name: Zeek Event Logs
description: 'Zeek provides, network, metadata on over 40+ different applications and protocols. Additionally, Zeek provides a framework that enables the community to extend various functionality, protocol analzers/parsers, and or add additional (meta)data. The data is broken up into a log for each application/protocol. For example, all DNS data is stored in dns.log and all HTTP data is stored in http.log.


  Across all of the logs is over 1,000 fields that contain data ranging from common netflow (ie: bytes, packets, etc..) to application layer data (ie: HTTP headers, TLS Certificate info, etc..). To name just a few of the log types: Connection/Flow, HTTP, SSL/TLS, DNS, RDP, SMB, Kerberos, ModBus, Intel, FTP, SSH, GQUIC, SQL, etc.. It also hashes files and can extract them too.


  Zeek logs have a unique ability to pivot between logs the various logs via uid fields. For example: an HTTP connection results in a http.log and conn.log. Also, if a file was transferred/downloaded during the connection then there would be an additional files.log. Therefore, you not only obtain HTTP (header) fields, duration of connection, bytes sent/received, packets, hash of the file, size of the file, etc.. but you can pivot between the three logs too!


  The main field to pivot across will be normalized to event_uid and all other UIDs that can be pivoted/joined across will be set in any_event_uid'
images: []
references:
- text: Zeek Website
  link: https://docs.zeek.org/en/stable/script-reference/log-files.html