--- title: Zeek (Bro) fields description: Module for handling logs produced by Zeek/Bro Fields from Zeek/Bro logs after normalization Fields exported by the Zeek capture_loss log Fields exported... url: https://www.elastic.co/elastic/docs-builder/docs/3028/reference/beats/filebeat/exported-fields-zeek products: - Beats - Filebeat applies_to: - Elastic Cloud Serverless: Generally available - Elastic Stack: Generally available --- # Zeek (Bro) fields Module for handling logs produced by Zeek/Bro ## zeek Fields from Zeek/Bro logs after normalization A unique identifier of the session type: keyword ## capture_loss Fields exported by the Zeek capture_loss log The time delay between this measurement and the last. type: integer In the event that there are multiple Bro instances logging to the same host, this distinguishes each peer with its individual name. type: keyword Number of missed ACKs from the previous measurement interval. type: integer Total number of ACKs seen in the previous measurement interval. type: integer Percentage of ACKs seen where the data being ACKed wasn't seen. type: double ## connection Fields exported by the Zeek Connection log Indicates whether the session is originated locally. type: boolean Indicates whether the session is responded locally. type: boolean Missed bytes for the session. type: long Code indicating the state of the session. type: keyword The state of the session. type: keyword ICMP message type. type: integer ICMP message code. type: integer Flags indicating the history of the session. type: keyword VLAN identifier. type: integer VLAN identifier. type: integer ## dce_rpc Fields exported by the Zeek DCE_RPC log Round trip time from the request to the response. If either the request or response wasn't seen, this will be null. type: integer Remote pipe name. type: keyword Endpoint name looked up from the uuid. type: keyword Operation seen in the call. type: keyword ## dhcp Fields exported by the Zeek DHCP log Domain given by the server in option 15. type: keyword Duration of the DHCP session representing the time from the first message to the last, in seconds. type: double Name given by client in Hostname option 12. type: keyword FQDN given by client in Client FQDN option 81. type: keyword IP address lease interval in seconds. type: integer ## address Addresses seen in this DHCP exchange. IP address assigned by the server. type: ip IP address of the client. If a transaction is only a client sending INFORM messages then there is no lease information exchanged so this is helpful to know who sent the messages. Getting an address in this field does require that the client sources at least one DHCP message using a non-broadcast address. type: ip Client's hardware address. type: keyword IP address requested by the client. type: ip IP address of the DHCP server. type: ip List of DHCP message types seen in this exchange. type: keyword (present if policy/protocols/dhcp/msg-orig.bro is loaded) The address that originated each message from the msg.types field. type: ip Message typically accompanied with a DHCP_DECLINE so the client can tell the server why it rejected an address. type: keyword Message typically accompanied with a DHCP_NAK to let the client know why it rejected the request. type: keyword (present if policy/protocols/dhcp/software.bro is loaded) Software reported by the client in the vendor_class option. type: keyword (present if policy/protocols/dhcp/software.bro is loaded) Software reported by the client in the vendor_class option. type: keyword (present if policy/protocols/dhcp/sub-opts.bro is loaded) Added by DHCP relay agents which terminate switched or permanent circuits. It encodes an agent-local identifier of the circuit from which a DHCP client-to-server packet was received. Typically it should represent a router or switch interface number. type: keyword (present if policy/protocols/dhcp/sub-opts.bro is loaded) A globally unique identifier added by relay agents to identify the remote host end of the circuit. type: keyword (present if policy/protocols/dhcp/sub-opts.bro is loaded) The subscriber ID is a value independent of the physical network configuration so that a customer's DHCP configuration can be given to them correctly no matter where they are physically connected. type: keyword ## dnp3 Fields exported by the Zeek DNP3 log The name of the function message in the request. type: keyword The name of the function message in the reply. type: keyword The response's internal indication number. type: integer ## dns Fields exported by the Zeek DNS log DNS transaction identifier. type: keyword Round trip time for the query and response. type: double The domain name that is the subject of the DNS query. type: keyword The QCLASS value specifying the class of the query. type: long A descriptive name for the class of the query. type: keyword A QTYPE value specifying the type of the query. type: long A descriptive name for the type of the query. type: keyword The response code value in DNS response messages. type: long A descriptive name for the response code value. type: keyword The Authoritative Answer bit for response messages specifies that the responding name server is an authority for the domain name in the question section. type: boolean The Truncation bit specifies that the message was truncated. type: boolean The Recursion Desired bit in a request message indicates that the client wants recursive service for this query. type: boolean The Recursion Available bit in a response message indicates that the name server supports recursive queries. type: boolean The set of resource descriptions in the query answer. type: keyword The caching intervals of the associated RRs described by the answers field. type: double Indicates whether the DNS query was rejected by the server. type: boolean The total number of resource records in the reply. type: integer The total number of resource records in the reply message. type: integer Whether the full DNS query has been seen. type: boolean Whether the full DNS reply has been seen. type: boolean ## dpd Fields exported by the Zeek DPD log The analyzer that generated the violation. type: keyword The textual reason for the analysis failure. type: keyword (present if policy/frameworks/dpd/packet-segment-logging.bro is loaded) A chunk of the payload that most likely resulted in the protocol violation. type: keyword ## files Fields exported by the Zeek Files log. A file unique identifier. type: keyword The host that transferred the file. type: ip The host that received the file. type: ip The sessions that have this file. type: keyword An identification of the source of the file data. E.g. it may be a network protocol over which it was transferred, or a local file path which was read, or some other input source. type: keyword A value to represent the depth of this file in relation to its source. In SMTP, it is the depth of the MIME attachment on the message. In HTTP, it is the depth of the request within the TCP connection. type: long A set of analysis types done during the file analysis. type: keyword Mime type of the file. type: keyword Name of the file if available. type: keyword If the source of this file is a network connection, this field indicates if the data originated from the local network or not. type: boolean If the source of this file is a network connection, this field indicates if the file is being sent by the originator of the connection or the responder. type: boolean The duration the file was analyzed for. Not the duration of the session. type: double Number of bytes provided to the file analysis engine for the file. type: long Total number of bytes that are supposed to comprise the full file. type: long The number of bytes in the file stream that were completely missed during the process of analysis. type: long The number of bytes in the file stream that were not delivered to stream file analyzers. This could be overlapping bytes or bytes that couldn't be reassembled. type: long Whether the file analysis timed out at least once for the file. type: boolean Identifier associated with a container file from which this one was extracted as part of the file analysis. type: keyword An MD5 digest of the file contents. type: keyword A SHA1 digest of the file contents. type: keyword A SHA256 digest of the file contents. type: keyword Local filename of extracted file. type: keyword Indicate whether the file being extracted was cut off hence not extracted completely. type: boolean The number of bytes extracted to disk. type: long The information density of the contents of the file. type: double ## ftp Fields exported by the Zeek FTP log User name for the current FTP session. type: keyword Password for the current FTP session if captured. type: keyword Command given by the client. type: keyword Argument for the command if one is given. type: keyword Size of the file if the command indicates a file transfer. type: long Sniffed mime type of file. type: keyword (present if base/protocols/ftp/files.bro is loaded) File unique ID. type: keyword Reply code from the server in response to the command. type: integer Reply message from the server in response to the command. type: keyword ## data_channel Expected FTP data channel. Whether PASV mode is toggled for control channel. type: boolean The host that will be initiating the data connection. type: ip The host that will be accepting the data connection. type: ip The port at which the acceptor is listening for the data connection. type: integer Current working directory that this session is in. By making the default value '.', we can indicate that unless something more concrete is discovered that the existing but unknown directory is ok to use. type: keyword ## cmdarg Command that is currently waiting for a response. Command. type: keyword Argument for the command if one was given. type: keyword Counter to track how many commands have been executed. type: integer Queue for commands that have been sent but not yet responded to are tracked here. type: integer Indicates if the session is in active or passive mode. type: boolean Determines if the password will be captured for this request. type: boolean present if base/protocols/ftp/gridftp.bro is loaded. Last authentication/security mechanism that was used. type: keyword ## http Fields exported by the Zeek HTTP log Represents the pipelined depth into the connection of this request/response transaction. type: integer Status message returned by the server. type: keyword Last seen 1xx informational reply code returned by the server. type: integer Last seen 1xx informational reply message returned by the server. type: keyword A set of indicators of various attributes discovered and related to a particular request/response pair. type: keyword Password if basic-auth is performed for the request. type: keyword Determines if the password will be captured for this request. type: boolean All of the headers that may indicate if the HTTP request was proxied. type: keyword Indicates if this request can assume 206 partial content in response. type: boolean The vector of HTTP header names sent by the client. No header values are included here, just the header names. type: keyword The vector of HTTP header names sent by the server. No header values are included here, just the header names. type: keyword An ordered vector of file unique IDs from the originator. type: keyword An ordered vector of mime types from the originator. type: keyword An ordered vector of filenames from the originator. type: keyword An ordered vector of file unique IDs from the responder. type: keyword An ordered vector of mime types from the responder. type: keyword An ordered vector of filenames from the responder. type: keyword Current number of MIME entities in the HTTP request message body. type: integer Current number of MIME entities in the HTTP response message body. type: integer ## intel Fields exported by the Zeek Intel log. The intelligence indicator. type: keyword The type of data the indicator represents. type: keyword If the indicator type was Intel::ADDR, then this field will be present. type: keyword If the data was discovered within a connection, the connection record should go here to give context to the data. type: keyword Where the data was discovered. type: keyword The name of the node where the match was discovered. type: keyword If the data was discovered within a connection, the connection uid should go here to give context to the data. If the conn field is provided, this will be automatically filled out. type: keyword If the data was discovered within a file, the file record should go here to provide context to the data. type: object If the data was discovered within a file, the file uid should go here to provide context to the data. If the file record f is provided, this will be automatically filled out. type: keyword Event to represent a match in the intelligence data from data that was seen. type: keyword Sources which supplied data for this match. type: keyword If a file was associated with this intelligence hit, this is the uid for the file. type: keyword A mime type if the intelligence hit is related to a file. If the $f field is provided this will be automatically filled out. type: keyword Frequently files can be described to give a bit more context. If the $f field is provided this field will be automatically filled out. type: keyword ## irc Fields exported by the Zeek IRC log Nickname given for the connection. type: keyword Username given for the connection. type: keyword Command given by the client. type: keyword Value for the command given by the client. type: keyword Any additional data for the command. type: keyword Present if base/protocols/irc/dcc-send.bro is loaded. DCC filename requested. type: keyword Present if base/protocols/irc/dcc-send.bro is loaded. Size of the DCC transfer as indicated by the sender. type: long present if base/protocols/irc/dcc-send.bro is loaded. Sniffed mime type of the file. type: keyword present if base/protocols/irc/files.bro is loaded. File unique ID. type: keyword ## kerberos Fields exported by the Zeek Kerberos log Request type - Authentication Service (AS) or Ticket Granting Service (TGS). type: keyword Client name. type: keyword Service name. type: keyword Request result. type: boolean Error code. type: integer Error message. type: keyword Ticket valid from. type: date Ticket valid until. type: date Number of days the ticket is valid for. type: integer Ticket encryption type. type: keyword Forwardable ticket requested. type: boolean Renewable ticket requested. type: boolean Hash of ticket used to authorize request/transaction. type: keyword Hash of ticket returned by the KDC. type: keyword Client certificate. type: keyword File unique ID of client cert. type: keyword Subject of client certificate. type: keyword Server certificate. type: keyword File unique ID of server certificate. type: keyword Subject of server certificate. type: keyword ## modbus Fields exported by the Zeek modbus log. The name of the function message that was sent. type: keyword The exception if the response was a failure. type: keyword Present if policy/protocols/modbus/track-memmap.bro is loaded. Modbus track address. type: integer ## mysql Fields exported by the Zeek MySQL log. The command that was issued. type: keyword The argument issued to the command. type: keyword Whether the command succeeded. type: boolean The number of affected rows, if any. type: integer Server message, if any. type: keyword ## notice Fields exported by the Zeek Notice log. Identifier of the related connection session. type: keyword Identifier of the related ICMP session. type: keyword An identifier associated with a single file that is related to this notice. type: keyword Identifier associated with a container file from which this one was extracted. type: keyword An identification of the source of the file data. E.g. it may be a network protocol over which it was transferred, or a local file path which was read, or some other input source. type: keyword A mime type if the notice is related to a file. type: keyword If the source of this file is a network connection, this field indicates if the file is being sent by the originator of the connection or the responder. type: boolean Number of bytes provided to the file analysis engine for the file. type: long Total number of bytes that are supposed to comprise the full file. type: long The number of bytes in the file stream that were completely missed during the process of analysis. type: long The number of bytes in the file stream that were not delivered to stream file analyzers. This could be overlapping bytes or bytes that couldn't be reassembled. type: long A file unique ID if this notice is related to a file. type: keyword The type of the notice. type: keyword The human readable message for the notice. type: keyword The human readable sub-message. type: keyword Associated count, or a status code. type: long Name of remote peer that raised this notice. type: keyword Textual description for the peer that raised this notice. type: text The actions which have been applied to this notice. type: keyword By adding chunks of text into this element, other scripts can expand on notices that are being emailed. type: text Adding a string token to this set will cause the built-in emailing functionality to delay sending the email either the token has been removed or the email has been delayed for the specified time duration. type: keyword This field is provided when a notice is generated for the purpose of deduplicating notices. type: keyword This field indicates the length of time that this unique notice should be suppressed. type: double Indicate if the source IP address was dropped and denied network access. type: boolean ## ntlm Fields exported by the Zeek NTLM log. Domain name given by the client. type: keyword Hostname given by the client. type: keyword Indicate whether or not the authentication was successful. type: boolean Username given by the client. type: keyword DNS name given by the server in a CHALLENGE. type: keyword NetBIOS name given by the server in a CHALLENGE. type: keyword Tree name given by the server in a CHALLENGE. type: keyword ## ntp Fields exported by the Zeek NTP log. The NTP version number (1, 2, 3, 4). type: integer The NTP mode being used. type: integer The stratum (primary server, secondary server, etc.). type: integer The maximum interval between successive messages in seconds. type: double The precision of the system clock in seconds. type: double Total round-trip delay to the reference clock in seconds. type: double Total dispersion to the reference clock in seconds. type: double For stratum 0, 4 character string used for debugging. For stratum 1, ID assigned to the reference clock by IANA. Above stratum 1, when using IPv4, the IP address of the reference clock. Note that the NTP protocol did not originally specify a large enough field to represent IPv6 addresses, so they use the first four bytes of the MD5 hash of the reference clock’s IPv6 address (i.e. an IPv4 address here is not necessarily IPv4). type: keyword Time when the system clock was last set or correct. type: date Time at the client when the request departed for the NTP server. type: date Time at the server when the request arrived from the NTP client. type: date Time at the server when the response departed for the NTP client. type: date Number of extension fields (which are not currently parsed). type: integer ## ocsp Fields exported by the Zeek OCSP log Online Certificate Status Protocol (OCSP). Only created if policy script is loaded. File id of the OCSP reply. type: keyword Hash algorithm used to generate issuerNameHash and issuerKeyHash. type: keyword Hash of the issuer's distingueshed name. type: keyword Hash of the issuer's public key. type: keyword Serial number of the affected certificate. type: keyword Status of the affected certificate. type: keyword Time at which the certificate was revoked. type: date Reason for which the certificate was revoked. type: keyword The time at which the status being shows is known to have been correct. type: date The latest time at which new information about the status of the certificate will be available. type: date ## pe Fields exported by the Zeek pe log. The client's version string. type: keyword File id of this portable executable file. type: keyword The target machine that the file was compiled for. type: keyword The time that the file was created at. type: date The required operating system. type: keyword The subsystem that is required to run this file. type: keyword Is the file an executable, or just an object file? type: boolean Is the file a 64-bit executable? type: boolean Does the file support Address Space Layout Randomization? type: boolean Does the file support Data Execution Prevention? type: boolean Does the file enforce code integrity checks? type: boolean Does the file use structured exception handing? type: boolean Does the file have an import table? type: boolean Does the file have an export table? type: boolean Does the file have an attribute certificate table? type: boolean Does the file have a debug table? type: boolean The names of the sections, in order. type: keyword ## radius Fields exported by the Zeek Radius log. The username, if present. type: keyword MAC address, if present. type: keyword The address given to the network access server, if present. This is only a hint from the RADIUS server and the network access server is not required to honor the address. type: ip Remote IP address, if present. This is collected from the Tunnel-Client-Endpoint attribute. type: ip Connect info, if present. type: keyword Reply message from the server challenge. This is frequently shown to the user authenticating. type: keyword Successful or failed authentication. type: keyword The duration between the first request and either the "Access-Accept" message or an error. If the field is empty, it means that either the request or response was not seen. type: integer Whether this has already been logged and can be ignored. type: boolean ## rdp Fields exported by the Zeek RDP log. Cookie value used by the client machine. This is typically a username. type: keyword Status result for the connection. It's a mix between RDP negotation failure messages and GCC server create response messages. type: keyword Security protocol chosen by the server. type: keyword Keyboard layout (language) of the client machine. type: keyword RDP client version used by the client machine. type: keyword Name of the client machine. type: keyword Product ID of the client machine. type: keyword Desktop width of the client machine. type: integer Desktop height of the client machine. type: integer The color depth requested by the client in the high_color_depth field. type: keyword If the connection is being encrypted with native RDP encryption, this is the type of cert being used. type: keyword The number of certs seen. X.509 can transfer an entire certificate chain. type: integer Indicates if the provided certificate or certificate chain is permanent or temporary. type: boolean Encryption level of the connection. type: keyword Encryption method of the connection. type: keyword Track status of logging RDP connections. type: boolean (present if policy/protocols/rdp/indicate_ssl.bro is loaded) Flag the connection if it was seen over SSL. type: boolean ## rfb Fields exported by the Zeek RFB log. Major version of the client. type: keyword Minor version of the client. type: keyword Major version of the server. type: keyword Minor version of the server. type: keyword Whether or not authentication was successful. type: boolean Identifier of authentication method used. type: keyword Whether the client has an exclusive or a shared session. type: boolean Name of the screen that is being shared. type: keyword Width of the screen that is being shared. type: integer Height of the screen that is being shared. type: integer ## signature Fields exported by the Zeek Signature log. Notice associated with signature event. type: keyword The name of the signature that matched. type: keyword A more descriptive message of the signature-matching event. type: keyword Extracted payload data or extra message. type: keyword Number of sigs, usually from summary count. type: integer Number of hosts, from a summary count. type: integer ## sip Fields exported by the Zeek SIP log. Represents the pipelined depth into the connection of this request/response transaction. type: integer Verb used in the SIP request (INVITE, REGISTER etc.). type: keyword Contents of the CSeq: header from the client. type: keyword URI used in the request. type: keyword Contents of the Date: header from the client. type: keyword Contents of the request From: header Note: The tag= value that's usually appended to the sender is stripped off and not logged. type: keyword Contents of the To: header. type: keyword The client message transmission path, as extracted from the headers. type: keyword Contents of the Content-Length: header from the client. type: long Contents of the response From: header Note: The tag= value that's usually appended to the sender is stripped off and not logged. type: keyword Contents of the response To: header. type: keyword The server message transmission path, as extracted from the headers. type: keyword Contents of the Content-Length: header from the server. type: long Contents of the Reply-To: header. type: keyword Contents of the Call-ID: header from the client. type: keyword Contents of the Subject: header from the client. type: keyword Contents of the User-Agent: header from the client. type: keyword Status code returned by the server. type: integer Status message returned by the server. type: keyword Contents of the Warning: header. type: keyword Contents of the Content-Type: header from the server. type: keyword ## smb_cmd Fields exported by the Zeek smb_cmd log. The command sent by the client. type: keyword The subcommand sent by the client, if present. type: keyword Command argument sent by the client, if any. type: keyword Server reply to the client's command. type: keyword Round trip time from the request to the response. type: double Version of SMB for the command. type: keyword Authenticated username, if available. type: keyword If this is related to a tree, this is the tree that was used for the current command. type: keyword The type of tree (disk share, printer share, named pipe, etc.). type: keyword ## file If the command referenced a file, store it here. Filename if one was seen. type: keyword Action this log record represents. type: keyword UID of the referenced file. type: keyword Address of the transmitting host. type: ip Address of the receiving host. type: ip Present if base/protocols/smb/smb1-main.bro is loaded. Dialects offered by the client. type: keyword Present if base/protocols/smb/smb2-main.bro is loaded. Dialects offered by the client. type: integer ## smb_files Fields exported by the Zeek SMB Files log. Action this log record represents. type: keyword ID referencing this file. type: integer Filename if one was seen. type: keyword Path pulled from the tree this file was transferred to or from. type: keyword If the rename action was seen, this will be the file's previous name. type: keyword Byte size of the file. type: long ## times Timestamps of the file. The file's access time. type: date The file's change time. type: date The file's create time. type: date The file's modify time. type: date UUID referencing this file if DCE/RPC. type: keyword ## smb_mapping Fields exported by the Zeek SMB_Mapping log. Name of the tree path. type: keyword The type of resource of the tree (disk share, printer share, named pipe, etc.). type: keyword File system of the tree. type: keyword If this is SMB2, a share type will be included. For SMB1, the type of share will be deduced and included as well. type: keyword ## smtp Fields exported by the Zeek SMTP log. A count to represent the depth of this message transaction in a single connection where multiple messages were transferred. type: integer Contents of the Helo header. type: keyword Email addresses found in the MAIL FROM header. type: keyword Email addresses found in the RCPT TO header. type: keyword Contents of the Date header. type: date Contents of the From header. type: keyword Contents of the To header. type: keyword Contents of the CC header. type: keyword Contents of the ReplyTo header. type: keyword Contents of the MsgID header. type: keyword Contents of the In-Reply-To header. type: keyword Contents of the Subject header. type: keyword Contents of the X-Originating-IP header. type: keyword Contents of the first Received header. type: keyword Contents of the second Received header. type: keyword The last message that the server sent to the client. type: keyword The message transmission path, as extracted from the headers. type: ip Value of the User-Agent header from the client. type: keyword Indicates that the connection has switched to using TLS. type: boolean Indicates if the "Received: from" headers should still be processed. type: boolean Indicates if client activity has been seen, but not yet logged. type: boolean (present if base/protocols/smtp/files.bro is loaded) An ordered vector of file unique IDs seen attached to the message. type: keyword Indicates if the message was sent through a webmail interface. type: boolean ## snmp Fields exported by the Zeek SNMP log. The amount of time between the first packet beloning to the SNMP session and the latest one seen. type: double The version of SNMP being used. type: keyword The community string of the first SNMP packet associated with the session. This is used as part of SNMP's (v1 and v2c) administrative/security framework. See RFC 1157 or RFC 1901. type: keyword The number of variable bindings in GetRequest/GetNextRequest PDUs seen for the session. type: integer The number of variable bindings in GetBulkRequest PDUs seen for the session. type: integer The number of variable bindings in GetResponse/Response PDUs seen for the session. type: integer The number of variable bindings in SetRequest PDUs seen for the session. type: integer A system description of the SNMP responder endpoint. type: keyword The time at which the SNMP responder endpoint claims it's been up since. type: date ## socks Fields exported by the Zeek SOCKS log. Protocol version of SOCKS. type: integer Username used to request a login to the proxy. type: keyword Password used to request a login to the proxy. type: keyword Server status for the attempt at using the proxy. type: keyword Client requested SOCKS address. Could be an address, a name or both. type: keyword Client requested port. type: integer Server bound address. Could be an address, a name or both. type: keyword Server bound port. type: integer Determines if the password will be captured for this request. type: boolean ## ssh Fields exported by the Zeek SSH log. The client's version string. type: keyword Direction of the connection. If the client was a local host logging into an external host, this would be OUTBOUND. INBOUND would be set for the opposite situation. type: keyword The server's key thumbprint. type: keyword The server's version string. type: keyword SSH major version (1 or 2). type: integer ## algorithm Cipher algorithms used in this session. The encryption algorithm in use. type: keyword The compression algorithm in use. type: keyword The server host key's algorithm. type: keyword The key exchange algorithm in use. type: keyword The signing (MAC) algorithm in use. type: keyword The number of authentication attemps we observed. There's always at least one, since some servers might support no authentication at all. It's important to note that not all of these are failures, since some servers require two-factor auth (e.g. password AND pubkey). type: integer Authentication result. type: boolean ## ssl Fields exported by the Zeek SSL log. SSL/TLS version that was logged. type: keyword SSL/TLS cipher suite that was logged. type: keyword Elliptic curve that was logged when using ECDH/ECDHE. type: keyword Flag to indicate if the session was resumed reusing the key material exchanged in an earlier connection. type: boolean Next protocol the server chose using the application layer next protocol extension. type: keyword Flag to indicate if this ssl session has been established successfully. type: boolean Result of certificate validation for this connection. type: keyword Result of certificate validation for this connection, given as OpenSSL validation code. type: keyword Last alert that was seen during the connection. type: keyword Value of the Server Name Indicator SSL/TLS extension. It indicates the server name that the client was requesting. type: keyword Chain of certificates offered by the server to validate its complete signing chain. type: keyword An ordered vector of certificate file identifiers for the certificates offered by the server. type: keyword ## issuer Subject of the signer of the X.509 certificate offered by the server. Common name of the signer of the X.509 certificate offered by the server. type: keyword Country code of the signer of the X.509 certificate offered by the server. type: keyword Locality of the signer of the X.509 certificate offered by the server. type: keyword Organization of the signer of the X.509 certificate offered by the server. type: keyword Organizational unit of the signer of the X.509 certificate offered by the server. type: keyword State or province name of the signer of the X.509 certificate offered by the server. type: keyword ## subject Subject of the X.509 certificate offered by the server. Common name of the X.509 certificate offered by the server. type: keyword Country code of the X.509 certificate offered by the server. type: keyword Locality of the X.509 certificate offered by the server. type: keyword Organization of the X.509 certificate offered by the server. type: keyword Organizational unit of the X.509 certificate offered by the server. type: keyword State or province name of the X.509 certificate offered by the server. type: keyword Chain of certificates offered by the client to validate its complete signing chain. type: keyword An ordered vector of certificate file identifiers for the certificates offered by the client. type: keyword ## issuer Subject of the signer of the X.509 certificate offered by the client. Common name of the signer of the X.509 certificate offered by the client. type: keyword Country code of the signer of the X.509 certificate offered by the client. type: keyword Locality of the signer of the X.509 certificate offered by the client. type: keyword Organization of the signer of the X.509 certificate offered by the client. type: keyword Organizational unit of the signer of the X.509 certificate offered by the client. type: keyword State or province name of the signer of the X.509 certificate offered by the client. type: keyword ## subject Subject of the X.509 certificate offered by the client. Common name of the X.509 certificate offered by the client. type: keyword Country code of the X.509 certificate offered by the client. type: keyword Locality of the X.509 certificate offered by the client. type: keyword Organization of the X.509 certificate offered by the client. type: keyword Organizational unit of the X.509 certificate offered by the client. type: keyword State or province name of the X.509 certificate offered by the client. type: keyword ## stats Fields exported by the Zeek stats log. Peer that generated this log. Mostly for clusters. type: keyword Amount of memory currently in use in MB. type: integer Number of packets processed since the last stats interval. type: long Number of packets dropped since the last stats interval if reading live traffic. type: long Number of packets seen on the link since the last stats interval if reading live traffic. type: long Number of bytes received since the last stats interval if reading live traffic. type: long TCP connections currently in memory. type: integer TCP connections seen since last stats interval. type: integer UDP connections currently in memory. type: integer UDP connections seen since last stats interval. type: integer ICMP connections currently in memory. type: integer ICMP connections seen since last stats interval. type: integer Number of events processed since the last stats interval. type: integer Number of events that have been queued since the last stats interval. type: integer Number of timers scheduled since last stats interval. type: integer Current number of scheduled timers. type: integer Number of files seen since last stats interval. type: integer Current number of files actively being seen. type: integer Number of DNS requests seen since last stats interval. type: integer Current number of DNS requests awaiting a reply. type: integer Current size of TCP data in reassembly. type: integer Current size of File data in reassembly. type: integer Current size of packet fragment data in reassembly. type: integer Current size of unknown data in reassembly (this is only PIA buffer right now). type: integer Lag between the wall clock and packet timestamps if reading live traffic. type: integer ## syslog Fields exported by the Zeek syslog log. Syslog facility for the message. type: keyword Syslog severity for the message. type: keyword The plain text message. type: keyword ## tunnel Fields exported by the Zeek SSH log. The type of tunnel. type: keyword The type of activity that occurred. type: keyword ## weird Fields exported by the Zeek Weird log. The name of the weird that occurred. type: keyword Additional information accompanying the weird if any. type: keyword Indicate if this weird was also turned into a notice. type: boolean The peer that originated this weird. This is helpful in cluster deployments if a particular cluster node is having trouble to help identify which node is having trouble. type: keyword This field is to be provided when a weird is generated for the purpose of deduplicating weirds. The identifier string should be unique for a single instance of the weird. This field is used to define when a weird is conceptually a duplicate of a previous weird. type: keyword ## x509 Fields exported by the Zeek x509 log. File id of this certificate. type: keyword ## certificate Basic information about the certificate. Version number. type: integer Serial number. type: keyword ## subject Subject. Country provided in the certificate subject. type: keyword Common name provided in the certificate subject. type: keyword Locality provided in the certificate subject. type: keyword Organization provided in the certificate subject. type: keyword Organizational unit provided in the certificate subject. type: keyword State or province provided in the certificate subject. type: keyword ## issuer Issuer. Country provided in the certificate issuer field. type: keyword Common name provided in the certificate issuer field. type: keyword Locality provided in the certificate issuer field. type: keyword Organization provided in the certificate issuer field. type: keyword Organizational unit provided in the certificate issuer field. type: keyword State or province provided in the certificate issuer field. type: keyword Last (most specific) common name. type: keyword ## valid Certificate validity timestamps Timestamp before when certificate is not valid. type: date Timestamp after when certificate is not valid. type: date Name of the key algorithm. type: keyword Key type, if key parseable by openssl (either rsa, dsa or ec). type: keyword Key length in bits. type: integer Name of the signature algorithm. type: keyword Exponent, if RSA-certificate. type: keyword Curve, if EC-certificate. type: keyword ## san Subject alternative name extension of the certificate. List of DNS entries in SAN. type: keyword List of URI entries in SAN. type: keyword List of email entries in SAN. type: keyword List of IP entries in SAN. type: ip True if the certificate contained other, not recognized or parsed name fields. type: boolean ## basic_constraints Basic constraints extension of the certificate. CA flag set or not. type: boolean Maximum path length. type: integer Present if policy/protocols/ssl/log-hostcerts-only.bro is loaded Logging of certificate is suppressed if set to F. type: boolean