Skip to content

Instantly share code, notes, and snippets.

@chadbrewbaker

chadbrewbaker/corelight-logs.schema.json

Created October 18, 2021 16:36
Show Gist options
  • Star 1 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save chadbrewbaker/332d6a0a38488ef4610757419778b37f to your computer and use it in GitHub Desktop.
Save chadbrewbaker/332d6a0a38488ef4610757419778b37f to your computer and use it in GitHub Desktop.
Download ZIP
Latest Corelight schema - still beta, might be breaking changes
Raw
corelight-logs.schema.json
{
"$schema": "https://json-schema.org/draft/2019-09/schema",
"$id": "https://corelight.com/software-sensor.schema.json",
"title": "Corelight Logs",
"description": "Definition of all of the potential logs for this installation",
"$defs": {
"time": {"type": "string", "pattern": "[0-9]{4}-[0-1][0-9]-[0-3][0-9]T[0-2][0-9]:[0-5][0-9]:[0-5][0-9]\\.?[0-9]{0,6}Z"},
"port": {"type": "integer", "minimum": 0, "maximum": 65535},
"count": {"type": "integer", "minimum": 0, "maximum": 18446744073709551615},
"int": {"type": "integer", "minimum": -9223372036854775807, "maximum": 9223372036854775807},
"addr": {"type": "string", "pattern": "^(((((((([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]))(\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]))(\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]))|(((((([0-9A-Fa-f]{1,4}:){7})([0-9A-Fa-f]{1,4}))|((((((((::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,6})?)|([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,5})?))|([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){1}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,4})?))|([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){2}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,3})?))|([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){3}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,2})?))|([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){4}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,1})?))|([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){5}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,0})?))|([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){6}::)))|((([0-9A-Fa-f]{1,4}:){6})((((((([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]))(\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]))(\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]))))|(((((((::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,4})?)((((((([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]))(\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]))(\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])))|(([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,3})?)((((((([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]))(\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]))(\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]))))|(([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){1}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,2})?)((((((([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]))(\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]))(\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]))))|(([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){2}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,1})?)((((((([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]))(\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]))(\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]))))|(([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){3}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,0})?)((((((([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]))(\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]))(\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]))))|(([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){4}::)((((((([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]))(\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]))(\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]))))))$"}
},
"oneOf": [
{
"title": "ntlm",
"description": "Definition of the ntlm log for this installation",
"type": "object",
"properties": {
"_path": {"const": "ntlm"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"description":"Timestamp for when the event happened.", "$ref": "#/$defs/time"},
"server_tree_name": {"description":"Tree name given by the server in a CHALLENGE.", "type": "string"},
"uid": {"description":"Unique ID for the connection.", "type": "string"},
"server_dns_computer_name": {"description":"DNS name given by the server in a CHALLENGE.", "type": "string"},
"success": {"description":"Indicate whether or not the authentication was successful.", "type": "boolean"},
"username": {"description":"Username given by the client.", "type": "string"},
"domainname": {"description":"Domainname given by the client.", "type": "string"},
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/$defs/port"},
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/$defs/port"},
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/$defs/addr"},
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/$defs/addr"},
"server_nb_computer_name": {"description":"NetBIOS name given by the server in a CHALLENGE.", "type": "string"},
"hostname": {"description":"Hostname given by the client.", "type": "string"}
},
"additionalProperties": false
},
{
"title": "intel",
"description": "Definition of the intel log for this installation",
"type": "object",
"properties": {
"_path": {"const": "intel"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"description":"Timestamp when the data was discovered.", "$ref": "#/$defs/time"},
"sources": {"description":"Sources which supplied data that resulted in this match.", "type": "array", "items": {"type": "string"}, "uniqueItems": true},
"file_desc": {"description":"Frequently files can be \"described\" to give a bit more context.\nIf the $f field is provided this field will be automatically\nfilled out.", "type": "string"},
"fuid": {"description":"If a file was associated with this intelligence hit,\nthis is the uid for the file.", "type": "string"},
"seen.indicator_type": {"description":"The type of data that the indicator represents.", "type": "string"},
"seen.where": {"description":"Where the data was discovered.", "type": "string"},
"seen.indicator": {"description":"The string if the data is about a string.", "type": "string"},
"seen.node": {"description":"The name of the node where the match was discovered.", "type": "string"},
"uid": {"description":"If a connection was associated with this intelligence hit,\nthis is the uid for the connection", "type": "string"},
"file_mime_type": {"description":"A mime type if the intelligence hit is related to a file.\nIf the $f field is provided this will be automatically filled\nout.", "type": "string"},
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/$defs/port"},
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/$defs/port"},
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/$defs/addr"},
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/$defs/addr"},
"matched": {"description":"Which indicator types matched.", "type": "array", "items": {"type": "string"}, "uniqueItems": true}
},
"additionalProperties": false
},
{
"title": "mysql",
"description": "Definition of the mysql log for this installation",
"type": "object",
"properties": {
"_path": {"const": "mysql"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"description":"Timestamp for when the event happened.", "$ref": "#/$defs/time"},
"response": {"description":"Server message, if any", "type": "string"},
"arg": {"description":"The argument issued to the command", "type": "string"},
"rows": {"description":"The number of affected rows, if any", "$ref": "#/$defs/count"},
"uid": {"description":"Unique ID for the connection.", "type": "string"},
"success": {"description":"Did the server tell us that the command succeeded?", "type": "boolean"},
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/$defs/port"},
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/$defs/port"},
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/$defs/addr"},
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/$defs/addr"},
"cmd": {"description":"The command that was issued", "type": "string"}
},
"additionalProperties": false
},
{
"title": "ldap",
"description": "Definition of the ldap log for this installation",
"type": "object",
"properties": {
"_path": {"const": "ldap"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"$ref": "#/$defs/time"},
"argument": {"type": "array", "items": {"type": "string"}},
"message_id": {"$ref": "#/$defs/int"},
"result": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
"uid": {"type": "string"},
"diagnostic_message": {"type": "array", "items": {"type": "string"}},
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/$defs/port"},
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/$defs/port"},
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/$defs/addr"},
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/$defs/addr"},
"object": {"type": "array", "items": {"type": "string"}},
"opcode": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
"proto": {"type": "string"},
"version": {"$ref": "#/$defs/int"}
},
"additionalProperties": false
},
{
"title": "netcontrol_shunt",
"description": "Definition of the netcontrol_shunt log for this installation",
"type": "object",
"properties": {
"_path": {"const": "netcontrol_shunt"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"description":"Time at which the recorded activity occurred.", "$ref": "#/$defs/time"},
"expire": {"description":"Expiry time of the shunt.", "type": "number"},
"location": {"description":"Location where the underlying action was triggered.", "type": "string"},
"rule_id": {"description":"ID of the rule; unique during each Zeek run.", "type": "string"},
"f.src_h": {"description":"The source IP address.", "$ref": "#/$defs/addr"},
"f.src_p": {"description":"The source port number.", "$ref": "#/$defs/port"},
"f.dst_p": {"description":"The desintation port number.", "$ref": "#/$defs/port"},
"f.dst_h": {"description":"The destination IP address.", "$ref": "#/$defs/addr"}
},
"additionalProperties": false
},
{
"title": "ftp",
"description": "Definition of the ftp log for this installation",
"type": "object",
"properties": {
"_path": {"const": "ftp"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"user": {"description":"User name for the current FTP session.", "type": "string"},
"file_size": {"description":"Size of the file if the command indicates a file transfer.", "$ref": "#/$defs/count"},
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/$defs/port"},
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/$defs/port"},
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/$defs/addr"},
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/$defs/addr"},
"reply_code": {"description":"Reply code from the server in response to the command.", "$ref": "#/$defs/count"},
"fuid": {"description":"File unique ID.", "type": "string"},
"uid": {"description":"Unique ID for the connection.", "type": "string"},
"data_channel.resp_p": {"description":"The port at which the acceptor is listening for the data\nconnection.", "$ref": "#/$defs/port"},
"data_channel.orig_h": {"description":"The host that will be initiating the data connection.", "$ref": "#/$defs/addr"},
"data_channel.resp_h": {"description":"The host that will be accepting the data connection.", "$ref": "#/$defs/addr"},
"data_channel.passive": {"description":"Whether PASV mode is toggled for control channel.", "type": "boolean"},
"mime_type": {"description":"Sniffed mime type of file.", "type": "string"},
"ts": {"description":"Time when the command was sent.", "$ref": "#/$defs/time"},
"arg": {"description":"Argument for the command if one is given.", "type": "string"},
"password": {"description":"Password for the current FTP session if captured.", "type": "string"},
"command": {"description":"Command given by the client.", "type": "string"},
"reply_msg": {"description":"Reply message from the server in response to the command.", "type": "string"}
},
"additionalProperties": false
},
{
"title": "meterpreter_headers",
"description": "Definition of the meterpreter_headers log for this installation",
"type": "object",
"properties": {
"_path": {"const": "meterpreter_headers"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"guid": {"type": "string"},
"uid": {"type": "string"},
"staged": {"type": "boolean"},
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/$defs/port"},
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/$defs/port"},
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/$defs/addr"},
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/$defs/addr"},
"encrypted": {"type": "boolean"},
"protocol": {"type": "string"},
"start_time": {"$ref": "#/$defs/time"}
},
"additionalProperties": false
},
{
"title": "unknown_mime_type_discovery",
"description": "Definition of the unknown_mime_type_discovery log for this installation",
"type": "object",
"properties": {
"_path": {"const": "unknown_mime_type_discovery"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"description":"Timestamp for when the file was discovered", "$ref": "#/$defs/time"},
"fid": {"description":"File ID", "type": "string"},
"bof": {"description":"Begin Of File. This is the extracted chunk of \nthe file you can look through to create a \nsignature to match on this file in the future.", "type": "string"}
},
"additionalProperties": false
},
{
"title": "suricata_stats",
"description": "Definition of the suricata_stats log for this installation",
"type": "object",
"properties": {
"_path": {"const": "suricata_stats"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"raw_mgmt": {"description":"The raw mgmt string from Suricata", "type": "string"}
},
"additionalProperties": false
},
{
"title": "traceroute",
"description": "Definition of the traceroute log for this installation",
"type": "object",
"properties": {
"_path": {"const": "traceroute"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"description":"Timestamp", "$ref": "#/$defs/time"},
"src": {"description":"Address initiating the traceroute.", "$ref": "#/$defs/addr"},
"dst": {"description":"Destination address of the traceroute.", "$ref": "#/$defs/addr"},
"proto": {"description":"Protocol used for the traceroute.", "type": "string"}
},
"additionalProperties": false
},
{
"title": "rfb",
"description": "Definition of the rfb log for this installation",
"type": "object",
"properties": {
"_path": {"const": "rfb"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"description":"Timestamp for when the event happened.", "$ref": "#/$defs/time"},
"server_major_version": {"description":"Major version of the server.", "type": "string"},
"server_minor_version": {"description":"Minor version of the server.", "type": "string"},
"authentication_method": {"description":"Identifier of authentication method used.", "type": "string"},
"share_flag": {"description":"Whether the client has an exclusive or a shared session.", "type": "boolean"},
"client_major_version": {"description":"Major version of the client.", "type": "string"},
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/$defs/port"},
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/$defs/port"},
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/$defs/addr"},
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/$defs/addr"},
"width": {"description":"Width of the screen that is being shared.", "$ref": "#/$defs/count"},
"client_minor_version": {"description":"Minor version of the client.", "type": "string"},
"desktop_name": {"description":"Name of the screen that is being shared.", "type": "string"},
"uid": {"description":"Unique ID for the connection.", "type": "string"},
"height": {"description":"Height of the screen that is being shared.", "$ref": "#/$defs/count"},
"auth": {"description":"Whether or not authentication was successful.", "type": "boolean"}
},
"additionalProperties": false
},
{
"title": "modbus",
"description": "Definition of the modbus log for this installation",
"type": "object",
"properties": {
"_path": {"const": "modbus"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"description":"Time of the request.", "$ref": "#/$defs/time"},
"func": {"description":"The name of the function message that was sent.", "type": "string"},
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/$defs/port"},
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/$defs/port"},
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/$defs/addr"},
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/$defs/addr"},
"exception": {"description":"The exception if the response was a failure.", "type": "string"},
"uid": {"description":"Unique identifier for the connection.", "type": "string"}
},
"additionalProperties": false
},
{
"title": "stepping",
"description": "Definition of the stepping log for this installation",
"type": "object",
"properties": {
"_path": {"const": "stepping"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"description":"Start time of first connection.", "$ref": "#/$defs/time"},
"direct": {"description":"Whether this is a direct client1->server1->server2 stepping stone,\nor an indirect client1->server1->...client2->server2 stepping stone.", "type": "boolean"},
"dt": {"description":"Time elapsed until start of second connection.", "type": "number"},
"uid1": {"description":"Connection identifier of first connection.", "type": "string"},
"server1_h": {"description":"First connection server address.", "$ref": "#/$defs/addr"},
"client1_h": {"description":"First connection client address.", "$ref": "#/$defs/addr"},
"client2_p": {"description":"Second connection client port.", "$ref": "#/$defs/port"},
"uid2": {"description":"Connection identifier of second connection.", "type": "string"},
"server1_p": {"description":"First connection server port.", "$ref": "#/$defs/port"},
"client1_p": {"description":"First connection client port.", "$ref": "#/$defs/port"},
"server2_h": {"description":"Second connection server address.", "$ref": "#/$defs/addr"},
"client2_h": {"description":"Second connection client address.", "$ref": "#/$defs/addr"},
"server2_p": {"description":"Second connection server port.", "$ref": "#/$defs/port"}
},
"additionalProperties": false
},
{
"title": "notice_alarm",
"description": "Definition of the notice_alarm log for this installation",
"type": "object",
"properties": {
"_path": {"const": "notice_alarm"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"remote_location.region": {"description":"The region.", "type": "string"},
"remote_location.latitude": {"description":"Latitude.", "type": "number"},
"remote_location.city": {"description":"The city.", "type": "string"},
"remote_location.longitude": {"description":"Longitude.", "type": "number"},
"remote_location.country_code": {"description":"The country code.", "type": "string"},
"note": {"description":"The :zeek:type:`Notice::Type` of the notice.", "type": "string"},
"src": {"description":"Source address, if we don't have a :zeek:type:`conn_id`.", "$ref": "#/$defs/addr"},
"p": {"description":"Associated port, if we don't have a :zeek:type:`conn_id`.", "$ref": "#/$defs/port"},
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/$defs/port"},
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/$defs/port"},
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/$defs/addr"},
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/$defs/addr"},
"actions": {"description":"The actions which have been applied to this notice.", "type": "array", "items": {"type": "string"}, "uniqueItems": true},
"fuid": {"description":"A file unique ID if this notice is related to a file. If\nthe *f* field is provided, this will be automatically filled\nout.", "type": "string"},
"uid": {"description":"A connection UID which uniquely identifies the endpoints\nconcerned with the notice.", "type": "string"},
"proto": {"description":"The transport protocol. Filled automatically when either\n*conn*, *iconn* or *p* is specified.", "type": "string"},
"sub": {"description":"The human readable sub-message.", "type": "string"},
"n": {"description":"Associated count, or perhaps a status code.", "$ref": "#/$defs/count"},
"ts": {"description":"An absolute time indicating when the notice occurred,\ndefaults to the current network time.", "$ref": "#/$defs/time"},
"file_desc": {"description":"Frequently files can be \"described\" to give a bit more\ncontext. This field will typically be automatically filled\nout from an fa_file record. For example, if a notice was\nrelated to a file over HTTP, the URL of the request would\nbe shown.", "type": "string"},
"peer_descr": {"description":"Textual description for the peer that raised this notice,\nincluding name, host address and port.", "type": "string"},
"dst": {"description":"Destination address.", "$ref": "#/$defs/addr"},
"suppress_for": {"description":"This field indicates the length of time that this\nunique notice should be suppressed.", "type": "number"},
"msg": {"description":"The human readable message for the notice.", "type": "string"},
"file_mime_type": {"description":"A mime type if the notice is related to a file. If the *f*\nfield is provided, this will be automatically filled out.", "type": "string"}
},
"additionalProperties": false
},
{
"title": "x509",
"description": "Definition of the x509 log for this installation",
"type": "object",
"properties": {
"_path": {"const": "x509"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"description":"Current timestamp.", "$ref": "#/$defs/time"},
"certificate.key_alg": {"description":"Name of the key algorithm", "type": "string"},
"certificate.exponent": {"description":"Exponent, if RSA-certificate", "type": "string"},
"certificate.key_length": {"description":"Key length in bits", "$ref": "#/$defs/count"},
"certificate.not_valid_after": {"description":"Timestamp after when certificate is not valid.", "$ref": "#/$defs/time"},
"certificate.key_type": {"description":"Key type, if key parseable by openssl (either rsa, dsa or ec)", "type": "string"},
"certificate.serial": {"description":"Serial number.", "type": "string"},
"certificate.curve": {"description":"Curve, if EC-certificate", "type": "string"},
"certificate.issuer": {"description":"Issuer.", "type": "string"},
"certificate.subject": {"description":"Subject.", "type": "string"},
"certificate.not_valid_before": {"description":"Timestamp before when certificate is not valid.", "$ref": "#/$defs/time"},
"certificate.sig_alg": {"description":"Name of the signature algorithm", "type": "string"},
"certificate.version": {"description":"Version number.", "$ref": "#/$defs/count"},
"basic_constraints.path_len": {"description":"Maximum path length", "$ref": "#/$defs/count"},
"basic_constraints.ca": {"description":"CA flag set?", "type": "boolean"},
"san.uri": {"description":"List of URI entries in SAN", "type": "array", "items": {"type": "string"}},
"san.dns": {"description":"List of DNS entries in SAN", "type": "array", "items": {"type": "string"}},
"san.email": {"description":"List of email entries in SAN", "type": "array", "items": {"type": "string"}},
"san.ip": {"description":"List of IP entries in SAN", "type": "array", "items": {"$ref": "#/$defs/addr"}},
"id": {"description":"File id of this certificate.", "type": "string"}
},
"additionalProperties": false
},
{
"title": "rdp",
"description": "Definition of the rdp log for this installation",
"type": "object",
"properties": {
"_path": {"const": "rdp"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"cert_count": {"description":"The number of certs seen. X.509 can transfer an \nentire certificate chain.", "$ref": "#/$defs/count"},
"auth_success": {"description":"Whether the client successfully authenticated or not", "type": "boolean"},
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/$defs/port"},
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/$defs/port"},
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/$defs/addr"},
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/$defs/addr"},
"client_dig_product_id": {"description":"Product ID of the client machine.", "type": "string"},
"rdfp_string": {"description":"A fingerprint which represents am RDP client", "type": "string"},
"cookie": {"description":"Cookie value used by the client machine.\nThis is typically a username.", "type": "string"},
"cert_type": {"description":"If the connection is being encrypted with native\nRDP encryption, this is the type of cert \nbeing used.", "type": "string"},
"uid": {"description":"Unique ID for the connection.", "type": "string"},
"keyboard_layout": {"description":"Keyboard layout (language) of the client machine.", "type": "string"},
"client_name": {"description":"Name of the client machine.", "type": "string"},
"result": {"description":"Status result for the connection. It's a mix between\nRDP negotation failure messages and GCC server create\nresponse messages.", "type": "string"},
"security_protocol": {"description":"Security protocol chosen by the server.", "type": "string"},
"rdpeudp_uid": {"description":"The connection UID of the UDP connection which assisted this TCP connection. If UDP was not used, this is unset.", "type": "string"},
"rdfp_hash": {"type": "string"},
"encryption_method": {"description":"Encryption method of the connection. ", "type": "string"},
"encryption_level": {"description":"Encryption level of the connection.", "type": "string"},
"client_build": {"description":"RDP client version used by the client machine.", "type": "string"},
"inferences": {"description":"A set of inference \"tags\" about the connection", "type": "array", "items": {"type": "string"}, "uniqueItems": true},
"cert_permanent": {"description":"Indicates if the provided certificate or certificate\nchain is permanent or temporary.", "type": "boolean"},
"ts": {"description":"Timestamp for when the event happened.", "$ref": "#/$defs/time"},
"desktop_width": {"description":"Desktop width of the client machine.", "$ref": "#/$defs/count"},
"requested_color_depth": {"description":"The color depth requested by the client in \nthe high_color_depth field.", "type": "string"},
"desktop_height": {"description":"Desktop height of the client machine.", "$ref": "#/$defs/count"},
"channels_joined": {"description":"The number of channels a client joined during the connection sequence", "$ref": "#/$defs/int"},
"client_channels": {"description":"The channels requested by the client", "type": "array", "items": {"type": "string"}}
},
"additionalProperties": false
},
{
"title": "software",
"description": "Definition of the software log for this installation",
"type": "object",
"properties": {
"_path": {"const": "software"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"description":"The time at which the software was detected.", "$ref": "#/$defs/time"},
"software_type": {"description":"The type of software detected (e.g. :zeek:enum:`HTTP::SERVER`).", "type": "string"},
"host_p": {"description":"The port on which the software is running. Only sensible for\nserver software.", "$ref": "#/$defs/port"},
"name": {"description":"Name of the software (e.g. Apache).", "type": "string"},
"host": {"description":"The IP address detected running the software.", "$ref": "#/$defs/addr"},
"unparsed_version": {"description":"The full unparsed version string found because the version\nparsing doesn't always work reliably in all cases and this\nacts as a fallback in the logs.", "type": "string"},
"version.major": {"description":"Major version number.", "$ref": "#/$defs/count"},
"version.minor3": {"description":"Minor updates number.", "$ref": "#/$defs/count"},
"version.addl": {"description":"Additional version string (e.g. \"beta42\").", "type": "string"},
"version.minor2": {"description":"Minor subversion number.", "$ref": "#/$defs/count"},
"version.minor": {"description":"Minor version number.", "$ref": "#/$defs/count"}
},
"additionalProperties": false
},
{
"title": "snmp",
"description": "Definition of the snmp log for this installation",
"type": "object",
"properties": {
"_path": {"const": "snmp"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"description":"Timestamp of first packet belonging to the SNMP session.", "$ref": "#/$defs/time"},
"up_since": {"description":"The time at which the SNMP responder endpoint claims it's been\nup since.", "$ref": "#/$defs/time"},
"get_bulk_requests": {"description":"The number of variable bindings in GetBulkRequest PDUs seen for\nthe session.", "$ref": "#/$defs/count"},
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/$defs/port"},
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/$defs/port"},
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/$defs/addr"},
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/$defs/addr"},
"get_responses": {"description":"The number of variable bindings in GetResponse/Response PDUs seen\nfor the session.", "$ref": "#/$defs/count"},
"uid": {"description":"The unique ID for the connection.", "type": "string"},
"get_requests": {"description":"The number of variable bindings in GetRequest/GetNextRequest PDUs\nseen for the session.", "$ref": "#/$defs/count"},
"duration": {"description":"The amount of time between the first packet beloning to\nthe SNMP session and the latest one seen.", "type": "number"},
"community": {"description":"The community string of the first SNMP packet associated with\nthe session. This is used as part of SNMP's (v1 and v2c)\nadministrative/security framework. See :rfc:`1157` or :rfc:`1901`.", "type": "string"},
"display_string": {"description":"A system description of the SNMP responder endpoint.", "type": "string"},
"version": {"description":"The version of SNMP being used.", "type": "string"},
"set_requests": {"description":"The number of variable bindings in SetRequest PDUs seen for\nthe session.", "$ref": "#/$defs/count"}
},
"additionalProperties": false
},
{
"title": "stun_nat",
"description": "Definition of the stun_nat log for this installation",
"type": "object",
"properties": {
"_path": {"const": "stun_nat"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"$ref": "#/$defs/time"},
"wan_addr": {"description":"The WAN address as reported by STUN", "$ref": "#/$defs/addr"},
"uid": {"type": "string"},
"lan_addr": {"description":"The NAT'd LAN address as reported by STUN", "$ref": "#/$defs/addr"},
"is_orig": {"type": "boolean"},
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/$defs/port"},
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/$defs/port"},
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/$defs/addr"},
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/$defs/addr"},
"wan_port": {"description":"The mapped port", "$ref": "#/$defs/count"},
"proto": {"description":"The protocol", "type": "string"}
},
"additionalProperties": false
},
{
"title": "corelight_metrics",
"description": "Definition of the corelight_metrics log for this installation",
"type": "object",
"properties": {
"_path": {"const": "corelight_metrics"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"$ref": "#/$defs/time"},
"metric.typ": {"type": "string"},
"metric.name": {"type": "string"},
"metric.unit": {"type": "string"},
"metric.desc": {"type": "string"},
"val": {"type": "number"},
"process": {"type": "string"}
},
"additionalProperties": false
},
{
"title": "tlsfp",
"description": "Definition of the tlsfp log for this installation",
"type": "object",
"properties": {
"_path": {"const": "tlsfp"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"client_version": {"$ref": "#/$defs/count"},
"ec_point_fmt": {"type": "string"},
"e_curves": {"type": "string"},
"client_ciphers": {"type": "string"},
"extensions": {"type": "string"}
},
"additionalProperties": false
},
{
"title": "smb_files",
"description": "Definition of the smb_files log for this installation",
"type": "object",
"properties": {
"_path": {"const": "smb_files"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"description":"Time when the file was first discovered.", "$ref": "#/$defs/time"},
"data_len_req": {"$ref": "#/$defs/count"},
"name": {"description":"Filename if one was seen.", "type": "string"},
"action": {"description":"Action this log record represents.", "type": "string"},
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/$defs/port"},
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/$defs/port"},
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/$defs/addr"},
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/$defs/addr"},
"times.changed": {"description":"The time when the file was last modified.", "$ref": "#/$defs/time"},
"times.created": {"description":"The time the file was created.", "$ref": "#/$defs/time"},
"times.modified": {"description":"The time when data was last written to the file.", "$ref": "#/$defs/time"},
"times.accessed": {"description":"The time when the file was last accessed.", "$ref": "#/$defs/time"},
"fuid": {"description":"Unique ID of the file.", "type": "string"},
"prev_name": {"description":"If the rename action was seen, this will be\nthe file's previous name.", "type": "string"},
"uid": {"description":"Unique ID of the connection the file was sent over.", "type": "string"},
"data_len_rsp": {"$ref": "#/$defs/count"},
"data_offset_req": {"$ref": "#/$defs/count"},
"size": {"description":"Total size of the file.", "$ref": "#/$defs/count"},
"path": {"description":"Path pulled from the tree this file was transferred to or from.", "type": "string"}
},
"additionalProperties": false
},
{
"title": "smtp_links",
"description": "Definition of the smtp_links log for this installation",
"type": "object",
"properties": {
"_path": {"const": "smtp_links"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"$ref": "#/$defs/time"},
"fuid": {"type": "string"},
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/$defs/port"},
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/$defs/port"},
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/$defs/addr"},
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/$defs/addr"},
"link": {"type": "string"},
"uid": {"type": "string"}
},
"additionalProperties": false
},
{
"title": "print",
"description": "Definition of the print log for this installation",
"type": "object",
"properties": {
"_path": {"const": "print"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"description":"The network time at which the print statement was executed.", "$ref": "#/$defs/time"},
"vals": {"description":"Set of strings passed to the print statement.", "type": "array", "items": {"type": "string"}}
},
"additionalProperties": false
},
{
"title": "files",
"description": "Definition of the files log for this installation",
"type": "object",
"properties": {
"_path": {"const": "files"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"seen_bytes": {"description":"Number of bytes provided to the file analysis engine for the file.", "$ref": "#/$defs/count"},
"source": {"description":"An identification of the source of the file data. E.g. it\nmay be a network protocol over which it was transferred, or a\nlocal file path which was read, or some other input source.", "type": "string"},
"extracted": {"description":"Local filename of extracted file.", "type": "string"},
"depth": {"description":"A value to represent the depth of this file in relation\nto its source. In SMTP, it is the depth of the MIME\nattachment on the message. In HTTP, it is the depth of the\nrequest within the TCP connection.", "$ref": "#/$defs/count"},
"extracted_cutoff": {"description":"Set to true if the file being extracted was cut off\nso the whole file was not logged.", "type": "boolean"},
"fuid": {"description":"An identifier associated with a single file.", "type": "string"},
"sha1": {"description":"A SHA1 digest of the file contents.", "type": "string"},
"sha256": {"description":"A SHA256 digest of the file contents.", "type": "string"},
"rx_hosts": {"description":"If this file was transferred over a network\nconnection this should show the host or hosts that\nthe data traveled to.", "type": "array", "items": {"$ref": "#/$defs/addr"}, "uniqueItems": true},
"duration": {"description":"The duration the file was analyzed for.", "type": "number"},
"timedout": {"description":"Whether the file analysis timed out at least once for the file.", "type": "boolean"},
"is_orig": {"description":"If the source of this file is a network connection, this field\nindicates if the file is being sent by the originator of the\nconnection or the responder.", "type": "boolean"},
"missing_bytes": {"description":"The number of bytes in the file stream that were completely missed\nduring the process of analysis e.g. due to dropped packets.", "$ref": "#/$defs/count"},
"mime_type": {"description":"A mime type provided by the strongest file magic signature\nmatch against the *bof_buffer* field of :zeek:see:`fa_file`,\nor in the cases where no buffering of the beginning of file\noccurs, an initial guess of the mime type based on the first\ndata seen.", "type": "string"},
"ts": {"description":"The time when the file was first seen.", "$ref": "#/$defs/time"},
"total_bytes": {"description":"Total number of bytes that are supposed to comprise the full file.", "$ref": "#/$defs/count"},
"parent_fuid": {"description":"Identifier associated with a container file from which this one was\nextracted as part of the file analysis.", "type": "string"},
"extracted_size": {"description":"The number of bytes extracted to disk.", "$ref": "#/$defs/count"},
"analyzers": {"description":"A set of analysis types done during the file analysis.", "type": "array", "items": {"type": "string"}, "uniqueItems": true},
"overflow_bytes": {"description":"The number of bytes in the file stream that were not delivered to\nstream file analyzers. This could be overlapping bytes or \nbytes that couldn't be reassembled.", "$ref": "#/$defs/count"},
"conn_uids": {"description":"Connection UIDs over which the file was transferred.", "type": "array", "items": {"type": "string"}, "uniqueItems": true},
"local_orig": {"description":"If the source of this file is a network connection, this field\nindicates if the data originated from the local network or not as\ndetermined by the configured :zeek:see:`Site::local_nets`.", "type": "boolean"},
"tx_hosts": {"description":"If this file was transferred over a network\nconnection this should show the host or hosts that\nthe data sourced from.", "type": "array", "items": {"$ref": "#/$defs/addr"}, "uniqueItems": true},
"filename": {"description":"A filename for the file if one is available from the source\nfor the file. These will frequently come from\n\"Content-Disposition\" headers in network protocols.", "type": "string"},
"md5": {"description":"An MD5 digest of the file contents.", "type": "string"}
},
"additionalProperties": false
},
{
"title": "meterpreter",
"description": "Definition of the meterpreter log for this installation",
"type": "object",
"properties": {
"_path": {"const": "meterpreter"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"reason": {"type": "string"},
"os": {"type": "string"},
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/$defs/port"},
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/$defs/port"},
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/$defs/addr"},
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/$defs/addr"},
"uid": {"type": "string"},
"start_time": {"$ref": "#/$defs/time"},
"protocol": {"type": "string"}
},
"additionalProperties": false
},
{
"title": "etc_viz",
"description": "Definition of the etc_viz log for this installation",
"type": "object",
"properties": {
"_path": {"const": "etc_viz"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"service": {"description":"The service(s) associated with the connection.", "type": "array", "items": {"type": "string"}, "uniqueItems": true},
"server_a": {"description":"The address of the server in the connection.", "$ref": "#/$defs/addr"},
"s2c_viz.pdu1_enc": {"description":"Whether the first PDU (or a proxy for it) was consistent\nwith being encrypted.", "type": "boolean"},
"s2c_viz.enc_dev": {"description":"TBD. of aggregated encrypted blocks.", "type": "number"},
"s2c_viz.enc_frac": {"description":"Proportion of flow (in terms of blocks) consistent\nwith encryption.", "type": "number"},
"s2c_viz.clr_frac": {"description":"Proportion of flow (in terms of blocks) consistent\nwith clear-text.", "type": "number"},
"s2c_viz.size": {"description":"The total size of the flow.", "$ref": "#/$defs/count"},
"s2c_viz.clr_ex": {"description":"For flows with some clear-text, a snippet.", "type": "string"},
"uid": {"description":"The unique identifier of the connection.", "type": "string"},
"c2s_viz.pdu1_enc": {"description":"Whether the first PDU (or a proxy for it) was consistent\nwith being encrypted.", "type": "boolean"},
"c2s_viz.enc_dev": {"description":"TBD. of aggregated encrypted blocks.", "type": "number"},
"c2s_viz.enc_frac": {"description":"Proportion of flow (in terms of blocks) consistent\nwith encryption.", "type": "number"},
"c2s_viz.clr_frac": {"description":"Proportion of flow (in terms of blocks) consistent\nwith clear-text.", "type": "number"},
"c2s_viz.size": {"description":"The total size of the flow.", "$ref": "#/$defs/count"},
"c2s_viz.clr_ex": {"description":"For flows with some clear-text, a snippet.", "type": "string"},
"server_p": {"description":"The port of the server in the connection.", "$ref": "#/$defs/port"},
"viz_stat": {"description":"The associated visibility status string.", "type": "string"}
},
"additionalProperties": false
},
{
"title": "openflow",
"description": "Definition of the openflow log for this installation",
"type": "object",
"properties": {
"_path": {"const": "openflow"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"description":"Network time.", "$ref": "#/$defs/time"},
"flow_mod.cookie": {"description":"Opaque controller-issued identifier.", "$ref": "#/$defs/count"},
"flow_mod.table_id": {"description":"Table to put the flow in. OFPTT_ALL can be used for delete,\nto delete flows from all matching tables.", "$ref": "#/$defs/count"},
"flow_mod.idle_timeout": {"description":"Idle time before discarding (seconds).", "$ref": "#/$defs/count"},
"flow_mod.out_port": {"description":"For OFPFC_DELETE* commands, require matching entried to include\nthis as an output port/group. OFPP_ANY/OFPG_ANY means no restrictions.", "$ref": "#/$defs/count"},
"flow_mod.command": {"description":"One of OFPFC_*.", "type": "string"},
"flow_mod.out_group": {"$ref": "#/$defs/count"},
"flow_mod.flags": {"description":"Bitmap of the OFPFF_* flags", "$ref": "#/$defs/count"},
"flow_mod.priority": {"description":"Priority level of flow entry.", "$ref": "#/$defs/count"},
"flow_mod.hard_timeout": {"description":"Max time before discarding (seconds).", "$ref": "#/$defs/count"},
"actions.out_ports": {"description":"Output ports to send data to.", "type": "array", "items": {"$ref": "#/$defs/count"}},
"actions.tp_dst": {"description":"Set tcp/udp destination port.", "$ref": "#/$defs/count"},
"actions.nw_tos": {"description":"Set ip tos to this value.", "$ref": "#/$defs/count"},
"actions.vlan_pcp": {"description":"Set vlan priority to this value.", "$ref": "#/$defs/count"},
"actions.dl_src": {"description":"Set ethernet source address.", "type": "string"},
"actions.vlan_strip": {"description":"Strip vlan tag.", "type": "boolean"},
"actions.vlan_vid": {"description":"Set vlan vid to this value.", "$ref": "#/$defs/count"},
"actions.nw_src": {"description":"Set source to this ip.", "$ref": "#/$defs/addr"},
"actions.nw_dst": {"description":"Set destination to this ip.", "$ref": "#/$defs/addr"},
"actions.tp_src": {"description":"Set tcp/udp source port.", "$ref": "#/$defs/count"},
"actions.dl_dst": {"description":"Set ethernet destination address.", "type": "string"},
"match.tp_dst": {"$ref": "#/$defs/count"},
"match.nw_tos": {"$ref": "#/$defs/count"},
"match.nw_proto": {"$ref": "#/$defs/count"},
"match.dl_src": {"type": "string"},
"match.nw_src": {"type": "string"},
"match.nw_dst": {"type": "string"},
"match.tp_src": {"$ref": "#/$defs/count"},
"match.in_port": {"$ref": "#/$defs/count"},
"match.dl_type": {"$ref": "#/$defs/count"},
"match.dl_vlan_pcp": {"$ref": "#/$defs/count"},
"match.dl_vlan": {"$ref": "#/$defs/count"},
"match.dl_dst": {"type": "string"},
"dpid": {"description":"OpenFlow switch datapath id.", "$ref": "#/$defs/count"}
},
"additionalProperties": false
},
{
"title": "pe",
"description": "Definition of the pe log for this installation",
"type": "object",
"properties": {
"_path": {"const": "pe"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"subsystem": {"description":"The subsystem that is required to run this file.", "type": "string"},
"id": {"description":"File id of this portable executable file.", "type": "string"},
"uses_seh": {"description":"Does the file use structured exception handing?", "type": "boolean"},
"machine": {"description":"The target machine that the file was compiled for.", "type": "string"},
"has_import_table": {"description":"Does the file have an import table?", "type": "boolean"},
"has_cert_table": {"description":"Does the file have an attribute certificate table?", "type": "boolean"},
"os": {"description":"The required operating system.", "type": "string"},
"ts": {"description":"Current timestamp.", "$ref": "#/$defs/time"},
"uses_code_integrity": {"description":"Does the file enforce code integrity checks?", "type": "boolean"},
"has_debug_data": {"description":"Does the file have a debug table?", "type": "boolean"},
"uses_aslr": {"description":"Does the file support Address Space Layout Randomization?", "type": "boolean"},
"is_64bit": {"description":"Is the file a 64-bit executable?", "type": "boolean"},
"has_export_table": {"description":"Does the file have an export table?", "type": "boolean"},
"section_names": {"description":"The names of the sections, in order.", "type": "array", "items": {"type": "string"}},
"uses_dep": {"description":"Does the file support Data Execution Prevention?", "type": "boolean"},
"compile_ts": {"description":"The time that the file was created at.", "$ref": "#/$defs/time"},
"is_exe": {"description":"Is the file an executable, or just an object file?", "type": "boolean"}
},
"additionalProperties": false
},
{
"title": "generic_icmp_tunnels",
"description": "Definition of the generic_icmp_tunnels log for this installation",
"type": "object",
"properties": {
"_path": {"const": "generic_icmp_tunnels"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"$ref": "#/$defs/time"},
"seq": {"$ref": "#/$defs/count"},
"uid": {"type": "string"},
"orig": {"$ref": "#/$defs/addr"},
"resp": {"$ref": "#/$defs/addr"},
"id": {"$ref": "#/$defs/count"},
"detection": {"type": "string"},
"payload": {"type": "string"},
"payload_len": {"$ref": "#/$defs/count"},
"bytes": {"$ref": "#/$defs/count"}
},
"additionalProperties": false
},
{
"title": "smtp",
"description": "Definition of the smtp log for this installation",
"type": "object",
"properties": {
"_path": {"const": "smtp"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"reply_to": {"description":"Contents of the ReplyTo header.", "type": "string"},
"last_reply": {"description":"The last message that the server sent to the client.", "type": "string"},
"mailfrom": {"description":"Email addresses found in the From header.", "type": "string"},
"x_originating_ip": {"description":"Contents of the X-Originating-IP header.", "$ref": "#/$defs/addr"},
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/$defs/port"},
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/$defs/port"},
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/$defs/addr"},
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/$defs/addr"},
"uid": {"description":"Unique ID for the connection.", "type": "string"},
"subject": {"description":"Contents of the Subject header.", "type": "string"},
"tls": {"description":"Indicates that the connection has switched to using TLS.", "type": "boolean"},
"path": {"description":"The message transmission path, as extracted from the headers.", "type": "array", "items": {"$ref": "#/$defs/addr"}},
"rcptto": {"description":"Email addresses found in the Rcpt header.", "type": "array", "items": {"type": "string"}, "uniqueItems": true},
"from": {"description":"Contents of the From header.", "type": "string"},
"trans_depth": {"description":"A count to represent the depth of this message transaction in\na single connection where multiple messages were transferred.", "$ref": "#/$defs/count"},
"date": {"description":"Contents of the Date header.", "type": "string"},
"in_reply_to": {"description":"Contents of the In-Reply-To header.", "type": "string"},
"fuids": {"description":"An ordered vector of file unique IDs seen attached to\nthe message.", "type": "array", "items": {"type": "string"}},
"is_webmail": {"description":"Boolean indicator of if the message was sent through a\nwebmail interface.", "type": "boolean"},
"ts": {"description":"Time when the message was first seen.", "$ref": "#/$defs/time"},
"to": {"description":"Contents of the To header.", "type": "array", "items": {"type": "string"}, "uniqueItems": true},
"msg_id": {"description":"Contents of the MsgID header.", "type": "string"},
"second_received": {"description":"Contents of the second Received header.", "type": "string"},
"first_received": {"description":"Contents of the first Received header.", "type": "string"},
"helo": {"description":"Contents of the Helo header.", "type": "string"},
"user_agent": {"description":"Value of the User-Agent header from the client.", "type": "string"},
"cc": {"description":"Contents of the CC header.", "type": "array", "items": {"type": "string"}, "uniqueItems": true}
},
"additionalProperties": false
},
{
"title": "dnp3",
"description": "Definition of the dnp3 log for this installation",
"type": "object",
"properties": {
"_path": {"const": "dnp3"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"description":"Time of the request.", "$ref": "#/$defs/time"},
"fc_request": {"description":"The name of the function message in the request.", "type": "string"},
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/$defs/port"},
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/$defs/port"},
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/$defs/addr"},
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/$defs/addr"},
"iin": {"description":"The response's \"internal indication number\".", "$ref": "#/$defs/count"},
"uid": {"description":"Unique identifier for the connection.", "type": "string"},
"fc_reply": {"description":"The name of the function message in the reply.", "type": "string"}
},
"additionalProperties": false
},
{
"title": "netcontrol_drop",
"description": "Definition of the netcontrol_drop log for this installation",
"type": "object",
"properties": {
"_path": {"const": "netcontrol_drop"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"description":"Time at which the recorded activity occurred.", "$ref": "#/$defs/time"},
"resp_p": {"description":"The responder's port number.", "$ref": "#/$defs/port"},
"orig_h": {"description":"The originator's IP address.", "$ref": "#/$defs/addr"},
"expire": {"description":"Expiry time of the shunt.", "type": "number"},
"orig_p": {"description":"The originator's port number.", "$ref": "#/$defs/port"},
"location": {"description":"Location where the underlying action was triggered.", "type": "string"},
"resp_h": {"description":"The responder's IP address.", "$ref": "#/$defs/addr"},
"rule_id": {"description":"ID of the rule; unique during each Zeek run.", "type": "string"}
},
"additionalProperties": false
},
{
"title": "smb_mapping",
"description": "Definition of the smb_mapping log for this installation",
"type": "object",
"properties": {
"_path": {"const": "smb_mapping"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"description":"Time when the tree was mapped.", "$ref": "#/$defs/time"},
"service": {"description":"The type of resource of the tree (disk share, printer share, named pipe, etc.).", "type": "string"},
"native_file_system": {"description":"File system of the tree.", "type": "string"},
"uid": {"description":"Unique ID of the connection the tree was mapped over.", "type": "string"},
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/$defs/port"},
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/$defs/port"},
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/$defs/addr"},
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/$defs/addr"},
"path": {"description":"Name of the tree path.", "type": "string"},
"share_type": {"description":"If this is SMB2, a share type will be included. For SMB1,\nthe type of share will be deduced and included as well.", "type": "string"}
},
"additionalProperties": false
},
{
"title": "suricata_eve",
"description": "Definition of the suricata_eve log for this installation",
"type": "object",
"properties": {
"_path": {"const": "suricata_eve"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"raw_alert": {"description":"The raw alert string from Suricata", "type": "string"}
},
"additionalProperties": false
},
{
"title": "ldap_search",
"description": "Definition of the ldap_search log for this installation",
"type": "object",
"properties": {
"_path": {"const": "ldap_search"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"$ref": "#/$defs/time"},
"deref": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
"message_id": {"$ref": "#/$defs/int"},
"base_object": {"type": "array", "items": {"type": "string"}},
"result_count": {"$ref": "#/$defs/count"},
"uid": {"type": "string"},
"result": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
"scope": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
"diagnostic_message": {"type": "array", "items": {"type": "string"}},
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/$defs/port"},
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/$defs/port"},
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/$defs/addr"},
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/$defs/addr"},
"proto": {"type": "string"}
},
"additionalProperties": false
},
{
"title": "irc",
"description": "Definition of the irc log for this installation",
"type": "object",
"properties": {
"_path": {"const": "irc"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"description":"Timestamp when the command was seen.", "$ref": "#/$defs/time"},
"dcc_mime_type": {"description":"Sniffed mime type of the file.", "type": "string"},
"user": {"description":"Username given for the connection.", "type": "string"},
"value": {"description":"Value for the command given by the client.", "type": "string"},
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/$defs/port"},
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/$defs/port"},
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/$defs/addr"},
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/$defs/addr"},
"addl": {"description":"Any additional data for the command.", "type": "string"},
"dcc_file_size": {"description":"Size of the DCC transfer as indicated by the sender.", "$ref": "#/$defs/count"},
"fuid": {"description":"File unique ID.", "type": "string"},
"uid": {"description":"Unique ID for the connection.", "type": "string"},
"dcc_file_name": {"description":"DCC filename requested.", "type": "string"},
"nick": {"description":"Nickname given for the connection.", "type": "string"},
"command": {"description":"Command given by the client.", "type": "string"}
},
"additionalProperties": false
},
{
"title": "ipsec",
"description": "Definition of the ipsec log for this installation",
"type": "object",
"properties": {
"_path": {"const": "ipsec"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"message_id": {"description":"Message ID", "$ref": "#/$defs/count"},
"flag_a": {"description":"Flag A", "type": "boolean"},
"transforms": {"description":"Transforms", "type": "array", "items": {"type": "string"}},
"flag_c": {"description":"Flag C", "type": "boolean"},
"maj_ver": {"description":"Major Version", "$ref": "#/$defs/count"},
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/$defs/port"},
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/$defs/port"},
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/$defs/addr"},
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/$defs/addr"},
"proposals": {"description":"Proposals", "type": "array", "items": {"$ref": "#/$defs/count"}},
"flag_r": {"description":"Flag R", "type": "boolean"},
"flag_e": {"description":"Flag E", "type": "boolean"},
"uid": {"type": "string"},
"is_orig": {"type": "boolean"},
"exchange_type": {"description":"Exchange Type", "$ref": "#/$defs/count"},
"vendor_ids": {"description":"Vendor IDs", "type": "array", "items": {"type": "string"}},
"ke_dh_groups": {"description":"KE DH Group number", "type": "array", "items": {"$ref": "#/$defs/count"}},
"responder_spi": {"description":"Responder security parameters index", "type": "string"},
"transform_attributes": {"description":"Transform Attributes", "type": "array", "items": {"type": "string"}},
"certificates": {"description":"Certificate hashes", "type": "array", "items": {"type": "string"}},
"ts": {"$ref": "#/$defs/time"},
"notify_messages": {"description":"Notify Message Types", "type": "array", "items": {"type": "string"}},
"length": {"description":"Length of headers plus payload", "$ref": "#/$defs/count"},
"flag_v": {"description":"Flag V", "type": "boolean"},
"hash": {"description":"Cipher hash of this IPSec transaction info:\nvendor_ids, notify_messages, transforms, ke_dh_groups, and proposals", "type": "string"},
"flag_i": {"description":"Flag I", "type": "boolean"},
"initiator_spi": {"description":"Initiator security parameters index", "type": "string"},
"min_ver": {"description":"Minor Version", "$ref": "#/$defs/count"}
},
"additionalProperties": false
},
{
"title": "ntp",
"description": "Definition of the ntp log for this installation",
"type": "object",
"properties": {
"_path": {"const": "ntp"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"root_delay": {"description":"Total round-trip delay to the reference clock.", "type": "number"},
"mode": {"description":"The NTP mode being used.", "$ref": "#/$defs/count"},
"ref_id": {"description":"For stratum 0, 4 character string used for debugging.\nFor stratum 1, ID assigned to the reference clock by IANA.\nAbove stratum 1, when using IPv4, the IP address of the reference\nclock. Note that the NTP protocol did not originally specify a\nlarge enough field to represent IPv6 addresses, so they use\nthe first four bytes of the MD5 hash of the reference clock's\nIPv6 address (i.e. an IPv4 address here is not necessarily IPv4).", "type": "string"},
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/$defs/port"},
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/$defs/port"},
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/$defs/addr"},
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/$defs/addr"},
"stratum": {"description":"The stratum (primary server, secondary server, etc.).", "$ref": "#/$defs/count"},
"ref_time": {"description":"Time when the system clock was last set or correct.", "$ref": "#/$defs/time"},
"xmt_time": {"description":"Time at the server when the response departed for the NTP client.", "$ref": "#/$defs/time"},
"uid": {"description":"Unique ID for the connection.", "type": "string"},
"poll": {"description":"The maximum interval between successive messages.", "type": "number"},
"version": {"description":"The NTP version number (1, 2, 3, 4).", "$ref": "#/$defs/count"},
"ts": {"description":"Timestamp for when the event happened.", "$ref": "#/$defs/time"},
"rec_time": {"description":"Time at the server when the request arrived from the NTP client.", "$ref": "#/$defs/time"},
"num_exts": {"description":"Number of extension fields (which are not currently parsed).", "$ref": "#/$defs/count"},
"root_disp": {"description":"Total dispersion to the reference clock.", "type": "number"},
"org_time": {"description":"Time at the client when the request departed for the NTP server.", "$ref": "#/$defs/time"},
"precision": {"description":"The precision of the system clock.", "type": "number"}
},
"additionalProperties": false
},
{
"title": "reporter",
"description": "Definition of the reporter log for this installation",
"type": "object",
"properties": {
"_path": {"const": "reporter"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"description":"The network time at which the reporter event was generated.", "$ref": "#/$defs/time"},
"message": {"description":"An info/warning/error message that could have either been\ngenerated from the internal Zeek core or at the scripting-layer.", "type": "string"},
"location": {"description":"This is the location in a Zeek script where the message originated.\nNot all reporter messages will have locations in them though.", "type": "string"},
"level": {"description":"The severity of the reporter message. Levels are INFO for informational\nmessages, not needing specific attention; WARNING for warning of a potential\nproblem, and ERROR for a non-fatal error that should be addressed, but doesn't\nterminate program execution.", "type": "string"}
},
"additionalProperties": false
},
{
"title": "sip",
"description": "Definition of the sip log for this installation",
"type": "object",
"properties": {
"_path": {"const": "sip"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"request_path": {"description":"The client message transmission path, as extracted from the headers.", "type": "array", "items": {"type": "string"}},
"method": {"description":"Verb used in the SIP request (INVITE, REGISTER etc.).", "type": "string"},
"reply_to": {"description":"Contents of the Reply-To: header", "type": "string"},
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/$defs/port"},
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/$defs/port"},
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/$defs/addr"},
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/$defs/addr"},
"response_path": {"description":"The server message transmission path, as extracted from the headers.", "type": "array", "items": {"type": "string"}},
"trans_depth": {"description":"Represents the pipelined depth into the connection of this\nrequest/response transaction.", "$ref": "#/$defs/count"},
"date": {"description":"Contents of the Date: header from the client", "type": "string"},
"request_body_len": {"description":"Contents of the Content-Length: header from the client", "$ref": "#/$defs/count"},
"subject": {"description":"Contents of the Subject: header from the client", "type": "string"},
"uid": {"description":"Unique ID for the connection.", "type": "string"},
"call_id": {"description":"Contents of the Call-ID: header from the client", "type": "string"},
"uri": {"description":"URI used in the request.", "type": "string"},
"content_type": {"description":"Contents of the Content-Type: header from the server", "type": "string"},
"ts": {"description":"Timestamp for when the request happened.", "$ref": "#/$defs/time"},
"status_code": {"description":"Status code returned by the server.", "$ref": "#/$defs/count"},
"response_to": {"description":"Contents of the response To: header", "type": "string"},
"status_msg": {"description":"Status message returned by the server.", "type": "string"},
"warning": {"description":"Contents of the Warning: header", "type": "string"},
"response_from": {"description":"Contents of the response From: header\nNote: The ``tag=`` value that's usually appended to the sender\nis stripped off and not logged.", "type": "string"},
"request_to": {"description":"Contents of the To: header", "type": "string"},
"response_body_len": {"description":"Contents of the Content-Length: header from the server", "$ref": "#/$defs/count"},
"seq": {"description":"Contents of the CSeq: header from the client", "type": "string"},
"request_from": {"description":"Contents of the request From: header\nNote: The tag= value that's usually appended to the sender\nis stripped off and not logged.", "type": "string"},
"user_agent": {"description":"Contents of the User-Agent: header from the client", "type": "string"}
},
"additionalProperties": false
},
{
"title": "broker",
"description": "Definition of the broker log for this installation",
"type": "object",
"properties": {
"_path": {"const": "broker"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"description":"The network time at which a Broker event occurred.", "$ref": "#/$defs/time"},
"message": {"description":"An optional message describing the Broker event in more detail", "type": "string"},
"ev": {"description":"The event being logged.", "type": "string"},
"ty": {"description":"The type of the Broker event.", "type": "string"},
"peer.bound_port": {"description":"The port where the endpoint is bound to.", "$ref": "#/$defs/port"},
"peer.address": {"description":"The IP address or hostname where the endpoint listens.", "type": "string"}
},
"additionalProperties": false
},
{
"title": "dns",
"description": "Definition of the dns log for this installation",
"type": "object",
"properties": {
"_path": {"const": "dns"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"Z": {"description":"A reserved field that is usually zero in\nqueries and responses.", "$ref": "#/$defs/count"},
"trans_id": {"description":"A 16-bit identifier assigned by the program that generated\nthe DNS query. Also used in responses to match up replies to\noutstanding queries.", "$ref": "#/$defs/count"},
"rcode_name": {"description":"A descriptive name for the response code value.", "type": "string"},
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/$defs/port"},
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/$defs/port"},
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/$defs/addr"},
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/$defs/addr"},
"qclass_name": {"description":"A descriptive name for the class of the query.", "type": "string"},
"uid": {"description":"A unique identifier of the connection over which DNS messages\nare being transferred.", "type": "string"},
"answers": {"description":"The set of resource descriptions in the query answer.", "type": "array", "items": {"type": "string"}},
"query": {"description":"The domain name that is the subject of the DNS query.", "type": "string"},
"RA": {"description":"The Recursion Available bit in a response message indicates\nthat the name server supports recursive queries.", "type": "boolean"},
"RD": {"description":"The Recursion Desired bit in a request message indicates that\nthe client wants recursive service for this query.", "type": "boolean"},
"proto": {"description":"The transport layer protocol of the connection.", "type": "string"},
"TC": {"description":"The Truncation bit specifies that the message was truncated.", "type": "boolean"},
"rcode": {"description":"The response code value in DNS response messages.", "$ref": "#/$defs/count"},
"ts": {"description":"The earliest time at which a DNS protocol message over the\nassociated connection is observed.", "$ref": "#/$defs/time"},
"qtype": {"description":"A QTYPE value specifying the type of the query.", "$ref": "#/$defs/count"},
"AA": {"description":"The Authoritative Answer bit for response messages specifies\nthat the responding name server is an authority for the\ndomain name in the question section.", "type": "boolean"},
"TTLs": {"description":"The caching intervals of the associated RRs described by the\n*answers* field.", "type": "array", "items": {"type": "number"}},
"qclass": {"description":"The QCLASS value specifying the class of the query.", "$ref": "#/$defs/count"},
"rtt": {"description":"Round trip time for the query and response. This indicates\nthe delay between when the request was seen until the\nanswer started.", "type": "number"},
"qtype_name": {"description":"A descriptive name for the type of the query.", "type": "string"},
"rejected": {"description":"The DNS query was rejected by the server.", "type": "boolean"}
},
"additionalProperties": false
},
{
"title": "corelight_cloud_stats",
"description": "Definition of the corelight_cloud_stats log for this installation",
"type": "object",
"properties": {
"_path": {"const": "corelight_cloud_stats"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"extracted_files_disk_files": {"$ref": "#/$defs/count"},
"bytes_recv": {"description":"Number of bytes received since the last stats interval if\nreading live traffic.", "$ref": "#/$defs/count"},
"pkts_link": {"description":"Number of packets seen on the link.", "$ref": "#/$defs/count"},
"extracted_files_ssh_remote_size": {"description":"You will onyl get the following two with STP ", "$ref": "#/$defs/count"},
"extracted_files_ssh_remote_avail": {"$ref": "#/$defs/count"},
"jemalloc_total_allocated": {"$ref": "#/$defs/count"},
"reassem_file_size": {"description":"Current size of File data in reassembly.", "$ref": "#/$defs/count"},
"weirds": {"description":"Number of weirds generated in core.", "$ref": "#/$defs/count"},
"timers": {"description":"Number of timers ever scheduled.", "$ref": "#/$defs/count"},
"disk_free": {"$ref": "#/$defs/int"},
"jemalloc_allocated": {"$ref": "#/$defs/count"},
"batch_logs_ssh_remote_avail": {"$ref": "#/$defs/count"},
"udp_conns": {"description":"UDP connections seen since last stats interval.", "$ref": "#/$defs/count"},
"active_icmp_conns": {"description":"ICMP connections currently in memory.", "$ref": "#/$defs/count"},
"tcp_conns": {"description":"TCP connections seen since last stats interval.", "$ref": "#/$defs/count"},
"active_dns_requests": {"description":"Current number of DNS requests awaiting a reply.", "$ref": "#/$defs/count"},
"final": {"description":"Is this a final stats report before shutdown?", "type": "boolean"},
"batch_logs_ssh_remote_size": {"description":"You will only get the following two with SFTP", "$ref": "#/$defs/count"},
"active_udp_conns": {"description":"UDP connections currently in memory.", "$ref": "#/$defs/count"},
"batch_logs_disk_bytes": {"$ref": "#/$defs/count"},
"jemalloc_total_deallocated": {"$ref": "#/$defs/count"},
"disk_size": {"$ref": "#/$defs/int"},
"jemalloc_active": {"$ref": "#/$defs/count"},
"jemalloc_metadata": {"$ref": "#/$defs/count"},
"batch_logs_disk_files": {"$ref": "#/$defs/count"},
"batch_logs_ssh_files": {"$ref": "#/$defs/count"},
"active_files": {"description":"Current number of files currently being processed.", "$ref": "#/$defs/count"},
"disk_used": {"$ref": "#/$defs/int"},
"pkt_lag": {"description":"Lag between the wall clock and packet timestamps if reading\nlive traffic.", "type": "number"},
"pkts_dropped": {"description":"Number of packets dropped.", "$ref": "#/$defs/count"},
"active_tcp_conns": {"description":"TCP connections currently in memory.", "$ref": "#/$defs/count"},
"extracted_files_ssh_bytes": {"$ref": "#/$defs/count"},
"ts": {"description":"Timestamp for the measurement.", "$ref": "#/$defs/time"},
"jemalloc_resident": {"$ref": "#/$defs/count"},
"reassem_tcp_size": {"description":"Current size of TCP data in reassembly.", "$ref": "#/$defs/count"},
"dns_requests": {"description":"Number of DNS requests seen.", "$ref": "#/$defs/count"},
"events_proc": {"description":"Number of events processed.", "$ref": "#/$defs/count"},
"extracted_files_disk_bytes": {"$ref": "#/$defs/count"},
"disk_avail_pct": {"type": "number"},
"mem": {"description":"Amount of memory currently in use in MB.", "$ref": "#/$defs/count"},
"pkts_proc": {"description":"Number of packets processed since the last stats interval.", "$ref": "#/$defs/count"},
"extracted_files_ssh_files": {"$ref": "#/$defs/count"},
"batch_logs_ssh_bytes": {"$ref": "#/$defs/count"},
"icmp_conns": {"description":"ICMP connections seen since last stats interval.", "$ref": "#/$defs/count"},
"events_queued": {"description":"Number of events that have been queued.", "$ref": "#/$defs/count"},
"jemalloc_retained": {"$ref": "#/$defs/count"},
"peer": {"description":"Peer that generated this log. Mostly for clusters.", "type": "string"},
"files": {"description":"Number of files seen.", "$ref": "#/$defs/count"},
"jemalloc_mapped": {"$ref": "#/$defs/count"},
"extracted_files_failed": {"$ref": "#/$defs/count"},
"active_timers": {"description":"Current number of scheduled timers.", "$ref": "#/$defs/count"},
"reassem_unknown_size": {"description":"Current size of unknown data in reassembly (this is only PIA buffer right now).", "$ref": "#/$defs/count"},
"reassem_frag_size": {"description":"Current size of packet fragment data in reassembly.", "$ref": "#/$defs/count"},
"disk_avail": {"$ref": "#/$defs/int"}
},
"additionalProperties": false
},
{
"title": "icmp_specific_tunnels",
"description": "Definition of the icmp_specific_tunnels log for this installation",
"type": "object",
"properties": {
"_path": {"const": "icmp_specific_tunnels"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"$ref": "#/$defs/time"},
"seq": {"$ref": "#/$defs/count"},
"duration": {"type": "number"},
"tunnel": {"type": "string"},
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/$defs/port"},
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/$defs/port"},
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/$defs/addr"},
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/$defs/addr"},
"start_time": {"$ref": "#/$defs/time"},
"payload": {"type": "string"},
"icmp_id": {"$ref": "#/$defs/count"}
},
"additionalProperties": false
},
{
"title": "ja3sfp",
"description": "Definition of the ja3sfp log for this installation",
"type": "object",
"properties": {
"_path": {"const": "ja3sfp"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"server_version": {"$ref": "#/$defs/count"},
"server_cipher": {"$ref": "#/$defs/count"},
"server_extensions": {"type": "string"}
},
"additionalProperties": false
},
{
"title": "png",
"description": "Definition of the png log for this installation",
"type": "object",
"properties": {
"_path": {"const": "png"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"description":"Current timestamp", "$ref": "#/$defs/time"},
"chunks": {"description":"Chunk types in the PNG, in the order in which they appeared", "type": "array", "items": {"type": "string"}},
"bit_depth": {"description":"Image bit depth", "$ref": "#/$defs/count"},
"height": {"description":"height in pixels", "$ref": "#/$defs/count"},
"interlaced": {"description":"Flag is set to true if image is interlaced", "type": "boolean"},
"id": {"description":"File ID of this PNG", "type": "string"},
"colour_type": {"description":"Image colour type", "type": "string"},
"last_modified": {"description":"Last modification time", "$ref": "#/$defs/time"},
"width": {"description":"Image width in pixels", "$ref": "#/$defs/count"}
},
"additionalProperties": false
},
{
"title": "dce_rpc",
"description": "Definition of the dce_rpc log for this installation",
"type": "object",
"properties": {
"_path": {"const": "dce_rpc"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"description":"Timestamp for when the event happened.", "$ref": "#/$defs/time"},
"uid": {"description":"Unique ID for the connection.", "type": "string"},
"named_pipe": {"description":"Remote pipe name.", "type": "string"},
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/$defs/port"},
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/$defs/port"},
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/$defs/addr"},
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/$defs/addr"},
"endpoint": {"description":"Endpoint name looked up from the uuid.", "type": "string"},
"rtt": {"description":"Round trip time from the request to the response.\nIf either the request or response wasn't seen, \nthis will be null.", "type": "number"},
"operation": {"description":"Operation seen in the call.", "type": "string"}
},
"additionalProperties": false
},
{
"title": "signatures",
"description": "Definition of the signatures log for this installation",
"type": "object",
"properties": {
"_path": {"const": "signatures"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"description":"The network time at which a signature matching type of event\nto be logged has occurred.", "$ref": "#/$defs/time"},
"note": {"description":"Notice associated with signature event.", "type": "string"},
"src_addr": {"description":"The host which triggered the signature match event.", "$ref": "#/$defs/addr"},
"sig_count": {"description":"Number of sigs, usually from summary count.", "$ref": "#/$defs/count"},
"dst_port": {"description":"The destination host port which was sent the payload that\ntriggered the signature match.", "$ref": "#/$defs/port"},
"uid": {"description":"A unique identifier of the connection which triggered the\nsignature match event.", "type": "string"},
"sig_id": {"description":"The name of the signature that matched.", "type": "string"},
"sub_msg": {"description":"Extracted payload data or extra message.", "type": "string"},
"event_msg": {"description":"A more descriptive message of the signature-matching event.", "type": "string"},
"dst_addr": {"description":"The destination host which was sent the payload that\ntriggered the signature match.", "$ref": "#/$defs/addr"},
"src_port": {"description":"The host port on which the signature-matching activity\noccurred.", "$ref": "#/$defs/port"},
"host_count": {"description":"Number of hosts, from a summary count.", "$ref": "#/$defs/count"}
},
"additionalProperties": false
},
{
"title": "socks",
"description": "Definition of the socks log for this installation",
"type": "object",
"properties": {
"_path": {"const": "socks"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"description":"Time when the proxy connection was first detected.", "$ref": "#/$defs/time"},
"bound_p": {"description":"Server bound port.", "$ref": "#/$defs/port"},
"user": {"description":"Username used to request a login to the proxy.", "type": "string"},
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/$defs/port"},
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/$defs/port"},
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/$defs/addr"},
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/$defs/addr"},
"password": {"description":"Password used to request a login to the proxy.", "type": "string"},
"request.host": {"$ref": "#/$defs/addr"},
"request.name": {"type": "string"},
"uid": {"description":"Unique ID for the tunnel - may correspond to connection uid\nor be non-existent.", "type": "string"},
"request_p": {"description":"Client requested port.", "$ref": "#/$defs/port"},
"status": {"description":"Server status for the attempt at using the proxy.", "type": "string"},
"bound.host": {"$ref": "#/$defs/addr"},
"bound.name": {"type": "string"},
"version": {"description":"Protocol version of SOCKS.", "$ref": "#/$defs/count"}
},
"additionalProperties": false
},
{
"title": "corelight_license_capacity",
"description": "Definition of the corelight_license_capacity log for this installation",
"type": "object",
"properties": {
"_path": {"const": "corelight_license_capacity"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"note": {"type": "string"},
"mbps": {"type": "number"}
},
"additionalProperties": false
},
{
"title": "stats",
"description": "Definition of the stats log for this installation",
"type": "object",
"properties": {
"_path": {"const": "stats"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"active_files": {"description":"Current number of files actively being seen.", "$ref": "#/$defs/count"},
"pkts_link": {"description":"Number of packets seen on the link since the last stats\ninterval if reading live traffic.", "$ref": "#/$defs/count"},
"bytes_recv": {"description":"Number of bytes received since the last stats interval if\nreading live traffic.", "$ref": "#/$defs/count"},
"pkt_lag": {"description":"Lag between the wall clock and packet timestamps if reading\nlive traffic.", "type": "number"},
"mem": {"description":"Amount of memory currently in use in MB.", "$ref": "#/$defs/count"},
"active_tcp_conns": {"description":"TCP connections currently in memory.", "$ref": "#/$defs/count"},
"pkts_dropped": {"description":"Number of packets dropped since the last stats interval if\nreading live traffic.", "$ref": "#/$defs/count"},
"reassem_file_size": {"description":"Current size of File data in reassembly.", "$ref": "#/$defs/count"},
"pkts_proc": {"description":"Number of packets processed since the last stats interval.", "$ref": "#/$defs/count"},
"timers": {"description":"Number of timers scheduled since last stats interval.", "$ref": "#/$defs/count"},
"udp_conns": {"description":"UDP connections seen since last stats interval.", "$ref": "#/$defs/count"},
"icmp_conns": {"description":"ICMP connections seen since last stats interval.", "$ref": "#/$defs/count"},
"active_icmp_conns": {"description":"ICMP connections currently in memory.", "$ref": "#/$defs/count"},
"events_queued": {"description":"Number of events that have been queued since the last stats\ninterval.", "$ref": "#/$defs/count"},
"ts": {"description":"Timestamp for the measurement.", "$ref": "#/$defs/time"},
"tcp_conns": {"description":"TCP connections seen since last stats interval.", "$ref": "#/$defs/count"},
"active_dns_requests": {"description":"Current number of DNS requests awaiting a reply.", "$ref": "#/$defs/count"},
"peer": {"description":"Peer that generated this log. Mostly for clusters.", "type": "string"},
"files": {"description":"Number of files seen since last stats interval.", "$ref": "#/$defs/count"},
"active_udp_conns": {"description":"UDP connections currently in memory.", "$ref": "#/$defs/count"},
"active_timers": {"description":"Current number of scheduled timers.", "$ref": "#/$defs/count"},
"reassem_unknown_size": {"description":"Current size of unknown data in reassembly (this is only PIA buffer right now).", "$ref": "#/$defs/count"},
"reassem_frag_size": {"description":"Current size of packet fragment data in reassembly.", "$ref": "#/$defs/count"},
"dns_requests": {"description":"Number of DNS requests seen since last stats interval.", "$ref": "#/$defs/count"},
"reassem_tcp_size": {"description":"Current size of TCP data in reassembly.", "$ref": "#/$defs/count"},
"events_proc": {"description":"Number of events processed since the last stats interval.", "$ref": "#/$defs/count"}
},
"additionalProperties": false
},
{
"title": "conn",
"description": "Definition of the conn log for this installation",
"type": "object",
"properties": {
"_path": {"const": "conn"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"orig_l2_addr": {"description":"Link-layer address of the originator, if available.", "type": "string"},
"conn_state": {"description":"Possible *conn_state* values:\n\n* S0: Connection attempt seen, no reply.\n\n* S1: Connection established, not terminated.\n\n* SF: Normal establishment and termination.\n Note that this is the same symbol as for state S1.\n You can tell the two apart because for S1 there will not be any\n byte counts in the summary, while for SF there will be.\n\n* REJ: Connection attempt rejected.\n\n* S2: Connection established and close attempt by originator seen\n (but no reply from responder).\n\n* S3: Connection established and close attempt by responder seen\n (but no reply from originator).\n\n* RSTO: Connection established, originator aborted (sent a RST).\n\n* RSTR: Responder sent a RST.\n\n* RSTOS0: Originator sent a SYN followed by a RST, we never saw a\n SYN-ACK from the responder.\n\n* RSTRH: Responder sent a SYN ACK followed by a RST, we never saw a\n SYN from the (purported) originator.\n\n* SH: Originator sent a SYN followed by a FIN, we never saw a\n SYN ACK from the responder (hence the connection was \"half\" open).\n\n* SHR: Responder sent a SYN ACK followed by a FIN, we never saw a\n SYN from the originator.\n\n* OTH: No SYN seen, just midstream traffic (one example of this\n is a \"partial connection\" that was not later closed).", "type": "string"},
"resp_l2_addr": {"description":"Link-layer address of the responder, if available.", "type": "string"},
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/$defs/port"},
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/$defs/port"},
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/$defs/addr"},
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/$defs/addr"},
"resp_ip_bytes": {"description":"Number of IP level bytes that the responder sent (as seen on\nthe wire, taken from the IP total_length header field).\nOnly set if :zeek:id:`use_conn_size_analyzer` = T.", "$ref": "#/$defs/count"},
"service": {"description":"An identification of an application protocol being sent over\nthe connection.", "type": "string"},
"local_resp": {"description":"If the connection is responded to locally, this value will be T.\nIf it was responded to remotely it will be F. In the case that\nthe :zeek:id:`Site::local_nets` variable is undefined, this\nfield will be left empty at all times.", "type": "boolean"},
"uid": {"description":"A unique identifier of the connection.", "type": "string"},
"resp_cc": {"description":"Country code for GeoIP lookup of the responding IP address.", "type": "string"},
"duration": {"description":"How long the connection lasted. For 3-way or 4-way connection\ntear-downs, this will not include the final ACK.", "type": "number"},
"proto": {"description":"The transport layer protocol of the connection.", "type": "string"},
"orig_pkts": {"description":"Number of packets that the originator sent.\nOnly set if :zeek:id:`use_conn_size_analyzer` = T.", "$ref": "#/$defs/count"},
"ts": {"description":"This is the time of the first packet.", "$ref": "#/$defs/time"},
"tunnel_parents": {"description":"If this connection was over a tunnel, indicate the\n*uid* values for any encapsulating parent connections\nused over the lifetime of this inner connection.", "type": "array", "items": {"type": "string"}, "uniqueItems": true},
"history": {"description":"Records the state history of connections as a string of\nletters. The meaning of those letters is:\n\n====== ====================================================\nLetter Meaning\n====== ====================================================\ns a SYN w/o the ACK bit set\nh a SYN+ACK (\"handshake\")\na a pure ACK\nd packet with payload (\"data\")\nf packet with FIN bit set\nr packet with RST bit set\nc packet with a bad checksum (applies to UDP too)\ng a content gap\nt packet with retransmitted payload\nw packet with a zero window advertisement\ni inconsistent packet (e.g. FIN+RST bits set)\nq multi-flag packet (SYN+FIN or SYN+RST bits set)\n^ connection direction was flipped by Zeek's heuristic\n====== ====================================================\n\nIf the event comes from the originator, the letter is in\nupper-case; if it comes from the responder, it's in\nlower-case. The 'a', 'd', 'i' and 'q' flags are\nrecorded a maximum of one time in either direction regardless\nof how many are actually seen. 'f', 'h', 'r' and\n's' can be recorded multiple times for either direction\nif the associated sequence number differs from the\nlast-seen packet of the same flag type.\n'c', 'g', 't' and 'w' are recorded in a logarithmic fashion:\nthe second instance represents that the event was seen\n(at least) 10 times; the third instance, 100 times; etc.", "type": "string"},
"orig_bytes": {"description":"The number of payload bytes the originator sent. For TCP\nthis is taken from sequence numbers and might be inaccurate\n(e.g., due to large connections).", "$ref": "#/$defs/count"},
"orig_cc": {"description":"The name of the node where this connection was analyzed.\nCountry code for GeoIP lookup of the originating IP address.", "type": "string"},
"orig_ip_bytes": {"description":"Number of IP level bytes that the originator sent (as seen on\nthe wire, taken from the IP total_length header field).\nOnly set if :zeek:id:`use_conn_size_analyzer` = T.", "$ref": "#/$defs/count"},
"resp_pkts": {"description":"Number of packets that the responder sent.\nOnly set if :zeek:id:`use_conn_size_analyzer` = T.", "$ref": "#/$defs/count"},
"local_orig": {"description":"If the connection is originated locally, this value will be T.\nIf it was originated remotely it will be F. In the case that\nthe :zeek:id:`Site::local_nets` variable is undefined, this\nfield will be left empty at all times.", "type": "boolean"},
"resp_bytes": {"description":"The number of payload bytes the responder sent. See\n*orig_bytes*.", "$ref": "#/$defs/count"},
"community_id": {"type": "string"},
"missed_bytes": {"description":"Indicates the number of bytes missed in content gaps, which\nis representative of packet loss. A value other than zero\nwill normally cause protocol analysis to fail but some\nanalysis may have been completed prior to the packet loss.", "$ref": "#/$defs/count"},
"suri_ids": {"type": "array", "items": {"type": "string"}, "uniqueItems": true}
},
"additionalProperties": false
},
{
"title": "suricata_corelight",
"description": "Definition of the suricata_corelight log for this installation",
"type": "object",
"properties": {
"_path": {"const": "suricata_corelight"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"description":"The Suricata alert timestamp", "$ref": "#/$defs/time"},
"alert.signature": {"type": "string"},
"alert.signature_id": {"$ref": "#/$defs/count"},
"alert.gid": {"$ref": "#/$defs/count"},
"alert.severity": {"$ref": "#/$defs/count"},
"alert.category": {"type": "string"},
"alert.action": {"type": "string"},
"alert.metadata": {"type": "array", "items": {"type": "string"}},
"alert.rev": {"$ref": "#/$defs/count"},
"icmp_code": {"description":"The icmp code if this was ICMP.", "$ref": "#/$defs/count"},
"id.orig_p": {"$ref": "#/$defs/port"},
"id.resp_p": {"$ref": "#/$defs/port"},
"id.orig_h": {"$ref": "#/$defs/addr"},
"id.resp_h": {"$ref": "#/$defs/addr"},
"service": {"description":"The service name (e.g., http)", "type": "string"},
"community_id": {"description":"The community id", "type": "string"},
"uid": {"description":"The conn log identifier [from conn.log].", "type": "string"},
"icmp_type": {"description":"The icmp type if this was ICMP.", "$ref": "#/$defs/count"},
"flow_id": {"description":"The flow id", "$ref": "#/$defs/count"},
"suri_id": {"description":"The Suricata log id.", "type": "string"},
"tx_id": {"description":"The transaction id", "$ref": "#/$defs/count"},
"pcap_cnt": {"description":"The pcap record count", "$ref": "#/$defs/count"},
"metadata": {"description":"Alert metadata, if any", "type": "array", "items": {"type": "string"}}
},
"additionalProperties": false
},
{
"title": "facefish_rootkit",
"description": "Definition of the facefish_rootkit log for this installation",
"type": "object",
"properties": {
"_path": {"const": "facefish_rootkit"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"description":"Time the Facefish rootkit was encountered", "$ref": "#/$defs/time"},
"uid": {"description":"Unique ID for the connection", "type": "string"},
"command": {"description":"Command", "type": "string"},
"is_orig": {"description":"Is orig?", "type": "boolean"},
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/$defs/port"},
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/$defs/port"},
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/$defs/addr"},
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/$defs/addr"},
"crc32_payload": {"description":"CRC32 of the payload", "$ref": "#/$defs/count"},
"payload_len": {"description":"Payload Length", "$ref": "#/$defs/count"}
},
"additionalProperties": false
},
{
"title": "tunnel",
"description": "Definition of the tunnel log for this installation",
"type": "object",
"properties": {
"_path": {"const": "tunnel"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"description":"Time at which some tunnel activity occurred.", "$ref": "#/$defs/time"},
"tunnel_type": {"description":"The type of tunnel.", "type": "string"},
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/$defs/port"},
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/$defs/port"},
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/$defs/addr"},
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/$defs/addr"},
"action": {"description":"The type of activity that occurred.", "type": "string"},
"uid": {"description":"The unique identifier for the tunnel, which may correspond\nto a :zeek:type:`connection`'s *uid* field for non-IP-in-IP tunnels.\nThis is optional because there could be numerous connections\nfor payload proxies like SOCKS but we should treat it as a\nsingle tunnel.", "type": "string"}
},
"additionalProperties": false
},
{
"title": "stun",
"description": "Definition of the stun log for this installation",
"type": "object",
"properties": {
"_path": {"const": "stun"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"$ref": "#/$defs/time"},
"attr_val": {"description":"The attribute value", "type": "string"},
"uid": {"type": "string"},
"method": {"description":"The STUN method", "type": "string"},
"attr_type": {"description":"The attribute type", "type": "string"},
"is_orig": {"type": "boolean"},
"trans_id": {"description":"The transaction ID", "type": "string"},
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/$defs/port"},
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/$defs/port"},
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/$defs/addr"},
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/$defs/addr"},
"class": {"description":"The STUN class", "type": "string"},
"proto": {"description":"The protocol", "type": "string"}
},
"additionalProperties": false
},
{
"title": "dpd",
"description": "Definition of the dpd log for this installation",
"type": "object",
"properties": {
"_path": {"const": "dpd"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"description":"Timestamp for when protocol analysis failed.", "$ref": "#/$defs/time"},
"failure_reason": {"description":"The textual reason for the analysis failure.", "type": "string"},
"analyzer": {"description":"The analyzer that generated the violation.", "type": "string"},
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/$defs/port"},
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/$defs/port"},
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/$defs/addr"},
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/$defs/addr"},
"uid": {"description":"Connection unique ID.", "type": "string"},
"proto": {"description":"Transport protocol for the violation.", "type": "string"}
},
"additionalProperties": false
},
{
"title": "syslog",
"description": "Definition of the syslog log for this installation",
"type": "object",
"properties": {
"_path": {"const": "syslog"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"description":"Timestamp when the syslog message was seen.", "$ref": "#/$defs/time"},
"message": {"description":"The plain text message.", "type": "string"},
"uid": {"description":"Unique ID for the connection.", "type": "string"},
"severity": {"description":"Syslog severity for the message.", "type": "string"},
"facility": {"description":"Syslog facility for the message.", "type": "string"},
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/$defs/port"},
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/$defs/port"},
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/$defs/addr"},
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/$defs/addr"},
"proto": {"description":"Protocol over which the message was seen.", "type": "string"}
},
"additionalProperties": false
},
{
"title": "tftp",
"description": "Definition of the tftp log for this installation",
"type": "object",
"properties": {
"_path": {"const": "tftp"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"description":"Timestamp for when the request happened.", "$ref": "#/$defs/time"},
"error_msg": {"description":"Any error message encountered.", "type": "string"},
"error_code": {"description":"Any error code encountered.", "$ref": "#/$defs/count"},
"wrq": {"description":"True for write requests, False for read request.", "type": "boolean"},
"mode": {"description":"Mode of request.", "type": "string"},
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/$defs/port"},
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/$defs/port"},
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/$defs/addr"},
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/$defs/addr"},
"fname": {"description":"File name of request.", "type": "string"},
"block_sent": {"description":"Highest block number sent.", "$ref": "#/$defs/count"},
"block_acked": {"description":"Highest block number ackknowledged.", "$ref": "#/$defs/count"},
"uid": {"description":"Unique ID for the connection.", "type": "string"},
"uid_data": {"description":"UID of data connection", "type": "string"},
"size": {"description":"Number of bytes sent.", "$ref": "#/$defs/count"}
},
"additionalProperties": false
},
{
"title": "ssl",
"description": "Definition of the ssl log for this installation",
"type": "object",
"properties": {
"_path": {"const": "ssl"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/$defs/port"},
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/$defs/port"},
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/$defs/addr"},
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/$defs/addr"},
"curve": {"description":"Elliptic curve the server chose when using ECDH/ECDHE.", "type": "string"},
"cert_chain_fuids": {"description":"An ordered vector of all certificate file unique IDs for the\ncertificates offered by the server.", "type": "array", "items": {"type": "string"}},
"uid": {"description":"Unique ID for the connection.", "type": "string"},
"established": {"description":"Flag to indicate if this ssl session has been established\nsuccessfully, or if it was aborted during the handshake.", "type": "boolean"},
"subject": {"description":"Subject of the X.509 certificate offered by the server.", "type": "string"},
"next_protocol": {"description":"Next protocol the server chose using the application layer\nnext protocol extension, if present.", "type": "string"},
"version": {"description":"SSL/TLS version that the server chose.", "type": "string"},
"client_issuer": {"description":"Subject of the signer of the X.509 certificate offered by the\nclient.", "type": "string"},
"last_alert": {"description":"Last alert that was seen during the connection.", "type": "string"},
"validation_status": {"description":"Result of certificate validation for this connection.", "type": "string"},
"ja3": {"type": "string"},
"resumed": {"description":"Flag to indicate if the session was resumed reusing\nthe key material exchanged in an earlier connection.", "type": "boolean"},
"client_subject": {"description":"Subject of the X.509 certificate offered by the client.", "type": "string"},
"client_cert_chain_fuids": {"description":"An ordered vector of all certificate file unique IDs for the\ncertificates offered by the client.", "type": "array", "items": {"type": "string"}},
"ts": {"description":"Time when the SSL connection was first detected.", "$ref": "#/$defs/time"},
"issuer": {"description":"Subject of the signer of the X.509 certificate offered by the\nserver.", "type": "string"},
"encrypted_dns_resp_h": {"type": "boolean"},
"cipher": {"description":"SSL/TLS cipher suite that the server chose.", "type": "string"},
"server_name": {"description":"Value of the Server Name Indicator SSL/TLS extension. It\nindicates the server name that the client was requesting.", "type": "string"},
"ja3s": {"type": "string"}
},
"additionalProperties": false
},
{
"title": "notice",
"description": "Definition of the notice log for this installation",
"type": "object",
"properties": {
"_path": {"const": "notice"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"remote_location.region": {"description":"The region.", "type": "string"},
"remote_location.latitude": {"description":"Latitude.", "type": "number"},
"remote_location.city": {"description":"The city.", "type": "string"},
"remote_location.longitude": {"description":"Longitude.", "type": "number"},
"remote_location.country_code": {"description":"The country code.", "type": "string"},
"note": {"description":"The :zeek:type:`Notice::Type` of the notice.", "type": "string"},
"src": {"description":"Source address, if we don't have a :zeek:type:`conn_id`.", "$ref": "#/$defs/addr"},
"p": {"description":"Associated port, if we don't have a :zeek:type:`conn_id`.", "$ref": "#/$defs/port"},
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/$defs/port"},
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/$defs/port"},
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/$defs/addr"},
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/$defs/addr"},
"actions": {"description":"The actions which have been applied to this notice.", "type": "array", "items": {"type": "string"}, "uniqueItems": true},
"fuid": {"description":"A file unique ID if this notice is related to a file. If\nthe *f* field is provided, this will be automatically filled\nout.", "type": "string"},
"uid": {"description":"A connection UID which uniquely identifies the endpoints\nconcerned with the notice.", "type": "string"},
"proto": {"description":"The transport protocol. Filled automatically when either\n*conn*, *iconn* or *p* is specified.", "type": "string"},
"sub": {"description":"The human readable sub-message.", "type": "string"},
"n": {"description":"Associated count, or perhaps a status code.", "$ref": "#/$defs/count"},
"ts": {"description":"An absolute time indicating when the notice occurred,\ndefaults to the current network time.", "$ref": "#/$defs/time"},
"file_desc": {"description":"Frequently files can be \"described\" to give a bit more\ncontext. This field will typically be automatically filled\nout from an fa_file record. For example, if a notice was\nrelated to a file over HTTP, the URL of the request would\nbe shown.", "type": "string"},
"peer_descr": {"description":"Textual description for the peer that raised this notice,\nincluding name, host address and port.", "type": "string"},
"dst": {"description":"Destination address.", "$ref": "#/$defs/addr"},
"suppress_for": {"description":"This field indicates the length of time that this\nunique notice should be suppressed.", "type": "number"},
"msg": {"description":"The human readable message for the notice.", "type": "string"},
"file_mime_type": {"description":"A mime type if the notice is related to a file. If the *f*\nfield is provided, this will be automatically filled out.", "type": "string"}
},
"additionalProperties": false
},
{
"title": "loaded_scripts",
"description": "Definition of the loaded_scripts log for this installation",
"type": "object",
"properties": {
"_path": {"const": "loaded_scripts"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"name": {"description":"Name of the script loaded potentially with spaces included\nbefore the file name to indicate load depth. The convention\nis two spaces per level of depth.", "type": "string"}
},
"additionalProperties": false
},
{
"title": "weird",
"description": "Definition of the weird log for this installation",
"type": "object",
"properties": {
"_path": {"const": "weird"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"description":"The time when the weird occurred.", "$ref": "#/$defs/time"},
"notice": {"description":"Indicate if this weird was also turned into a notice.", "type": "boolean"},
"addl": {"description":"Additional information accompanying the weird if any.", "type": "string"},
"name": {"description":"The name of the weird that occurred.", "type": "string"},
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/$defs/port"},
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/$defs/port"},
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/$defs/addr"},
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/$defs/addr"},
"peer": {"description":"The peer that originated this weird. This is helpful in\ncluster deployments if a particular cluster node is having\ntrouble to help identify which node is having trouble.", "type": "string"},
"source": {"description":"The source of the weird. When reported by an analyzer, this\nshould be the name of the analyzer.", "type": "string"},
"uid": {"description":"If a connection is associated with this weird, this will be\nthe connection's unique ID.", "type": "string"}
},
"additionalProperties": false
},
{
"title": "radius",
"description": "Definition of the radius log for this installation",
"type": "object",
"properties": {
"_path": {"const": "radius"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"description":"Timestamp for when the event happened.", "$ref": "#/$defs/time"},
"ttl": {"description":"The duration between the first request and\neither the \"Access-Accept\" message or an error.\nIf the field is empty, it means that either\nthe request or response was not seen.", "type": "number"},
"tunnel_client": {"description":"Address (IPv4, IPv6, or FQDN) of the initiator end of the tunnel,\nif present. This is collected from the Tunnel-Client-Endpoint\nattribute.", "type": "string"},
"result": {"description":"Successful or failed authentication.", "type": "string"},
"connect_info": {"description":"Connect info, if present.", "type": "string"},
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/$defs/port"},
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/$defs/port"},
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/$defs/addr"},
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/$defs/addr"},
"mac": {"description":"MAC address, if present.", "type": "string"},
"uid": {"description":"Unique ID for the connection.", "type": "string"},
"username": {"description":"The username, if present.", "type": "string"},
"framed_addr": {"description":"The address given to the network access server, if\npresent. This is only a hint from the RADIUS server\nand the network access server is not required to honor \nthe address.", "$ref": "#/$defs/addr"},
"reply_msg": {"description":"Reply message from the server challenge. This is \nfrequently shown to the user authenticating.", "type": "string"}
},
"additionalProperties": false
},
{
"title": "cluster",
"description": "Definition of the cluster log for this installation",
"type": "object",
"properties": {
"_path": {"const": "cluster"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"description":"The time at which a cluster message was generated.", "$ref": "#/$defs/time"},
"message": {"description":"A message indicating information about the cluster's operation.", "type": "string"},
"node": {"description":"The name of the node that is creating the log record.", "type": "string"}
},
"additionalProperties": false
},
{
"title": "capture_loss",
"description": "Definition of the capture_loss log for this installation",
"type": "object",
"properties": {
"_path": {"const": "capture_loss"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"description":"Timestamp for when the measurement occurred.", "$ref": "#/$defs/time"},
"ts_delta": {"description":"The time delay between this measurement and the last.", "type": "number"},
"peer": {"description":"In the event that there are multiple Zeek instances logging\nto the same host, this distinguishes each peer with its\nindividual name.", "type": "string"},
"acks": {"description":"Total number of ACKs seen in the previous measurement interval.", "$ref": "#/$defs/count"},
"gaps": {"description":"Number of missed ACKs from the previous measurement interval.", "$ref": "#/$defs/count"},
"percent_lost": {"description":"Percentage of ACKs seen where the data being ACKed wasn't seen.", "type": "number"}
},
"additionalProperties": false
},
{
"title": "netcontrol",
"description": "Definition of the netcontrol log for this installation",
"type": "object",
"properties": {
"_path": {"const": "netcontrol"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"description":"Time at which the recorded activity occurred.", "$ref": "#/$defs/time"},
"plugin": {"description":"Plugin triggering the log entry.", "type": "string"},
"expire": {"description":"Expiry time of the log entry.", "type": "number"},
"action": {"description":"String describing an action the entry is about.", "type": "string"},
"msg": {"description":"String with an additional message.", "type": "string"},
"location": {"description":"Location where the underlying action was triggered.", "type": "string"},
"rule_id": {"description":"ID of the rule; unique during each Zeek run.", "type": "string"},
"entity_type": {"description":"Type of the entity the log entry is about.", "type": "string"},
"category": {"description":"Type of the log entry.", "type": "string"},
"target": {"description":"The target type of the action.", "type": "string"},
"entity": {"description":"String describing the entity the log entry is about.", "type": "string"},
"state": {"description":"State the log entry reflects.", "type": "string"},
"cmd": {"description":"The command the log entry is about.", "type": "string"},
"mod": {"description":"String describing the optional modification of the entry (e.h. redirect)", "type": "string"},
"priority": {"description":"Number describing the priority of the log entry.", "$ref": "#/$defs/int"}
},
"additionalProperties": false
},
{
"title": "config",
"description": "Definition of the config log for this installation",
"type": "object",
"properties": {
"_path": {"const": "config"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"description":"Timestamp at which the configuration change occured.", "$ref": "#/$defs/time"},
"new_value": {"description":"Value after the change.", "type": "string"},
"old_value": {"description":"Value before the change.", "type": "string"},
"id": {"description":"ID of the value that was changed.", "type": "string"},
"location": {"description":"Optional location that triggered the change.", "type": "string"}
},
"additionalProperties": false
},
{
"title": "dhcp",
"description": "Definition of the dhcp log for this installation",
"type": "object",
"properties": {
"_path": {"const": "dhcp"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"msg_types": {"description":"The DHCP message types seen by this DHCP transaction", "type": "array", "items": {"type": "string"}},
"assigned_addr": {"description":"IP address assigned by the server.", "$ref": "#/$defs/addr"},
"mac": {"description":"Client's hardware address.", "type": "string"},
"client_fqdn": {"description":"FQDN given by client in Client FQDN option 81.", "type": "string"},
"server_addr": {"description":"IP address of the server involved in actually\nhanding out the lease. There could be other\nservers replying with OFFER messages which won't\nbe represented here. Getting an address in this\nfield also requires that the server handing out\nthe lease also sources packets from a non-broadcast\nIP address.", "$ref": "#/$defs/addr"},
"duration": {"description":"Duration of the DHCP \"session\" representing the \ntime from the first message to the last.", "type": "number"},
"requested_addr": {"description":"IP address requested by the client.", "$ref": "#/$defs/addr"},
"server_message": {"description":"Message typically accompanied with a DHCP_NAK to let\nthe client know why it rejected the request.", "type": "string"},
"domain": {"description":"Domain given by the server in option 15.", "type": "string"},
"ts": {"description":"The earliest time at which a DHCP message over the\nassociated connection is observed.", "$ref": "#/$defs/time"},
"client_message": {"description":"Message typically accompanied with a DHCP_DECLINE\nso the client can tell the server why it rejected\nan address.", "type": "string"},
"client_addr": {"description":"IP address of the client. If a transaction\nis only a client sending INFORM messages then\nthere is no lease information exchanged so this\nis helpful to know who sent the messages.\nGetting an address in this field does require\nthat the client sources at least one DHCP message\nusing a non-broadcast address.", "$ref": "#/$defs/addr"},
"uids": {"description":"A series of unique identifiers of the connections over which\nDHCP is occurring. This behavior with multiple connections is\nunique to DHCP because of the way it uses broadcast packets\non local networks.", "type": "array", "items": {"type": "string"}, "uniqueItems": true},
"lease_time": {"description":"IP address lease interval.", "type": "number"},
"host_name": {"description":"Name given by client in Hostname option 12.", "type": "string"}
},
"additionalProperties": false
},
{
"title": "corelight_profiling",
"description": "Definition of the corelight_profiling log for this installation",
"type": "object",
"properties": {
"_path": {"const": "corelight_profiling"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"$ref": "#/$defs/time"},
"prof.core_stack": {"type": "string"},
"prof.sched_wait_ns": {"$ref": "#/$defs/count"},
"prof.script_stack": {"description":"Execution state is not always within the script interpreter\nso there won't always be a script stack which forces this to be optional", "type": "string"},
"node": {"type": "string"}
},
"additionalProperties": false
},
{
"title": "conn_long",
"description": "Definition of the conn_long log for this installation",
"type": "object",
"properties": {
"_path": {"const": "conn_long"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"orig_l2_addr": {"description":"Link-layer address of the originator, if available.", "type": "string"},
"conn_state": {"description":"Possible *conn_state* values:\n\n* S0: Connection attempt seen, no reply.\n\n* S1: Connection established, not terminated.\n\n* SF: Normal establishment and termination.\n Note that this is the same symbol as for state S1.\n You can tell the two apart because for S1 there will not be any\n byte counts in the summary, while for SF there will be.\n\n* REJ: Connection attempt rejected.\n\n* S2: Connection established and close attempt by originator seen\n (but no reply from responder).\n\n* S3: Connection established and close attempt by responder seen\n (but no reply from originator).\n\n* RSTO: Connection established, originator aborted (sent a RST).\n\n* RSTR: Responder sent a RST.\n\n* RSTOS0: Originator sent a SYN followed by a RST, we never saw a\n SYN-ACK from the responder.\n\n* RSTRH: Responder sent a SYN ACK followed by a RST, we never saw a\n SYN from the (purported) originator.\n\n* SH: Originator sent a SYN followed by a FIN, we never saw a\n SYN ACK from the responder (hence the connection was \"half\" open).\n\n* SHR: Responder sent a SYN ACK followed by a FIN, we never saw a\n SYN from the originator.\n\n* OTH: No SYN seen, just midstream traffic (one example of this\n is a \"partial connection\" that was not later closed).", "type": "string"},
"resp_l2_addr": {"description":"Link-layer address of the responder, if available.", "type": "string"},
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/$defs/port"},
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/$defs/port"},
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/$defs/addr"},
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/$defs/addr"},
"resp_ip_bytes": {"description":"Number of IP level bytes that the responder sent (as seen on\nthe wire, taken from the IP total_length header field).\nOnly set if :zeek:id:`use_conn_size_analyzer` = T.", "$ref": "#/$defs/count"},
"service": {"description":"An identification of an application protocol being sent over\nthe connection.", "type": "string"},
"local_resp": {"description":"If the connection is responded to locally, this value will be T.\nIf it was responded to remotely it will be F. In the case that\nthe :zeek:id:`Site::local_nets` variable is undefined, this\nfield will be left empty at all times.", "type": "boolean"},
"uid": {"description":"A unique identifier of the connection.", "type": "string"},
"resp_cc": {"description":"Country code for GeoIP lookup of the responding IP address.", "type": "string"},
"duration": {"description":"How long the connection lasted. For 3-way or 4-way connection\ntear-downs, this will not include the final ACK.", "type": "number"},
"proto": {"description":"The transport layer protocol of the connection.", "type": "string"},
"orig_pkts": {"description":"Number of packets that the originator sent.\nOnly set if :zeek:id:`use_conn_size_analyzer` = T.", "$ref": "#/$defs/count"},
"ts": {"description":"This is the time of the first packet.", "$ref": "#/$defs/time"},
"tunnel_parents": {"description":"If this connection was over a tunnel, indicate the\n*uid* values for any encapsulating parent connections\nused over the lifetime of this inner connection.", "type": "array", "items": {"type": "string"}, "uniqueItems": true},
"history": {"description":"Records the state history of connections as a string of\nletters. The meaning of those letters is:\n\n====== ====================================================\nLetter Meaning\n====== ====================================================\ns a SYN w/o the ACK bit set\nh a SYN+ACK (\"handshake\")\na a pure ACK\nd packet with payload (\"data\")\nf packet with FIN bit set\nr packet with RST bit set\nc packet with a bad checksum (applies to UDP too)\ng a content gap\nt packet with retransmitted payload\nw packet with a zero window advertisement\ni inconsistent packet (e.g. FIN+RST bits set)\nq multi-flag packet (SYN+FIN or SYN+RST bits set)\n^ connection direction was flipped by Zeek's heuristic\n====== ====================================================\n\nIf the event comes from the originator, the letter is in\nupper-case; if it comes from the responder, it's in\nlower-case. The 'a', 'd', 'i' and 'q' flags are\nrecorded a maximum of one time in either direction regardless\nof how many are actually seen. 'f', 'h', 'r' and\n's' can be recorded multiple times for either direction\nif the associated sequence number differs from the\nlast-seen packet of the same flag type.\n'c', 'g', 't' and 'w' are recorded in a logarithmic fashion:\nthe second instance represents that the event was seen\n(at least) 10 times; the third instance, 100 times; etc.", "type": "string"},
"orig_bytes": {"description":"The number of payload bytes the originator sent. For TCP\nthis is taken from sequence numbers and might be inaccurate\n(e.g., due to large connections).", "$ref": "#/$defs/count"},
"orig_cc": {"description":"The name of the node where this connection was analyzed.\nCountry code for GeoIP lookup of the originating IP address.", "type": "string"},
"orig_ip_bytes": {"description":"Number of IP level bytes that the originator sent (as seen on\nthe wire, taken from the IP total_length header field).\nOnly set if :zeek:id:`use_conn_size_analyzer` = T.", "$ref": "#/$defs/count"},
"resp_pkts": {"description":"Number of packets that the responder sent.\nOnly set if :zeek:id:`use_conn_size_analyzer` = T.", "$ref": "#/$defs/count"},
"local_orig": {"description":"If the connection is originated locally, this value will be T.\nIf it was originated remotely it will be F. In the case that\nthe :zeek:id:`Site::local_nets` variable is undefined, this\nfield will be left empty at all times.", "type": "boolean"},
"resp_bytes": {"description":"The number of payload bytes the responder sent. See\n*orig_bytes*.", "$ref": "#/$defs/count"},
"community_id": {"type": "string"},
"missed_bytes": {"description":"Indicates the number of bytes missed in content gaps, which\nis representative of packet loss. A value other than zero\nwill normally cause protocol analysis to fail but some\nanalysis may have been completed prior to the packet loss.", "$ref": "#/$defs/count"},
"suri_ids": {"type": "array", "items": {"type": "string"}, "uniqueItems": true}
},
"additionalProperties": false
},
{
"title": "packet_filter",
"description": "Definition of the packet_filter log for this installation",
"type": "object",
"properties": {
"_path": {"const": "packet_filter"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"description":"The time at which the packet filter installation attempt was made.", "$ref": "#/$defs/time"},
"init": {"description":"Indicate if this is the filter set during initialization.", "type": "boolean"},
"filter": {"description":"The packet filter that is being set.", "type": "string"},
"node": {"description":"This is a string representation of the node that applied this\npacket filter. It's mostly useful in the context of\ndynamically changing filters on clusters.", "type": "string"},
"success": {"description":"Indicate if the filter was applied successfully.", "type": "boolean"}
},
"additionalProperties": false
},
{
"title": "http",
"description": "Definition of the http log for this installation",
"type": "object",
"properties": {
"_path": {"const": "http"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"method": {"description":"Verb used in the HTTP request (GET, POST, HEAD, etc.).", "type": "string"},
"orig_fuids": {"description":"An ordered vector of file unique IDs.\nLimited to :zeek:see:`HTTP::max_files_orig` entries.", "type": "array", "items": {"type": "string"}},
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/$defs/port"},
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/$defs/port"},
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/$defs/addr"},
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/$defs/addr"},
"request_body_len": {"description":"Actual uncompressed content size of the data transferred from\nthe client.", "$ref": "#/$defs/count"},
"tags": {"description":"A set of indicators of various attributes discovered and\nrelated to a particular request/response pair.", "type": "array", "items": {"type": "string"}, "uniqueItems": true},
"proxied": {"description":"All of the headers that may indicate if the request was proxied.", "type": "array", "items": {"type": "string"}, "uniqueItems": true},
"uid": {"description":"Unique ID for the connection.", "type": "string"},
"version": {"description":"Value of the version portion of the request.", "type": "string"},
"status_code": {"description":"Status code returned by the server.", "$ref": "#/$defs/count"},
"status_msg": {"description":"Status message returned by the server.", "type": "string"},
"resp_filenames": {"description":"An ordered vector of filenames from the server.\nLimited to :zeek:see:`HTTP::max_files_resp` entries.", "type": "array", "items": {"type": "string"}},
"orig_filenames": {"description":"An ordered vector of filenames from the client.\nLimited to :zeek:see:`HTTP::max_files_orig` entries.", "type": "array", "items": {"type": "string"}},
"resp_fuids": {"description":"An ordered vector of file unique IDs.\nLimited to :zeek:see:`HTTP::max_files_resp` entries.", "type": "array", "items": {"type": "string"}},
"post_body": {"type": "string"},
"host": {"description":"Value of the HOST header.", "type": "string"},
"uri": {"description":"URI used in the request.", "type": "string"},
"ts": {"description":"Timestamp for when the request happened.", "$ref": "#/$defs/time"},
"info_code": {"description":"Last seen 1xx informational reply code returned by the server.", "$ref": "#/$defs/count"},
"referrer": {"description":"Value of the \"referer\" header. The comment is deliberately\nmisspelled like the standard declares, but the name used here\nis \"referrer\" spelled correctly.", "type": "string"},
"password": {"description":"Password if basic-auth is performed for the request.", "type": "string"},
"origin": {"description":"Value of the Origin header from the client.", "type": "string"},
"info_msg": {"description":"Last seen 1xx informational reply message returned by the server.", "type": "string"},
"response_body_len": {"description":"Actual uncompressed content size of the data transferred from\nthe server.", "$ref": "#/$defs/count"},
"trans_depth": {"description":"Represents the pipelined depth into the connection of this\nrequest/response transaction.", "$ref": "#/$defs/count"},
"orig_mime_types": {"description":"An ordered vector of mime types.\nLimited to :zeek:see:`HTTP::max_files_orig` entries.", "type": "array", "items": {"type": "string"}},
"username": {"description":"Username if basic-auth is performed for the request.", "type": "string"},
"user_agent": {"description":"Value of the User-Agent header from the client.", "type": "string"},
"resp_mime_types": {"description":"An ordered vector of mime types.\nLimited to :zeek:see:`HTTP::max_files_resp` entries.", "type": "array", "items": {"type": "string"}}
},
"additionalProperties": false
},
{
"title": "kerberos",
"description": "Definition of the kerberos log for this installation",
"type": "object",
"properties": {
"_path": {"const": "kerberos"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"error_msg": {"description":"Error message", "type": "string"},
"client_cert_fuid": {"description":"File unique ID of client cert, if any", "type": "string"},
"client_cert_subject": {"description":"Subject of client certificate, if any", "type": "string"},
"renewable": {"description":"Renewable ticket requested", "type": "boolean"},
"server_cert_subject": {"description":"Subject of server certificate, if any", "type": "string"},
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/$defs/port"},
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/$defs/port"},
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/$defs/addr"},
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/$defs/addr"},
"service": {"description":"Service", "type": "string"},
"server_cert_fuid": {"description":"File unique ID of server cert, if any", "type": "string"},
"uid": {"description":"Unique ID for the connection.", "type": "string"},
"client": {"description":"Client", "type": "string"},
"request_type": {"description":"Request type - Authentication Service (\"AS\") or\nTicket Granting Service (\"TGS\")", "type": "string"},
"ts": {"description":"Timestamp for when the event happened.", "$ref": "#/$defs/time"},
"success": {"description":"Request result", "type": "boolean"},
"till": {"description":"Ticket valid till", "$ref": "#/$defs/time"},
"forwardable": {"description":"Forwardable ticket requested", "type": "boolean"},
"cipher": {"description":"Ticket encryption type", "type": "string"},
"from": {"description":"Ticket valid from", "$ref": "#/$defs/time"}
},
"additionalProperties": false
},
{
"title": "ssh",
"description": "Definition of the ssh log for this installation",
"type": "object",
"properties": {
"_path": {"const": "ssh"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"remote_location.region": {"description":"The region.", "type": "string"},
"remote_location.latitude": {"description":"Latitude.", "type": "number"},
"remote_location.city": {"description":"The city.", "type": "string"},
"remote_location.longitude": {"description":"Longitude.", "type": "number"},
"remote_location.country_code": {"description":"The country code.", "type": "string"},
"host_key": {"description":"The server's key fingerprint", "type": "string"},
"auth_success": {"description":"Authentication result (T=success, F=failure, unset=unknown)", "type": "boolean"},
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/$defs/port"},
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/$defs/port"},
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/$defs/addr"},
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/$defs/addr"},
"uid": {"description":"Unique ID for the connection.", "type": "string"},
"cshka": {"type": "string"},
"hasshServerAlgorithms": {"type": "string"},
"mac_alg": {"description":"The signing (MAC) algorithm in use", "type": "string"},
"version": {"description":"SSH major version (1 or 2)", "$ref": "#/$defs/count"},
"hasshServer": {"type": "string"},
"hasshVersion": {"type": "string"},
"compression_alg": {"description":"The compression algorithm in use", "type": "string"},
"cipher_alg": {"description":"The encryption algorithm in use", "type": "string"},
"direction": {"description":"Direction of the connection. If the client was a local host\nlogging into an external host, this would be OUTBOUND. INBOUND\nwould be set for the opposite situation.", "type": "string"},
"hasshAlgorithms": {"type": "string"},
"hassh": {"type": "string"},
"client": {"description":"The client's version string", "type": "string"},
"inferences": {"description":"Inferences from SOL analysis.", "type": "array", "items": {"type": "string"}, "uniqueItems": true},
"ts": {"description":"Time when the SSH connection began.", "$ref": "#/$defs/time"},
"kex_alg": {"description":"The key exchange algorithm in use", "type": "string"},
"host_key_alg": {"description":"The server host key's algorithm", "type": "string"},
"server": {"description":"The server's version string", "type": "string"},
"auth_attempts": {"description":"The number of authentication attemps we observed. There's always\nat least one, since some servers might support no authentication at all.\nIt's important to note that not all of these are failures, since\nsome servers require two-factor auth (e.g. password AND pubkey)", "$ref": "#/$defs/count"},
"sshka": {"type": "string"}
},
"additionalProperties": false
},
{
"title": "wireguard",
"description": "Definition of the wireguard log for this installation",
"type": "object",
"properties": {
"_path": {"const": "wireguard"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"$ref": "#/$defs/time"},
"uid": {"type": "string"},
"established": {"type": "boolean"},
"initiations": {"description":"Number of handshake initiation packets we have encountered during the connection", "$ref": "#/$defs/count"},
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/$defs/port"},
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/$defs/port"},
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/$defs/addr"},
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/$defs/addr"},
"responses": {"description":"Number of handshake response packets we have encountered during the connection", "$ref": "#/$defs/count"}
},
"additionalProperties": false
},
{
"title": "weird_stats",
"description": "Definition of the weird_stats log for this installation",
"type": "object",
"properties": {
"_path": {"const": "weird_stats"},
"_system_name": {"type": "string", "description": "kame of the system that generated the record."},
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/$defs/time"},
"_node": {"type": "string", "description": "Zeek process that generated the record."},
"ts": {"description":"Timestamp for the measurement.", "$ref": "#/$defs/time"},
"num_seen": {"description":"Number of times weird was seen since the last stats interval.", "$ref": "#/$defs/count"},
"name": {"description":"Name of the weird.", "type": "string"}
},
"additionalProperties": false
}
]
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment