Log Files
Listed below are the log files generated by Zeek, including a brief description of the log file and links to descriptions of the fields for each log type.
Network Protocols
| Log File | Description | Field Descriptions |
|---|---|---|
| | TCP/UDP/ICMP connections | |
| | Distributed Computing Environment/RPC | |
| | DHCP leases | |
| | DNP3 requests and replies | |
| | DNS activity | |
| | FTP activity | |
| | HTTP requests and replies | |
| | IRC commands and responses | |
| | Kerberos | |
| | Modbus commands and responses | |
| | Tracks changes to Modbus holding registers | |
| | MySQL | |
| | NT LAN Manager (NTLM) | |
| | Network Time Protocol | |
| | RADIUS authentication attempts | |
| | RDP | |
| | Remote Framebuffer (RFB) | |
| | SIP | |
| | SMB commands | |
| | SMB files | |
| | SMB trees | |
| | SMTP transactions | |
| | SNMP messages | |
| | SOCKS proxy requests | |
| | SSH connections | |
| | SSL/TLS handshake info | |
| | Syslog messages | |
| | Tunneling protocol events | |
Files
| Log File | Description | Field Descriptions |
|---|---|---|
| | File analysis results | |
| | Online Certificate Status Protocol (OCSP). Only created if the policy script is loaded. | |
| | Portable Executable (PE) | |
| | X.509 certificate info | |
NetControl
| Log File | Description | Field Descriptions |
|---|---|---|
| | NetControl actions | |
| | NetControl actions | |
| | NetControl shunt actions | |
| | NetControl catch and release actions | |
| | OpenFlow debug log | |
Detection
| Log File | Description | Field Descriptions |
|---|---|---|
| | Intelligence data matches | |
| | Zeek notices | |
| | The alarm stream | |
| | Signature matches | |
| | Traceroute detection | |
Network Observations
| Log File | Description | Field Descriptions |
|---|---|---|
| | SSL certificates | |
| | Hosts that have completed TCP handshakes | |
| | Modbus masters and slaves | |
| | Services running on hosts | |
| | Software being used on the network | |
Miscellaneous
| Log File | Description | Field Descriptions |
|---|---|---|
| | Dynamic protocol detection failures | |
| | Information about packet protocols that Zeek doesn't know how to process | |
| | Unexpected network-level activity | |
| | Statistics about unexpected activity | |
Zeek Diagnostics
| Log File | Description | Field Descriptions |
|---|---|---|
| | Peering status events between Zeek or Broker-enabled processes | |
| | Packet loss rate | |
| | Zeek cluster messages | |
| | Configuration option changes | |
| | Shows all scripts loaded by Zeek | |
| | List of packet filters that were applied | |
| | Print statements that were redirected to a log stream | |
| | Profiling statistics (to create this log, load policy/misc/profiling.zeek) | N/A |
| | Internal error/warning/info messages | |
| | Memory/event/packet/lag statistics | |
| | Captures standard error when Zeek is started from ZeekControl | N/A |
| | Captures standard output when Zeek is started from ZeekControl | N/A |