zeek/doc/script-reference/log-files.rst
2014-09-22 10:59:05 -05:00

=========
Log Files
=========
As a monitoring tool, Bro records a detailed view of the traffic inspected
and the events generated in a series of relevant log files. These files can
later be reviewed for monitoring, auditing and troubleshooting purposes.
Listed below are the log files generated by Bro, including a brief description
of the log file and links to descriptions of some of the fields for each log type.

+----------------------------+---------------------------------------+---------------------------------+
| Log File                   | Description                           | Field Descriptions              |
+============================+=======================================+=================================+
| app_stats.log              | Info about web apps in use on network | :bro:type:`AppStats::Info`      |
+----------------------------+---------------------------------------+---------------------------------+
| barnyard2.log              | Alerts received from Barnyard2        | :bro:type:`Barnyard2::Info`     |
+----------------------------+---------------------------------------+---------------------------------+
| capture_loss.log           | Packet loss rate                      | :bro:type:`CaptureLoss::Info`   |
+----------------------------+---------------------------------------+---------------------------------+
| cluster.log                | Cluster messages                      | :bro:type:`Cluster::Info`       |
+----------------------------+---------------------------------------+---------------------------------+
| communication.log          | Connections to remote Bro or Broccoli | :bro:type:`Communication::Info` |
|                            | instances                             |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| conn.log                   | Connection info                       | :bro:type:`Conn::Info`          |
+----------------------------+---------------------------------------+---------------------------------+
| dhcp.log                   | DHCP leases                           | :bro:type:`DHCP::Info`          |
+----------------------------+---------------------------------------+---------------------------------+
| dnp3.log                   | Requests and replies using DNP3       | :bro:type:`DNP3::Info`          |
|                            | protocol                              |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| dns.log                    | DNS activity                          | :bro:type:`DNS::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| dpd.log                    | Network activity on non-standard      | :bro:type:`DPD::Info`           |
|                            | ports                                 |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| files.log                  | Info about files transmitted over the | :bro:type:`Files::Info`         |
|                            | network                               |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| ftp.log                    | FTP activity                          | :bro:type:`FTP::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| http.log                   | HTTP requests and replies             | :bro:type:`HTTP::Info`          |
+----------------------------+---------------------------------------+---------------------------------+
| intel.log                  | Details about the intelligence        | :bro:type:`Intel::Info`         |
|                            | framework                             |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| irc.log                    | IRC commands and responses            | :bro:type:`IRC::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| known_certs.log            | SSL certificates used                 | :bro:type:`Known::CertsInfo`    |
+----------------------------+---------------------------------------+---------------------------------+
| known_devices.log          | MAC addresses of devices on the       | :bro:type:`Known::DevicesInfo`  |
|                            | network                               |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| known_hosts.log            | Daily record of completed TCP         | :bro:type:`Known::HostsInfo`    |
|                            | handshakes                            |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| known_modbus.log           | Modbus masters and workers            | :bro:type:`Known::ModbusInfo`   |
+----------------------------+---------------------------------------+---------------------------------+
| known_services.log         | Tracks services and protocols used    | :bro:type:`Known::ServicesInfo` |
|                            | during a session                      |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| loaded_scripts.log         | Shows all scripts loaded by Bro       | :bro:type:`LoadedScripts::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| modbus.log                 | Modbus protocol data                  | :bro:type:`Modbus::Info`        |
+----------------------------+---------------------------------------+---------------------------------+
| modbus_register_change.log | <add description here>                | <add link here>                 |
+----------------------------+---------------------------------------+---------------------------------+
| notice.log                 | Bro notices                           | :bro:type:`Notice::Info`        |
+----------------------------+---------------------------------------+---------------------------------+
| notice_alarm.log           | The alarm stream                      | :bro:type:`Notice::Info`        |
+----------------------------+---------------------------------------+---------------------------------+
| packetfilter.log           | Status of packet filters              | :bro:type:`PacketFilter::Info`  |
+----------------------------+---------------------------------------+---------------------------------+
| radius.log                 | RADIUS authentication attempts        | :bro:type:`RADIUS::Info`        |
+----------------------------+---------------------------------------+---------------------------------+
| reporter.log               | Records error messages, location,     | :bro:type:`Reporter::Info`      |
|                            | and severity                          |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| signatures.log             | Tracks signatures used on TCP         | :bro:type:`Signatures::Info`    |
|                            | connections                           |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| smtp.log                   | SMTP traffic on a network             | :bro:type:`SMTP::Info`          |
+----------------------------+---------------------------------------+---------------------------------+
| snmp.log                   | SNMP traffic on a network             | :bro:type:`SNMP::Info`          |
+----------------------------+---------------------------------------+---------------------------------+
| socks.log                  | SOCKS proxy requests                  | :bro:type:`SOCKS::Info`         |
+----------------------------+---------------------------------------+---------------------------------+
| software.log               | Software being used on the network    | :bro:type:`Software::Info`      |
+----------------------------+---------------------------------------+---------------------------------+
| ssh.log                    | SSH connections                       | :bro:type:`SSH::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| ssl.log                    | SSL/TLS handshake info                | :bro:type:`SSL::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| stats.log                  | Shows log memory/packet/lag           | :bro:type:`Stats::Info`         |
|                            | statistics                            |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| syslog.log                 | Syslog messages and data              | :bro:type:`Syslog::Info`        |
+----------------------------+---------------------------------------+---------------------------------+
| traceroute.log             | Address and protocol data of a given  | :bro:type:`Traceroute::Info`    |
|                            | traceroute                            |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| tunnel.log                 | Tunnel data                           | :bro:type:`Tunnel::Info`        |
+----------------------------+---------------------------------------+---------------------------------+
| unified2.log               | Interprets Snort's unified output     | :bro:type:`Unified2::Info`      |
|                            | format                                |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| weird.log                  | Records unexpected protocol-level     | :bro:type:`Weird::Info`         |
|                            | activity                              |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| x509.log                   | Tracks X.509 certificates             | :bro:type:`X509::Info`          |
+----------------------------+---------------------------------------+---------------------------------+