Fixing logging filter "include" and "exclude" options.

src/LogMgr.cc

@@ -553,8 +553,6 @@ bool LogMgr::TraverseRecord(Stream* stream, Filter* filter, RecordType* rt, Tabl
 		else
 			new_path = path + "." + rt->FieldName(i);
 
-		StringVal* new_path_val = new StringVal(path.c_str());
-
 		if ( t->InternalType() == TYPE_INTERNAL_OTHER )
 			{
 			if ( t->Tag() == TYPE_RECORD )
@@ -585,15 +583,25 @@ bool LogMgr::TraverseRecord(Stream* stream, Filter* filter, RecordType* rt, Tabl
 		// If include fields are specified, only include if explicitly listed.
 		if ( include )
 			{
-			if ( ! include->Lookup(new_path_val) )
+			StringVal* new_path_val = new StringVal(new_path.c_str());
-				return true;
+			bool result = include->Lookup(new_path_val);
+
+			Unref(new_path_val);
+
+			if ( ! result )
+				continue;
 			}
 
 		// If exclude fields are specified, do not only include if listed.
 		if ( exclude )
 			{
-			if ( exclude->Lookup(new_path_val) )
+			StringVal* new_path_val = new StringVal(new_path.c_str());
-				return true;
+			bool result = exclude->Lookup(new_path_val);
+
+			Unref(new_path_val);
+
+			if ( result )
+				continue;
 			}
 
 		// Alright, we want this field.

testing/btest/Baseline/logging.exclude/ssh.log

@@ -0,0 +1,6 @@
+# id.orig_p	id.resp_h	id.resp_p	status	country
+1234	2.3.4.5	80	success	unknown
+1234	2.3.4.5	80	failure	US
+1234	2.3.4.5	80	failure	UK
+1234	2.3.4.5	80	success	BR
+1234	2.3.4.5	80	failure	MX

testing/btest/Baseline/logging.include/ssh.log

@@ -0,0 +1,6 @@
+# t	id.orig_h
+1303064007.48299	1.2.3.4
+1303064007.48299	1.2.3.4
+1303064007.48299	1.2.3.4
+1303064007.48299	1.2.3.4
+1303064007.48299	1.2.3.4

testing/btest/btest.cfg

@@ -1,6 +1,6 @@
 
 [btest]
-TestDirs    = logging
+TestDirs    = logging language
 TmpDir      = %(testbase)s/.tmp
 BaselineDir = %(testbase)s/Baseline
 IgnoreDirs  = .svn CVS .tmp

testing/btest/logging/exclude.bro

@@ -0,0 +1,34 @@
+#
+# @TEST-EXEC: bro %INPUT
+# @TEST-EXEC: btest-diff ssh.log
+
+module SSH;
+
+export {
+	redef enum Log::ID += { SSH };
+
+	type Log: record {
+		t: time;
+		id: conn_id; # Will be rolled out into individual columns.
+		status: string &optional;
+		country: string &default="unknown";
+	} &log;
+}
+
+event bro_init()
+{
+	Log::create_stream(SSH, [$columns=Log]);
+
+	Log::remove_default_filter(SSH);
+	Log::add_filter(SSH, [$name="f1", $exclude=set("t", "id.orig_h")]);
+
+	local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
+	
+}
+

testing/btest/logging/include.bro

@@ -0,0 +1,34 @@
+#
+# @TEST-EXEC: bro %INPUT
+# @TEST-EXEC: btest-diff ssh.log
+
+module SSH;
+
+export {
+	redef enum Log::ID += { SSH };
+
+	type Log: record {
+		t: time;
+		id: conn_id; # Will be rolled out into individual columns.
+		status: string &optional;
+		country: string &default="unknown";
+	} &log;
+}
+
+event bro_init()
+{
+	Log::create_stream(SSH, [$columns=Log]);
+
+	Log::remove_default_filter(SSH);
+	Log::add_filter(SSH, [$name="default", $include=set("t", "id.orig_h")]);
+
+	local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
+	
+}
+