Rename all scripts to have ".zeek" file extension

scripts/base/protocols/syslog/main.zeek

@@ -0,0 +1,60 @@
+##! Core script support for logging syslog messages.  This script represents 
+##! one syslog message as one logged record.
+
+@load ./consts
+
+module Syslog;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	## The record type which contains the fields of the syslog log.
+	type Info: record {
+		## Timestamp when the syslog message was seen.
+		ts:        time            &log;
+		## Unique ID for the connection.
+		uid:       string          &log;
+		## The connection's 4-tuple of endpoint addresses/ports.
+		id:        conn_id         &log;
+		## Protocol over which the message was seen.
+		proto:     transport_proto &log;
+		## Syslog facility for the message.
+		facility:  string          &log;
+		## Syslog severity for the message.
+		severity:  string          &log;
+		## The plain text message.
+		message:   string          &log;
+	};
+}
+
+redef record connection += {
+	syslog: Info &optional;
+};
+
+const ports = { 514/udp };
+redef likely_server_ports += { ports };
+
+event bro_init() &priority=5
+	{
+	Log::create_stream(Syslog::LOG, [$columns=Info, $path="syslog"]);
+	Analyzer::register_for_ports(Analyzer::ANALYZER_SYSLOG, ports);
+	}
+
+event syslog_message(c: connection, facility: count, severity: count, msg: string) &priority=5
+	{
+	local info: Info;
+	info$ts=network_time();
+	info$uid=c$uid;
+	info$id=c$id;
+	info$proto=get_port_transport_proto(c$id$resp_p);
+	info$facility=facility_codes[facility];
+	info$severity=severity_codes[severity];
+	info$message=msg;
+	
+	c$syslog = info;
+	}
+
+event syslog_message(c: connection, facility: count, severity: count, msg: string) &priority=-5
+	{
+	Log::write(Syslog::LOG, c$syslog);
+	}