Stay organized with collections Save and categorize content based on your preferences.

Collect Zeek (Bro) logs

This document describes how you can deploy Zeek (formerly Bro) and NXLog with Chronicle to collect Zeek logs in JSON format. This document also explains how Zeek log fields map to Chronicle Unified Data Model (UDM) fields.

For an overview about Chronicle data ingestion, see Data ingestion to Chronicle.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the BRO_JSON ingestion label.

Before you begin

  • To understand the components deployed to collect Zeek logs, review the deployment architecture. Each customer deployment might differ from this representation and might be more complex. The following diagram shows how you can configure a NXLog agent and a Chronicle forwarder on a Linux server and forward log data to Chronicle.

    Deployment architecture

  • Verify the Zeek versions that the Chronicle parser supports. The Chronicle parser supports the following Zeek versions:

    • Zeek 4.1.0
    • Zeek 4.0.1
  • Before you use the Zeek (Bro) Gold parser, review the changes in field mappings between the default parser and Gold parser listed in this document. As part of the migration, ensure that the rules, searches, dashboards, or other processes that depend on the original fields use the updated fields.

    For example, in the default parser, the "server_name" field is mapped to the "target.hostname" UDM field. In the Zeek (Bro) Gold parser, the "server_name" field is mapped to the "network.tls.client.server_name" UDM field. If you migrate to Zeek (Bro) Gold parser and use "server_name" in your rules, you need to modify the rules to use the "network.tls.client.server_name" UDM field of the Gold parser.

  • Verify the Zeek log types that the Chronicle parser supports. The following table lists the Zeek log types that the Chronicle parser supports:

Log type Description
Network protocols Includes log files of network protocols, such as Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS).
Files Includes the following log files: File analysis results, Online Certificate Status Protocol (OCSP), Portable Executable (PE), and X.509 certificate.
NetControl Includes log files of NetControl actions and OpenFlow debug logs.
Detection Includes log files of intelligence data matches, Zeek notices, alarm stream, signature matches, and traceroute detection.
Network observations Includes log files of SSL certificates, hosts that have completed TCP handshakes, Modbus primary and replica, services running on hosts, and software used on the network.
  • If you have not done so already, install and configure Zeek. For more information, see Zeek installation.

  • Collect Zeek logs in JSON format. For more information, see Output Zeek logs to JSON.

  • Ensure that all systems in the deployment architecture are configured with the UTC time zone.

Configure NXLog and Chronicle forwarder

  1. Download and install NXLog Community Edition on the Linux machine on which Chronicle forwarder runs.
  2. Create a configuration file for each NXLog instance.
  3. Use the NXLog im_file module to read from the file and parse the lines into fields. Here is an example NXLog configuration:

    LogFile /var/log/nxlog/nxlog.log
    LogLevel INFO
    
    define ZEEK_OUTPUT_DESTINATION_ADDRESS <hostname>
    define ZEEK_OUTPUT_DESTINATION_PORT <port>
    
    <Input conn>
       Module      im_file
       File        '/opt/zeek/logs/current/conn.log'
       Exec $raw_event= "conn" + ' - ' + $raw_event;;
    </Input>
    
    <Input dce_rpc>
      Module      im_file
      File        '/opt/zeek/logs/current/dce_rpc.log'
      Exec $raw_event= "dce_rpc" + ' - ' + $raw_event;;
    </Input>
    
    <Output out_chronicle>
      Module  om_tcp
      Host    %ZEEK_OUTPUT_DESTINATION_ADDRESS%
      Port    %ZEEK_OUTPUT_DESTINATION_PORT%
    </Output>
    
    <Route zeek_to_chronicle>
      Path conn, dce_rpc => out_chronicle
    </Route>
    
    

    To use the preceding example configuration, do the following:

    • Replace <hostname> and <port> values with information about the destination Linux server.
    • Add input, output, and route elements for each Zeek log type that you want to collect.
  4. Configure Chronicle forwarder to send logs to Chronicle. For more information, see Installing and configuring the forwarder on Linux. Here is an example forwarder configuration.

      - syslog:
          common:
            enabled: true
            data_type: BRO_JSON
            batch_n_seconds: 10
            batch_n_bytes: 1048576
          tcp_address: 0.0.0.0:10518
          connection_timeout_sec: 60
    
  5. Start the NXLog service.

Field mapping reference: Zeek logs fields to UDM fields

To understand how the Chronicle parser maps Zeek log fields to Chronicle UDM event fields for each Zeek log type, refer to the following sections:

Network protocols

The following table lists the log fields of the network protocols log type and their corresponding UDM fields.

Original log field Log type UDM field
ts conn.log metadata.event_timestamp
uid conn.log network.session_id
id.orig_h conn.log principal.ip
id.orig_p conn.log principal.port
id.resp_h conn.log target.ip
id.resp_p conn.log target.port
proto conn.log network.ip_protocol
service conn.log In case of exact match, service is mapped to network.application_protocol. In case of multiple values, service is mapped to additional.fields.key/value.
duration conn.log network.session_duration
orig_bytes conn.log network.sent_bytes
resp_bytes conn.log network.received_bytes
conn_state conn.log metadata.description
local_orig conn.log additional.fields.key/value
local_resp conn.log additional.fields.key/value
missed_bytes conn.log additional.fields.key/value
history conn.log additional.fields.key/value
orig_pkts conn.log additional.fields.key/value
orig_ip_bytes conn.log additional.fields.key/value
resp_pkts conn.log additional.fields.key/value
resp_ip_bytes conn.log additional.fields.key/value
tunnel_parents conn.log additional.fields.key/value
orig_l2_addr conn.log additional.fields.key/value
resp_l2_addr conn.log additional.fields.key/value
vlan conn.log additional.fields.key/value
inner_vlan conn.log additional.fields.key/value
speculative_service conn.log additional.fields.key/value
ts dce_rpc.log metadata.event_timestamp
uid dce_rpc.log network.session_id
id.orig_h dce_rpc.log principal.ip
id.orig_p dce_rpc.log principal.port
id.resp_h dce_rpc.log target.ip
id.resp_p dce_rpc.log target.port
rtt dce_rpc.log additional.fields.key/value
named_pipe dce_rpc.log target.resource.name

Also, target.resource.resource_type is set to "PIPE".

endpoint dce_rpc.log additional.fields.key/value
operation dce_rpc.log additional.fields.key/value
ts dhcp.log metadata.event_timestamp
uids dhcp.log additional.fields.key/value
client_addr dhcp.log target.ip
server_addr dhcp.log principal.ip
client_port dhcp.log target.port
server_port dhcp.log principal.port
mac dhcp.log principal.mac

Machine ID is required for parsing NETWORK_DHCP events.

host_name dhcp.log network.dhcp.client_hostname
client_fqdn dhcp.log target.hostname
domain dhcp.log target.administrative_domain
requested_addr dhcp.log network.dhcp.requested_address
assigned_addr dhcp.log network.dhcp.yiaddr
lease_time dhcp.log network.dhcp.lease_time_seconds
client_message dhcp.log additional.fields.key/value
server_message dhcp.log additional.fields.key/value
msg_types dhcp.log additional.fields.key/value

The log that Zeek produces is a collection of DORA messages in a single log.

duration dhcp.log network.dhcp.seconds
client_chaddr dhcp.log network.dhcp.chaddr
msg_orig dhcp.log additional.fields.key/value
client_software dhcp.log additional.fields.key/value
server_software dhcp.log additional.fields.key/value
circuit_id dhcp.log additional.fields.key/value
agent_remote_id dhcp.log additional.fields.key/value
subscriber_id dhcp.log additional.fields.key/value
ts dnp3.log metadata.event_timestamp
uid dnp3.log network.session_id
id.orig_h dnp3.log principal.ip
id.orig_p dnp3.log principal.port
id.resp_h dnp3.log target.ip
id.resp_p dnp3.log target.port
fc_request dnp3.log additional.fields.key/value
fc_reply dnp3.log additional.fields.key/value
iin dnp3.log additional.fields.key/value
ts dns.log metadata.event_timestamp
uid dns.log network.session_id
id.orig_h dns.log principal.ip
id.orig_p dns.log principal.port
id.resp_h dns.log target.ip
id.resp_p dns.log target.port
proto dns.log network.ip_protocol
trans_id dns.log network.dns.id
rtt dns.log additional.fields.key/value
query dns.log network.dns.questions.name
qclass dns.log network.dns.questions.class
qclass_name dns.log additional.fields.key/value
qtype dns.log network.dns.questions.type
qtype_name dns.log additional.fields.key/value
rcode dns.log network,dns.response_code
rcode_name dns.log additional.fields.key/value
AA dns.log network.dns.authoritative
TC dns.log network.dns.truncated
RD dns.log network.dns.recursion_desired
RA dns.log network.dns.recursion_available
Z dns.log additional.fields.key/value
answers dns.log network.dns.answers.data
TTLs dns.log network.dns.answers.ttl
rejected dns.log additional.fields.key/value
total_answers dns.log additional.fields.key/value
total_replies dns.log additional.fields.key/value
saw_query dns.log additional.fields.key/value
saw_reply dns.log additional.fields.key/value
auth dns.log network.dns.authority.data
addl dns.log network.dns.additional.data
original_query dns.log additional.fields.key/value
ts ftp.log metadata.event_timestamp
uid ftp.log network.session_id
id.orig_h ftp.log principal.ip
id.orig_p ftp.log principal.port
id.resp_h ftp.log target.ip
id.resp_p ftp.log target.port
user ftp.log principal.user.userid
command ftp.log network.ftp.command
arg ftp.log additional.fields.key/value
mime_type ftp.log src.file.mime_type
file_size ftp.log src.file.size
reply_code ftp.log additional.fields.key/value
reply_msg ftp.log additional.fields.key/value
data_channel.passive ftp.log additional.fields.key/value
data_channel.orig_h ftp.log additional.fields.key/value
data_channel.resp_h ftp.log additional.fields.key/value
data_channel.resp_p ftp.log additional.fields.key/value
cwd ftp.log src.file.full_path
cmdarg.ts ftp.log additional.fields.key/value
cmdarg.cmd ftp.log additional.fields.key/value
cmdarg.arg ftp.log additional.fields.key/value
cmdarg.seq ftp.log additional.fields.key/value
pending_commands ftp.log additional.fields.key/value
passive ftp.log additional.fields.key/value
capture_password ftp.log additional.fields.key/value
fuid ftp.log additional.fields.key/value
last_auth_requested ftp.log additional.fields.key/value
ts http.log metadata.event_timestamp
uid http.log network.session_id
id.orig_h http.log principal.ip
id.orig_p http.log principal.port
id.resp_h http.log target.ip
id.resp_p http.log target.port
trans_depth http.log additional.fields.key/value
method http.log network.http.method
host http.log target.hostname
uri http.log target.url is set to "%{host}%{uri}"
referrer http.log network.http.referral_url
version http.log additional.fields.key/value
user_agent http.log network.http.user_agent
origin http.log additional.fields.key/value
request_body_len http.log additional.fields.key/value
response_body_len http.log additional.fields.key/value
status_code http.log network.http.response_code
status_msg http.log additional.fields.key/value
info_code http.log additional.fields.key/value
info_msg http.log additional.fields.key/value
tags http.log additional.fields.key/value
username http.log principal.user.userid
capture_password http.log additional.fields.key/value
proxied http.log additional.fields.key/value
range_request http.log additional.fields.key/value
orig_fuids http.log additional.fields.key/value
orig_filenames http.log additional.fields.key/value
orig_mime_types http.log additional.fields.key/value
resp_fuids http.log additional.fields.key/value
resp_filenames http.log additional.fields.key/value
resp_mime_types http.log additional.fields.key/value
current_entity http.log additional.fields.key/value
orig_mime_depth http.log additional.fields.key/value
resp_mime_depth http.log additional.fields.key/value
client_header_names http.log additional.fields.key/value
server_header_names http.log additional.fields.key/value
omniture http.log additional.fields.key/value
flash_version http.log additional.fields.key/value
cookie_vars http.log additional.fields.key/value
uri_vars http.log additional.fields.key/value
ts irc.log metadata.event_timestamp
uid irc.log network.session_id
id.orig_h irc.log principal.ip
id.orig_p irc.log principal.port
id.resp_h irc.log target.ip
id.resp_p irc.log target.port
nick irc.log additional.fields.key/value
user irc.log principal.user.userid
command irc.log principal.process.command_line
value irc.log additional.fields.key/value
addl irc.log additional.fields.key/value
dcc_file_name irc.log additional.fields.key/value
dcc_file_size irc.log src.file.size
dcc_mime_type irc.log src.file.mime_type
fuid irc.log additional.fields.key/value
ts kerberos.log metadata.event_timestamp
uid kerberos.log network.session_id
id.orig_h kerberos.log principal.ip
id.orig_p kerberos.log principal.port
id.resp_h kerberos.log target.ip
id.resp_p kerberos.log target.port
request_type kerberos.log additional.fields.key/value
client kerberos.log additional.fields.key/value
service kerberos.log additional.fields.key/value
success kerberos.log additional.fields.key/value
error_code kerberos.log additional.fields.key/value
error_msg kerberos.log metadata.description is set to "KERBEROS: %{error_msg}"
from kerberos.log additional.fields.key/value
till kerberos.log additional.fields.key/value
cipher kerberos.log network.tls.cipher
forwardable kerberos.log additional.fields.key/value
renewable kerberos.log additional.fields.key/value
logged kerberos.log additional.fields.key/value
client_cert.ts kerberos.log additional.fields.key/value
client_cert.fuid kerberos.log additional.fields.key/value
client_cert.tx_hosts kerberos.log additional.fields.key/value
client_cert.rx_hosts kerberos.log additional.fields.key/value
client_cert.conn_uids kerberos.log additional.fields.key/value
client_cert.source kerberos.log additional.fields.key/value
client_cert.depth kerberos.log additional.fields.key/value
client_cert.analyzers kerberos.log additional.fields.key/value
client_cert.mime_type kerberos.log additional.fields.key/value
client_cert.filename kerberos.log additional.fields.key/value
client_cert.duration kerberos.log additional.fields.key/value
client_cert.local_orig kerberos.log additional.fields.key/value
client_cert.is_orig kerberos.log additional.fields.key/value
client_cert.seen_bytes kerberos.log additional.fields.key/value
client_cert.total_bytes kerberos.log additional.fields.key/value
client_cert.missing_bytes kerberos.log additional.fields.key/value
client_cert.overflow_bytes kerberos.log additional.fields.key/value
client_cert.timedout kerberos.log additional.fields.key/value
client_cert.parent_fuid kerberos.log additional.fields.key/value
client_cert.md5 kerberos.log network.tls.client.certificate.md5
client_cert.sha1 kerberos.log network.tls.client.certificate.sha1
client_cert.sha256 kerberos.log network.tls.client.certificate.sha256
client_cert.x509.ts kerberos.log additional.fields.key/value
client_cert.x509.fingerprint kerberos.log additional.fields.key/value
client_cert.x509.certificate.version kerberos.log network.tls.client.certificate.version
client_cert.x509.certificate.serial kerberos.log network.tls.client.certificate.serial
client_cert.x509.certificate.subject kerberos.log additional.fields.key/value
client_cert.x509.certificate.issuer kerberos.log network.tls.client.certificate.issuer
client_cert.x509.certificate.cn kerberos.log additional.fields.key/value
client_cert.x509.certificate.not_valid_before kerberos.log additional.fields.key/value
client_cert.x509.certificate.not_valid_after kerberos.log additional.fields.key/value
client_cert.x509.certificate.key_alg kerberos.log additional.fields.key/value
client_cert.x509.certificate.sig_alg kerberos.log additional.fields.key/value
client_cert.x509.certificate.key_type kerberos.log additional.fields.key/value
client_cert.x509.certificate.key_length kerberos.log additional.fields.key/value
client_cert.x509.certificate.exponent kerberos.log additional.fields.key/value
client_cert.x509.certificate.curve kerberos.log additional.fields.key/value
client_cert.x509.handle kerberos.log additional.fields.key/value
client_cert.x509.extensions.name kerberos.log additional.fields.key/value
client_cert.x509.extensions.short_name kerberos.log additional.fields.key/value
client_cert.x509.extensions.oid kerberos.log additional.fields.key/value
client_cert.x509.extensions.critical kerberos.log additional.fields.key/value
client_cert.x509.extensions.value kerberos.log additional.fields.key/value
client_cert.x509.san.dns kerberos.log additional.fields.key/value
client_cert.x509.san.uri kerberos.log additional.fields.key/value
client_cert.x509.san.email kerberos.log additional.fields.key/value
client_cert.x509.san.ip kerberos.log additional.fields.key/value
client_cert.x509.san.other_fields kerberos.log additional.fields.key/value
client_cert.x509.basic_constraints.ca kerberos.log additional.fields.key/value
client_cert.x509.basic_constraints.path_len kerberos.log additional.fields.key/value
client_cert.x509.extensions_cache kerberos.log additional.fields.key/value
client_cert.x509.host_cert kerberos.log additional.fields.key/value
client_cert.x509.client_cert kerberos.log additional.fields.key/value
client_cert.x509.deduplication_index.fingerprint kerberos.log additional.fields.key/value
client_cert.x509.deduplication_index.host_cert kerberos.log additional.fields.key/value
client_cert.x509.deduplication_index.client_cert kerberos.log additional.fields.key/value
client_cert.x509.always_raise_x509_events kerberos.log additional.fields.key/value
client_cert.x509.cert kerberos.log additional.fields.key/value
client_cert.extracted kerberos.log additional.fields.key/value
client_cert.extracted_cutoff kerberos.log additional.fields.key/value
client_cert.extracted_size kerberos.log additional.fields.key/value
client_cert.entropy kerberos.log additional.fields.key/value
client_cert_subject kerberos.log network.tls.client.certificate.subject
client_cert_fuid kerberos.log additional.fields.key/value
server_cert.ts kerberos.log additional.fields.key/value
server_cert.fuid kerberos.log additional.fields.key/value
server_cert.tx_hosts kerberos.log additional.fields.key/value
server_cert.rx_hosts kerberos.log additional.fields.key/value
server_cert.conn_uids kerberos.log additional.fields.key/value
server_cert.source kerberos.log additional.fields.key/value
server_cert.depth kerberos.log additional.fields.key/value
server_cert.analyzers kerberos.log additional.fields.key/value
server_cert.mime_type kerberos.log additional.fields.key/value
server_cert.filename kerberos.log additional.fields.key/value
server_cert.duration kerberos.log additional.fields.key/value
server_cert.local_orig kerberos.log additional.fields.key/value
server_cert.is_orig kerberos.log additional.fields.key/value
server_cert.seen_bytes kerberos.log additional.fields.key/value
server_cert.total_bytes kerberos.log additional.fields.key/value
server_cert.missing_bytes kerberos.log additional.fields.key/value
server_cert.overflow_bytes kerberos.log additional.fields.key/value
server_cert.timedout kerberos.log additional.fields.key/value
server_cert.parent_fuid kerberos.log additional.fields.key/value
server_cert.md5 kerberos.log network.tls.server.certificate.md5
server_cert.sha1 kerberos.log network.tls.server.certificate.sha1
server_cert.sha256 kerberos.log network.tls.server.certificate.sha256
server_cert.x509.ts kerberos.log additional.fields.key/value
server_cert.x509.fingerprint kerberos.log additional.fields.key/value
server_cert.x509.certificate.version kerberos.log network.tls.server.certificate.version
server_cert.x509.certificate.serial kerberos.log network.tls.server.certificate.serial
server_cert.x509.certificate.subject kerberos.log additional.fields.key/value
server_cert.x509.certificate.issuer kerberos.log network.tls.server.certificate.issuer
server_cert.x509.certificate.cn kerberos.log additional.fields.key/value
server_cert.x509.certificate.not_valid_before kerberos.log additional.fields.key/value
server_cert.x509.certificate.not_valid_after kerberos.log additional.fields.key/value
server_cert.x509.certificate.key_alg kerberos.log additional.fields.key/value
server_cert.x509.certificate.sig_alg kerberos.log additional.fields.key/value
server_cert.x509.certificate.key_type kerberos.log additional.fields.key/value
server_cert.x509.certificate.key_length kerberos.log additional.fields.key/value
server_cert.x509.certificate.exponent kerberos.log additional.fields.key/value
server_cert.x509.certificate.curve kerberos.log additional.fields.key/value
server_cert.x509.handle kerberos.log additional.fields.key/value
server_cert.x509.extensions.name kerberos.log additional.fields.key/value
server_cert.x509.extensions.short_name kerberos.log additional.fields.key/value
server_cert.x509.extensions.oid kerberos.log additional.fields.key/value
server_cert.x509.extensions.critical kerberos.log additional.fields.key/value
server_cert.x509.extensions.value kerberos.log additional.fields.key/value
server_cert.x509.san.dns kerberos.log additional.fields.key/value
server_cert.x509.san.uri kerberos.log additional.fields.key/value
server_cert.x509.san.email kerberos.log additional.fields.key/value
server_cert.x509.san.ip kerberos.log additional.fields.key/value
server_cert.x509.san.other_fields kerberos.log additional.fields.key/value
server_cert.x509.basic_constraints.ca kerberos.log additional.fields.key/value
server_cert.x509.basic_constraints.path_len kerberos.log additional.fields.key/value
server_cert.x509.extensions_cache kerberos.log additional.fields.key/value
server_cert.x509.host_cert kerberos.log additional.fields.key/value
server_cert.x509.client_cert kerberos.log additional.fields.key/value
server_cert.x509.deduplication_index.fingerprint kerberos.log additional.fields.key/value
server_cert.x509.deduplication_index.host_cert kerberos.log additional.fields.key/value
server_cert.x509.deduplication_index.client_cert kerberos.log additional.fields.key/value
server_cert.x509.always_raise_x509_events kerberos.log additional.fields.key/value
server_cert.x509.cert kerberos.log additional.fields.key/value
server_cert.extracted kerberos.log additional.fields.key/value
server_cert.extracted_cutoff kerberos.log additional.fields.key/value
server_cert.extracted_size kerberos.log additional.fields.key/value
server_cert.entropy kerberos.log additional.fields.key/value
server_cert_subject kerberos.log network.tls.server.certificate.subject
server_cert_fuid kerberos.log additional.fields.key/value
auth_ticket kerberos.log additional.fields.key/value
new_ticket kerberos.log additional.fields.key/value
ts modbus.log metadata.event_timestamp
uid modbus.log network.session_id
id.orig_h modbus.log principal.ip
id.orig_p modbus.log principal.port
id.resp_h modbus.log target.ip
id.resp_p modbus.log target.port
func modbus.log additional.fields.key/value
exception modbus.log additional.fields.key/value
track_address modbus.log additional.fields.key/value
ts modbus_register_change.log metadata.event_timestamp
uid modbus_register_change.log network.session_id
id.orig_h modbus_register_change.log principal.ip
id.orig_p modbus_register_change.log principal.port
id.resp_h modbus_register_change.log target.ip
id.resp_p modbus_register_change.log target.port
register modbus_register_change.log additional.fields.key/value
old_val modbus_register_change.log additional.fields.key/value
new_val modbus_register_change.log additional.fields.key/value
delta modbus_register_change.log additional.fields.key/value
ts mysql.log metadata.event_timestamp
uid mysql.log network.session_id
id.orig_h mysql.log principal.ip
id.orig_p mysql.log principal.port
id.resp_h mysql.log target.ip
id.resp_p mysql.log target.port
cmd mysql.log metadata.description
arg mysql.log principal.process.command_line
success mysql.log

If the value of success is "T" or "true," security_result.action is set to "ALLOW" and security_result.summary is set to "Query successfully executed."

If the value of success is not "T" or "true," security_result.action is set to "BLOCK" and security_result.summary is set to "Query execution failed."

rows mysql.log security_result.description is set to "Affected rows: %{rows}". If the log type is "mysql.log", the additional field security_result.severity is set to "INFORMATIONAL".
response mysql.log additional.fields.key/value
ts ntlm.log metadata.event_timestamp
uid ntlm.log network.session_id
id.orig_h ntlm.log principal.ip
id.orig_p ntlm.log principal.port
id.resp_h ntlm.log target.ip
id.resp_p ntlm.log target.port
username ntlm.log principal.user.userid
hostname ntlm.log principal.hostname
domainname ntlm.log principal.administrative_domain
server_nb_computer_name ntlm.log additional.fields.key/value
server_dns_computer_name ntlm.log target.hostname
server_tree_name ntlm.log additional.fields.key/value
success ntlm.log

If the value of success is "T" or "true", security_result.action is set to "ALLOW" and security_result.summary is set to "Query successfully executed".

If the value of success is not "T" or "true", security_result.action is set to "BLOCK" and security_result.summary is set to "Query execution failed".

done ntlm.log additional.fields.key/value
ts ntp.log metadata.event_timestamp
uid ntp.log network.session_id
id.orig_h ntp.log principal.ip
id.orig_p ntp.log principal.port
id.resp_h ntp.log target.ip
id.resp_p ntp.log target.port
version ntp.log additional.fields.key/value
mode ntp.log additional.fields.key/value
stratum ntp.log additional.fields.key/value
poll ntp.log additional.fields.key/value
precision ntp.log additional.fields.key/value
root_delay ntp.log additional.fields.key/value
root_disp ntp.log additional.fields.key/value
ref_id ntp.log additional.fields.key/value
ref_time ntp.log additional.fields.key/value
org_time ntp.log additional.fields.key/value
rec_time ntp.log additional.fields.key/value
xmt_time ntp.log additional.fields.key/value
num_exts ntp.log additional.fields.key/value
ts radius.log metadata.event_timestamp
uid radius.log network.session_id
id.orig_h radius.log principal.ip
id.orig_p radius.log principal.port
id.resp_h radius.log target.ip
id.resp_p radius.log target.port
username radius.log principal.user.userid
mac radius.log principal.mac
framed_addr radius.log additional.fields.key/value
tunnel_client radius.log additional.fields.key/value
connect_info radius.log additional.fields.key/value
reply_msg radius.log additional.fields.key/value
result radius.log If the log type is "radius.log", the following fields are set:
  • extensions.auth.type is set to "MACHINE".
  • metadata.description is set to "RADIUS authentication attempts %{result}".
  • security_result.action
  • security_result.summary
  • If the value of the "result" field is "success", security_result.action is set to "ALLOW" and security_result.summary is set to "User login successful".

    If the value of "result" field is "failed", security_result.action is set to "BLOCK" and security_result.summary is set to "User login failed".

    ttl radius.log additional.fields.key/value
    logged radius.log additional.fields.key/value
    ts rdp.log metadata.event_timestamp
    uid rdp.log network.session_id
    id.orig_h rdp.log principal.ip
    id.orig_p rdp.log principal.port
    id.resp_h rdp.log target.ip
    id.resp_p rdp.log target.port
    cookie rdp.log principal.user.userid
    result rdp.log security_result.severity is set to "INFORMATIONAL". security_result.description is set to "%{result} connection with security protocol %{security_protocol}".
    security_protocol rdp.log security_result.description is set to "%{result} connection with security protocol %{security_protocol}".
    client_channels rdp.log additional.fields.key/value
    keyboard_layout rdp.log additional.fields.key/value
    client_build rdp.log principal.asset.platform_software.platform_version
    client_name rdp.log additional.fields.key/value
    client_dig_product_id rdp.log principal.asset.asset_id
    desktop_width rdp.log additional.fields.key/value
    desktop_height rdp.log additional.fields.key/value
    requested_color_depth rdp.log additional.fields.key/value
    cert_type rdp.log additional.fields.key/value
    cert_count rdp.log additional.fields.key/value
    cert_permanent rdp.log additional.fields.key/value
    encryption_level rdp.log additional.fields.key/value
    encryption_method rdp.log additional.fields.key/value
    analyzer_id rdp.log additional.fields.key/value
    done rdp.log additional.fields.key/value
    ssl rdp.log additional.fields.key/value
    ts rfb.log metadata.event_timestamp
    uid rfb.log network.session_id
    id.orig_h rfb.log principal.ip
    id.orig_p rfb.log principal.port
    id.resp_h rfb.log target.ip
    id.resp_p rfb.log target.port
    client_major_version rfb.log additional.fields.key/value
    client_minor_version rfb.log additional.fields.key/value
    server_major_version rfb.log additional.fields.key/value
    server_minor_version rfb.log additional.fields.key/value
    authentication_method rfb.log additional.fields.key/value
    auth rfb.log additional.fields.key/value
    share_flag rfb.log additional.fields.key/value
    desktop_name rfb.log target.asset.hostname
    width rfb.log additional.fields.key/value
    height rfb.log additional.fields.key/value
    done rfb.log additional.fields.key/value
    ts sip.log metadata.event_timestamp
    uid sip.log network.session_id

    Also, network.application_protocol is set to "SIP".

    id.orig_h sip.log principal.ip
    id.orig_p sip.log principal.port
    id.resp_h sip.log target.ip
    id.resp_p sip.log target.port
    trans_depth sip.log additional.fields.key/value
    method sip.log metadata.description
    uri sip.log about.url
    date sip.log additional.fields.key/value
    request_from sip.log principal.user.userid and principal.user.user_display_name
    request_to sip.log target.user.userid and target.user.user_display_name
    response_from sip.log additional.fields.key/value
    response_to sip.log additional.fields.key/value
    reply_to sip.log additional.fields.key/value
    call_id sip.log network.session_id
    seq sip.log additional.fields.key/value
    subject sip.log additional.fields.key/value
    request_path sip.log additional.fields.key/value
    response_path sip.log additional.fields.key/value
    user_agent sip.log additional.fields.key/value
    status_code sip.log security_result.summary is set to "Status Code: %{status_code}".
    status_msg sip.log security_result.description
    warning sip.log additional.fields.key/value
    request_body_len sip.log network.sent_bytes
    response_body_len sip.log network.received_bytes
    content_type sip.log additional.fields.key/value
    ts smb_cmd.log metadata.event_timestamp
    uid smb_cmd.log network.session_id
    id.orig_h smb_cmd.log principal.ip
    id.orig_p smb_cmd.log principal.port
    id.resp_h smb_cmd.log target.ip
    id.resp_p smb_cmd.log target.port
    command smb_cmd.log principal.process.command_line
    sub_command smb_cmd.log additional.fields.key/value
    argument smb_cmd.log additional.fields.key/value
    status smb_cmd.log additional.fields.key/value
    rtt smb_cmd.log additional.fields.key/value
    version smb_cmd.log metadata.product_version
    username smb_cmd.log principal.user.userid
    tree smb_cmd.log additional.fields.key/value
    tree_service smb_cmd.log additional.fields.key/value
    smb1_offered_dialects smb_cmd.log additional.fields.key/value
    smb2_offered_dialects smb_cmd.log additional.fields.key/value
    ts smb_files.log metadata.event_timestamp
    uid smb_files.log network.session_id
    id.orig_h smb_files.log principal.ip
    id.orig_p smb_files.log principal.port
    id.resp_h smb_files.log target.ip
    id.resp_p smb_files.log target.port
    fuid smb_files.log additional.fields.key/value
    action smb_files.log metadata.description is set to "action: %{action} on: %{name}".
    path smb_files.log target.file.full_path
    name smb_files.log additional.fields.key/value
    size smb_files.log target.file.size
    prev_name smb_files.log additional.fields.key/value
    times.modified smb_files.log additional.fields.key/value
    times.modified_raw smb_files.log additional.fields.key/value
    times.accessed smb_files.log additional.fields.key/value
    times.accessed_raw smb_files.log additional.fields.key/value
    times.created smb_files.log additional.fields.key/value
    times.created_raw smb_files.log additional.fields.key/value
    times.changed smb_files.log additional.fields.key/value
    times.changed_raw smb_files.log additional.fields.key/value
    fid smb_files.log additional.fields.key/value
    uuid smb_files.log additional.fields.key/value
    ts smb_mapping.log metadata.event_timestamp
    uid smb_mapping.log network.session_id
    id.orig_h smb_mapping.log principal.ip
    id.orig_p smb_mapping.log principal.port
    id.resp_h smb_mapping.log target.ip
    id.resp_p smb_mapping.log target.port
    path smb_mapping.log target.file.full_path
    service smb_mapping.log target.application
    native_file_system smb_mapping.log additional.fields.key/value
    share_type smb_mapping.log target.resource.resource_type
    ts smtp.log metadata.event_timestamp
    uid smtp.log network.session_id
    id.orig_h smtp.log principal.ip
    id.orig_p smtp.log principal.port
    id.resp_h smtp.log target.ip
    id.resp_p smtp.log target.port
    trans_depth smtp.log additional.fields.key/value
    helo smtp.log additional.fields.key/value
    mailfrom smtp.log additional.fields.key/value
    rcptto smtp.log additional.fields.key/value
    date smtp.log additional.fields.key/value
    from smtp.log network.email.from
    to smtp.log email.to
    cc smtp.log network.email.cc
    reply_to smtp.log email.reply_to
    msg_id smtp.log email.mail_id
    in_reply_to smtp.log additional.fields.key/value
    subject smtp.log email.subject
    x_originating_ip smtp.log additional.fields.key/value
    first_received smtp.log additional.fields.key/value
    second_received smtp.log additional.fields.key/value
    last_reply smtp.log additional.fields.key/value
    path smtp.log additional.fields.key/value
    user_agent smtp.log additional.fields.key/value
    tls smtp.log network.tls.established
    process_received_from smtp.log additional.fields.key/value
    has_client_activity smtp.log additional.fields.key/value
    process_smtp_headers smtp.log additional.fields.key/value
    entity.filename smtp.log additional.fields.key/value
    entity.excerpt smtp.log additional.fields.key/value
    fuids smtp.log additional.fields.key/value
    is_webmail smtp.log additional.fields.key/value
    ts snmp.log metadata.event_timestamp
    uid snmp.log network.session_id
    id.orig_h snmp.log principal.ip
    id.orig_p snmp.log principal.port
    id.resp_h snmp.log target.ip
    id.resp_p snmp.log target.port
    duration snmp.log network.session_duration
    version snmp.log metadata.product_version
    community snmp.log network.community_id
    get_requests snmp.log additional.fields.key/value
    get_bulk_requests snmp.log additional.fields.key/value
    get_responses snmp.log additional.fields.key/value
    set_requests snmp.log additional.fields.key/value
    display_string snmp.log metadata.description
    up_since snmp.log additional.fields.key/value
    ts socks.log metadata.event_timestamp
    uid socks.log network.session_id
    id.orig_h socks.log principal.ip
    id.orig_p socks.log principal.port
    id.resp_h socks.log target.ip
    id.resp_p socks.log target.port
    version socks.log additional.fields.key/value
    user socks.log principal.user.userid
    status socks.log additional.fields.key/value
    request.host socks.log principal.hostname
    request.name socks.log additional.fields.key/value
    request_p socks.log additional.fields.key/value
    bound.host socks.log additional.fields.key/value
    bound.name socks.log additional.fields.key/value
    bound_p socks.log additional.fields.key/value
    capture_password socks.log additional.fields.key/value
    ts ssh.log metadata.event_timestamp
    uid ssh.log network.session_id
    id.orig_h ssh.log principal.ip
    id.orig_p ssh.log principal.port
    id.resp_h ssh.log target.ip
    id.resp_p ssh.log target.port
    version ssh.log metadata.product_version
    auth_success ssh.log additional.fields.key/value
    auth_attempts ssh.log security_result.description is set to "%{auth_attempts} successful SSH authentication attempts were observed".
    direction ssh.log network.direction
    client ssh.log principal.platform_version
    server ssh.log target.platform_version
    cipher_alg ssh.log additional.fields.key/value
    mac_alg ssh.log additional.fields.key/value
    compression_alg ssh.log additional.fields.key/value
    kex_alg ssh.log additional.fields.key/value
    host_key_alg ssh.log additional.fields.key/value
    host_key ssh.log additional.fields.key/value
    logged ssh.log additional.fields.key/value
    capabilities.kex_algorithms ssh.log additional.fields.key/value
    capabilities.server_host_key_algorithms ssh.log additional.fields.key/value
    capabilities.encryption_algorithms ssh.log additional.fields.key/value
    capabilities.mac_algorithms ssh.log additional.fields.key/value
    capabilities.compression_algorithms ssh.log additional.fields.key/value
    capabilities.languages.client_to_server ssh.log additional.fields.key/value
    capabilities.languages.server_to_client ssh.log additional.fields.key/value
    capabilities.is_server ssh.log additional.fields.key/value
    analyzer_id ssh.log additional.fields.key/value
    remote_location.country_code ssh.log additional.fields.key/value
    remote_location.region ssh.log target.asset.location.country_or_region
    remote_location.city ssh.log target.asset.location.city
    remote_location.latitude ssh.log additional.fields.key/value
    remote_location.longitude ssh.log additional.fields.key/value
    ts ssl.log metadata.event_timestamp
    uid ssl.log metadata.product_log_id
    id.orig_h ssl.log principal.ip
    id.orig_p ssl.log principal.port
    id.resp_h ssl.log target.ip
    id.resp_p ssl.log target.port
    version_num ssl.log additional.fields.key/value
    version ssl.log network.tls.version
    cipher ssl.log network.tls.cipher
    curve ssl.log network.tls.curve
    server_name ssl.log network.tls.client.server_name
    session_id ssl.log network.session_id
    resumed ssl.log network.tls.resumed
    client_ticket_empty_session_seen ssl.log additional.fields.key/value
    client_key_exchange_seen ssl.log additional.fields.key/value
    client_psk_seen ssl.log additional.fields.key/value
    last_alert ssl.log additional.fields.key/value
    next_protocol ssl.log network.tls.next_protocol
    analyzer_id ssl.log additional.fields.key/value
    established ssl.log network.tls.established
    logged ssl.log additional.fields.key/value
    ssl_history ssl.log additional.fields.key/value
    cert_chain_fps ssl.log additional.fields.key/value
    client_cert_chain_fps ssl.log additional.fields.key/value
    subject ssl.log network.tls.server.certificate.subject
    issuer ssl.log network.tls.server.certificate.issuer
    client_subject ssl.log network.tls.client.certificate.subject
    client_issuer ssl.log network.tls.client.certificate.issuer
    sni_matches_cert ssl.log additional.fields.key/value
    server_depth ssl.log additional.fields.key/value
    client_depth ssl.log additional.fields.key/value
    always_raise_x509_events ssl.log additional.fields.key/value
    last_originator_heartbeat_request_size ssl.log additional.fields.key/value
    last_responder_heartbeat_request_size ssl.log additional.fields.key/value
    originator_heartbeats ssl.log additional.fields.key/value
    responder_heartbeats ssl.log additional.fields.key/value
    heartbleed_detected ssl.log additional.fields.key/value
    enc_appdata_packages ssl.log additional.fields.key/value
    enc_appdata_bytes ssl.log additional.fields.key/value
    server_version ssl.log additional.fields.key/value
    client_version ssl.log additional.fields.key/value
    client_ciphers ssl.log network.tls.client.supported_ciphers
    ssl_client_exts ssl.log additional.fields.key/value
    ssl_server_exts ssl.log additional.fields.key/value
    ticket_lifetime_hint ssl.log additional.fields.key/value
    dh_param_size ssl.log additional.fields.key/value
    point_formats ssl.log additional.fields.key/value
    client_curves ssl.log additional.fields.key/value
    orig_alpn ssl.log additional.fields.key/value
    client_supported_versions ssl.log additional.fields.key/value
    server_supported_version ssl.log additional.fields.key/value
    psk_key_exchange_modes ssl.log additional.fields.key/value
    client_key_share_groups ssl.log additional.fields.key/value
    server_key_share_group ssl.log additional.fields.key/value
    client_comp_methods ssl.log additional.fields.key/value
    comp_method ssl.log additional.fields.key/value
    sigalgs ssl.log additional.fields.key/value
    hashalgs ssl.log additional.fields.key/value
    validation_status ssl.log additional.fields.key/value
    validation_code ssl.log additional.fields.key/value
    valid_chain ssl.log additional.fields.key/value
    ocsp_status ssl.log additional.fields.key/value
    ocsp_response ssl.log additional.fields.key/value
    valid_scts ssl.log additional.fields.key/value
    invalid_scts ssl.log additional.fields.key/value
    valid_ct_logs ssl.log additional.fields.key/value
    valid_ct_operators ssl.log additional.fields.key/value
    valid_ct_operators_list ssl.log additional.fields.key/value
    ct_proofs ssl.log additional.fields.key/value
    notary.first_seen ssl.log additional.fields.key/value
    notary.last_seen ssl.log additional.fields.key/value
    notary.times_seen ssl.log additional.fields.key/value
    notary.valid ssl.log additional.fields.key/value
    ts syslog.log metadata.event_timestamp
    uid syslog.log network.session_id
    id.orig_h syslog.log principal.ip
    id.orig_p syslog.log principal.port
    id.resp_h syslog.log target.ip
    id.resp_p syslog.log target.port
    proto syslog.log network.ip_protocol
    facility syslog.log additional.fields.key/value
    severity syslog.log security_result.severity_details
    message syslog.log metadata.description
    ts tunnel.log metadata.event_timestamp
    uid tunnel.log network.session_id
    id.orig_h tunnel.log principal.ip
    id.orig_p tunnel.log principal.port
    id.resp_h tunnel.log target.ip
    id.resp_p tunnel.log target.port
    tunnel_type tunnel.log security_result.description is set to "action %{action} on tunnel type {tunnel_type}".
    action tunnel.log security_result.description is set to "action %{action} on tunnel type {tunnel_type}".

    Files

    The following table lists the log fields of the files log type and their corresponding UDM fields.

    Original log field Log type UDM field
    ts files.log metadata.event_timestamp
    fuid files.log metadata.product_log_id
    tx_hosts files.log principal.ip
    rx_hosts files.log target.ip
    conn_uids files.log additional.fields.key/value
    source files.log network.application_protocol

    target.file.full_path

    depth files.log additional.fields.key/value
    analyzers files.log additional.fields.key/value
    mime_type files.log target.file.mime_type
    filename files.log target.file.full_path
    duration files.log additional.fields.key/value
    local_orig files.log additional.fields.key/value
    is_orig files.log additional.fields.key/value
    seen_bytes files.log target.file.size
    total_bytes files.log additional.fields.key/value
    missing_bytes files.log additional.fields.key/value
    overflow_bytes files.log additional.fields.key/value
    timedout files.log additional.fields.key/value
    parent_fuid files.log additional.fields.key/value
    md5 files.log target.file.md5
    sha1 files.log target.file.sha1
    sha256 files.log target.file.sha256
    x509 files.log additional.fields.key/value

    This field is a nested field.

    extracted files.log additional.fields.key/value
    extracted_cutoff files.log additional.fields.key/value
    extracted_size files.log additional.fields.key/value
    entropy files.log additional.fields.key/value
    ts ocsp.log metadata.event_timestamp
    id ocsp.log metadata.product_log_id
    hashAlgorithm ocsp.log additional.fields.key/value
    issuerNameHash ocsp.log additional.fields.key/value
    issuerKeyHash ocsp.log additional.fields.key/value
    serialNumber ocsp.log tls.server.certificate.serial
    certStatus ocsp.log additional.fields.key/value
    revoketime ocsp.log network.tls.server.certificate.not_after
    revokereason ocsp.log security_result.summary
    thisUpdate ocsp.log additional.fields.key/value
    nextUpdate ocsp.log additional.fields.key/value
    ts pe.log metadata.event_timestamp
    id pe.log metadata.product_log_id
    machine pe.log target.resource.resource_subtype
    compile_ts pe.log additional.fields.key/value
    os pe.log target.platform_version

    target.resource.resource_type is set to "DEVICE".

    subsystem pe.log target.application
    is_exe pe.log additional.fields.key/value
    is_64bit pe.log additional.fields.key/value
    uses_aslr pe.log additional.fields.key/value
    uses_dep pe.log additional.fields.key/value
    uses_code_integrity pe.log additional.fields.key/value
    uses_seh pe.log additional.fields.key/value
    has_import_table pe.log additional.fields.key/value
    has_export_table pe.log additional.fields.key/value
    has_cert_table pe.log additional.fields.key/value
    has_debug_data pe.log additional.fields.key/value
    section_names pe.log additional.fields.key/value
    ts x509.log metadata.event_timestamp

    Also, target.application is set to "x509".

    fingerprint x509.log additional.fields.key/value
    certificate.version x509.log network.tls.server.certificate.version
    certificate.serial x509.log network.tls.server.certificate.serial
    certificate.subject x509.log network.tls.server.certificate.subject
    certificate.issuer x509.log network.tls.server.certificate.issuer
    certificate.cn x509.log target.hostname
    certificate.not_valid_before x509.log network.tls.server.certificate.not_before
    certificate.not_valid_after x509.log network.tls.server.certificate.not_after
    certificate.key_alg x509.log additional.fields.key/value
    certificate.sig_alg x509.log additional.fields.key/value
    certificate.key_type x509.log additional.fields.key/value
    certificate.key_length x509.log additional.fields.key/value
    certificate.exponent x509.log additional.fields.key/value
    certificate.curve x509.log network.tls.curve
    handle x509.log additional.fields.key/value
    extensions.name x509.log additional.fields.key/value
    extensions.short_name x509.log additional.fields.key/value
    extensions.oid x509.log additional.fields.key/value
    extensions.critical x509.log additional.fields.key/value
    extensions.value x509.log additional.fields.key/value
    san.dns x509.log additional.fields.key/value
    san.uri x509.log additional.fields.key/value
    san.email x509.log additional.fields.key/value
    san.ip x509.log additional.fields.key/value
    san.other_fields x509.log additional.fields.key/value
    basic_constraints.ca x509.log additional.fields.key/value
    basic_constraints.path_len x509.log additional.fields.key/value
    extensions_cache x509.log additional.fields.key/value
    host_cert x509.log additional.fields.key/value
    client_cert x509.log additional.fields.key/value
    deduplication_index.fingerprint x509.log additional.fields.key/value
    deduplication_index.host_cert x509.log additional.fields.key/value
    deduplication_index.client_cert x509.log additional.fields.key/value
    always_raise_x509_events x509.log additional.fields.key/value
    cert x509.log additional.fields.key/value

    Netcontrol

    The following table lists the log fields of the netcontrol log type and their corresponding UDM fields.

    Original log field Log type UDM field
    ts netcontrol.log metadata.event_timestamp
    rule_id netcontrol.log security_result.rule_id
    category netcontrol.log security_result.category_details
    cmd netcontrol.log additional.fields.key/value
    state netcontrol.log additional.fields.key/value
    action netcontrol.log security_result.action_details
    target netcontrol.log additional.fields.key/value
    entity_type netcontrol.log additional.fields.key/value
    entity netcontrol.log security_result.summary
    mod netcontrol.log additional.fields.key/value
    msg netcontrol.log security_result.description
    priority netcontrol.log security_result.priority_details
    expire netcontrol.log additional.fields.key/value
    location netcontrol.log additional.fields.key/value
    plugin netcontrol.log additional.fields.key/value
    ts netcontrol_drop.log metadata.event_timestamp
    rule_id netcontrol_drop.log security_result.rule_id
    orig_h netcontrol_drop.log principal.ip
    orig_p netcontrol_drop.log principal.port
    resp_h netcontrol_drop.log target.ip
    resp_p netcontrol_drop.log target.port
    expire netcontrol_drop.log additional.fields.key/value
    location netcontrol_drop.log additional.fields.key/value
    ts netcontrol_shunt.log metadata.event_timestamp
    rule_id netcontrol_shunt.log security_result.rule_id
    f.src_h netcontrol_shunt.log principal.ip
    f.src_p netcontrol_shunt.log principal.port
    f.dst_h netcontrol_shunt.log target.ip
    f.dst_p netcontrol_shunt.log target.port
    expire netcontrol_shunt.log additional.fields.key/value
    location netcontrol_shunt.log additional.fields.key/value
    ts netcontrol_catch_release.log metadata.event_timestamp
    rule_id netcontrol_catch_release.log security_result.rule_id
    ip netcontrol_catch_release.log target.ip
    action netcontrol_catch_release.log security_result.action_details
    block_interval netcontrol_catch_release.log additional.fields.key/value
    watch_interval netcontrol_catch_release.log additional.fields.key/value
    blocked_until netcontrol_catch_release.log additional.fields.key/value
    watched_until netcontrol_catch_release.log additional.fields.key/value
    num_blocked netcontrol_catch_release.log additional.fields.key/value
    location netcontrol_catch_release.log additional.fields.key/value
    message netcontrol_catch_release.log security_result.description
    ts openflow.log metadata.event_timestamp
    dpid openflow.log additional.fields.key/value
    match.in_port openflow.log additional.fields.key/value
    match.dl_src openflow.log additional.fields.key/value
    match.dl_dst openflow.log additional.fields.key/value
    match.dl_vlan openflow.log additional.fields.key/value
    match.dl_vlan_pcp openflow.log additional.fields.key/value
    match.dl_type openflow.log additional.fields.key/value
    match.nw_tos openflow.log additional.fields.key/value
    match.nw_proto openflow.log additional.fields.key/value
    match.nw_src openflow.log additional.fields.key/value
    match.nw_dst openflow.log additional.fields.key/value
    match.tp_src openflow.log additional.fields.key/value
    match.tp_dst openflow.log additional.fields.key/value
    flow_mod.cookie openflow.log additional.fields.key/value
    flow_mod.table_id openflow.log additional.fields.key/value
    flow_mod.command openflow.log additional.fields.key/value
    flow_mod.idle_timeout openflow.log additional.fields.key/value
    flow_mod.hard_timeout openflow.log additional.fields.key/value
    flow_mod.priority openflow.log additional.fields.key/value
    flow_mod.out_port openflow.log additional.fields.key/value
    flow_mod.flags openflow.log additional.fields.key/value
    flow_mod.actions.out_ports openflow.log additional.fields.key/value
    flow_mod.actions.vlan_vid openflow.log additional.fields.key/value
    flow_mod.actions.vlan_pcp openflow.log additional.fields.key/value
    flow_mod.actions.vlan_strip openflow.log additional.fields.key/value
    flow_mod.actions.dl_src openflow.log additional.fields.key/value
    flow_mod.actions.dl_dst openflow.log additional.fields.key/value
    flow_mod.actions.nw_tos openflow.log additional.fields.key/value
    flow_mod.actions.nw_src openflow.log additional.fields.key/value
    flow_mod.actions.nw_dst openflow.log additional.fields.key/value
    flow_mod.actions.tp_src openflow.log additional.fields.key/value
    flow_mod.actions.tp_dst openflow.log additional.fields.key/value

    Detection

    The following table lists the log fields of the detection log type and their corresponding UDM fields.

    Original log field Log type UDM field
    ts intel.log metadata.event_timestamp
    uid intel.log network.session_id
    id.orig_h intel.log principal.ip
    id.orig_p intel.log principal.port
    id.resp_h intel.log target.ip
    id.resp_p intel.log target.port
    seen.indicator intel.log additional.fields.key/value
    seen.indicator_type intel.log additional.fields.key/value
    seen.host intel.log additional.fields.key/value
    seen.where intel.log additional.fields.key/value
    seen.node intel.log additional.fields.key/value
    seen.conn.id.orig_h intel.log additional.fields.key/value
    seen.conn.id.orig_p intel.log additional.fields.key/value
    seen.conn.id.resp_h intel.log additional.fields.key/value
    seen.conn.id.resp_p intel.log additional.fields.key/value
    seen.conn.orig.size intel.log network.sent_bytes
    seen.conn.orig.state intel.log additional.fields.key/value
    seen.conn.orig.num_pkts intel.log additional.fields.key/value
    seen.conn.orig.num_bytes_ip intel.log additional.fields.key/value
    seen.conn.orig.flow_label intel.log additional.fields.key/value
    seen.conn.orig.l2_addr intel.log additional.fields.key/value
    seen.conn.resp.size intel.log network.received_bytes
    seen.conn.resp.state intel.log additional.fields.key/value
    seen.conn.resp.num_pkts intel.log additional.fields.key/value
    seen.conn.resp.num_bytes_ip intel.log additional.fields.key/value
    seen.conn.resp.flow_label intel.log additional.fields.key/value
    seen.conn.resp.l2_addr intel.log additional.fields.key/value
    seen.conn.start_time intel.log additional.fields.key/value
    seen.conn.duration intel.log network.session_duration
    seen.conn.service intel.log additional.fields.key/value
    seen.conn.history intel.log metadata.description
    seen.conn.uid intel.log network.session_id
    seen.conn.tunnel.queued intel.log additional.fields.key/value
    seen.conn.tunnel.dispatched intel.log additional.fields.key/value
    seen.conn.vlan intel.log additional.fields.key/value
    seen.conn.inner_vlan intel.log additional.fields.key/value
    seen.conn.dpd_state intel.log additional.fields.key/value
    seen.conn.removal_hooks intel.log additional.fields.key/value
    seen.conn.extract_orig intel.log additional.fields.key/value
    seen.conn.extract_resp intel.log additional.fields.key/value
    seen.conn.thresholds.orig_byte intel.log additional.fields.key/value
    seen.conn.thresholds.resp_byte intel.log additional.fields.key/value
    seen.conn.thresholds.orig_packet intel.log additional.fields.key/value
    seen.conn.thresholds.resp_packet intel.log additional.fields.key/value
    seen.conn.thresholds.duration intel.log additional.fields.key/value
    seen.conn.dce_rpc_state.uuid intel.log additional.fields.key/value
    seen.conn.dce_rpc_state.named_pipe intel.log additional.fields.key/value
    seen.conn.dce_rpc_state.ctx_to_uuid intel.log additional.fields.key/value
    seen.conn.dce_rpc_backing intel.log additional.fields.key/value
    seen.conn.dns_state.pending_query intel.log additional.fields.key/value
    seen.conn.dns_state.pending_queries intel.log additional.fields.key/value
    seen.conn.dns_state.pending_replies intel.log additional.fields.key/value
    seen.conn.ftp_data_reuse intel.log additional.fields.key/value
    seen.conn.http_state.pending intel.log additional.fields.key/value
    seen.conn.http_state.current_request intel.log additional.fields.key/value
    seen.conn.http_state.current_response intel.log additional.fields.key/value
    seen.conn.http_state.trans_depth intel.log additional.fields.key/value
    seen.conn.sip_state.pending intel.log additional.fields.key/value
    seen.conn.sip_state.current_request intel.log additional.fields.key/value
    seen.conn.sip_state.current_response intel.log additional.fields.key/value
    seen.conn.smb_state.current_cmd intel.log additional.fields.key/value
    seen.conn.smb_state.current_file intel.log additional.fields.key/value
    seen.conn.smb_state.current_tree intel.log additional.fields.key/value
    seen.conn.smb_state.pending_cmds intel.log additional.fields.key/value
    seen.conn.smb_state.fid_map intel.log additional.fields.key/value
    seen.conn.smb_state.tid_map intel.log additional.fields.key/value
    seen.conn.smb_state.uid_map intel.log additional.fields.key/value
    seen.conn.smb_state.pipe_map intel.log additional.fields.key/value
    seen.conn.smb_state.recent_files intel.log additional.fields.key/value
    seen.conn.smtp_state.messages_transferred intel.log additional.fields.key/value
    seen.conn.smtp_state.mime_depth intel.log additional.fields.key/value
    seen.conn.known_services_done intel.log additional.fields.key/value
    seen.conn.mqtt_state.publish intel.log additional.fields.key/value
    seen.conn.mqtt_state.subscribe intel.log additional.fields.key/value
    seen.conn.speculative_service intel.log additional.fields.key/value
    seen.uid intel.log additional.fields.key/value
    seen.f.id intel.log additional.fields.key/value
    seen.f.parent_id intel.log additional.fields.key/value
    seen.f.source intel.log target.file.full_path
    seen.f.is_orig intel.log additional.fields.key/value
    seen.f.conns intel.log additional.fields.key/value
    seen.f.last_active intel.log additional.fields.key/value
    seen.f.seen_bytes intel.log additional.fields.key/value
    seen.f.total_bytes intel.log additional.fields.key/value
    seen.f.missing_bytes intel.log additional.fields.key/value
    seen.f.overflow_bytes intel.log additional.fields.key/value
    seen.f.timeout_interval intel.log additional.fields.key/value
    seen.f.bof_buffer_size intel.log additional.fields.key/value
    seen.f.bof_buffer intel.log additional.fields.key/value
    seen.f.u2_events intel.log additional.fields.key/value
    seen.fuid intel.log additional.fields.key/value
    matched intel.log additional.fields.key/value
    sources intel.log additional.fields.key/value
    fuid intel.log additional.fields.key/value
    file_mime_type intel.log target.file.mime_type
    file_desc intel.log additional.fields.key/value
    cif.tags intel.log additional.fields.key/value
    cif.confidence intel.log additional.fields.key/value
    cif.source intel.log additional.fields.key/value
    cif.description intel.log additional.fields.key/value
    cif.firstseen intel.log additional.fields.key/value
    cif.lastseen intel.log additional.fields.key/value
    ts notice.log

    notice_alarm.log

    metadata.event_timestamp
    uid notice.log

    notice_alarm.log

    network.session_id
    id.orig_h notice.log

    notice_alarm.log

    principal.ip
    id.orig_p notice.log

    notice_alarm.log

    principal.port
    id.resp_h notice.log

    notice_alarm.log

    target.ip
    id.resp_p notice.log

    notice_alarm.log

    target.port
    conn.id.orig_h notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.id.orig_p notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.id.resp_h notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.id.resp_p notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.orig.size notice.log

    notice_alarm.log

    network.sent_bytes
    conn.orig.state notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.orig.num_pkts notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.orig.num_bytes_ip notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.orig.flow_label notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.orig.l2_addr notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.resp.size notice.log

    notice_alarm.log

    network.received_bytes
    conn.resp.state notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.resp.num_pkts notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.resp.num_bytes_ip notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.resp.flow_label notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.resp.l2_addr notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.start_time notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.duration notice.log

    notice_alarm.log

    network.session_duration
    conn.service notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.history notice.log

    notice_alarm.log

    metadata.description
    conn.uid notice.log

    notice_alarm.log

    network.session_id
    conn.tunnel.queued notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.tunnel.dispatched notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.vlan notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.inner_vlan notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.dpd_state.violations notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.removal_hooks notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.extract_orig notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.extract_resp notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.thresholds.orig_byte notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.thresholds.resp_byte notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.thresholds.orig_packet notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.thresholds.resp_packet notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.thresholds.duration notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.dce_rpc_state.uuid notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.dce_rpc_state.named_pipe notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.dce_rpc_state.ctx_to_uuid notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.dce_rpc_backing notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.dns_state.pending_query notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.dns_state.pending_queries notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.dns_state.pending_replies notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.ftp_data_reuse notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.http_state.pending notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.http_state.current_request notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.http_state.current_response notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.http_state.trans_depth notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.sip_state.pending notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.sip_state.current_request notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.sip_state.current_response notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.smb_state.pending_cmds notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.smb_state.fid_map notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.smb_state.tid_map notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.smb_state.uid_map notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.smb_state.pipe_map notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.smb_state.recent_files notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.smtp_state.messages_transferred notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.smtp_state.mime_depth notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.known_services_done notice.log

    notice_alarm.log

    additional.fields.key/value
    mqtt.ts notice.log

    notice_alarm.log

    additional.fields.key/value
    mqtt.uid notice.log

    notice_alarm.log

    additional.fields.key/value
    mqtt.id notice.log

    notice_alarm.log

    additional.fields.key/value
    mqtt.proto_name notice.log

    notice_alarm.log

    additional.fields.key/value
    mqtt.proto_version notice.log

    notice_alarm.log

    additional.fields.key/value
    mqtt.client_id notice.log

    notice_alarm.log

    additional.fields.key/value
    mqtt.connect_status notice.log

    notice_alarm.log

    additional.fields.key/value
    mqtt.will_topic notice.log

    notice_alarm.log

    additional.fields.key/value
    mqtt.will_payload notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.mqtt_state.publish notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.mqtt_state.subscribe notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.speculative_service notice.log

    notice_alarm.log

    additional.fields.key/value
    iconn.orig_h notice.log

    notice_alarm.log

    additional.fields.key/value
    iconn.resp_h notice.log

    notice_alarm.log

    additional.fields.key/value
    iconn.itype notice.log

    notice_alarm.log

    additional.fields.key/value
    iconn.icode notice.log

    notice_alarm.log

    additional.fields.key/value
    iconn.len notice.log

    notice_alarm.log

    additional.fields.key/value
    iconn.hlim notice.log

    notice_alarm.log

    additional.fields.key/value
    iconn.v6 notice.log

    notice_alarm.log

    additional.fields.key/value
    f.id notice.log

    notice_alarm.log

    additional.fields.key/value
    f.parent_id notice.log

    notice_alarm.log

    additional.fields.key/value
    f.source notice.log

    notice_alarm.log

    target.file.full_path
    f.is_orig notice.log

    notice_alarm.log

    additional.fields.key/value
    f.conns notice.log

    notice_alarm.log

    additional.fields.key/value
    f.last_active notice.log

    notice_alarm.log

    additional.fields.key/value
    f.seen_bytes notice.log

    notice_alarm.log

    additional.fields.key/value
    f.total_bytes notice.log

    notice_alarm.log

    additional.fields.key/value
    f.missing_bytes notice.log

    notice_alarm.log

    additional.fields.key/value
    f.overflow_bytes notice.log

    notice_alarm.log

    additional.fields.key/value
    f.timeout_interval notice.log

    notice_alarm.log

    additional.fields.key/value
    f.bof_buffer_size notice.log

    notice_alarm.log

    additional.fields.key/value
    f.bof_buffer notice.log

    notice_alarm.log

    additional.fields.key/value
    f.u2_events notice.log

    notice_alarm.log

    additional.fields.key/value
    fuid notice.log

    notice_alarm.log

    additional.fields.key/value
    file_mime_type notice.log

    notice_alarm.log

    target.file.mime_type
    file_desc notice.log

    notice_alarm.log

    additional.fields.key/value
    proto notice.log

    notice_alarm.log

    network.ip_protocol
    note notice.log

    notice_alarm.log

    security_result.description
    msg notice.log

    notice_alarm.log

    security_result.summary
    sub notice.log

    notice_alarm.log

    additional.fields.key/value
    src notice.log

    notice_alarm.log

    principal.ip
    dst notice.log

    notice_alarm.log

    target.ip
    p notice.log

    notice_alarm.log

    target.port
    n notice.log

    notice_alarm.log

    additional.fields.key/value
    peer_name notice.log

    notice_alarm.log

    additional.fields.key/value
    peer_descr notice.log

    notice_alarm.log

    additional.fields.key/value
    actions notice.log

    notice_alarm.log

    security_result.action_details
    email_dest notice.log

    notice_alarm.log

    network.email.to (repeated)
    email_body_sections notice.log

    notice_alarm.log

    network.email.subject (repeated)
    email_delay_tokens notice.log

    notice_alarm.log

    additional.fields.key/value
    identifier notice.log

    notice_alarm.log

    additional.fields.key/value
    suppress_for notice.log

    notice_alarm.log

    additional.fields.key/value
    remote_location.country_code notice.log

    notice_alarm.log

    additional.fields.key/value
    remote_location.region notice.log

    notice_alarm.log

    principal.asset.location.country_or_region
    remote_location.city notice.log

    notice_alarm.log

    principal.asset.location.city
    remote_location.latitude notice.log

    notice_alarm.log

    additional.fields.key/value
    remote_location.longitude notice.log

    notice_alarm.log

    additional.fields.key/value
    dropped notice.log

    notice_alarm.log

    security_result.action_details
    ts signatures.log metadata.event_timestamp
    uid signatures.log network.session_id
    src_addr signatures.log principal.ip
    src_port signatures.log principal.port
    dst_addr signatures.log target.ip
    dst_port signatures.log target.port
    note signatures.log security_result.summary
    sig_id signatures.log additional.fields.key/value
    event_msg signatures.log metadata.description
    sub_msg signatures.log additional.fields.key/value
    sig_count signatures.log additional.fields.key/value
    host_count signatures.log additional.fields.key/value
    ts traceroute.log metadata.event_timestamp
    src traceroute.log principal.ip
    dst traceroute.log target.ip
    proto traceroute.log network.ip_protocol

    Network Observations

    The following table lists the log fields of the network observations log type and their corresponding UDM fields.

    Original log field Log type UDM field
    ts known_certs.log metadata.event_timestamp
    host known_certs.log principal.ip
    port_num known_certs.log principal.port
    subject known_certs.log network.tls.client.certificate.subject
    issuer_subject known_certs.log network.tls.client.certificate.issuer
    serial known_certs.log network.tls.client.certificate.serial
    ts known_hosts.log metadata.event_timestamp
    host known_hosts.log principal.ip
    ts known_modbus.log metadata.event_timestamp
    host known_modbus.log principal.ip
    device_type known_modbus.log target.resource.name

    target.resource.resource_type = "DEVICE"

    ts known_services.log metadata.event_timestamp
    host known_services.log principal.ip
    port_num known_services.log principal.port
    port_proto known_services.log network.ip_protocol
    service known_services.log target.application
    ts software.log metadata.event_timestamp
    host software.log principal.ip
    host_p software.log principal.port
    software_type software.log principal.resource.resource_subtype
    name software.log principal.resource.name
    version.major software.log additional.fields.key/value
    version.minor software.log additional.fields.key/value
    version.minor2 software.log additional.fields.key/value
    version.minor3 software.log additional.fields.key/value
    version.addl software.log additional.fields.key/value
    unparsed_version software.log additional.fields.key/value
    force_log software.log additional.fields.key/value
    url software.log metadata.url_back_to_product

    Field mapping reference: Event ID to UDM event type

    To understand how the parser maps log names to UDM event types, refer to the following sections:

    Network protocols

    The following table lists the log names of the network protocols log type and their corresponding UDM event types.

    Log name Description UDM event type
    conn.log TCP/UDP/ICMP connections NETWORK_CONNECTION
    dce_rpc.log Distributed Computing Environment/RPC NETWORK_CONNECTION
    dhcp.log DHCP leases NETWORK_DHCP
    dnp3.log DNP3 (Distributed Network Protocol 3) requests and replies NETWORK_CONNECTION
    dns.log DNS activity NETWORK_DNS
    ftp.log FTP (File Transfer Protocol) activity NETWORK_FTP
    http.log HTTP requests and replies NETWORK_HTTP
    irc.log IRC (Internet Relay Chat) commands and responses NETWORK_CONNECTION
    kerberos.log Kerberos NETWORK_CONNECTION
    modbus.log Modbus commands and responses NETWORK_CONNECTION
    modbus_register_change.log Tracks changes to Modbus holding registers GENERIC_EVENT
    mysql.log MySQL NETWORK_UNCATEGORIZED
    ntlm.log NT LAN Manager (NTLM) NETWORK_CONNECTION
    ntp.log Network Time Protocol NETWORK_CONNECTION
    radius.log RADIUS authentication attempts USER_LOGIN
    rdp.log Remote Desktop Protocol (RDP) NETWORK_CONNECTION
    rfb.log Remote Framebuffer (RFB) NETWORK_CONNECTION
    sip.log Session Initiation Protocol (SIP) NETWORK_UNCATEGORIZED
    smb_cmd.log SMB (Server Message Block) commands NETWORK_CONNECTION
    smb_files.log SMB (Server Message Block) files NETWORK_UNCATEGORIZED
    smb_mapping.log SMB (Server Message Block) trees NETWORK_CONNECTION
    smtp.log SMTP (Simple Mail Transfer Protocol) transactions NETWORK_SMTP
    snmp.log SNMP (Simple Network Management Protocol) messages NETWORK_UNCATEGORIZED
    socks.log SOCKS proxy requests NETWORK_CONNECTION
    ssh.log SSH (Secure Shell) connections NETWORK_UNCATEGORIZED
    ssl.log SSL(Secure Sockets Layer)/TLS(Transport Layer Security) handshake info NETWORK_HTTP

    NETWORK_CONNECTION

    syslog.log Syslog messages NETWORK_CONNECTION
    tunnel.log Tunneling protocol events NETWORK_CONNECTION

    Files

    The following table lists the log names of the files log type and their corresponding UDM event types.

    Log name Description UDM event type
    files.log File analysis results NETWORK_UNCATEGORIZED
    ocsp.log If policy script is loaded, the Online Certificate Status Protocol (OCSP) log is created. GENERIC_EVENT
    pe.log Portable Executable (PE) GENERIC_EVENT
    x509.log X.509 certificate info GENERIC_EVENT

    Netcontrol

    The following table lists the log names of the netcontrol log type and their corresponding UDM event types.

    Log name Description UDM event type
    netcontrol.log NetControl actions GENERIC_EVENT
    netcontrol_drop.log NetControl actions STATUS_UPDATE
    netcontrol_shunt.log NetControl shunt actions STATUS_UPDATE
    netcontrol_catch_release.log NetControl catch and release actions GENERIC_EVENT
    openflow.log OpenFlow debug log GENERIC_EVENT

    Detection

    The following table lists the log names of the detection log type and their corresponding UDM event types.

    Log name Description UDM event type
    intel.log Intelligence data matches GENERIC_EVENT
    notice.log Zeek notices NETWORK_CONNECTION
    notice_alarm.log The alarm stream NETWORK_CONNECTION
    signatures.log Signature matches GENERIC_EVENT
    traceroute.log Traceroute detection NETWORK_UNCATEGORIZED

    Network observations

    The following table lists the log names of the network observations log type and their corresponding UDM event types.

    Log name Description UDM event type
    known_certs.log SSL certificates GENERIC_EVENT
    known_hosts.log Hosts that completed TCP handshakes GENERIC_EVENT
    known_modbus.log Modbus master and secondary GENERIC_EVENT
    known_services.log Services running on hosts GENERIC_EVENT
    software.log Software used on the network GENERIC_EVENT

    What's next