Log Files

Listed below are the log files generated by Zeek, including a brief description of the log file and links to descriptions of the fields for each log type.

Network Protocols

| Log File | Description | Field Descriptions |
|---|---|---|
| conn.log | TCP/UDP/ICMP connections | Conn::Info |
| dce_rpc.log | Distributed Computing Environment/RPC | DCE_RPC::Info |
| dhcp.log | DHCP leases | DHCP::Info |
| dnp3.log | DNP3 requests and replies | DNP3::Info |
| dns.log | DNS activity | DNS::Info |
| ftp.log | FTP activity | FTP::Info |
| http.log | HTTP requests and replies | HTTP::Info |
| irc.log | IRC commands and responses | IRC::Info |
| kerberos.log | Kerberos | KRB::Info |
| modbus.log | Modbus commands and responses | Modbus::Info |
| modbus_register_change.log | Tracks changes to Modbus holding registers | Modbus::MemmapInfo |
| mysql.log | MySQL | MySQL::Info |
| ntlm.log | NT LAN Manager (NTLM) | NTLM::Info |
| ntp.log | Network Time Protocol | NTP::Info |
| radius.log | RADIUS authentication attempts | RADIUS::Info |
| rdp.log | RDP | RDP::Info |
| rfb.log | Remote Framebuffer (RFB) | RFB::Info |
| sip.log | SIP | SIP::Info |
| smb_cmd.log | SMB commands | SMB::CmdInfo |
| smb_files.log | SMB files | SMB::FileInfo |
| smb_mapping.log | SMB trees | SMB::TreeInfo |
| smtp.log | SMTP transactions | SMTP::Info |
| snmp.log | SNMP messages | SNMP::Info |
| socks.log | SOCKS proxy requests | SOCKS::Info |
| ssh.log | SSH connections | SSH::Info |
| ssl.log | SSL/TLS handshake info | SSL::Info |
| syslog.log | Syslog messages | Syslog::Info |
| tunnel.log | Tunneling protocol events | Tunnel::Info |

Files

| Log File | Description | Field Descriptions |
|---|---|---|
| files.log | File analysis results | Files::Info |
| ocsp.log | Online Certificate Status Protocol (OCSP). Only created if the policy script is loaded. | OCSP::Info |
| pe.log | Portable Executable (PE) | PE::Info |
| x509.log | X.509 certificate info | X509::Info |

NetControl

| Log File | Description | Field Descriptions |
|---|---|---|
| netcontrol.log | NetControl actions | NetControl::Info |
| netcontrol_drop.log | NetControl actions | NetControl::DropInfo |
| netcontrol_shunt.log | NetControl shunt actions | NetControl::ShuntInfo |
| netcontrol_catch_release.log | NetControl catch and release actions | NetControl::CatchReleaseInfo |
| openflow.log | OpenFlow debug log | OpenFlow::Info |

Detection

| Log File | Description | Field Descriptions |
|---|---|---|
| intel.log | Intelligence data matches | Intel::Info |
| notice.log | Zeek notices | Notice::Info |
| notice_alarm.log | The alarm stream | Notice::Info |
| signatures.log | Signature matches | Signatures::Info |
| traceroute.log | Traceroute detection | Traceroute::Info |

Network Observations

| Log File | Description | Field Descriptions |
|---|---|---|
| known_certs.log | SSL certificates | Known::CertsInfo |
| known_hosts.log | Hosts that have completed TCP handshakes | Known::HostsInfo |
| known_modbus.log | Modbus masters and slaves | Known::ModbusInfo |
| known_services.log | Services running on hosts | Known::ServicesInfo |
| software.log | Software being used on the network | Software::Info |

Miscellaneous

| Log File | Description | Field Descriptions |
|---|---|---|
| dpd.log | Dynamic protocol detection failures | DPD::Info |
| unknown_protocols.log | Information about packet protocols that Zeek doesn't know how to process | UnknownProtocol::Info |
| weird.log | Unexpected network-level activity | Weird::Info |
| weird_stats.log | Statistics about unexpected activity | WeirdStats::Info |

Zeek Diagnostics

| Log File | Description | Field Descriptions |
|---|---|---|
| broker.log | Peering status events between Zeek or Broker-enabled processes | Broker::Info |
| capture_loss.log | Packet loss rate | CaptureLoss::Info |
| cluster.log | Zeek cluster messages | Cluster::Info |
| config.log | Configuration option changes | Config::Info |
| loaded_scripts.log | Shows all scripts loaded by Zeek | LoadedScripts::Info |
| packet_filter.log | Lists the packet filters that were applied | PacketFilter::Info |
| print.log | Print statements that were redirected to a log stream | Log::PrintLogInfo |
| prof.log | Profiling statistics (to create this log, load policy/misc/profiling.zeek) | N/A |
| reporter.log | Internal error/warning/info messages | Reporter::Info |
| stats.log | Memory/event/packet/lag statistics | Stats::Info |
| stderr.log | Captures standard error when Zeek is started from ZeekControl | N/A |
| stdout.log | Captures standard output when Zeek is started from ZeekControl | N/A |