Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

analyzer: Add analyzer.log for logging violations/confirmations

Browse source 
By default this only logs all the violations, regardless of the
confirmation state (for which there's still dpd.log). It includes
packet, protocol and file analyzers.

This uses options, change handlers and event groups for toggling
the functionality at runtime.

Closes #2031
This commit is contained in:
Arne Welzel 2022-12-15 17:27:10 +01:00
parent e12baf08a7
commit 17d0ade26a
15 changed files with 372 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

1
scripts/base/frameworks/analyzer/__load__.zeek
View file

@ -1,2 +1,3 @@
@load ./main
@load ./dpd
@load ./logging

182
scripts/base/frameworks/analyzer/logging.zeek Normal file
View file

@ -0,0 +1,182 @@
##! Logging analyzer confirmations and violations into analyzer.log
@load base/frameworks/config
@load base/frameworks/logging
@load ./main
module Analyzer::Logging;
export {
## Add the analyzer logging stream identifier.
redef enum Log::ID += { LOG };
## A default logging policy hook for the stream.
global log_policy: Log::PolicyHook;
## The record type defining the columns to log in the analyzer logging stream.
type Info: record {
## Timestamp of confirmation or violation.
ts: time &log;
## What caused this log entry to be produced. This can
## currently be "violation" or "confirmation".
cause: string &log;
## The kind of analyzer involved. Currently "packet", "file"
## or "protocol".
analyzer_kind: string &log;
## The name of the analyzer as produced by :zeek:see:`Analyzer::name`
## for the analyzer's tag.
analyzer_name: string &log;
## Connection UID if available.
uid: string &log &optional;
## File UID if available.
fuid: string &log &optional;
## Connection identifier if available
id: conn_id &log &optional;
## Failure or violation reason, if available.
failure_reason: string &log &optional;
## Data causing failure or violation if available. Truncated
## to :zeek:see:`Analyzer::Logging::failure_data_max_size`.
failure_data: string &log &optional;
};
## Enable logging of analyzer violations and optionally confirmations
## when :zeek::see:`Analyzer::Logging::include_confirmations` is set.
option enable = T;
## Enable analyzer_confirmation. They are usually less interesting
## outside of development of analyzers or troubleshooting scenarios.
## Setting this option may also generated multiple log entries per
## connection, minimally one for each conn.log entry with a populated
## service field.
option include_confirmations = F;
## If a violation contains information about the data causing it,
## include at most this many bytes of it in the log.
option failure_data_max_size = 40;
## Set of analyzers for which to not log confirmations or violations.
option ignore_analyzers: set[AllAnalyzers::Tag] = set();
}
event zeek_init() &priority=5
{
Log::create_stream(LOG, [$columns=Info, $path="analyzer", $policy=log_policy,
$event_groups=set("Analyzer::Logging")]);
local enable_handler = function(id: string, new_value: bool): bool {
if ( new_value )
Log::enable_stream(LOG);
else
Log::disable_stream(LOG);
return new_value;
};
Option::set_change_handler("Analyzer::Logging::enable", enable_handler);
local include_confirmations_handler = function(id: string, new_value: bool): bool {
if ( new_value )
enable_event_group("Analyzer::Logging::include_confirmations");
else
disable_event_group("Analyzer::Logging::include_confirmations");
return new_value;
};
Option::set_change_handler("Analyzer::Logging::include_confirmations",
include_confirmations_handler);
# Call the handlers directly with the current values to avoid config
# framework interactions like creating entries in config.log.
enable_handler("Analyzer::Logging::enable", Analyzer::Logging::enable);
include_confirmations_handler("Analyzer::Logging::include_confirmations",
Analyzer::Logging::include_confirmations);
}
function analyzer_kind(atype: AllAnalyzers::Tag): string
{
if ( is_protocol_analyzer(atype) )
return "protocol";
else if ( is_packet_analyzer(atype) )
return "packet";
else if ( is_file_analyzer(atype) )
return "file";
Reporter::warning(fmt("Unknown kind of analyzer %s", atype));
return "unknown";
}
function populate_from_conn(rec: Info, c: connection)
{
rec$id = c$id;
rec$uid = c$uid;
}
function populate_from_file(rec: Info, f: fa_file)
{
rec$fuid = f$id;
# If the confirmation didn't have a connection, but the
# fa_file object has has exactly one, use it.
if ( ! rec?$uid && f?$conns && |f$conns| == 1 )
{
for ( _, c in f$conns )
{
rec$id = c$id;
rec$uid = c$uid;
}
}
}
event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo) &group="Analyzer::Logging::include_confirmations"
{
if ( atype in ignore_analyzers )
return;
local rec = Info(
$ts=network_time(),
$cause="confirmation",
$analyzer_kind=analyzer_kind(atype),
$analyzer_name=Analyzer::name(atype),
);
if ( info?$c )
populate_from_conn(rec, info$c);
if ( info?$f )
populate_from_file(rec, info$f);
Log::write(LOG, rec);
}
event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo)
{
if ( atype in ignore_analyzers )
return;
local rec = Info(
$ts=network_time(),
$cause="violation",
$analyzer_kind=analyzer_kind(atype),
$analyzer_name=Analyzer::name(atype),
$failure_reason=info$reason,
);
if ( info?$c )
populate_from_conn(rec, info$c);
if ( info?$f )
populate_from_file(rec, info$f);
if ( info?$data )
{
if ( failure_data_max_size > 0 )
rec$failure_data = info$data[0:failure_data_max_size];
else
rec$failure_data = info$data;
}
Log::write(LOG, rec);
}

2
scripts/base/init-frameworks-and-bifs.zeek
View file

@ -7,6 +7,8 @@
@load base/frameworks/broker
@load base/frameworks/supervisor
@load base/frameworks/input
@load base/frameworks/cluster
@load base/frameworks/config
@load base/frameworks/analyzer
@load base/frameworks/files

12
testing/btest/Baseline/core.check-unused-event-handlers/.stderr
View file

@ -1,6 +1,17 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
### NOTE: This file has been sorted with diff-sort.
warning in <...>/check-unused-event-handlers.test, line 7: handler for non-existing event cannot be invoked (this_is_never_used)
warning in <params>, line 1: event handler never invoked: Control::configuration_update
warning in <params>, line 1: event handler never invoked: Control::configuration_update_request
warning in <params>, line 1: event handler never invoked: Control::configuration_update_response
warning in <params>, line 1: event handler never invoked: Control::id_value_request
warning in <params>, line 1: event handler never invoked: Control::id_value_response
warning in <params>, line 1: event handler never invoked: Control::net_stats_request
warning in <params>, line 1: event handler never invoked: Control::net_stats_response
warning in <params>, line 1: event handler never invoked: Control::peer_status_request
warning in <params>, line 1: event handler never invoked: Control::peer_status_response
warning in <params>, line 1: event handler never invoked: Control::shutdown_request
warning in <params>, line 1: event handler never invoked: Control::shutdown_response
warning in <params>, line 1: event handler never invoked: InputConfig::new_value
warning in <params>, line 1: event handler never invoked: InputRaw::process_finished
warning in <params>, line 1: event handler never invoked: Supervisor::node_status
@ -10,4 +21,5 @@ warning in <params>, line 1: event handler never invoked: SupervisorControl::res
warning in <params>, line 1: event handler never invoked: SupervisorControl::status_request
warning in <params>, line 1: event handler never invoked: SupervisorControl::stop_request
warning in <params>, line 1: event handler never invoked: spicy_analyzer_for_mime_type
warning in <params>, line 1: event handler never invoked: terminate_event
warning in <params>, line 1: event handler never invoked: this_is_never_used

11
testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
View file

@ -114,8 +114,19 @@ scripts/base/init-frameworks-and-bifs.zeek
scripts/base/frameworks/input/readers/binary.zeek
scripts/base/frameworks/input/readers/config.zeek
scripts/base/frameworks/input/readers/sqlite.zeek
scripts/base/frameworks/cluster/__load__.zeek
scripts/base/frameworks/cluster/main.zeek
scripts/base/frameworks/control/__load__.zeek
scripts/base/frameworks/control/main.zeek
scripts/base/frameworks/cluster/pools.zeek
scripts/base/utils/hash_hrw.zeek
scripts/base/frameworks/config/__load__.zeek
scripts/base/frameworks/config/main.zeek
scripts/base/frameworks/config/input.zeek
scripts/base/frameworks/config/weird.zeek
scripts/base/frameworks/analyzer/__load__.zeek
scripts/base/frameworks/analyzer/dpd.zeek
scripts/base/frameworks/analyzer/logging.zeek
scripts/base/frameworks/files/__load__.zeek
scripts/base/frameworks/files/main.zeek
scripts/base/utils/site.zeek

21
testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
View file

@ -114,8 +114,19 @@ scripts/base/init-frameworks-and-bifs.zeek
scripts/base/frameworks/input/readers/binary.zeek
scripts/base/frameworks/input/readers/config.zeek
scripts/base/frameworks/input/readers/sqlite.zeek
scripts/base/frameworks/cluster/__load__.zeek
scripts/base/frameworks/cluster/main.zeek
scripts/base/frameworks/control/__load__.zeek
scripts/base/frameworks/control/main.zeek
scripts/base/frameworks/cluster/pools.zeek
scripts/base/utils/hash_hrw.zeek
scripts/base/frameworks/config/__load__.zeek
scripts/base/frameworks/config/main.zeek
scripts/base/frameworks/config/input.zeek
scripts/base/frameworks/config/weird.zeek
scripts/base/frameworks/analyzer/__load__.zeek
scripts/base/frameworks/analyzer/dpd.zeek
scripts/base/frameworks/analyzer/logging.zeek
scripts/base/frameworks/files/__load__.zeek
scripts/base/frameworks/files/main.zeek
scripts/base/utils/site.zeek
@ -263,7 +274,6 @@ scripts/base/init-default.zeek
scripts/base/utils/email.zeek
scripts/base/utils/files.zeek
scripts/base/utils/geoip-distance.zeek
scripts/base/utils/hash_hrw.zeek
scripts/base/utils/numbers.zeek
scripts/base/utils/queue.zeek
scripts/base/utils/strings.zeek
@ -272,11 +282,6 @@ scripts/base/init-default.zeek
scripts/base/utils/urls.zeek
scripts/base/frameworks/notice/__load__.zeek
scripts/base/frameworks/notice/main.zeek
scripts/base/frameworks/cluster/__load__.zeek
scripts/base/frameworks/cluster/main.zeek
scripts/base/frameworks/control/__load__.zeek
scripts/base/frameworks/control/main.zeek
scripts/base/frameworks/cluster/pools.zeek
scripts/base/frameworks/notice/weird.zeek
scripts/base/frameworks/notice/actions/email_admin.zeek
scripts/base/frameworks/notice/actions/page.zeek
@ -293,10 +298,6 @@ scripts/base/init-default.zeek
scripts/base/frameworks/intel/main.zeek
scripts/base/frameworks/intel/files.zeek
scripts/base/frameworks/intel/input.zeek
scripts/base/frameworks/config/__load__.zeek
scripts/base/frameworks/config/main.zeek
scripts/base/frameworks/config/input.zeek
scripts/base/frameworks/config/weird.zeek
scripts/base/frameworks/sumstats/__load__.zeek
scripts/base/frameworks/sumstats/main.zeek
scripts/base/frameworks/sumstats/plugins/__load__.zeek

1
testing/btest/Baseline/coverage.find-bro-logs/out
View file

@ -1,4 +1,5 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
analyzer
broker
capture_loss
cluster

66
testing/btest/Baseline/plugins.hooks/output
View file

@ -192,6 +192,7 @@
0.000000 MetaHookPost CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ <init> SMTP::c{ if (SMTP::f$source != SMTP) return ()for ([SMTP::_] in SMTP::f$conns) { return (SMTP::describe(SMTP::c$smtp))}return ()}}])) -> <no result>
0.000000 MetaHookPost CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ <init> SSL::c{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::_] in SSL::f$conns) { if (SSL::c?$ssl) { return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) -> <no result>
0.000000 MetaHookPost CallFunction(FilteredTraceDetection::should_detect, <null>, ()) -> <no result>
0.000000 MetaHookPost CallFunction(Log::__add_filter, <frame>, (Analyzer::Logging::LOG, [name=default, writer=Log::WRITER_ASCII, path=analyzer, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::__add_filter, <frame>, (Broker::LOG, [name=default, writer=Log::WRITER_ASCII, path=broker, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::__add_filter, <frame>, (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, path=cluster, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::__add_filter, <frame>, (Config::LOG, [name=default, writer=Log::WRITER_ASCII, path=config, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
@ -242,6 +243,7 @@
0.000000 MetaHookPost CallFunction(Log::__add_filter, <frame>, (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, path=weird, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::__add_filter, <frame>, (X509::LOG, [name=default, writer=Log::WRITER_ASCII, path=x509, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::__add_filter, <frame>, (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, path=mysql, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::__create_stream, <frame>, (Analyzer::Logging::LOG, [columns=Analyzer::Logging::Info, ev=<uninitialized>, path=analyzer, policy=Analyzer::Logging::log_policy, event_groups={Analyzer::Logging}])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::__create_stream, <frame>, (Broker::LOG, [columns=Broker::Info, ev=<uninitialized>, path=broker, policy=Broker::log_policy, event_groups={}])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::__create_stream, <frame>, (Cluster::LOG, [columns=Cluster::Info, ev=<uninitialized>, path=cluster, policy=Cluster::log_policy, event_groups={}])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::__create_stream, <frame>, (Config::LOG, [columns=Config::Info, ev=Config::log_config, path=config, policy=Config::log_policy, event_groups={}])) -> <no result>
@ -291,7 +293,9 @@
0.000000 MetaHookPost CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy, event_groups={}])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509, policy=X509::log_policy, event_groups={}])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql, policy=MySQL::log_policy, event_groups={}])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::__enable_stream, <frame>, (Analyzer::Logging::LOG)) -> <no result>
0.000000 MetaHookPost CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T, failure_reason=<uninitialized>])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::add_default_filter, <frame>, (Analyzer::Logging::LOG)) -> <no result>
0.000000 MetaHookPost CallFunction(Log::add_default_filter, <frame>, (Broker::LOG)) -> <no result>
0.000000 MetaHookPost CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG)) -> <no result>
0.000000 MetaHookPost CallFunction(Log::add_default_filter, <frame>, (Config::LOG)) -> <no result>
@ -341,6 +345,7 @@
0.000000 MetaHookPost CallFunction(Log::add_default_filter, <frame>, (Weird::LOG)) -> <no result>
0.000000 MetaHookPost CallFunction(Log::add_default_filter, <frame>, (X509::LOG)) -> <no result>
0.000000 MetaHookPost CallFunction(Log::add_default_filter, <frame>, (mysql::LOG)) -> <no result>
0.000000 MetaHookPost CallFunction(Log::add_filter, <frame>, (Analyzer::Logging::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::add_filter, <frame>, (Broker::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::add_filter, <frame>, (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::add_filter, <frame>, (Config::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
@ -391,6 +396,7 @@
0.000000 MetaHookPost CallFunction(Log::add_filter, <frame>, (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::add_filter, <frame>, (X509::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::add_filter, <frame>, (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (Analyzer::Logging::LOG, default)) -> <no result>
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (Broker::LOG, default)) -> <no result>
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (Cluster::LOG, default)) -> <no result>
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (Config::LOG, default)) -> <no result>
@ -440,6 +446,7 @@
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (Weird::LOG, default)) -> <no result>
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (X509::LOG, default)) -> <no result>
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (mysql::LOG, default)) -> <no result>
0.000000 MetaHookPost CallFunction(Log::create_stream, <frame>, (Analyzer::Logging::LOG, [columns=Analyzer::Logging::Info, ev=<uninitialized>, path=analyzer, policy=Analyzer::Logging::log_policy, event_groups={Analyzer::Logging}])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::create_stream, <frame>, (Broker::LOG, [columns=Broker::Info, ev=<uninitialized>, path=broker, policy=Broker::log_policy, event_groups={}])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::create_stream, <frame>, (Cluster::LOG, [columns=Cluster::Info, ev=<uninitialized>, path=cluster, policy=Cluster::log_policy, event_groups={}])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::create_stream, <frame>, (Config::LOG, [columns=Config::Info, ev=Config::log_config, path=config, policy=Config::log_policy, event_groups={}])) -> <no result>
@ -489,6 +496,7 @@
0.000000 MetaHookPost CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy, event_groups={}])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509, policy=X509::log_policy, event_groups={}])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql, policy=MySQL::log_policy, event_groups={}])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::enable_stream, <frame>, (Analyzer::Logging::LOG)) -> <no result>
0.000000 MetaHookPost CallFunction(Log::get_filter, <frame>, (SSL::LOG, default)) -> <no result>
0.000000 MetaHookPost CallFunction(Log::log_stream_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T, failure_reason=<uninitialized>], PacketFilter::LOG)) -> <no result>
0.000000 MetaHookPost CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T, failure_reason=<uninitialized>])) -> <no result>
@ -497,6 +505,12 @@
0.000000 MetaHookPost CallFunction(Notice::want_pp, <frame>, ()) -> <no result>
0.000000 MetaHookPost CallFunction(Option::set_change_handler, <frame>, (ActiveHTTP::default_max_time, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) -> <no result>
0.000000 MetaHookPost CallFunction(Option::set_change_handler, <frame>, (ActiveHTTP::default_method, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) -> <no result>
0.000000 MetaHookPost CallFunction(Option::set_change_handler, <frame>, (Analyzer::Logging::enable, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) -> <no result>
0.000000 MetaHookPost CallFunction(Option::set_change_handler, <frame>, (Analyzer::Logging::enable, lambda_<2645182068207650863>{ if (Analyzer::Logging::new_value) Log::enable_stream(Analyzer::Logging::LOG)elseLog::disable_stream(Analyzer::Logging::LOG)return (Analyzer::Logging::new_value)}, 0)) -> <no result>
0.000000 MetaHookPost CallFunction(Option::set_change_handler, <frame>, (Analyzer::Logging::failure_data_max_size, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) -> <no result>
0.000000 MetaHookPost CallFunction(Option::set_change_handler, <frame>, (Analyzer::Logging::ignore_analyzers, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) -> <no result>
0.000000 MetaHookPost CallFunction(Option::set_change_handler, <frame>, (Analyzer::Logging::include_confirmations, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) -> <no result>
0.000000 MetaHookPost CallFunction(Option::set_change_handler, <frame>, (Analyzer::Logging::include_confirmations, lambda_<15261139872714441626>{ if (Analyzer::Logging::new_value) enable_event_group(Analyzer::Logging::include_confirmations)elsedisable_event_group(Analyzer::Logging::include_confirmations)return (Analyzer::Logging::new_value)}, 0)) -> <no result>
0.000000 MetaHookPost CallFunction(Option::set_change_handler, <frame>, (Broker::metrics_export_endpoint_name, Broker::update_metrics_export_endpoint_name{ Broker::__set_metrics_export_endpoint_name(Broker::val)return (Broker::val)}, 0)) -> <no result>
0.000000 MetaHookPost CallFunction(Option::set_change_handler, <frame>, (Broker::metrics_export_endpoint_name, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) -> <no result>
0.000000 MetaHookPost CallFunction(Option::set_change_handler, <frame>, (Broker::metrics_export_interval, Broker::update_metrics_export_interval{ Broker::__set_metrics_export_interval(Broker::val)return (Broker::val)}, 0)) -> <no result>
@ -733,13 +747,19 @@
0.000000 MetaHookPost CallFunction(bare_mode, <null>, ()) -> <no result>
0.000000 MetaHookPost CallFunction(cat, ..., ...) -> <no result>
0.000000 MetaHookPost CallFunction(current_time, <frame>, ()) -> <no result>
0.000000 MetaHookPost CallFunction(disable_event_group, <frame>, (Analyzer::Logging::include_confirmations)) -> <no result>
0.000000 MetaHookPost CallFunction(enable_module_events, <frame>, (Analyzer::Logging)) -> <no result>
0.000000 MetaHookPost CallFunction(filter_change_tracking, <null>, ()) -> <no result>
0.000000 MetaHookPost CallFunction(getenv, <null>, (CLUSTER_NODE)) -> <no result>
0.000000 MetaHookPost CallFunction(getenv, <null>, (ZEEK_DEFAULT_LISTEN_ADDRESS)) -> <no result>
0.000000 MetaHookPost CallFunction(global_options, <frame>, ()) -> <no result>
0.000000 MetaHookPost CallFunction(gsub, ..., ...) -> <no result>
0.000000 MetaHookPost CallFunction(has_event_group, <frame>, (Analyzer::Logging)) -> <no result>
0.000000 MetaHookPost CallFunction(has_module_events, <frame>, (Analyzer::Logging)) -> <no result>
0.000000 MetaHookPost CallFunction(is_file_analyzer, <frame>, (AllAnalyzers::ANALYZER_ANALYZER_TCPSTATS)) -> <no result>
0.000000 MetaHookPost CallFunction(is_packet_analyzer, <frame>, (AllAnalyzers::ANALYZER_ANALYZER_TCPSTATS)) -> <no result>
0.000000 MetaHookPost CallFunction(lambda_<15261139872714441626>, <frame>, (Analyzer::Logging::include_confirmations, F)) -> <no result>
0.000000 MetaHookPost CallFunction(lambda_<2645182068207650863>, <frame>, (Analyzer::Logging::enable, T)) -> <no result>
0.000000 MetaHookPost CallFunction(lstrip, ..., ...) -> <no result>
0.000000 MetaHookPost CallFunction(network_time, <frame>, ()) -> <no result>
0.000000 MetaHookPost CallFunction(port_to_count, <frame>, (2123/udp)) -> <no result>
@ -925,6 +945,7 @@
0.000000 MetaHookPost LoadFile(0, ./last, <...>/last.zeek) -> -1
0.000000 MetaHookPost LoadFile(0, ./log, <...>/log.zeek) -> -1
0.000000 MetaHookPost LoadFile(0, ./log-ocsp, <...>/log-ocsp.zeek) -> -1
0.000000 MetaHookPost LoadFile(0, ./logging, <...>/logging.zeek) -> -1
0.000000 MetaHookPost LoadFile(0, ./logging.bif.zeek, <...>/logging.bif.zeek) -> -1
0.000000 MetaHookPost LoadFile(0, ./magic, <...>/magic) -> -1
0.000000 MetaHookPost LoadFile(0, ./main, <...>/main.zeek) -> -1
@ -1311,6 +1332,7 @@
0.000000 MetaHookPost LoadFileExtended(0, ./last, <...>/last.zeek) -> (-1, <no content>)
0.000000 MetaHookPost LoadFileExtended(0, ./log, <...>/log.zeek) -> (-1, <no content>)
0.000000 MetaHookPost LoadFileExtended(0, ./log-ocsp, <...>/log-ocsp.zeek) -> (-1, <no content>)
0.000000 MetaHookPost LoadFileExtended(0, ./logging, <...>/logging.zeek) -> (-1, <no content>)
0.000000 MetaHookPost LoadFileExtended(0, ./logging.bif.zeek, <...>/logging.bif.zeek) -> (-1, <no content>)
0.000000 MetaHookPost LoadFileExtended(0, ./magic, <...>/magic) -> (-1, <no content>)
0.000000 MetaHookPost LoadFileExtended(0, ./main, <...>/main.zeek) -> (-1, <no content>)
@ -1731,6 +1753,7 @@
0.000000 MetaHookPre CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ <init> SMTP::c{ if (SMTP::f$source != SMTP) return ()for ([SMTP::_] in SMTP::f$conns) { return (SMTP::describe(SMTP::c$smtp))}return ()}}]))
0.000000 MetaHookPre CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ <init> SSL::c{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::_] in SSL::f$conns) { if (SSL::c?$ssl) { return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}]))
0.000000 MetaHookPre CallFunction(FilteredTraceDetection::should_detect, <null>, ())
0.000000 MetaHookPre CallFunction(Log::__add_filter, <frame>, (Analyzer::Logging::LOG, [name=default, writer=Log::WRITER_ASCII, path=analyzer, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, <frame>, (Broker::LOG, [name=default, writer=Log::WRITER_ASCII, path=broker, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, <frame>, (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, path=cluster, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, <frame>, (Config::LOG, [name=default, writer=Log::WRITER_ASCII, path=config, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
@ -1781,6 +1804,7 @@
0.000000 MetaHookPre CallFunction(Log::__add_filter, <frame>, (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, path=weird, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, <frame>, (X509::LOG, [name=default, writer=Log::WRITER_ASCII, path=x509, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, <frame>, (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, path=mysql, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
0.000000 MetaHookPre CallFunction(Log::__create_stream, <frame>, (Analyzer::Logging::LOG, [columns=Analyzer::Logging::Info, ev=<uninitialized>, path=analyzer, policy=Analyzer::Logging::log_policy, event_groups={Analyzer::Logging}]))
0.000000 MetaHookPre CallFunction(Log::__create_stream, <frame>, (Broker::LOG, [columns=Broker::Info, ev=<uninitialized>, path=broker, policy=Broker::log_policy, event_groups={}]))
0.000000 MetaHookPre CallFunction(Log::__create_stream, <frame>, (Cluster::LOG, [columns=Cluster::Info, ev=<uninitialized>, path=cluster, policy=Cluster::log_policy, event_groups={}]))
0.000000 MetaHookPre CallFunction(Log::__create_stream, <frame>, (Config::LOG, [columns=Config::Info, ev=Config::log_config, path=config, policy=Config::log_policy, event_groups={}]))
@ -1830,7 +1854,9 @@
0.000000 MetaHookPre CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy, event_groups={}]))
0.000000 MetaHookPre CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509, policy=X509::log_policy, event_groups={}]))
0.000000 MetaHookPre CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql, policy=MySQL::log_policy, event_groups={}]))
0.000000 MetaHookPre CallFunction(Log::__enable_stream, <frame>, (Analyzer::Logging::LOG))
0.000000 MetaHookPre CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T, failure_reason=<uninitialized>]))
0.000000 MetaHookPre CallFunction(Log::add_default_filter, <frame>, (Analyzer::Logging::LOG))
0.000000 MetaHookPre CallFunction(Log::add_default_filter, <frame>, (Broker::LOG))
0.000000 MetaHookPre CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG))
0.000000 MetaHookPre CallFunction(Log::add_default_filter, <frame>, (Config::LOG))
@ -1880,6 +1906,7 @@
0.000000 MetaHookPre CallFunction(Log::add_default_filter, <frame>, (Weird::LOG))
0.000000 MetaHookPre CallFunction(Log::add_default_filter, <frame>, (X509::LOG))
0.000000 MetaHookPre CallFunction(Log::add_default_filter, <frame>, (mysql::LOG))
0.000000 MetaHookPre CallFunction(Log::add_filter, <frame>, (Analyzer::Logging::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
0.000000 MetaHookPre CallFunction(Log::add_filter, <frame>, (Broker::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
0.000000 MetaHookPre CallFunction(Log::add_filter, <frame>, (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
0.000000 MetaHookPre CallFunction(Log::add_filter, <frame>, (Config::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
@ -1930,6 +1957,7 @@
0.000000 MetaHookPre CallFunction(Log::add_filter, <frame>, (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
0.000000 MetaHookPre CallFunction(Log::add_filter, <frame>, (X509::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
0.000000 MetaHookPre CallFunction(Log::add_filter, <frame>, (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (Analyzer::Logging::LOG, default))
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (Broker::LOG, default))
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (Cluster::LOG, default))
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (Config::LOG, default))
@ -1979,6 +2007,7 @@
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (Weird::LOG, default))
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (X509::LOG, default))
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (mysql::LOG, default))
0.000000 MetaHookPre CallFunction(Log::create_stream, <frame>, (Analyzer::Logging::LOG, [columns=Analyzer::Logging::Info, ev=<uninitialized>, path=analyzer, policy=Analyzer::Logging::log_policy, event_groups={Analyzer::Logging}]))
0.000000 MetaHookPre CallFunction(Log::create_stream, <frame>, (Broker::LOG, [columns=Broker::Info, ev=<uninitialized>, path=broker, policy=Broker::log_policy, event_groups={}]))
0.000000 MetaHookPre CallFunction(Log::create_stream, <frame>, (Cluster::LOG, [columns=Cluster::Info, ev=<uninitialized>, path=cluster, policy=Cluster::log_policy, event_groups={}]))
0.000000 MetaHookPre CallFunction(Log::create_stream, <frame>, (Config::LOG, [columns=Config::Info, ev=Config::log_config, path=config, policy=Config::log_policy, event_groups={}]))
@ -2028,6 +2057,7 @@
0.000000 MetaHookPre CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy, event_groups={}]))
0.000000 MetaHookPre CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509, policy=X509::log_policy, event_groups={}]))
0.000000 MetaHookPre CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql, policy=MySQL::log_policy, event_groups={}]))
0.000000 MetaHookPre CallFunction(Log::enable_stream, <frame>, (Analyzer::Logging::LOG))
0.000000 MetaHookPre CallFunction(Log::get_filter, <frame>, (SSL::LOG, default))
0.000000 MetaHookPre CallFunction(Log::log_stream_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T, failure_reason=<uninitialized>], PacketFilter::LOG))
0.000000 MetaHookPre CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T, failure_reason=<uninitialized>]))
@ -2036,6 +2066,12 @@
0.000000 MetaHookPre CallFunction(Notice::want_pp, <frame>, ())
0.000000 MetaHookPre CallFunction(Option::set_change_handler, <frame>, (ActiveHTTP::default_max_time, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100))
0.000000 MetaHookPre CallFunction(Option::set_change_handler, <frame>, (ActiveHTTP::default_method, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100))
0.000000 MetaHookPre CallFunction(Option::set_change_handler, <frame>, (Analyzer::Logging::enable, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100))
0.000000 MetaHookPre CallFunction(Option::set_change_handler, <frame>, (Analyzer::Logging::enable, lambda_<2645182068207650863>{ if (Analyzer::Logging::new_value) Log::enable_stream(Analyzer::Logging::LOG)elseLog::disable_stream(Analyzer::Logging::LOG)return (Analyzer::Logging::new_value)}, 0))
0.000000 MetaHookPre CallFunction(Option::set_change_handler, <frame>, (Analyzer::Logging::failure_data_max_size, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100))
0.000000 MetaHookPre CallFunction(Option::set_change_handler, <frame>, (Analyzer::Logging::ignore_analyzers, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100))
0.000000 MetaHookPre CallFunction(Option::set_change_handler, <frame>, (Analyzer::Logging::include_confirmations, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100))
0.000000 MetaHookPre CallFunction(Option::set_change_handler, <frame>, (Analyzer::Logging::include_confirmations, lambda_<15261139872714441626>{ if (Analyzer::Logging::new_value) enable_event_group(Analyzer::Logging::include_confirmations)elsedisable_event_group(Analyzer::Logging::include_confirmations)return (Analyzer::Logging::new_value)}, 0))
0.000000 MetaHookPre CallFunction(Option::set_change_handler, <frame>, (Broker::metrics_export_endpoint_name, Broker::update_metrics_export_endpoint_name{ Broker::__set_metrics_export_endpoint_name(Broker::val)return (Broker::val)}, 0))
0.000000 MetaHookPre CallFunction(Option::set_change_handler, <frame>, (Broker::metrics_export_endpoint_name, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100))
0.000000 MetaHookPre CallFunction(Option::set_change_handler, <frame>, (Broker::metrics_export_interval, Broker::update_metrics_export_interval{ Broker::__set_metrics_export_interval(Broker::val)return (Broker::val)}, 0))
@ -2272,13 +2308,19 @@
0.000000 MetaHookPre CallFunction(bare_mode, <null>, ())
0.000000 MetaHookPre CallFunction(cat, ..., ...)
0.000000 MetaHookPre CallFunction(current_time, <frame>, ())
0.000000 MetaHookPre CallFunction(disable_event_group, <frame>, (Analyzer::Logging::include_confirmations))
0.000000 MetaHookPre CallFunction(enable_module_events, <frame>, (Analyzer::Logging))
0.000000 MetaHookPre CallFunction(filter_change_tracking, <null>, ())
0.000000 MetaHookPre CallFunction(getenv, <null>, (CLUSTER_NODE))
0.000000 MetaHookPre CallFunction(getenv, <null>, (ZEEK_DEFAULT_LISTEN_ADDRESS))
0.000000 MetaHookPre CallFunction(global_options, <frame>, ())
0.000000 MetaHookPre CallFunction(gsub, ..., ...)
0.000000 MetaHookPre CallFunction(has_event_group, <frame>, (Analyzer::Logging))
0.000000 MetaHookPre CallFunction(has_module_events, <frame>, (Analyzer::Logging))
0.000000 MetaHookPre CallFunction(is_file_analyzer, <frame>, (AllAnalyzers::ANALYZER_ANALYZER_TCPSTATS))
0.000000 MetaHookPre CallFunction(is_packet_analyzer, <frame>, (AllAnalyzers::ANALYZER_ANALYZER_TCPSTATS))
0.000000 MetaHookPre CallFunction(lambda_<15261139872714441626>, <frame>, (Analyzer::Logging::include_confirmations, F))
0.000000 MetaHookPre CallFunction(lambda_<2645182068207650863>, <frame>, (Analyzer::Logging::enable, T))
0.000000 MetaHookPre CallFunction(lstrip, ..., ...)
0.000000 MetaHookPre CallFunction(network_time, <frame>, ())
0.000000 MetaHookPre CallFunction(port_to_count, <frame>, (2123/udp))
@ -2464,6 +2506,7 @@
0.000000 MetaHookPre LoadFile(0, ./last, <...>/last.zeek)
0.000000 MetaHookPre LoadFile(0, ./log, <...>/log.zeek)
0.000000 MetaHookPre LoadFile(0, ./log-ocsp, <...>/log-ocsp.zeek)
0.000000 MetaHookPre LoadFile(0, ./logging, <...>/logging.zeek)
0.000000 MetaHookPre LoadFile(0, ./logging.bif.zeek, <...>/logging.bif.zeek)
0.000000 MetaHookPre LoadFile(0, ./magic, <...>/magic)
0.000000 MetaHookPre LoadFile(0, ./main, <...>/main.zeek)
@ -2850,6 +2893,7 @@
0.000000 MetaHookPre LoadFileExtended(0, ./last, <...>/last.zeek)
0.000000 MetaHookPre LoadFileExtended(0, ./log, <...>/log.zeek)
0.000000 MetaHookPre LoadFileExtended(0, ./log-ocsp, <...>/log-ocsp.zeek)
0.000000 MetaHookPre LoadFileExtended(0, ./logging, <...>/logging.zeek)
0.000000 MetaHookPre LoadFileExtended(0, ./logging.bif.zeek, <...>/logging.bif.zeek)
0.000000 MetaHookPre LoadFileExtended(0, ./magic, <...>/magic)
0.000000 MetaHookPre LoadFileExtended(0, ./main, <...>/main.zeek)
@ -3269,6 +3313,7 @@
0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ <init> SMTP::c{ if (SMTP::f$source != SMTP) return ()for ([SMTP::_] in SMTP::f$conns) { return (SMTP::describe(SMTP::c$smtp))}return ()}}])
0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ <init> SSL::c{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::_] in SSL::f$conns) { if (SSL::c?$ssl) { return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])
0.000000 | HookCallFunction FilteredTraceDetection::should_detect()
0.000000 | HookCallFunction Log::__add_filter(Analyzer::Logging::LOG, [name=default, writer=Log::WRITER_ASCII, path=analyzer, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
0.000000 | HookCallFunction Log::__add_filter(Broker::LOG, [name=default, writer=Log::WRITER_ASCII, path=broker, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
0.000000 | HookCallFunction Log::__add_filter(Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, path=cluster, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
0.000000 | HookCallFunction Log::__add_filter(Config::LOG, [name=default, writer=Log::WRITER_ASCII, path=config, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
@ -3319,6 +3364,7 @@
0.000000 | HookCallFunction Log::__add_filter(Weird::LOG, [name=default, writer=Log::WRITER_ASCII, path=weird, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
0.000000 | HookCallFunction Log::__add_filter(X509::LOG, [name=default, writer=Log::WRITER_ASCII, path=x509, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
0.000000 | HookCallFunction Log::__add_filter(mysql::LOG, [name=default, writer=Log::WRITER_ASCII, path=mysql, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
0.000000 | HookCallFunction Log::__create_stream(Analyzer::Logging::LOG, [columns=Analyzer::Logging::Info, ev=<uninitialized>, path=analyzer, policy=Analyzer::Logging::log_policy, event_groups={Analyzer::Logging}])
0.000000 | HookCallFunction Log::__create_stream(Broker::LOG, [columns=Broker::Info, ev=<uninitialized>, path=broker, policy=Broker::log_policy, event_groups={}])
0.000000 | HookCallFunction Log::__create_stream(Cluster::LOG, [columns=Cluster::Info, ev=<uninitialized>, path=cluster, policy=Cluster::log_policy, event_groups={}])
0.000000 | HookCallFunction Log::__create_stream(Config::LOG, [columns=Config::Info, ev=Config::log_config, path=config, policy=Config::log_policy, event_groups={}])
@ -3368,7 +3414,9 @@
0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy, event_groups={}])
0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509, policy=X509::log_policy, event_groups={}])
0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql, policy=MySQL::log_policy, event_groups={}])
0.000000 | HookCallFunction Log::__enable_stream(Analyzer::Logging::LOG)
0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T, failure_reason=<uninitialized>])
0.000000 | HookCallFunction Log::add_default_filter(Analyzer::Logging::LOG)
0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG)
0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
0.000000 | HookCallFunction Log::add_default_filter(Config::LOG)
@ -3418,6 +3466,7 @@
0.000000 | HookCallFunction Log::add_default_filter(Weird::LOG)
0.000000 | HookCallFunction Log::add_default_filter(X509::LOG)
0.000000 | HookCallFunction Log::add_default_filter(mysql::LOG)
0.000000 | HookCallFunction Log::add_filter(Analyzer::Logging::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
0.000000 | HookCallFunction Log::add_filter(Broker::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
0.000000 | HookCallFunction Log::add_filter(Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
0.000000 | HookCallFunction Log::add_filter(Config::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
@ -3468,6 +3517,7 @@
0.000000 | HookCallFunction Log::add_filter(Weird::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
0.000000 | HookCallFunction Log::add_filter(X509::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
0.000000 | HookCallFunction Log::add_filter(mysql::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
0.000000 | HookCallFunction Log::add_stream_filters(Analyzer::Logging::LOG, default)
0.000000 | HookCallFunction Log::add_stream_filters(Broker::LOG, default)
0.000000 | HookCallFunction Log::add_stream_filters(Cluster::LOG, default)
0.000000 | HookCallFunction Log::add_stream_filters(Config::LOG, default)
@ -3517,6 +3567,7 @@
0.000000 | HookCallFunction Log::add_stream_filters(Weird::LOG, default)
0.000000 | HookCallFunction Log::add_stream_filters(X509::LOG, default)
0.000000 | HookCallFunction Log::add_stream_filters(mysql::LOG, default)
0.000000 | HookCallFunction Log::create_stream(Analyzer::Logging::LOG, [columns=Analyzer::Logging::Info, ev=<uninitialized>, path=analyzer, policy=Analyzer::Logging::log_policy, event_groups={Analyzer::Logging}])
0.000000 | HookCallFunction Log::create_stream(Broker::LOG, [columns=Broker::Info, ev=<uninitialized>, path=broker, policy=Broker::log_policy, event_groups={}])
0.000000 | HookCallFunction Log::create_stream(Cluster::LOG, [columns=Cluster::Info, ev=<uninitialized>, path=cluster, policy=Cluster::log_policy, event_groups={}])
0.000000 | HookCallFunction Log::create_stream(Config::LOG, [columns=Config::Info, ev=Config::log_config, path=config, policy=Config::log_policy, event_groups={}])
@ -3566,6 +3617,7 @@
0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy, event_groups={}])
0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509, policy=X509::log_policy, event_groups={}])
0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql, policy=MySQL::log_policy, event_groups={}])
0.000000 | HookCallFunction Log::enable_stream(Analyzer::Logging::LOG)
0.000000 | HookCallFunction Log::get_filter(SSL::LOG, default)
0.000000 | HookCallFunction Log::log_stream_policy([ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T, failure_reason=<uninitialized>], PacketFilter::LOG)
0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T, failure_reason=<uninitialized>])
@ -3574,6 +3626,12 @@
0.000000 | HookCallFunction Notice::want_pp()
0.000000 | HookCallFunction Option::set_change_handler(ActiveHTTP::default_max_time, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)
0.000000 | HookCallFunction Option::set_change_handler(ActiveHTTP::default_method, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)
0.000000 | HookCallFunction Option::set_change_handler(Analyzer::Logging::enable, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)
0.000000 | HookCallFunction Option::set_change_handler(Analyzer::Logging::enable, lambda_<2645182068207650863>{ if (Analyzer::Logging::new_value) Log::enable_stream(Analyzer::Logging::LOG)elseLog::disable_stream(Analyzer::Logging::LOG)return (Analyzer::Logging::new_value)}, 0)
0.000000 | HookCallFunction Option::set_change_handler(Analyzer::Logging::failure_data_max_size, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)
0.000000 | HookCallFunction Option::set_change_handler(Analyzer::Logging::ignore_analyzers, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)
0.000000 | HookCallFunction Option::set_change_handler(Analyzer::Logging::include_confirmations, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)
0.000000 | HookCallFunction Option::set_change_handler(Analyzer::Logging::include_confirmations, lambda_<15261139872714441626>{ if (Analyzer::Logging::new_value) enable_event_group(Analyzer::Logging::include_confirmations)elsedisable_event_group(Analyzer::Logging::include_confirmations)return (Analyzer::Logging::new_value)}, 0)
0.000000 | HookCallFunction Option::set_change_handler(Broker::metrics_export_endpoint_name, Broker::update_metrics_export_endpoint_name{ Broker::__set_metrics_export_endpoint_name(Broker::val)return (Broker::val)}, 0)
0.000000 | HookCallFunction Option::set_change_handler(Broker::metrics_export_endpoint_name, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)
0.000000 | HookCallFunction Option::set_change_handler(Broker::metrics_export_interval, Broker::update_metrics_export_interval{ Broker::__set_metrics_export_interval(Broker::val)return (Broker::val)}, 0)
@ -3810,13 +3868,19 @@
0.000000 | HookCallFunction bare_mode()
0.000000 | HookCallFunction cat(...)
0.000000 | HookCallFunction current_time()
0.000000 | HookCallFunction disable_event_group(Analyzer::Logging::include_confirmations)
0.000000 | HookCallFunction enable_module_events(Analyzer::Logging)
0.000000 | HookCallFunction filter_change_tracking()
0.000000 | HookCallFunction getenv(CLUSTER_NODE)
0.000000 | HookCallFunction getenv(ZEEK_DEFAULT_LISTEN_ADDRESS)
0.000000 | HookCallFunction global_options()
0.000000 | HookCallFunction gsub(...)
0.000000 | HookCallFunction has_event_group(Analyzer::Logging)
0.000000 | HookCallFunction has_module_events(Analyzer::Logging)
0.000000 | HookCallFunction is_file_analyzer(AllAnalyzers::ANALYZER_ANALYZER_TCPSTATS)
0.000000 | HookCallFunction is_packet_analyzer(AllAnalyzers::ANALYZER_ANALYZER_TCPSTATS)
0.000000 | HookCallFunction lambda_<15261139872714441626>(Analyzer::Logging::include_confirmations, F)
0.000000 | HookCallFunction lambda_<2645182068207650863>(Analyzer::Logging::enable, T)
0.000000 | HookCallFunction lstrip(...)
0.000000 | HookCallFunction network_time()
0.000000 | HookCallFunction port_to_count(2123/udp)
@ -4011,6 +4075,7 @@
0.000000 | HookLoadFile ./libmagic <...>/libmagic.sig
0.000000 | HookLoadFile ./log <...>/log.zeek
0.000000 | HookLoadFile ./log-ocsp <...>/log-ocsp.zeek
0.000000 | HookLoadFile ./logging <...>/logging.zeek
0.000000 | HookLoadFile ./logging.bif.zeek <...>/logging.bif.zeek
0.000000 | HookLoadFile ./magic <...>/magic
0.000000 | HookLoadFile ./main <...>/main.zeek
@ -4397,6 +4462,7 @@
0.000000 | HookLoadFileExtended ./libmagic <...>/libmagic.sig
0.000000 | HookLoadFileExtended ./log <...>/log.zeek
0.000000 | HookLoadFileExtended ./log-ocsp <...>/log-ocsp.zeek
0.000000 | HookLoadFileExtended ./logging <...>/logging.zeek
0.000000 | HookLoadFileExtended ./logging.bif.zeek <...>/logging.bif.zeek
0.000000 | HookLoadFileExtended ./magic <...>/magic
0.000000 | HookLoadFileExtended ./main <...>/main.zeek

8
testing/btest/Baseline/plugins.writer/output
View file

@ -3,6 +3,14 @@ Demo::Foo - A Foo test logging writer (dynamic, version 1.0.0)
[Writer] Foo (Log::WRITER_FOO)
===
[analyzer] XXXXXXXXXX.XXXXXX|violation|protocol|DCE_RPC|ClEkJM2Vm5giqnMf4h|-|10.0.0.55|53994|60.190.189.214|8124|Binpac exception: binpac exception: out_of_bound: DCE_RPC_PDU:frag: -2665 > 31|-
[analyzer] XXXXXXXXXX.XXXXXX|violation|protocol|DCE_RPC|ClEkJM2Vm5giqnMf4h|-|10.0.0.55|53994|60.190.189.214|8124|Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers|-
[analyzer] XXXXXXXXXX.XXXXXX|violation|protocol|DCE_RPC|ClEkJM2Vm5giqnMf4h|-|10.0.0.55|53994|60.190.189.214|8124|Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers|-
[analyzer] XXXXXXXXXX.XXXXXX|violation|protocol|DCE_RPC|ClEkJM2Vm5giqnMf4h|-|10.0.0.55|53994|60.190.189.214|8124|Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers|-
[analyzer] XXXXXXXXXX.XXXXXX|violation|protocol|DCE_RPC|ClEkJM2Vm5giqnMf4h|-|10.0.0.55|53994|60.190.189.214|8124|Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers|-
[analyzer] XXXXXXXXXX.XXXXXX|violation|protocol|DCE_RPC|ClEkJM2Vm5giqnMf4h|-|10.0.0.55|53994|60.190.189.214|8124|Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers|-
[analyzer] XXXXXXXXXX.XXXXXX|violation|protocol|DCE_RPC|ClEkJM2Vm5giqnMf4h|-|10.0.0.55|53994|60.190.189.214|8124|Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers|-
[analyzer] XXXXXXXXXX.XXXXXX|violation|protocol|DCE_RPC|ClEkJM2Vm5giqnMf4h|-|10.0.0.55|53994|60.190.189.214|8124|Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers|-
[conn] XXXXXXXXXX.XXXXXX|CHhAvVGS1DHFjwGM9|10.0.0.55|53994|60.190.189.214|8124|tcp|-|4.314406|0|0|S0|-|-|0|S|5|320|0|0|-
[conn] XXXXXXXXXX.XXXXXX|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|tcp|http,socks|13.839419|3860|2934|SF|-|-|0|ShADadfF|23|5080|20|3986|-
[conn] XXXXXXXXXX.XXXXXX|C4J4Th3PJpwUYZZ6gc|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|-|0|F|1|52|0|0|-

46
testing/btest/Baseline/scripts.base.frameworks.analyzer.logging/analyzer.log-include-confirmations Normal file
View file

@ -0,0 +1,46 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path analyzer
#open XXXX-XX-XX-XX-XX-XX
#fields ts cause analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data
#types time string string string string string addr port addr port string string
XXXXXXXXXX.XXXXXX violation packet TEREDO CHhAvVGS1DHFjwGM9 - 141.142.220.202 5353 224.0.0.251 5353 Bad Teredo encapsulation \x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x06gemini\x09_sftp-ssh\x04_tcp\x05lo
XXXXXXXXXX.XXXXXX confirmation protocol DNS CHhAvVGS1DHFjwGM9 - 141.142.220.202 5353 224.0.0.251 5353 - -
XXXXXXXXXX.XXXXXX violation packet TEREDO ClEkJM2Vm5giqnMf4h - fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 Bad Teredo encapsulation \x00\x00\x84\x00\x00\x00\x00\x01\x00\x00\x00\x04\x06gemini\x09_sftp-ssh\x04_tcp\x05local
XXXXXXXXXX.XXXXXX confirmation protocol DNS ClEkJM2Vm5giqnMf4h - fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 - -
XXXXXXXXXX.XXXXXX violation packet TEREDO C4J4Th3PJpwUYZZ6gc - 141.142.220.50 5353 224.0.0.251 5353 Bad Teredo encapsulation \x00\x00\x84\x00\x00\x00\x00\x01\x00\x00\x00\x04\x06gemini\x09_sftp-ssh\x04_tcp\x05local
XXXXXXXXXX.XXXXXX confirmation protocol DNS C4J4Th3PJpwUYZZ6gc - 141.142.220.50 5353 224.0.0.251 5353 - -
XXXXXXXXXX.XXXXXX confirmation protocol HTTP CUM0KZ3MLUfNB0cl11 - 141.142.220.118 48649 208.80.152.118 80 - -
XXXXXXXXXX.XXXXXX confirmation protocol DNS CmES5u32sYpV7JYN - 141.142.220.118 43927 141.142.2.2 53 - -
XXXXXXXXXX.XXXXXX confirmation protocol DNS CP5puj4I8PtEU4qzYg - 141.142.220.118 37676 141.142.2.2 53 - -
XXXXXXXXXX.XXXXXX confirmation protocol DNS C37jN32gN3y3AZzyf6 - 141.142.220.118 40526 141.142.2.2 53 - -
XXXXXXXXXX.XXXXXX confirmation protocol DNS C0LAHyvtKSQHyJxIl - 141.142.220.118 32902 141.142.2.2 53 - -
XXXXXXXXXX.XXXXXX confirmation protocol DNS CFLRIC3zaTU1loLGxh - 141.142.220.118 59816 141.142.2.2 53 - -
XXXXXXXXXX.XXXXXX confirmation protocol DNS C9rXSW3KSpTYvPrlI1 - 141.142.220.118 59714 141.142.2.2 53 - -
XXXXXXXXXX.XXXXXX confirmation protocol DNS C9mvWx3ezztgzcexV7 - 141.142.220.118 58206 141.142.2.2 53 - -
XXXXXXXXXX.XXXXXX confirmation protocol DNS CNnMIj2QSd84NKf7U3 - 141.142.220.118 38911 141.142.2.2 53 - -
XXXXXXXXXX.XXXXXX confirmation protocol DNS C7fIlMZDuRiqjpYbb - 141.142.220.118 59746 141.142.2.2 53 - -
XXXXXXXXXX.XXXXXX confirmation protocol DNS CpmdRlaUoJLN3uIRa - 141.142.220.118 45000 141.142.2.2 53 - -
XXXXXXXXXX.XXXXXX confirmation protocol DNS C1Xkzz2MaGtLrc1Tla - 141.142.220.118 48479 141.142.2.2 53 - -
XXXXXXXXXX.XXXXXX confirmation protocol DNS CqlVyW1YwZ15RhTBc4 - 141.142.220.118 48128 141.142.2.2 53 - -
XXXXXXXXXX.XXXXXX confirmation protocol DNS CBA8792iHmnhPLksKa - 141.142.220.118 56056 141.142.2.2 53 - -
XXXXXXXXXX.XXXXXX confirmation protocol DNS CGLPPc35OzDQij1XX8 - 141.142.220.118 55092 141.142.2.2 53 - -
XXXXXXXXXX.XXXXXX confirmation protocol HTTP CwjjYJ2WqgTbAqiHl6 - 141.142.220.118 49997 208.80.152.3 80 - -
XXXXXXXXXX.XXXXXX confirmation protocol HTTP C3eiCBGOLw3VtHfOj - 141.142.220.118 49996 208.80.152.3 80 - -
XXXXXXXXXX.XXXXXX confirmation protocol HTTP Ck51lg1bScffFj34Ri - 141.142.220.118 49998 208.80.152.3 80 - -
XXXXXXXXXX.XXXXXX confirmation protocol HTTP CykQaM33ztNt0csB9a - 141.142.220.118 49999 208.80.152.3 80 - -
XXXXXXXXXX.XXXXXX confirmation protocol HTTP CtxTCR2Yer0FR1tIBg - 141.142.220.118 50000 208.80.152.3 80 - -
XXXXXXXXXX.XXXXXX confirmation protocol HTTP CLNN1k2QMum1aexUK7 - 141.142.220.118 50001 208.80.152.3 80 - -
XXXXXXXXXX.XXXXXX confirmation protocol HTTP CiyBAq1bBLNaTiTAc - 141.142.220.118 35642 208.80.152.2 80 - -
XXXXXXXXXX.XXXXXX violation packet TEREDO Cipfzj1BEnhejw8cGf - 141.142.220.44 5353 224.0.0.251 5353 Bad Teredo encapsulation \x00\x00\x00\x00\x00\x01\x00\x01\x00\x00\x00\x00\x05gomez\x09_sftp-ssh\x04_tcp\x05local\x00
XXXXXXXXXX.XXXXXX confirmation protocol DNS Cipfzj1BEnhejw8cGf - 141.142.220.44 5353 224.0.0.251 5353 - -
XXXXXXXXXX.XXXXXX confirmation protocol DNS CV5WJ42jPYbNW9JNWf - 141.142.220.226 137 141.142.220.255 137 - -
XXXXXXXXXX.XXXXXX confirmation protocol DNS CPhDKt12KQPUVbQz06 - fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 - -
XXXXXXXXXX.XXXXXX confirmation protocol DNS CAnFrb2Cvxr5T7quOc - 141.142.220.226 55131 224.0.0.252 5355 - -
XXXXXXXXXX.XXXXXX confirmation protocol DNS C8rquZ3DjgNW06JGLl - fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 - -
XXXXXXXXXX.XXXXXX confirmation protocol DNS CzrZOtXqhwwndQva3 - 141.142.220.226 55671 224.0.0.252 5355 - -
XXXXXXXXXX.XXXXXX confirmation protocol DNS CaGCc13FffXe6RkQl9 - 141.142.220.238 56641 141.142.220.255 137 - -
#close XXXX-XX-XX-XX-XX-XX

14
testing/btest/Baseline/scripts.base.frameworks.analyzer.logging/analyzer.log-no-confirmations Normal file
View file

@ -0,0 +1,14 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path analyzer
#open XXXX-XX-XX-XX-XX-XX
#fields ts cause analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data
#types time string string string string string addr port addr port string string
XXXXXXXXXX.XXXXXX violation packet TEREDO CHhAvVGS1DHFjwGM9 - 141.142.220.202 5353 224.0.0.251 5353 Bad Teredo encapsulation \x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x06gemini\x09_sftp-ssh\x04_tcp\x05lo
XXXXXXXXXX.XXXXXX violation packet TEREDO ClEkJM2Vm5giqnMf4h - fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 Bad Teredo encapsulation \x00\x00\x84\x00\x00\x00\x00\x01\x00\x00\x00\x04\x06gemini\x09_sftp-ssh\x04_tcp\x05local
XXXXXXXXXX.XXXXXX violation packet TEREDO C4J4Th3PJpwUYZZ6gc - 141.142.220.50 5353 224.0.0.251 5353 Bad Teredo encapsulation \x00\x00\x84\x00\x00\x00\x00\x01\x00\x00\x00\x04\x06gemini\x09_sftp-ssh\x04_tcp\x05local
XXXXXXXXXX.XXXXXX violation packet TEREDO Cipfzj1BEnhejw8cGf - 141.142.220.44 5353 224.0.0.251 5353 Bad Teredo encapsulation \x00\x00\x00\x00\x00\x01\x00\x01\x00\x00\x00\x00\x05gomez\x09_sftp-ssh\x04_tcp\x05local\x00
#close XXXX-XX-XX-XX-XX-XX

11
testing/btest/scripts/base/frameworks/analyzer/logging.zeek Normal file
View file

@ -0,0 +1,11 @@
# @TEST-EXEC: zeek -b -r ${TRACES}/wikipedia.trace %INPUT
# @TEST-EXEC: mv analyzer.log analyzer.log-no-confirmations
# @TEST-EXEC: btest-diff analyzer.log-no-confirmations
# @TEST-EXEC: zeek -b -r ${TRACES}/wikipedia.trace %INPUT Analyzer::Logging::include_confirmations=T
# @TEST-EXEC: mv analyzer.log analyzer.log-include-confirmations
# @TEST-EXEC: btest-diff analyzer.log-include-confirmations
@load base/protocols/conn
@load base/protocols/dns
@load base/protocols/http

2
testing/external/commit-hash.zeek-testing vendored
View file

@ -1 +1 @@
12af5c4f227b99a8424e8ef00ae6611b8b767e4c
8a43279ceeee0564cbe80be7df1d07e3523de099

2
testing/external/commit-hash.zeek-testing-private vendored
View file

@ -1 +1 @@
c5baa53031ef55c986f3a691cdb29fb310afbccc
f0526cd3c476a0534b513b298a173d1e89acc7f7

5
testing/external/scripts/testing-setup.zeek vendored
View file

@ -22,3 +22,8 @@ hook Telemetry::log_policy(rec: Telemetry::Info, id: Log::ID, filter: Log::Filte
if ( rec$prefix == "zeek" && rec$name == "version_info" )
break;
}
# The IMAP analyzer includes absolute filenames in its error messages,
# exclude it for now from analyzer.log.
# https://github.com/zeek/zeek/issues/2659
redef Analyzer::Logging::ignore_analyzers += { Analyzer::ANALYZER_IMAP };