Hook into Broker logs via its new API

The new Broker API allows us to provide a custom logger to Broker that pulls previously unattainable context information out of Broker to put them into broker.log for users of Zeek. Since Broker log events happen asynchronously, we cache them in a queue and use a flare to notify Zeek of activity. Furthermore, the Broker manager now implements the `ProcessFd` function to avoid unnecessary polling of the new log queue. As a side effect, data stores are polled less as well.
2025-10-02 06:38:20 +00:00 · 2024-09-29 14:59:35 +02:00 · 2024-09-29 14:59:35 +02:00 · 30615f425e
commit 30615f425e
parent b7b31ebce5
7 changed files with 245 additions and 20 deletions
--- a/scripts/base/frameworks/broker/log.zeek
+++ b/scripts/base/frameworks/broker/log.zeek
@ -14,7 +14,19 @@ export {
 		## An informational status update.
 		STATUS,
 		## An error situation.
-		ERROR
+		ERROR,
+		## Fatal event, normal operation has most likely broken down.
+		CRITICAL_EVENT,
+		## Unrecoverable event that imparts at least part of the system.
+		ERROR_EVENT,
+		## Unespected or conspicuous event that may still be recoverable.
+		WARNING_EVENT,
+		## Noteworthy event during normal operation.
+		INFO_EVENT,
+		## Information that might be relevant for a user to understand system behavior.
+		VERBOSE_EVENT,
+		## An event that is relevant only for troubleshooting and debugging.
+		DEBUG_EVENT,
 	};

 	## A record type containing the column fields of the Broker log.
--- a/scripts/base/frameworks/broker/main.zeek
+++ b/scripts/base/frameworks/broker/main.zeek
@ -176,6 +176,28 @@ export {
 	##          will be sent.
 	const log_topic: function(id: Log::ID, path: string): string = default_log_topic &redef;

+	## The possible log event severity levels for Broker.
+	type LogSeverityLevel: enum {
+		## Fatal event, normal operation has most likely broken down.
+		LOG_CRITICAL,
+		## Unrecoverable event that imparts at least part of the system.
+		LOG_ERROR,
+		## Unespected or conspicuous event that may still be recoverable.
+		LOG_WARNING,
+		## Noteworthy event during normal operation.
+		LOG_INFO,
+		## Information that might be relevant for a user to understand system behavior.
+		LOG_VERBOSE,
+		## An event that is relevant only for troubleshooting and debugging.
+		LOG_DEBUG,
+	};
+
+	## The log event severity level for the Broker log output.
+	const log_severity_level = LOG_WARNING &redef;
+
+	## Event severity level for also printing the Broker log output to stderr.
+	const log_stderr_severity_level = LOG_CRITICAL &redef;
+
 	type ErrorCode: enum {
 		## The unspecified default error code.
 		UNSPECIFIED = 1,