mirror of
https://github.com/zeek/zeek.git
synced 2025-10-09 18:18:19 +00:00
e2dfaf8a5b
There were some cases where the log would be missing a field or data wouldn't get sent to file analysis. At least some of this is fixed now and I get confused a bit less when I look at the logs now. Also, I made the default handling "FILE" so that things like FILE_UNKNOWN wouldn't show up in the logs so regularly. It's technically correct that way, but it doesn't look good and it's correct as FILE often enough that it make sense to make it the default I think.
14 lines
1.3 KiB
Text
14 lines
1.3 KiB
Text
#separator \x09
|
|
#set_separator ,
|
|
#empty_field (empty)
|
|
#unset_field -
|
|
#path smb_files
|
|
#open 2016-04-01-08-31-01
|
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid action path name size times.modified times.accessed times.created times.changed
|
|
#types time string addr port addr port string enum string string count time time time time
|
|
1323202695.377459 CXWv6p3arKYeMETxOg 10.0.0.11 49208 10.0.0.12 445 - SMB::FILE_OPEN \\\\10.0.0.12\\smb2 <share_root> 8192 1323202604.512058 1323202604.512058 1322343963.945297 1323202604.512058
|
|
1323202695.432192 CXWv6p3arKYeMETxOg 10.0.0.11 49208 10.0.0.12 445 - SMB::FILE_OPEN \\\\10.0.0.12\\smb2 WP_SMBPlugin.pdf 0 1323202695.427034 1323202695.427034 1323202695.427034 1323202695.427034
|
|
1323202695.432192 CXWv6p3arKYeMETxOg 10.0.0.11 49208 10.0.0.12 445 FUU9mc3Ub5uZdcqg1d SMB::FILE_CLOSE \\\\10.0.0.12\\smb2 WP_SMBPlugin.pdf 0 1323202695.427034 1323202695.427034 1323202695.427034 1323202695.427034
|
|
1323202695.599914 CXWv6p3arKYeMETxOg 10.0.0.11 49208 10.0.0.12 445 - SMB::FILE_OPEN \\\\10.0.0.12\\smb2 <share_root> 8192 1323202695.427034 1323202695.427034 1322343963.945297 1323202695.427034
|
|
1323202695.599914 CXWv6p3arKYeMETxOg 10.0.0.11 49208 10.0.0.12 445 - SMB::FILE_CLOSE \\\\10.0.0.12\\smb2 <share_root> 8192 1323202695.427034 1323202695.427034 1322343963.945297 1323202695.427034
|
|
#close 2016-04-01-08-31-01
|