Log Files

Listed below are the log files generated by Bro, including a brief description of the log file and links to descriptions of the fields for each log type.

Network Protocols

Log File Description Field Descriptions
conn.log TCP/UDP/ICMP connections Conn::Info
dce_rpc.log Distributed Computing Environment/RPC DCE_RPC::Info
dhcp.log DHCP leases DHCP::Info
dnp3.log DNP3 requests and replies DNP3::Info
dns.log DNS activity DNS::Info
ftp.log FTP activity FTP::Info
http.log HTTP requests and replies HTTP::Info
irc.log IRC commands and responses IRC::Info
kerberos.log Kerberos KRB::Info
modbus.log Modbus commands and responses Modbus::Info
modbus_register_change.log Tracks changes to Modbus holding registers Modbus::MemmapInfo
mysql.log MySQL MySQL::Info
ntlm.log NT LAN Manager (NTLM) NTLM::Info
radius.log RADIUS authentication attempts RADIUS::Info
rdp.log RDP RDP::Info
rfb.log Remote Framebuffer (RFB) RFB::Info
sip.log SIP SIP::Info
smb_cmd.log SMB commands SMB::CmdInfo
smb_files.log SMB files SMB::FileInfo
smb_mapping.log SMB trees SMB::TreeInfo
smtp.log SMTP transactions SMTP::Info
snmp.log SNMP messages SNMP::Info
socks.log SOCKS proxy requests SOCKS::Info
ssh.log SSH connections SSH::Info
ssl.log SSL/TLS handshake info SSL::Info
syslog.log Syslog messages Syslog::Info
tunnel.log Tunneling protocol events Tunnel::Info

Files

Log File Description Field Descriptions
files.log File analysis results Files::Info
pe.log Portable Executable (PE) PE::Info
x509.log X.509 certificate info X509::Info

NetControl

Log File Description Field Descriptions
netcontrol.log NetControl actions NetControl::Info
netcontrol_drop.log NetControl actions NetControl::DropInfo
netcontrol_shunt.log NetControl shunt actions NetControl::ShuntInfo
netcontrol_catch_release.log NetControl catch and release actions NetControl::CatchReleaseInfo
openflow.log OpenFlow debug log OpenFlow::Info

Detection

Log File Description Field Descriptions
intel.log Intelligence data matches Intel::Info
notice.log Bro notices Notice::Info
notice_alarm.log The alarm stream Notice::ACTION_ALARM
signatures.log Signature matches Signatures::Info
traceroute.log Traceroute detection Traceroute::Info

Network Observations

Log File Description Field Descriptions
known_certs.log SSL certificates Known::CertsInfo
known_devices.log MAC addresses of devices on the network Known::DevicesInfo
known_hosts.log Hosts that have completed TCP handshakes Known::HostsInfo
known_modbus.log Modbus masters and slaves Known::ModbusInfo
known_services.log Services running on hosts Known::ServicesInfo
software.log Software being used on the network Software::Info

Miscellaneous

Log File Description Field Descriptions
barnyard2.log Alerts received from Barnyard2 Barnyard2::Info
dpd.log Dynamic protocol detection failures DPD::Info
unified2.log Interprets Snort’s unified output Unified2::Info
weird.log Unexpected network-level activity Weird::Info

Bro Diagnostics

Log File Description Field Descriptions
capture_loss.log Packet loss rate CaptureLoss::Info
cluster.log Bro cluster messages Cluster::Info
communication.log Communication events between Bro or Broccoli instances Communication::Info
loaded_scripts.log Shows all scripts loaded by Bro LoadedScripts::Info
packet_filter.log List packet filters that were applied PacketFilter::Info
prof.log Profiling statistics (to create this log, load policy/misc/profiling.bro) N/A
reporter.log Internal error/warning/info messages Reporter::Info
stats.log Memory/event/packet/lag statistics Stats::Info
stderr.log Captures standard error when Bro is started from BroControl N/A
stdout.log Captures standard output when Bro is started from BroControl N/A

Next Page

Notices

Previous Page

Directives

Copyright 2016, The Bro Project. Last updated on December 15, 2017. Created using Sphinx 1.5.2.