Zeek Fields

The following lists field names as they are formatted in Zeek logs, then processed by Logstash and ingested into Elasticsearch.

The original field name (from Zeek) appears on the left, and if changed, the updated name or formatting of the field (Elasticsearch) will appear on the right.

(Zeek => Elastic)

conn.log

type:bro_conn

/etc/logstash/conf.d/1100_preprocess_bro_conn.conf

ts => timestamp

uid

id.orig_h => source_ip

id.orig_p => source_port

id.resp_h => destination_ip

id.resp_p => destination_port

proto => protocol

service

duration

orig_bytes => original_bytes

resp_bytes => respond_bytes

conn_state => connection_state => connection_state_description

Dictionary
S0 "Connection attempt seen, no reply"
S1 "Connection established, not terminated"
S2 "Connection established and close attempt by originator seen (but no reply from responder)"
S3 "Connection established and close attempt by responder seen (but no reply from originator)"
SF "Normal SYN/FIN completion"
REJ "Connection attempt rejected"
RSTO "Connection established, originator aborted (sent a RST)"
RSTR "Established, responder aborted"
RSTOS0 "Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder"
RSTRH "Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator"
SH "Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was 'half' open)"
SHR "Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator"
OTH "No SYN seen, just midstream traffic (a 'partial connection' that was not later closed)"

local_orig

local_resp => local_respond

missed_bytes

history

orig_pkts => original_packets

orig_ip_bytes => original_ipbytes

resp_pkts => respond_packets

resp_ip_bytes => respond_ipbytes

tunnel_parents

original_country_code

respond_country_code

sensor_name

dhcp.log

type:bro_dhcp

/etc/logstash/conf.d/1101_preprocess_bro_dhcp.conf

ts => timestamp

uid

id.orig_h => source_ip

id.orig_p => source_port

id.resp_h => destination_ip

id.resp_p => destination_port

mac

assigned_ip

lease_time

trans_id => transaction_id

dns.log

type:bro_dns

/etc/logstash/conf.d/1102_preprocess_bro_dns.conf

ts = > timestamp

uid

id.orig_h => source_ip

id.orig_p => source_port

id.resp_h => destination_ip

id.resp_p => destination_port

proto => protocol

trans_id => transaction_id

rtt

query

qclass => query_class

qclass_name => query_class_name

qtype => query_type

qtype_name => query_type_name

rcode

rcode_name

AA => aa

TC => tc

RD => rd

RA => ra

Z => z

answers

TTLS => ttls (removed if not available)

rejected

dpd.log

type:bro_dpd

/etc/logstash/conf.d/1103_preprocess_bro_dpd.conf

ts => timestamp

uid

id.orig_h => source_ip

id.orig_p => source_port

id.resp_h => destination_ip

id.resp_p => destination_port

proto => protocol

analyzer

failure_reason

files.log

type:bro_files

/etc/logstash/conf.d/1104_preprocess_bro_files.conf

ts => timestamp

fuid

tx_hosts => file_ip

rx_hosts => destination_ip

conn_uids => connection_uids

source

depth

analyzers => analyzer

mime_type => mimetype

filename => file_name

duration

local_orig

is_orig

seen_bytes

total_bytes

missing_bytes

overflow_bytes

timedout => timed_out

parent_fuid

md5

sha1

sha256

extracted

extracted_cutoff

extracted_size

ftp.log

type:bro_ftp

/etc/logstash/conf.d/1105_preprocess_bro_ftp.conf

ts => timestamp

uid

id.orig_h => source_ip

id.orig_p => source_port

id.resp_h => destination_ip

id.resp_p => destination_port

user => ftp_username

password

command => ftp_command

arg => ftp_argument

mime_type => mimetype

file_size

reply_code

reply_msg => reply_message

data_channel.passive => data_channel_passive

data_channel.orig_h => data_channel_source_ip

data_channel.resp_h => data_channel_destination_ip

data_channel.resp_h => data_channel_destination_port

fuid

http.log

type:bro_http

/etc/logstash/conf.d/1106_preprocess_bro_http.conf

ts => timestamp

uid

id.orig_h => source_ip

id.orig_p => source_port

id.resp_h => destination_ip

id.resp_p => destination_port

trans_depth

method

host => virtual_host

uri

referrer

version

user_agent => useragent

request_body_len => request_body_length

response_body_len => response_body_length

status_code

status_message

info_code

info_msg => info_message

tags (removed)

username => user

password

proxied

orig_fuids

orig_filenames

orig_mime_types

resp_fuids

resp_filenames

resp_mime_types

intel.log

type:bro_intel

/etc/logstash/conf.d/1124_preprocess_bro_intel.conf

ts => timestamp

uid

id.orig_h => source_ip

id.orig_p => source_port

id.resp_h => destination_ip

id.resp_p => destination_port

seen.indicator => indicator

seen.indicator_type => indicator_type

seen.where => seen_where

seen.node => seen_node

matched

sources

fuid

file_mime_type => mimetype

file_desc => file_description

irc.log

type:bro_irc

/etc/logstash/conf.d/1107_preprocess_bro_irc.conf

ts => timestamp

uid

id.orig_h => source_ip

id.orig_p => source_port

id.resp_h => destination_ip

id.resp_p => destination_port

nick

user => irc_username

command => irc_command

value

addl => additional_info

dcc_file_name

dcc_file_size

dcc_mime_type

fuid

kerberos.log

type:bro_kerberos

/etc/logstash/conf.d/1108_preprocess_bro_kerberos.conf

timestamp

uid

id.orig_h => source_ip

id.orig_p => source_port

id.resp_h => destination_ip

id.resp_p => destination_port

request_type

client

service

success => kerberos_success

error_msg => error_message

from => email_from

till => valid_till

cipher

forwardable

renewable

client_cert => client_certificate_subject

client_cert_fuid => client_certificate_uid

server_cert_subject => server_certificate_subject

server_cert_fuid => server_certificate_fuid

modbus.log

type:bro_modbus

/etc/logstash/conf.d/1125_preprocess_bro_modbus.conf

ts => timestamp

uid

id.orig_h => source_ip

id.orig_p => source_port

id.resp_h => destination_ip

id.resp_p => destination_port

func => function

exception

mysql.log

type:bro_mysql

/etc/logstash/conf.d/1121_preprocess_bro_mysql.conf

ts => timestamp

uid

id.orig_h => source_ip

id.orig_p => source_port

id.resp_h => destination_ip

id.resp_p => destination_port

cmd => mysql_command

arg => mysql_argument

success => mysql_success

rows

response

notice.log

type:bro_notice

/etc/logstash/conf.d/1109_preprocess_bro_notice.conf

ts => timestamp

uid

id.orig_h => source_ip

id.orig_p => source_port

id.resp_h => destination_ip

id.resp_p => destination_port

fuid

mime => file_mime_type

desc => file_description

proto => protocol

note => note

msg => msg

sub => sub_msg

src => source_ip

dst => destination_ip

p

n

peer_descr => peer_description

actions => action

suppress_for

dropped

destination_country_code

destination_region

destination_city

destination_latitude

destination_longitude

pe.log

type:bro_pe

/etc/logstash/conf.d/1128_preprocess_bro_pe.conf

ts => timestamp

fuid

machine

compile_ts

os

subsystem

is_exe

is_64bit

uses_aslr

uses_dep

uses_code_integrity

uses_seh

has_import_table

has_export_table

has_cert_table

has_debug_data

section_names

radius.log

type:bro_radius

/etc/logstash/conf.d/1127_preprocess_bro_radius.conf

ts => timestamp

uid

id.orig_h => source_ip

id.orig_p => source_port

id.resp_h => destination_ip

id.resp_p => destination_port

username => radius_username

mac

remote_ip

connect_info

result

logged

rdp.log

type:bro_rdp

/etc/logstash/conf.d/1110_preprocess_bro_rdp.conf

ts => timestamp

uid

id.orig_h => source_ip

id.orig_p => source_port

id.resp_h => destination_ip

id.resp_p => destination_port

cookie

result

security_protocol

keyboard_layout

client_build

client_name

client_dig_product_id => client_digital_product_id

desktop_width

desktop_height

requested_color_depth

cert_type => certificate_type

cert_count => certificate_count

cert_permanent => certificate_permanent

encryption_level

encryption_method

rfb.log

type:bro_rfb

/etc/logstash/conf.d/1129_preprocess_bro_rfb.conf

ts => timestamp

uid

id.orig_h => source_ip

id.orig_p => source_port

id.resp_h => destination_ip

id.resp_p => destination_port

client_major_version

client_minor_version

server_major_version

server_minor_version

authentication_method

auth

share_flag

desktop_name

width

height

signatures.log

type:bro_ssl

/etc/logstash/conf.d/1111_preprocess_bro_signatures.conf

ts => timestamp

uid

id.orig_h => source_ip

id.orig_p => source_port

id.resp_h => destination_ip

id.resp_p => destination_port

note

sig_id => signature_id

event_msg => event_message

sub_msg => sub_message

sig_count => signature_count

host_count

sip.log

type:bro_sip

/etc/logstash/conf.d/1126_preprocess_bro_sip.conf

ts => timestamp

uid

id.orig_h => source_ip

id.orig_p => source_port

id.resp_h => destination_ip

id.resp_p => destination_port

trans_depth

method

uri

date

request_from

request_to

response_from

response_to

reply_to

call_id

seq

subject

request_path

response_path

user_agent

status_code

status_msg

warning

request_body_len => request_body_length

response_body_len => response_body_length

content_type

smtp.log

type:bro_smtp

/etc/logstash/conf.d/1112_preprocess_bro_smtp.conf

ts => timestamp

uid

id.orig_h => source_ip

id.orig_p => source_port

id.resp_h => destination_ip

id.resp_p => destination_port

trans_depth

helo

mailfrom => mail_from

rcptto => recipient_to

date => mail_date

from

to

cc

reply_to

msg_id => message_id

in_reply_to

subject

x_originating_ip

first_received

second_received

last_reply

path

useragent => user_agent

tls

fuids

is_webmail

snmp.log

type:bro_snmp

/etc/logstash/conf.d/1113_preprocess_bro_snmp.conf

ts => timestamp

uid

id.orig_h => source_ip

id.orig_p => source_port

id.resp_h => destination_ip

id.resp_p => destination_port

duration

version

community

get_requests

get_bulk_requests

get_responses

set_requests => set_responses

display_string

up_since

socks.log

type:bro_socks

/etc/logstash/conf.d/1122_preprocess_bro_socks.conf

timestamp

uid

id.orig_h => source_ip

id.orig_p => source_port

id.resp_h => destination_ip

id.resp_p => destination_port

version

user

password

status => server_status

request

• => request_host

• => request_name

request_p => request_port

bound

• => bound_host

• => bound_name

bound_p => bound_port

software.log

type:bro_software

/etc/logstash/conf.d/1114_preprocess_bro_software.conf

ts => timestamp

host => source_ip

host_p => source_port

software_type

name

major => version_major

minor => version_minor

minor2 => version_minor2

minor3 => version_minor3

addl => version_additional_info

unparsed_version

ssh.log

type:bro_ssh

/etc/logstash/conf.d/1115_preprocess_bro_ssh.conf

ts => timestamp

uid

id.orig_h => source_ip

id.orig_p => source_port

id.resp_h => destination_ip

id.resp_p => destination_port

version

auth_success => authentication_success

auth_attempts => authentication_attempts

direction

client

server

cipher_alg => cipher_algorithm

mac_alg => mac_algorithm

compression_alg => compression_algorithm

kex_alg => kex_algorithm

host_key_alg => host_key_algorithm

host_key

destination_country_code

destination_region

destination_city

destination_latitude

destination_longitude

ssl.log

type:bro_ssl

/etc/logstash/conf.d/1116_preprocess_bro_ssl.conf

ts => timestamp

uid

id.orig_h => source_ip

id.orig_p => source_port

id.resp_h => destination_ip

id.resp_p => destination_port

version

cipher

curve

server_name

resumed

last_alert

next_protocol

established

cert_chain_fuids => certificate_chain_fuids

client_cert_chain_fuids => client_certificate_chain_fuids

subject => certificate_subject

CN => "certificate_common_name"
C => "certificate_country_code"
O => "certificate_organization"
OU => "certificate_organization_unit"
ST => "certificate_state"
SN => "certificate_surname"
L => "certificate_locality"
GN => "certificate_given_name"
pseudonym => "certificate_pseudonym"
serialNumber => "certificate_serial_number"
title => "certificate_title"
initials" => "certificate_initials"

certificate_issuer

CN => "issuer_common_name"
C => "issuer_country_code"
O => "issuer_organization"
OU => "issuer_organization_unit"
ST => "issuer_state"
SN => "issuer_surname"
L => "issuer_locality"
DC => "issuer_distinguished_name"
GN => "issuer_given_name"
pseudonym => "issuer_pseudonym"
serialNumber => "issuer_serial_number"
title => "issuer_title"
initials => "issuer_initials"

client_subject

client_issuer

validation_status

ja3 (if JA3 enabled)

syslog.log

type:bro_syslog

/etc/logstash/conf.d/1117_preprocess_bro_syslog.conf

ts => timestamp

uid

id.orig_h => source_ip

id.orig_p => source_port

id.resp_h => destination_ip

id.resp_p => destination_port

proto => protocol

facility

severity

message

tunnel.log

type:bro_tunnel

/etc/logstash/conf.d/1118_preprocess_bro_tunnel.conf

ts => timestamp

uid

id.orig_h => source_ip

id.orig_p => source_port

id.resp_h => destination_ip

id.resp_p => destination_port

tunnel_type

action

weird.log

type:bro_weird

/etc/logstash/conf.d/1119_preprocess_bro_weird.conf

ts => timestamp

uid

name

addl => additional_info

notice

peer

x509.log

type:bro_x509

/etc/logstash/conf.d/1123_preprocess_bro_x509.conf

ts => timestamp

id

certificate =>

• certificate_version

• certificate_serial

• certificate_subject

• certificate_issuer

• certificate_not_valid_before

• certificate_not_valid_after

• certificate_key_algorithm

• certificate_signing_algorithm

• certificate_key_type

• certificate_key_length

• certificate_exponent

• certificate_curve

san =>

• san_dns

• san_uri

• san_email

• san_ip

basic_constraints =>

• basic_constraints_ca

• basic_constraints_path_length

Pivot Fields

The following fields are formatted as a URL within Kibana, so we can easily pivot from them to the Indicator dashboard by clicking on them:

destination_ip

destination_port

file_ip

indicator

orig_fuids

query

resp_fuids

server_name

source_ip

source_port

uid

virtual_host