diff --git a/CMakeLists.txt b/CMakeLists.txt
index e6d3ed2d88..1c43720d18 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -547,14 +547,17 @@ else ()
 endif ()
 
 if ( NOT DISABLE_SPICY )
+    set(USE_SPICY_ANALYZERS yes)
+
     if ( NOT SPICY_ROOT_DIR )
+        set(HAVE_SPICY yes) # evaluated by Spicy plugin build
+
         add_subdirectory(auxil/spicy)
 
         # Set variables used by the spicy-plugin build since we are building Spicy
         # as part of Zeek so spicy-plugin cannot use `spicy-config` at configure
         # time to set these.
         set(SPICY_CONFIG "<builtin>")
-        set(HAVE_SPICY "YES")
         set(SPICY_HAVE_TOOLCHAIN "YES")
         set(SPICY_INCLUDE_DIRS_RUNTIME
             ${PROJECT_SOURCE_DIR}/auxil/spicy/spicy/hilti/runtime/include
@@ -564,6 +567,10 @@ if ( NOT DISABLE_SPICY )
             ${PROJECT_SOURCE_DIR}/auxil/spicy/spicy/hilti/toolchain/include
             ${PROJECT_SOURCE_DIR}/auxil/spicy/spicy/spicy/toolchain/include)
         set(SPICY_LIBRARY spicy)
+        set(HILTI_LIBRARY_RT hilti-rt)
+        set(HILTI_LIBRARY_RT_DEBUG hilti-rt-debug)
+        set(SPICY_LIBRARY_RT spicy-rt)
+        set(SPICY_LIBRARY_RT_DEBUG spicy-rt-debug)
 
         # Needed only for logging from CMake configure phase.
         get_directory_property(
@@ -586,12 +593,20 @@ if ( NOT DISABLE_SPICY )
     endif ()
 
     if ( NOT SPICY_PLUGIN_PATH )
+        set(_spicy_plugin "included")
         set(SPICY_PLUGIN_PATH ${CMAKE_SOURCE_DIR}/auxil/spicy-plugin)
     endif ()
 
+    set(SPICY_PLUGIN_BINARY_PATH ${CMAKE_BINARY_DIR}/src/builtin-plugins/spicy-plugin)
     string(APPEND ZEEK_INCLUDE_PLUGINS ";${SPICY_PLUGIN_PATH}")
+else ()
+    set(HAVE_SPICY no) # evaluated by Spicy plugin build
+    set(USE_SPICY_ANALYZERS no)
 endif ()
 
+set(USE_SPICY_ANALYZERS "${USE_SPICY_ANALYZERS}" CACHE BOOL "Use built-in Spicy analyzers")
+include(BuiltInSpicyAnalyzer)
+
 include_directories(BEFORE
                     ${PCAP_INCLUDE_DIR}
                     ${BIND_INCLUDE_DIR}
@@ -866,26 +881,6 @@ if ( NOT DISABLE_SPICY )
     add_dependencies(zeek spicyz)
 
     if ( NOT SPICY_ROOT_DIR )
-        list(APPEND _spicy_rt_libs spicy-rt hilti-rt)
-
-        # Use the debug runtime libraries if we are building a debug Zeek.
-        if ( SPICY_BUILD_MODE STREQUAL "Debug" )
-            list(TRANSFORM _spicy_rt_libs APPEND "-debug")
-        endif ()
-
-        # If we build spicy-plugin into Zeek we also need to build the Spicy
-        # runtime dependencies into Zeek. Since no matter how Spicy itself was
-        # linked this is always a static library, link the object files so we
-        # get all symbols and can resolve all potential dependencies of
-        # HLTO files at runtime.
-        #
-        # TODO(bbannier): Conceptually cleaner would be linking the runtime
-        # objects into spicy-plugin and then inherit that up to zeek, but it
-        # seems this does not work reliable (due incomplete support for object
-        # libraries in CMake?).
-        list(TRANSFORM _spicy_rt_libs APPEND "-objects")
-        target_link_libraries(zeek ${_spicy_rt_libs})
-
         # Make sure we build targets of spicy-plugin after the `spicy` target.
         add_dependencies(plugin-Zeek-Spicy spicy)
         add_dependencies(spicyz spicy)
@@ -959,6 +954,33 @@ if ( GEN_ZAM_EXE_PATH )
     set(_gen_zam_exe_path ${GEN_ZAM_EXE_PATH})
 endif ()
 
+set(_spicy "included")
+if ( DISABLE_SPICY )
+    set(_spicy "disabled")
+elseif ( SPICY_ROOT_DIR )
+    set(_spicy "external (${SPICY_ROOT_DIR})")
+endif ()
+
+if ( DISABLE_SPICY )
+    set(_spicy_plugin "disabled")
+elseif ( "${_spicy_plugin}" STREQUAL "" )
+    set(_spicy_plugin "external (${SPICY_PLUGIN_PATH})")
+endif ()
+
+if ( ZEEK_LEGACY_ANALYZERS )
+    list(JOIN ZEEK_LEGACY_ANALYZERS ", " _legacy_analyzers)
+    set(_legacy_analyzers  "\n          - Using unmaintained legacy analyzers for: ${_legacy_analyzers}")
+endif ()
+
+if ( ZEEK_SKIPPED_ANALYZERS )
+    list(JOIN ZEEK_SKIPPED_ANALYZERS ", " _skipped_analyzers)
+    set(_skipped_analyzers "\n          - Skipping analyzers: ${_skipped_analyzers}")
+endif ()
+
+if ( ZEEK_LEGACY_ANALYZERS OR ZEEK_SKIPPED_ANALYZERS )
+    set(_analyzer_warning "\n\n[Warning] Some analyzers are not available due to lack of Spicy:${_legacy_analyzers}${_skipped_analyzers}")
+endif ()
+
 message(
     "\n====================|  Zeek Build Summary  |===================="
     "\n"
@@ -993,6 +1015,9 @@ message(
     "\nBTest tooling:     ${_install_btest_tools_msg}"
     "\nGen-ZAM:           ${_gen_zam_exe_path}"
     "\nzkg:               ${INSTALL_ZKG}"
+    "\nSpicy:             ${_spicy}"
+    "\nSpicy plugin:      ${_spicy_plugin}"
+    "\nSpicy analyzers:   ${USE_SPICY_ANALYZERS}"
     "\n"
     "\nlibmaxminddb:      ${USE_GEOIP}"
     "\nKerberos:          ${USE_KRB5}"
@@ -1003,6 +1028,7 @@ message(
     "\n"
     "\nFuzz Targets:      ${ZEEK_ENABLE_FUZZERS}"
     "\nFuzz Engine:       ${ZEEK_FUZZING_ENGINE}"
+    "${_analyzer_warning}"
     "\n"
     "\n================================================================\n"
 )
diff --git a/auxil/spicy-plugin b/auxil/spicy-plugin
index 9480a7dc8f..bd5a32f5c7 160000
--- a/auxil/spicy-plugin
+++ b/auxil/spicy-plugin
@@ -1 +1 @@
-Subproject commit 9480a7dc8f9049c46f42069b415e1c18a44aa51b
+Subproject commit bd5a32f5c78e1cc1d60b8f010797fe3fb5a6c3aa
diff --git a/auxil/spicy/spicy b/auxil/spicy/spicy
index 8c5f9466c5..1e074f8db5 160000
--- a/auxil/spicy/spicy
+++ b/auxil/spicy/spicy
@@ -1 +1 @@
-Subproject commit 8c5f9466c5f87a237451438af82dbb8dcf743d5d
+Subproject commit 1e074f8db5f2ccc4a946f66634410bcc7d94dcef
diff --git a/cmake b/cmake
index f69e08247e..9f05362a5c 160000
--- a/cmake
+++ b/cmake
@@ -1 +1 @@
-Subproject commit f69e08247ed4d7e36258157df6328bad3c81269d
+Subproject commit 9f05362a5c33ed11dab37d2dedf74206d59d8f6d
diff --git a/scripts/base/init-default.zeek b/scripts/base/init-default.zeek
index 2c628b958e..5a11969e4e 100644
--- a/scripts/base/init-default.zeek
+++ b/scripts/base/init-default.zeek
@@ -49,6 +49,7 @@
 @load base/protocols/dhcp
 @load base/protocols/dnp3
 @load base/protocols/dns
+@load base/protocols/finger
 @load base/protocols/ftp
 @load base/protocols/http
 @load base/protocols/imap
diff --git a/scripts/base/protocols/finger/__load__.zeek b/scripts/base/protocols/finger/__load__.zeek
new file mode 100644
index 0000000000..7d68518851
--- /dev/null
+++ b/scripts/base/protocols/finger/__load__.zeek
@@ -0,0 +1,2 @@
+@load ./spicy-events
+@load ./main
diff --git a/scripts/base/protocols/finger/main.zeek b/scripts/base/protocols/finger/main.zeek
new file mode 100644
index 0000000000..8f8842418f
--- /dev/null
+++ b/scripts/base/protocols/finger/main.zeek
@@ -0,0 +1,14 @@
+##! Implements base functionality for Finger analysis. We currently do not generate
+##! a log file, but just configure the analyzer.
+
+module Finger;
+
+export {
+	const ports = { 79/tcp };
+	redef likely_server_ports += { ports };
+}
+
+event zeek_init() &priority=5
+	{
+	Analyzer::register_for_ports(Analyzer::ANALYZER_FINGER, ports);
+	}
diff --git a/scripts/base/protocols/finger/spicy-events.zeek b/scripts/base/protocols/finger/spicy-events.zeek
new file mode 100644
index 0000000000..0e956683e5
--- /dev/null
+++ b/scripts/base/protocols/finger/spicy-events.zeek
@@ -0,0 +1,33 @@
+##! Events generated by the Finger analyzer.
+
+@ifdef ( Spicy::available ) # must not be used with legacy analyzer
+
+## Generated for Finger requests.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Finger_protocol>`__ for more
+## information about the Finger protocol.
+##
+## c: The connection.
+##
+## full: True if verbose information is requested (``/W`` switch).
+##
+## username: The request's user name.
+##
+## hostname: The request's host name.
+##
+## .. zeek:see:: finger_reply
+global finger_request: event(c: connection, full: bool, username: string, hostname: string);
+
+## Generated for Finger replies.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Finger_protocol>`__ for more
+## information about the Finger protocol.
+##
+## c: The connection.
+##
+## reply_line: The reply as returned by the server
+##
+## .. zeek:see:: finger_request
+global finger_reply: event(c: connection, reply_line: string);
+
+@endif
diff --git a/scripts/base/protocols/syslog/__load__.zeek b/scripts/base/protocols/syslog/__load__.zeek
index 0098b81a7a..2dd0f53bf8 100644
--- a/scripts/base/protocols/syslog/__load__.zeek
+++ b/scripts/base/protocols/syslog/__load__.zeek
@@ -1,2 +1,3 @@
+@load ./spicy-events
 @load ./consts
-@load ./main
\ No newline at end of file
+@load ./main
diff --git a/scripts/base/protocols/syslog/spicy-events.zeek b/scripts/base/protocols/syslog/spicy-events.zeek
new file mode 100644
index 0000000000..060a481688
--- /dev/null
+++ b/scripts/base/protocols/syslog/spicy-events.zeek
@@ -0,0 +1,21 @@
+##! Events generated by the Syslog analyzer.
+
+@ifdef ( Spicy::available ) # must not be used with legacy analyzer
+
+## Generated for monitored Syslog messages.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Syslog>`__ for more
+## information about the Syslog protocol.
+##
+## c: The connection record for the underlying transport-layer session/flow.
+##
+## facility: The "facility" included in the message.
+##
+## severity: The "severity" included in the message.
+##
+## msg: The message logged.
+##
+## .. note:: Zeek currently parses only UDP syslog traffic.
+global syslog_message: event(c: connection, facility: count, severity: count, msg: string);
+
+@endif
diff --git a/src/analyzer/protocol/finger/CMakeLists.txt b/src/analyzer/protocol/finger/CMakeLists.txt
index e89f268a8a..056a5f93e2 100644
--- a/src/analyzer/protocol/finger/CMakeLists.txt
+++ b/src/analyzer/protocol/finger/CMakeLists.txt
@@ -1,9 +1,9 @@
-
-include(ZeekPlugin)
-
-include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
-
-zeek_plugin_begin(Zeek Finger)
-zeek_plugin_cc(Finger.cc Plugin.cc)
-zeek_plugin_bif(events.bif)
-zeek_plugin_end()
+spicy_add_analyzer(
+  NAME
+    Finger
+  SOURCES
+    finger.spicy
+    finger.evt
+  LEGACY
+    legacy
+)
diff --git a/src/analyzer/protocol/finger/finger.evt b/src/analyzer/protocol/finger/finger.evt
new file mode 100644
index 0000000000..49c8199b4c
--- /dev/null
+++ b/src/analyzer/protocol/finger/finger.evt
@@ -0,0 +1,10 @@
+# Copyright (c) 2022 by the Zeek Project. See LICENSE for details.
+
+protocol analyzer Finger over TCP:
+    parse originator with Finger::Request,
+    parse responder with Finger::Reply;
+
+import Finger;
+
+on Finger::Request -> event finger_request($conn, self.whois, self.user, self.host);
+on Finger::ReplyLine if ( |self.data| != 0 ) -> event finger_reply($conn, self.data);
diff --git a/src/analyzer/protocol/finger/finger.spicy b/src/analyzer/protocol/finger/finger.spicy
new file mode 100644
index 0000000000..dd07dbb7c3
--- /dev/null
+++ b/src/analyzer/protocol/finger/finger.spicy
@@ -0,0 +1,54 @@
+# Copyright (c) 2022 by the Zeek Project. See LICENSE for details.
+#
+# Giving the rare number of instances of this protocol these days, we err on the side of
+# rejecting sessions if they don't parse well.
+
+module Finger;
+
+import spicy;
+
+const OptionalWhiteSpace = /[ \t]*/;
+const NewLine    = /\r?\n/;
+
+public type Request  = unit {
+    : OptionalWhiteSpace;
+
+    switch {
+        -> : /\/W/ { self.whois = True; }
+        -> void;
+    };
+
+    : OptionalWhiteSpace;
+
+    arg: /[^\r\n]*/ &convert=$$.strip().split1(b"@") {
+        # We require valid UTF-8 to weed out binary data.
+        self.user = self.arg[0].decode();
+
+        if ( |self.arg[1]| > 0 )
+            self.host = self.arg[1].decode();
+    }
+
+    on %done  {
+        if ( |self.arg[0]| > 0 || self.whois )
+            spicy::accept_input();
+    }
+
+    var user: string;
+    var host: string;
+    var whois: bool = False;
+};
+
+type ReplyLine = unit {
+    data: /[^\r\n]*/ &convert=$$.decode(); # Require valid UTF-8 here as well.
+    : NewLine;
+
+    on %done {
+        if ( |self.data| > 10 )
+            # Require some non-trivial output to accept.
+            spicy::accept_input();
+    }
+};
+
+public type Reply  = unit {
+    : ReplyLine[];
+};
diff --git a/src/analyzer/protocol/finger/legacy/CMakeLists.txt b/src/analyzer/protocol/finger/legacy/CMakeLists.txt
new file mode 100644
index 0000000000..e89f268a8a
--- /dev/null
+++ b/src/analyzer/protocol/finger/legacy/CMakeLists.txt
@@ -0,0 +1,9 @@
+
+include(ZeekPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+zeek_plugin_begin(Zeek Finger)
+zeek_plugin_cc(Finger.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_end()
diff --git a/src/analyzer/protocol/finger/Finger.cc b/src/analyzer/protocol/finger/legacy/Finger.cc
similarity index 95%
rename from src/analyzer/protocol/finger/Finger.cc
rename to src/analyzer/protocol/finger/legacy/Finger.cc
index f0306fd174..44138d9fde 100644
--- a/src/analyzer/protocol/finger/Finger.cc
+++ b/src/analyzer/protocol/finger/legacy/Finger.cc
@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "zeek/analyzer/protocol/finger/Finger.h"
+#include "zeek/analyzer/protocol/finger/legacy/Finger.h"
 
 #include "zeek/zeek-config.h"
 
@@ -8,7 +8,7 @@
 
 #include "zeek/Event.h"
 #include "zeek/NetVar.h"
-#include "zeek/analyzer/protocol/finger/events.bif.h"
+#include "zeek/analyzer/protocol/finger/legacy/events.bif.h"
 #include "zeek/analyzer/protocol/tcp/ContentLine.h"
 
 namespace zeek::analyzer::finger
diff --git a/src/analyzer/protocol/finger/Finger.h b/src/analyzer/protocol/finger/legacy/Finger.h
similarity index 100%
rename from src/analyzer/protocol/finger/Finger.h
rename to src/analyzer/protocol/finger/legacy/Finger.h
diff --git a/src/analyzer/protocol/finger/Plugin.cc b/src/analyzer/protocol/finger/legacy/Plugin.cc
similarity index 91%
rename from src/analyzer/protocol/finger/Plugin.cc
rename to src/analyzer/protocol/finger/legacy/Plugin.cc
index b4ec617568..6398b4729d 100644
--- a/src/analyzer/protocol/finger/Plugin.cc
+++ b/src/analyzer/protocol/finger/legacy/Plugin.cc
@@ -3,7 +3,7 @@
 #include "zeek/plugin/Plugin.h"
 
 #include "zeek/analyzer/Component.h"
-#include "zeek/analyzer/protocol/finger/Finger.h"
+#include "zeek/analyzer/protocol/finger/legacy/Finger.h"
 
 namespace zeek::plugin::detail::Zeek_Finger
 	{
diff --git a/src/analyzer/protocol/finger/events.bif b/src/analyzer/protocol/finger/legacy/events.bif
similarity index 100%
rename from src/analyzer/protocol/finger/events.bif
rename to src/analyzer/protocol/finger/legacy/events.bif
diff --git a/src/analyzer/protocol/syslog/CMakeLists.txt b/src/analyzer/protocol/syslog/CMakeLists.txt
index 5e1fca87ad..c80aefeb32 100644
--- a/src/analyzer/protocol/syslog/CMakeLists.txt
+++ b/src/analyzer/protocol/syslog/CMakeLists.txt
@@ -1,10 +1,9 @@
-
-include(ZeekPlugin)
-
-include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
-
-zeek_plugin_begin(Zeek Syslog)
-zeek_plugin_cc(Syslog.cc Plugin.cc)
-zeek_plugin_bif(events.bif)
-zeek_plugin_pac(syslog.pac syslog-analyzer.pac syslog-protocol.pac)
-zeek_plugin_end()
+spicy_add_analyzer(
+  NAME
+    Syslog
+  SOURCES
+    syslog.spicy
+    syslog.evt
+  LEGACY
+    legacy
+)
diff --git a/src/analyzer/protocol/syslog/legacy/CMakeLists.txt b/src/analyzer/protocol/syslog/legacy/CMakeLists.txt
new file mode 100644
index 0000000000..5e1fca87ad
--- /dev/null
+++ b/src/analyzer/protocol/syslog/legacy/CMakeLists.txt
@@ -0,0 +1,10 @@
+
+include(ZeekPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+zeek_plugin_begin(Zeek Syslog)
+zeek_plugin_cc(Syslog.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_pac(syslog.pac syslog-analyzer.pac syslog-protocol.pac)
+zeek_plugin_end()
diff --git a/src/analyzer/protocol/syslog/Plugin.cc b/src/analyzer/protocol/syslog/legacy/Plugin.cc
similarity index 91%
rename from src/analyzer/protocol/syslog/Plugin.cc
rename to src/analyzer/protocol/syslog/legacy/Plugin.cc
index 8cb8c5b572..1bbcbc5893 100644
--- a/src/analyzer/protocol/syslog/Plugin.cc
+++ b/src/analyzer/protocol/syslog/legacy/Plugin.cc
@@ -3,7 +3,7 @@
 #include "zeek/plugin/Plugin.h"
 
 #include "zeek/analyzer/Component.h"
-#include "zeek/analyzer/protocol/syslog/Syslog.h"
+#include "zeek/analyzer/protocol/syslog/legacy/Syslog.h"
 
 namespace zeek::plugin::detail::Zeek_Syslog
 	{
diff --git a/src/analyzer/protocol/syslog/Syslog.cc b/src/analyzer/protocol/syslog/legacy/Syslog.cc
similarity index 95%
rename from src/analyzer/protocol/syslog/Syslog.cc
rename to src/analyzer/protocol/syslog/legacy/Syslog.cc
index 8dfd5ab52c..26ba71eecd 100644
--- a/src/analyzer/protocol/syslog/Syslog.cc
+++ b/src/analyzer/protocol/syslog/legacy/Syslog.cc
@@ -1,6 +1,6 @@
-#include "zeek/analyzer/protocol/syslog/Syslog.h"
+#include "zeek/analyzer/protocol/syslog/legacy/Syslog.h"
 
-#include "zeek/analyzer/protocol/syslog/events.bif.h"
+#include "zeek/analyzer/protocol/syslog/legacy/events.bif.h"
 #include "zeek/analyzer/protocol/tcp/TCP_Reassembler.h"
 
 namespace zeek::analyzer::syslog
diff --git a/src/analyzer/protocol/syslog/Syslog.h b/src/analyzer/protocol/syslog/legacy/Syslog.h
similarity index 95%
rename from src/analyzer/protocol/syslog/Syslog.h
rename to src/analyzer/protocol/syslog/legacy/Syslog.h
index db6b078525..f01fe56007 100644
--- a/src/analyzer/protocol/syslog/Syslog.h
+++ b/src/analyzer/protocol/syslog/legacy/Syslog.h
@@ -2,7 +2,7 @@
 
 #include "zeek/analyzer/protocol/tcp/TCP.h"
 
-#include "analyzer/protocol/syslog/syslog_pac.h"
+#include "analyzer/protocol/syslog/legacy/syslog_pac.h"
 
 namespace zeek::analyzer::syslog
 	{
diff --git a/src/analyzer/protocol/syslog/events.bif b/src/analyzer/protocol/syslog/legacy/events.bif
similarity index 100%
rename from src/analyzer/protocol/syslog/events.bif
rename to src/analyzer/protocol/syslog/legacy/events.bif
diff --git a/src/analyzer/protocol/syslog/syslog-analyzer.pac b/src/analyzer/protocol/syslog/legacy/syslog-analyzer.pac
similarity index 100%
rename from src/analyzer/protocol/syslog/syslog-analyzer.pac
rename to src/analyzer/protocol/syslog/legacy/syslog-analyzer.pac
diff --git a/src/analyzer/protocol/syslog/syslog-protocol.pac b/src/analyzer/protocol/syslog/legacy/syslog-protocol.pac
similarity index 100%
rename from src/analyzer/protocol/syslog/syslog-protocol.pac
rename to src/analyzer/protocol/syslog/legacy/syslog-protocol.pac
diff --git a/src/analyzer/protocol/syslog/syslog.pac b/src/analyzer/protocol/syslog/legacy/syslog.pac
similarity index 75%
rename from src/analyzer/protocol/syslog/syslog.pac
rename to src/analyzer/protocol/syslog/legacy/syslog.pac
index 4a5dfe2ede..159c6d6dd4 100644
--- a/src/analyzer/protocol/syslog/syslog.pac
+++ b/src/analyzer/protocol/syslog/legacy/syslog.pac
@@ -3,7 +3,7 @@
 %include zeek.pac
 
 %extern{
-#include "zeek/analyzer/protocol/syslog/events.bif.h"
+#include "zeek/analyzer/protocol/syslog/legacy/events.bif.h"
 %}
 
 analyzer Syslog withcontext {
diff --git a/src/analyzer/protocol/syslog/syslog.evt b/src/analyzer/protocol/syslog/syslog.evt
new file mode 100644
index 0000000000..22120ba8d4
--- /dev/null
+++ b/src/analyzer/protocol/syslog/syslog.evt
@@ -0,0 +1,8 @@
+# Copyright (c) 2022 by the Zeek Project. See LICENSE for details.
+
+protocol analyzer Syslog over UDP:
+    parse with Syslog::Message;
+
+import Syslog;
+
+on Syslog::Message -> event syslog_message($conn, self.facility, self.severity, self.msg);
diff --git a/src/analyzer/protocol/syslog/syslog.spicy b/src/analyzer/protocol/syslog/syslog.spicy
new file mode 100644
index 0000000000..fd4c845870
--- /dev/null
+++ b/src/analyzer/protocol/syslog/syslog.spicy
@@ -0,0 +1,32 @@
+# Copyright (c) 2022 by the Zeek Project. See LICENSE for details.
+
+module Syslog;
+
+import spicy;
+
+public type Message = unit {
+    switch {
+        -> prio: Priority;
+        -> void;
+    };
+
+    msg: bytes &eod;
+
+    on %done {
+        spicy::accept_input();
+
+        if ( self?.prio ) {
+            self.severity = (self.prio.value & 0x07);
+            self.facility = (self.prio.value & 0x03f8) >> 3;
+        }
+    }
+
+    var severity: uint64 = 999; # default per legacy analyzer
+    var facility: uint64 = 999; # default per legacy analyzer
+};
+
+type Priority = unit {
+    : b"<";
+    value: /[[:digit:]]+/ &convert=$$.to_uint();
+    : b">";
+};
diff --git a/testing/btest/Baseline/core.print-bpf-filters/output2 b/testing/btest/Baseline/core.print-bpf-filters/output2
index e5e7f829be..939abe6f39 100644
--- a/testing/btest/Baseline/core.print-bpf-filters/output2
+++ b/testing/btest/Baseline/core.print-bpf-filters/output2
@@ -48,6 +48,7 @@
 1 6669
 1 67
 1 68
+1 79
 1 80
 1 8000
 1 8080
@@ -59,8 +60,8 @@
 1 992
 1 993
 1 995
-66 and
-65 or
-66 port
-43 tcp
+67 and
+66 or
+67 port
+44 tcp
 23 udp
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
index bb6062a732..a17f305bf9 100644
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
@@ -151,7 +151,6 @@ scripts/base/init-frameworks-and-bifs.zeek
     build/scripts/base/bif/plugins/Zeek_DNP3.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_DNS.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_File.events.bif.zeek
-    build/scripts/base/bif/plugins/Zeek_Finger.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_FTP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_FTP.functions.bif.zeek
     build/scripts/base/bif/plugins/Zeek_Gnutella.events.bif.zeek
@@ -227,7 +226,6 @@ scripts/base/init-frameworks-and-bifs.zeek
     build/scripts/base/bif/plugins/Zeek_SSL.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_SSL.functions.bif.zeek
     build/scripts/base/bif/plugins/Zeek_SSL.consts.bif.zeek
-    build/scripts/base/bif/plugins/Zeek_Syslog.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_TCP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_TCP.types.bif.zeek
     build/scripts/base/bif/plugins/Zeek_TCP.functions.bif.zeek
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
index 2724600cd8..c69a7110bb 100644
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@@ -151,7 +151,6 @@ scripts/base/init-frameworks-and-bifs.zeek
     build/scripts/base/bif/plugins/Zeek_DNP3.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_DNS.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_File.events.bif.zeek
-    build/scripts/base/bif/plugins/Zeek_Finger.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_FTP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_FTP.functions.bif.zeek
     build/scripts/base/bif/plugins/Zeek_Gnutella.events.bif.zeek
@@ -227,7 +226,6 @@ scripts/base/init-frameworks-and-bifs.zeek
     build/scripts/base/bif/plugins/Zeek_SSL.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_SSL.functions.bif.zeek
     build/scripts/base/bif/plugins/Zeek_SSL.consts.bif.zeek
-    build/scripts/base/bif/plugins/Zeek_Syslog.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_TCP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_TCP.types.bif.zeek
     build/scripts/base/bif/plugins/Zeek_TCP.functions.bif.zeek
@@ -359,6 +357,9 @@ scripts/base/init-default.zeek
   scripts/base/protocols/dns/__load__.zeek
     scripts/base/protocols/dns/consts.zeek
     scripts/base/protocols/dns/main.zeek
+  scripts/base/protocols/finger/__load__.zeek
+    scripts/base/protocols/finger/spicy-events.zeek
+    scripts/base/protocols/finger/main.zeek
   scripts/base/protocols/ftp/__load__.zeek
     scripts/base/protocols/ftp/utils-commands.zeek
     scripts/base/protocols/ftp/info.zeek
@@ -438,6 +439,7 @@ scripts/base/init-default.zeek
   scripts/base/protocols/ssh/__load__.zeek
     scripts/base/protocols/ssh/main.zeek
   scripts/base/protocols/syslog/__load__.zeek
+    scripts/base/protocols/syslog/spicy-events.zeek
     scripts/base/protocols/syslog/consts.zeek
     scripts/base/protocols/syslog/main.zeek
   scripts/base/protocols/tunnels/__load__.zeek
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index 3ab46934ae..16854bc82e 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -12,6 +12,7 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DNS, 5353/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DNS, 5355/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DTLS, 443/udp)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_FINGER, 79/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 21/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 2811/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 1080/tcp)) -> <no result>
@@ -73,6 +74,7 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_DNS, 5353/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_DNS, 5355/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_DTLS, 443/udp)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_FINGER, 79/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 21/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 2811/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 1080/tcp)) -> <no result>
@@ -126,6 +128,7 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DNP3_TCP, {20000<...>/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DNS, {5353<...>/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DTLS, {443/udp})) -> <no result>
+0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_FINGER, {79/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_FTP, {2811<...>/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_HTTP, {80<...>/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_IMAP, {143/tcp})) -> <no result>
@@ -807,7 +810,6 @@
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_FileExtract.events.bif.zeek, <...>/Zeek_FileExtract.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_FileExtract.functions.bif.zeek, <...>/Zeek_FileExtract.functions.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_FileHash.events.bif.zeek, <...>/Zeek_FileHash.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_Finger.events.bif.zeek, <...>/Zeek_Finger.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_GSSAPI.events.bif.zeek, <...>/Zeek_GSSAPI.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_GTPv1.events.bif.zeek, <...>/Zeek_GTPv1.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_GTPv1.functions.bif.zeek, <...>/Zeek_GTPv1.functions.bif.zeek) -> -1
@@ -895,7 +897,6 @@
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_Spicy.consts.bif.zeek, <...>/Zeek_Spicy.consts.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_Spicy.events.bif.zeek, <...>/Zeek_Spicy.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_Spicy.functions.bif.zeek, <...>/Zeek_Spicy.functions.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_Syslog.events.bif.zeek, <...>/Zeek_Syslog.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_TCP.events.bif.zeek, <...>/Zeek_TCP.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek) -> -1
@@ -977,6 +978,7 @@
 0.000000   MetaHookPost  LoadFile(0, ./site, <...>/site.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./smb1-main, <...>/smb1-main.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./smb2-main, <...>/smb2-main.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, ./spicy-events, <...>/spicy-events.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./stats.bif.zeek, <...>/stats.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./std-dev, <...>/std-dev.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./store, <...>/store.zeek) -> -1
@@ -1058,6 +1060,7 @@
 0.000000   MetaHookPost  LoadFile(0, base<...>/files, <...>/files.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/find-checksum-offloading, <...>/find-checksum-offloading.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/find-filtered-trace, <...>/find-filtered-trace.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, base<...>/finger, <...>/finger) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/ftp, <...>/ftp) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/geneve, <...>/geneve) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/geoip-distance, <...>/geoip-distance.zeek) -> -1
@@ -1194,7 +1197,6 @@
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_FileExtract.events.bif.zeek, <...>/Zeek_FileExtract.events.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_FileExtract.functions.bif.zeek, <...>/Zeek_FileExtract.functions.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_FileHash.events.bif.zeek, <...>/Zeek_FileHash.events.bif.zeek) -> (-1, <no content>)
-0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Finger.events.bif.zeek, <...>/Zeek_Finger.events.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_GSSAPI.events.bif.zeek, <...>/Zeek_GSSAPI.events.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_GTPv1.events.bif.zeek, <...>/Zeek_GTPv1.events.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_GTPv1.functions.bif.zeek, <...>/Zeek_GTPv1.functions.bif.zeek) -> (-1, <no content>)
@@ -1282,7 +1284,6 @@
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Spicy.consts.bif.zeek, <...>/Zeek_Spicy.consts.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Spicy.events.bif.zeek, <...>/Zeek_Spicy.events.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Spicy.functions.bif.zeek, <...>/Zeek_Spicy.functions.bif.zeek) -> (-1, <no content>)
-0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Syslog.events.bif.zeek, <...>/Zeek_Syslog.events.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_TCP.events.bif.zeek, <...>/Zeek_TCP.events.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek) -> (-1, <no content>)
@@ -1364,6 +1365,7 @@
 0.000000   MetaHookPost  LoadFileExtended(0, ./site, <...>/site.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./smb1-main, <...>/smb1-main.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./smb2-main, <...>/smb2-main.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./spicy-events, <...>/spicy-events.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./stats.bif.zeek, <...>/stats.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./std-dev, <...>/std-dev.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./store, <...>/store.zeek) -> (-1, <no content>)
@@ -1445,6 +1447,7 @@
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/files, <...>/files.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/find-checksum-offloading, <...>/find-checksum-offloading.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/find-filtered-trace, <...>/find-filtered-trace.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/finger, <...>/finger) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/ftp, <...>/ftp) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/geneve, <...>/geneve) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/geoip-distance, <...>/geoip-distance.zeek) -> (-1, <no content>)
@@ -1573,6 +1576,7 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DNS, 5353/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DNS, 5355/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DTLS, 443/udp))
+0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_FINGER, 79/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 21/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 2811/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 1080/tcp))
@@ -1634,6 +1638,7 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_DNS, 5353/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_DNS, 5355/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_DTLS, 443/udp))
+0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_FINGER, 79/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 21/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 2811/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 1080/tcp))
@@ -1687,6 +1692,7 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DNP3_TCP, {20000<...>/tcp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DNS, {5353<...>/tcp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DTLS, {443/udp}))
+0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_FINGER, {79/tcp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_FTP, {2811<...>/tcp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_HTTP, {80<...>/tcp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_IMAP, {143/tcp}))
@@ -2368,7 +2374,6 @@
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_FileExtract.events.bif.zeek, <...>/Zeek_FileExtract.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_FileExtract.functions.bif.zeek, <...>/Zeek_FileExtract.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_FileHash.events.bif.zeek, <...>/Zeek_FileHash.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_Finger.events.bif.zeek, <...>/Zeek_Finger.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_GSSAPI.events.bif.zeek, <...>/Zeek_GSSAPI.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_GTPv1.events.bif.zeek, <...>/Zeek_GTPv1.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_GTPv1.functions.bif.zeek, <...>/Zeek_GTPv1.functions.bif.zeek)
@@ -2456,7 +2461,6 @@
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_Spicy.consts.bif.zeek, <...>/Zeek_Spicy.consts.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_Spicy.events.bif.zeek, <...>/Zeek_Spicy.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_Spicy.functions.bif.zeek, <...>/Zeek_Spicy.functions.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_Syslog.events.bif.zeek, <...>/Zeek_Syslog.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_TCP.events.bif.zeek, <...>/Zeek_TCP.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek)
@@ -2538,6 +2542,7 @@
 0.000000   MetaHookPre   LoadFile(0, ./site, <...>/site.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./smb1-main, <...>/smb1-main.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./smb2-main, <...>/smb2-main.zeek)
+0.000000   MetaHookPre   LoadFile(0, ./spicy-events, <...>/spicy-events.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./stats.bif.zeek, <...>/stats.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./std-dev, <...>/std-dev.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./store, <...>/store.zeek)
@@ -2619,6 +2624,7 @@
 0.000000   MetaHookPre   LoadFile(0, base<...>/files, <...>/files.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/find-checksum-offloading, <...>/find-checksum-offloading.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/find-filtered-trace, <...>/find-filtered-trace.zeek)
+0.000000   MetaHookPre   LoadFile(0, base<...>/finger, <...>/finger)
 0.000000   MetaHookPre   LoadFile(0, base<...>/ftp, <...>/ftp)
 0.000000   MetaHookPre   LoadFile(0, base<...>/geneve, <...>/geneve)
 0.000000   MetaHookPre   LoadFile(0, base<...>/geoip-distance, <...>/geoip-distance.zeek)
@@ -2755,7 +2761,6 @@
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_FileExtract.events.bif.zeek, <...>/Zeek_FileExtract.events.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_FileExtract.functions.bif.zeek, <...>/Zeek_FileExtract.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_FileHash.events.bif.zeek, <...>/Zeek_FileHash.events.bif.zeek)
-0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Finger.events.bif.zeek, <...>/Zeek_Finger.events.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_GSSAPI.events.bif.zeek, <...>/Zeek_GSSAPI.events.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_GTPv1.events.bif.zeek, <...>/Zeek_GTPv1.events.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_GTPv1.functions.bif.zeek, <...>/Zeek_GTPv1.functions.bif.zeek)
@@ -2843,7 +2848,6 @@
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Spicy.consts.bif.zeek, <...>/Zeek_Spicy.consts.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Spicy.events.bif.zeek, <...>/Zeek_Spicy.events.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Spicy.functions.bif.zeek, <...>/Zeek_Spicy.functions.bif.zeek)
-0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Syslog.events.bif.zeek, <...>/Zeek_Syslog.events.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_TCP.events.bif.zeek, <...>/Zeek_TCP.events.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek)
@@ -2925,6 +2929,7 @@
 0.000000   MetaHookPre   LoadFileExtended(0, ./site, <...>/site.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./smb1-main, <...>/smb1-main.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./smb2-main, <...>/smb2-main.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./spicy-events, <...>/spicy-events.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./stats.bif.zeek, <...>/stats.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./std-dev, <...>/std-dev.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./store, <...>/store.zeek)
@@ -3006,6 +3011,7 @@
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/files, <...>/files.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/find-checksum-offloading, <...>/find-checksum-offloading.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/find-filtered-trace, <...>/find-filtered-trace.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/finger, <...>/finger)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/ftp, <...>/ftp)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/geneve, <...>/geneve)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/geoip-distance, <...>/geoip-distance.zeek)
@@ -3134,6 +3140,7 @@
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DNS, 5353/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DNS, 5355/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DTLS, 443/udp)
+0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_FINGER, 79/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_FTP, 21/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_FTP, 2811/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_HTTP, 1080/tcp)
@@ -3195,6 +3202,7 @@
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DNS, 5353/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DNS, 5355/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DTLS, 443/udp)
+0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_FINGER, 79/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_FTP, 21/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_FTP, 2811/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 1080/tcp)
@@ -3248,6 +3256,7 @@
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DNP3_TCP, {20000<...>/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DNS, {5353<...>/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DTLS, {443/udp})
+0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_FINGER, {79/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_FTP, {2811<...>/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, {80<...>/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_IMAP, {143/tcp})
@@ -3928,7 +3937,6 @@
 0.000000 | HookLoadFile  ./Zeek_FileExtract.events.bif.zeek <...>/Zeek_FileExtract.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_FileExtract.functions.bif.zeek <...>/Zeek_FileExtract.functions.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_FileHash.events.bif.zeek <...>/Zeek_FileHash.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_Finger.events.bif.zeek <...>/Zeek_Finger.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_GSSAPI.events.bif.zeek <...>/Zeek_GSSAPI.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_GTPv1.events.bif.zeek <...>/Zeek_GTPv1.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_GTPv1.functions.bif.zeek <...>/Zeek_GTPv1.functions.bif.zeek
@@ -4016,7 +4024,6 @@
 0.000000 | HookLoadFile  ./Zeek_Spicy.consts.bif.zeek <...>/Zeek_Spicy.consts.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_Spicy.events.bif.zeek <...>/Zeek_Spicy.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_Spicy.functions.bif.zeek <...>/Zeek_Spicy.functions.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_Syslog.events.bif.zeek <...>/Zeek_Syslog.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_TCP.events.bif.zeek <...>/Zeek_TCP.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_TCP.functions.bif.zeek <...>/Zeek_TCP.functions.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_TCP.types.bif.zeek <...>/Zeek_TCP.types.bif.zeek
@@ -4109,6 +4116,7 @@
 0.000000 | HookLoadFile  ./site <...>/site.zeek
 0.000000 | HookLoadFile  ./smb1-main <...>/smb1-main.zeek
 0.000000 | HookLoadFile  ./smb2-main <...>/smb2-main.zeek
+0.000000 | HookLoadFile  ./spicy-events <...>/spicy-events.zeek
 0.000000 | HookLoadFile  ./stats.bif.zeek <...>/stats.bif.zeek
 0.000000 | HookLoadFile  ./std-dev <...>/std-dev.zeek
 0.000000 | HookLoadFile  ./store <...>/store.zeek
@@ -4191,6 +4199,7 @@
 0.000000 | HookLoadFile  base<...>/files <...>/files.zeek
 0.000000 | HookLoadFile  base<...>/find-checksum-offloading <...>/find-checksum-offloading.zeek
 0.000000 | HookLoadFile  base<...>/find-filtered-trace <...>/find-filtered-trace.zeek
+0.000000 | HookLoadFile  base<...>/finger <...>/finger
 0.000000 | HookLoadFile  base<...>/ftp <...>/ftp
 0.000000 | HookLoadFile  base<...>/geneve <...>/geneve
 0.000000 | HookLoadFile  base<...>/geoip-distance <...>/geoip-distance.zeek
@@ -4315,7 +4324,6 @@
 0.000000 | HookLoadFileExtended ./Zeek_FileExtract.events.bif.zeek <...>/Zeek_FileExtract.events.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_FileExtract.functions.bif.zeek <...>/Zeek_FileExtract.functions.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_FileHash.events.bif.zeek <...>/Zeek_FileHash.events.bif.zeek
-0.000000 | HookLoadFileExtended ./Zeek_Finger.events.bif.zeek <...>/Zeek_Finger.events.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_GSSAPI.events.bif.zeek <...>/Zeek_GSSAPI.events.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_GTPv1.events.bif.zeek <...>/Zeek_GTPv1.events.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_GTPv1.functions.bif.zeek <...>/Zeek_GTPv1.functions.bif.zeek
@@ -4403,7 +4411,6 @@
 0.000000 | HookLoadFileExtended ./Zeek_Spicy.consts.bif.zeek <...>/Zeek_Spicy.consts.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_Spicy.events.bif.zeek <...>/Zeek_Spicy.events.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_Spicy.functions.bif.zeek <...>/Zeek_Spicy.functions.bif.zeek
-0.000000 | HookLoadFileExtended ./Zeek_Syslog.events.bif.zeek <...>/Zeek_Syslog.events.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_TCP.events.bif.zeek <...>/Zeek_TCP.events.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_TCP.functions.bif.zeek <...>/Zeek_TCP.functions.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_TCP.types.bif.zeek <...>/Zeek_TCP.types.bif.zeek
@@ -4496,6 +4503,7 @@
 0.000000 | HookLoadFileExtended ./site <...>/site.zeek
 0.000000 | HookLoadFileExtended ./smb1-main <...>/smb1-main.zeek
 0.000000 | HookLoadFileExtended ./smb2-main <...>/smb2-main.zeek
+0.000000 | HookLoadFileExtended ./spicy-events <...>/spicy-events.zeek
 0.000000 | HookLoadFileExtended ./stats.bif.zeek <...>/stats.bif.zeek
 0.000000 | HookLoadFileExtended ./std-dev <...>/std-dev.zeek
 0.000000 | HookLoadFileExtended ./store <...>/store.zeek
@@ -4578,6 +4586,7 @@
 0.000000 | HookLoadFileExtended base<...>/files <...>/files.zeek
 0.000000 | HookLoadFileExtended base<...>/find-checksum-offloading <...>/find-checksum-offloading.zeek
 0.000000 | HookLoadFileExtended base<...>/find-filtered-trace <...>/find-filtered-trace.zeek
+0.000000 | HookLoadFileExtended base<...>/finger <...>/finger
 0.000000 | HookLoadFileExtended base<...>/ftp <...>/ftp
 0.000000 | HookLoadFileExtended base<...>/geneve <...>/geneve
 0.000000 | HookLoadFileExtended base<...>/geoip-distance <...>/geoip-distance.zeek
diff --git a/testing/btest/Baseline/scripts.base.protocols.finger.events/output b/testing/btest/Baseline/scripts.base.protocols.finger.events/output
new file mode 100644
index 0000000000..1f5d247c00
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.finger.events/output
@@ -0,0 +1,8 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+request, [orig_h=192.168.7.216, orig_p=56149/tcp, resp_h=95.179.238.241, resp_p=79/tcp], F, julien, 
+response, [orig_h=192.168.7.216, orig_p=56149/tcp, resp_h=95.179.238.241, resp_p=79/tcp], Login: julien\x09\x09\x09\x09Name: 
+response, [orig_h=192.168.7.216, orig_p=56149/tcp, resp_h=95.179.238.241, resp_p=79/tcp], Directory: /home/julien\x09\x09\x09Shell: /bin/sh
+response, [orig_h=192.168.7.216, orig_p=56149/tcp, resp_h=95.179.238.241, resp_p=79/tcp], Logged: no
+response, [orig_h=192.168.7.216, orig_p=56149/tcp, resp_h=95.179.238.241, resp_p=79/tcp], Project:
+request, [orig_h=192.168.7.216, orig_p=56750/tcp, resp_h=95.179.238.241, resp_p=79/tcp], T, julien, 
+response, [orig_h=192.168.7.216, orig_p=56750/tcp, resp_h=95.179.238.241, resp_p=79/tcp], Are you lost?
diff --git a/testing/btest/Baseline/spicy.spicyz-jit/output b/testing/btest/Baseline/spicy.spicyz-jit/output
deleted file mode 100644
index e7ad0949ae..0000000000
--- a/testing/btest/Baseline/spicy.spicyz-jit/output
+++ /dev/null
@@ -1,5 +0,0 @@
-### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-8, [$data=[b"POST /post HTTP/1.1", b"User-Agent: curl/7.29.0", b"Host: httpbin.org", b"Accept: */*", b"Content-Length: 11", b"Content-Type: application/x-www-form-urlencoded", b"", b"hello world"]]
-Event:, [POST /post HTTP/1.1, User-Agent: curl/7.29.0, Host: httpbin.org, Accept: */*, Content-Length: 11, Content-Type: application/x-www-form-urlencoded, , hello world]
-8, [$data=[b"HTTP/1.1 200 OK", b"Server: gunicorn/0.16.1", b"Date: Tue, 19 Mar 2013 16:05:11 GMT", b"Content-Type: application/json", b"Content-Length: 366", b"Connection: close", b"", b"{\x0a  \"origin\": \"10.142.133.148\",\x0a  \"files\": {},\x0a  \"form\": null,\x0a  \"url\": \"http://httpbin.org/post\",\x0a  \"args\": {},\x0a  \"headers\": {\x0a    \"Content-Length\": \"11\",\x0a    \"Connection\": \"close\",\x0a    \"Accept\": \"*/*\",\x0a    \"User-Agent\": \"curl/7.29.0\",\x0a    \"Host\": \"httpbin.org\",\x0a    \"Content-Type\": \"application/x-www-form-urlencoded\"\x0a  },\x0a  \"json\": null,\x0a  \"data\": \"hello world\"\x0a}"]]
-Event:, [HTTP/1.1 200 OK, Server: gunicorn/0.16.1, Date: Tue, 19 Mar 2013 16:05:11 GMT, Content-Type: application/json, Content-Length: 366, Connection: close, , {\x0a  "origin": "10.142.133.148",\x0a  "files": {},\x0a  "form": null,\x0a  "url": "http://httpbin.org/post",\x0a  "args": {},\x0a  "headers": {\x0a    "Content-Length": "11",\x0a    "Connection": "close",\x0a    "Accept": "*/*",\x0a    "User-Agent": "curl/7.29.0",\x0a    "Host": "httpbin.org",\x0a    "Content-Type": "application/x-www-form-urlencoded"\x0a  },\x0a  "json": null,\x0a  "data": "hello world"\x0a}]
diff --git a/testing/btest/Baseline/spicy.spicyz-aot/output b/testing/btest/Baseline/spicy.spicyz/output
similarity index 100%
rename from testing/btest/Baseline/spicy.spicyz-aot/output
rename to testing/btest/Baseline/spicy.spicyz/output
diff --git a/testing/btest/Traces/finger/standard.pcap b/testing/btest/Traces/finger/standard.pcap
new file mode 100644
index 0000000000..d5288e8b46
Binary files /dev/null and b/testing/btest/Traces/finger/standard.pcap differ
diff --git a/testing/btest/Traces/finger/verbose.pcap b/testing/btest/Traces/finger/verbose.pcap
new file mode 100644
index 0000000000..28c218848c
Binary files /dev/null and b/testing/btest/Traces/finger/verbose.pcap differ
diff --git a/testing/btest/coverage/default-load-baseline.test b/testing/btest/coverage/default-load-baseline.test
index 3f7d656158..b94172cbc7 100644
--- a/testing/btest/coverage/default-load-baseline.test
+++ b/testing/btest/coverage/default-load-baseline.test
@@ -7,7 +7,7 @@
 # prefix to make the test work everywhere. That's what the sed magic
 # below does. Don't ask. :-)
 
-# @TEST-REQUIRES: test -x ${BUILD}/auxil/spicy/spicy/bin/spicy-config
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
 # @TEST-EXEC: zeek misc/loaded-scripts
 # @TEST-EXEC: test -e loaded_scripts.log
 # @TEST-EXEC: cat loaded_scripts.log | grep -E -v '#' | sed 's/ //g' | sed -e ':a' -e '$!N' -e 's/^\(.*\).*\n\1.*/\1/' -e 'ta' >prefix
diff --git a/testing/btest/scripts/base/frameworks/logging/field-extension-invalid.zeek b/testing/btest/scripts/base/frameworks/logging/field-extension-invalid.zeek
index fd74e42002..e547833052 100644
--- a/testing/btest/scripts/base/frameworks/logging/field-extension-invalid.zeek
+++ b/testing/btest/scripts/base/frameworks/logging/field-extension-invalid.zeek
@@ -1,4 +1,4 @@
-# @TEST-REQUIRES: test -x ${BUILD}/auxil/spicy/spicy/bin/spicy-config
+# @TEST-REQUIRES: $SCRIPTS/have-spicy
 # @TEST-EXEC: zeek -b -r $TRACES/http/get.trace %INPUT
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff .stderr
diff --git a/testing/btest/scripts/base/protocols/finger/events.zeek b/testing/btest/scripts/base/protocols/finger/events.zeek
new file mode 100644
index 0000000000..b005bafdb9
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/finger/events.zeek
@@ -0,0 +1,18 @@
+# @TEST-EXEC: zeek -r $TRACES/finger/standard.pcap %INPUT >>output
+# @TEST-EXEC: zeek -r $TRACES/finger/verbose.pcap %INPUT >>output
+# @TEST-EXEC: btest-diff output
+
+global resp_lines = 0;
+
+event finger_request(c: connection, full: bool, username: string, hostname: string)
+	{
+	print "request", c$id, full, username, hostname;
+	}
+
+event finger_reply(c: connection, reply_line: string)
+	{
+	if ( ++resp_lines >= 5 )
+		return;
+
+	print "response", c$id, reply_line;
+	}
diff --git a/testing/btest/spicy/spicyz-jit.test b/testing/btest/spicy/spicyz-jit.test
deleted file mode 100644
index 514bec8990..0000000000
--- a/testing/btest/spicy/spicyz-jit.test
+++ /dev/null
@@ -1,39 +0,0 @@
-# @TEST-DOC: Smoke test for a custom Spicy analyzer hooked into Zeek with JIT via Zeek itself.
-#
-# @TEST-REQUIRES: $SCRIPTS/have-spicy
-
-# Use a script here to prevent spicy from outputting warnings during compilation. If the build is
-# failing, the script can be modified to not redirect the output.
-# @TEST-EXEC: HILTI_CXX=$SCRIPTS/hilti-ignore-cxx-errors zeek -NN test.zeek test.spicy test.evt | grep -q ANALYZER_SPICY_TEST
-# @TEST-EXEC: HILTI_CXX=$SCRIPTS/hilti-ignore-cxx-errors zeek -r ${TRACES}/http/post.trace test.spicy test.evt test.zeek "Spicy::enable_print = T;" >>output 2>&1
-# @TEST-EXEC: btest-diff output
-
-# @TEST-START-FILE test.spicy
-module test;
-
-import zeek;
-
-public type Dummy = unit {
-    # Consume all data. We split data into lines and log the number of lines and the lines when done.
-    data: bytes &eod &convert=$$.split(b"\r\n");
-
-    on %done { print |self.data|, self; }
-};
-# @TEST-END-FILE
-
-# @TEST-START-FILE test.evt
-protocol analyzer spicy::Test over TCP:
-    parse with test::Dummy,
-    port 80/tcp;
-
-on test::Dummy -> event test::dummy(self.data);
-# @TEST-END-FILE
-
-# @TEST-START-FILE test.zeek
-module test;
-
-event test::dummy(data: vector of string)
-{
-	print "Event:", data;
-}
-# @TEST-END-FILE
diff --git a/testing/btest/spicy/spicyz-aot.test b/testing/btest/spicy/spicyz.test
similarity index 100%
rename from testing/btest/spicy/spicyz-aot.test
rename to testing/btest/spicy/spicyz.test
diff --git a/testing/external/commit-hash.zeek-testing-private b/testing/external/commit-hash.zeek-testing-private
index 6b8aef994d..aaaa01bdc4 100644
--- a/testing/external/commit-hash.zeek-testing-private
+++ b/testing/external/commit-hash.zeek-testing-private
@@ -1 +1 @@
-c901e5a69c1d8496973e18d6475b7af7ca5e9fcc
+7bbcd06c50dc5bcae3533842c302c617ac5f1852
diff --git a/testing/scripts/diff-canonifier-external b/testing/scripts/diff-canonifier-external
index 43d2182fbd..d139420564 100755
--- a/testing/scripts/diff-canonifier-external
+++ b/testing/scripts/diff-canonifier-external
@@ -25,5 +25,6 @@ $(dirname $0)/diff-remove-timestamps |
     $(dirname $0)/diff-remove-x509-names |
     $(dirname $0)/diff-sort-conn-service |
     $(dirname $0)/diff-sort-set-elements |
+    $(dirname $0)/diff-remove-spicy-abspath |
     $(dirname $0)/diff-sort |
     eval $addl
diff --git a/testing/scripts/diff-remove-spicy-abspath b/testing/scripts/diff-remove-spicy-abspath
new file mode 100755
index 0000000000..d70fc00b31
--- /dev/null
+++ b/testing/scripts/diff-remove-spicy-abspath
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+#
+# Replace absolute paths in Spicy error message with the basename. This is more
+# restrictive than diff-remove-abspath to avoid catching other stuff.
+
+if [ $(uname) == "Linux" ]; then
+    sed="sed -r"
+else
+    sed="sed -E"
+fi
+
+$sed 's#/([^:/]{1,}/){1,}([^:/]{1,}\.spicy[:,])#<...>/\2#g'
diff --git a/testing/scripts/have-spicy b/testing/scripts/have-spicy
index d520e7438d..987542dac0 100755
--- a/testing/scripts/have-spicy
+++ b/testing/scripts/have-spicy
@@ -1,6 +1,2 @@
 #!/bin/sh
-if grep -q "DISABLE_SPICY:BOOL=true" "${BUILD}"/CMakeCache.txt; then
-    return 1
-else
-    true
-fi
+"${BUILD}/zeek-config" --have-spicy-analyzers >/dev/null
diff --git a/zeek-config.in b/zeek-config.in
index e6ac279c3b..5b08d8fcde 100755
--- a/zeek-config.in
+++ b/zeek-config.in
@@ -6,6 +6,7 @@ btest_tools_dir=@ZEEK_CONFIG_BTEST_TOOLS_DIR@
 build_type=@CMAKE_BUILD_TYPE_LOWER@
 cmake_dir=@CMAKE_INSTALL_PREFIX@/share/zeek/cmake
 config_dir=@ZEEK_ETC_INSTALL_DIR@
+have_spicy=@USE_SPICY_ANALYZERS@
 include_dir=@CMAKE_INSTALL_PREFIX@/include
 lib_dir=@CMAKE_INSTALL_FULL_LIBDIR@
 plugin_dir=@BRO_PLUGIN_INSTALL_PATH@
@@ -64,6 +65,10 @@ Toplevel installation directories for third-party components:
 
   --binpac_root         BinPAC compiler
   --broker_root         Broker communication framework
+
+Feature tests:
+
+  --have-spicy-analyzers  Prints 'yes' if built-in Spicy analyzers are available; exit code reflects result
 "
 }
 
@@ -103,6 +108,15 @@ while [ $# -ne 0 ]; do
         --config_dir)
             echo $config_dir
             ;;
+        --have-spicy-analyzers)
+            if [ "$have_spicy" = "yes" ]; then
+                echo "yes"
+                exit 0
+            else
+                echo "no"
+                exit 1
+            fi
+            ;;
         --include_dir)
             echo $include_dir
             ;;