Zeek Log Format Cheat Sheet

Sometimes you want to quickly know the format of a Zeek log file. Check out this web page that links to all the native Zeek log record definitions:

https://docs.zeek.org/en/master/script-reference/log-files.html

Clicking on “Conn::Info”, for example, will send you to the conn.log format specification. Now you can quickly see all the possible values of “conn_state” or decipher the meaning behind the “history” field.

This is much faster than looking at Zeek script to find record definitions!
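As an added example (not code from the original post), here is the lookup the post describes turned into a small decoder for the two conn.log fields it names, using the meanings given in Zeek's Conn::Info documentation; the sample history string in the docstring is constructed.

```python
# Added example (not from the page): decode conn_state and history
# using the meanings Zeek's Conn::Info documentation gives them.
# history: uppercase = sent by originator, lowercase = by responder.
HISTORY_LETTERS = {
    "s": "SYN without ACK",
    "h": "SYN+ACK (handshake)",
    "a": "pure ACK",
    "d": "packet with payload (data)",
    "f": "FIN set",
    "r": "RST set",
    "c": "bad checksum",
    "g": "content gap",
    "t": "retransmitted payload",
    "w": "zero window advertisement",
    "i": "inconsistent packet (e.g. FIN+RST)",
    "q": "multi-flag packet (SYN+FIN or SYN+RST)",
    "^": "connection direction flipped by Zeek's heuristic",
}

CONN_STATES = {
    "S0": "connection attempt seen, no reply",
    "S1": "connection established, not terminated",
    "SF": "normal establishment and termination",
    "REJ": "connection attempt rejected",
    "S2": "established, originator sent close, no reply from responder",
    "S3": "established, responder sent close, no reply from originator",
    "RSTO": "established, originator aborted (RST)",
    "RSTR": "established, responder aborted (RST)",
    "RSTOS0": "originator sent SYN then RST, no SYN-ACK seen",
    "RSTRH": "responder sent SYN-ACK then RST, no SYN seen",
    "SH": "originator sent SYN then FIN, no SYN-ACK (half-open)",
    "SHR": "responder sent SYN-ACK then FIN, no SYN seen",
    "OTH": "no SYN seen, just midstream traffic",
}

def decode_history(history):
    """Expand e.g. the constructed 'ShADadFf' into (who, meaning) pairs."""
    decoded = []
    for ch in history:
        meaning = HISTORY_LETTERS.get(ch.lower())
        if meaning is None:
            raise ValueError(f"unknown history token {ch!r}")
        who = "zeek" if ch == "^" else ("originator" if ch.isupper() else "responder")
        decoded.append((who, meaning))
    return decoded

def decode_conn_state(state):
    """Look up a conn_state value; unknown values are reported, not guessed."""
    return CONN_STATES.get(state, f"unknown conn_state {state!r}")
```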

Transcript:

00:00:00:00 – 00:00:20:24
Keith
Hey, welcome. My name is Keith Jones, and I’m going to walk you through a cheat sheet that I use to find the format of Zeek default logs. Now, what I’m going to do is put this website that I have on your screen right now, I’m going to put this in the description so that way you can go directly to it.

00:00:20:26 – 00:00:45:27
Keith
Now, what this is, is it’s a web page on the Zeek Documentation website and it outlines all the different default logs that Zeek can log if you just install vanilla Zeek. Now, as you scroll down this list, you can see it’s pretty long. I mean, there’s a lot of things it supports in here by default, but what you might not know is you can click on this right here column.

00:00:45:28 – 00:01:11:05
Keith
So for instance, the conn log, which is the most popular log, has some fields in it, like conn state or history. I always forget what they are, so I need to go look them up in a glossary of sorts, and this is where you can find it. So if you just click on there, that field description, you can see now we have all the fields to the conn log.

00:01:11:08 – 00:01:34:20
Keith
And like I said earlier, if you’re interested in conn state, I’ll scroll down here for you and you can see it’s right there. And here’s all the different conn states you could see there. Pretty cool. Human language, too. And if you’re interested in history, I can never remember what the tokens are here. Scroll down. You got the history field, and here’s all the different letters and what they mean.

00:01:34:22 – 00:01:39:22
Keith
So that way you can decipher a history field, a lot faster than before, hopefully.

00:01:39:22 – 00:02:04:06
Keith
And again, I’ll take this website and I’ll put it in the description so that way you can just get to this very quickly. So with that, it was just a very, very fast update of a website I wanted to share because this is a website that I use sometimes daily, but definitely several times a week when I have to look up things and I wanted to pass it along since I use it so much.

00:02:04:12 – 00:02:11:14
Keith
So I’d appreciate it and I hope you’ll join me on one of my other Zeek videos soon. Thanks. Bye.