=========
Log Files
=========

As a monitoring tool, Bro records a detailed view of the traffic inspected
and the events generated in a series of relevant log files. These files can
later be reviewed for monitoring, auditing and troubleshooting purposes.

Listed below are the log files generated by Bro, including a brief description
of the log file and links to descriptions of some of the fields for each log
type.

Bro Diagnostics
---------------

+----------------------------+---------------------------------------+---------------------------------+
| Log File                   | Description                           | Field Descriptions              |
+============================+=======================================+=================================+
| capture_loss.log           | Packet loss rate                      | :bro:type:`CaptureLoss::Info`   |
+----------------------------+---------------------------------------+---------------------------------+
| cluster.log                | Cluster messages                      | :bro:type:`Cluster::Info`       |
+----------------------------+---------------------------------------+---------------------------------+
| communication.log          | Connections to remote Bro or Broccoli | :bro:type:`Communication::Info` |
|                            | instances                             |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| intel.log                  | Details about the intelligence        | :bro:type:`Intel::Info`         |
|                            | framework                             |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| loaded_scripts.log         | Shows all scripts loaded by Bro       | :bro:type:`LoadedScripts::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| notice.log                 | Bro notices                           | :bro:type:`Notice::Info`        |
+----------------------------+---------------------------------------+---------------------------------+
| notice_alarm.log           | The alarm stream                      | :bro:enum:`Notice::ACTION_ALARM`|
+----------------------------+---------------------------------------+---------------------------------+
| packetfilter.log           | Status of packet filters              | :bro:type:`PacketFilter::Info`  |
+----------------------------+---------------------------------------+---------------------------------+
| reporter.log               | Records error messages, location,     | :bro:type:`Reporter::Info`      |
|                            | and severity                          |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| stats.log                  | Shows log memory/packet/lag           | :bro:type:`Stats::Info`         |
|                            | statistics                            |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| unified2.log               | Interprets Snort's unified output     | :bro:type:`Unified2::Info`      |
|                            | format                                |                                 |
+----------------------------+---------------------------------------+---------------------------------+

Known_* Logs
------------

+----------------------------+---------------------------------------+---------------------------------+
| Log File                   | Description                           | Field Descriptions              |
+============================+=======================================+=================================+
| known_certs.log            | SSL certificates used                 | :bro:type:`Known::CertsInfo`    |
+----------------------------+---------------------------------------+---------------------------------+
| known_devices.log          | MAC addresses of devices on the       | :bro:type:`Known::DevicesInfo`  |
|                            | network                               |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| known_hosts.log            | Daily record of completed TCP         | :bro:type:`Known::HostsInfo`    |
|                            | handshakes                            |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| known_modbus.log           | Modbus masters and workers            | :bro:type:`Known::ModbusInfo`   |
+----------------------------+---------------------------------------+---------------------------------+
| known_services.log         | Tracks services and protocols used    | :bro:type:`Known::ServicesInfo` |
|                            | during a session                      |                                 |
+----------------------------+---------------------------------------+---------------------------------+

Network Activity
----------------

+----------------------------+---------------------------------------+---------------------------------+
| Log File                   | Description                           | Field Descriptions              |
+============================+=======================================+=================================+
| barnyard2.log              | Alerts received from Barnyard2        | :bro:type:`Barnyard2::Info`     |
+----------------------------+---------------------------------------+---------------------------------+
| conn.log                   | Connection info                       | :bro:type:`Conn::Info`          |
+----------------------------+---------------------------------------+---------------------------------+
| dhcp.log                   | DHCP leases                           | :bro:type:`DHCP::Info`          |
+----------------------------+---------------------------------------+---------------------------------+
| dnp3.log                   | Requests and replies using DNP3       | :bro:type:`DNP3::Info`          |
|                            | protocol                              |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| dns.log                    | DNS activity                          | :bro:type:`DNS::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| dpd.log                    | Network activity on non-standard      | :bro:type:`DPD::Info`           |
|                            | ports                                 |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| files.log                  | Info about files transmitted over the | :bro:type:`Files::Info`         |
|                            | network                               |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| ftp.log                    | FTP activity                          | :bro:type:`FTP::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| http.log                   | HTTP requests and replies             | :bro:type:`HTTP::Info`          |
+----------------------------+---------------------------------------+---------------------------------+
| irc.log                    | IRC commands and responses            | :bro:type:`IRC::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| modbus.log                 | Modbus protocol data                  | :bro:type:`Modbus::Info`        |
+----------------------------+---------------------------------------+---------------------------------+
| modbus_register_change.log | Tracks changes to holding registers   | :bro:type:`Modbus::MemmapInfo`  |
+----------------------------+---------------------------------------+---------------------------------+
| radius.log                 | RADIUS authentication attempts        | :bro:type:`RADIUS::Info`        |
+----------------------------+---------------------------------------+---------------------------------+
| signatures.log             | Tracks signatures used on TCP         | :bro:type:`Signatures::Info`    |
|                            | connections                           |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| smtp.log                   | SMTP traffic on a network             | :bro:type:`SMTP::Info`          |
+----------------------------+---------------------------------------+---------------------------------+
| snmp.log                   | SNMP traffic on a network             | :bro:type:`SNMP::Info`          |
+----------------------------+---------------------------------------+---------------------------------+
| socks.log                  | SOCKS proxy requests                  | :bro:type:`SOCKS::Info`         |
+----------------------------+---------------------------------------+---------------------------------+
| ssh.log                    | SSH connections                       | :bro:type:`SSH::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| ssl.log                    | SSL/TLS handshake info                | :bro:type:`SSL::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| syslog.log                 | Syslog messages and data              | :bro:type:`Syslog::Info`        |
+----------------------------+---------------------------------------+---------------------------------+
| traceroute.log             | Address and protocol data of a given  | :bro:type:`Traceroute::Info`    |
|                            | traceroute                            |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| tunnel.log                 | Tunnel data                           | :bro:type:`Tunnel::Info`        |
+----------------------------+---------------------------------------+---------------------------------+
| weird.log                  | Records unexpected protocol-level     | :bro:type:`Weird::Info`         |
|                            | activity                              |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| x509.log                   | Tracks X.509 certificates             | :bro:type:`X509::Info`          |
+----------------------------+---------------------------------------+---------------------------------+

Software Asset Tracking
-----------------------

+----------------------------+---------------------------------------+---------------------------------+
| Log File                   | Description                           | Field Descriptions              |
+============================+=======================================+=================================+
| app_stats.log              | Info about web apps in use on network | :bro:type:`AppStats::Info`      |
+----------------------------+---------------------------------------+---------------------------------+
| software.log               | Software being used on the network    | :bro:type:`Software::Info`      |
+----------------------------+---------------------------------------+---------------------------------+