Why are there some logs in files.log that do not contain the sha1 or md5 value?
For example:
Jun 8 11:32:39 127.0.0.1 bro_files: 1496910758.272740|FIMpTB242jcRsKCCYj|x.x.x.x|x.x.x.x|CAuOUv3lwBwigjH7mk|SMB|0|MD5,SHA1|-|test\test111\bro\go.pdf|0.021820|F|F|581600|1040352|458752|65536|F|-|-|-|-|-
Your file had a content gap (458752 bytes missing). Since the file was transferred over SMB, it’s very possible that only part of the file was actually transferred due to offset reads or writes. It’s one of the downsides of monitoring file system protocols since it’s very common for software to only read or write a portion of a file after seeking. The reason that no hashes are provided in that case is that the hash wouldn’t mean anything since it would just be a hash of some fairly arbitrary portion of the file.
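One way to triage such entries, as an added example that is not part of the original reply: it parses the quoted line and separates records that requested MD5/SHA1 but logged no hash because bytes were missing from those that never had a hash analyzer attached. The column order is an assumption (the default Bro files.log layout, which matches the 23 values in the quoted line), and the function names and status strings are hypothetical.

```python
# Added example. Column order is an assumption: the default Bro files.log layout,
# which matches the 23 pipe-separated values in the log line quoted above.
FIELDS = ("ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type "
          "filename duration local_orig is_orig seen_bytes total_bytes "
          "missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 "
          "extracted").split()
HASH_FIELDS = ("md5", "sha1", "sha256")

# The log line from the question, unchanged.
SAMPLE = r"Jun 8 11:32:39 127.0.0.1 bro_files: 1496910758.272740|FIMpTB242jcRsKCCYj|x.x.x.x|x.x.x.x|CAuOUv3lwBwigjH7mk|SMB|0|MD5,SHA1|-|test\test111\bro\go.pdf|0.021820|F|F|581600|1040352|458752|65536|F|-|-|-|-|-"


def parse_files_line(line):
    """Drop the syslog prefix (if any) and map values to field names."""
    payload = line.partition("bro_files: ")[2] or line
    values = payload.strip().split("|")
    if len(values) != len(FIELDS):
        # A '|' inside a filename would also land here; refuse to guess.
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    return dict(zip(FIELDS, values))


def count(rec, name):
    """Byte counters use '-' for unset; treat that as 0."""
    return 0 if rec[name] == "-" else int(rec[name])


def hash_status(rec):
    """Classify why a record does or does not carry a hash."""
    if any(rec[h] != "-" for h in HASH_FIELDS):
        return "hashed"
    wanted = {a.lower() for a in rec["analyzers"].split(",")} & set(HASH_FIELDS)
    if not wanted:
        return "no-hash-analyzer"
    if count(rec, "missing_bytes") > 0:
        return "content-gap"  # only part of the file was seen, so no hash is logged
    return "unhashed-other"


def coverage(rec):
    """Fraction of the file's bytes that were actually seen (None if unknown)."""
    total = count(rec, "total_bytes")
    return count(rec, "seen_bytes") / total if total else None


if __name__ == "__main__":
    rec = parse_files_line(SAMPLE)
    print(rec["filename"], hash_status(rec), f"{coverage(rec):.1%} seen")
```

For the quoted line, seen_bytes plus missing_bytes equals total_bytes, so roughly 56% of go.pdf crossed the wire in this transfer.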