=========
Log Files
=========

Listed below are the log files generated by Bro, including a brief
description of the log file and links to descriptions of the fields
for each log type.

Network Protocols
-----------------

+----------------------------+---------------------------------------+---------------------------------+
| Log File                   | Description                           | Field Descriptions              |
+============================+=======================================+=================================+
| conn.log                   | TCP/UDP/ICMP connections              | :bro:type:`Conn::Info`          |
+----------------------------+---------------------------------------+---------------------------------+
| dce_rpc.log                | Distributed Computing Environment/RPC | :bro:type:`DCE_RPC::Info`       |
+----------------------------+---------------------------------------+---------------------------------+
| dhcp.log                   | DHCP leases                           | :bro:type:`DHCP::Info`          |
+----------------------------+---------------------------------------+---------------------------------+
| dnp3.log                   | DNP3 requests and replies             | :bro:type:`DNP3::Info`          |
+----------------------------+---------------------------------------+---------------------------------+
| dns.log                    | DNS activity                          | :bro:type:`DNS::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| ftp.log                    | FTP activity                          | :bro:type:`FTP::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| http.log                   | HTTP requests and replies             | :bro:type:`HTTP::Info`          |
+----------------------------+---------------------------------------+---------------------------------+
| irc.log                    | IRC commands and responses            | :bro:type:`IRC::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| kerberos.log               | Kerberos                              | :bro:type:`KRB::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| modbus.log                 | Modbus commands and responses         | :bro:type:`Modbus::Info`        |
+----------------------------+---------------------------------------+---------------------------------+
| modbus_register_change.log | Tracks changes to Modbus holding      | :bro:type:`Modbus::MemmapInfo`  |
|                            | registers                             |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| mysql.log                  | MySQL                                 | :bro:type:`MySQL::Info`         |
+----------------------------+---------------------------------------+---------------------------------+
| ntlm.log                   | NT LAN Manager (NTLM)                 | :bro:type:`NTLM::Info`          |
+----------------------------+---------------------------------------+---------------------------------+
| radius.log                 | RADIUS authentication attempts        | :bro:type:`RADIUS::Info`        |
+----------------------------+---------------------------------------+---------------------------------+
| rdp.log                    | RDP                                   | :bro:type:`RDP::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| rfb.log                    | Remote Framebuffer (RFB)              | :bro:type:`RFB::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| sip.log                    | SIP                                   | :bro:type:`SIP::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| smb_cmd.log                | SMB commands                          | :bro:type:`SMB::CmdInfo`        |
+----------------------------+---------------------------------------+---------------------------------+
| smb_files.log              | SMB files                             | :bro:type:`SMB::FileInfo`       |
+----------------------------+---------------------------------------+---------------------------------+
| smb_mapping.log            | SMB trees                             | :bro:type:`SMB::TreeInfo`       |
+----------------------------+---------------------------------------+---------------------------------+
| smtp.log                   | SMTP transactions                     | :bro:type:`SMTP::Info`          |
+----------------------------+---------------------------------------+---------------------------------+
| snmp.log                   | SNMP messages                         | :bro:type:`SNMP::Info`          |
+----------------------------+---------------------------------------+---------------------------------+
| socks.log                  | SOCKS proxy requests                  | :bro:type:`SOCKS::Info`         |
+----------------------------+---------------------------------------+---------------------------------+
| ssh.log                    | SSH connections                       | :bro:type:`SSH::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| ssl.log                    | SSL/TLS handshake info                | :bro:type:`SSL::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| syslog.log                 | Syslog messages                       | :bro:type:`Syslog::Info`        |
+----------------------------+---------------------------------------+---------------------------------+
| tunnel.log                 | Tunneling protocol events             | :bro:type:`Tunnel::Info`        |
+----------------------------+---------------------------------------+---------------------------------+

Files
-----

+----------------------------+---------------------------------------+---------------------------------+
| Log File                   | Description                           | Field Descriptions              |
+============================+=======================================+=================================+
| files.log                  | File analysis results                 | :bro:type:`Files::Info`         |
+----------------------------+---------------------------------------+---------------------------------+
| ocsp.log                   | Online Certificate Status Protocol    | :bro:type:`OCSP::Info`          |
|                            | (OCSP). Only created if policy script |                                 |
|                            | is loaded.                            |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| pe.log                     | Portable Executable (PE)              | :bro:type:`PE::Info`            |
+----------------------------+---------------------------------------+---------------------------------+
| x509.log                   | X.509 certificate info                | :bro:type:`X509::Info`          |
+----------------------------+---------------------------------------+---------------------------------+

NetControl
----------

+------------------------------+---------------------------------------+------------------------------------------+
| Log File                     | Description                           | Field Descriptions                       |
+==============================+=======================================+==========================================+
| netcontrol.log               | NetControl actions                    | :bro:type:`NetControl::Info`             |
+------------------------------+---------------------------------------+------------------------------------------+
| netcontrol_drop.log          | NetControl actions                    | :bro:type:`NetControl::DropInfo`         |
+------------------------------+---------------------------------------+------------------------------------------+
| netcontrol_shunt.log         | NetControl shunt actions              | :bro:type:`NetControl::ShuntInfo`        |
+------------------------------+---------------------------------------+------------------------------------------+
| netcontrol_catch_release.log | NetControl catch and release actions  | :bro:type:`NetControl::CatchReleaseInfo` |
+------------------------------+---------------------------------------+------------------------------------------+
| openflow.log                 | OpenFlow debug log                    | :bro:type:`OpenFlow::Info`               |
+------------------------------+---------------------------------------+------------------------------------------+

Detection
---------

+----------------------------+---------------------------------------+---------------------------------+
| Log File                   | Description                           | Field Descriptions              |
+============================+=======================================+=================================+
| intel.log                  | Intelligence data matches             | :bro:type:`Intel::Info`         |
+----------------------------+---------------------------------------+---------------------------------+
| notice.log                 | Bro notices                           | :bro:type:`Notice::Info`        |
+----------------------------+---------------------------------------+---------------------------------+
| notice_alarm.log           | The alarm stream                      | :bro:enum:`Notice::Info`        |
+----------------------------+---------------------------------------+---------------------------------+
| signatures.log             | Signature matches                     | :bro:type:`Signatures::Info`    |
+----------------------------+---------------------------------------+---------------------------------+
| traceroute.log             | Traceroute detection                  | :bro:type:`Traceroute::Info`    |
+----------------------------+---------------------------------------+---------------------------------+

Network Observations
--------------------

+----------------------------+---------------------------------------+---------------------------------+
| Log File                   | Description                           | Field Descriptions              |
+============================+=======================================+=================================+
| known_certs.log            | SSL certificates                      | :bro:type:`Known::CertsInfo`    |
+----------------------------+---------------------------------------+---------------------------------+
| known_hosts.log            | Hosts that have completed TCP         | :bro:type:`Known::HostsInfo`    |
|                            | handshakes                            |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| known_modbus.log           | Modbus masters and slaves             | :bro:type:`Known::ModbusInfo`   |
+----------------------------+---------------------------------------+---------------------------------+
| known_services.log         | Services running on hosts             | :bro:type:`Known::ServicesInfo` |
+----------------------------+---------------------------------------+---------------------------------+
| software.log               | Software being used on the network    | :bro:type:`Software::Info`      |
+----------------------------+---------------------------------------+---------------------------------+

Miscellaneous
-------------

+----------------------------+---------------------------------------+---------------------------------+
| Log File                   | Description                           | Field Descriptions              |
+============================+=======================================+=================================+
| barnyard2.log              | Alerts received from Barnyard2        | :bro:type:`Barnyard2::Info`     |
+----------------------------+---------------------------------------+---------------------------------+
| dpd.log                    | Dynamic protocol detection failures   | :bro:type:`DPD::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| unified2.log               | Interprets Snort's unified output     | :bro:type:`Unified2::Info`      |
+----------------------------+---------------------------------------+---------------------------------+
| weird.log                  | Unexpected network-level activity     | :bro:type:`Weird::Info`         |
+----------------------------+---------------------------------------+---------------------------------+
| weird_stats.log            | Statistics about unexpected activity  | :bro:type:`WeirdStats::Info`    |
+----------------------------+---------------------------------------+---------------------------------+

Bro Diagnostics
---------------

+----------------------------+---------------------------------------+---------------------------------+
| Log File                   | Description                           | Field Descriptions              |
+============================+=======================================+=================================+
| broker.log                 | Peering status events between Bro or  | :bro:type:`Broker::Info`        |
|                            | Broker-enabled processes              |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| capture_loss.log           | Packet loss rate                      | :bro:type:`CaptureLoss::Info`   |
+----------------------------+---------------------------------------+---------------------------------+
| cluster.log                | Bro cluster messages                  | :bro:type:`Cluster::Info`       |
+----------------------------+---------------------------------------+---------------------------------+
| config.log                 | Configuration option changes          | :bro:type:`Config::Info`        |
+----------------------------+---------------------------------------+---------------------------------+
| loaded_scripts.log         | Shows all scripts loaded by Bro       | :bro:type:`LoadedScripts::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| packet_filter.log          | List packet filters that were applied | :bro:type:`PacketFilter::Info`  |
+----------------------------+---------------------------------------+---------------------------------+
| prof.log                   | Profiling statistics (to create this  | N/A                             |
|                            | log, load policy/misc/profiling.bro)  |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| reporter.log               | Internal error/warning/info messages  | :bro:type:`Reporter::Info`      |
+----------------------------+---------------------------------------+---------------------------------+
| stats.log                  | Memory/event/packet/lag statistics    | :bro:type:`Stats::Info`         |
+----------------------------+---------------------------------------+---------------------------------+
| stderr.log                 | Captures standard error when Bro is   | N/A                             |
|                            | started from BroControl               |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| stdout.log                 | Captures standard output when Bro is  | N/A                             |
|                            | started from BroControl               |                                 |
+----------------------------+---------------------------------------+---------------------------------+