Collect Zeek (Bro) logs

This document describes how you can deploy Zeek (formerly Bro) and NXLog with Google Security Operations to collect Zeek logs in JSON format. This document also explains how Zeek log fields map to Google Security Operations Unified Data Model (UDM) fields.

For an overview about Google Security Operations data ingestion, see Data ingestion to Google Security Operations.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the BRO_JSON ingestion label.

Before you begin

  • To understand the components deployed to collect Zeek logs, review the deployment architecture. Each customer deployment might differ from this representation and might be more complex. The following diagram shows how you can configure an NXLog agent and a Google Security Operations forwarder on a Linux server and forward log data to Google Security Operations.

    Deployment architecture

  • Verify the Zeek versions that the Google Security Operations parser supports. The Google Security Operations parser supports the following Zeek versions:

    • Zeek 4.1.0
    • Zeek 4.0.1
    • Zeek 5.2.0
    • Zeek 6.0.0
  • Before you use the Zeek parser, review the changes in field mappings between the previous parser and the current Zeek parser. As part of the migration, ensure that the rules, searches, dashboards, or other processes that depend on the original fields use the updated fields.

    For example, in the previous parser version, the server_name field is mapped to the target.hostname UDM field. In the current Zeek parser, the server_name field is mapped to the network.tls.client.server_name UDM field. If you migrate to the current Zeek parser and use the server_name field in your rules, you need to modify the rules to use the network.tls.client.server_name UDM field of the current parser.

  • Verify the Zeek log types that the Google Security Operations parser supports. The following table lists the Zeek log types that the Google Security Operations parser supports:

    Log type                Description
    Network protocols       Includes log files of network protocols, such as Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS).
    Files                   Includes the following log files: file analysis results, Online Certificate Status Protocol (OCSP), Portable Executable (PE), and X.509 certificate.
    NetControl              Includes log files of NetControl actions and OpenFlow debug logs.
    Detection               Includes log files of intelligence data matches, Zeek notices, alarm stream, signature matches, and traceroute detection.
    Network observations    Includes log files of SSL certificates, hosts that have completed TCP handshakes, Modbus primary and replica, services running on hosts, and software used on the network.

  • If you have not done so already, install and configure Zeek. For more information, see Zeek installation.

  • Collect Zeek logs in JSON format. For more information, see Output Zeek logs to JSON.

  • Ensure that all systems in the deployment architecture are configured with the UTC time zone.

Configure NXLog and Google Security Operations forwarder

  1. Download and install NXLog Community Edition on the Linux machine on which the Google Security Operations forwarder runs.
  2. Create a configuration file for each NXLog instance.
  3. Use the NXLog im_file module to read from the file and parse the lines into fields. Here is an example NXLog configuration:

    LogFile /var/log/nxlog/nxlog.log
    LogLevel INFO

    define ZEEK_OUTPUT_DESTINATION_ADDRESS <hostname>
    define ZEEK_OUTPUT_DESTINATION_PORT <port>

    <Input conn>
      Module      im_file
      File        '/opt/zeek/logs/current/conn.log'
      Exec        $raw_event = "conn" + ' - ' + $raw_event;
    </Input>

    <Input dce_rpc>
      Module      im_file
      File        '/opt/zeek/logs/current/dce_rpc.log'
      Exec        $raw_event = "dce_rpc" + ' - ' + $raw_event;
    </Input>

    <Output out_chronicle>
      Module  om_tcp
      Host    %ZEEK_OUTPUT_DESTINATION_ADDRESS%
      Port    %ZEEK_OUTPUT_DESTINATION_PORT%
    </Output>

    <Route zeek_to_chronicle>
      Path conn, dce_rpc => out_chronicle
    </Route>


    To use the preceding example configuration, do the following:

    • Replace <hostname> and <port> values with information about the destination Linux server.
    • Add input, output, and route elements for each Zeek log type that you want to collect.
  4. Configure the Google Security Operations forwarder to send logs to Google Security Operations. For more information, see Installing and configuring the forwarder on Linux. Here is an example forwarder configuration:

    output:
      url: URL
      identity:
        identity:
        collector_id: COLLECTOR_ID
        customer_id: CUSTOMER_ID
        secret_key: |
          {
            "type": "service_account",
            "project_id": "malachite-projectname",
            "private_key_id": "PRIVATE_KEY_ID",
            "private_key": "PRIVATE_KEY",
            "client_email": "SERVICE_ACCOUNT_NAME@malachite-PROJECT_ID.SERVICE_ACCOUNT_DOMAIN",
            "client_id": "CLIENT_ID",
            "auth_uri": "https://accounts.google.com/o/oauth2/auth",
            "token_uri": "https://oauth2.googleapis.com/token",
            "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
            "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_NAME%40malachite-PROJECT_ID.SERVICE_ACCOUNT_DOMAIN"
          }

    collectors:
    - syslog:
        common:
          enabled: true
          data_type: BRO_JSON
          batch_n_seconds: 10
          batch_n_bytes: 1048576
        tcp_address: 0.0.0.0:10518
        connection_timeout_sec: 60

  5. Replace PRIVATE_KEY_ID, PRIVATE_KEY, SERVICE_ACCOUNT_NAME, PROJECT_ID, CLIENT_ID, SERVICE_ACCOUNT_DOMAIN, URL, COLLECTOR_ID, and CUSTOMER_ID with the respective values from the service account JSON file, which you can download from Google Cloud Platform.

  6. Start the NXLog service.

Forward Logs to Google SecOps using Bindplane agent

  1. Install and set up a Linux Virtual Machine.
  2. Install and configure the Bindplane agent on Linux to forward logs to Google SecOps. For more information about how to install and configure the Bindplane agent, see the Bindplane agent installation and configuration instructions.

If you encounter issues when you create feeds, contact Google SecOps support.

Supported Zeek (Bro) log formats

The Zeek (Bro) parser supports logs in JSON and SYSLOG+JSON format.

Supported Zeek (Bro) sample logs

  • JSON

    {
      "insertId": "1pvsdy2f8v21o8",
      "jsonPayload": {
        "message": "Jun 14 07:46:10 dummyhostname systemd[1]: Stopping System Logging Service..."
      },
      "resource": {
        "type": "gce_instance",
        "labels": {
          "project_id": "cl-tpt-dis-awkc-con17-p-922a",
          "zone": "us-central1-a",
          "instance_id": "4136884722753789246"
        }
      },
      "timestamp": "2024-09-03T19:31:32.353129233Z",
      "labels": {
        "compute.googleapis.com/resource_name": "dummyostname"
      },
      "logName": "projects/cl-tpt-dis-awkc-con17-p-922a/logs/syslog",
      "receiveTimestamp": "2024-09-03T19:31:33.388651657Z"
    }
    
  • SYSLOG + JSON

    <13>1 2021-12-21T23:51:25-08:00 ia-cs-vubro-089 bro_http - - - {
      "ts": 1640159484.694295,
      "uid": "CTgT3z1adxn1EMPbmj",
      "id.orig_h": "198.51.100.27",
      "id.orig_p": 58729,
      "id.resp_h": "198.51.100.28",
      "id.resp_p": 8088,
      "trans_depth": 2284,
      "method": "POST",
      "host": "198.51.100.8",
      "uri": "/system/gateway",
      "version": "1.1",
      "user_agent": "Java/11.0.11",
      "request_body_len": 304,
      "response_body_len": 203,
      "status_code": 200,
      "status_msg": "OK",
      "tags": [],
      "orig_fuids": [
        "FefIdu4i8dzFTUONb5"
      ],
      "orig_mime_types": [
        "application/xml"
      ],
      "resp_fuids": [
        "Flqz7L3yyQR1eSN4Kf"
      ],
      "resp_mime_types": [
        "application/xml"
      ]
    }


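The two framings shown above (RFC 5424 syslog with a bro_<logtype> app-name, and the "<logtype> - {json}" prefix that the NXLog Exec line in this document produces) and the mapping rules in the reference section that follows, as an added Python example. This is not Google's parser and not code from the original page: it splits a line into its Zeek log type and JSON record, then applies a subset of the documented field mapping (the common connection fields plus conn, http and mysql, including the service, target.url and success/rows rules). The regular expressions, function names and sample lines are constructed for this illustration; only the UDM field names are taken from the reference table.

```python
import json
import re

# RFC 5424 framing as in the SYSLOG+JSON sample: <PRI>VERSION TIMESTAMP HOSTNAME
# APP-NAME PROCID MSGID SD, then the Zeek record as a JSON object. The app-name
# carries the log type as "bro_<logtype>". (Constructed pattern.)
SYSLOG_RE = re.compile(
    r"^<\d{1,3}>\d+\s+\S+\s+\S+\s+bro_(?P<logtype>\w+)"
    r"\s+\S+\s+\S+\s+\S+\s+(?P<body>\{.*\})\s*$",
    re.S,
)
# Framing produced by the NXLog Exec line on this page: "<logtype> - {json}".
NXLOG_RE = re.compile(r"^(?P<logtype>\w+) - (?P<body>\{.*\})\s*$", re.S)

# Fields that every connection-oriented log type maps the same way (from the table).
COMMON_FIELDS = {
    "ts": "metadata.event_timestamp", "uid": "network.session_id",
    "id.orig_h": "principal.ip", "id.orig_p": "principal.port",
    "id.resp_h": "target.ip", "id.resp_p": "target.port",
}
# Per-log-type direct mappings, a subset of the reference table.
TYPE_FIELDS = {
    "conn": {"proto": "network.ip_protocol", "duration": "network.session_duration",
             "orig_bytes": "network.sent_bytes", "resp_bytes": "network.received_bytes",
             "conn_state": "metadata.description"},
    "http": {"method": "network.http.method", "host": "target.hostname",
             "user_agent": "network.http.user_agent",
             "status_code": "network.http.response_code"},
    "mysql": {"cmd": "metadata.description", "arg": "principal.process.command_line"},
}


def split_record(line):
    """Return (log_type, record_dict) for either framing; ValueError otherwise."""
    for pattern in (SYSLOG_RE, NXLOG_RE):
        match = pattern.match(line)
        if match:
            return match.group("logtype"), json.loads(match.group("body"))
    raise ValueError("line is neither SYSLOG+JSON nor NXLog-prefixed JSON")


def to_udm(log_type, record):
    """Flatten one Zeek record into dotted UDM field names per the table."""
    direct = {**COMMON_FIELDS, **TYPE_FIELDS.get(log_type, {})}
    udm, extra = {}, {}  # extra collects additional.fields.key/value
    for key, value in record.items():
        if key in direct:
            udm[direct[key]] = value
        elif log_type == "conn" and key == "service":
            # A single service name maps to application_protocol; Zeek joins
            # several detected services with commas, and those go to extra.
            if "," in str(value):
                extra[key] = value
            else:
                udm["network.application_protocol"] = value
        elif log_type == "http" and key == "uri":
            udm["target.url"] = f"{record.get('host', '')}{value}"  # "%{host}%{uri}"
        elif log_type == "mysql" and key == "success":
            ok = str(value).lower() in ("t", "true")  # JSON true or Zeek "T"
            udm["security_result.action"] = "ALLOW" if ok else "BLOCK"
            udm["security_result.summary"] = (
                "Query successfully executed" if ok else "Query execution failed")
        elif log_type == "mysql" and key == "rows":
            udm["security_result.description"] = f"Affected rows: {value}"
            udm["security_result.severity"] = "INFORMATIONAL"
        else:
            extra[key] = value
    if extra:
        udm["additional.fields"] = extra
    return udm


def process_line(line):
    log_type, record = split_record(line)
    return log_type, to_udm(log_type, record)


# Constructed sample lines (not from a real sensor); the syslog one is the
# page's SYSLOG+JSON sample collapsed onto a single line and trimmed.
SAMPLE_SYSLOG = (
    '<13>1 2021-12-21T23:51:25-08:00 ia-cs-vubro-089 bro_http - - - '
    '{"ts": 1640159484.694295, "uid": "CTgT3z1adxn1EMPbmj", '
    '"id.orig_h": "198.51.100.27", "id.orig_p": 58729, '
    '"id.resp_h": "198.51.100.28", "id.resp_p": 8088, "method": "POST", '
    '"host": "198.51.100.8", "uri": "/system/gateway", '
    '"user_agent": "Java/11.0.11", "status_code": 200, "status_msg": "OK"}'
)
SAMPLE_NXLOG = (
    'conn - {"ts": 1640159484.1, "uid": "CxR3mK1example", '
    '"id.orig_h": "198.51.100.27", "id.orig_p": 51234, '
    '"id.resp_h": "198.51.100.53", "id.resp_p": 53, "proto": "udp", '
    '"service": "dns", "duration": 0.02, "orig_bytes": 60, "resp_bytes": 120, '
    '"conn_state": "SF", "local_orig": true, "history": "Dd"}'
)
SAMPLE_MYSQL = ('mysql - {"ts": 1640159485.5, "uid": "CmY5qL2example", '
                '"cmd": "query", "arg": "SELECT 1", "success": true, "rows": 1}')

if __name__ == "__main__":
    for sample in (SAMPLE_SYSLOG, SAMPLE_NXLOG, SAMPLE_MYSQL):
        print(json.dumps(process_line(sample), indent=2))
```

Everything that has no direct mapping lands in additional.fields, which is the catch-all the reference table uses for most Zeek fields; to cover another log type, add its direct mappings to TYPE_FIELDS from the table and handle any conditional rule (such as the radius.log result rule) the same way the mysql success rule is handled here.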
Field mapping reference: Zeek logs fields to UDM fields

To understand how the Google Security Operations parser maps Zeek log fields to Google Security Operations UDM event fields for each Zeek log type, refer to the following sections:

Network protocols

The following table lists the log fields of the network protocols log type and their corresponding UDM fields.

Original log field
Log type
UDM field
ts
metadata.event_timestamp
uid
network.session_id
id.orig_h
principal.ip
id.orig_p
principal.port
id.resp_h
target.ip
id.resp_p
target.port
proto
network.ip_protocol
service
In case of exact match, service is mapped to network.application_protocol. In case of multiple values, service is mapped to additional.fields.key/value.
duration
network.session_duration
orig_bytes
network.sent_bytes
resp_bytes
network.received_bytes
conn_state
metadata.description
local_orig
additional.fields.key/value
local_resp
additional.fields.key/value
missed_bytes
additional.fields.key/value
history
additional.fields.key/value
orig_pkts
additional.fields.key/value
orig_ip_bytes
additional.fields.key/value
resp_pkts
additional.fields.key/value
resp_ip_bytes
additional.fields.key/value
tunnel_parents
additional.fields.key/value
orig_l2_addr
additional.fields.key/value
resp_l2_addr
additional.fields.key/value
vlan
additional.fields.key/value
inner_vlan
additional.fields.key/value
speculative_service
additional.fields.key/value
ts
metadata.event_timestamp
uid
network.session_id
id.orig_h
principal.ip
id.orig_p
principal.port
id.resp_h
target.ip
id.resp_p
target.port
rtt
additional.fields.key/value
named_pipe
target.resource.name

Also, target.resource.resource_type is set to "PIPE".

endpoint
additional.fields.key/value
operation
additional.fields.key/value
ts
metadata.event_timestamp
uids
additional.fields.key/value
client_addr
target.ip
server_addr
principal.ip
client_port
target.port
server_port
principal.port
mac
principal.mac

Machine ID is required for parsing NETWORK_DHCP events.

host_name
network.dhcp.client_hostname
client_fqdn
target.hostname
domain
target.administrative_domain
requested_addr
network.dhcp.requested_address
assigned_addr
network.dhcp.yiaddr
lease_time
network.dhcp.lease_time_seconds
client_message
additional.fields.key/value
server_message
additional.fields.key/value
msg_types
additional.fields.key/value

The log that Zeek produces is a collection of DORA messages in a single log.

duration
network.dhcp.seconds
client_chaddr
network.dhcp.chaddr
msg_orig
additional.fields.key/value
client_software
additional.fields.key/value
server_software
additional.fields.key/value
circuit_id
additional.fields.key/value
agent_remote_id
additional.fields.key/value
subscriber_id
additional.fields.key/value
ts
metadata.event_timestamp
uid
network.session_id
id.orig_h
principal.ip
id.orig_p
principal.port
id.resp_h
target.ip
id.resp_p
target.port
fc_request
additional.fields.key/value
fc_reply
additional.fields.key/value
iin
additional.fields.key/value
ts
metadata.event_timestamp
uid
network.session_id
id.orig_h
principal.ip
id.orig_p
principal.port
id.resp_h
target.ip
id.resp_p
target.port
proto
network.ip_protocol
trans_id
network.dns.id
rtt
additional.fields.key/value
query
network.dns.questions.name
qclass
network.dns.questions.class
qclass_name
additional.fields.key/value
qtype
network.dns.questions.type
qtype_name
additional.fields.key/value
rcode
network.dns.response_code
rcode_name
additional.fields.key/value
AA
network.dns.authoritative
TC
network.dns.truncated
RD
network.dns.recursion_desired
RA
network.dns.recursion_available
Z
additional.fields.key/value
answers
network.dns.answers.data
TTLs
network.dns.answers.ttl
rejected
additional.fields.key/value
total_answers
additional.fields.key/value
total_replies
additional.fields.key/value
saw_query
additional.fields.key/value
saw_reply
additional.fields.key/value
auth
network.dns.authority.data
addl
network.dns.additional.data
original_query
additional.fields.key/value
ts
metadata.event_timestamp
uid
network.session_id
id.orig_h
principal.ip
id.orig_p
principal.port
id.resp_h
target.ip
id.resp_p
target.port
user
principal.user.userid
command
network.ftp.command
arg
additional.fields.key/value
mime_type
src.file.mime_type
file_size
src.file.size
reply_code
additional.fields.key/value
reply_msg
additional.fields.key/value
data_channel.passive
additional.fields.key/value
data_channel.orig_h
additional.fields.key/value
data_channel.resp_h
additional.fields.key/value
data_channel.resp_p
additional.fields.key/value
cwd
src.file.full_path
cmdarg.ts
additional.fields.key/value
cmdarg.cmd
additional.fields.key/value
cmdarg.arg
additional.fields.key/value
cmdarg.seq
additional.fields.key/value
pending_commands
additional.fields.key/value
passive
additional.fields.key/value
capture_password
additional.fields.key/value
fuid
additional.fields.key/value
last_auth_requested
additional.fields.key/value
ts
metadata.event_timestamp
uid
network.session_id
id.orig_h
principal.ip
id.orig_p
principal.port
id.resp_h
target.ip
id.resp_p
target.port
trans_depth
additional.fields.key/value
method
network.http.method
host
target.hostname
uri
target.url is set to "%{host}%{uri}"
referrer
network.http.referral_url
version
additional.fields.key/value
user_agent
network.http.user_agent
origin
additional.fields.key/value
request_body_len
additional.fields.key/value
response_body_len
additional.fields.key/value
status_code
network.http.response_code
status_msg
additional.fields.key/value
info_code
additional.fields.key/value
info_msg
additional.fields.key/value
tags
additional.fields.key/value
username
principal.user.userid
capture_password
additional.fields.key/value
proxied
additional.fields.key/value
range_request
additional.fields.key/value
orig_fuids
additional.fields.key/value
orig_filenames
additional.fields.key/value
orig_mime_types
additional.fields.key/value
resp_fuids
additional.fields.key/value
resp_filenames
additional.fields.key/value
resp_mime_types
additional.fields.key/value
current_entity
additional.fields.key/value
orig_mime_depth
additional.fields.key/value
resp_mime_depth
additional.fields.key/value
client_header_names
additional.fields.key/value
server_header_names
additional.fields.key/value
omniture
additional.fields.key/value
flash_version
additional.fields.key/value
cookie_vars
additional.fields.key/value
uri_vars
additional.fields.key/value
ts
metadata.event_timestamp
uid
network.session_id
id.orig_h
principal.ip
id.orig_p
principal.port
id.resp_h
target.ip
id.resp_p
target.port
nick
additional.fields.key/value
user
principal.user.userid
command
principal.process.command_line
value
additional.fields.key/value
addl
additional.fields.key/value
dcc_file_name
additional.fields.key/value
dcc_file_size
src.file.size
dcc_mime_type
src.file.mime_type
fuid
additional.fields.key/value
ts
metadata.event_timestamp
uid
network.session_id
id.orig_h
principal.ip
id.orig_p
principal.port
id.resp_h
target.ip
id.resp_p
target.port
request_type
additional.fields.key/value
client
additional.fields.key/value
service
additional.fields.key/value
success
additional.fields.key/value
error_code
additional.fields.key/value
error_msg
metadata.description is set to "KERBEROS: %{error_msg}"
from
additional.fields.key/value
till
additional.fields.key/value
cipher
network.tls.cipher
forwardable
additional.fields.key/value
renewable
additional.fields.key/value
logged
additional.fields.key/value
client_cert.ts
additional.fields.key/value
client_cert.fuid
additional.fields.key/value
client_cert.tx_hosts
additional.fields.key/value
client_cert.rx_hosts
additional.fields.key/value
client_cert.conn_uids
additional.fields.key/value
client_cert.source
additional.fields.key/value
client_cert.depth
additional.fields.key/value
client_cert.analyzers
additional.fields.key/value
client_cert.mime_type
additional.fields.key/value
client_cert.filename
additional.fields.key/value
client_cert.duration
additional.fields.key/value
client_cert.local_orig
additional.fields.key/value
client_cert.is_orig
additional.fields.key/value
client_cert.seen_bytes
additional.fields.key/value
client_cert.total_bytes
additional.fields.key/value
client_cert.missing_bytes
additional.fields.key/value
client_cert.overflow_bytes
additional.fields.key/value
client_cert.timedout
additional.fields.key/value
client_cert.parent_fuid
additional.fields.key/value
client_cert.md5
network.tls.client.certificate.md5
client_cert.sha1
network.tls.client.certificate.sha1
client_cert.sha256
network.tls.client.certificate.sha256
client_cert.x509.ts
additional.fields.key/value
client_cert.x509.fingerprint
additional.fields.key/value
client_cert.x509.certificate.version
network.tls.client.certificate.version
client_cert.x509.certificate.serial
network.tls.client.certificate.serial
client_cert.x509.certificate.subject
additional.fields.key/value
client_cert.x509.certificate.issuer
network.tls.client.certificate.issuer
client_cert.x509.certificate.cn
additional.fields.key/value
client_cert.x509.certificate.not_valid_before
additional.fields.key/value
client_cert.x509.certificate.not_valid_after
additional.fields.key/value
client_cert.x509.certificate.key_alg
additional.fields.key/value
client_cert.x509.certificate.sig_alg
additional.fields.key/value
client_cert.x509.certificate.key_type
additional.fields.key/value
client_cert.x509.certificate.key_length
additional.fields.key/value
client_cert.x509.certificate.exponent
additional.fields.key/value
client_cert.x509.certificate.curve
additional.fields.key/value
client_cert.x509.handle
additional.fields.key/value
client_cert.x509.extensions.name
additional.fields.key/value
client_cert.x509.extensions.short_name
additional.fields.key/value
client_cert.x509.extensions.oid
additional.fields.key/value
client_cert.x509.extensions.critical
additional.fields.key/value
client_cert.x509.extensions.value
additional.fields.key/value
client_cert.x509.san.dns
additional.fields.key/value
client_cert.x509.san.uri
additional.fields.key/value
client_cert.x509.san.email
additional.fields.key/value
client_cert.x509.san.ip
additional.fields.key/value
client_cert.x509.san.other_fields
additional.fields.key/value
client_cert.x509.basic_constraints.ca
additional.fields.key/value
client_cert.x509.basic_constraints.path_len
additional.fields.key/value
client_cert.x509.extensions_cache
additional.fields.key/value
client_cert.x509.host_cert
additional.fields.key/value
client_cert.x509.client_cert
additional.fields.key/value
client_cert.x509.deduplication_index.fingerprint
additional.fields.key/value
client_cert.x509.deduplication_index.host_cert
additional.fields.key/value
client_cert.x509.deduplication_index.client_cert
additional.fields.key/value
client_cert.x509.always_raise_x509_events
additional.fields.key/value
client_cert.x509.cert
additional.fields.key/value
client_cert.extracted
additional.fields.key/value
client_cert.extracted_cutoff
additional.fields.key/value
client_cert.extracted_size
additional.fields.key/value
client_cert.entropy
additional.fields.key/value
client_cert_subject
network.tls.client.certificate.subject
client_cert_fuid
additional.fields.key/value
server_cert.ts
additional.fields.key/value
server_cert.fuid
additional.fields.key/value
server_cert.tx_hosts
additional.fields.key/value
server_cert.rx_hosts
additional.fields.key/value
server_cert.conn_uids
additional.fields.key/value
server_cert.source
additional.fields.key/value
server_cert.depth
additional.fields.key/value
server_cert.analyzers
additional.fields.key/value
server_cert.mime_type
additional.fields.key/value
server_cert.filename
additional.fields.key/value
server_cert.duration
additional.fields.key/value
server_cert.local_orig
additional.fields.key/value
server_cert.is_orig
additional.fields.key/value
server_cert.seen_bytes
additional.fields.key/value
server_cert.total_bytes
additional.fields.key/value
server_cert.missing_bytes
additional.fields.key/value
server_cert.overflow_bytes
additional.fields.key/value
server_cert.timedout
additional.fields.key/value
server_cert.parent_fuid
additional.fields.key/value
server_cert.md5
network.tls.server.certificate.md5
server_cert.sha1
network.tls.server.certificate.sha1
server_cert.sha256
network.tls.server.certificate.sha256
server_cert.x509.ts
additional.fields.key/value
server_cert.x509.fingerprint
additional.fields.key/value
server_cert.x509.certificate.version
network.tls.server.certificate.version
server_cert.x509.certificate.serial
network.tls.server.certificate.serial
server_cert.x509.certificate.subject
additional.fields.key/value
server_cert.x509.certificate.issuer
network.tls.server.certificate.issuer
server_cert.x509.certificate.cn
additional.fields.key/value
server_cert.x509.certificate.not_valid_before
additional.fields.key/value
server_cert.x509.certificate.not_valid_after
additional.fields.key/value
server_cert.x509.certificate.key_alg
additional.fields.key/value
server_cert.x509.certificate.sig_alg
additional.fields.key/value
server_cert.x509.certificate.key_type
additional.fields.key/value
server_cert.x509.certificate.key_length
additional.fields.key/value
server_cert.x509.certificate.exponent
additional.fields.key/value
server_cert.x509.certificate.curve
additional.fields.key/value
server_cert.x509.handle
additional.fields.key/value
server_cert.x509.extensions.name
additional.fields.key/value
server_cert.x509.extensions.short_name
additional.fields.key/value
server_cert.x509.extensions.oid
additional.fields.key/value
server_cert.x509.extensions.critical
additional.fields.key/value
server_cert.x509.extensions.value
additional.fields.key/value
server_cert.x509.san.dns
additional.fields.key/value
server_cert.x509.san.uri
additional.fields.key/value
server_cert.x509.san.email
additional.fields.key/value
server_cert.x509.san.ip
additional.fields.key/value
server_cert.x509.san.other_fields
additional.fields.key/value
server_cert.x509.basic_constraints.ca
additional.fields.key/value
server_cert.x509.basic_constraints.path_len
additional.fields.key/value
server_cert.x509.extensions_cache
additional.fields.key/value
server_cert.x509.host_cert
additional.fields.key/value
server_cert.x509.client_cert
additional.fields.key/value
server_cert.x509.deduplication_index.fingerprint
additional.fields.key/value
server_cert.x509.deduplication_index.host_cert
additional.fields.key/value
server_cert.x509.deduplication_index.client_cert
additional.fields.key/value
server_cert.x509.always_raise_x509_events
additional.fields.key/value
server_cert.x509.cert
additional.fields.key/value
server_cert.extracted
additional.fields.key/value
server_cert.extracted_cutoff
additional.fields.key/value
server_cert.extracted_size
additional.fields.key/value
server_cert.entropy
additional.fields.key/value
server_cert_subject
network.tls.server.certificate.subject
server_cert_fuid
additional.fields.key/value
auth_ticket
additional.fields.key/value
new_ticket
additional.fields.key/value
ts
metadata.event_timestamp
uid
network.session_id
id.orig_h
principal.ip
id.orig_p
principal.port
id.resp_h
target.ip
id.resp_p
target.port
func
additional.fields.key/value
exception
additional.fields.key/value
track_address
additional.fields.key/value
ts
metadata.event_timestamp
uid
network.session_id
id.orig_h
principal.ip
id.orig_p
principal.port
id.resp_h
target.ip
id.resp_p
target.port
register
additional.fields.key/value
old_val
additional.fields.key/value
new_val
additional.fields.key/value
delta
additional.fields.key/value
ts
metadata.event_timestamp
uid
network.session_id
id.orig_h
principal.ip
id.orig_p
principal.port
id.resp_h
target.ip
id.resp_p
target.port
cmd
metadata.description
arg
principal.process.command_line
success

If the value of success is "T" or "true", security_result.action is set to "ALLOW" and security_result.summary is set to "Query successfully executed".

If the value of success is not "T" or "true", security_result.action is set to "BLOCK" and security_result.summary is set to "Query execution failed".

rows
security_result.description is set to "Affected rows: %{rows}". If the log type is "mysql.log", the additional field security_result.severity is set to "INFORMATIONAL".
response
additional.fields.key/value
ts
metadata.event_timestamp
uid
network.session_id
id.orig_h
principal.ip
id.orig_p
principal.port
id.resp_h
target.ip
id.resp_p
target.port
username
principal.user.userid
hostname
principal.hostname
domainname
principal.administrative_domain
server_nb_computer_name
additional.fields.key/value
server_dns_computer_name
target.hostname
server_tree_name
additional.fields.key/value
success

If the value of success is "T" or "true", security_result.action is set to "ALLOW" and security_result.summary is set to "Query successfully executed".

If the value of success is not "T" or "true", security_result.action is set to "BLOCK" and security_result.summary is set to "Query execution failed".

done
additional.fields.key/value
ts
metadata.event_timestamp
uid
network.session_id
id.orig_h
principal.ip
id.orig_p
principal.port
id.resp_h
target.ip
id.resp_p
target.port
version
additional.fields.key/value
mode
additional.fields.key/value
stratum
additional.fields.key/value
poll
additional.fields.key/value
precision
additional.fields.key/value
root_delay
additional.fields.key/value
root_disp
additional.fields.key/value
ref_id
additional.fields.key/value
ref_time
additional.fields.key/value
org_time
additional.fields.key/value
rec_time
additional.fields.key/value
xmt_time
additional.fields.key/value
num_exts
additional.fields.key/value
ts
metadata.event_timestamp
uid
network.session_id
id.orig_h
principal.ip
id.orig_p
principal.port
id.resp_h
target.ip
id.resp_p
target.port
username
principal.user.userid
mac
principal.mac
framed_addr
additional.fields.key/value
tunnel_client
additional.fields.key/value
connect_info
additional.fields.key/value
reply_msg
additional.fields.key/value
result
If the log type is "radius.log", the following fields are set:
  • extensions.auth.type is set to "MACHINE".
  • metadata.description is set to "RADIUS authentication attempts %{result}".
  • security_result.action and security_result.summary, as follows:
    • If the value of the "result" field is "success", security_result.action is set to "ALLOW" and security_result.summary is set to "User login successful".
    • If the value of the "result" field is "failed", security_result.action is set to "BLOCK" and security_result.summary is set to "User login failed".
ttl
additional.fields.key/value
logged
additional.fields.key/value
ts
metadata.event_timestamp
uid
network.session_id
id.orig_h
principal.ip
id.orig_p
principal.port
id.resp_h
target.ip
id.resp_p
target.port
cookie
principal.user.userid
result
security_result.severity is set to "INFORMATIONAL". security_result.description is set to "%{result} connection with security protocol %{security_protocol}".
security_protocol
security_result.description is set to "%{result} connection with security protocol %{security_protocol}".
client_channels
additional.fields.key/value
keyboard_layout
additional.fields.key/value
client_build
principal.asset.platform_software.platform_version
client_name
additional.fields.key/value
client_dig_product_id
principal.asset.asset_id
desktop_width
additional.fields.key/value
desktop_height
additional.fields.key/value
requested_color_depth
additional.fields.key/value
cert_type
additional.fields.key/value
cert_count
additional.fields.key/value
cert_permanent
additional.fields.key/value
encryption_level
additional.fields.key/value
encryption_method
additional.fields.key/value
analyzer_id
additional.fields.key/value
done
additional.fields.key/value
ssl
additional.fields.key/value
ts
metadata.event_timestamp
uid
network.session_id
id.orig_h
principal.ip
id.orig_p
principal.port
id.resp_h
target.ip
id.resp_p
target.port
client_major_version
additional.fields.key/value
client_minor_version
additional.fields.key/value
server_major_version
additional.fields.key/value
server_minor_version
additional.fields.key/value
authentication_method
additional.fields.key/value
auth
additional.fields.key/value
share_flag
additional.fields.key/value
desktop_name
target.asset.hostname
width
additional.fields.key/value
height
additional.fields.key/value
done
additional.fields.key/value
ts
metadata.event_timestamp
uid
network.session_id

Also, network.application_protocol is set to "SIP".

id.orig_h
principal.ip
id.orig_p
principal.port
id.resp_h
target.ip
id.resp_p
target.port
trans_depth
additional.fields.key/value
method
metadata.description
uri
about.url
date
additional.fields.key/value
request_from
principal.user.userid and principal.user.user_display_name
request_to
target.user.userid and target.user.user_display_name
response_from
additional.fields.key/value
response_to
additional.fields.key/value
reply_to
additional.fields.key/value
call_id
network.session_id
seq
additional.fields.key/value
subject
additional.fields.key/value
request_path
additional.fields.key/value
response_path
additional.fields.key/value
user_agent
additional.fields.key/value
status_code
security_result.summary is set to "Status Code: %{status_code}".
status_msg
security_result.description
warning
additional.fields.key/value
request_body_len
network.sent_bytes
response_body_len
network.received_bytes
content_type
additional.fields.key/value
ts
metadata.event_timestamp
uid
network.session_id
id.orig_h
principal.ip
id.orig_p
principal.port
id.resp_h
target.ip
id.resp_p
target.port
command
principal.process.command_line
sub_command
additional.fields.key/value
argument
additional.fields.key/value
status
additional.fields.key/value
rtt
additional.fields.key/value
version
metadata.product_version
username
principal.user.userid
tree
additional.fields.key/value
tree_service
additional.fields.key/value
smb1_offered_dialects
additional.fields.key/value
smb2_offered_dialects
additional.fields.key/value
ts
metadata.event_timestamp
uid
network.session_id
id.orig_h
principal.ip
id.orig_p
principal.port
id.resp_h
target.ip
id.resp_p
target.port
fuid
additional.fields.key/value
action
metadata.description is set to "action: %{action} on: %{name}".
path
target.file.full_path
name
additional.fields.key/value
size
target.file.size
prev_name
additional.fields.key/value
times.modified
additional.fields.key/value
times.modified_raw
additional.fields.key/value
times.accessed
additional.fields.key/value
times.accessed_raw
additional.fields.key/value
times.created
additional.fields.key/value
times.created_raw
additional.fields.key/value
times.changed
additional.fields.key/value
times.changed_raw
additional.fields.key/value
fid
additional.fields.key/value
uuid
additional.fields.key/value
ts
metadata.event_timestamp
uid
network.session_id
id.orig_h
principal.ip
id.orig_p
principal.port
id.resp_h
target.ip
id.resp_p
target.port
path
target.file.full_path
service
target.application
native_file_system
additional.fields.key/value
share_type
target.resource.resource_type
ts
metadata.event_timestamp
uid
network.session_id
id.orig_h
principal.ip
id.orig_p
principal.port
id.resp_h
target.ip
id.resp_p
target.port
trans_depth
additional.fields.key/value
helo
additional.fields.key/value
mailfrom
additional.fields.key/value
rcptto
additional.fields.key/value
date
additional.fields.key/value
from
network.email.from
to
email.to
cc
network.email.cc
reply_to
email.reply_to
msg_id
email.mail_id
in_reply_to
additional.fields.key/value
subject
email.subject
x_originating_ip
additional.fields.key/value
first_received
additional.fields.key/value
second_received
additional.fields.key/value
last_reply
additional.fields.key/value
path
additional.fields.key/value
user_agent
additional.fields.key/value
tls
network.tls.established
process_received_from
additional.fields.key/value
has_client_activity
additional.fields.key/value
process_smtp_headers
additional.fields.key/value
entity.filename
additional.fields.key/value
entity.excerpt
additional.fields.key/value
fuids
additional.fields.key/value
is_webmail
additional.fields.key/value
ts
metadata.event_timestamp
uid
network.session_id
id.orig_h
principal.ip
id.orig_p
principal.port
id.resp_h
target.ip
id.resp_p
target.port
duration
network.session_duration
version
metadata.product_version
community
network.community_id
get_requests
additional.fields.key/value
get_bulk_requests
additional.fields.key/value
get_responses
additional.fields.key/value
set_requests
    additional.fields.key/value
    display_string
    metadata.description
    up_since
    additional.fields.key/value
    ts
    metadata.event_timestamp
    uid
    network.session_id
    id.orig_h
    principal.ip
    id.orig_p
    principal.port
    id.resp_h
    target.ip
    id.resp_p
    target.port
    version
    additional.fields.key/value
    user
    principal.user.userid
    status
    additional.fields.key/value
    request.host
    principal.hostname
    request.name
    additional.fields.key/value
    request_p
    additional.fields.key/value
    bound.host
    additional.fields.key/value
    bound.name
    additional.fields.key/value
    bound_p
    additional.fields.key/value
    capture_password
    additional.fields.key/value
    ts
    metadata.event_timestamp
    uid
    network.session_id
    id.orig_h
    principal.ip
    id.orig_p
    principal.port
    id.resp_h
    target.ip
    id.resp_p
    target.port
    version
    metadata.product_version
    auth_success
    additional.fields.key/value
    auth_attempts
    security_result.description is set to "%{auth_attempts} successful SSH authentication attempts were observed".
    direction
    network.direction
    client
    principal.platform_version
    server
    target.platform_version
    cipher_alg
    additional.fields.key/value
    mac_alg
    additional.fields.key/value
    compression_alg
    additional.fields.key/value
    kex_alg
    additional.fields.key/value
    host_key_alg
    additional.fields.key/value
    host_key
    additional.fields.key/value
    logged
    additional.fields.key/value
    capabilities.kex_algorithms
    additional.fields.key/value
    capabilities.server_host_key_algorithms
    additional.fields.key/value
    capabilities.encryption_algorithms
    additional.fields.key/value
    capabilities.mac_algorithms
    additional.fields.key/value
    capabilities.compression_algorithms
    additional.fields.key/value
    capabilities.languages.client_to_server
    additional.fields.key/value
    capabilities.languages.server_to_client
    additional.fields.key/value
    capabilities.is_server
    additional.fields.key/value
    analyzer_id
    additional.fields.key/value
    remote_location.country_code
    additional.fields.key/value
    remote_location.region
    target.asset.location.country_or_region
    remote_location.city
    target.asset.location.city
    remote_location.latitude
    additional.fields.key/value
    remote_location.longitude
    additional.fields.key/value
    ts
    metadata.event_timestamp
    uid
    metadata.product_log_id
    id.orig_h
    principal.ip
    id.orig_p
    principal.port
    id.resp_h
    target.ip
    id.resp_p
    target.port
    version_num
    additional.fields.key/value
    version
    network.tls.version
    cipher
    network.tls.cipher
    curve
    network.tls.curve
    server_name
    network.tls.client.server_name
    session_id
    network.session_id
    resumed
    network.tls.resumed
    client_ticket_empty_session_seen
    additional.fields.key/value
    client_key_exchange_seen
    additional.fields.key/value
    client_psk_seen
    additional.fields.key/value
    last_alert
    additional.fields.key/value
    next_protocol
    network.tls.next_protocol
    analyzer_id
    additional.fields.key/value
    established
    network.tls.established
    logged
    additional.fields.key/value
    ssl_history
    additional.fields.key/value
    cert_chain_fps
    additional.fields.key/value
    client_cert_chain_fps
    additional.fields.key/value
    subject
    network.tls.server.certificate.subject
    issuer
    network.tls.server.certificate.issuer
    client_subject
    network.tls.client.certificate.subject
    client_issuer
    network.tls.client.certificate.issuer
    sni_matches_cert
    additional.fields.key/value
    server_depth
    additional.fields.key/value
    client_depth
    additional.fields.key/value
    always_raise_x509_events
    additional.fields.key/value
    last_originator_heartbeat_request_size
    additional.fields.key/value
    last_responder_heartbeat_request_size
    additional.fields.key/value
    originator_heartbeats
    additional.fields.key/value
    responder_heartbeats
    additional.fields.key/value
    heartbleed_detected
    additional.fields.key/value
    enc_appdata_packages
    additional.fields.key/value
    enc_appdata_bytes
    additional.fields.key/value
    server_version
    additional.fields.key/value
    client_version
    additional.fields.key/value
    client_ciphers
    network.tls.client.supported_ciphers
    ssl_client_exts
    additional.fields.key/value
    ssl_server_exts
    additional.fields.key/value
    ticket_lifetime_hint
    additional.fields.key/value
    dh_param_size
    additional.fields.key/value
    point_formats
    additional.fields.key/value
    client_curves
    additional.fields.key/value
    orig_alpn
    additional.fields.key/value
    client_supported_versions
    additional.fields.key/value
    server_supported_version
    additional.fields.key/value
    psk_key_exchange_modes
    additional.fields.key/value
    client_key_share_groups
    additional.fields.key/value
    server_key_share_group
    additional.fields.key/value
    client_comp_methods
    additional.fields.key/value
    comp_method
    additional.fields.key/value
    sigalgs
    additional.fields.key/value
    hashalgs
    additional.fields.key/value
    validation_status
    additional.fields.key/value
    validation_code
    additional.fields.key/value
    valid_chain
    additional.fields.key/value
    ocsp_status
    additional.fields.key/value
    ocsp_response
    additional.fields.key/value
    valid_scts
    additional.fields.key/value
    invalid_scts
    additional.fields.key/value
    valid_ct_logs
    additional.fields.key/value
    valid_ct_operators
    additional.fields.key/value
    valid_ct_operators_list
    additional.fields.key/value
    ct_proofs
    additional.fields.key/value
    notary.first_seen
    additional.fields.key/value
    notary.last_seen
    additional.fields.key/value
    notary.times_seen
    additional.fields.key/value
    notary.valid
    additional.fields.key/value
    ts
    metadata.event_timestamp
    uid
    network.session_id
    id.orig_h
    principal.ip
    id.orig_p
    principal.port
    id.resp_h
    target.ip
    id.resp_p
    target.port
    proto
    network.ip_protocol
    facility
    additional.fields.key/value
    severity
    security_result.severity_details
    message
    metadata.description
    ts
    metadata.event_timestamp
    uid
    network.session_id
    id.orig_h
    principal.ip
    id.orig_p
    principal.port
    id.resp_h
    target.ip
    id.resp_p
    target.port
    tunnel_type
    security_result.description is set to "action %{action} on tunnel type {tunnel_type}".
    action
    security_result.description is set to "action %{action} on tunnel type {tunnel_type}".

    Files

    The following table lists the log fields of the files log type and their corresponding UDM fields.

    Original log field | Log type | UDM field
    ts | files.log | metadata.event_timestamp
    fuid | files.log | metadata.product_log_id
    tx_hosts | files.log | principal.ip
    rx_hosts | files.log | target.ip
    conn_uids | files.log | additional.fields.key/value
    source | files.log | network.application_protocol, target.file.full_path
    depth | files.log | additional.fields.key/value
    analyzers | files.log | additional.fields.key/value
    mime_type | files.log | target.file.mime_type
    filename | files.log | target.file.full_path
    duration | files.log | additional.fields.key/value
    local_orig | files.log | additional.fields.key/value
    is_orig | files.log | additional.fields.key/value
    seen_bytes | files.log | target.file.size
    total_bytes | files.log | additional.fields.key/value
    missing_bytes | files.log | additional.fields.key/value
    overflow_bytes | files.log | additional.fields.key/value
    timedout | files.log | additional.fields.key/value
    parent_fuid | files.log | additional.fields.key/value
    md5 | files.log | target.file.md5
    sha1 | files.log | target.file.sha1
    sha256 | files.log | target.file.sha256
    md5 | files.log | network.tls.client.certificate.md5
    sha1 | files.log | network.tls.client.certificate.sha1
    sha256 | files.log | network.tls.client.certificate.sha256
    md5 | files.log | network.tls.server.certificate.md5
    sha1 | files.log | network.tls.server.certificate.sha1
    sha256 | files.log | network.tls.server.certificate.sha256
    x509 | files.log | additional.fields.key/value (this field is a nested field)
    extracted | files.log | additional.fields.key/value
    extracted_cutoff | files.log | additional.fields.key/value
    extracted_size | files.log | additional.fields.key/value
    entropy | files.log | additional.fields.key/value
    ts | ocsp.log | metadata.event_timestamp
    id | ocsp.log | metadata.product_log_id
    hashAlgorithm | ocsp.log | additional.fields.key/value
    issuerNameHash | ocsp.log | additional.fields.key/value
    issuerKeyHash | ocsp.log | additional.fields.key/value
    serialNumber | ocsp.log | tls.server.certificate.serial
    certStatus | ocsp.log | additional.fields.key/value
    revoketime | ocsp.log | network.tls.server.certificate.not_after
    revokereason | ocsp.log | security_result.summary
    thisUpdate | ocsp.log | additional.fields.key/value
    nextUpdate | ocsp.log | additional.fields.key/value
    ts | pe.log | metadata.event_timestamp
    id | pe.log | metadata.product_log_id
    machine | pe.log | target.resource.resource_subtype
    compile_ts | pe.log | additional.fields.key/value
    os | pe.log | target.platform_version. target.resource.resource_type is set to "DEVICE".
    subsystem | pe.log | target.application
    is_exe | pe.log | additional.fields.key/value
    is_64bit | pe.log | additional.fields.key/value
    uses_aslr | pe.log | additional.fields.key/value
    uses_dep | pe.log | additional.fields.key/value
    uses_code_integrity | pe.log | additional.fields.key/value
    uses_seh | pe.log | additional.fields.key/value
    has_import_table | pe.log | additional.fields.key/value
    has_export_table | pe.log | additional.fields.key/value
    has_cert_table | pe.log | additional.fields.key/value
    has_debug_data | pe.log | additional.fields.key/value
    section_names | pe.log | additional.fields.key/value
    ts | x509.log | metadata.event_timestamp. Also, target.application is set to "x509".
    fingerprint | x509.log | additional.fields.key/value
    certificate.version | x509.log | network.tls.server.certificate.version
    certificate.serial | x509.log | network.tls.server.certificate.serial
    certificate.subject | x509.log | network.tls.server.certificate.subject
    certificate.issuer | x509.log | network.tls.server.certificate.issuer
    certificate.cn | x509.log | target.hostname
    certificate.not_valid_before | x509.log | network.tls.server.certificate.not_before
    certificate.not_valid_after | x509.log | network.tls.server.certificate.not_after
    certificate.key_alg | x509.log | additional.fields.key/value
    certificate.sig_alg | x509.log | additional.fields.key/value
    certificate.key_type | x509.log | additional.fields.key/value
    certificate.key_length | x509.log | additional.fields.key/value
    certificate.exponent | x509.log | additional.fields.key/value
    certificate.curve | x509.log | network.tls.curve
    handle | x509.log | additional.fields.key/value
    extensions.name | x509.log | additional.fields.key/value
    extensions.short_name | x509.log | additional.fields.key/value
    extensions.oid | x509.log | additional.fields.key/value
    extensions.critical | x509.log | additional.fields.key/value
    extensions.value | x509.log | additional.fields.key/value
    san.dns | x509.log | additional.fields.key/value
    san.uri | x509.log | additional.fields.key/value
    san.email | x509.log | additional.fields.key/value
    san.ip | x509.log | additional.fields.key/value
    san.other_fields | x509.log | additional.fields.key/value
    basic_constraints.ca | x509.log | additional.fields.key/value
    basic_constraints.path_len | x509.log | additional.fields.key/value
    extensions_cache | x509.log | additional.fields.key/value
    host_cert | x509.log | additional.fields.key/value
    client_cert | x509.log | additional.fields.key/value
    deduplication_index.fingerprint | x509.log | additional.fields.key/value
    deduplication_index.host_cert | x509.log | additional.fields.key/value
    deduplication_index.client_cert | x509.log | additional.fields.key/value
    always_raise_x509_events | x509.log | additional.fields.key/value
    cert | x509.log | additional.fields.key/value

    Netcontrol

    The following table lists the log fields of the netcontrol log type and their corresponding UDM fields.

    Original log field | Log type | UDM field
    ts | netcontrol.log | metadata.event_timestamp
    rule_id | netcontrol.log | security_result.rule_id
    category | netcontrol.log | security_result.category_details
    cmd | netcontrol.log | additional.fields.key/value
    state | netcontrol.log | additional.fields.key/value
    action | netcontrol.log | security_result.action_details
    target | netcontrol.log | additional.fields.key/value
    entity_type | netcontrol.log | additional.fields.key/value
    entity | netcontrol.log | security_result.summary
    mod | netcontrol.log | additional.fields.key/value
    msg | netcontrol.log | security_result.description
    priority | netcontrol.log | security_result.priority_details
    expire | netcontrol.log | additional.fields.key/value
    location | netcontrol.log | additional.fields.key/value
    plugin | netcontrol.log | additional.fields.key/value
    ts | netcontrol_drop.log | metadata.event_timestamp
    rule_id | netcontrol_drop.log | security_result.rule_id
    orig_h | netcontrol_drop.log | principal.ip
    orig_p | netcontrol_drop.log | principal.port
    resp_h | netcontrol_drop.log | target.ip
    resp_p | netcontrol_drop.log | target.port
    expire | netcontrol_drop.log | additional.fields.key/value
    location | netcontrol_drop.log | additional.fields.key/value
    ts | netcontrol_shunt.log | metadata.event_timestamp
    rule_id | netcontrol_shunt.log | security_result.rule_id
    f.src_h | netcontrol_shunt.log | principal.ip
    f.src_p | netcontrol_shunt.log | principal.port
    f.dst_h | netcontrol_shunt.log | target.ip
    f.dst_p | netcontrol_shunt.log | target.port
    expire | netcontrol_shunt.log | additional.fields.key/value
    location | netcontrol_shunt.log | additional.fields.key/value
    ts | netcontrol_catch_release.log | metadata.event_timestamp
    rule_id | netcontrol_catch_release.log | security_result.rule_id
    ip | netcontrol_catch_release.log | target.ip
    action | netcontrol_catch_release.log | security_result.action_details
    block_interval | netcontrol_catch_release.log | additional.fields.key/value
    watch_interval | netcontrol_catch_release.log | additional.fields.key/value
    blocked_until | netcontrol_catch_release.log | additional.fields.key/value
    watched_until | netcontrol_catch_release.log | additional.fields.key/value
    num_blocked | netcontrol_catch_release.log | additional.fields.key/value
    location | netcontrol_catch_release.log | additional.fields.key/value
    message | netcontrol_catch_release.log | security_result.description
    ts | openflow.log | metadata.event_timestamp
    dpid | openflow.log | additional.fields.key/value
    match.in_port | openflow.log | additional.fields.key/value
    match.dl_src | openflow.log | additional.fields.key/value
    match.dl_dst | openflow.log | additional.fields.key/value
    match.dl_vlan | openflow.log | additional.fields.key/value
    match.dl_vlan_pcp | openflow.log | additional.fields.key/value
    match.dl_type | openflow.log | additional.fields.key/value
    match.nw_tos | openflow.log | additional.fields.key/value
    match.nw_proto | openflow.log | additional.fields.key/value
    match.nw_src | openflow.log | additional.fields.key/value
    match.nw_dst | openflow.log | additional.fields.key/value
    match.tp_src | openflow.log | additional.fields.key/value
    match.tp_dst | openflow.log | additional.fields.key/value
    flow_mod.cookie | openflow.log | additional.fields.key/value
    flow_mod.table_id | openflow.log | additional.fields.key/value
    flow_mod.command | openflow.log | additional.fields.key/value
    flow_mod.idle_timeout | openflow.log | additional.fields.key/value
    flow_mod.hard_timeout | openflow.log | additional.fields.key/value
    flow_mod.priority | openflow.log | additional.fields.key/value
    flow_mod.out_port | openflow.log | additional.fields.key/value
    flow_mod.flags | openflow.log | additional.fields.key/value
    flow_mod.actions.out_ports | openflow.log | additional.fields.key/value
    flow_mod.actions.vlan_vid | openflow.log | additional.fields.key/value
    flow_mod.actions.vlan_pcp | openflow.log | additional.fields.key/value
    flow_mod.actions.vlan_strip | openflow.log | additional.fields.key/value
    flow_mod.actions.dl_src | openflow.log | additional.fields.key/value
    flow_mod.actions.dl_dst | openflow.log | additional.fields.key/value
    flow_mod.actions.nw_tos | openflow.log | additional.fields.key/value
    flow_mod.actions.nw_src | openflow.log | additional.fields.key/value
    flow_mod.actions.nw_dst | openflow.log | additional.fields.key/value
    flow_mod.actions.tp_src | openflow.log | additional.fields.key/value
    flow_mod.actions.tp_dst | openflow.log | additional.fields.key/value

    Detection

    The following table lists the log fields of the detection log type and their corresponding UDM fields.

    Original log field | Log type | UDM field
    ts | intel.log | metadata.event_timestamp
    uid | intel.log | network.session_id
    id.orig_h | intel.log | principal.ip
    id.orig_p | intel.log | principal.port
    id.resp_h | intel.log | target.ip
    id.resp_p | intel.log | target.port
    seen.indicator | intel.log | additional.fields.key/value
    seen.indicator_type | intel.log | additional.fields.key/value
    seen.host | intel.log | additional.fields.key/value
    seen.where | intel.log | additional.fields.key/value
    seen.node | intel.log | additional.fields.key/value
    seen.conn.id.orig_h | intel.log | additional.fields.key/value
    seen.conn.id.orig_p | intel.log | additional.fields.key/value
    seen.conn.id.resp_h | intel.log | additional.fields.key/value
    seen.conn.id.resp_p | intel.log | additional.fields.key/value
    seen.conn.orig.size | intel.log | network.sent_bytes
    seen.conn.orig.state | intel.log | additional.fields.key/value
    seen.conn.orig.num_pkts | intel.log | additional.fields.key/value
    seen.conn.orig.num_bytes_ip | intel.log | additional.fields.key/value
    seen.conn.orig.flow_label | intel.log | additional.fields.key/value
    seen.conn.orig.l2_addr | intel.log | additional.fields.key/value
    seen.conn.resp.size | intel.log | network.received_bytes
    seen.conn.resp.state | intel.log | additional.fields.key/value
    seen.conn.resp.num_pkts | intel.log | additional.fields.key/value
    seen.conn.resp.num_bytes_ip | intel.log | additional.fields.key/value
    seen.conn.resp.flow_label | intel.log | additional.fields.key/value
    seen.conn.resp.l2_addr | intel.log | additional.fields.key/value
    seen.conn.start_time | intel.log | additional.fields.key/value
    seen.conn.duration | intel.log | network.session_duration
    seen.conn.service | intel.log | additional.fields.key/value
    seen.conn.history | intel.log | metadata.description
    seen.conn.uid | intel.log | network.session_id
    seen.conn.tunnel.queued | intel.log | additional.fields.key/value
    seen.conn.tunnel.dispatched | intel.log | additional.fields.key/value
    seen.conn.vlan | intel.log | additional.fields.key/value
    seen.conn.inner_vlan | intel.log | additional.fields.key/value
    seen.conn.dpd_state | intel.log | additional.fields.key/value
    seen.conn.removal_hooks | intel.log | additional.fields.key/value
    seen.conn.extract_orig | intel.log | additional.fields.key/value
    seen.conn.extract_resp | intel.log | additional.fields.key/value
    seen.conn.thresholds.orig_byte | intel.log | additional.fields.key/value
    seen.conn.thresholds.resp_byte | intel.log | additional.fields.key/value
    seen.conn.thresholds.orig_packet | intel.log | additional.fields.key/value
    seen.conn.thresholds.resp_packet | intel.log | additional.fields.key/value
    seen.conn.thresholds.duration | intel.log | additional.fields.key/value
    seen.conn.dce_rpc_state.uuid | intel.log | additional.fields.key/value
    seen.conn.dce_rpc_state.named_pipe | intel.log | additional.fields.key/value
    seen.conn.dce_rpc_state.ctx_to_uuid | intel.log | additional.fields.key/value
    seen.conn.dce_rpc_backing | intel.log | additional.fields.key/value
    seen.conn.dns_state.pending_query | intel.log | additional.fields.key/value
    seen.conn.dns_state.pending_queries | intel.log | additional.fields.key/value
    seen.conn.dns_state.pending_replies | intel.log | additional.fields.key/value
    seen.conn.ftp_data_reuse | intel.log | additional.fields.key/value
    seen.conn.http_state.pending | intel.log | additional.fields.key/value
    seen.conn.http_state.current_request | intel.log | additional.fields.key/value
    seen.conn.http_state.current_response | intel.log | additional.fields.key/value
    seen.conn.http_state.trans_depth | intel.log | additional.fields.key/value
    seen.conn.sip_state.pending | intel.log | additional.fields.key/value
    seen.conn.sip_state.current_request | intel.log | additional.fields.key/value
    seen.conn.sip_state.current_response | intel.log | additional.fields.key/value
    seen.conn.smb_state.current_cmd | intel.log | additional.fields.key/value
    seen.conn.smb_state.current_file | intel.log | additional.fields.key/value
    seen.conn.smb_state.current_tree | intel.log | additional.fields.key/value
    seen.conn.smb_state.pending_cmds | intel.log | additional.fields.key/value
    seen.conn.smb_state.fid_map | intel.log | additional.fields.key/value
    seen.conn.smb_state.tid_map | intel.log | additional.fields.key/value
    seen.conn.smb_state.uid_map | intel.log | additional.fields.key/value
    seen.conn.smb_state.pipe_map | intel.log | additional.fields.key/value
    seen.conn.smb_state.recent_files | intel.log | additional.fields.key/value
    seen.conn.smtp_state.messages_transferred | intel.log | additional.fields.key/value
    seen.conn.smtp_state.mime_depth | intel.log | additional.fields.key/value
    seen.conn.known_services_done | intel.log | additional.fields.key/value
    seen.conn.mqtt_state.publish | intel.log | additional.fields.key/value
    seen.conn.mqtt_state.subscribe | intel.log | additional.fields.key/value
    seen.conn.speculative_service | intel.log | additional.fields.key/value
    seen.uid | intel.log | additional.fields.key/value
    seen.f.id | intel.log | additional.fields.key/value
    seen.f.parent_id | intel.log | additional.fields.key/value
    seen.f.source | intel.log | target.file.full_path
    seen.f.is_orig | intel.log | additional.fields.key/value
    seen.f.conns | intel.log | additional.fields.key/value
    seen.f.last_active | intel.log | additional.fields.key/value
    seen.f.seen_bytes | intel.log | additional.fields.key/value
    seen.f.total_bytes | intel.log | additional.fields.key/value
    seen.f.missing_bytes | intel.log | additional.fields.key/value
    seen.f.overflow_bytes | intel.log | additional.fields.key/value
    seen.f.timeout_interval | intel.log | additional.fields.key/value
    seen.f.bof_buffer_size | intel.log | additional.fields.key/value
    seen.f.bof_buffer | intel.log | additional.fields.key/value
    seen.f.u2_events | intel.log | additional.fields.key/value
    seen.fuid | intel.log | additional.fields.key/value
    matched | intel.log | additional.fields.key/value
    sources | intel.log | additional.fields.key/value
    fuid | intel.log | additional.fields.key/value
    file_mime_type | intel.log | target.file.mime_type
    file_desc | intel.log | additional.fields.key/value
    cif.tags | intel.log | additional.fields.key/value
    cif.confidence | intel.log | additional.fields.key/value
    cif.source | intel.log | additional.fields.key/value
    cif.description | intel.log | additional.fields.key/value
    cif.firstseen | intel.log | additional.fields.key/value
    cif.lastseen | intel.log | additional.fields.key/value
    ts
    notice.log

    notice_alarm.log

    metadata.event_timestamp
    uid
    notice.log

    notice_alarm.log

    network.session_id
    id.orig_h
    notice.log

    notice_alarm.log

    principal.ip
    id.orig_p
    notice.log

    notice_alarm.log

    principal.port
    id.resp_h
    notice.log

    notice_alarm.log

    target.ip
    id.resp_p
    notice.log

    notice_alarm.log

    target.port
    conn.id.orig_h
    notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.id.orig_p
    notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.id.resp_h
    notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.id.resp_p
    notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.orig.size
    notice.log

    notice_alarm.log

    network.sent_bytes
    conn.orig.state
    notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.orig.num_pkts
    notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.orig.num_bytes_ip
    notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.orig.flow_label
    notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.orig.l2_addr
    notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.resp.size
    notice.log

    notice_alarm.log

    network.received_bytes
    conn.resp.state
    notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.resp.num_pkts
    notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.resp.num_bytes_ip
    notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.resp.flow_label
    notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.resp.l2_addr
    notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.start_time
    notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.duration
    notice.log

    notice_alarm.log

    network.session_duration
    conn.service
    notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.history
    notice.log

    notice_alarm.log

    metadata.description
    conn.uid
    notice.log

    notice_alarm.log

    network.session_id
    conn.tunnel.queued
    notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.tunnel.dispatched
    notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.vlan
    notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.inner_vlan
    notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.dpd_state.violations
    notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.removal_hooks
    notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.extract_orig
    notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.extract_resp
    notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.thresholds.orig_byte
    notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.thresholds.resp_byte
    notice.log

    notice_alarm.log

    additional.fields.key/value
    conn.thresholds.orig_packet
    notice.log, notice_alarm.log additional.fields.key/value
    conn.thresholds.resp_packet
    notice.log, notice_alarm.log additional.fields.key/value
    conn.thresholds.duration
    notice.log, notice_alarm.log additional.fields.key/value
    conn.dce_rpc_state.uuid
    notice.log, notice_alarm.log additional.fields.key/value
    conn.dce_rpc_state.named_pipe
    notice.log, notice_alarm.log additional.fields.key/value
    conn.dce_rpc_state.ctx_to_uuid
    notice.log, notice_alarm.log additional.fields.key/value
    conn.dce_rpc_backing
    notice.log, notice_alarm.log additional.fields.key/value
    conn.dns_state.pending_query
    notice.log, notice_alarm.log additional.fields.key/value
    conn.dns_state.pending_queries
    notice.log, notice_alarm.log additional.fields.key/value
    conn.dns_state.pending_replies
    notice.log, notice_alarm.log additional.fields.key/value
    conn.ftp_data_reuse
    notice.log, notice_alarm.log additional.fields.key/value
    conn.http_state.pending
    notice.log, notice_alarm.log additional.fields.key/value
    conn.http_state.current_request
    notice.log, notice_alarm.log additional.fields.key/value
    conn.http_state.current_response
    notice.log, notice_alarm.log additional.fields.key/value
    conn.http_state.trans_depth
    notice.log, notice_alarm.log additional.fields.key/value
    conn.sip_state.pending
    notice.log, notice_alarm.log additional.fields.key/value
    conn.sip_state.current_request
    notice.log, notice_alarm.log additional.fields.key/value
    conn.sip_state.current_response
    notice.log, notice_alarm.log additional.fields.key/value
    conn.smb_state.pending_cmds
    notice.log, notice_alarm.log additional.fields.key/value
    conn.smb_state.fid_map
    notice.log, notice_alarm.log additional.fields.key/value
    conn.smb_state.tid_map
    notice.log, notice_alarm.log additional.fields.key/value
    conn.smb_state.uid_map
    notice.log, notice_alarm.log additional.fields.key/value
    conn.smb_state.pipe_map
    notice.log, notice_alarm.log additional.fields.key/value
    conn.smb_state.recent_files
    notice.log, notice_alarm.log additional.fields.key/value
    conn.smtp_state.messages_transferred
    notice.log, notice_alarm.log additional.fields.key/value
    conn.smtp_state.mime_depth
    notice.log, notice_alarm.log additional.fields.key/value
    conn.known_services_done
    notice.log, notice_alarm.log additional.fields.key/value
    mqtt.ts
    notice.log, notice_alarm.log additional.fields.key/value
    mqtt.uid
    notice.log, notice_alarm.log additional.fields.key/value
    mqtt.id
    notice.log, notice_alarm.log additional.fields.key/value
    mqtt.proto_name
    notice.log, notice_alarm.log additional.fields.key/value
    mqtt.proto_version
    notice.log, notice_alarm.log additional.fields.key/value
    mqtt.client_id
    notice.log, notice_alarm.log additional.fields.key/value
    mqtt.connect_status
    notice.log, notice_alarm.log additional.fields.key/value
    mqtt.will_topic
    notice.log, notice_alarm.log additional.fields.key/value
    mqtt.will_payload
    notice.log, notice_alarm.log additional.fields.key/value
    conn.mqtt_state.publish
    notice.log, notice_alarm.log additional.fields.key/value
    conn.mqtt_state.subscribe
    notice.log, notice_alarm.log additional.fields.key/value
    conn.speculative_service
    notice.log, notice_alarm.log additional.fields.key/value
    iconn.orig_h
    notice.log, notice_alarm.log additional.fields.key/value
    iconn.resp_h
    notice.log, notice_alarm.log additional.fields.key/value
    iconn.itype
    notice.log, notice_alarm.log additional.fields.key/value
    iconn.icode
    notice.log, notice_alarm.log additional.fields.key/value
    iconn.len
    notice.log, notice_alarm.log additional.fields.key/value
    iconn.hlim
    notice.log, notice_alarm.log additional.fields.key/value
    iconn.v6
    notice.log, notice_alarm.log additional.fields.key/value
    f.id
    notice.log, notice_alarm.log additional.fields.key/value
    f.parent_id
    notice.log, notice_alarm.log additional.fields.key/value
    f.source
    notice.log, notice_alarm.log target.file.full_path
    f.is_orig
    notice.log, notice_alarm.log additional.fields.key/value
    f.conns
    notice.log, notice_alarm.log additional.fields.key/value
    f.last_active
    notice.log, notice_alarm.log additional.fields.key/value
    f.seen_bytes
    notice.log, notice_alarm.log additional.fields.key/value
    f.total_bytes
    notice.log, notice_alarm.log additional.fields.key/value
    f.missing_bytes
    notice.log, notice_alarm.log additional.fields.key/value
    f.overflow_bytes
    notice.log, notice_alarm.log additional.fields.key/value
    f.timeout_interval
    notice.log, notice_alarm.log additional.fields.key/value
    f.bof_buffer_size
    notice.log, notice_alarm.log additional.fields.key/value
    f.bof_buffer
    notice.log, notice_alarm.log additional.fields.key/value
    f.u2_events
    notice.log, notice_alarm.log additional.fields.key/value
    fuid
    notice.log, notice_alarm.log additional.fields.key/value
    file_mime_type
    notice.log, notice_alarm.log target.file.mime_type
    file_desc
    notice.log, notice_alarm.log additional.fields.key/value
    proto
    notice.log, notice_alarm.log network.ip_protocol
    note
    notice.log, notice_alarm.log security_result.description
    msg
    notice.log, notice_alarm.log security_result.summary
    sub
    notice.log, notice_alarm.log additional.fields.key/value
    src
    notice.log, notice_alarm.log principal.ip
    dst
    notice.log, notice_alarm.log target.ip
    p
    notice.log, notice_alarm.log target.port
    n
    notice.log, notice_alarm.log additional.fields.key/value
    peer_name
    notice.log, notice_alarm.log additional.fields.key/value
    peer_descr
    notice.log, notice_alarm.log additional.fields.key/value
    actions
    notice.log, notice_alarm.log security_result.action_details
    email_dest
    notice.log, notice_alarm.log network.email.to (repeated)
    email_body_sections
    notice.log, notice_alarm.log network.email.subject (repeated)
    email_delay_tokens
    notice.log, notice_alarm.log additional.fields.key/value
    identifier
    notice.log, notice_alarm.log additional.fields.key/value
    suppress_for
    notice.log, notice_alarm.log additional.fields.key/value
    remote_location.country_code
    notice.log, notice_alarm.log additional.fields.key/value
    remote_location.region
    notice.log, notice_alarm.log principal.asset.location.country_or_region
    remote_location.city
    notice.log, notice_alarm.log principal.asset.location.city
    remote_location.latitude
    notice.log, notice_alarm.log additional.fields.key/value
    remote_location.longitude
    notice.log, notice_alarm.log additional.fields.key/value
    dropped
    notice.log, notice_alarm.log security_result.action_details
    ts
    signatures.log metadata.event_timestamp
    uid
    signatures.log network.session_id
    src_addr
    signatures.log principal.ip
    src_port
    signatures.log principal.port
    dst_addr
    signatures.log target.ip
    dst_port
    signatures.log target.port
    note
    signatures.log security_result.summary
    sig_id
    signatures.log additional.fields.key/value
    event_msg
    signatures.log metadata.description
    sub_msg
    signatures.log additional.fields.key/value
    sig_count
    signatures.log additional.fields.key/value
    host_count
    signatures.log additional.fields.key/value
    ts
    traceroute.log metadata.event_timestamp
    src
    traceroute.log principal.ip
    dst
    traceroute.log target.ip
    proto
    traceroute.log network.ip_protocol

    Network observations

    The following table lists the log fields of the network observations log type and their corresponding UDM fields.

    Original log field Log type UDM field
    ts
    known_certs.log metadata.event_timestamp
    host
    known_certs.log principal.ip
    port_num
    known_certs.log principal.port
    subject
    known_certs.log network.tls.client.certificate.subject
    issuer_subject
    known_certs.log network.tls.client.certificate.issuer
    serial
    known_certs.log network.tls.client.certificate.serial
    ts
    known_hosts.log metadata.event_timestamp
    host
    known_hosts.log principal.ip
    ts
    known_modbus.log metadata.event_timestamp
    host
    known_modbus.log principal.ip
    device_type
    known_modbus.log target.resource.name, target.resource.resource_type = "DEVICE"
    ts
    known_services.log metadata.event_timestamp
    host
    known_services.log principal.ip
    port_num
    known_services.log principal.port
    port_proto
    known_services.log network.ip_protocol
    service
    known_services.log target.application
    ts
    software.log metadata.event_timestamp
    host
    software.log principal.ip
    host_p
    software.log principal.port
    software_type
    software.log principal.resource.resource_subtype
    name
    software.log principal.resource.name
    version.major
    software.log additional.fields.key/value
    version.minor
    software.log additional.fields.key/value
    version.minor2
    software.log additional.fields.key/value
    version.minor3
    software.log additional.fields.key/value
    version.addl
    software.log additional.fields.key/value
    unparsed_version
    software.log additional.fields.key/value
    force_log
    software.log additional.fields.key/value
    url
    software.log metadata.url_back_to_product

    Field mapping reference: Event ID to UDM event type

    To understand how the parser maps log names to UDM event types, refer to the following sections:

    Network protocols

    The following table lists the log names of the network protocols log type and their corresponding UDM event types.

    Log name Description UDM event type
    conn.log
    TCP/UDP/ICMP connections NETWORK_CONNECTION
    dce_rpc.log
    Distributed Computing Environment/RPC NETWORK_CONNECTION
    dhcp.log
    DHCP leases NETWORK_DHCP
    dnp3.log
    DNP3 (Distributed Network Protocol 3) requests and replies NETWORK_CONNECTION
    dns.log
    DNS activity NETWORK_DNS
    ftp.log
    FTP (File Transfer Protocol) activity NETWORK_FTP
    http.log
    HTTP requests and replies NETWORK_HTTP
    irc.log
    IRC (Internet Relay Chat) commands and responses NETWORK_CONNECTION
    kerberos.log
    Kerberos NETWORK_CONNECTION
    modbus.log
    Modbus commands and responses NETWORK_CONNECTION
    modbus_register_change.log
    Tracks changes to Modbus holding registers GENERIC_EVENT
    mysql.log
    MySQL NETWORK_UNCATEGORIZED
    ntlm.log
    NT LAN Manager (NTLM) NETWORK_CONNECTION
    ntp.log
    Network Time Protocol NETWORK_CONNECTION
    radius.log
    RADIUS authentication attempts USER_LOGIN
    rdp.log
    Remote Desktop Protocol (RDP) NETWORK_CONNECTION
    rfb.log
    Remote Framebuffer (RFB) NETWORK_CONNECTION
    sip.log
    Session Initiation Protocol (SIP) NETWORK_UNCATEGORIZED
    smb_cmd.log
    SMB (Server Message Block) commands NETWORK_CONNECTION
    smb_files.log
    SMB (Server Message Block) files NETWORK_UNCATEGORIZED
    smb_mapping.log
    SMB (Server Message Block) trees NETWORK_CONNECTION
    smtp.log
    SMTP (Simple Mail Transfer Protocol) transactions NETWORK_SMTP
    snmp.log
    SNMP (Simple Network Management Protocol) messages NETWORK_UNCATEGORIZED
    socks.log
    SOCKS proxy requests NETWORK_CONNECTION
    ssh.log
    SSH (Secure Shell) connections NETWORK_UNCATEGORIZED
    ssl.log
    SSL (Secure Sockets Layer)/TLS (Transport Layer Security) handshake info NETWORK_HTTP, NETWORK_CONNECTION
    syslog.log
    Syslog messages NETWORK_CONNECTION
    tunnel.log
    Tunneling protocol events NETWORK_CONNECTION

    Files

    The following table lists the log names of the files log type and their corresponding UDM event types.

    Log name Description UDM event type
    files.log
    File analysis results NETWORK_UNCATEGORIZED
    ocsp.log
    If the policy script is loaded, the Online Certificate Status Protocol (OCSP) log is created. GENERIC_EVENT
    pe.log
    Portable Executable (PE) GENERIC_EVENT
    x509.log
    X.509 certificate info GENERIC_EVENT

    Netcontrol

    The following table lists the log names of the netcontrol log type and their corresponding UDM event types.

    Log name Description UDM event type
    netcontrol.log
    NetControl actions GENERIC_EVENT
    netcontrol_drop.log
    NetControl actions STATUS_UPDATE
    netcontrol_shunt.log
    NetControl shunt actions STATUS_UPDATE
    netcontrol_catch_release.log
    NetControl catch and release actions GENERIC_EVENT
    openflow.log
    OpenFlow debug log GENERIC_EVENT

    Detection

    The following table lists the log names of the detection log type and their corresponding UDM event types.

    Log name Description UDM event type
    intel.log
    Intelligence data matches GENERIC_EVENT
    notice.log
    Zeek notices NETWORK_CONNECTION
    notice_alarm.log
    The alarm stream NETWORK_CONNECTION
    signatures.log
    Signature matches GENERIC_EVENT
    traceroute.log
    Traceroute detection NETWORK_UNCATEGORIZED

    Network observations

    The following table lists the log names of the network observations log type and their corresponding UDM event types.

    Log name Description UDM event type
    known_certs.log
    SSL certificates GENERIC_EVENT
    known_hosts.log
    Hosts that completed TCP handshakes GENERIC_EVENT
    known_modbus.log
    Modbus master and secondary GENERIC_EVENT
    known_services.log
    Services running on hosts GENERIC_EVENT
    software.log
    Software used on the network GENERIC_EVENT
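The following Python script is an added illustration of how the two kinds of tables on this page (the Detection field-mapping table for notice.log, notice_alarm.log and signatures.log, and the log-name-to-UDM-event-type tables) combine when one Zeek JSON record becomes a UDM event. It is not the Google Security Operations BRO_JSON parser and encodes only rows visible on this page; fields the table routes to additional.fields.key/value, and any field not listed here, land under additional.fields in this toy, which the real parser may handle differently. The sample notice.log and signatures.log lines are constructed, and the record layout assumes Zeek's JSON writer, which flattens nested record fields into dotted keys such as remote_location.region.

```python
"""Illustrative Zeek JSON -> UDM mapping based on the tables on this page.

Added example; it is not the Google SecOps BRO_JSON parser and covers only
the rows it needs from the Detection tables above.
"""
import json

# Field -> UDM path, from the Detection field-mapping table. Anything absent
# here is treated like a "additional.fields.key/value" row.
FIELD_MAP = {
    "notice.log": {
        "proto": "network.ip_protocol",
        "note": "security_result.description",
        "msg": "security_result.summary",
        "src": "principal.ip",
        "dst": "target.ip",
        "p": "target.port",
        "actions": "security_result.action_details",
        "email_dest": "network.email.to",
        "email_body_sections": "network.email.subject",
        "file_mime_type": "target.file.mime_type",
        "f.source": "target.file.full_path",
        "remote_location.region": "principal.asset.location.country_or_region",
        "remote_location.city": "principal.asset.location.city",
        "dropped": "security_result.action_details",
    },
    "signatures.log": {
        "ts": "metadata.event_timestamp",
        "uid": "network.session_id",
        "src_addr": "principal.ip",
        "src_port": "principal.port",
        "dst_addr": "target.ip",
        "dst_port": "target.port",
        "note": "security_result.summary",
        "event_msg": "metadata.description",
    },
}
FIELD_MAP["notice_alarm.log"] = FIELD_MAP["notice.log"]  # same row set

# UDM paths the table marks "(repeated)" are lists.
REPEATED = {"network.email.to", "network.email.subject"}

# Log name -> UDM event type, from the Detection event-type table.
EVENT_TYPE = {
    "intel.log": "GENERIC_EVENT",
    "notice.log": "NETWORK_CONNECTION",
    "notice_alarm.log": "NETWORK_CONNECTION",
    "signatures.log": "GENERIC_EVENT",
    "traceroute.log": "NETWORK_UNCATEGORIZED",
}


def _set_path(udm, dotted, value):
    """Store value at a dotted UDM path, extending a list for repeated fields."""
    parts = dotted.split(".")
    node = udm
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    if dotted in REPEATED:
        items = value if isinstance(value, list) else [value]
        node.setdefault(parts[-1], []).extend(items)
    else:
        node[parts[-1]] = value


def to_udm(log_name, record):
    """Map one decoded Zeek JSON record to a UDM-shaped dict."""
    if log_name not in EVENT_TYPE:
        raise ValueError(f"no event type documented for {log_name}")
    udm = {"metadata": {"event_type": EVENT_TYPE[log_name], "log_type": "BRO_JSON"}}
    mapping = FIELD_MAP.get(log_name, {})
    for key, value in record.items():
        target = mapping.get(key)
        if target is None:
            # No dedicated UDM field on this page: keep it as a key/value pair.
            udm.setdefault("additional", {}).setdefault("fields", {})[key] = value
        else:
            _set_path(udm, target, value)
    return udm


def parse_line(log_name, line):
    """Decode one JSON line as forwarded by NXLog and map it to UDM."""
    return to_udm(log_name, json.loads(line))


# Constructed sample records (not real traffic) in Zeek JSON-writer shape.
SAMPLE_NOTICE = json.dumps({
    "note": "SSL::Invalid_Server_Cert",
    "msg": "SSL certificate validation failed with (self signed certificate)",
    "src": "10.0.0.5", "dst": "10.0.0.9", "p": 443, "proto": "tcp",
    "actions": ["Notice::ACTION_LOG", "Notice::ACTION_EMAIL"],
    "email_dest": ["soc@example.com"],
    "suppress_for": 3600.0,
    "remote_location.region": "ZZ", "remote_location.city": "Example City",
})
SAMPLE_SIGNATURE = json.dumps({
    "ts": 1700000000.0, "uid": "CExample1", "src_addr": "10.0.0.5",
    "src_port": 51234, "dst_addr": "10.0.0.9", "dst_port": 80,
    "note": "Signatures::Sensitive_Signature", "sig_id": "example-sig",
    "event_msg": "10.0.0.5: example signature match", "sig_count": 1,
})

if __name__ == "__main__":
    print(json.dumps(parse_line("notice.log", SAMPLE_NOTICE), indent=2))
    print(json.dumps(parse_line("signatures.log", SAMPLE_SIGNATURE), indent=2))
```

Running the script prints both UDM-shaped events; the useful part for rule authors is seeing which values end up under dedicated paths (security_result.summary, principal.ip) and which are only reachable through additional.fields, since that decides how a detection rule must reference them.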

    What's next
