zeek/doc/script-reference/log-files.rst
Tim Wojtulewicz ded98cd373 Copy docs into Zeek repo directly
This is based on commit 2731def9159247e6da8a3191783c89683363689c from the
zeek-docs repo.
2025-09-26 02:58:29 +00:00


.. _log-files:

=========
Log Files
=========

Listed below are the log files generated by Zeek, including a brief description
of each log file and links to descriptions of the fields for each log
type.

Network Protocols
-----------------
.. list-table::
   :header-rows: 1

   * - Log File
     - Description
     - Field Descriptions
   * - :file:`conn.log`
     - TCP/UDP/ICMP connections
     - :zeek:type:`Conn::Info`
   * - :file:`dce_rpc.log`
     - Distributed Computing Environment/RPC
     - :zeek:type:`DCE_RPC::Info`
   * - :file:`dhcp.log`
     - DHCP leases
     - :zeek:type:`DHCP::Info`
   * - :file:`dnp3.log`
     - DNP3 requests and replies
     - :zeek:type:`DNP3::Info`
   * - :file:`dns.log`
     - DNS activity
     - :zeek:type:`DNS::Info`
   * - :file:`ftp.log`
     - FTP activity
     - :zeek:type:`FTP::Info`
   * - :file:`http.log`
     - HTTP requests and replies
     - :zeek:type:`HTTP::Info`
   * - :file:`irc.log`
     - IRC commands and responses
     - :zeek:type:`IRC::Info`
   * - :file:`kerberos.log`
     - Kerberos
     - :zeek:type:`KRB::Info`
   * - :file:`ldap.log`
     - LDAP messages
     - :zeek:type:`LDAP::MessageInfo`
   * - :file:`ldap_search.log`
     - LDAP searches
     - :zeek:type:`LDAP::SearchInfo`
   * - :file:`modbus.log`
     - Modbus commands and responses
     - :zeek:type:`Modbus::Info`
   * - :file:`modbus_register_change.log`
     - Tracks changes to Modbus holding registers
     - :zeek:type:`Modbus::MemmapInfo`
   * - :file:`mysql.log`
     - MySQL
     - :zeek:type:`MySQL::Info`
   * - :file:`ntlm.log`
     - NT LAN Manager (NTLM)
     - :zeek:type:`NTLM::Info`
   * - :file:`ntp.log`
     - Network Time Protocol
     - :zeek:type:`NTP::Info`
   * - :file:`postgresql.log`
     - PostgreSQL events
     - :zeek:type:`PostgreSQL::Info`
   * - :file:`quic.log`
     - QUIC connections
     - :zeek:type:`QUIC::Info`
   * - :file:`radius.log`
     - RADIUS authentication attempts
     - :zeek:type:`RADIUS::Info`
   * - :file:`redis.log`
     - Redis commands
     - :zeek:type:`Redis::Info`
   * - :file:`rdp.log`
     - RDP
     - :zeek:type:`RDP::Info`
   * - :file:`rfb.log`
     - Remote Framebuffer (RFB)
     - :zeek:type:`RFB::Info`
   * - :file:`sip.log`
     - SIP
     - :zeek:type:`SIP::Info`
   * - :file:`smb_cmd.log`
     - SMB commands
     - :zeek:type:`SMB::CmdInfo`
   * - :file:`smb_files.log`
     - SMB files
     - :zeek:type:`SMB::FileInfo`
   * - :file:`smb_mapping.log`
     - SMB trees
     - :zeek:type:`SMB::TreeInfo`
   * - :file:`smtp.log`
     - SMTP transactions
     - :zeek:type:`SMTP::Info`
   * - :file:`snmp.log`
     - SNMP messages
     - :zeek:type:`SNMP::Info`
   * - :file:`socks.log`
     - SOCKS proxy requests
     - :zeek:type:`SOCKS::Info`
   * - :file:`ssh.log`
     - SSH connections
     - :zeek:type:`SSH::Info`
   * - :file:`ssl.log`
     - SSL/TLS handshake info
     - :zeek:type:`SSL::Info`
   * - :file:`syslog.log`
     - Syslog messages
     - :zeek:type:`Syslog::Info`
   * - :file:`tunnel.log`
     - Tunneling protocol events
     - :zeek:type:`Tunnel::Info`
   * - :file:`websocket.log`
     - WebSocket handshakes
     - :zeek:type:`WebSocket::Info`

Files
-----
.. list-table::
   :header-rows: 1

   * - Log File
     - Description
     - Field Descriptions
   * - :file:`files.log`
     - File analysis results
     - :zeek:type:`Files::Info`
   * - :file:`ocsp.log`
     - Online Certificate Status Protocol (OCSP). Only created if the policy script is loaded.
     - :zeek:type:`OCSP::Info`
   * - :file:`pe.log`
     - Portable Executable (PE)
     - :zeek:type:`PE::Info`
   * - :file:`x509.log`
     - X.509 certificate info
     - :zeek:type:`X509::Info`

NetControl
----------
.. list-table::
   :header-rows: 1

   * - Log File
     - Description
     - Field Descriptions
   * - :file:`netcontrol.log`
     - NetControl actions
     - :zeek:type:`NetControl::Info`
   * - :file:`netcontrol_drop.log`
     - NetControl actions
     - :zeek:type:`NetControl::DropInfo`
   * - :file:`netcontrol_shunt.log`
     - NetControl shunt actions
     - :zeek:type:`NetControl::ShuntInfo`
   * - :file:`netcontrol_catch_release.log`
     - NetControl catch and release actions
     - :zeek:type:`NetControl::CatchReleaseInfo`
   * - :file:`openflow.log`
     - OpenFlow debug log
     - :zeek:type:`OpenFlow::Info`

Detection
---------
.. list-table::
   :header-rows: 1

   * - Log File
     - Description
     - Field Descriptions
   * - :file:`intel.log`
     - Intelligence data matches
     - :zeek:type:`Intel::Info`
   * - :file:`notice.log`
     - Zeek notices
     - :zeek:type:`Notice::Info`
   * - :file:`notice_alarm.log`
     - The alarm stream
     - :zeek:type:`Notice::Info`
   * - :file:`signatures.log`
     - Signature matches
     - :zeek:type:`Signatures::Info`
   * - :file:`traceroute.log`
     - Traceroute detection
     - :zeek:type:`Traceroute::Info`

Network Observations
--------------------
.. list-table::
   :header-rows: 1

   * - Log File
     - Description
     - Field Descriptions
   * - :file:`known_certs.log`
     - SSL certificates
     - :zeek:type:`Known::CertsInfo`
   * - :file:`known_hosts.log`
     - Hosts that have completed TCP handshakes
     - :zeek:type:`Known::HostsInfo`
   * - :file:`known_modbus.log`
     - Modbus masters and slaves
     - :zeek:type:`Known::ModbusInfo`
   * - :file:`known_services.log`
     - Services running on hosts
     - :zeek:type:`Known::ServicesInfo`
   * - :file:`software.log`
     - Software being used on the network
     - :zeek:type:`Software::Info`

Miscellaneous
-------------
.. list-table::
   :header-rows: 1

   * - Log File
     - Description
     - Field Descriptions
   * - :file:`analyzer.log`
     - Protocol, packet or file analyzer violations
     - :zeek:type:`Analyzer::Logging::Info`
   * - :file:`analyzer_debug.log`
     - Protocol, packet or file analyzer debug information
     - :zeek:type:`Analyzer::DebugLogging::Info`
   * - :file:`telemetry.log`
     - Zeek operational telemetry
     - :zeek:type:`Telemetry::Info`
   * - :file:`unknown_protocols.log`
     - Information about packet protocols that Zeek doesn't know how to process
     - :zeek:type:`UnknownProtocol::Info`
   * - :file:`weird.log`
     - Unexpected network-level activity
     - :zeek:type:`Weird::Info`
   * - :file:`weird_stats.log`
     - Statistics about unexpected activity
     - :zeek:type:`WeirdStats::Info`

Zeek Diagnostics
----------------
.. list-table::
   :header-rows: 1

   * - Log File
     - Description
     - Field Descriptions
   * - :file:`broker.log`
     - Peering status events between Zeek or Broker-enabled processes
     - :zeek:type:`Broker::Info`
   * - :file:`capture_loss.log`
     - Packet loss rate
     - :zeek:type:`CaptureLoss::Info`
   * - :file:`cluster.log`
     - Zeek cluster messages
     - :zeek:type:`Cluster::Info`
   * - :file:`config.log`
     - Configuration option changes
     - :zeek:type:`Config::Info`
   * - :file:`loaded_scripts.log`
     - Shows all scripts loaded by Zeek
     - :zeek:type:`LoadedScripts::Info`
   * - :file:`packet_filter.log`
     - Lists the packet filters that were applied
     - :zeek:type:`PacketFilter::Info`
   * - :file:`print.log`
     - Print statements that were redirected to a log stream
     - :zeek:type:`Log::PrintLogInfo`
   * - :file:`prof.log`
     - Profiling statistics (to create this log, load
       :doc:`/scripts/policy/misc/profiling.zeek`)
     - N/A
   * - :file:`reporter.log`
     - Internal error/warning/info messages
     - :zeek:type:`Reporter::Info`
   * - :file:`stats.log`
     - Memory/event/packet/lag statistics
     - :zeek:type:`Stats::Info`
   * - :file:`stderr.log`
     - Captures standard error when Zeek is started from ZeekControl
     - N/A
   * - :file:`stdout.log`
     - Captures standard output when Zeek is started from ZeekControl
     - N/A