`CaptureLoss::Info`
   * - :file:`cluster.log`
     - Zeek cluster messages
     - :zeek:type:`Cluster::Info`
   * - :file:`config.log`
     - Configuration option changes
     - :zeek:type:`Config::Info`
   * - :file:`loaded_scripts.log`
     - Shows all scripts loaded by Zeek
     - :zeek:type:`LoadedScripts::Info`
   * - :file:`packet_filter.log`
     - Lists packet filters that were applied
     - :zeek:type:`PacketFilter::Info`
   * - :file:`print.log`
     - Print statements that were redirected to a log stream
     - :zeek:type:`Log::PrintLogInfo`
   * - :file:`prof.log`
     - Profiling statistics (to create this log, load
       :doc:`/scripts/policy/misc/profiling.zeek`)
     - N/A
   * - :file:`reporter.log`
     - Internal error/warning/info messages
     - :zeek:type:`Reporter::Info`
   * - :file:`stats.log`
     - Memory/event/packet/lag statistics
     - :zeek:type:`Stats::Info`
   * - :file:`stderr.log`
     - Captures standard error when Zeek is started from ZeekControl
     - N/A
   * - :file:`stdout.log`
     - Captures standard output when Zeek is started from ZeekControl
     - N/A