> conn.log and known_services.log have a field named "service":
> sometimes this field is empty in conn.log but in known_services.log is
> not…Why?

It’s due to what is actually being logged in both of those logs.  conn.log has information per-connection so you can imagine that someone might connect to a host and not actually speak the protocol that the server speaks and we don’t detect any protocol.  known_services.log is generally trying to figure out what protocol a host-port pair speaks and logs that.  If no protocol is detected, we try to delay logging the fact that the port is held open in the hopes that a better connection will happen later.

