=========
Log Files
=========

Listed below are the log files generated by Bro, with a brief description of
each log file and a link to the record type that documents its fields (the
column names in the log match the field names of that record).
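Every log listed on this page is written by Bro's ASCII writer in the same shape:
``#``-prefixed header lines that give the column separator, the markers for unset
and empty fields, the ``#fields`` names and the ``#types`` of each column (the same
names and types as the ``Info`` record linked in the third column of each table),
followed by one row per record. The reader below is an added example, not code
from the Bro project: it parses any such log from its own headers, converts cells
according to their declared types, and runs two small checks over a constructed,
trimmed ``conn.log`` sample (the field subset, hosts, UIDs and values are made up
for illustration).

```python
"""Header-driven reader for Bro ASCII logs (added example, not Bro's own code)."""
import re
from typing import Any, Dict, Iterator, List

# Constructed sample: a trimmed conn.log with a subset of the real Conn::Info
# columns. The hosts, UIDs and byte counts are invented for this example.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\ttunnel_parents\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring"
    "\tinterval\tcount\tcount\tstring\tset[string]\n"
    "1331901000.000000\tCXWv6p3arKYeMETxOg\t192.168.1.2\t49152\t93.184.216.34\t80"
    "\ttcp\thttp\t0.123\t200\t5000\tSF\t(empty)\n"
    "1331901005.000000\tCjhGID4nQcgTWjvg4c\t192.168.1.2\t49153\t203.0.113.9\t4444"
    "\ttcp\t-\t3600.5\t120000\t800\tS1\t(empty)\n"
    "1331901010.000000\tC4J4Th3PJpwUYZZ6gc\t192.168.1.7\t51000\t192.168.1.1\t53"
    "\tudp\tdns\t-\t60\t-\tS0\t(empty)\n"
    "#close\t2012-03-16-13-00-00\n"
)


def _decode_separator(raw: str) -> str:
    # The "#separator" line carries the separator as a literal escape, e.g. \x09.
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)


def _convert(value: str, btype: str, unset: str, empty: str, set_sep: str) -> Any:
    """Map one text cell to a Python value according to its #types entry."""
    if value == unset:
        return None
    if btype.startswith(("set[", "vector[")):
        if value == empty:
            return []
        inner = btype[btype.index("[") + 1:-1]
        return [_convert(v, inner, unset, empty, set_sep) for v in value.split(set_sep)]
    if btype in ("count", "int", "port"):
        return int(value)
    if btype in ("time", "interval", "double"):
        return float(value)
    if btype == "bool":
        return value == "T"
    return value  # string, addr, enum, subnet ... are kept as text


def parse_bro_log(text: str) -> Iterator[Dict[str, Any]]:
    """Yield one dict per data row, keyed by the #fields names of the log."""
    sep, set_sep, unset, empty = "\t", ",", "-", "(empty)"
    fields: List[str] = []
    types: List[str] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                sep = _decode_separator(line[len("#separator "):])
                continue
            key, _, rest = line[1:].partition(sep)
            if key == "set_separator":
                set_sep = rest
            elif key == "unset_field":
                unset = rest
            elif key == "empty_field":
                empty = rest
            elif key == "fields":
                fields = rest.split(sep)
            elif key == "types":
                types = rest.split(sep)
            continue  # #path, #open and #close carry no row data
        cells = line.split(sep)
        if len(cells) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(cells)}: {line!r}")
        yield {n: _convert(c, t, unset, empty, set_sep) for n, t, c in zip(fields, types, cells)}


def orig_bytes_by_host(records: List[Dict[str, Any]]) -> Dict[str, int]:
    """Total payload bytes sent per originating host (unset counts as 0)."""
    totals: Dict[str, int] = {}
    for r in records:
        totals[r["id.orig_h"]] = totals.get(r["id.orig_h"], 0) + (r["orig_bytes"] or 0)
    return totals


def unidentified_long_connections(records: List[Dict[str, Any]], min_duration: float = 600.0) -> List[str]:
    """UIDs of long-lived connections for which DPD assigned no service."""
    return [r["uid"] for r in records
            if r["service"] is None and (r["duration"] or 0.0) >= min_duration]


if __name__ == "__main__":
    recs = list(parse_bro_log(SAMPLE_CONN_LOG))
    print(orig_bytes_by_host(recs))
    for uid in unidentified_long_connections(recs):
        print("long connection without an identified service:", uid)
```

The same ``parse_bro_log`` works unchanged on ``dns.log``, ``notice.log`` or any
other log in the tables below, because the column names and types come from the
file rather than from the code; ``uid`` values can then be used to join rows
across logs. Bro's own ``bro-cut`` selects columns by the same ``#fields`` header
but returns text only, which is why the typed conversion is done here.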

Network Protocols
-----------------

+----------------------------+---------------------------------------+---------------------------------+
| Log File                   | Description                           | Field Descriptions              |
+============================+=======================================+=================================+
| conn.log                   | TCP/UDP/ICMP connections              | :bro:type:`Conn::Info`          |
+----------------------------+---------------------------------------+---------------------------------+
| dhcp.log                   | DHCP leases                           | :bro:type:`DHCP::Info`          |
+----------------------------+---------------------------------------+---------------------------------+
| dnp3.log                   | DNP3 requests and replies             | :bro:type:`DNP3::Info`          |
+----------------------------+---------------------------------------+---------------------------------+
| dns.log                    | DNS activity                          | :bro:type:`DNS::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| ftp.log                    | FTP activity                          | :bro:type:`FTP::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| http.log                   | HTTP requests and replies             | :bro:type:`HTTP::Info`          |
+----------------------------+---------------------------------------+---------------------------------+
| irc.log                    | IRC commands and responses            | :bro:type:`IRC::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| kerberos.log               | Kerberos requests and replies         | :bro:type:`KRB::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| modbus.log                 | Modbus commands and responses         | :bro:type:`Modbus::Info`        |
+----------------------------+---------------------------------------+---------------------------------+
| modbus_register_change.log | Tracks changes to Modbus holding      | :bro:type:`Modbus::MemmapInfo`  |
|                            | registers                             |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| mysql.log                  | MySQL commands and responses          | :bro:type:`MySQL::Info`         |
+----------------------------+---------------------------------------+---------------------------------+
| radius.log                 | RADIUS authentication attempts        | :bro:type:`RADIUS::Info`        |
+----------------------------+---------------------------------------+---------------------------------+
| rdp.log                    | RDP connection negotiation details    | :bro:type:`RDP::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| sip.log                    | SIP requests and replies              | :bro:type:`SIP::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| smtp.log                   | SMTP transactions                     | :bro:type:`SMTP::Info`          |
+----------------------------+---------------------------------------+---------------------------------+
| snmp.log                   | SNMP messages                         | :bro:type:`SNMP::Info`          |
+----------------------------+---------------------------------------+---------------------------------+
| socks.log                  | SOCKS proxy requests                  | :bro:type:`SOCKS::Info`         |
+----------------------------+---------------------------------------+---------------------------------+
| ssh.log                    | SSH connections                       | :bro:type:`SSH::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| ssl.log                    | SSL/TLS handshake info                | :bro:type:`SSL::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| syslog.log                 | Syslog messages                       | :bro:type:`Syslog::Info`        |
+----------------------------+---------------------------------------+---------------------------------+
| tunnel.log                 | Tunneling protocol events             | :bro:type:`Tunnel::Info`        |
+----------------------------+---------------------------------------+---------------------------------+

Files
-----

+----------------------------+---------------------------------------+---------------------------------+
| Log File                   | Description                           | Field Descriptions              |
+============================+=======================================+=================================+
| files.log                  | File analysis results                 | :bro:type:`Files::Info`         |
+----------------------------+---------------------------------------+---------------------------------+
| pe.log                     | Portable Executable (PE) headers      | :bro:type:`PE::Info`            |
+----------------------------+---------------------------------------+---------------------------------+
| x509.log                   | X.509 certificate info                | :bro:type:`X509::Info`          |
+----------------------------+---------------------------------------+---------------------------------+

Detection
---------

+----------------------------+---------------------------------------+---------------------------------+
| Log File                   | Description                           | Field Descriptions              |
+============================+=======================================+=================================+
| intel.log                  | Intelligence data matches             | :bro:type:`Intel::Info`         |
+----------------------------+---------------------------------------+---------------------------------+
| notice.log                 | Bro notices                           | :bro:type:`Notice::Info`        |
+----------------------------+---------------------------------------+---------------------------------+
| notice_alarm.log           | Notices given the ACTION_ALARM action | :bro:enum:`Notice::ACTION_ALARM`|
+----------------------------+---------------------------------------+---------------------------------+
| signatures.log             | Signature matches                     | :bro:type:`Signatures::Info`    |
+----------------------------+---------------------------------------+---------------------------------+
| traceroute.log             | Traceroute detection                  | :bro:type:`Traceroute::Info`    |
+----------------------------+---------------------------------------+---------------------------------+


Network Observations
--------------------

+----------------------------+---------------------------------------+---------------------------------+
| Log File                   | Description                           | Field Descriptions              |
+============================+=======================================+=================================+
| app_stats.log              | Web app usage statistics              | :bro:type:`AppStats::Info`      |
+----------------------------+---------------------------------------+---------------------------------+
| known_certs.log            | Observed SSL/TLS certificates         | :bro:type:`Known::CertsInfo`    |
+----------------------------+---------------------------------------+---------------------------------+
| known_devices.log          | MAC addresses of devices on the       | :bro:type:`Known::DevicesInfo`  |
|                            | network                               |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| known_hosts.log            | Hosts that have completed TCP         | :bro:type:`Known::HostsInfo`    |
|                            | handshakes                            |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| known_modbus.log           | Modbus masters and slaves             | :bro:type:`Known::ModbusInfo`   |
+----------------------------+---------------------------------------+---------------------------------+
| known_services.log         | Services running on hosts             | :bro:type:`Known::ServicesInfo` |
+----------------------------+---------------------------------------+---------------------------------+
| software.log               | Software being used on the network    | :bro:type:`Software::Info`      |
+----------------------------+---------------------------------------+---------------------------------+

Miscellaneous
-------------

+----------------------------+---------------------------------------+---------------------------------+
| Log File                   | Description                           | Field Descriptions              |
+============================+=======================================+=================================+
| barnyard2.log              | Alerts received from Barnyard2        | :bro:type:`Barnyard2::Info`     |
+----------------------------+---------------------------------------+---------------------------------+
| dpd.log                    | Dynamic protocol detection failures   | :bro:type:`DPD::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| unified2.log               | Interprets Snort's unified output     | :bro:type:`Unified2::Info`      |
+----------------------------+---------------------------------------+---------------------------------+
| weird.log                  | Unexpected network-level activity     | :bro:type:`Weird::Info`         |
+----------------------------+---------------------------------------+---------------------------------+

Bro Diagnostics
---------------

+----------------------------+---------------------------------------+---------------------------------+
| Log File                   | Description                           | Field Descriptions              |
+============================+=======================================+=================================+
| capture_loss.log           | Packet loss rate                      | :bro:type:`CaptureLoss::Info`   |
+----------------------------+---------------------------------------+---------------------------------+
| cluster.log                | Bro cluster messages                  | :bro:type:`Cluster::Info`       |
+----------------------------+---------------------------------------+---------------------------------+
| communication.log          | Communication events between Bro or   | :bro:type:`Communication::Info` |
|                            | Broccoli instances                    |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| loaded_scripts.log         | Shows all scripts loaded by Bro       | :bro:type:`LoadedScripts::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| packet_filter.log          | Packet filters that were applied      | :bro:type:`PacketFilter::Info`  |
+----------------------------+---------------------------------------+---------------------------------+
| prof.log                   | Profiling statistics (to create this  | N/A                             |
|                            | log, load policy/misc/profiling.bro)  |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| reporter.log               | Internal error/warning/info messages  | :bro:type:`Reporter::Info`      |
+----------------------------+---------------------------------------+---------------------------------+
| stats.log                  | Memory/event/packet/lag statistics    | :bro:type:`Stats::Info`         |
+----------------------------+---------------------------------------+---------------------------------+
| stderr.log                 | Captures standard error when Bro is   | N/A                             |
|                            | started from BroControl               |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| stdout.log                 | Captures standard output when Bro is  | N/A                             |
|                            | started from BroControl               |                                 |
+----------------------------+---------------------------------------+---------------------------------+

