diff --git a/src/LogMgr.cc b/src/LogMgr.cc
index 14637f3978..bd14cf17db 100644
--- a/src/LogMgr.cc
+++ b/src/LogMgr.cc
@@ -553,8 +553,6 @@ bool LogMgr::TraverseRecord(Stream* stream, Filter* filter, RecordType* rt, Tabl
 else
 new_path = path + "." + rt->FieldName(i);
 
- StringVal* new_path_val = new StringVal(path.c_str());
-
 if ( t->InternalType() == TYPE_INTERNAL_OTHER )
 {
 if ( t->Tag() == TYPE_RECORD )
@@ -585,15 +583,25 @@ bool LogMgr::TraverseRecord(Stream* stream, Filter* filter, RecordType* rt, Tabl
 // If include fields are specified, only include if explicitly listed.
 if ( include )
 {
- if ( ! include->Lookup(new_path_val) )
- return true;
+ StringVal* new_path_val = new StringVal(new_path.c_str());
+ bool result = include->Lookup(new_path_val);
+
+ Unref(new_path_val);
+
+ if ( ! result )
+ continue;
 }
 
 // If exclude fields are specified, do not only include if listed.
 if ( exclude )
 {
- if ( exclude->Lookup(new_path_val) )
- return true;
+ StringVal* new_path_val = new StringVal(new_path.c_str());
+ bool result = exclude->Lookup(new_path_val);
+
+ Unref(new_path_val);
+
+ if ( result )
+ continue;
 }
 
 // Alright, we want this field.
diff --git a/testing/btest/Baseline/logging.exclude/ssh.log b/testing/btest/Baseline/logging.exclude/ssh.log
new file mode 100644
index 0000000000..4defa5ced1
--- /dev/null
+++ b/testing/btest/Baseline/logging.exclude/ssh.log
@@ -0,0 +1,6 @@
+# id.orig_p id.resp_h id.resp_p status country
+1234 2.3.4.5 80 success unknown
+1234 2.3.4.5 80 failure US
+1234 2.3.4.5 80 failure UK
+1234 2.3.4.5 80 success BR
+1234 2.3.4.5 80 failure MX
diff --git a/testing/btest/Baseline/logging.include/ssh.log b/testing/btest/Baseline/logging.include/ssh.log
new file mode 100644
index 0000000000..881704257e
--- /dev/null
+++ b/testing/btest/Baseline/logging.include/ssh.log
@@ -0,0 +1,6 @@
+# t id.orig_h
+1303064007.48299 1.2.3.4
+1303064007.48299 1.2.3.4
+1303064007.48299 1.2.3.4
+1303064007.48299 1.2.3.4
+1303064007.48299 1.2.3.4
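Review bot: In the second LogMgr.cc hunk the index value is built, looked up and Unref'd separately inside the `if ( include )` and `if ( exclude )` branches, although both look up the same `new_path` string; allocating the StringVal once ahead of the two checks and releasing it at a single point removes the duplicated allocate/Unref pair and the second allocation per field. The context comment above the exclude branch still reads "do not only include if listed"; `// If exclude fields are specified, skip the field if it is listed.` states what the code now does. The loop that the new `continue` statements target, and the rest of TraverseRecord, lie outside the hunk. Suggested shape for the two checks:
```cpp
		// Build the lookup index once; the include and the exclude check
		// both compare the same fully qualified field path.
		StringVal* new_path_val = new StringVal(new_path.c_str());
		bool listed_in_include = ! include || include->Lookup(new_path_val);
		bool listed_in_exclude = exclude && exclude->Lookup(new_path_val);
		Unref(new_path_val);

		// If include fields are specified, only include if explicitly listed.
		if ( ! listed_in_include )
			continue;

		// If exclude fields are specified, skip the field if it is listed.
		if ( listed_in_exclude )
			continue;

		// … unchanged: "Alright, we want this field." and the rest of the loop body …
```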
diff --git a/testing/btest/btest.cfg b/testing/btest/btest.cfg
index 6a5cf94b86..3f79ae0e59 100644
--- a/testing/btest/btest.cfg
+++ b/testing/btest/btest.cfg
@@ -1,6 +1,6 @@ [btest] -TestDirs = logging +TestDirs = logging language TmpDir = %(testbase)s/.tmp BaselineDir = %(testbase)s/Baseline IgnoreDirs = .svn CVS .tmp
diff --git a/testing/btest/logging/exclude.bro b/testing/btest/logging/exclude.bro
new file mode 100644
index 0000000000..46603d3202
--- /dev/null
+++ b/testing/btest/logging/exclude.bro
@@ -0,0 +1,34 @@
+#
+# @TEST-EXEC: bro %INPUT
+# @TEST-EXEC: btest-diff ssh.log
+
+module SSH;
+
+export {
+ redef enum Log::ID += { SSH };
+
+ type Log: record {
+ t: time;
+ id: conn_id; # Will be rolled out into individual columns.
+ status: string &optional;
+ country: string &default="unknown";
+ } &log;
+}
+
+event bro_init()
+{
+ Log::create_stream(SSH, [$columns=Log]);
+
+ Log::remove_default_filter(SSH);
+ Log::add_filter(SSH, [$name="f1", $exclude=set("t", "id.orig_h")]);
+
+ local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+
+ Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]);
+ Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
+ Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
+ Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
+ Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
+
+}
+
diff --git a/testing/btest/logging/include.bro b/testing/btest/logging/include.bro
new file mode 100644
index 0000000000..f1fac64bbd
--- /dev/null
+++ b/testing/btest/logging/include.bro
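Review bot: The new exclude.bro (and include.bro in the following hunk) list only fully qualified leaf paths such as `"id.orig_h"` in the filter set, so neither test pins what a record-level name like `"id"` does for its rolled-out columns. The LogMgr.cc change compares the complete `new_path` string against the set, and it is not visible from this diff whether a record-typed field is itself checked before its sub-fields are traversed; for an exclude filter the difference decides whether `$exclude=set("id")` drops all `id.*` columns or none of them, which matters when exclude is used to keep a column out of a log. A third case with `$exclude=set("id")` and its own baseline would document the intended behaviour either way. The two tests also name their filter differently (`"f1"` here, `"default"` in include.bro); using one name in both keeps them parallel.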
@@ -0,0 +1,34 @@
+#
+# @TEST-EXEC: bro %INPUT
+# @TEST-EXEC: btest-diff ssh.log
+
+module SSH;
+
+export {
+ redef enum Log::ID += { SSH };
+
+ type Log: record {
+ t: time;
+ id: conn_id; # Will be rolled out into individual columns.
+ status: string &optional;
+ country: string &default="unknown";
+ } &log;
+}
+
+event bro_init()
+{
+ Log::create_stream(SSH, [$columns=Log]);
+
+ Log::remove_default_filter(SSH);
+ Log::add_filter(SSH, [$name="default", $include=set("t", "id.orig_h")]);
+
+ local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+
+ Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]);
+ Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
+ Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
+ Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
+ Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
+
+}
+