收集 Zeek (Bro) 日志
本文档介绍了如何将 Zeek(以前称为 Bro)和 NXLog 与 Google 安全运营部署在一起,以便以 JSON 格式收集 Zeek 日志。本文档还 解释了 Zeek 日志字段如何映射到 Google Security Operations 统一数据模型 (UDM) 字段。
如需大致了解 Google Security Operations 数据提取,请参阅将数据提取到 Google Security Operations。
提取标签用于标识将原始日志数据标准化的解析器 结构化 UDM 格式本文档中的信息适用于具有 BRO_JSON 提取标签的解析器。
准备工作
如需了解为收集 Zeek 日志而部署的组件,请查看 部署架构每个客户部署都可能与此表示法不同,并且可能更复杂。下图显示了如何配置 NXLog 代理和 Google Security Operations Linux 服务器上的转发器,并将日志数据转发到 Google Security Operations。
验证 Google Security Operations 解析器支持的 Zeek 版本。 Google Security Operations 解析器支持以下 Zeek 版本:
- Zeek 4.1.0
- Zeek 4.0.1
- Zeek 5.2.0
- Zeek 6.0.0
在使用 Zeek 解析器之前,请查看 旧版解析器和当前 Zeek 解析器之间的字段映射更改。在迁移过程中,请确保依赖于原始字段的规则、搜索、信息中心或其他进程使用更新后的字段。
例如,在之前的解析器版本中,
server_name
字段会映射到target.hostname
UDM 字段。在当前的 Zeek 解析器中,server_name
字段为 映射到network.tls.client.server_name
UDM 字段。如果您迁移到 当前的 Zeek 解析器,并在规则中使用server_name
字段, 您需要修改规则以使用当前解析器的network.tls.client.server_name
UDM 字段。验证 Google Security Operations 解析器支持的 Zeek 日志类型。 下表列出了 Google 安全运营解析器支持的 Zeek 日志类型:
日志类型 | 说明 |
网络协议 | 包括网络协议的日志文件,如动态主机配置协议 (DHCP) 和域名系统 (DNS)。 |
文件 | 包含以下日志文件:文件分析结果、在线证书状态协议 (OCSP)、可移植可执行文件 (PE) 和 X.509 证书。 |
NetControl | 包括 NetControl 操作和 OpenFlow 调试日志的日志文件。 |
检测 | 包括情报数据匹配、Zeek 通知、警报流、签名匹配和 traceroute 检测的日志文件。 |
网络观察 | 包括 SSL 证书、已完成 TCP 握手的主机、Modbus 主副本、主机上运行的服务以及网络上使用的软件的日志文件。 |
如果您尚未安装并配置 Zeek,请执行此操作。 如需更多信息 请参阅 Zeek 安装。
以 JSON 格式收集 Zeek 日志。如需了解详情,请参阅 将 Zeek 日志输出为 JSON。
确保已配置部署架构中的所有系统 采用世界协调时间 (UTC) 时区。
配置 NXLog 和 Google Security Operations 转发器
- 在 Linux 机器上下载并安装 NXLog Community Edition,
Google Security Operations 转发器运行的 Pod。
- 如需详细了解如何下载 NXLog 社区版,请参阅 NXLog 文档。
- 如需详细了解如何安装所需的 NXLog 软件包和 请参阅在 Linux 系统上安装 NXLog。
- 为每个 NXLog 实例创建一个配置文件。
使用 NXLog im_file 模块从文件中读取内容并将行解析为字段。以下是 NXLog 配置示例:
LogFile /var/log/nxlog/nxlog.log LogLevel INFO define ZEEK_OUTPUT_DESTINATION_ADDRESS <hostname> define ZEEK_OUTPUT_DESTINATION_PORT <port> <Input conn> Module im_file File '/opt/zeek/logs/current/conn.log' Exec $raw_event= "conn" + ' - ' + $raw_event;; </Input> <Input dce_rpc> Module im_file File '/opt/zeek/logs/current/dce_rpc.log' Exec $raw_event= "dce_rpc" + ' - ' + $raw_event;; </Input> <Output out_chronicle> Module om_tcp Host %ZEEK_OUTPUT_DESTINATION_ADDRESS% Port %ZEEK_OUTPUT_DESTINATION_PORT% </Output> <Route zeek_to_chronicle> Path conn, dce_rpc => out_chronicle </Route>
如需使用上述示例配置,请执行以下操作:
- 将
<hostname>
和<port>
值替换为 目标 Linux 服务器。 - 为您要收集的每种 Zeek 日志类型添加输入、输出和路线元素。
- 将
配置 Google Security Operations 转发器以将日志发送到 Google Security Operations, 如需了解详情,请参阅在 Linux 上安装和配置转发器。以下是转发器配置示例。
- syslog: common: enabled: true data_type: BRO_JSON batch_n_seconds: 10 batch_n_bytes: 1048576 tcp_address: 0.0.0.0:10518 connection_timeout_sec: 60
启动 NXLog 服务。
字段映射参考信息:Zeek 日志字段到 UDM 字段
了解 Google Security Operations 解析器如何将 Zeek 日志字段映射到 有关每种 Zeek 日志类型的 Google Security Operations UDM 事件字段,请参阅 以下部分:
网络协议
下表列出了网络协议日志类型的日志字段 及其对应的 UDM 字段。
原始日志字段 | 日志类型 | UDM 字段 |
---|---|---|
ts | conn.log | metadata.event_timestamp |
uid | conn.log | network.session_id |
id.orig_h | conn.log | principal.ip |
id.orig_p | conn.log | principal.port |
id.resp_h | conn.log | target.ip |
id.resp_p | conn.log | target.port |
proto | conn.log | network.ip_protocol |
service | conn.log | In case of exact match, service is mapped to network.application_protocol. In case of multiple values, service is mapped to additional.fields.key/value. |
duration | conn.log | network.session_duration |
orig_bytes | conn.log | network.sent_bytes |
resp_bytes | conn.log | network.received_bytes |
conn_state | conn.log | metadata.description |
local_orig | conn.log | additional.fields.key/value |
local_resp | conn.log | additional.fields.key/value |
missed_bytes | conn.log | additional.fields.key/value |
history | conn.log | additional.fields.key/value |
orig_pkts | conn.log | additional.fields.key/value |
orig_ip_bytes | conn.log | additional.fields.key/value |
resp_pkts | conn.log | additional.fields.key/value |
resp_ip_bytes | conn.log | additional.fields.key/value |
tunnel_parents | conn.log | additional.fields.key/value |
orig_l2_addr | conn.log | additional.fields.key/value |
resp_l2_addr | conn.log | additional.fields.key/value |
vlan | conn.log | additional.fields.key/value |
inner_vlan | conn.log | additional.fields.key/value |
speculative_service | conn.log | additional.fields.key/value |
ts | dce_rpc.log | metadata.event_timestamp |
uid | dce_rpc.log | network.session_id |
id.orig_h | dce_rpc.log | principal.ip |
id.orig_p | dce_rpc.log | principal.port |
id.resp_h | dce_rpc.log | target.ip |
id.resp_p | dce_rpc.log | target.port |
rtt | dce_rpc.log | additional.fields.key/value |
named_pipe | dce_rpc.log | target.resource.name
Also, target.resource.resource_type is set to "PIPE". |
endpoint | dce_rpc.log | additional.fields.key/value |
operation | dce_rpc.log | additional.fields.key/value |
ts | dhcp.log | metadata.event_timestamp |
uids | dhcp.log | additional.fields.key/value |
client_addr | dhcp.log | target.ip |
server_addr | dhcp.log | principal.ip |
client_port | dhcp.log | target.port |
server_port | dhcp.log | principal.port |
mac | dhcp.log | principal.mac
Machine ID is required for parsing NETWORK_DHCP events. |
host_name | dhcp.log | network.dhcp.client_hostname |
client_fqdn | dhcp.log | target.hostname |
domain | dhcp.log | target.administrative_domain |
requested_addr | dhcp.log | network.dhcp.requested_address |
assigned_addr | dhcp.log | network.dhcp.yiaddr |
lease_time | dhcp.log | network.dhcp.lease_time_seconds |
client_message | dhcp.log | additional.fields.key/value |
server_message | dhcp.log | additional.fields.key/value |
msg_types | dhcp.log | additional.fields.key/value
The log that Zeek produces is a collection of DORA messages in a single log. |
duration | dhcp.log | network.dhcp.seconds |
client_chaddr | dhcp.log | network.dhcp.chaddr |
msg_orig | dhcp.log | additional.fields.key/value |
client_software | dhcp.log | additional.fields.key/value |
server_software | dhcp.log | additional.fields.key/value |
circuit_id | dhcp.log | additional.fields.key/value |
agent_remote_id | dhcp.log | additional.fields.key/value |
subscriber_id | dhcp.log | additional.fields.key/value |
ts | dnp3.log | metadata.event_timestamp |
uid | dnp3.log | network.session_id |
id.orig_h | dnp3.log | principal.ip |
id.orig_p | dnp3.log | principal.port |
id.resp_h | dnp3.log | target.ip |
id.resp_p | dnp3.log | target.port |
fc_request | dnp3.log | additional.fields.key/value |
fc_reply | dnp3.log | additional.fields.key/value |
iin | dnp3.log | additional.fields.key/value |
ts | dns.log | metadata.event_timestamp |
uid | dns.log | network.session_id |
id.orig_h | dns.log | principal.ip |
id.orig_p | dns.log | principal.port |
id.resp_h | dns.log | target.ip |
id.resp_p | dns.log | target.port |
proto | dns.log | network.ip_protocol |
trans_id | dns.log | network.dns.id |
rtt | dns.log | additional.fields.key/value |
query | dns.log | network.dns.questions.name |
qclass | dns.log | network.dns.questions.class |
qclass_name | dns.log | additional.fields.key/value |
qtype | dns.log | network.dns.questions.type |
qtype_name | dns.log | additional.fields.key/value |
rcode | dns.log | network,dns.response_code |
rcode_name | dns.log | additional.fields.key/value |
AA | dns.log | network.dns.authoritative |
TC | dns.log | network.dns.truncated |
RD | dns.log | network.dns.recursion_desired |
RA | dns.log | network.dns.recursion_available |
Z | dns.log | additional.fields.key/value |
answers | dns.log | network.dns.answers.data |
TTLs | dns.log | network.dns.answers.ttl |
rejected | dns.log | additional.fields.key/value |
total_answers | dns.log | additional.fields.key/value |
total_replies | dns.log | additional.fields.key/value |
saw_query | dns.log | additional.fields.key/value |
saw_reply | dns.log | additional.fields.key/value |
auth | dns.log | network.dns.authority.data |
addl | dns.log | network.dns.additional.data |
original_query | dns.log | additional.fields.key/value |
ts | ftp.log | metadata.event_timestamp |
uid | ftp.log | network.session_id |
id.orig_h | ftp.log | principal.ip |
id.orig_p | ftp.log | principal.port |
id.resp_h | ftp.log | target.ip |
id.resp_p | ftp.log | target.port |
user | ftp.log | principal.user.userid |
command | ftp.log | network.ftp.command |
arg | ftp.log | additional.fields.key/value |
mime_type | ftp.log | src.file.mime_type |
file_size | ftp.log | src.file.size |
reply_code | ftp.log | additional.fields.key/value |
reply_msg | ftp.log | additional.fields.key/value |
data_channel.passive | ftp.log | additional.fields.key/value |
data_channel.orig_h | ftp.log | additional.fields.key/value |
data_channel.resp_h | ftp.log | additional.fields.key/value |
data_channel.resp_p | ftp.log | additional.fields.key/value |
cwd | ftp.log | src.file.full_path |
cmdarg.ts | ftp.log | additional.fields.key/value |
cmdarg.cmd | ftp.log | additional.fields.key/value |
cmdarg.arg | ftp.log | additional.fields.key/value |
cmdarg.seq | ftp.log | additional.fields.key/value |
pending_commands | ftp.log | additional.fields.key/value |
passive | ftp.log | additional.fields.key/value |
capture_password | ftp.log | additional.fields.key/value |
fuid | ftp.log | additional.fields.key/value |
last_auth_requested | ftp.log | additional.fields.key/value |
ts | http.log | metadata.event_timestamp |
uid | http.log | network.session_id |
id.orig_h | http.log | principal.ip |
id.orig_p | http.log | principal.port |
id.resp_h | http.log | target.ip |
id.resp_p | http.log | target.port |
trans_depth | http.log | additional.fields.key/value |
method | http.log | network.http.method |
host | http.log | target.hostname |
uri | http.log | target.url is set to "%{host}%{uri}" |
referrer | http.log | network.http.referral_url |
version | http.log | additional.fields.key/value |
user_agent | http.log | network.http.user_agent |
origin | http.log | additional.fields.key/value |
request_body_len | http.log | additional.fields.key/value |
response_body_len | http.log | additional.fields.key/value |
status_code | http.log | network.http.response_code |
status_msg | http.log | additional.fields.key/value |
info_code | http.log | additional.fields.key/value |
info_msg | http.log | additional.fields.key/value |
tags | http.log | additional.fields.key/value |
username | http.log | principal.user.userid |
capture_password | http.log | additional.fields.key/value |
proxied | http.log | additional.fields.key/value |
range_request | http.log | additional.fields.key/value |
orig_fuids | http.log | additional.fields.key/value |
orig_filenames | http.log | additional.fields.key/value |
orig_mime_types | http.log | additional.fields.key/value |
resp_fuids | http.log | additional.fields.key/value |
resp_filenames | http.log | additional.fields.key/value |
resp_mime_types | http.log | additional.fields.key/value |
current_entity | http.log | additional.fields.key/value |
orig_mime_depth | http.log | additional.fields.key/value |
resp_mime_depth | http.log | additional.fields.key/value |
client_header_names | http.log | additional.fields.key/value |
server_header_names | http.log | additional.fields.key/value |
omniture | http.log | additional.fields.key/value |
flash_version | http.log | additional.fields.key/value |
cookie_vars | http.log | additional.fields.key/value |
uri_vars | http.log | additional.fields.key/value |
ts | irc.log | metadata.event_timestamp |
uid | irc.log | network.session_id |
id.orig_h | irc.log | principal.ip |
id.orig_p | irc.log | principal.port |
id.resp_h | irc.log | target.ip |
id.resp_p | irc.log | target.port |
nick | irc.log | additional.fields.key/value |
user | irc.log | principal.user.userid |
command | irc.log | principal.process.command_line |
value | irc.log | additional.fields.key/value |
addl | irc.log | additional.fields.key/value |
dcc_file_name | irc.log | additional.fields.key/value |
dcc_file_size | irc.log | src.file.size |
dcc_mime_type | irc.log | src.file.mime_type |
fuid | irc.log | additional.fields.key/value |
ts | kerberos.log | metadata.event_timestamp |
uid | kerberos.log | network.session_id |
id.orig_h | kerberos.log | principal.ip |
id.orig_p | kerberos.log | principal.port |
id.resp_h | kerberos.log | target.ip |
id.resp_p | kerberos.log | target.port |
request_type | kerberos.log | additional.fields.key/value |
client | kerberos.log | additional.fields.key/value |
service | kerberos.log | additional.fields.key/value |
success | kerberos.log | additional.fields.key/value |
error_code | kerberos.log | additional.fields.key/value |
error_msg | kerberos.log | metadata.description is set to "KERBEROS: %{error_msg}" |
from | kerberos.log | additional.fields.key/value |
till | kerberos.log | additional.fields.key/value |
cipher | kerberos.log | network.tls.cipher |
forwardable | kerberos.log | additional.fields.key/value |
renewable | kerberos.log | additional.fields.key/value |
logged | kerberos.log | additional.fields.key/value |
client_cert.ts | kerberos.log | additional.fields.key/value |
client_cert.fuid | kerberos.log | additional.fields.key/value |
client_cert.tx_hosts | kerberos.log | additional.fields.key/value |
client_cert.rx_hosts | kerberos.log | additional.fields.key/value |
client_cert.conn_uids | kerberos.log | additional.fields.key/value |
client_cert.source | kerberos.log | additional.fields.key/value |
client_cert.depth | kerberos.log | additional.fields.key/value |
client_cert.analyzers | kerberos.log | additional.fields.key/value |
client_cert.mime_type | kerberos.log | additional.fields.key/value |
client_cert.filename | kerberos.log | additional.fields.key/value |
client_cert.duration | kerberos.log | additional.fields.key/value |
client_cert.local_orig | kerberos.log | additional.fields.key/value |
client_cert.is_orig | kerberos.log | additional.fields.key/value |
client_cert.seen_bytes | kerberos.log | additional.fields.key/value |
client_cert.total_bytes | kerberos.log | additional.fields.key/value |
client_cert.missing_bytes | kerberos.log | additional.fields.key/value |
client_cert.overflow_bytes | kerberos.log | additional.fields.key/value |
client_cert.timedout | kerberos.log | additional.fields.key/value |
client_cert.parent_fuid | kerberos.log | additional.fields.key/value |
client_cert.md5 | kerberos.log | network.tls.client.certificate.md5 |
client_cert.sha1 | kerberos.log | network.tls.client.certificate.sha1 |
client_cert.sha256 | kerberos.log | network.tls.client.certificate.sha256 |
client_cert.x509.ts | kerberos.log | additional.fields.key/value |
client_cert.x509.fingerprint | kerberos.log | additional.fields.key/value |
client_cert.x509.certificate.version | kerberos.log | network.tls.client.certificate.version |
client_cert.x509.certificate.serial | kerberos.log | network.tls.client.certificate.serial |
client_cert.x509.certificate.subject | kerberos.log | additional.fields.key/value |
client_cert.x509.certificate.issuer | kerberos.log | network.tls.client.certificate.issuer |
client_cert.x509.certificate.cn | kerberos.log | additional.fields.key/value |
client_cert.x509.certificate.not_valid_before | kerberos.log | additional.fields.key/value |
client_cert.x509.certificate.not_valid_after | kerberos.log | additional.fields.key/value |
client_cert.x509.certificate.key_alg | kerberos.log | additional.fields.key/value |
client_cert.x509.certificate.sig_alg | kerberos.log | additional.fields.key/value |
client_cert.x509.certificate.key_type | kerberos.log | additional.fields.key/value |
client_cert.x509.certificate.key_length | kerberos.log | additional.fields.key/value |
client_cert.x509.certificate.exponent | kerberos.log | additional.fields.key/value |
client_cert.x509.certificate.curve | kerberos.log | additional.fields.key/value |
client_cert.x509.handle | kerberos.log | additional.fields.key/value |
client_cert.x509.extensions.name | kerberos.log | additional.fields.key/value |
client_cert.x509.extensions.short_name | kerberos.log | additional.fields.key/value |
client_cert.x509.extensions.oid | kerberos.log | additional.fields.key/value |
client_cert.x509.extensions.critical | kerberos.log | additional.fields.key/value |
client_cert.x509.extensions.value | kerberos.log | additional.fields.key/value |
client_cert.x509.san.dns | kerberos.log | additional.fields.key/value |
client_cert.x509.san.uri | kerberos.log | additional.fields.key/value |
client_cert.x509.san.email | kerberos.log | additional.fields.key/value |
client_cert.x509.san.ip | kerberos.log | additional.fields.key/value |
client_cert.x509.san.other_fields | kerberos.log | additional.fields.key/value |
client_cert.x509.basic_constraints.ca | kerberos.log | additional.fields.key/value |
client_cert.x509.basic_constraints.path_len | kerberos.log | additional.fields.key/value |
client_cert.x509.extensions_cache | kerberos.log | additional.fields.key/value |
client_cert.x509.host_cert | kerberos.log | additional.fields.key/value |
client_cert.x509.client_cert | kerberos.log | additional.fields.key/value |
client_cert.x509.deduplication_index.fingerprint | kerberos.log | additional.fields.key/value |
client_cert.x509.deduplication_index.host_cert | kerberos.log | additional.fields.key/value |
client_cert.x509.deduplication_index.client_cert | kerberos.log | additional.fields.key/value |
client_cert.x509.always_raise_x509_events | kerberos.log | additional.fields.key/value |
client_cert.x509.cert | kerberos.log | additional.fields.key/value |
client_cert.extracted | kerberos.log | additional.fields.key/value |
client_cert.extracted_cutoff | kerberos.log | additional.fields.key/value |
client_cert.extracted_size | kerberos.log | additional.fields.key/value |
client_cert.entropy | kerberos.log | additional.fields.key/value |
client_cert_subject | kerberos.log | network.tls.client.certificate.subject |
client_cert_fuid | kerberos.log | additional.fields.key/value |
server_cert.ts | kerberos.log | additional.fields.key/value |
server_cert.fuid | kerberos.log | additional.fields.key/value |
server_cert.tx_hosts | kerberos.log | additional.fields.key/value |
server_cert.rx_hosts | kerberos.log | additional.fields.key/value |
server_cert.conn_uids | kerberos.log | additional.fields.key/value |
server_cert.source | kerberos.log | additional.fields.key/value |
server_cert.depth | kerberos.log | additional.fields.key/value |
server_cert.analyzers | kerberos.log | additional.fields.key/value |
server_cert.mime_type | kerberos.log | additional.fields.key/value |
server_cert.filename | kerberos.log | additional.fields.key/value |
server_cert.duration | kerberos.log | additional.fields.key/value |
server_cert.local_orig | kerberos.log | additional.fields.key/value |
server_cert.is_orig | kerberos.log | additional.fields.key/value |
server_cert.seen_bytes | kerberos.log | additional.fields.key/value |
server_cert.total_bytes | kerberos.log | additional.fields.key/value |
server_cert.missing_bytes | kerberos.log | additional.fields.key/value |
server_cert.overflow_bytes | kerberos.log | additional.fields.key/value |
server_cert.timedout | kerberos.log | additional.fields.key/value |
server_cert.parent_fuid | kerberos.log | additional.fields.key/value |
server_cert.md5 | kerberos.log | network.tls.server.certificate.md5 |
server_cert.sha1 | kerberos.log | network.tls.server.certificate.sha1 |
server_cert.sha256 | kerberos.log | network.tls.server.certificate.sha256 |
server_cert.x509.ts | kerberos.log | additional.fields.key/value |
server_cert.x509.fingerprint | kerberos.log | additional.fields.key/value |
server_cert.x509.certificate.version | kerberos.log | network.tls.server.certificate.version |
server_cert.x509.certificate.serial | kerberos.log | network.tls.server.certificate.serial |
server_cert.x509.certificate.subject | kerberos.log | additional.fields.key/value |
server_cert.x509.certificate.issuer | kerberos.log | network.tls.server.certificate.issuer |
server_cert.x509.certificate.cn | kerberos.log | additional.fields.key/value |
server_cert.x509.certificate.not_valid_before | kerberos.log | additional.fields.key/value |
server_cert.x509.certificate.not_valid_after | kerberos.log | additional.fields.key/value |
server_cert.x509.certificate.key_alg | kerberos.log | additional.fields.key/value |
server_cert.x509.certificate.sig_alg | kerberos.log | additional.fields.key/value |
server_cert.x509.certificate.key_type | kerberos.log | additional.fields.key/value |
server_cert.x509.certificate.key_length | kerberos.log | additional.fields.key/value |
server_cert.x509.certificate.exponent | kerberos.log | additional.fields.key/value |
server_cert.x509.certificate.curve | kerberos.log | additional.fields.key/value |
server_cert.x509.handle | kerberos.log | additional.fields.key/value |
server_cert.x509.extensions.name | kerberos.log | additional.fields.key/value |
server_cert.x509.extensions.short_name | kerberos.log | additional.fields.key/value |
server_cert.x509.extensions.oid | kerberos.log | additional.fields.key/value |
server_cert.x509.extensions.critical | kerberos.log | additional.fields.key/value |
server_cert.x509.extensions.value | kerberos.log | additional.fields.key/value |
server_cert.x509.san.dns | kerberos.log | additional.fields.key/value |
server_cert.x509.san.uri | kerberos.log | additional.fields.key/value |
server_cert.x509.san.email | kerberos.log | additional.fields.key/value |
server_cert.x509.san.ip | kerberos.log | additional.fields.key/value |
server_cert.x509.san.other_fields | kerberos.log | additional.fields.key/value |
server_cert.x509.basic_constraints.ca | kerberos.log | additional.fields.key/value |
server_cert.x509.basic_constraints.path_len | kerberos.log | additional.fields.key/value |
server_cert.x509.extensions_cache | kerberos.log | additional.fields.key/value |
server_cert.x509.host_cert | kerberos.log | additional.fields.key/value |
server_cert.x509.client_cert | kerberos.log | additional.fields.key/value |
server_cert.x509.deduplication_index.fingerprint | kerberos.log | additional.fields.key/value |
server_cert.x509.deduplication_index.host_cert | kerberos.log | additional.fields.key/value |
server_cert.x509.deduplication_index.client_cert | kerberos.log | additional.fields.key/value |
server_cert.x509.always_raise_x509_events | kerberos.log | additional.fields.key/value |
server_cert.x509.cert | kerberos.log | additional.fields.key/value |
server_cert.extracted | kerberos.log | additional.fields.key/value |
server_cert.extracted_cutoff | kerberos.log | additional.fields.key/value |
server_cert.extracted_size | kerberos.log | additional.fields.key/value |
server_cert.entropy | kerberos.log | additional.fields.key/value |
server_cert_subject | kerberos.log | network.tls.server.certificate.subject |
server_cert_fuid | kerberos.log | additional.fields.key/value |
auth_ticket | kerberos.log | additional.fields.key/value |
new_ticket | kerberos.log | additional.fields.key/value |
ts | modbus.log | metadata.event_timestamp |
uid | modbus.log | network.session_id |
id.orig_h | modbus.log | principal.ip |
id.orig_p | modbus.log | principal.port |
id.resp_h | modbus.log | target.ip |
id.resp_p | modbus.log | target.port |
func | modbus.log | additional.fields.key/value |
exception | modbus.log | additional.fields.key/value |
track_address | modbus.log | additional.fields.key/value |
ts | modbus_register_change.log | metadata.event_timestamp |
uid | modbus_register_change.log | network.session_id |
id.orig_h | modbus_register_change.log | principal.ip |
id.orig_p | modbus_register_change.log | principal.port |
id.resp_h | modbus_register_change.log | target.ip |
id.resp_p | modbus_register_change.log | target.port |
register | modbus_register_change.log | additional.fields.key/value |
old_val | modbus_register_change.log | additional.fields.key/value |
new_val | modbus_register_change.log | additional.fields.key/value |
delta | modbus_register_change.log | additional.fields.key/value |
ts | mysql.log | metadata.event_timestamp |
uid | mysql.log | network.session_id |
id.orig_h | mysql.log | principal.ip |
id.orig_p | mysql.log | principal.port |
id.resp_h | mysql.log | target.ip |
id.resp_p | mysql.log | target.port |
cmd | mysql.log | metadata.description |
arg | mysql.log | principal.process.command_line |
success | mysql.log |
If the value of success is "T" or "true," security_result.action is set to "ALLOW" and security_result.summary is set to "Query successfully executed." If the value of success is not "T" or "true," security_result.action is set to "BLOCK" and security_result.summary is set to "Query execution failed." |
rows | mysql.log | security_result.description is set to "Affected rows: %{rows}". If the log type is "mysql.log", the additional field security_result.severity is set to "INFORMATIONAL". |
response | mysql.log | additional.fields.key/value |
ts | ntlm.log | metadata.event_timestamp |
uid | ntlm.log | network.session_id |
id.orig_h | ntlm.log | principal.ip |
id.orig_p | ntlm.log | principal.port |
id.resp_h | ntlm.log | target.ip |
id.resp_p | ntlm.log | target.port |
username | ntlm.log | principal.user.userid |
hostname | ntlm.log | principal.hostname |
domainname | ntlm.log | principal.administrative_domain |
server_nb_computer_name | ntlm.log | additional.fields.key/value |
server_dns_computer_name | ntlm.log | target.hostname |
server_tree_name | ntlm.log | additional.fields.key/value |
success | ntlm.log |
If the value of success is "T" or "true", security_result.action is set to "ALLOW" and security_result.summary is set to "Query successfully executed". If the value of success is not "T" or "true", security_result.action is set to "BLOCK" and security_result.summary is set to "Query execution failed". |
done | ntlm.log | additional.fields.key/value |
ts | ntp.log | metadata.event_timestamp |
uid | ntp.log | network.session_id |
id.orig_h | ntp.log | principal.ip |
id.orig_p | ntp.log | principal.port |
id.resp_h | ntp.log | target.ip |
id.resp_p | ntp.log | target.port |
version | ntp.log | additional.fields.key/value |
mode | ntp.log | additional.fields.key/value |
stratum | ntp.log | additional.fields.key/value |
poll | ntp.log | additional.fields.key/value |
precision | ntp.log | additional.fields.key/value |
root_delay | ntp.log | additional.fields.key/value |
root_disp | ntp.log | additional.fields.key/value |
ref_id | ntp.log | additional.fields.key/value |
ref_time | ntp.log | additional.fields.key/value |
org_time | ntp.log | additional.fields.key/value |
rec_time | ntp.log | additional.fields.key/value |
xmt_time | ntp.log | additional.fields.key/value |
num_exts | ntp.log | additional.fields.key/value |
ts | radius.log | metadata.event_timestamp |
uid | radius.log | network.session_id |
id.orig_h | radius.log | principal.ip |
id.orig_p | radius.log | principal.port |
id.resp_h | radius.log | target.ip |
id.resp_p | radius.log | target.port |
username | radius.log | principal.user.userid |
mac | radius.log | principal.mac |
framed_addr | radius.log | additional.fields.key/value |
tunnel_client | radius.log | additional.fields.key/value |
connect_info | radius.log | additional.fields.key/value |
reply_msg | radius.log | additional.fields.key/value |
result | radius.log | If the log type is "radius.log", the following fields are set:
If the value of the "result" field is "success", security_result.action is set to "ALLOW" and security_result.summary is set to "User login successful". If the value of "result" field is "failed", security_result.action is set to "BLOCK" and security_result.summary is set to "User login failed". |
ttl | radius.log | additional.fields.key/value |
logged | radius.log | additional.fields.key/value |
ts | rdp.log | metadata.event_timestamp |
uid | rdp.log | network.session_id |
id.orig_h | rdp.log | principal.ip |
id.orig_p | rdp.log | principal.port |
id.resp_h | rdp.log | target.ip |
id.resp_p | rdp.log | target.port |
cookie | rdp.log | principal.user.userid |
result | rdp.log | security_result.severity is set to "INFORMATIONAL". security_result.description is set to "%{result} connection with security protocol %{security_protocol}". |
security_protocol | rdp.log | security_result.description is set to "%{result} connection with security protocol %{security_protocol}". |
client_channels | rdp.log | additional.fields.key/value |
keyboard_layout | rdp.log | additional.fields.key/value |
client_build | rdp.log | principal.asset.platform_software.platform_version |
client_name | rdp.log | additional.fields.key/value |
client_dig_product_id | rdp.log | principal.asset.asset_id |
desktop_width | rdp.log | additional.fields.key/value |
desktop_height | rdp.log | additional.fields.key/value |
requested_color_depth | rdp.log | additional.fields.key/value |
cert_type | rdp.log | additional.fields.key/value |
cert_count | rdp.log | additional.fields.key/value |
cert_permanent | rdp.log | additional.fields.key/value |
encryption_level | rdp.log | additional.fields.key/value |
encryption_method | rdp.log | additional.fields.key/value |
analyzer_id | rdp.log | additional.fields.key/value |
done | rdp.log | additional.fields.key/value |
ssl | rdp.log | additional.fields.key/value |
ts | rfb.log | metadata.event_timestamp |
uid | rfb.log | network.session_id |
id.orig_h | rfb.log | principal.ip |
id.orig_p | rfb.log | principal.port |
id.resp_h | rfb.log | target.ip |
id.resp_p | rfb.log | target.port |
client_major_version | rfb.log | additional.fields.key/value |
client_minor_version | rfb.log | additional.fields.key/value |
server_major_version | rfb.log | additional.fields.key/value |
server_minor_version | rfb.log | additional.fields.key/value |
authentication_method | rfb.log | additional.fields.key/value |
auth | rfb.log | additional.fields.key/value |
share_flag | rfb.log | additional.fields.key/value |
desktop_name | rfb.log | target.asset.hostname |
width | rfb.log | additional.fields.key/value |
height | rfb.log | additional.fields.key/value |
done | rfb.log | additional.fields.key/value |
ts | sip.log | metadata.event_timestamp |
uid | sip.log | network.session_id
Also, network.application_protocol is set to "SIP". |
id.orig_h | sip.log | principal.ip |
id.orig_p | sip.log | principal.port |
id.resp_h | sip.log | target.ip |
id.resp_p | sip.log | target.port |
trans_depth | sip.log | additional.fields.key/value |
method | sip.log | metadata.description |
uri | sip.log | about.url |
date | sip.log | additional.fields.key/value |
request_from | sip.log | principal.user.userid and principal.user.user_display_name |
request_to | sip.log | target.user.userid and target.user.user_display_name |
response_from | sip.log | additional.fields.key/value |
response_to | sip.log | additional.fields.key/value |
reply_to | sip.log | additional.fields.key/value |
call_id | sip.log | network.session_id |
seq | sip.log | additional.fields.key/value |
subject | sip.log | additional.fields.key/value |
request_path | sip.log | additional.fields.key/value |
response_path | sip.log | additional.fields.key/value |
user_agent | sip.log | additional.fields.key/value |
status_code | sip.log | security_result.summary is set to "Status Code: %{status_code}". |
status_msg | sip.log | security_result.description |
warning | sip.log | additional.fields.key/value |
request_body_len | sip.log | network.sent_bytes |
response_body_len | sip.log | network.received_bytes |
content_type | sip.log | additional.fields.key/value |
ts | smb_cmd.log | metadata.event_timestamp |
uid | smb_cmd.log | network.session_id |
id.orig_h | smb_cmd.log | principal.ip |
id.orig_p | smb_cmd.log | principal.port |
id.resp_h | smb_cmd.log | target.ip |
id.resp_p | smb_cmd.log | target.port |
command | smb_cmd.log | principal.process.command_line |
sub_command | smb_cmd.log | additional.fields.key/value |
argument | smb_cmd.log | additional.fields.key/value |
status | smb_cmd.log | additional.fields.key/value |
rtt | smb_cmd.log | additional.fields.key/value |
version | smb_cmd.log | metadata.product_version |
username | smb_cmd.log | principal.user.userid |
tree | smb_cmd.log | additional.fields.key/value |
tree_service | smb_cmd.log | additional.fields.key/value |
smb1_offered_dialects | smb_cmd.log | additional.fields.key/value |
smb2_offered_dialects | smb_cmd.log | additional.fields.key/value |
ts | smb_files.log | metadata.event_timestamp |
uid | smb_files.log | network.session_id |
id.orig_h | smb_files.log | principal.ip |
id.orig_p | smb_files.log | principal.port |
id.resp_h | smb_files.log | target.ip |
id.resp_p | smb_files.log | target.port |
fuid | smb_files.log | additional.fields.key/value |
action | smb_files.log | metadata.description is set to "action: %{action} on: %{name}". |
path | smb_files.log | target.file.full_path |
name | smb_files.log | additional.fields.key/value |
size | smb_files.log | target.file.size |
prev_name | smb_files.log | additional.fields.key/value |
times.modified | smb_files.log | additional.fields.key/value |
times.modified_raw | smb_files.log | additional.fields.key/value |
times.accessed | smb_files.log | additional.fields.key/value |
times.accessed_raw | smb_files.log | additional.fields.key/value |
times.created | smb_files.log | additional.fields.key/value |
times.created_raw | smb_files.log | additional.fields.key/value |
times.changed | smb_files.log | additional.fields.key/value |
times.changed_raw | smb_files.log | additional.fields.key/value |
fid | smb_files.log | additional.fields.key/value |
uuid | smb_files.log | additional.fields.key/value |
ts | smb_mapping.log | metadata.event_timestamp |
uid | smb_mapping.log | network.session_id |
id.orig_h | smb_mapping.log | principal.ip |
id.orig_p | smb_mapping.log | principal.port |
id.resp_h | smb_mapping.log | target.ip |
id.resp_p | smb_mapping.log | target.port |
path | smb_mapping.log | target.file.full_path |
service | smb_mapping.log | target.application |
native_file_system | smb_mapping.log | additional.fields.key/value |
share_type | smb_mapping.log | target.resource.resource_type |
ts | smtp.log | metadata.event_timestamp |
uid | smtp.log | network.session_id |
id.orig_h | smtp.log | principal.ip |
id.orig_p | smtp.log | principal.port |
id.resp_h | smtp.log | target.ip |
id.resp_p | smtp.log | target.port |
trans_depth | smtp.log | additional.fields.key/value |
helo | smtp.log | additional.fields.key/value |
mailfrom | smtp.log | additional.fields.key/value |
rcptto | smtp.log | additional.fields.key/value |
date | smtp.log | additional.fields.key/value |
from | smtp.log | network.email.from |
to | smtp.log | email.to |
cc | smtp.log | network.email.cc |
reply_to | smtp.log | email.reply_to |
msg_id | smtp.log | email.mail_id |
in_reply_to | smtp.log | additional.fields.key/value |
subject | smtp.log | email.subject |
x_originating_ip | smtp.log | additional.fields.key/value |
first_received | smtp.log | additional.fields.key/value |
second_received | smtp.log | additional.fields.key/value |
last_reply | smtp.log | additional.fields.key/value |
path | smtp.log | additional.fields.key/value |
user_agent | smtp.log | additional.fields.key/value |
tls | smtp.log | network.tls.established |
process_received_from | smtp.log | additional.fields.key/value |
has_client_activity | smtp.log | additional.fields.key/value |
process_smtp_headers | smtp.log | additional.fields.key/value |
entity.filename | smtp.log | additional.fields.key/value |
entity.excerpt | smtp.log | additional.fields.key/value |
fuids | smtp.log | additional.fields.key/value |
is_webmail | smtp.log | additional.fields.key/value |
ts | snmp.log | metadata.event_timestamp |
uid | snmp.log | network.session_id |
id.orig_h | snmp.log | principal.ip |
id.orig_p | snmp.log | principal.port |
id.resp_h | snmp.log | target.ip |
id.resp_p | snmp.log | target.port |
duration | snmp.log | network.session_duration |
version | snmp.log | metadata.product_version |
community | snmp.log | network.community_id |
get_requests | snmp.log | additional.fields.key/value |
get_bulk_requests | snmp.log | additional.fields.key/value |
get_responses | snmp.log | additional.fields.key/value |
set_requests | snmp.log | additional.fields.key/value |
display_string | snmp.log | metadata.description |
up_since | snmp.log | additional.fields.key/value |
ts | socks.log | metadata.event_timestamp |
uid | socks.log | network.session_id |
id.orig_h | socks.log | principal.ip |
id.orig_p | socks.log | principal.port |
id.resp_h | socks.log | target.ip |
id.resp_p | socks.log | target.port |
version | socks.log | additional.fields.key/value |
user | socks.log | principal.user.userid |
status | socks.log | additional.fields.key/value |
request.host | socks.log | principal.hostname |
request.name | socks.log | additional.fields.key/value |
request_p | socks.log | additional.fields.key/value |
bound.host | socks.log | additional.fields.key/value |
bound.name | socks.log | additional.fields.key/value |
bound_p | socks.log | additional.fields.key/value |
capture_password | socks.log | additional.fields.key/value |
ts | ssh.log | metadata.event_timestamp |
uid | ssh.log | network.session_id |
id.orig_h | ssh.log | principal.ip |
id.orig_p | ssh.log | principal.port |
id.resp_h | ssh.log | target.ip |
id.resp_p | ssh.log | target.port |
version | ssh.log | metadata.product_version |
auth_success | ssh.log | additional.fields.key/value |
auth_attempts | ssh.log | security_result.description is set to "%{auth_attempts} successful SSH authentication attempts were observed". |
direction | ssh.log | network.direction |
client | ssh.log | principal.platform_version |
server | ssh.log | target.platform_version |
cipher_alg | ssh.log | additional.fields.key/value |
mac_alg | ssh.log | additional.fields.key/value |
compression_alg | ssh.log | additional.fields.key/value |
kex_alg | ssh.log | additional.fields.key/value |
host_key_alg | ssh.log | additional.fields.key/value |
host_key | ssh.log | additional.fields.key/value |
logged | ssh.log | additional.fields.key/value |
capabilities.kex_algorithms | ssh.log | additional.fields.key/value |
capabilities.server_host_key_algorithms | ssh.log | additional.fields.key/value |
capabilities.encryption_algorithms | ssh.log | additional.fields.key/value |
capabilities.mac_algorithms | ssh.log | additional.fields.key/value |
capabilities.compression_algorithms | ssh.log | additional.fields.key/value |
capabilities.languages.client_to_server | ssh.log | additional.fields.key/value |
capabilities.languages.server_to_client | ssh.log | additional.fields.key/value |
capabilities.is_server | ssh.log | additional.fields.key/value |
analyzer_id | ssh.log | additional.fields.key/value |
remote_location.country_code | ssh.log | additional.fields.key/value |
remote_location.region | ssh.log | target.asset.location.country_or_region |
remote_location.city | ssh.log | target.asset.location.city |
remote_location.latitude | ssh.log | additional.fields.key/value |
remote_location.longitude | ssh.log | additional.fields.key/value |
ts | ssl.log | metadata.event_timestamp |
uid | ssl.log | metadata.product_log_id |
id.orig_h | ssl.log | principal.ip |
id.orig_p | ssl.log | principal.port |
id.resp_h | ssl.log | target.ip |
id.resp_p | ssl.log | target.port |
version_num | ssl.log | additional.fields.key/value |
version | ssl.log | network.tls.version |
cipher | ssl.log | network.tls.cipher |
curve | ssl.log | network.tls.curve |
server_name | ssl.log | network.tls.client.server_name |
session_id | ssl.log | network.session_id |
resumed | ssl.log | network.tls.resumed |
client_ticket_empty_session_seen | ssl.log | additional.fields.key/value |
client_key_exchange_seen | ssl.log | additional.fields.key/value |
client_psk_seen | ssl.log | additional.fields.key/value |
last_alert | ssl.log | additional.fields.key/value |
next_protocol | ssl.log | network.tls.next_protocol |
analyzer_id | ssl.log | additional.fields.key/value |
established | ssl.log | network.tls.established |
logged | ssl.log | additional.fields.key/value |
ssl_history | ssl.log | additional.fields.key/value |
cert_chain_fps | ssl.log | additional.fields.key/value |
client_cert_chain_fps | ssl.log | additional.fields.key/value |
subject | ssl.log | network.tls.server.certificate.subject |
issuer | ssl.log | network.tls.server.certificate.issuer |
client_subject | ssl.log | network.tls.client.certificate.subject |
client_issuer | ssl.log | network.tls.client.certificate.issuer |
sni_matches_cert | ssl.log | additional.fields.key/value |
server_depth | ssl.log | additional.fields.key/value |
client_depth | ssl.log | additional.fields.key/value |
always_raise_x509_events | ssl.log | additional.fields.key/value |
last_originator_heartbeat_request_size | ssl.log | additional.fields.key/value |
last_responder_heartbeat_request_size | ssl.log | additional.fields.key/value |
originator_heartbeats | ssl.log | additional.fields.key/value |
responder_heartbeats | ssl.log | additional.fields.key/value |
heartbleed_detected | ssl.log | additional.fields.key/value |
enc_appdata_packages | ssl.log | additional.fields.key/value |
enc_appdata_bytes | ssl.log | additional.fields.key/value |
server_version | ssl.log | additional.fields.key/value |
client_version | ssl.log | additional.fields.key/value |
client_ciphers | ssl.log | network.tls.client.supported_ciphers |
ssl_client_exts | ssl.log | additional.fields.key/value |
ssl_server_exts | ssl.log | additional.fields.key/value |
ticket_lifetime_hint | ssl.log | additional.fields.key/value |
dh_param_size | ssl.log | additional.fields.key/value |
point_formats | ssl.log | additional.fields.key/value |
client_curves | ssl.log | additional.fields.key/value |
orig_alpn | ssl.log | additional.fields.key/value |
client_supported_versions | ssl.log | additional.fields.key/value |
server_supported_version | ssl.log | additional.fields.key/value |
psk_key_exchange_modes | ssl.log | additional.fields.key/value |
client_key_share_groups | ssl.log | additional.fields.key/value |
server_key_share_group | ssl.log | additional.fields.key/value |
client_comp_methods | ssl.log | additional.fields.key/value |
comp_method | ssl.log | additional.fields.key/value |
sigalgs | ssl.log | additional.fields.key/value |
hashalgs | ssl.log | additional.fields.key/value |
validation_status | ssl.log | additional.fields.key/value |
validation_code | ssl.log | additional.fields.key/value |
valid_chain | ssl.log | additional.fields.key/value |
ocsp_status | ssl.log | additional.fields.key/value |
ocsp_response | ssl.log | additional.fields.key/value |
valid_scts | ssl.log | additional.fields.key/value |
invalid_scts | ssl.log | additional.fields.key/value |
valid_ct_logs | ssl.log | additional.fields.key/value |
valid_ct_operators | ssl.log | additional.fields.key/value |
valid_ct_operators_list | ssl.log | additional.fields.key/value |
ct_proofs | ssl.log | additional.fields.key/value |
notary.first_seen | ssl.log | additional.fields.key/value |
notary.last_seen | ssl.log | additional.fields.key/value |
notary.times_seen | ssl.log | additional.fields.key/value |
notary.valid | ssl.log | additional.fields.key/value |
ts | syslog.log | metadata.event_timestamp |
uid | syslog.log | network.session_id |
id.orig_h | syslog.log | principal.ip |
id.orig_p | syslog.log | principal.port |
id.resp_h | syslog.log | target.ip |
id.resp_p | syslog.log | target.port |
proto | syslog.log | network.ip_protocol |
facility | syslog.log | additional.fields.key/value |
severity | syslog.log | security_result.severity_details |
message | syslog.log | metadata.description |
ts | tunnel.log | metadata.event_timestamp |
uid | tunnel.log | network.session_id |
id.orig_h | tunnel.log | principal.ip |
id.orig_p | tunnel.log | principal.port |
id.resp_h | tunnel.log | target.ip |
id.resp_p | tunnel.log | target.port |
tunnel_type | tunnel.log | security_result.description is set to "action %{action} on tunnel type {tunnel_type}". |
action | tunnel.log | security_result.description is set to "action %{action} on tunnel type {tunnel_type}". |
文件
下表列出了文件日志类型的日志字段及其 相应的 UDM 字段。
原始日志字段 | 日志类型 | UDM 字段 |
---|---|---|
ts | files.log | metadata.event_timestamp |
fuid | files.log | metadata.product_log_id |
tx_hosts | files.log | principal.ip |
rx_hosts | files.log | target.ip |
conn_uids | files.log | additional.fields.key/value |
source | files.log | network.application_protocol
target.file.full_path |
depth | files.log | additional.fields.key/value |
analyzers | files.log | additional.fields.key/value |
mime_type | files.log | target.file.mime_type |
filename | files.log | target.file.full_path |
duration | files.log | additional.fields.key/value |
local_orig | files.log | additional.fields.key/value |
is_orig | files.log | additional.fields.key/value |
seen_bytes | files.log | target.file.size |
total_bytes | files.log | additional.fields.key/value |
missing_bytes | files.log | additional.fields.key/value |
overflow_bytes | files.log | additional.fields.key/value |
timedout | files.log | additional.fields.key/value |
parent_fuid | files.log | additional.fields.key/value |
md5 | files.log | target.file.md5 |
sha1 | files.log | target.file.sha1 |
sha256 | files.log | target.file.sha256 |
md5 | files.log | network.tls.client.certificate.md5 |
sha1 | files.log | network.tls.client.certificate.sha1 |
sha256 | files.log | network.tls.client.certificate.sha256 |
md5 | files.log | network.tls.server.certificate.md5 |
sha1 | files.log | network.tls.server.certificate.sha1 |
sha256 | files.log | network.tls.server.certificate.sha256 |
x509 | files.log | additional.fields.key/value
This field is a nested field. |
extracted | files.log | additional.fields.key/value |
extracted_cutoff | files.log | additional.fields.key/value |
extracted_size | files.log | additional.fields.key/value |
entropy | files.log | additional.fields.key/value |
ts | ocsp.log | metadata.event_timestamp |
id | ocsp.log | metadata.product_log_id |
hashAlgorithm | ocsp.log | additional.fields.key/value |
issuerNameHash | ocsp.log | additional.fields.key/value |
issuerKeyHash | ocsp.log | additional.fields.key/value |
serialNumber | ocsp.log | tls.server.certificate.serial |
certStatus | ocsp.log | additional.fields.key/value |
revoketime | ocsp.log | network.tls.server.certificate.not_after |
revokereason | ocsp.log | security_result.summary |
thisUpdate | ocsp.log | additional.fields.key/value |
nextUpdate | ocsp.log | additional.fields.key/value |
ts | pe.log | metadata.event_timestamp |
id | pe.log | metadata.product_log_id |
machine | pe.log | target.resource.resource_subtype |
compile_ts | pe.log | additional.fields.key/value |
os | pe.log | target.platform_version
target.resource.resource_type is set to "DEVICE". |
subsystem | pe.log | target.application |
is_exe | pe.log | additional.fields.key/value |
is_64bit | pe.log | additional.fields.key/value |
uses_aslr | pe.log | additional.fields.key/value |
uses_dep | pe.log | additional.fields.key/value |
uses_code_integrity | pe.log | additional.fields.key/value |
uses_seh | pe.log | additional.fields.key/value |
has_import_table | pe.log | additional.fields.key/value |
has_export_table | pe.log | additional.fields.key/value |
has_cert_table | pe.log | additional.fields.key/value |
has_debug_data | pe.log | additional.fields.key/value |
section_names | pe.log | additional.fields.key/value |
ts | x509.log | metadata.event_timestamp
Also, target.application is set to "x509". |
fingerprint | x509.log | additional.fields.key/value |
certificate.version | x509.log | network.tls.server.certificate.version |
certificate.serial | x509.log | network.tls.server.certificate.serial |
certificate.subject | x509.log | network.tls.server.certificate.subject |
certificate.issuer | x509.log | network.tls.server.certificate.issuer |
certificate.cn | x509.log | target.hostname |
certificate.not_valid_before | x509.log | network.tls.server.certificate.not_before |
certificate.not_valid_after | x509.log | network.tls.server.certificate.not_after |
certificate.key_alg | x509.log | additional.fields.key/value |
certificate.sig_alg | x509.log | additional.fields.key/value |
certificate.key_type | x509.log | additional.fields.key/value |
certificate.key_length | x509.log | additional.fields.key/value |
certificate.exponent | x509.log | additional.fields.key/value |
certificate.curve | x509.log | network.tls.curve |
handle | x509.log | additional.fields.key/value |
extensions.name | x509.log | additional.fields.key/value |
extensions.short_name | x509.log | additional.fields.key/value |
extensions.oid | x509.log | additional.fields.key/value |
extensions.critical | x509.log | additional.fields.key/value |
extensions.value | x509.log | additional.fields.key/value |
san.dns | x509.log | additional.fields.key/value |
san.uri | x509.log | additional.fields.key/value |
san.email | x509.log | additional.fields.key/value |
san.ip | x509.log | additional.fields.key/value |
san.other_fields | x509.log | additional.fields.key/value |
basic_constraints.ca | x509.log | additional.fields.key/value |
basic_constraints.path_len | x509.log | additional.fields.key/value |
extensions_cache | x509.log | additional.fields.key/value |
host_cert | x509.log | additional.fields.key/value |
client_cert | x509.log | additional.fields.key/value |
deduplication_index.fingerprint | x509.log | additional.fields.key/value |
deduplication_index.host_cert | x509.log | additional.fields.key/value |
deduplication_index.client_cert | x509.log | additional.fields.key/value |
always_raise_x509_events | x509.log | additional.fields.key/value |
cert | x509.log | additional.fields.key/value |
Netcontrol
下表列出了 netcontrol 日志类型的日志字段及其 相应的 UDM 字段。
原始日志字段 | 日志类型 | UDM 字段 |
---|---|---|
ts | netcontrol.log | metadata.event_timestamp |
rule_id | netcontrol.log | security_result.rule_id |
category | netcontrol.log | security_result.category_details |
cmd | netcontrol.log | additional.fields.key/value |
state | netcontrol.log | additional.fields.key/value |
action | netcontrol.log | security_result.action_details |
target | netcontrol.log | additional.fields.key/value |
entity_type | netcontrol.log | additional.fields.key/value |
entity | netcontrol.log | security_result.summary |
mod | netcontrol.log | additional.fields.key/value |
msg | netcontrol.log | security_result.description |
priority | netcontrol.log | security_result.priority_details |
expire | netcontrol.log | additional.fields.key/value |
location | netcontrol.log | additional.fields.key/value |
plugin | netcontrol.log | additional.fields.key/value |
ts | netcontrol_drop.log | metadata.event_timestamp |
rule_id | netcontrol_drop.log | security_result.rule_id |
orig_h | netcontrol_drop.log | principal.ip |
orig_p | netcontrol_drop.log | principal.port |
resp_h | netcontrol_drop.log | target.ip |
resp_p | netcontrol_drop.log | target.port |
expire | netcontrol_drop.log | additional.fields.key/value |
location | netcontrol_drop.log | additional.fields.key/value |
ts | netcontrol_shunt.log | metadata.event_timestamp |
rule_id | netcontrol_shunt.log | security_result.rule_id |
f.src_h | netcontrol_shunt.log | principal.ip |
f.src_p | netcontrol_shunt.log | principal.port |
f.dst_h | netcontrol_shunt.log | target.ip |
f.dst_p | netcontrol_shunt.log | target.port |
expire | netcontrol_shunt.log | additional.fields.key/value |
location | netcontrol_shunt.log | additional.fields.key/value |
ts | netcontrol_catch_release.log | metadata.event_timestamp |
rule_id | netcontrol_catch_release.log | security_result.rule_id |
ip | netcontrol_catch_release.log | target.ip |
action | netcontrol_catch_release.log | security_result.action_details |
block_interval | netcontrol_catch_release.log | additional.fields.key/value |
watch_interval | netcontrol_catch_release.log | additional.fields.key/value |
blocked_until | netcontrol_catch_release.log | additional.fields.key/value |
watched_until | netcontrol_catch_release.log | additional.fields.key/value |
num_blocked | netcontrol_catch_release.log | additional.fields.key/value |
location | netcontrol_catch_release.log | additional.fields.key/value |
message | netcontrol_catch_release.log | security_result.description |
ts | openflow.log | metadata.event_timestamp |
dpid | openflow.log | additional.fields.key/value |
match.in_port | openflow.log | additional.fields.key/value |
match.dl_src | openflow.log | additional.fields.key/value |
match.dl_dst | openflow.log | additional.fields.key/value |
match.dl_vlan | openflow.log | additional.fields.key/value |
match.dl_vlan_pcp | openflow.log | additional.fields.key/value |
match.dl_type | openflow.log | additional.fields.key/value |
match.nw_tos | openflow.log | additional.fields.key/value |
match.nw_proto | openflow.log | additional.fields.key/value |
match.nw_src | openflow.log | additional.fields.key/value |
match.nw_dst | openflow.log | additional.fields.key/value |
match.tp_src | openflow.log | additional.fields.key/value |
match.tp_dst | openflow.log | additional.fields.key/value |
flow_mod.cookie | openflow.log | additional.fields.key/value |
flow_mod.table_id | openflow.log | additional.fields.key/value |
flow_mod.command | openflow.log | additional.fields.key/value |
flow_mod.idle_timeout | openflow.log | additional.fields.key/value |
flow_mod.hard_timeout | openflow.log | additional.fields.key/value |
flow_mod.priority | openflow.log | additional.fields.key/value |
flow_mod.out_port | openflow.log | additional.fields.key/value |
flow_mod.flags | openflow.log | additional.fields.key/value |
flow_mod.actions.out_ports | openflow.log | additional.fields.key/value |
flow_mod.actions.vlan_vid | openflow.log | additional.fields.key/value |
flow_mod.actions.vlan_pcp | openflow.log | additional.fields.key/value |
flow_mod.actions.vlan_strip | openflow.log | additional.fields.key/value |
flow_mod.actions.dl_src | openflow.log | additional.fields.key/value |
flow_mod.actions.dl_dst | openflow.log | additional.fields.key/value |
flow_mod.actions.nw_tos | openflow.log | additional.fields.key/value |
flow_mod.actions.nw_src | openflow.log | additional.fields.key/value |
flow_mod.actions.nw_dst | openflow.log | additional.fields.key/value |
flow_mod.actions.tp_src | openflow.log | additional.fields.key/value |
flow_mod.actions.tp_dst | openflow.log | additional.fields.key/value |
检测
下表列出了检测日志类型的日志字段及其 相应的 UDM 字段。
原始日志字段 | 日志类型 | UDM 字段 |
---|---|---|
ts | intel.log | metadata.event_timestamp |
uid | intel.log | network.session_id |
id.orig_h | intel.log | principal.ip |
id.orig_p | intel.log | principal.port |
id.resp_h | intel.log | target.ip |
id.resp_p | intel.log | target.port |
seen.indicator | intel.log | additional.fields.key/value |
seen.indicator_type | intel.log | additional.fields.key/value |
seen.host | intel.log | additional.fields.key/value |
seen.where | intel.log | additional.fields.key/value |
seen.node | intel.log | additional.fields.key/value |
seen.conn.id.orig_h | intel.log | additional.fields.key/value |
seen.conn.id.orig_p | intel.log | additional.fields.key/value |
seen.conn.id.resp_h | intel.log | additional.fields.key/value |
seen.conn.id.resp_p | intel.log | additional.fields.key/value |
seen.conn.orig.size | intel.log | network.sent_bytes |
seen.conn.orig.state | intel.log | additional.fields.key/value |
seen.conn.orig.num_pkts | intel.log | additional.fields.key/value |
seen.conn.orig.num_bytes_ip | intel.log | additional.fields.key/value |
seen.conn.orig.flow_label | intel.log | additional.fields.key/value |
seen.conn.orig.l2_addr | intel.log | additional.fields.key/value |
seen.conn.resp.size | intel.log | network.received_bytes |
seen.conn.resp.state | intel.log | additional.fields.key/value |
seen.conn.resp.num_pkts | intel.log | additional.fields.key/value |
seen.conn.resp.num_bytes_ip | intel.log | additional.fields.key/value |
seen.conn.resp.flow_label | intel.log | additional.fields.key/value |
seen.conn.resp.l2_addr | intel.log | additional.fields.key/value |
seen.conn.start_time | intel.log | additional.fields.key/value |
seen.conn.duration | intel.log | network.session_duration |
seen.conn.service | intel.log | additional.fields.key/value |
seen.conn.history | intel.log | metadata.description |
seen.conn.uid | intel.log | network.session_id |
seen.conn.tunnel.queued | intel.log | additional.fields.key/value |
seen.conn.tunnel.dispatched | intel.log | additional.fields.key/value |
seen.conn.vlan | intel.log | additional.fields.key/value |
seen.conn.inner_vlan | intel.log | additional.fields.key/value |
seen.conn.dpd_state | intel.log | additional.fields.key/value |
seen.conn.removal_hooks | intel.log | additional.fields.key/value |
seen.conn.extract_orig | intel.log | additional.fields.key/value |
seen.conn.extract_resp | intel.log | additional.fields.key/value |
seen.conn.thresholds.orig_byte | intel.log | additional.fields.key/value |
seen.conn.thresholds.resp_byte | intel.log | additional.fields.key/value |
seen.conn.thresholds.orig_packet | intel.log | additional.fields.key/value |
seen.conn.thresholds.resp_packet | intel.log | additional.fields.key/value |
seen.conn.thresholds.duration | intel.log | additional.fields.key/value |
seen.conn.dce_rpc_state.uuid | intel.log | additional.fields.key/value |
seen.conn.dce_rpc_state.named_pipe | intel.log | additional.fields.key/value |
seen.conn.dce_rpc_state.ctx_to_uuid | intel.log | additional.fields.key/value |
seen.conn.dce_rpc_backing | intel.log | additional.fields.key/value |
seen.conn.dns_state.pending_query | intel.log | additional.fields.key/value |
seen.conn.dns_state.pending_queries | intel.log | additional.fields.key/value |
seen.conn.dns_state.pending_replies | intel.log | additional.fields.key/value |
seen.conn.ftp_data_reuse | intel.log | additional.fields.key/value |
seen.conn.http_state.pending | intel.log | additional.fields.key/value |
seen.conn.http_state.current_request | intel.log | additional.fields.key/value |
seen.conn.http_state.current_response | intel.log | additional.fields.key/value |
seen.conn.http_state.trans_depth | intel.log | additional.fields.key/value |
seen.conn.sip_state.pending | intel.log | additional.fields.key/value |
seen.conn.sip_state.current_request | intel.log | additional.fields.key/value |
seen.conn.sip_state.current_response | intel.log | additional.fields.key/value |
seen.conn.smb_state.current_cmd | intel.log | additional.fields.key/value |
seen.conn.smb_state.current_file | intel.log | additional.fields.key/value |
seen.conn.smb_state.current_tree | intel.log | additional.fields.key/value |
seen.conn.smb_state.pending_cmds | intel.log | additional.fields.key/value |
seen.conn.smb_state.fid_map | intel.log | additional.fields.key/value |
seen.conn.smb_state.tid_map | intel.log | additional.fields.key/value |
seen.conn.smb_state.uid_map | intel.log | additional.fields.key/value |
seen.conn.smb_state.pipe_map | intel.log | additional.fields.key/value |
seen.conn.smb_state.recent_files | intel.log | additional.fields.key/value |
seen.conn.smtp_state.messages_transferred | intel.log | additional.fields.key/value |
seen.conn.smtp_state.mime_depth | intel.log | additional.fields.key/value |
seen.conn.known_services_done | intel.log | additional.fields.key/value |
seen.conn.mqtt_state.publish | intel.log | additional.fields.key/value |
seen.conn.mqtt_state.subscribe | intel.log | additional.fields.key/value |
seen.conn.speculative_service | intel.log | additional.fields.key/value |
seen.uid | intel.log | additional.fields.key/value |
seen.f.id | intel.log | additional.fields.key/value |
seen.f.parent_id | intel.log | additional.fields.key/value |
seen.f.source | intel.log | target.file.full_path |
seen.f.is_orig | intel.log | additional.fields.key/value |
seen.f.conns | intel.log | additional.fields.key/value |
seen.f.last_active | intel.log | additional.fields.key/value |
seen.f.seen_bytes | intel.log | additional.fields.key/value |
seen.f.total_bytes | intel.log | additional.fields.key/value |
seen.f.missing_bytes | intel.log | additional.fields.key/value |
seen.f.overflow_bytes | intel.log | additional.fields.key/value |
seen.f.timeout_interval | intel.log | additional.fields.key/value |
seen.f.bof_buffer_size | intel.log | additional.fields.key/value |
seen.f.bof_buffer | intel.log | additional.fields.key/value |
seen.f.u2_events | intel.log | additional.fields.key/value |
seen.fuid | intel.log | additional.fields.key/value |
matched | intel.log | additional.fields.key/value |
sources | intel.log | additional.fields.key/value |
fuid | intel.log | additional.fields.key/value |
file_mime_type | intel.log | target.file.mime_type |
file_desc | intel.log | additional.fields.key/value |
cif.tags | intel.log | additional.fields.key/value |
cif.confidence | intel.log | additional.fields.key/value |
cif.source | intel.log | additional.fields.key/value |
cif.description | intel.log | additional.fields.key/value |
cif.firstseen | intel.log | additional.fields.key/value |
cif.lastseen | intel.log | additional.fields.key/value |
ts | notice.log | metadata.event_timestamp |
uid | notice.log | network.session_id |
id.orig_h | notice.log | principal.ip |
id.orig_p | notice.log | principal.port |
id.resp_h | notice.log | target.ip |
id.resp_p | notice.log | target.port |
conn.id.orig_h | notice.log | additional.fields.key/value |
conn.id.orig_p | notice.log | additional.fields.key/value |
conn.id.resp_h | notice.log | additional.fields.key/value |
conn.id.resp_p | notice.log | additional.fields.key/value |
conn.orig.size | notice.log | network.sent_bytes |
conn.orig.state | notice.log | additional.fields.key/value |
conn.orig.num_pkts | notice.log | additional.fields.key/value |
conn.orig.num_bytes_ip | notice.log | additional.fields.key/value |
conn.orig.flow_label | notice.log | additional.fields.key/value |
conn.orig.l2_addr | notice.log | additional.fields.key/value |
conn.resp.size | notice.log | network.received_bytes |
conn.resp.state | notice.log | additional.fields.key/value |
conn.resp.num_pkts | notice.log | additional.fields.key/value |
conn.resp.num_bytes_ip | notice.log | additional.fields.key/value |
conn.resp.flow_label | notice.log | additional.fields.key/value |
conn.resp.l2_addr | notice.log | additional.fields.key/value |
conn.start_time | notice.log | additional.fields.key/value |
conn.duration | notice.log | network.session_duration |
conn.service | notice.log | additional.fields.key/value |
conn.history | notice.log | metadata.description |
conn.uid | notice.log | network.session_id |
conn.tunnel.queued | notice.log | additional.fields.key/value |
conn.tunnel.dispatched | notice.log | additional.fields.key/value |
conn.vlan | notice.log | additional.fields.key/value |
conn.inner_vlan | notice.log | additional.fields.key/value |
conn.dpd_state.violations | notice.log | additional.fields.key/value |
conn.removal_hooks | notice.log | additional.fields.key/value |
conn.extract_orig | notice.log | additional.fields.key/value |
conn.extract_resp | notice.log | additional.fields.key/value |
conn.thresholds.orig_byte | notice.log | additional.fields.key/value |
conn.thresholds.resp_byte | notice.log | additional.fields.key/value |
conn.thresholds.orig_packet | notice.log | additional.fields.key/value |
conn.thresholds.resp_packet | notice.log | additional.fields.key/value |
conn.thresholds.duration | notice.log | additional.fields.key/value |
conn.dce_rpc_state.uuid | notice.log | additional.fields.key/value |
conn.dce_rpc_state.named_pipe | notice.log | additional.fields.key/value |
conn.dce_rpc_state.ctx_to_uuid | notice.log | additional.fields.key/value |
conn.dce_rpc_backing | notice.log | additional.fields.key/value |
conn.dns_state.pending_query | notice.log | additional.fields.key/value |
conn.dns_state.pending_queries | notice.log | additional.fields.key/value |
conn.dns_state.pending_replies | notice.log | additional.fields.key/value |
conn.ftp_data_reuse | notice.log | additional.fields.key/value |
conn.http_state.pending | notice.log | additional.fields.key/value |
conn.http_state.current_request | notice.log | additional.fields.key/value |
conn.http_state.current_response | notice.log | additional.fields.key/value |
conn.http_state.trans_depth | notice.log | additional.fields.key/value |
conn.sip_state.pending | notice.log | additional.fields.key/value |
conn.sip_state.current_request | notice.log | additional.fields.key/value |
conn.sip_state.current_response | notice.log | additional.fields.key/value |
conn.smb_state.pending_cmds | notice.log | additional.fields.key/value |
conn.smb_state.fid_map | notice.log | additional.fields.key/value |
conn.smb_state.tid_map | notice.log | additional.fields.key/value |
conn.smb_state.uid_map | notice.log | additional.fields.key/value |
conn.smb_state.pipe_map | notice.log | additional.fields.key/value |
conn.smb_state.recent_files | notice.log | additional.fields.key/value |
conn.smtp_state.messages_transferred | notice.log | additional.fields.key/value |
conn.smtp_state.mime_depth | notice.log | additional.fields.key/value |
conn.known_services_done | notice.log | additional.fields.key/value |
mqtt.ts | notice.log | additional.fields.key/value |
mqtt.uid | notice.log | additional.fields.key/value |
mqtt.id | notice.log | additional.fields.key/value |
mqtt.proto_name | notice.log | additional.fields.key/value |
mqtt.proto_version | notice.log | additional.fields.key/value |
mqtt.client_id | notice.log | additional.fields.key/value |
mqtt.connect_status | notice.log | additional.fields.key/value |
mqtt.will_topic | notice.log | additional.fields.key/value |
mqtt.will_payload | notice.log | additional.fields.key/value |
conn.mqtt_state.publish | notice.log | additional.fields.key/value |
conn.mqtt_state.subscribe | notice.log | additional.fields.key/value |
conn.speculative_service | notice.log | additional.fields.key/value |
iconn.orig_h | notice.log | additional.fields.key/value |
iconn.resp_h | notice.log | additional.fields.key/value |
iconn.itype | notice.log | additional.fields.key/value |
iconn.icode | notice.log | additional.fields.key/value |
iconn.len | notice.log | additional.fields.key/value |
iconn.hlim | notice.log | additional.fields.key/value |
iconn.v6 | notice.log | additional.fields.key/value |
f.id | notice.log | additional.fields.key/value |
f.parent_id | notice.log | additional.fields.key/value |
f.source | notice.log | target.file.full_path |
f.is_orig | notice.log | additional.fields.key/value |
f.conns | notice.log | additional.fields.key/value |
f.last_active | notice.log | additional.fields.key/value |
f.seen_bytes | notice.log | additional.fields.key/value |
f.total_bytes | notice.log | additional.fields.key/value |
f.missing_bytes | notice.log | additional.fields.key/value |
f.overflow_bytes | notice.log | additional.fields.key/value |
f.timeout_interval | notice.log | additional.fields.key/value |
f.bof_buffer_size | notice.log | additional.fields.key/value |
f.bof_buffer | notice.log | additional.fields.key/value |
f.u2_events | notice.log | additional.fields.key/value |
fuid | notice.log | additional.fields.key/value |
file_mime_type | notice.log | target.file.mime_type |
file_desc | notice.log | additional.fields.key/value |
proto | notice.log | network.ip_protocol |
note | notice.log | security_result.description |
msg | notice.log | security_result.summary |
sub | notice.log | additional.fields.key/value |
src | notice.log | principal.ip |
dst | notice.log | target.ip |
p | notice.log | target.port |
n | notice.log | additional.fields.key/value |
peer_name | notice.log | additional.fields.key/value |
peer_descr | notice.log | additional.fields.key/value |
actions | notice.log | security_result.action_details |
email_dest | notice.log | network.email.to (repeated) |
email_body_sections | notice.log | network.email.subject (repeated) |
email_delay_tokens | notice.log | additional.fields.key/value |
identifier | notice.log | additional.fields.key/value |
suppress_for | notice.log | additional.fields.key/value |
remote_location.country_code | notice.log | additional.fields.key/value |
remote_location.region | notice.log | principal.asset.location.country_or_region |
remote_location.city | notice.log | principal.asset.location.city |
remote_location.latitude | notice.log | additional.fields.key/value |
remote_location.longitude | notice.log | additional.fields.key/value |
dropped | notice.log | security_result.action_details |
ts | signatures.log | metadata.event_timestamp |
uid | signatures.log | network.session_id |
src_addr | signatures.log | principal.ip |
src_port | signatures.log | principal.port |
dst_addr | signatures.log | target.ip |
dst_port | signatures.log | target.port |
note | signatures.log | security_result.summary |
sig_id | signatures.log | additional.fields.key/value |
event_msg | signatures.log | metadata.description |
sub_msg | signatures.log | additional.fields.key/value |
sig_count | signatures.log | additional.fields.key/value |
host_count | signatures.log | additional.fields.key/value |
ts | traceroute.log | metadata.event_timestamp |
src | traceroute.log | principal.ip |
dst | traceroute.log | target.ip |
proto | traceroute.log | network.ip_protocol |
网络观察
下表列出了网络观察日志类型的日志字段 及其对应的 UDM 字段。
原始日志字段 | 日志类型 | UDM 字段 |
---|---|---|
ts | known_certs.log | metadata.event_timestamp |
host | known_certs.log | principal.ip |
port_num | known_certs.log | principal.port |
subject | known_certs.log | network.tls.client.certificate.subject |
issuer_subject | known_certs.log | network.tls.client.certificate.issuer |
serial | known_certs.log | network.tls.client.certificate.serial |
ts | known_hosts.log | metadata.event_timestamp |
host | known_hosts.log | principal.ip |
ts | known_modbus.log | metadata.event_timestamp |
host | known_modbus.log | principal.ip |
device_type | known_modbus.log | target.resource.name
target.resource.resource_type = "DEVICE" |
ts | known_services.log | metadata.event_timestamp |
host | known_services.log | principal.ip |
port_num | known_services.log | principal.port |
port_proto | known_services.log | network.ip_protocol |
service | known_services.log | target.application |
ts | software.log | metadata.event_timestamp |
host | software.log | principal.ip |
host_p | software.log | principal.port |
software_type | software.log | principal.resource.resource_subtype |
name | software.log | principal.resource.name |
version.major | software.log | additional.fields.key/value |
version.minor | software.log | additional.fields.key/value |
version.minor2 | software.log | additional.fields.key/value |
version.minor3 | software.log | additional.fields.key/value |
version.addl | software.log | additional.fields.key/value |
unparsed_version | software.log | additional.fields.key/value |
force_log | software.log | additional.fields.key/value |
url | software.log | metadata.url_back_to_product |
字段映射参考信息:事件 ID 到 UDM 事件类型
要了解解析器如何将日志名称映射到 UDM 事件类型, 请参阅以下部分:
网络协议
下表列出了网络协议日志类型的日志名称 及其对应的 UDM 事件类型。
日志名称 | 说明 | UDM 事件类型 |
---|---|---|
conn.log | TCP/UDP/ICMP connections | NETWORK_CONNECTION |
dce_rpc.log | Distributed Computing Environment/RPC | NETWORK_CONNECTION |
dhcp.log | DHCP leases | NETWORK_DHCP |
dnp3.log | DNP3 (Distributed Network Protocol 3) requests and replies | NETWORK_CONNECTION |
dns.log | DNS activity | NETWORK_DNS |
ftp.log | FTP (File Transfer Protocol) activity | NETWORK_FTP |
http.log | HTTP requests and replies | NETWORK_HTTP |
irc.log | IRC (Internet Relay Chat) commands and responses | NETWORK_CONNECTION |
kerberos.log | Kerberos | NETWORK_CONNECTION |
modbus.log | Modbus commands and responses | NETWORK_CONNECTION |
modbus_register_change.log | Tracks changes to Modbus holding registers | GENERIC_EVENT |
mysql.log | MySQL | NETWORK_UNCATEGORIZED |
ntlm.log | NT LAN Manager (NTLM) | NETWORK_CONNECTION |
ntp.log | Network Time Protocol | NETWORK_CONNECTION |
radius.log | RADIUS authentication attempts | USER_LOGIN |
rdp.log | Remote Desktop Protocol (RDP) | NETWORK_CONNECTION |
rfb.log | Remote Framebuffer (RFB) | NETWORK_CONNECTION |
sip.log | Session Initiation Protocol (SIP) | NETWORK_UNCATEGORIZED |
smb_cmd.log | SMB (Server Message Block) commands | NETWORK_CONNECTION |
smb_files.log | SMB (Server Message Block) files | NETWORK_UNCATEGORIZED |
smb_mapping.log | SMB (Server Message Block) trees | NETWORK_CONNECTION |
smtp.log | SMTP (Simple Mail Transfer Protocol) transactions | NETWORK_SMTP |
snmp.log | SNMP (Simple Network Management Protocol) messages | NETWORK_UNCATEGORIZED |
socks.log | SOCKS proxy requests | NETWORK_CONNECTION |
ssh.log | SSH (Secure Shell) connections | NETWORK_UNCATEGORIZED |
ssl.log | SSL(Secure Sockets Layer)/TLS(Transport Layer Security) handshake info | NETWORK_HTTP
NETWORK_CONNECTION |
syslog.log | Syslog messages | NETWORK_CONNECTION |
tunnel.log | Tunneling protocol events | NETWORK_CONNECTION |
文件
下表列出了文件日志类型的日志名称 及其对应的 UDM 事件类型。
日志名称 | 说明 | UDM 事件类型 |
---|---|---|
files.log | File analysis results | NETWORK_UNCATEGORIZED |
ocsp.log | If policy script is loaded, the Online Certificate Status Protocol (OCSP) log is created. | GENERIC_EVENT |
pe.log | Portable Executable (PE) | GENERIC_EVENT |
x509.log | X.509 certificate info | GENERIC_EVENT |
Netcontrol
下表列出了 netcontrol 日志类型的日志名称 及其对应的 UDM 事件类型。
日志名称 | 说明 | UDM 事件类型 |
---|---|---|
netcontrol.log | NetControl actions | GENERIC_EVENT |
netcontrol_drop.log | NetControl actions | STATUS_UPDATE |
netcontrol_shunt.log | NetControl shunt actions | STATUS_UPDATE |
netcontrol_catch_release.log | NetControl catch and release actions | GENERIC_EVENT |
openflow.log | OpenFlow debug log | GENERIC_EVENT |
检测
下表列出了检测日志类型的日志名称 及其对应的 UDM 事件类型。
日志名称 | 说明 | UDM 事件类型 |
---|---|---|
intel.log | Intelligence data matches | GENERIC_EVENT |
notice.log | Zeek notices | NETWORK_CONNECTION |
notice_alarm.log | The alarm stream | NETWORK_CONNECTION |
signatures.log | Signature matches | GENERIC_EVENT |
traceroute.log | Traceroute detection | NETWORK_UNCATEGORIZED |
网络观察
下表列出了网络观察日志类型的日志名称 及其对应的 UDM 事件类型。
日志名称 | 说明 | UDM 事件类型 |
---|---|---|
known_certs.log | SSL certificates | GENERIC_EVENT |
known_hosts.log | Hosts that completed TCP handshakes | GENERIC_EVENT |
known_modbus.log | Modbus master and secondary | GENERIC_EVENT |
known_services.log | Services running on hosts | GENERIC_EVENT |
software.log | Software used on the network | GENERIC_EVENT |