mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
=========
Log Files
=========

Listed below are the log files generated by Bro, including a brief description
of the log file and links to descriptions of the fields for each log
type.

Network Protocols
-----------------

+----------------------------+---------------------------------------+---------------------------------+
| Log File                   | Description                           | Field Descriptions              |
+============================+=======================================+=================================+
| conn.log                   | TCP/UDP/ICMP connections              | :bro:type:`Conn::Info`          |
+----------------------------+---------------------------------------+---------------------------------+
| dhcp.log                   | DHCP leases                           | :bro:type:`DHCP::Info`          |
+----------------------------+---------------------------------------+---------------------------------+
| dnp3.log                   | DNP3 requests and replies             | :bro:type:`DNP3::Info`          |
+----------------------------+---------------------------------------+---------------------------------+
| dns.log                    | DNS activity                          | :bro:type:`DNS::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| ftp.log                    | FTP activity                          | :bro:type:`FTP::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| http.log                   | HTTP requests and replies             | :bro:type:`HTTP::Info`          |
+----------------------------+---------------------------------------+---------------------------------+
| irc.log                    | IRC commands and responses            | :bro:type:`IRC::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| kerberos.log               | Kerberos                              | :bro:type:`KRB::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| modbus.log                 | Modbus commands and responses         | :bro:type:`Modbus::Info`        |
+----------------------------+---------------------------------------+---------------------------------+
| modbus_register_change.log | Tracks changes to Modbus holding      | :bro:type:`Modbus::MemmapInfo`  |
|                            | registers                             |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| mysql.log                  | MySQL                                 | :bro:type:`MySQL::Info`         |
+----------------------------+---------------------------------------+---------------------------------+
| radius.log                 | RADIUS authentication attempts        | :bro:type:`RADIUS::Info`        |
+----------------------------+---------------------------------------+---------------------------------+
| rdp.log                    | RDP                                   | :bro:type:`RDP::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| rfb.log                    | Remote Framebuffer (RFB)              | :bro:type:`RFB::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| sip.log                    | SIP                                   | :bro:type:`SIP::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| smtp.log                   | SMTP transactions                     | :bro:type:`SMTP::Info`          |
+----------------------------+---------------------------------------+---------------------------------+
| snmp.log                   | SNMP messages                         | :bro:type:`SNMP::Info`          |
+----------------------------+---------------------------------------+---------------------------------+
| socks.log                  | SOCKS proxy requests                  | :bro:type:`SOCKS::Info`         |
+----------------------------+---------------------------------------+---------------------------------+
| ssh.log                    | SSH connections                       | :bro:type:`SSH::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| ssl.log                    | SSL/TLS handshake info                | :bro:type:`SSL::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| syslog.log                 | Syslog messages                       | :bro:type:`Syslog::Info`        |
+----------------------------+---------------------------------------+---------------------------------+
| tunnel.log                 | Tunneling protocol events             | :bro:type:`Tunnel::Info`        |
+----------------------------+---------------------------------------+---------------------------------+

Files
-----

+----------------------------+---------------------------------------+---------------------------------+
| Log File                   | Description                           | Field Descriptions              |
+============================+=======================================+=================================+
| files.log                  | File analysis results                 | :bro:type:`Files::Info`         |
+----------------------------+---------------------------------------+---------------------------------+
| pe.log                     | Portable Executable (PE)              | :bro:type:`PE::Info`            |
+----------------------------+---------------------------------------+---------------------------------+
| x509.log                   | X.509 certificate info                | :bro:type:`X509::Info`          |
+----------------------------+---------------------------------------+---------------------------------+

Detection
---------

+----------------------------+---------------------------------------+---------------------------------+
| Log File                   | Description                           | Field Descriptions              |
+============================+=======================================+=================================+
| intel.log                  | Intelligence data matches             | :bro:type:`Intel::Info`         |
+----------------------------+---------------------------------------+---------------------------------+
| notice.log                 | Bro notices                           | :bro:type:`Notice::Info`        |
+----------------------------+---------------------------------------+---------------------------------+
| notice_alarm.log           | The alarm stream                      | :bro:enum:`Notice::ACTION_ALARM`|
+----------------------------+---------------------------------------+---------------------------------+
| signatures.log             | Signature matches                     | :bro:type:`Signatures::Info`    |
+----------------------------+---------------------------------------+---------------------------------+
| traceroute.log             | Traceroute detection                  | :bro:type:`Traceroute::Info`    |
+----------------------------+---------------------------------------+---------------------------------+

Network Observations
--------------------

+----------------------------+---------------------------------------+---------------------------------+
| Log File                   | Description                           | Field Descriptions              |
+============================+=======================================+=================================+
| app_stats.log              | Web app usage statistics              | :bro:type:`AppStats::Info`      |
+----------------------------+---------------------------------------+---------------------------------+
| known_certs.log            | SSL certificates                      | :bro:type:`Known::CertsInfo`    |
+----------------------------+---------------------------------------+---------------------------------+
| known_devices.log          | MAC addresses of devices on the       | :bro:type:`Known::DevicesInfo`  |
|                            | network                               |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| known_hosts.log            | Hosts that have completed TCP         | :bro:type:`Known::HostsInfo`    |
|                            | handshakes                            |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| known_modbus.log           | Modbus masters and slaves             | :bro:type:`Known::ModbusInfo`   |
+----------------------------+---------------------------------------+---------------------------------+
| known_services.log         | Services running on hosts             | :bro:type:`Known::ServicesInfo` |
+----------------------------+---------------------------------------+---------------------------------+
| software.log               | Software being used on the network    | :bro:type:`Software::Info`      |
+----------------------------+---------------------------------------+---------------------------------+

Miscellaneous
-------------

+----------------------------+---------------------------------------+---------------------------------+
| Log File                   | Description                           | Field Descriptions              |
+============================+=======================================+=================================+
| barnyard2.log              | Alerts received from Barnyard2        | :bro:type:`Barnyard2::Info`     |
+----------------------------+---------------------------------------+---------------------------------+
| dpd.log                    | Dynamic protocol detection failures   | :bro:type:`DPD::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| unified2.log               | Interprets Snort's unified output     | :bro:type:`Unified2::Info`      |
+----------------------------+---------------------------------------+---------------------------------+
| weird.log                  | Unexpected network-level activity     | :bro:type:`Weird::Info`         |
+----------------------------+---------------------------------------+---------------------------------+

Bro Diagnostics
---------------

+----------------------------+---------------------------------------+---------------------------------+
| Log File                   | Description                           | Field Descriptions              |
+============================+=======================================+=================================+
| capture_loss.log           | Packet loss rate                      | :bro:type:`CaptureLoss::Info`   |
+----------------------------+---------------------------------------+---------------------------------+
| cluster.log                | Bro cluster messages                  | :bro:type:`Cluster::Info`       |
+----------------------------+---------------------------------------+---------------------------------+
| communication.log          | Communication events between Bro or   | :bro:type:`Communication::Info` |
|                            | Broccoli instances                    |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| loaded_scripts.log         | Shows all scripts loaded by Bro       | :bro:type:`LoadedScripts::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| packet_filter.log          | List packet filters that were applied | :bro:type:`PacketFilter::Info`  |
+----------------------------+---------------------------------------+---------------------------------+
| prof.log                   | Profiling statistics (to create this  | N/A                             |
|                            | log, load policy/misc/profiling.bro)  |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| reporter.log               | Internal error/warning/info messages  | :bro:type:`Reporter::Info`      |
+----------------------------+---------------------------------------+---------------------------------+
| stats.log                  | Memory/event/packet/lag statistics    | :bro:type:`Stats::Info`         |
+----------------------------+---------------------------------------+---------------------------------+
| stderr.log                 | Captures standard error when Bro is   | N/A                             |
|                            | started from BroControl               |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| stdout.log                 | Captures standard output when Bro is  | N/A                             |
|                            | started from BroControl               |                                 |
+----------------------------+---------------------------------------+---------------------------------+