# Zeek 로그 ## 개요 Panther는 일반적인 방법으로 Zeek 로그를 수집하는 것을 지원합니다 [데이터 전송](/ko/data-onboarding/data-transports.md) 옵션: Amazon Web Services(AWS) S3 및 SQS. ## Zeek 로그를 Panther에 온보딩하는 방법 이 로그를 Panther로 가져오려면: 1. Panther Console의 왼쪽 탐색 모음에서 **구성하세요.** > **로그 소스**. 2. 을 클릭한 다음 **새로 만들기**. 3. 온보딩하려는 로그 유형을 검색한 다음 해당 타일을 클릭합니다. 4. 이 통합에 사용할 데이터 전송 방법을 선택한 다음, 해당 방법을 구성하기 위한 Panther의 지침을 따르세요: 1. [AWS SQS](/ko/data-onboarding/data-transports/aws/sqs.md) 2. [AWS S3 버킷](/ko/data-onboarding/data-transports/aws/s3.md) 5. Zeek를 구성하여 로그를 Data Transport 소스로 푸시합니다. * 선택한 Data Transport 소스로 로그를 푸시하는 방법은 Zeek 문서를 참조하세요. ## 지원되는 로그 유형 ### Zeek.CaptureLoss Zeek CaptureLoss는 패킷 캡처 프로세스가 측정 손실을 겪는 정도에 대한 근거를 기록합니다. 참조: [Capture Loss](https://docs.zeek.org/en/master/scripts/policy/misc/capture-loss.zeek.html) ```yaml schema: Zeek.CaptureLoss description: Zeek CaptureLoss. 패킷 캡처 프로세스가 측정 손실을 겪는 정도에 대한 근거를 기록합니다 referenceURL: https://docs.zeek.org/en/master/scripts/policy/misc/capture-loss.zeek.html fields: - name: acks required: true type: bigint - name: gaps required: true type: bigint - name: peer required: true type: string - name: percent_lost required: true type: float - name: ts required: true type: timestamp timeFormats: - unix isEventTime: true - name: ts_delta required: true type: float ``` ### Zeek.Conn 참조: [conn.log](https://docs.zeek.org/en/master/logs/conn.html) ```yaml schema: Zeek.Conn description: Zeek Conn referenceURL: https://docs.zeek.org/en/master/logs/conn.html fields: - 이름: service type: string - name: duration type: float - name: orig_bytes type: bigint - name: resp_bytes type: bigint - name: history type: string - name: conn_state required: true type: string - name: id.orig_h required: true type: string indicators: - ip - name: id.orig_p required: true type: bigint - name: id.resp_h required: true type: string indicators: - ip - name: id.resp_p required: true type: bigint - name: local_orig required: true type: boolean - name: local_resp required: true type: boolean - name: missed_bytes required: true type: bigint - name: orig_ip_bytes required: true type: bigint - name: orig_pkts required: true type: bigint - 이름: proto required: true type: string - name: resp_ip_bytes required: true type: bigint - name: resp_pkts required: true type: bigint - name: ts required: true type: timestamp timeFormats: - unix isEventTime: true - 이름: uid required: true type: string indicators: - trace_id - name: uid2 type: string indicators: - trace_id ``` ### Zeek.DHCP 참조: [dhcp.log](https://docs.zeek.org/en/master/logs/dhcp.html) ```yaml schema: Zeek.DHCP description: Zeek DHCP referenceURL: https://docs.zeek.org/en/master/logs/dhcp.html fields: - name: host_name type: string indicators: - 도메인 - name: requested_addr type: string indicators: - ip - name: duration required: true type: float - name: mac required: true type: string indicators: - mac - name: msg_types required: true type: array element: type: string - name: ts required: true type: timestamp timeFormats: - unix isEventTime: true - name: uids required: true type: array element: type: string indicators: - trace_id ``` ### Zeek.DNS Zeek DNS 활동 참조: [Zeek 문서 - DNS::info](https://docs.zeek.org/en/current/scripts/base/protocols/dns/main.zeek.html#type-DNS::Info) ```yaml schema: Zeek.DNS description: Zeek DNS 활동 referenceURL: https://docs.zeek.org/en/current/scripts/base/protocols/dns/main.zeek.html#type-DNS::Info fields: - name: ts required: true description: 연결된 연결을 통해 DNS 프로토콜 메시지가 관찰되는 가장 이른 시각. type: timestamp timeFormats: - unix isEventTime: true - 이름: uid required: true description: DNS 메시지가 전송되는 연결의 고유 식별자. type: string - name: id.orig_h required: true description: 발신자의 IP 주소. type: string indicators: - ip - name: id.orig_p required: true description: 발신자의 포트 번호. 유형: int - name: id.resp_h required: true description: 응답자의 IP 주소. type: string indicators: - ip - name: id.resp_p required: true description: 응답자의 포트 번호. 유형: int - 이름: proto required: true description: 연결의 전송 계층 프로토콜. type: string - name: trans_id description: DNS 쿼리를 생성한 프로그램이 할당한 16비트 식별자. 응답에서도 진행 중인 쿼리에 대한 응답을 대응시키는 데 사용됨. 유형: int - 이름: query description: DNS 쿼리의 대상이 되는 도메인 이름. type: string indicators: - 도메인 - name: qclass description: 쿼리의 클래스를 지정하는 QCLASS 값. type: bigint - name: qclass_name description: 쿼리 클래스의 설명적인 이름. type: string - name: qtype description: 쿼리의 유형을 지정하는 QTYPE 값. type: bigint - name: qtype_name description: 쿼리 유형의 설명적인 이름. type: string - name: rcode description: DNS 응답 메시지의 응답 코드 값. type: bigint - name: rcode_name description: 응답 코드 값의 설명적인 이름. type: string - name: AA description: 응답 메시지의 Authoritative Answer 비트는 응답하는 이름 서버가 질문 섹션의 도메인 이름에 대한 권한자임을 지정합니다. type: boolean - name: TC description: Truncation 비트는 메시지가 잘렸음을 지정합니다. type: boolean - name: RD description: 요청 메시지의 Recursion Desired 비트는 클라이언트가 이 쿼리에 대해 재귀 서비스를 원함을 나타냅니다. type: boolean - name: RA description: 응답 메시지의 Recursion Available 비트는 이름 서버가 재귀 쿼리를 지원함을 나타냅니다. type: boolean - name: Z description: 일반적으로 쿼리와 응답에서 0인 예약 필드. type: bigint - name: answers description: 쿼리 응답의 리소스 설명 집합. type: array element: type: string indicators: - hostname - name: TTLs description: answers 필드에 설명된 관련 RR의 캐시 간격(초 단위). type: array element: type: float - name: rejected description: DNS 쿼리가 서버에 의해 거부됨. type: boolean ``` ### Zeek.DPD Zeek 동적 프로토콜 디택션. 참조: [dpd.log](https://docs.zeek.org/en/master/logs/dpd.html) ```yaml schema: Zeek.DPD description: Zeek 동적 프로토콜 디택션 referenceURL: https://docs.zeek.org/en/master/logs/dpd.html fields: - name: analyzer required: true type: string - name: failure_reason required: true type: string - name: id.orig_h required: true type: string indicators: - ip - name: id.orig_p required: true type: bigint - name: id.resp_h required: true type: string indicators: - ip - name: id.resp_p required: true type: bigint - 이름: proto required: true type: string - name: ts required: true type: timestamp timeFormats: - unix isEventTime: true - 이름: uid required: true type: string indicators: - trace_id ``` ### Zeek.Files 참조: [files.log](https://docs.zeek.org/en/master/logs/files.html) ```yaml schema: Zeek.Files description: Zeek Files referenceURL: https://docs.zeek.org/en/master/logs/files.html fields: - name: analyzers required: true type: array element: type: string - name: conn_uids required: true type: array element: type: string indicators: - trace_id - name: depth required: true type: bigint - name: duration required: true type: float - name: fuid required: true type: string indicators: - trace_id - name: is_orig required: true type: boolean - name: local_orig required: true type: boolean - name: md5 required: true type: string indicators: - md5 - name: mime_type type: string - name: missing_bytes required: true type: bigint - name: overflow_bytes required: true type: bigint - name: rx_hosts required: true type: array element: type: string indicators: - ip - name: seen_bytes required: true type: bigint - name: sha1 required: true type: string indicators: - sha1 - name: source required: true type: string - name: timedout required: true type: boolean - name: ts required: true type: timestamp timeFormats: - unix isEventTime: true - name: tx_hosts required: true type: array element: type: string indicators: - ip ``` ### Zeek.HTTP 참조: [http.log](https://docs.zeek.org/en/master/logs/http.html) ```yaml schema: Zeek.HTTP description: Zeek HTTP 활동 referenceURL: https://docs.zeek.org/en/master/scripts/base/protocols/http/main.zeek.html#type-HTTP::Info fields: - name: ts required: true type: timestamp timeFormats: - unix isEventTime: true - 이름: uid required: true type: string indicators: - trace_id - name: id.orig_h required: true type: string indicators: - ip - name: id.orig_p required: true type: bigint - name: id.resp_h required: true type: string indicators: - ip - name: id.resp_p required: true type: bigint - name: trans_depth required: true type: bigint - 이름: method type: string - 이름: host type: string indicators: - 도메인 - name: uri type: string - name: referrer type: string - 이름: version type: string - 이름: user_agent type: string - name: origin type: string - name: request_body_len type: bigint - name: response_body_len type: bigint - 이름: status_code type: bigint - name: status_msg type: string - name: info_code type: bigint - name: info_msg type: string - name: tags required: true type: json - 이름: username type: string - name: password type: string - name: capture_password type: boolean - name: proxied type: array element: type: string - name: range_request type: boolean - name: orig_fuids type: array element: type: string indicators: - trace_id - name: orig_filenames type: array element: type: string - name: orig_mime_types type: array element: type: string - name: resp_fuids type: array element: type: string indicators: - trace_id - name: resp_filenames type: array element: type: string - name: resp_mime_types type: array element: type: string - name: current_entity type: json - name: orig_mime_depth type: bigint - name: resp_mime_depth type: bigint - name: client_header_names type: array element: type: string - name: server_header_names type: array element: type: string - name: omniture type: boolean - name: flash_version type: string - name: cookie_vars type: array element: type: string - name: uri_vars type: array element: type: string ``` ### Zeek.KnownHosts Zeek Known Hosts - TCP 연결을 완료한 호스트를 추적합니다. 참조: [known-hosts.log](https://docs.zeek.org/en/master/scripts/policy/protocols/conn/known-hosts.zeek.html) ```yaml schema: Zeek.KnownHosts description: Zeek Known Hosts - TCP 연결을 완료한 호스트를 추적합니다 referenceURL: https://docs.zeek.org/en/master/scripts/policy/protocols/conn/known-hosts.zeek.html fields: - name: ts required: true description: 호스트가 탐지된 시각. type: timestamp timeFormats: - unix isEventTime: true - 이름: host required: true description: TCP 연결의 발신 또는 응답으로 탐지된 주소. type: string indicators: - ip ``` ### Zeek.KnownServices known-services 로그의 열 필드를 포함하는 레코드 유형. 참조: [known-services.log](https://docs.zeek.org/en/master/scripts/policy/protocols/conn/known-services.zeek.html) ```yaml schema: Zeek.KnownServices description: known-services 로그의 열 필드를 포함하는 레코드 유형 referenceURL: https://docs.zeek.org/en/master/scripts/policy/protocols/conn/known-services.zeek.html fields: - name: ts required: true description: 서비스가 관찰된 시각 type: timestamp timeFormats: - unix isEventTime: true - 이름: host required: true description: 서비스를 제공하는 시스템의 IP 주소 type: string indicators: - ip - name: port_num required: true description: 서비스가 실행 중인 포트 번호 type: bigint - name: port_proto required: true description: 서비스가 사용하는 전송 계층 프로토콜 type: string - 이름: service required: true description: 서비스의 연결 페이로드와 일치하는 프로토콜 집합 type: array element: type: string ``` ### Zeek.Notice 참조: [notice.log](https://docs.zeek.org/en/master/frameworks/notice.html) ```yaml schema: Zeek.Notice description: Zeek Notice 활동 referenceURL: https://docs.zeek.org/en/master/frameworks/notice.html fields: - name: actions required: true type: array element: type: string - name: email_dest type: array element: type: string - name: dst type: string indicators: - ip - name: fuid type: string indicators: - trace_id - name: id.orig_h type: string indicators: - ip - name: id.orig_p type: bigint - name: id.resp_h type: string indicators: - ip - name: id.resp_p type: bigint - name: msg required: true type: string - name: note required: true type: string - name: p type: bigint - 이름: proto type: string - name: src type: string indicators: - ip - name: sub type: string - name: suppress_for required: true type: float - name: ts required: true type: timestamp timeFormats: - unix isEventTime: true - 이름: uid type: string indicators: - trace_id ``` ### Zeek.NTP 참조: [ntp.log](ttps://docs.zeek.org/en/master/logs/ntp.html) ```yaml schema: Zeek.NTP description: Zeek 네트워크 시간 프로토콜 활동 referenceURL: https://docs.zeek.org/en/master/logs/ntp.html fields: - name: id.orig_h required: true type: string indicators: - ip - name: id.orig_p required: true type: bigint - name: id.resp_h required: true type: string indicators: - ip - name: id.resp_p required: true type: bigint - name: mode required: true type: bigint - name: num_exts required: true type: bigint - name: org_time required: true type: float - name: poll required: true type: float - name: precision required: true type: float - name: rec_time required: true type: float - name: ref_id required: true type: string - name: ref_time required: true type: float - name: root_delay required: true type: float - name: root_disp required: true type: float - name: stratum required: true type: bigint - name: ts required: true type: timestamp timeFormats: - unix isEventTime: true - 이름: uid required: true type: string indicators: - trace_id - 이름: version required: true type: bigint - name: xmt_time required: true type: float ``` ### Zeek.OCSP 참조: [ocsp.log](https://docs.zeek.org/en/master/scripts/base/files/x509/log-ocsp.zeek.html) ```yaml schema: Zeek.OCSP description: Zeek 온라인 인증서 상태 프로토콜 활동 referenceURL: https://docs.zeek.org/en/v4.0.0/scripts/policy/files/x509/log-ocsp.zeek.html fields: - name: certStatus required: true type: string - name: hashAlgorithm required: true type: string - name: id required: true type: string - name: issuerKeyHash required: true type: string - name: issuerNameHash required: true type: string - name: nextUpdate required: true type: timestamp timeFormats: - unix - name: serialNumber required: true type: string - name: revoketime type: timestamp timeFormats: - unix - name: revokereason type: string - name: thisUpdate required: true type: timestamp timeFormats: - unix - name: ts required: true type: timestamp timeFormats: - unix isEventTime: true ``` ### Zeek.Reporter Zeek 내부 경고 및 오류. 참조: [reporter.log](https://docs.zeek.org/en/master/logs/capture-loss-and-reporter.html) ```yaml schema: Zeek.Reporter description: Zeek 내부 경고 및 오류 referenceURL: https://docs.zeek.org/en/master/logs/capture-loss-and-reporter.html fields: - name: level required: true type: string - name: location required: true type: string - name: message required: true type: string - name: ts required: true type: timestamp timeFormats: - unix isEventTime: true ``` ### Zeek.SIP 이 스키마는 Zeek SIP 분석 로그를 나타냅니다. 참조: [sip.log](https://docs.zeek.org/en/master/scripts/base/protocols/sip/main.zeek.html#id2) ```yaml schema: Zeek.SIP description: Zeek SIP 분석 referenceURL: https://docs.zeek.org/en/master/scripts/base/protocols/sip/main.zeek.html#id2 fields: - name: ts required: true type: timestamp timeFormats: - unix - 이름: uid required: true type: string indicators: - trace_id - name: id.orig_h required: true type: string indicators: - ip - name: id.orig_p required: true type: bigint - name: id.resp_h required: true type: string indicators: - ip - name: id.resp_p required: true type: bigint - name: trans_depth required: true type: bigint - 이름: method type: string - name: uri type: string - name: date type: string - name: request_from type: string - name: request_to type: string - name: response_from type: string - name: response_to type: string - name: reply_to type: string - name: call_id type: string - name: seq type: string - name: subject type: string - 이름: request_path type: array element: type: string - name: response_path type: array element: type: string - 이름: user_agent type: string - 이름: status_code type: bigint - name: status_msg type: string - name: warning type: string - name: request_body_len type: bigint - name: response_body_len type: bigint - name: content_type type: string ``` ### Zeek.Software 참조: [software.log](https://docs.zeek.org/en/master/logs/known-and-software.html#software-log) ```yaml schema: Zeek.Software description: Zeek Software 활동 referenceURL: https://docs.zeek.org/en/master/logs/known-and-software.html#software-log fields: - name: host_p description: host_p type: bigint - name: version.addl description: version.addl type: string - name: version.minor2 description: version.minor2 type: string - name: version.minor3 description: version.minor3 type: string - name: version.minor description: version.minor type: string - 이름: host required: true description: host type: string indicators: - ip - 이름: name required: true description: name type: string - name: software_type required: true description: software_type type: string - name: ts required: true description: ts type: timestamp timeFormat: unix isEventTime: true - name: unparsed_version required: true description: unparsed_version type: string - name: version.major description: version.major type: bigint ``` ### Zeek.SSH 참조: [ssh.log](https://docs.zeek.org/en/master/logs/ssh.html) ```yaml schema: Zeek.Ssh description: Zeek ssh 활동 referenceURL: https://docs.zeek.org/en/current/scripts/base/protocols/ssh/main.zeek.html#type-SSH::Info fields: - name: ts required: true type: timestamp timeFormats: - unix isEventTime: true - 이름: uid required: true type: string indicators: - trace_id - name: id.orig_h required: true type: string indicators: - ip - name: id.orig_p required: true type: bigint - name: id.resp_h required: true type: string indicators: - ip - name: id.resp_p required: true type: bigint - 이름: version type: string - name: auth_success type: boolean - name: auth_attempts type: bigint - 이름: direction type: string - name: client type: string - name: server type: string - name: cipher_alg type: string - name: mac_alg type: string - name: compression_alg type: string - name: kex_alg type: string - name: host_key_alg type: string - name: host_key type: string ``` ### Zeek.SSL 참조: [ssl.log](https://docs.zeek.org/en/master/logs/ssl.html) ````yaml schema: Zeek.Ssl description: Zeek SSL 활동 referenceURL: https://docs.zeek.org/en/master/logs/ssl.html fields: - name: next_protocol type: string - name: cert_chain_fps type: array element: type: string - name: sni_matches_cert type: boolean - name: validation_status type: string - name: curve type: string - name: cipher type: string - name: established required: true type: boolean - name: id.orig_h required: true type: string indicators: - ip - name: id.orig_p required: true type: bigint - name: id.resp_h required: true type: string indicators: - ip - name: id.resp_p required: true type: bigint - name: resumed required: true type: boolean - name: server_name type: string indicators: - 도메인 - name: ssl_history required: true type: string - name: ts required: true type: timestamp timeFormats: - unix isEventTime: true - 이름: uid required: true type: string indicators: - trace_id - 이름: version type: string ``` ```` ### Zeek.Stats 참조: [stats.log](https://docs.zeek.org/en/master/scripts/policy/misc/stats.zeek.html) ```yaml schema: Zeek.Stats description: Zeek 로그 메모리/패킷/지연 통계. referenceURL: https://docs.zeek.org/en/master/scripts/policy/misc/stats.zeek.html fields: - name: active_dns_requests required: true type: bigint - name: active_files required: true type: bigint - name: active_icmp_conns required: true type: bigint - name: active_tcp_conns required: true type: bigint - name: active_timers required: true type: bigint - name: active_udp_conns required: true type: bigint - name: bytes_recv required: true type: bigint - name: dns_requests required: true type: bigint - name: events_proc required: true type: bigint - name: events_queued required: true type: bigint - name: files required: true type: bigint - name: icmp_conns required: true type: bigint - name: mem required: true type: bigint - name: peer required: true type: string - name: pkt_lag required: true type: float - name: pkts_dropped required: true type: bigint - name: pkts_link required: true type: bigint - name: pkts_proc required: true type: bigint - name: reassem_file_size required: true type: bigint - name: reassem_frag_size required: true type: bigint - name: reassem_tcp_size required: true type: bigint - name: reassem_unknown_size required: true type: bigint - name: tcp_conns required: true type: bigint - name: timers required: true type: bigint - name: ts required: true type: timestamp timeFormats: - unix isEventTime: true - name: udp_conns required: true type: bigint ``` ### Zeek.Telemetry 카운터 및 게이지 메트릭을 기록하는 데 사용되는 레코드 유형. 참조: [telemetry.log](https://docs.zeek.org/en/master/scripts/policy/frameworks/telemetry/log.zeek.html) ```yaml schema: Zeek.Telemetry description: 카운터 및 게이지 메트릭을 기록하는 데 사용되는 레코드 유형 referenceURL: https://docs.zeek.org/en/master/scripts/policy/frameworks/telemetry/log.zeek.html fields: - name: ts required: true description: 보고 시각 type: timestamp timeFormats: - unix isEventTime: true - name: peer required: true description: 이 로그를 생성한 Peer(메트릭이 발생한 클러스터 노드를 식별함) type: string - name: metric_type required: true description: 기본 메트릭 유형에 따라 "counter" 또는 "gauge" 값을 포함함 type: string - 이름: name required: true description: 메트릭의 이름 type: string - name: labels required: true description: 개별 레이블의 이름 type: array element: type: string - name: label_values required: true description: labels에 나열된 레이블의 값 type: array element: type: string - 이름: value required: true description: 이 메트릭의 값 type: float ``` ### Zeek.Tunnel Zeek의 tunnel.log의 목적은 캡슐화된 트래픽을 식별하는 것입니다. 참조: [tunnel.log](https://docs.zeek.org/en/master/logs/tunnel.html) ```yaml schema: Zeek.Tunnel description: Zeek의 tunnel.log의 목적은 캡슐화된 트래픽을 식별하는 것입니다. referenceURL: https://docs.zeek.org/en/master/logs/tunnel.html fields: - 이름: 동작 required: true type: string - name: id.orig_h required: true type: string indicators: - ip - name: id.orig_p required: true type: bigint - name: id.resp_h required: true type: string indicators: - ip - name: id.resp_p required: true type: bigint - name: ts required: true type: timestamp timeFormats: - unix isEventTime: true - name: tunnel_type required: true type: string ``` ### Zeek.Weird 참조: [weird.log](https://docs.zeek.org/en/master/logs/weird-and-notice.html) ```yaml schema: Zeek.Weird description: Zeek Weird 활동 referenceURL: https://docs.zeek.org/en/master/logs/weird-and-notice.html fields: - name: source type: string - name: id.orig_h required: true type: string indicators: - ip - name: id.orig_p required: true type: bigint - name: id.resp_h required: true type: string indicators: - ip - name: id.resp_p required: true type: bigint - 이름: name required: true type: string - name: notice required: true type: boolean - name: peer required: true type: string - name: ts required: true type: timestamp timeFormats: - unix isEventTime: true - 이름: uid required: true type: string indicators: - trace_id ``` ### Zeek.X509 참조: [x509.log](https://docs.zeek.org/en/master/logs/x509.html) ```yaml schema: Zeek.X509 description: Zeek X509 referenceURL: https://docs.zeek.org/en/master/logs/x509.html fields: - name: certificate.curve type: string - name: certificate.exponent type: bigint - name: basic_constraints.ca required: true type: boolean - name: certificate.issuer required: true type: string - name: certificate.key_alg required: true type: string - name: certificate.key_length required: true type: bigint - name: certificate.key_type required: true type: string - name: certificate.not_valid_after required: true type: timestamp timeFormats: - unix - name: certificate.not_valid_before required: true type: timestamp timeFormats: - unix - name: certificate.serial required: true type: string - name: certificate.sig_alg required: true type: string - name: certificate.subject required: true type: string - name: certificate.version required: true type: string - name: client_cert required: true type: boolean - name: fingerprint required: true type: string - name: host_cert required: true type: boolean - name: san.dns required: true type: array element: type: string - name: ts required: true type: timestamp timeFormats: - unix isEventTime: true ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.panther.com/ko/data-onboarding/supported-logs/zeek.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.