Partners
          Get Started
          Get Started

          Discover Zeek data

          Complete, coherent, interconnected

          For decades, the world's best defenders have relied on Zeek network data because it's impressively rich and highly flexible. Dig into these Zeek logs from Corelight to learn how they speed response, amplify hunting, and more.

          Discover Zeek data

          conn.log

          Zeek's conn.log provides foundational data about every connection on your network — the who, what, when, and where of your packets. It allows network and security teams to find things like unusual flows, unexpected protocols, and policy-prohibited connections, and comes with a UID that lets analysts pivot straight into the Layer 7 details for deeper investigation.

          conn log

          Zeek's conn.log provides foundational data about every connection on your network — the who, what, when, and where of your packets. It allows network and security teams to find things like unusual flows, unexpected protocols, and policy-prohibited connections, and comes with a UID that lets analysts pivot straight into the Layer 7 details for deeper investigation.

          uid
          A unique identifier created on a per-connection basis that serves as a pivot key directly into all associated Layer 7 logs

          service
          The Layer 7 protocol detected on the connection — based on packet payload instead of port mappings

          orig_bytes/resp_bytes
          How much data was sent and received on the connection

          duration
          How long the connection remained alive

          dns.log

          Zeek's dns.log dives deeper than the DNS logs most administrators are used to — providing not just the query string and type, but also the returned addresses and server status code. That level of detail allows for easy follow-up on suspicious queries, without the hassle of pivoting to a different data set.

          dns log

          Zeek's dns.log dives deeper than the DNS logs most administrators are used to — providing not just the query string and type, but also the returned addresses and server status code. That level of detail allows for easy follow-up on suspicious queries, without the hassle of pivoting to a different data set.

          answers
          A list of all domain names and/or IP addresses sent back by the DNS server

          qtype_name
          Type of query being issued - IPv4, IPv6, mail, CNAME, etc

          query
          The name being looked up by your monitored device

          rcode_name
          Human-readable server respose codes, like NXDOMAIN or NOERROR

          corelight_suricata.log

          The corelight_suricata.log gives you a full breakdown of IDS signatures that alert in your environment. They're directly integrated with Zeek metadata by way of the UID, which allows analysts to get all the evidence they need to evaluate alerts in a single pivot.

          corelight log

          The corelight_suricata.log gives you a full breakdown of IDS signatures that alert in your environment. They're directly integrated with Zeek metadata by way of the UID, which allows analysts to get all the evidence they need to evaluate alerts in a single pivot.

          alert_signature
          Description of what the signature is detecting

          alert.metadata
          Details about the signature, including age, deployment recommendations, impacted software, etc

          alert.category
          Type of activity being detected, such as administrator account compromise, known malware, or policy violation

          alert.signature_id
          Numeric ID to identify the source of the signature and pivot to its detection criteria for validation

          ssl.log

          Zeek's ssl.log is a deep parsing of SSL connections, with details on certificates, ciphers, and protocol versions. In conjunction with the linked x509.log, it gives you every detail you need about an encrypted connection, with no decryption necessary.

          ssl log

          Zeek's ssl.log is a deep parsing of SSL connections, with details on certificates, ciphers, and protocol versions. In conjunction with the linked x509.log, it gives you every detail you need about an encrypted connection, with no decryption necessary.

          subject
          The name of the organization providing the encrypted service

          ja3
          A popular, open source connection fingerprinting mechanism for secure servers/clients

          validation_status
          Calls out self-signed, expired, or brand-new certificates, as well as issues with the certificate trust chain

          version
          TLS/SSL version data for locating deprecated encryption implementations

          Free Zeek cheatsheets

          A selection of our most popular log cheatsheets

          Free Zeek cheatsheets
          Free Zeek cheatsheets