Add a weird that gets emitted when strings/containers are over the limits

2025-10-02 06:38:20 +00:00 · 2025-07-31 13:16:16 -07:00 · 2025-07-31 13:16:16 -07:00 · 339d46ae26
commit 339d46ae26
parent 837fde1a08
14 changed files with 107 additions and 14 deletions
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.field-length-limiting-2/.stdout
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.field-length-limiting-2/.stdout
@ -1,3 +1,5 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+Telemetry::COUNTER, zeek, zeek_log_writer_truncated_string_fields_total, [filter_name, module, path, stream, writer], [default, Weird, weird, Weird::LOG, Log::WRITER_ASCII], 0.0
 Telemetry::COUNTER, zeek, zeek_log_writer_truncated_string_fields_total, [filter_name, module, path, stream, writer], [default, Test, test, Test::LOG, Log::WRITER_ASCII], 9.0
+Telemetry::COUNTER, zeek, zeek_log_writer_truncated_containers_total, [filter_name, module, path, stream, writer], [default, Weird, weird, Weird::LOG, Log::WRITER_ASCII], 0.0
 Telemetry::COUNTER, zeek, zeek_log_writer_truncated_containers_total, [filter_name, module, path, stream, writer], [default, Test, test, Test::LOG, Log::WRITER_ASCII], 0.0
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.field-length-limiting-2/weird.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.field-length-limiting-2/weird.log
@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	weird
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer	source
+#types	time	string	addr	port	addr	port	string	string	bool	string	string
+XXXXXXXXXX.XXXXXX	-	-	-	-	-	log_string_field_truncated	Test::LOG	F	zeek	-
+#close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.field-length-limiting-3/.stdout
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.field-length-limiting-3/.stdout
@ -1,3 +1,5 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+Telemetry::COUNTER, zeek, zeek_log_writer_truncated_string_fields_total, [filter_name, module, path, stream, writer], [default, Weird, weird, Weird::LOG, Log::WRITER_ASCII], 0.0
 Telemetry::COUNTER, zeek, zeek_log_writer_truncated_string_fields_total, [filter_name, module, path, stream, writer], [default, Test, test, Test::LOG, Log::WRITER_ASCII], 12.0
+Telemetry::COUNTER, zeek, zeek_log_writer_truncated_containers_total, [filter_name, module, path, stream, writer], [default, Weird, weird, Weird::LOG, Log::WRITER_ASCII], 0.0
 Telemetry::COUNTER, zeek, zeek_log_writer_truncated_containers_total, [filter_name, module, path, stream, writer], [default, Test, test, Test::LOG, Log::WRITER_ASCII], 0.0
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.field-length-limiting-3/weird.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.field-length-limiting-3/weird.log
@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	weird
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer	source
+#types	time	string	addr	port	addr	port	string	string	bool	string	string
+XXXXXXXXXX.XXXXXX	-	-	-	-	-	log_string_field_truncated	Test::LOG	F	zeek	-
+#close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.field-length-limiting-4/.stdout
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.field-length-limiting-4/.stdout
@ -1,3 +1,5 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+Telemetry::COUNTER, zeek, zeek_log_writer_truncated_string_fields_total, [filter_name, module, path, stream, writer], [default, Weird, weird, Weird::LOG, Log::WRITER_ASCII], 0.0
 Telemetry::COUNTER, zeek, zeek_log_writer_truncated_string_fields_total, [filter_name, module, path, stream, writer], [default, Test, test, Test::LOG, Log::WRITER_ASCII], 0.0
+Telemetry::COUNTER, zeek, zeek_log_writer_truncated_containers_total, [filter_name, module, path, stream, writer], [default, Weird, weird, Weird::LOG, Log::WRITER_ASCII], 0.0
 Telemetry::COUNTER, zeek, zeek_log_writer_truncated_containers_total, [filter_name, module, path, stream, writer], [default, Test, test, Test::LOG, Log::WRITER_ASCII], 2.0
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.field-length-limiting-4/weird.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.field-length-limiting-4/weird.log
@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	weird
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer	source
+#types	time	string	addr	port	addr	port	string	string	bool	string	string
+XXXXXXXXXX.XXXXXX	-	-	-	-	-	log_container_field_truncated	Test::LOG	F	zeek	-
+#close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.field-length-limiting-5/.stdout
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.field-length-limiting-5/.stdout
@ -1,3 +1,5 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+Telemetry::COUNTER, zeek, zeek_log_writer_truncated_string_fields_total, [filter_name, module, path, stream, writer], [default, Weird, weird, Weird::LOG, Log::WRITER_ASCII], 0.0
 Telemetry::COUNTER, zeek, zeek_log_writer_truncated_string_fields_total, [filter_name, module, path, stream, writer], [default, Test, test, Test::LOG, Log::WRITER_ASCII], 0.0
+Telemetry::COUNTER, zeek, zeek_log_writer_truncated_containers_total, [filter_name, module, path, stream, writer], [default, Weird, weird, Weird::LOG, Log::WRITER_ASCII], 0.0
 Telemetry::COUNTER, zeek, zeek_log_writer_truncated_containers_total, [filter_name, module, path, stream, writer], [default, Test, test, Test::LOG, Log::WRITER_ASCII], 1.0
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.field-length-limiting-5/weird.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.field-length-limiting-5/weird.log
@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	weird
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer	source
+#types	time	string	addr	port	addr	port	string	string	bool	string	string
+XXXXXXXXXX.XXXXXX	-	-	-	-	-	log_container_field_truncated	Test::LOG	F	zeek	-
+#close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.field-length-limiting-6/.stdout
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.field-length-limiting-6/.stdout
@ -1,3 +1,5 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+Telemetry::COUNTER, zeek, zeek_log_writer_truncated_string_fields_total, [filter_name, module, path, stream, writer], [default, Weird, weird, Weird::LOG, Log::WRITER_ASCII], 0.0
 Telemetry::COUNTER, zeek, zeek_log_writer_truncated_string_fields_total, [filter_name, module, path, stream, writer], [default, Test, test, Test::LOG, Log::WRITER_ASCII], 0.0
+Telemetry::COUNTER, zeek, zeek_log_writer_truncated_containers_total, [filter_name, module, path, stream, writer], [default, Weird, weird, Weird::LOG, Log::WRITER_ASCII], 0.0
 Telemetry::COUNTER, zeek, zeek_log_writer_truncated_containers_total, [filter_name, module, path, stream, writer], [default, Test, test, Test::LOG, Log::WRITER_ASCII], 2.0
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.field-length-limiting-6/weird.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.field-length-limiting-6/weird.log
@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	weird
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer	source
+#types	time	string	addr	port	addr	port	string	string	bool	string	string
+XXXXXXXXXX.XXXXXX	-	-	-	-	-	log_container_field_truncated	Test::LOG	F	zeek	-
+#close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.field-length-limiting/.stdout
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.field-length-limiting/.stdout
@ -1,3 +1,5 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+Telemetry::COUNTER, zeek, zeek_log_writer_truncated_string_fields_total, [filter_name, module, path, stream, writer], [default, Weird, weird, Weird::LOG, Log::WRITER_ASCII], 2.0
 Telemetry::COUNTER, zeek, zeek_log_writer_truncated_string_fields_total, [filter_name, module, path, stream, writer], [default, Test, test, Test::LOG, Log::WRITER_ASCII], 20.0
+Telemetry::COUNTER, zeek, zeek_log_writer_truncated_containers_total, [filter_name, module, path, stream, writer], [default, Weird, weird, Weird::LOG, Log::WRITER_ASCII], 0.0
 Telemetry::COUNTER, zeek, zeek_log_writer_truncated_containers_total, [filter_name, module, path, stream, writer], [default, Test, test, Test::LOG, Log::WRITER_ASCII], 0.0
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.field-length-limiting/weird.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.field-length-limiting/weird.log
@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	weird
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer	source
+#types	time	string	addr	port	addr	port	string	string	bool	string	string
+XXXXXXXXXX.XXXXXX	-	-	-	-	-	log_s	Test:	F	zeek	-
+#close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/scripts/base/frameworks/logging/field-length-limiting.zeek
+++ b/testing/btest/scripts/base/frameworks/logging/field-length-limiting.zeek
@ -3,10 +3,12 @@
 # @TEST-EXEC: zeek -b test.zeek %INPUT
 # @TEST-EXEC: btest-diff test.log
 # @TEST-EXEC: btest-diff .stdout
+# @TEST-EXEC: btest-diff weird.log

 # @TEST-START-FILE test.zeek

@load base/frameworks/telemetry
+@load base/frameworks/notice/weird

 module Test;

@ -19,6 +21,16 @@ export {
 	};
 }

+event log_telemetry()
+	{
+	local storage_metrics = Telemetry::collect_metrics("zeek", "log_writer_truncated*");
+	for (i in storage_metrics)
+		{
+		local m = storage_metrics[i];
+		print m$opts$metric_type, m$opts$prefix, m$opts$name, m$label_names, m$label_values, m$value;
+		}
+	}
+
 event zeek_init()
 	{
 	Log::create_stream(LOG, [$columns=Info, $path="test"]);
@ -36,19 +48,17 @@ event zeek_init()

 	Log::write(Test::LOG, rec);

-	local storage_metrics = Telemetry::collect_metrics("zeek", "log_writer_truncated*");
-	for (i in storage_metrics)
-		{
-		local m = storage_metrics[i];
-		print m$opts$metric_type, m$opts$prefix, m$opts$name, m$label_names, m$label_values, m$value;
-		}
+	# Do this as a separate event so the weirds get processed before we log the
+	# telemetry outout. See the comment below for the first test as to why.
+	event log_telemetry();
 	}

-
 # @TEST-END-FILE test.zeek

 # Limit the individual fields to 5 bytes, but keep the total maximum large enough that it
-# will write all of the fields.
+# will write all of the fields. The weird test for this one will be off since it will
+# limit the name of the weird. It will pass, but the fields in the log will get truncated
+# like they're supposed to.
 redef Log::max_field_string_bytes = 5;

 # @TEST-START-NEXT