docs/reference/filebeat/exported-fields-zeek.md
% This file is generated! See dev-tools/mage/generate_fields_docs.go
Module for handling logs produced by Zeek/Bro
Fields from Zeek/Bro logs after normalization
zeek.session_id
: A unique identifier of the session
type: keyword
Fields exported by the Zeek capture_loss log
zeek.capture_loss.ts_delta
: The time delay between this measurement and the last.
type: integer
zeek.capture_loss.peer
: In the event that there are multiple Bro instances logging to the same host, this distinguishes each peer with its individual name.
type: keyword
zeek.capture_loss.gaps
: Number of missed ACKs from the previous measurement interval.
type: integer
zeek.capture_loss.acks
: Total number of ACKs seen in the previous measurement interval.
type: integer
zeek.capture_loss.percent_lost
: Percentage of ACKs seen where the data being ACKed wasn't seen.
type: double
Fields exported by the Zeek Connection log
zeek.connection.local_orig
: Indicates whether the session is originated locally.
type: boolean
zeek.connection.local_resp
: Indicates whether the session is responded locally.
type: boolean
zeek.connection.missed_bytes
: Missed bytes for the session.
type: long
zeek.connection.state
: Code indicating the state of the session.
type: keyword
zeek.connection.state_message
: The state of the session.
type: keyword
zeek.connection.icmp.type
: ICMP message type.
type: integer
zeek.connection.icmp.code
: ICMP message code.
type: integer
zeek.connection.history
: Flags indicating the history of the session.
type: keyword
zeek.connection.vlan
: VLAN identifier.
type: integer
zeek.connection.inner_vlan
: VLAN identifier.
type: integer
Fields exported by the Zeek DCE_RPC log
zeek.dce_rpc.rtt
: Round trip time from the request to the response. If either the request or response wasn't seen, this will be null.
type: integer
zeek.dce_rpc.named_pipe
: Remote pipe name.
type: keyword
zeek.dce_rpc.endpoint
: Endpoint name looked up from the uuid.
type: keyword
zeek.dce_rpc.operation
: Operation seen in the call.
type: keyword
Fields exported by the Zeek DHCP log
zeek.dhcp.domain
: Domain given by the server in option 15.
type: keyword
zeek.dhcp.duration
: Duration of the DHCP session representing the time from the first message to the last, in seconds.
type: double
zeek.dhcp.hostname
: Name given by client in Hostname option 12.
type: keyword
zeek.dhcp.client_fqdn
: FQDN given by client in Client FQDN option 81.
type: keyword
zeek.dhcp.lease_time
: IP address lease interval in seconds.
type: integer
Addresses seen in this DHCP exchange.
zeek.dhcp.address.assigned
: IP address assigned by the server.
type: ip
zeek.dhcp.address.client
: IP address of the client. If a transaction is only a client sending INFORM messages then there is no lease information exchanged so this is helpful to know who sent the messages. Getting an address in this field does require that the client sources at least one DHCP message using a non-broadcast address.
type: ip
zeek.dhcp.address.mac
: Client's hardware address.
type: keyword
zeek.dhcp.address.requested
: IP address requested by the client.
type: ip
zeek.dhcp.address.server
: IP address of the DHCP server.
type: ip
zeek.dhcp.msg.types
: List of DHCP message types seen in this exchange.
type: keyword
zeek.dhcp.msg.origin
: (present if policy/protocols/dhcp/msg-orig.bro is loaded) The address that originated each message from the msg.types field.
type: ip
zeek.dhcp.msg.client
: Message typically accompanied with a DHCP_DECLINE so the client can tell the server why it rejected an address.
type: keyword
zeek.dhcp.msg.server
: Message typically accompanied with a DHCP_NAK to let the client know why it rejected the request.
type: keyword
zeek.dhcp.software.client
: (present if policy/protocols/dhcp/software.bro is loaded) Software reported by the client in the vendor_class option.
type: keyword
zeek.dhcp.software.server
: (present if policy/protocols/dhcp/software.bro is loaded) Software reported by the client in the vendor_class option.
type: keyword
zeek.dhcp.id.circuit
: (present if policy/protocols/dhcp/sub-opts.bro is loaded) Added by DHCP relay agents which terminate switched or permanent circuits. It encodes an agent-local identifier of the circuit from which a DHCP client-to-server packet was received. Typically it should represent a router or switch interface number.
type: keyword
zeek.dhcp.id.remote_agent
: (present if policy/protocols/dhcp/sub-opts.bro is loaded) A globally unique identifier added by relay agents to identify the remote host end of the circuit.
type: keyword
zeek.dhcp.id.subscriber
: (present if policy/protocols/dhcp/sub-opts.bro is loaded) The subscriber ID is a value independent of the physical network configuration so that a customer's DHCP configuration can be given to them correctly no matter where they are physically connected.
type: keyword
Fields exported by the Zeek DNP3 log
zeek.dnp3.function.request
: The name of the function message in the request.
type: keyword
zeek.dnp3.function.reply
: The name of the function message in the reply.
type: keyword
zeek.dnp3.id
: The response's internal indication number.
type: integer
Fields exported by the Zeek DNS log
zeek.dns.trans_id
: DNS transaction identifier.
type: keyword
zeek.dns.rtt
: Round trip time for the query and response.
type: double
zeek.dns.query
: The domain name that is the subject of the DNS query.
type: keyword
zeek.dns.qclass
: The QCLASS value specifying the class of the query.
type: long
zeek.dns.qclass_name
: A descriptive name for the class of the query.
type: keyword
zeek.dns.qtype
: A QTYPE value specifying the type of the query.
type: long
zeek.dns.qtype_name
: A descriptive name for the type of the query.
type: keyword
zeek.dns.rcode
: The response code value in DNS response messages.
type: long
zeek.dns.rcode_name
: A descriptive name for the response code value.
type: keyword
zeek.dns.AA
: The Authoritative Answer bit for response messages specifies that the responding name server is an authority for the domain name in the question section.
type: boolean
zeek.dns.TC
: The Truncation bit specifies that the message was truncated.
type: boolean
zeek.dns.RD
: The Recursion Desired bit in a request message indicates that the client wants recursive service for this query.
type: boolean
zeek.dns.RA
: The Recursion Available bit in a response message indicates that the name server supports recursive queries.
type: boolean
zeek.dns.answers
: The set of resource descriptions in the query answer.
type: keyword
zeek.dns.TTLs
: The caching intervals of the associated RRs described by the answers field.
type: double
zeek.dns.rejected
: Indicates whether the DNS query was rejected by the server.
type: boolean
zeek.dns.total_answers
: The total number of resource records in the reply.
type: integer
zeek.dns.total_replies
: The total number of resource records in the reply message.
type: integer
zeek.dns.saw_query
: Whether the full DNS query has been seen.
type: boolean
zeek.dns.saw_reply
: Whether the full DNS reply has been seen.
type: boolean
Fields exported by the Zeek DPD log
zeek.dpd.analyzer
: The analyzer that generated the violation.
type: keyword
zeek.dpd.failure_reason
: The textual reason for the analysis failure.
type: keyword
zeek.dpd.packet_segment
: (present if policy/frameworks/dpd/packet-segment-logging.bro is loaded) A chunk of the payload that most likely resulted in the protocol violation.
type: keyword
Fields exported by the Zeek Files log.
zeek.files.fuid
: A file unique identifier.
type: keyword
zeek.files.tx_host
: The host that transferred the file.
type: ip
zeek.files.rx_host
: The host that received the file.
type: ip
zeek.files.session_ids
: The sessions that have this file.
type: keyword
zeek.files.source
: An identification of the source of the file data. E.g. it may be a network protocol over which it was transferred, or a local file path which was read, or some other input source.
type: keyword
zeek.files.depth
: A value to represent the depth of this file in relation to its source. In SMTP, it is the depth of the MIME attachment on the message. In HTTP, it is the depth of the request within the TCP connection.
type: long
zeek.files.analyzers
: A set of analysis types done during the file analysis.
type: keyword
zeek.files.mime_type
: Mime type of the file.
type: keyword
zeek.files.filename
: Name of the file if available.
type: keyword
zeek.files.local_orig
: If the source of this file is a network connection, this field indicates if the data originated from the local network or not.
type: boolean
zeek.files.is_orig
: If the source of this file is a network connection, this field indicates if the file is being sent by the originator of the connection or the responder.
type: boolean
zeek.files.duration
: The duration the file was analyzed for. Not the duration of the session.
type: double
zeek.files.seen_bytes
: Number of bytes provided to the file analysis engine for the file.
type: long
zeek.files.total_bytes
: Total number of bytes that are supposed to comprise the full file.
type: long
zeek.files.missing_bytes
: The number of bytes in the file stream that were completely missed during the process of analysis.
type: long
zeek.files.overflow_bytes
: The number of bytes in the file stream that were not delivered to stream file analyzers. This could be overlapping bytes or bytes that couldn't be reassembled.
type: long
zeek.files.timedout
: Whether the file analysis timed out at least once for the file.
type: boolean
zeek.files.parent_fuid
: Identifier associated with a container file from which this one was extracted as part of the file analysis.
type: keyword
zeek.files.md5
: An MD5 digest of the file contents.
type: keyword
zeek.files.sha1
: A SHA1 digest of the file contents.
type: keyword
zeek.files.sha256
: A SHA256 digest of the file contents.
type: keyword
zeek.files.extracted
: Local filename of extracted file.
type: keyword
zeek.files.extracted_cutoff
: Indicate whether the file being extracted was cut off hence not extracted completely.
type: boolean
zeek.files.extracted_size
: The number of bytes extracted to disk.
type: long
zeek.files.entropy
: The information density of the contents of the file.
type: double
Fields exported by the Zeek FTP log
zeek.ftp.user
: User name for the current FTP session.
type: keyword
zeek.ftp.password
: Password for the current FTP session if captured.
type: keyword
zeek.ftp.command
: Command given by the client.
type: keyword
zeek.ftp.arg
: Argument for the command if one is given.
type: keyword
zeek.ftp.file.size
: Size of the file if the command indicates a file transfer.
type: long
zeek.ftp.file.mime_type
: Sniffed mime type of file.
type: keyword
zeek.ftp.file.fuid
: (present if base/protocols/ftp/files.bro is loaded) File unique ID.
type: keyword
zeek.ftp.reply.code
: Reply code from the server in response to the command.
type: integer
zeek.ftp.reply.msg
: Reply message from the server in response to the command.
type: keyword
Expected FTP data channel.
zeek.ftp.data_channel.passive
: Whether PASV mode is toggled for control channel.
type: boolean
zeek.ftp.data_channel.originating_host
: The host that will be initiating the data connection.
type: ip
zeek.ftp.data_channel.response_host
: The host that will be accepting the data connection.
type: ip
zeek.ftp.data_channel.response_port
: The port at which the acceptor is listening for the data connection.
type: integer
zeek.ftp.cwd
: Current working directory that this session is in. By making the default value '.', we can indicate that unless something more concrete is discovered that the existing but unknown directory is ok to use.
type: keyword
Command that is currently waiting for a response.
zeek.ftp.cmdarg.cmd
: Command.
type: keyword
zeek.ftp.cmdarg.arg
: Argument for the command if one was given.
type: keyword
zeek.ftp.cmdarg.seq
: Counter to track how many commands have been executed.
type: integer
zeek.ftp.pending_commands
: Queue for commands that have been sent but not yet responded to are tracked here.
type: integer
zeek.ftp.passive
: Indicates if the session is in active or passive mode.
type: boolean
zeek.ftp.capture_password
: Determines if the password will be captured for this request.
type: boolean
zeek.ftp.last_auth_requested
: present if base/protocols/ftp/gridftp.bro is loaded. Last authentication/security mechanism that was used.
type: keyword
Fields exported by the Zeek HTTP log
zeek.http.trans_depth
: Represents the pipelined depth into the connection of this request/response transaction.
type: integer
zeek.http.status_msg
: Status message returned by the server.
type: keyword
zeek.http.info_code
: Last seen 1xx informational reply code returned by the server.
type: integer
zeek.http.info_msg
: Last seen 1xx informational reply message returned by the server.
type: keyword
zeek.http.tags
: A set of indicators of various attributes discovered and related to a particular request/response pair.
type: keyword
zeek.http.password
: Password if basic-auth is performed for the request.
type: keyword
zeek.http.captured_password
: Determines if the password will be captured for this request.
type: boolean
zeek.http.proxied
: All of the headers that may indicate if the HTTP request was proxied.
type: keyword
zeek.http.range_request
: Indicates if this request can assume 206 partial content in response.
type: boolean
zeek.http.client_header_names
: The vector of HTTP header names sent by the client. No header values are included here, just the header names.
type: keyword
zeek.http.server_header_names
: The vector of HTTP header names sent by the server. No header values are included here, just the header names.
type: keyword
zeek.http.orig_fuids
: An ordered vector of file unique IDs from the originator.
type: keyword
zeek.http.orig_mime_types
: An ordered vector of mime types from the originator.
type: keyword
zeek.http.orig_filenames
: An ordered vector of filenames from the originator.
type: keyword
zeek.http.resp_fuids
: An ordered vector of file unique IDs from the responder.
type: keyword
zeek.http.resp_mime_types
: An ordered vector of mime types from the responder.
type: keyword
zeek.http.resp_filenames
: An ordered vector of filenames from the responder.
type: keyword
zeek.http.orig_mime_depth
: Current number of MIME entities in the HTTP request message body.
type: integer
zeek.http.resp_mime_depth
: Current number of MIME entities in the HTTP response message body.
type: integer
Fields exported by the Zeek Intel log.
zeek.intel.seen.indicator
: The intelligence indicator.
type: keyword
zeek.intel.seen.indicator_type
: The type of data the indicator represents.
type: keyword
zeek.intel.seen.host
: If the indicator type was Intel::ADDR, then this field will be present.
type: keyword
zeek.intel.seen.conn
: If the data was discovered within a connection, the connection record should go here to give context to the data.
type: keyword
zeek.intel.seen.where
: Where the data was discovered.
type: keyword
zeek.intel.seen.node
: The name of the node where the match was discovered.
type: keyword
zeek.intel.seen.uid
: If the data was discovered within a connection, the connection uid should go here to give context to the data. If the conn field is provided, this will be automatically filled out.
type: keyword
zeek.intel.seen.f
: If the data was discovered within a file, the file record should go here to provide context to the data.
type: object
zeek.intel.seen.fuid
: If the data was discovered within a file, the file uid should go here to provide context to the data. If the file record f is provided, this will be automatically filled out.
type: keyword
zeek.intel.matched
: Event to represent a match in the intelligence data from data that was seen.
type: keyword
zeek.intel.sources
: Sources which supplied data for this match.
type: keyword
zeek.intel.fuid
: If a file was associated with this intelligence hit, this is the uid for the file.
type: keyword
zeek.intel.file_mime_type
: A mime type if the intelligence hit is related to a file. If the $f field is provided this will be automatically filled out.
type: keyword
zeek.intel.file_desc
: Frequently files can be described to give a bit more context. If the $f field is provided this field will be automatically filled out.
type: keyword
Fields exported by the Zeek IRC log
zeek.irc.nick
: Nickname given for the connection.
type: keyword
zeek.irc.user
: Username given for the connection.
type: keyword
zeek.irc.command
: Command given by the client.
type: keyword
zeek.irc.value
: Value for the command given by the client.
type: keyword
zeek.irc.addl
: Any additional data for the command.
type: keyword
zeek.irc.dcc.file.name
: Present if base/protocols/irc/dcc-send.bro is loaded. DCC filename requested.
type: keyword
zeek.irc.dcc.file.size
: Present if base/protocols/irc/dcc-send.bro is loaded. Size of the DCC transfer as indicated by the sender.
type: long
zeek.irc.dcc.mime_type
: present if base/protocols/irc/dcc-send.bro is loaded. Sniffed mime type of the file.
type: keyword
zeek.irc.fuid
: present if base/protocols/irc/files.bro is loaded. File unique ID.
type: keyword
Fields exported by the Zeek Kerberos log
zeek.kerberos.request_type
: Request type - Authentication Service (AS) or Ticket Granting Service (TGS).
type: keyword
zeek.kerberos.client
: Client name.
type: keyword
zeek.kerberos.service
: Service name.
type: keyword
zeek.kerberos.success
: Request result.
type: boolean
zeek.kerberos.error.code
: Error code.
type: integer
zeek.kerberos.error.msg
: Error message.
type: keyword
zeek.kerberos.valid.from
: Ticket valid from.
type: date
zeek.kerberos.valid.until
: Ticket valid until.
type: date
zeek.kerberos.valid.days
: Number of days the ticket is valid for.
type: integer
zeek.kerberos.cipher
: Ticket encryption type.
type: keyword
zeek.kerberos.forwardable
: Forwardable ticket requested.
type: boolean
zeek.kerberos.renewable
: Renewable ticket requested.
type: boolean
zeek.kerberos.ticket.auth
: Hash of ticket used to authorize request/transaction.
type: keyword
zeek.kerberos.ticket.new
: Hash of ticket returned by the KDC.
type: keyword
zeek.kerberos.cert.client.value
: Client certificate.
type: keyword
zeek.kerberos.cert.client.fuid
: File unique ID of client cert.
type: keyword
zeek.kerberos.cert.client.subject
: Subject of client certificate.
type: keyword
zeek.kerberos.cert.server.value
: Server certificate.
type: keyword
zeek.kerberos.cert.server.fuid
: File unique ID of server certificate.
type: keyword
zeek.kerberos.cert.server.subject
: Subject of server certificate.
type: keyword
Fields exported by the Zeek modbus log.
zeek.modbus.function
: The name of the function message that was sent.
type: keyword
zeek.modbus.exception
: The exception if the response was a failure.
type: keyword
zeek.modbus.track_address
: Present if policy/protocols/modbus/track-memmap.bro is loaded. Modbus track address.
type: integer
Fields exported by the Zeek MySQL log.
zeek.mysql.cmd
: The command that was issued.
type: keyword
zeek.mysql.arg
: The argument issued to the command.
type: keyword
zeek.mysql.success
: Whether the command succeeded.
type: boolean
zeek.mysql.rows
: The number of affected rows, if any.
type: integer
zeek.mysql.response
: Server message, if any.
type: keyword
Fields exported by the Zeek Notice log.
zeek.notice.connection_id
: Identifier of the related connection session.
type: keyword
zeek.notice.icmp_id
: Identifier of the related ICMP session.
type: keyword
zeek.notice.file.id
: An identifier associated with a single file that is related to this notice.
type: keyword
zeek.notice.file.parent_id
: Identifier associated with a container file from which this one was extracted.
type: keyword
zeek.notice.file.source
: An identification of the source of the file data. E.g. it may be a network protocol over which it was transferred, or a local file path which was read, or some other input source.
type: keyword
zeek.notice.file.mime_type
: A mime type if the notice is related to a file.
type: keyword
zeek.notice.file.is_orig
: If the source of this file is a network connection, this field indicates if the file is being sent by the originator of the connection or the responder.
type: boolean
zeek.notice.file.seen_bytes
: Number of bytes provided to the file analysis engine for the file.
type: long
zeek.notice.ffile.total_bytes
: Total number of bytes that are supposed to comprise the full file.
type: long
zeek.notice.file.missing_bytes
: The number of bytes in the file stream that were completely missed during the process of analysis.
type: long
zeek.notice.file.overflow_bytes
: The number of bytes in the file stream that were not delivered to stream file analyzers. This could be overlapping bytes or bytes that couldn't be reassembled.
type: long
zeek.notice.fuid
: A file unique ID if this notice is related to a file.
type: keyword
zeek.notice.note
: The type of the notice.
type: keyword
zeek.notice.msg
: The human readable message for the notice.
type: keyword
zeek.notice.sub
: The human readable sub-message.
type: keyword
zeek.notice.n
: Associated count, or a status code.
type: long
zeek.notice.peer_name
: Name of remote peer that raised this notice.
type: keyword
zeek.notice.peer_descr
: Textual description for the peer that raised this notice.
type: text
zeek.notice.actions
: The actions which have been applied to this notice.
type: keyword
zeek.notice.email_body_sections
: By adding chunks of text into this element, other scripts can expand on notices that are being emailed.
type: text
zeek.notice.email_delay_tokens
: Adding a string token to this set will cause the built-in emailing functionality to delay sending the email either the token has been removed or the email has been delayed for the specified time duration.
type: keyword
zeek.notice.identifier
: This field is provided when a notice is generated for the purpose of deduplicating notices.
type: keyword
zeek.notice.suppress_for
: This field indicates the length of time that this unique notice should be suppressed.
type: double
zeek.notice.dropped
: Indicate if the source IP address was dropped and denied network access.
type: boolean
Fields exported by the Zeek NTLM log.
zeek.ntlm.domain
: Domain name given by the client.
type: keyword
zeek.ntlm.hostname
: Hostname given by the client.
type: keyword
zeek.ntlm.success
: Indicate whether or not the authentication was successful.
type: boolean
zeek.ntlm.username
: Username given by the client.
type: keyword
zeek.ntlm.server.name.dns
: DNS name given by the server in a CHALLENGE.
type: keyword
zeek.ntlm.server.name.netbios
: NetBIOS name given by the server in a CHALLENGE.
type: keyword
zeek.ntlm.server.name.tree
: Tree name given by the server in a CHALLENGE.
type: keyword
Fields exported by the Zeek NTP log.
zeek.ntp.version
: The NTP version number (1, 2, 3, 4).
type: integer
zeek.ntp.mode
: The NTP mode being used.
type: integer
zeek.ntp.stratum
: The stratum (primary server, secondary server, etc.).
type: integer
zeek.ntp.poll
: The maximum interval between successive messages in seconds.
type: double
zeek.ntp.precision
: The precision of the system clock in seconds.
type: double
zeek.ntp.root_delay
: Total round-trip delay to the reference clock in seconds.
type: double
zeek.ntp.root_disp
: Total dispersion to the reference clock in seconds.
type: double
zeek.ntp.ref_id
: For stratum 0, 4 character string used for debugging. For stratum 1, ID assigned to the reference clock by IANA. Above stratum 1, when using IPv4, the IP address of the reference clock. Note that the NTP protocol did not originally specify a large enough field to represent IPv6 addresses, so they use the first four bytes of the MD5 hash of the reference clock’s IPv6 address (i.e. an IPv4 address here is not necessarily IPv4).
type: keyword
zeek.ntp.ref_time
: Time when the system clock was last set or correct.
type: date
zeek.ntp.org_time
: Time at the client when the request departed for the NTP server.
type: date
zeek.ntp.rec_time
: Time at the server when the request arrived from the NTP client.
type: date
zeek.ntp.xmt_time
: Time at the server when the response departed for the NTP client.
type: date
zeek.ntp.num_exts
: Number of extension fields (which are not currently parsed).
type: integer
Fields exported by the Zeek OCSP log Online Certificate Status Protocol (OCSP). Only created if policy script is loaded.
zeek.ocsp.file_id
: File id of the OCSP reply.
type: keyword
zeek.ocsp.hash.algorithm
: Hash algorithm used to generate issuerNameHash and issuerKeyHash.
type: keyword
zeek.ocsp.hash.issuer.name
: Hash of the issuer's distingueshed name.
type: keyword
zeek.ocsp.hash.issuer.key
: Hash of the issuer's public key.
type: keyword
zeek.ocsp.serial_number
: Serial number of the affected certificate.
type: keyword
zeek.ocsp.status
: Status of the affected certificate.
type: keyword
zeek.ocsp.revoke.time
: Time at which the certificate was revoked.
type: date
zeek.ocsp.revoke.reason
: Reason for which the certificate was revoked.
type: keyword
zeek.ocsp.update.this
: The time at which the status being shows is known to have been correct.
type: date
zeek.ocsp.update.next
: The latest time at which new information about the status of the certificate will be available.
type: date
Fields exported by the Zeek pe log.
zeek.pe.client
: The client's version string.
type: keyword
zeek.pe.id
: File id of this portable executable file.
type: keyword
zeek.pe.machine
: The target machine that the file was compiled for.
type: keyword
zeek.pe.compile_time
: The time that the file was created at.
type: date
zeek.pe.os
: The required operating system.
type: keyword
zeek.pe.subsystem
: The subsystem that is required to run this file.
type: keyword
zeek.pe.is_exe
: Is the file an executable, or just an object file?
type: boolean
zeek.pe.is_64bit
: Is the file a 64-bit executable?
type: boolean
zeek.pe.uses_aslr
: Does the file support Address Space Layout Randomization?
type: boolean
zeek.pe.uses_dep
: Does the file support Data Execution Prevention?
type: boolean
zeek.pe.uses_code_integrity
: Does the file enforce code integrity checks?
type: boolean
zeek.pe.uses_seh
: Does the file use structured exception handing?
type: boolean
zeek.pe.has_import_table
: Does the file have an import table?
type: boolean
zeek.pe.has_export_table
: Does the file have an export table?
type: boolean
zeek.pe.has_cert_table
: Does the file have an attribute certificate table?
type: boolean
zeek.pe.has_debug_data
: Does the file have a debug table?
type: boolean
zeek.pe.section_names
: The names of the sections, in order.
type: keyword
Fields exported by the Zeek Radius log.
zeek.radius.username
: The username, if present.
type: keyword
zeek.radius.mac
: MAC address, if present.
type: keyword
zeek.radius.framed_addr
: The address given to the network access server, if present. This is only a hint from the RADIUS server and the network access server is not required to honor the address.
type: ip
zeek.radius.remote_ip
: Remote IP address, if present. This is collected from the Tunnel-Client-Endpoint attribute.
type: ip
zeek.radius.connect_info
: Connect info, if present.
type: keyword
zeek.radius.reply_msg
: Reply message from the server challenge. This is frequently shown to the user authenticating.
type: keyword
zeek.radius.result
: Successful or failed authentication.
type: keyword
zeek.radius.ttl
: The duration between the first request and either the "Access-Accept" message or an error. If the field is empty, it means that either the request or response was not seen.
type: integer
zeek.radius.logged
: Whether this has already been logged and can be ignored.
type: boolean
Fields exported by the Zeek RDP log.
zeek.rdp.cookie
: Cookie value used by the client machine. This is typically a username.
type: keyword
zeek.rdp.result
: Status result for the connection. It's a mix between RDP negotation failure messages and GCC server create response messages.
type: keyword
zeek.rdp.security_protocol
: Security protocol chosen by the server.
type: keyword
zeek.rdp.keyboard_layout
: Keyboard layout (language) of the client machine.
type: keyword
zeek.rdp.client.build
: RDP client version used by the client machine.
type: keyword
zeek.rdp.client.client_name
: Name of the client machine.
type: keyword
zeek.rdp.client.product_id
: Product ID of the client machine.
type: keyword
zeek.rdp.desktop.width
: Desktop width of the client machine.
type: integer
zeek.rdp.desktop.height
: Desktop height of the client machine.
type: integer
zeek.rdp.desktop.color_depth
: The color depth requested by the client in the high_color_depth field.
type: keyword
zeek.rdp.cert.type
: If the connection is being encrypted with native RDP encryption, this is the type of cert being used.
type: keyword
zeek.rdp.cert.count
: The number of certs seen. X.509 can transfer an entire certificate chain.
type: integer
zeek.rdp.cert.permanent
: Indicates if the provided certificate or certificate chain is permanent or temporary.
type: boolean
zeek.rdp.encryption.level
: Encryption level of the connection.
type: keyword
zeek.rdp.encryption.method
: Encryption method of the connection.
type: keyword
zeek.rdp.done
: Track status of logging RDP connections.
type: boolean
zeek.rdp.ssl
: (present if policy/protocols/rdp/indicate_ssl.bro is loaded) Flag the connection if it was seen over SSL.
type: boolean
Fields exported by the Zeek RFB log.
zeek.rfb.version.client.major
: Major version of the client.
type: keyword
zeek.rfb.version.client.minor
: Minor version of the client.
type: keyword
zeek.rfb.version.server.major
: Major version of the server.
type: keyword
zeek.rfb.version.server.minor
: Minor version of the server.
type: keyword
zeek.rfb.auth.success
: Whether or not authentication was successful.
type: boolean
zeek.rfb.auth.method
: Identifier of authentication method used.
type: keyword
zeek.rfb.share_flag
: Whether the client has an exclusive or a shared session.
type: boolean
zeek.rfb.desktop_name
: Name of the screen that is being shared.
type: keyword
zeek.rfb.width
: Width of the screen that is being shared.
type: integer
zeek.rfb.height
: Height of the screen that is being shared.
type: integer
Fields exported by the Zeek Signature log.
zeek.signature.note
: Notice associated with signature event.
type: keyword
zeek.signature.sig_id
: The name of the signature that matched.
type: keyword
zeek.signature.event_msg
: A more descriptive message of the signature-matching event.
type: keyword
zeek.signature.sub_msg
: Extracted payload data or extra message.
type: keyword
zeek.signature.sig_count
: Number of sigs, usually from summary count.
type: integer
zeek.signature.host_count
: Number of hosts, from a summary count.
type: integer
Fields exported by the Zeek SIP log.
zeek.sip.transaction_depth
: Represents the pipelined depth into the connection of this request/response transaction.
type: integer
zeek.sip.sequence.method
: Verb used in the SIP request (INVITE, REGISTER etc.).
type: keyword
zeek.sip.sequence.number
: Contents of the CSeq: header from the client.
type: keyword
zeek.sip.uri
: URI used in the request.
type: keyword
zeek.sip.date
: Contents of the Date: header from the client.
type: keyword
zeek.sip.request.from
: Contents of the request From: header Note: The tag= value that's usually appended to the sender is stripped off and not logged.
type: keyword
zeek.sip.request.to
: Contents of the To: header.
type: keyword
zeek.sip.request.path
: The client message transmission path, as extracted from the headers.
type: keyword
zeek.sip.request.body_length
: Contents of the Content-Length: header from the client.
type: long
zeek.sip.response.from
: Contents of the response From: header Note: The tag= value that's usually appended to the sender is stripped off and not logged.
type: keyword
zeek.sip.response.to
: Contents of the response To: header.
type: keyword
zeek.sip.response.path
: The server message transmission path, as extracted from the headers.
type: keyword
zeek.sip.response.body_length
: Contents of the Content-Length: header from the server.
type: long
zeek.sip.reply_to
: Contents of the Reply-To: header.
type: keyword
zeek.sip.call_id
: Contents of the Call-ID: header from the client.
type: keyword
zeek.sip.subject
: Contents of the Subject: header from the client.
type: keyword
zeek.sip.user_agent
: Contents of the User-Agent: header from the client.
type: keyword
zeek.sip.status.code
: Status code returned by the server.
type: integer
zeek.sip.status.msg
: Status message returned by the server.
type: keyword
zeek.sip.warning
: Contents of the Warning: header.
type: keyword
zeek.sip.content_type
: Contents of the Content-Type: header from the server.
type: keyword
Fields exported by the Zeek smb_cmd log.
zeek.smb_cmd.command
: The command sent by the client.
type: keyword
zeek.smb_cmd.sub_command
: The subcommand sent by the client, if present.
type: keyword
zeek.smb_cmd.argument
: Command argument sent by the client, if any.
type: keyword
zeek.smb_cmd.status
: Server reply to the client's command.
type: keyword
zeek.smb_cmd.rtt
: Round trip time from the request to the response.
type: double
zeek.smb_cmd.version
: Version of SMB for the command.
type: keyword
zeek.smb_cmd.username
: Authenticated username, if available.
type: keyword
zeek.smb_cmd.tree
: If this is related to a tree, this is the tree that was used for the current command.
type: keyword
zeek.smb_cmd.tree_service
: The type of tree (disk share, printer share, named pipe, etc.).
type: keyword
If the command referenced a file, store it here.
zeek.smb_cmd.file.name
: Filename if one was seen.
type: keyword
zeek.smb_cmd.file.action
: Action this log record represents.
type: keyword
zeek.smb_cmd.file.uid
: UID of the referenced file.
type: keyword
zeek.smb_cmd.file.host.tx
: Address of the transmitting host.
type: ip
zeek.smb_cmd.file.host.rx
: Address of the receiving host.
type: ip
zeek.smb_cmd.smb1_offered_dialects
: Present if base/protocols/smb/smb1-main.bro is loaded. Dialects offered by the client.
type: keyword
zeek.smb_cmd.smb2_offered_dialects
: Present if base/protocols/smb/smb2-main.bro is loaded. Dialects offered by the client.
type: integer
Fields exported by the Zeek SMB Files log.
zeek.smb_files.action
: Action this log record represents.
type: keyword
zeek.smb_files.fid
: ID referencing this file.
type: integer
zeek.smb_files.name
: Filename if one was seen.
type: keyword
zeek.smb_files.path
: Path pulled from the tree this file was transferred to or from.
type: keyword
zeek.smb_files.previous_name
: If the rename action was seen, this will be the file's previous name.
type: keyword
zeek.smb_files.size
: Byte size of the file.
type: long
Timestamps of the file.
zeek.smb_files.times.accessed
: The file's access time.
type: date
zeek.smb_files.times.changed
: The file's change time.
type: date
zeek.smb_files.times.created
: The file's create time.
type: date
zeek.smb_files.times.modified
: The file's modify time.
type: date
zeek.smb_files.uuid
: UUID referencing this file if DCE/RPC.
type: keyword
Fields exported by the Zeek SMB_Mapping log.
zeek.smb_mapping.path
: Name of the tree path.
type: keyword
zeek.smb_mapping.service
: The type of resource of the tree (disk share, printer share, named pipe, etc.).
type: keyword
zeek.smb_mapping.native_file_system
: File system of the tree.
type: keyword
zeek.smb_mapping.share_type
: If this is SMB2, a share type will be included. For SMB1, the type of share will be deduced and included as well.
type: keyword
Fields exported by the Zeek SMTP log.
zeek.smtp.transaction_depth
: A count to represent the depth of this message transaction in a single connection where multiple messages were transferred.
type: integer
zeek.smtp.helo
: Contents of the Helo header.
type: keyword
zeek.smtp.mail_from
: Email addresses found in the MAIL FROM header.
type: keyword
zeek.smtp.rcpt_to
: Email addresses found in the RCPT TO header.
type: keyword
zeek.smtp.date
: Contents of the Date header.
type: date
zeek.smtp.from
: Contents of the From header.
type: keyword
zeek.smtp.to
: Contents of the To header.
type: keyword
zeek.smtp.cc
: Contents of the CC header.
type: keyword
zeek.smtp.reply_to
: Contents of the ReplyTo header.
type: keyword
zeek.smtp.msg_id
: Contents of the MsgID header.
type: keyword
zeek.smtp.in_reply_to
: Contents of the In-Reply-To header.
type: keyword
zeek.smtp.subject
: Contents of the Subject header.
type: keyword
zeek.smtp.x_originating_ip
: Contents of the X-Originating-IP header.
type: keyword
zeek.smtp.first_received
: Contents of the first Received header.
type: keyword
zeek.smtp.second_received
: Contents of the second Received header.
type: keyword
zeek.smtp.last_reply
: The last message that the server sent to the client.
type: keyword
zeek.smtp.path
: The message transmission path, as extracted from the headers.
type: ip
zeek.smtp.user_agent
: Value of the User-Agent header from the client.
type: keyword
zeek.smtp.tls
: Indicates that the connection has switched to using TLS.
type: boolean
zeek.smtp.process_received_from
: Indicates if the "Received: from" headers should still be processed.
type: boolean
zeek.smtp.has_client_activity
: Indicates if client activity has been seen, but not yet logged.
type: boolean
zeek.smtp.fuids
: (present if base/protocols/smtp/files.bro is loaded) An ordered vector of file unique IDs seen attached to the message.
type: keyword
zeek.smtp.is_webmail
: Indicates if the message was sent through a webmail interface.
type: boolean
Fields exported by the Zeek SNMP log.
zeek.snmp.duration
: The amount of time between the first packet beloning to the SNMP session and the latest one seen.
type: double
zeek.snmp.version
: The version of SNMP being used.
type: keyword
zeek.snmp.community
: The community string of the first SNMP packet associated with the session. This is used as part of SNMP's (v1 and v2c) administrative/security framework. See RFC 1157 or RFC 1901.
type: keyword
zeek.snmp.get.requests
: The number of variable bindings in GetRequest/GetNextRequest PDUs seen for the session.
type: integer
zeek.snmp.get.bulk_requests
: The number of variable bindings in GetBulkRequest PDUs seen for the session.
type: integer
zeek.snmp.get.responses
: The number of variable bindings in GetResponse/Response PDUs seen for the session.
type: integer
zeek.snmp.set.requests
: The number of variable bindings in SetRequest PDUs seen for the session.
type: integer
zeek.snmp.display_string
: A system description of the SNMP responder endpoint.
type: keyword
zeek.snmp.up_since
: The time at which the SNMP responder endpoint claims it's been up since.
type: date
Fields exported by the Zeek SOCKS log.
zeek.socks.version
: Protocol version of SOCKS.
type: integer
zeek.socks.user
: Username used to request a login to the proxy.
type: keyword
zeek.socks.password
: Password used to request a login to the proxy.
type: keyword
zeek.socks.status
: Server status for the attempt at using the proxy.
type: keyword
zeek.socks.request.host
: Client requested SOCKS address. Could be an address, a name or both.
type: keyword
zeek.socks.request.port
: Client requested port.
type: integer
zeek.socks.bound.host
: Server bound address. Could be an address, a name or both.
type: keyword
zeek.socks.bound.port
: Server bound port.
type: integer
zeek.socks.capture_password
: Determines if the password will be captured for this request.
type: boolean
Fields exported by the Zeek SSH log.
zeek.ssh.client
: The client's version string.
type: keyword
zeek.ssh.direction
: Direction of the connection. If the client was a local host logging into an external host, this would be OUTBOUND. INBOUND would be set for the opposite situation.
type: keyword
zeek.ssh.host_key
: The server's key thumbprint.
type: keyword
zeek.ssh.server
: The server's version string.
type: keyword
zeek.ssh.version
: SSH major version (1 or 2).
type: integer
Cipher algorithms used in this session.
zeek.ssh.algorithm.cipher
: The encryption algorithm in use.
type: keyword
zeek.ssh.algorithm.compression
: The compression algorithm in use.
type: keyword
zeek.ssh.algorithm.host_key
: The server host key's algorithm.
type: keyword
zeek.ssh.algorithm.key_exchange
: The key exchange algorithm in use.
type: keyword
zeek.ssh.algorithm.mac
: The signing (MAC) algorithm in use.
type: keyword
zeek.ssh.auth.attempts
: The number of authentication attemps we observed. There's always at least one, since some servers might support no authentication at all. It's important to note that not all of these are failures, since some servers require two-factor auth (e.g. password AND pubkey).
type: integer
zeek.ssh.auth.success
: Authentication result.
type: boolean
Fields exported by the Zeek SSL log.
zeek.ssl.version
: SSL/TLS version that was logged.
type: keyword
zeek.ssl.cipher
: SSL/TLS cipher suite that was logged.
type: keyword
zeek.ssl.curve
: Elliptic curve that was logged when using ECDH/ECDHE.
type: keyword
zeek.ssl.resumed
: Flag to indicate if the session was resumed reusing the key material exchanged in an earlier connection.
type: boolean
zeek.ssl.next_protocol
: Next protocol the server chose using the application layer next protocol extension.
type: keyword
zeek.ssl.established
: Flag to indicate if this ssl session has been established successfully.
type: boolean
zeek.ssl.validation.status
: Result of certificate validation for this connection.
type: keyword
zeek.ssl.validation.code
: Result of certificate validation for this connection, given as OpenSSL validation code.
type: keyword
zeek.ssl.last_alert
: Last alert that was seen during the connection.
type: keyword
zeek.ssl.server.name
: Value of the Server Name Indicator SSL/TLS extension. It indicates the server name that the client was requesting.
type: keyword
zeek.ssl.server.cert_chain
: Chain of certificates offered by the server to validate its complete signing chain.
type: keyword
zeek.ssl.server.cert_chain_fuids
: An ordered vector of certificate file identifiers for the certificates offered by the server.
type: keyword
Subject of the signer of the X.509 certificate offered by the server.
zeek.ssl.server.issuer.common_name
: Common name of the signer of the X.509 certificate offered by the server.
type: keyword
zeek.ssl.server.issuer.country
: Country code of the signer of the X.509 certificate offered by the server.
type: keyword
zeek.ssl.server.issuer.locality
: Locality of the signer of the X.509 certificate offered by the server.
type: keyword
zeek.ssl.server.issuer.organization
: Organization of the signer of the X.509 certificate offered by the server.
type: keyword
zeek.ssl.server.issuer.organizational_unit
: Organizational unit of the signer of the X.509 certificate offered by the server.
type: keyword
zeek.ssl.server.issuer.state
: State or province name of the signer of the X.509 certificate offered by the server.
type: keyword
Subject of the X.509 certificate offered by the server.
zeek.ssl.server.subject.common_name
: Common name of the X.509 certificate offered by the server.
type: keyword
zeek.ssl.server.subject.country
: Country code of the X.509 certificate offered by the server.
type: keyword
zeek.ssl.server.subject.locality
: Locality of the X.509 certificate offered by the server.
type: keyword
zeek.ssl.server.subject.organization
: Organization of the X.509 certificate offered by the server.
type: keyword
zeek.ssl.server.subject.organizational_unit
: Organizational unit of the X.509 certificate offered by the server.
type: keyword
zeek.ssl.server.subject.state
: State or province name of the X.509 certificate offered by the server.
type: keyword
zeek.ssl.client.cert_chain
: Chain of certificates offered by the client to validate its complete signing chain.
type: keyword
zeek.ssl.client.cert_chain_fuids
: An ordered vector of certificate file identifiers for the certificates offered by the client.
type: keyword
Subject of the signer of the X.509 certificate offered by the client.
zeek.ssl.client.issuer.common_name
: Common name of the signer of the X.509 certificate offered by the client.
type: keyword
zeek.ssl.client.issuer.country
: Country code of the signer of the X.509 certificate offered by the client.
type: keyword
zeek.ssl.client.issuer.locality
: Locality of the signer of the X.509 certificate offered by the client.
type: keyword
zeek.ssl.client.issuer.organization
: Organization of the signer of the X.509 certificate offered by the client.
type: keyword
zeek.ssl.client.issuer.organizational_unit
: Organizational unit of the signer of the X.509 certificate offered by the client.
type: keyword
zeek.ssl.client.issuer.state
: State or province name of the signer of the X.509 certificate offered by the client.
type: keyword
Subject of the X.509 certificate offered by the client.
zeek.ssl.client.subject.common_name
: Common name of the X.509 certificate offered by the client.
type: keyword
zeek.ssl.client.subject.country
: Country code of the X.509 certificate offered by the client.
type: keyword
zeek.ssl.client.subject.locality
: Locality of the X.509 certificate offered by the client.
type: keyword
zeek.ssl.client.subject.organization
: Organization of the X.509 certificate offered by the client.
type: keyword
zeek.ssl.client.subject.organizational_unit
: Organizational unit of the X.509 certificate offered by the client.
type: keyword
zeek.ssl.client.subject.state
: State or province name of the X.509 certificate offered by the client.
type: keyword
Fields exported by the Zeek stats log.
zeek.stats.peer
: Peer that generated this log. Mostly for clusters.
type: keyword
zeek.stats.memory
: Amount of memory currently in use in MB.
type: integer
zeek.stats.packets.processed
: Number of packets processed since the last stats interval.
type: long
zeek.stats.packets.dropped
: Number of packets dropped since the last stats interval if reading live traffic.
type: long
zeek.stats.packets.received
: Number of packets seen on the link since the last stats interval if reading live traffic.
type: long
zeek.stats.bytes.received
: Number of bytes received since the last stats interval if reading live traffic.
type: long
zeek.stats.connections.tcp.active
: TCP connections currently in memory.
type: integer
zeek.stats.connections.tcp.count
: TCP connections seen since last stats interval.
type: integer
zeek.stats.connections.udp.active
: UDP connections currently in memory.
type: integer
zeek.stats.connections.udp.count
: UDP connections seen since last stats interval.
type: integer
zeek.stats.connections.icmp.active
: ICMP connections currently in memory.
type: integer
zeek.stats.connections.icmp.count
: ICMP connections seen since last stats interval.
type: integer
zeek.stats.events.processed
: Number of events processed since the last stats interval.
type: integer
zeek.stats.events.queued
: Number of events that have been queued since the last stats interval.
type: integer
zeek.stats.timers.count
: Number of timers scheduled since last stats interval.
type: integer
zeek.stats.timers.active
: Current number of scheduled timers.
type: integer
zeek.stats.files.count
: Number of files seen since last stats interval.
type: integer
zeek.stats.files.active
: Current number of files actively being seen.
type: integer
zeek.stats.dns_requests.count
: Number of DNS requests seen since last stats interval.
type: integer
zeek.stats.dns_requests.active
: Current number of DNS requests awaiting a reply.
type: integer
zeek.stats.reassembly_size.tcp
: Current size of TCP data in reassembly.
type: integer
zeek.stats.reassembly_size.file
: Current size of File data in reassembly.
type: integer
zeek.stats.reassembly_size.frag
: Current size of packet fragment data in reassembly.
type: integer
zeek.stats.reassembly_size.unknown
: Current size of unknown data in reassembly (this is only PIA buffer right now).
type: integer
zeek.stats.timestamp_lag
: Lag between the wall clock and packet timestamps if reading live traffic.
type: integer
Fields exported by the Zeek syslog log.
zeek.syslog.facility
: Syslog facility for the message.
type: keyword
zeek.syslog.severity
: Syslog severity for the message.
type: keyword
zeek.syslog.message
: The plain text message.
type: keyword
Fields exported by the Zeek SSH log.
zeek.tunnel.type
: The type of tunnel.
type: keyword
zeek.tunnel.action
: The type of activity that occurred.
type: keyword
Fields exported by the Zeek Weird log.
zeek.weird.name
: The name of the weird that occurred.
type: keyword
zeek.weird.additional_info
: Additional information accompanying the weird if any.
type: keyword
zeek.weird.notice
: Indicate if this weird was also turned into a notice.
type: boolean
zeek.weird.peer
: The peer that originated this weird. This is helpful in cluster deployments if a particular cluster node is having trouble to help identify which node is having trouble.
type: keyword
zeek.weird.identifier
: This field is to be provided when a weird is generated for the purpose of deduplicating weirds. The identifier string should be unique for a single instance of the weird. This field is used to define when a weird is conceptually a duplicate of a previous weird.
type: keyword
Fields exported by the Zeek x509 log.
zeek.x509.id
: File id of this certificate.
type: keyword
Basic information about the certificate.
zeek.x509.certificate.version
: Version number.
type: integer
zeek.x509.certificate.serial
: Serial number.
type: keyword
Subject.
zeek.x509.certificate.subject.country
: Country provided in the certificate subject.
type: keyword
zeek.x509.certificate.subject.common_name
: Common name provided in the certificate subject.
type: keyword
zeek.x509.certificate.subject.locality
: Locality provided in the certificate subject.
type: keyword
zeek.x509.certificate.subject.organization
: Organization provided in the certificate subject.
type: keyword
zeek.x509.certificate.subject.organizational_unit
: Organizational unit provided in the certificate subject.
type: keyword
zeek.x509.certificate.subject.state
: State or province provided in the certificate subject.
type: keyword
Issuer.
zeek.x509.certificate.issuer.country
: Country provided in the certificate issuer field.
type: keyword
zeek.x509.certificate.issuer.common_name
: Common name provided in the certificate issuer field.
type: keyword
zeek.x509.certificate.issuer.locality
: Locality provided in the certificate issuer field.
type: keyword
zeek.x509.certificate.issuer.organization
: Organization provided in the certificate issuer field.
type: keyword
zeek.x509.certificate.issuer.organizational_unit
: Organizational unit provided in the certificate issuer field.
type: keyword
zeek.x509.certificate.issuer.state
: State or province provided in the certificate issuer field.
type: keyword
zeek.x509.certificate.common_name
: Last (most specific) common name.
type: keyword
Certificate validity timestamps
zeek.x509.certificate.valid.from
: Timestamp before when certificate is not valid.
type: date
zeek.x509.certificate.valid.until
: Timestamp after when certificate is not valid.
type: date
zeek.x509.certificate.key.algorithm
: Name of the key algorithm.
type: keyword
zeek.x509.certificate.key.type
: Key type, if key parseable by openssl (either rsa, dsa or ec).
type: keyword
zeek.x509.certificate.key.length
: Key length in bits.
type: integer
zeek.x509.certificate.signature_algorithm
: Name of the signature algorithm.
type: keyword
zeek.x509.certificate.exponent
: Exponent, if RSA-certificate.
type: keyword
zeek.x509.certificate.curve
: Curve, if EC-certificate.
type: keyword
Subject alternative name extension of the certificate.
zeek.x509.san.dns
: List of DNS entries in SAN.
type: keyword
zeek.x509.san.uri
: List of URI entries in SAN.
type: keyword
zeek.x509.san.email
: List of email entries in SAN.
type: keyword
zeek.x509.san.ip
: List of IP entries in SAN.
type: ip
zeek.x509.san.other_fields
: True if the certificate contained other, not recognized or parsed name fields.
type: boolean
Basic constraints extension of the certificate.
zeek.x509.basic_constraints.certificate_authority
: CA flag set or not.
type: boolean
zeek.x509.basic_constraints.path_length
: Maximum path length.
type: integer
zeek.x509.log_cert
: Present if policy/protocols/ssl/log-hostcerts-only.bro is loaded Logging of certificate is suppressed if set to F.
type: boolean