Updated header format (see #558)

src/LogWriterAscii.cc

@@ -6,6 +6,25 @@
 #include "LogWriterAscii.h"
 #include "NetVar.h"
 
+/**
+ * Takes a string, escapes each character into its equivalent hex code (\x##), and
+ * returns a string containing all escaped values.
+ *
+ * @param str string to escape
+ * @return A std::string containing a list of escaped hex values of the form \x##
+ */
+static string _GetEscapedString(const std::string str)
+{
+	char tbuf[128];
+	string esc = "";
+	for (size_t i = 0; i < str.length(); ++i)
+		{
+		snprintf(tbuf, 128, "\\x%02x", str[i]);
+		esc += tbuf;
+		}
+	return esc;
+}
+
 /**
  * Takes a LogField and returns a human-readable version of its type.  Used to output the type to the log file's
  * header.
@@ -118,40 +137,33 @@ bool LogWriterAscii::DoInit(string path, int num_fields,
 
 	if ( include_header )
 		{
-		if ( fwrite(header_prefix, header_prefix_len, 1, file) != 1 )
+		string wString = string(header_prefix, header_prefix_len) + "separator " + _GetEscapedString(string(separator, separator_len)) + "\n";
-			goto write_error;
-
-		for ( int i = 0; i < num_fields; i++ )
-			{
-			if ( i > 0 &&
-			     fwrite(separator, separator_len, 1, file) != 1 )
-				goto write_error;
-
-			const LogField* field = fields[i];
-
-			if ( fputs(field->name.c_str(), file) == EOF )
-				goto write_error;
-			}
-
-		if ( fputc('\n', file) == EOF )
-			goto write_error;
-		
-		string wString = string(header_prefix, header_prefix_len) + string("path:'") + path + string("'\n");
-		wString += string(header_prefix, header_prefix_len) + "separator:'" + string(separator, separator_len) + "'\n";
 		if(fwrite(wString.c_str(), wString.length(), 1, file) != 1)
 			goto write_error;
-
+		wString = string(header_prefix, header_prefix_len) + "fields" + string(separator, separator_len);
-		wString = string(header_prefix, header_prefix_len);
 		for ( int i = 0; i < num_fields; ++i )
 			{
 			const LogField* field = fields[i];
-			wString += ((i > 0) ? string(separator, separator_len) : string("")) + field->name + string("=") + _GetBroTypeString(field);
+			wString += ((i > 0) ? string(separator, separator_len) : string("")) + field->name.c_str();
 			}
 		if(fwrite(wString.c_str(), wString.length(), 1, file) != 1)
 			goto write_error;
 		if ( fputc('\n', file) == EOF )
 			goto write_error;
 		
+		wString = string(header_prefix, header_prefix_len) + "types" + string(separator, separator_len);
+		for ( int i = 0; i < num_fields; ++i )
+			{
+			const LogField* field = fields[i];
+			wString += ((i > 0) ? string(separator, separator_len) : string("")) + _GetBroTypeString(field);
+			}
+		if(fwrite(wString.c_str(), wString.length(), 1, file) != 1)
+			goto write_error;
+		if ( fputc('\n', file) == EOF )
+			goto write_error;
+		wString = string(header_prefix, header_prefix_len) + string("path") + string(separator, separator_len) + path + string("\n");
+		if(fwrite(wString.c_str(), wString.length(), 1, file) != 1)
+			goto write_error;
 		}
 
 	return true;

testing/btest/Baseline/core.print-bpf-filters-ipv4/conn.log

@@ -1,5 +1,5 @@
-# ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history
+# separator \x09
-# path:'conn'
+# fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history
-# separator:'	'
+# types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string
-# ts=time	uid=string	id.orig_h=addr	id.orig_p=port	id.resp_h=addr	id.resp_p=port	proto=enum	service=string	duration=interval	orig_bytes=count	resp_bytes=count	conn_state=string	local_orig=bool	missed_bytes=count	history=string
+# path	conn
 1128727435.450898	UWkUyAuUGXf	141.42.64.125	56730	125.190.109.199	80	tcp	http	1.73330307006836	98	9417	SF	-	0	ShADdFaf

testing/btest/Baseline/core.print-bpf-filters-ipv4/output

@@ -1,20 +1,20 @@
-# ts	node	filter	init	success
+# separator \x09
-# path:'packet_filter'
+# fields	ts	node	filter	init	success
-# separator:'	'
+# types	time	string	string	bool	bool
-# ts=time	node=string	filter=string	init=bool	success=bool
+# path	packet_filter
-1313294321.706635	-	not ip6	F	T
+1314727730.005834	-	not ip6	F	T
-# ts	node	filter	init	success
+# separator \x09
-# path:'packet_filter'
+# fields	ts	node	filter	init	success
-# separator:'	'
+# types	time	string	string	bool	bool
-# ts=time	node=string	filter=string	init=bool	success=bool
+# path	packet_filter
-1313294321.886625	-	(((((((((((((((((((((((port 53) or (tcp port 989)) or (tcp port 443)) or (udp and port 5353)) or (udp and port 5355)) or (tcp port 22)) or (tcp port 995)) or (port 21)) or (tcp port smtp or tcp port 587)) or (port 6667)) or (tcp port 614)) or (tcp port 990)) or (udp port 137)) or (tcp port 993)) or (tcp port 5223)) or (port 514)) or (tcp port 585)) or (tcp port 992)) or (tcp port 563)) or (tcp port 994)) or (tcp port 636)) or (tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888))) or (port 6666)) and (not ip6)	F	T
+1314727730.210660	-	(((((((((((((((((((((((port 53) or (tcp port 989)) or (tcp port 443)) or (udp and port 5353)) or (udp and port 5355)) or (tcp port 22)) or (tcp port 995)) or (port 21)) or (tcp port smtp or tcp port 587)) or (port 6667)) or (tcp port 614)) or (tcp port 990)) or (udp port 137)) or (tcp port 993)) or (tcp port 5223)) or (port 514)) or (tcp port 585)) or (tcp port 992)) or (tcp port 563)) or (tcp port 994)) or (tcp port 636)) or (tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888))) or (port 6666)) and (not ip6)	F	T
-# ts	node	filter	init	success
+# separator \x09
-# path:'packet_filter'
+# fields	ts	node	filter	init	success
-# separator:'	'
+# types	time	string	string	bool	bool
-# ts=time	node=string	filter=string	init=bool	success=bool
+# path	packet_filter
-1313294322.054107	-	port 42	F	T
+1314727730.391189	-	port 42	F	T
-# ts	node	filter	init	success
+# separator \x09
-# path:'packet_filter'
+# fields	ts	node	filter	init	success
-# separator:'	'
+# types	time	string	string	bool	bool
-# ts=time	node=string	filter=string	init=bool	success=bool
+# path	packet_filter
-1313294322.221475	-	port 56730	T	T
+1314727730.576036	-	port 56730	T	T

testing/btest/Baseline/core.vlan-mpls/conn.log

@@ -1,7 +1,7 @@
-# ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history
+# separator \x09
-# path:'conn'
+# fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history
-# separator:'	'
+# types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string
-# ts=time	uid=string	id.orig_h=addr	id.orig_p=port	id.resp_h=addr	id.resp_p=port	proto=enum	service=string	duration=interval	orig_bytes=count	resp_bytes=count	conn_state=string	local_orig=bool	missed_bytes=count	history=string
+# path	conn
 952109346.874907	UWkUyAuUGXf	10.1.2.1	11001	10.34.0.1	23	tcp	-	2.10255992412567	25	0	SH	-	0	-
 1128727435.450898	56gKBmhBBB6	141.42.64.125	56730	125.190.109.199	80	tcp	http	1.73330307006836	98	9417	SF	-	0	ShADdFaf
 1278600802.069419	50da4BEzauh	10.20.80.1	50343	10.0.0.15	80	tcp	-	0.00415205955505371	9	3429	SF	-	0	ShADadfF

testing/btest/Baseline/istate.events-ssl/receiver.http.log

@@ -1,5 +1,5 @@
-# ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	method	host	uri	referrer	user_agent	request_content_length	response_content_length	status_code	status_msg	filename	tags	username	password	proxied	mime_type	md5	extraction_file
+# separator \x09
-# path:'http'
+# fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	method	host	uri	referrer	user_agent	request_content_length	response_content_length	status_code	status_msg	filename	tags	username	password	proxied	mime_type	md5	extraction_file
-# separator:'	'
+# types	time	string	addr	port	addr	port	string	string	string	string	string	count	count	count	string	string	table	string	string	table	string	string	file
-# ts=time	uid=string	id.orig_h=addr	id.orig_p=port	id.resp_h=addr	id.resp_p=port	method=string	host=string	uri=string	referrer=string	user_agent=string	request_content_length=count	response_content_length=count	status_code=count	status_msg=string	filename=string	tags=table	username=string	password=string	proxied=table	mime_type=string	md5=string	extraction_file=file
+# path	http
-1313294803.616197	56gKBmhBBB6	141.42.64.125	56730	125.190.109.199	80	GET	www.icir.org	/	-	Wget/1.10	-	9130	200	OK	-	-	-	-	-	text/html	-	-
+1314727981.131631	56gKBmhBBB6	141.42.64.125	56730	125.190.109.199	80	GET	www.icir.org	/	-	Wget/1.10	-	9130	200	OK	-	-	-	-	-	text/html	-	-

testing/btest/Baseline/istate.events-ssl/sender.http.log

@@ -1,5 +1,5 @@
-# ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	method	host	uri	referrer	user_agent	request_content_length	response_content_length	status_code	status_msg	filename	tags	username	password	proxied	mime_type	md5	extraction_file
+# separator \x09
-# path:'http'
+# fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	method	host	uri	referrer	user_agent	request_content_length	response_content_length	status_code	status_msg	filename	tags	username	password	proxied	mime_type	md5	extraction_file
-# separator:'	'
+# types	time	string	addr	port	addr	port	string	string	string	string	string	count	count	count	string	string	table	string	string	table	string	string	file
-# ts=time	uid=string	id.orig_h=addr	id.orig_p=port	id.resp_h=addr	id.resp_p=port	method=string	host=string	uri=string	referrer=string	user_agent=string	request_content_length=count	response_content_length=count	status_code=count	status_msg=string	filename=string	tags=table	username=string	password=string	proxied=table	mime_type=string	md5=string	extraction_file=file
+# path	http
-1313294803.616197	56gKBmhBBB6	141.42.64.125	56730	125.190.109.199	80	GET	www.icir.org	/	-	Wget/1.10	-	9130	200	OK	-	-	-	-	-	text/html	-	-
+1314727981.131631	56gKBmhBBB6	141.42.64.125	56730	125.190.109.199	80	GET	www.icir.org	/	-	Wget/1.10	-	9130	200	OK	-	-	-	-	-	text/html	-	-

testing/btest/Baseline/istate.events/receiver.http.log

@@ -1,5 +1,5 @@
-# ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	method	host	uri	referrer	user_agent	request_content_length	response_content_length	status_code	status_msg	filename	tags	username	password	proxied	mime_type	md5	extraction_file
+# separator \x09
-# path:'http'
+# fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	method	host	uri	referrer	user_agent	request_content_length	response_content_length	status_code	status_msg	filename	tags	username	password	proxied	mime_type	md5	extraction_file
-# separator:'	'
+# types	time	string	addr	port	addr	port	string	string	string	string	string	count	count	count	string	string	table	string	string	table	string	string	file
-# ts=time	uid=string	id.orig_h=addr	id.orig_p=port	id.resp_h=addr	id.resp_p=port	method=string	host=string	uri=string	referrer=string	user_agent=string	request_content_length=count	response_content_length=count	status_code=count	status_msg=string	filename=string	tags=table	username=string	password=string	proxied=table	mime_type=string	md5=string	extraction_file=file
+# path	http
-1313294821.853639	56gKBmhBBB6	141.42.64.125	56730	125.190.109.199	80	GET	www.icir.org	/	-	Wget/1.10	-	9130	200	OK	-	-	-	-	-	text/html	-	-
+1314727996.111318	56gKBmhBBB6	141.42.64.125	56730	125.190.109.199	80	GET	www.icir.org	/	-	Wget/1.10	-	9130	200	OK	-	-	-	-	-	text/html	-	-

testing/btest/Baseline/istate.events/sender.http.log

@@ -1,5 +1,5 @@
-# ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	method	host	uri	referrer	user_agent	request_content_length	response_content_length	status_code	status_msg	filename	tags	username	password	proxied	mime_type	md5	extraction_file
+# separator \x09
-# path:'http'
+# fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	method	host	uri	referrer	user_agent	request_content_length	response_content_length	status_code	status_msg	filename	tags	username	password	proxied	mime_type	md5	extraction_file
-# separator:'	'
+# types	time	string	addr	port	addr	port	string	string	string	string	string	count	count	count	string	string	table	string	string	table	string	string	file
-# ts=time	uid=string	id.orig_h=addr	id.orig_p=port	id.resp_h=addr	id.resp_p=port	method=string	host=string	uri=string	referrer=string	user_agent=string	request_content_length=count	response_content_length=count	status_code=count	status_msg=string	filename=string	tags=table	username=string	password=string	proxied=table	mime_type=string	md5=string	extraction_file=file
+# path	http
-1313294821.853639	56gKBmhBBB6	141.42.64.125	56730	125.190.109.199	80	GET	www.icir.org	/	-	Wget/1.10	-	9130	200	OK	-	-	-	-	-	text/html	-	-
+1314727996.111318	56gKBmhBBB6	141.42.64.125	56730	125.190.109.199	80	GET	www.icir.org	/	-	Wget/1.10	-	9130	200	OK	-	-	-	-	-	text/html	-	-

testing/btest/Baseline/policy.frameworks.logging.adapt-filter/ssh-new-default.log

@@ -1,6 +1,6 @@
-# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+# separator \x09
-# path:'ssh-new-default'
+# fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
-# separator:'	'
+# types	time	addr	port	addr	port	string	string
-# t=time	id.orig_h=addr	id.orig_p=port	id.resp_h=addr	id.resp_p=port	status=string	country=string
+# path	ssh-new-default
-1313294629.401535	1.2.3.4	1234	2.3.4.5	80	success	unknown
+1314727872.290926	1.2.3.4	1234	2.3.4.5	80	success	unknown
-1313294629.401535	1.2.3.4	1234	2.3.4.5	80	failure	US
+1314727872.290926	1.2.3.4	1234	2.3.4.5	80	failure	US

testing/btest/Baseline/policy.frameworks.logging.ascii-empty/ssh.log

@@ -1,9 +1,9 @@
-PREFIX<>t|id.orig_h|id.orig_p|id.resp_h|id.resp_p|status|country|b
+PREFIX<>separator \x7c
-PREFIX<>path:'ssh'
+PREFIX<>fields|t|id.orig_h|id.orig_p|id.resp_h|id.resp_p|status|country|b
-PREFIX<>separator:'|'
+PREFIX<>types|time|addr|port|addr|port|string|string|bool
-PREFIX<>t=time|id.orig_h=addr|id.orig_p=port|id.resp_h=addr|id.resp_p=port|status=string|country=string|b=bool
+PREFIX<>path|ssh
-1313294759.195743|1.2.3.4|1234|2.3.4.5|80|success|unknown|NOT-SET
+1314727948.493595|1.2.3.4|1234|2.3.4.5|80|success|unknown|NOT-SET
-1313294759.195743|1.2.3.4|1234|2.3.4.5|80|NOT-SET|US|NOT-SET
+1314727948.493595|1.2.3.4|1234|2.3.4.5|80|NOT-SET|US|NOT-SET
-1313294759.195743|1.2.3.4|1234|2.3.4.5|80|failure|UK|NOT-SET
+1314727948.493595|1.2.3.4|1234|2.3.4.5|80|failure|UK|NOT-SET
-1313294759.195743|1.2.3.4|1234|2.3.4.5|80|NOT-SET|BR|NOT-SET
+1314727948.493595|1.2.3.4|1234|2.3.4.5|80|NOT-SET|BR|NOT-SET
-1313294759.195743|1.2.3.4|1234|2.3.4.5|80|failure|EMPTY|T
+1314727948.493595|1.2.3.4|1234|2.3.4.5|80|failure|EMPTY|T

testing/btest/Baseline/policy.frameworks.logging.ascii-timestamps/test.log

@@ -1,7 +1,7 @@
-# data
+# separator \x09
-# path:'test'
+# fields	data
-# separator:'	'
+# types	time
-# data=time
+# path	test
 1234567890.000000
 1234567890.000000
 1234567890.010000

testing/btest/Baseline/policy.frameworks.logging.attr-extend/ssh.log

@@ -1,5 +1,5 @@
-# status	country	a1	b1	b2
+# separator \x09
-# path:'ssh'
+# fields	status	country	a1	b1	b2
-# separator:'	'
+# types	string	string	count	count	count
-# status=string	country=string	a1=count	b1=count	b2=count
+# path	ssh
 success	unknown	1	3	4

testing/btest/Baseline/policy.frameworks.logging.attr/ssh.log

@@ -1,7 +1,7 @@
-# status	country
+# separator \x09
-# path:'ssh'
+# fields	status	country
-# separator:'	'
+# types	string	string
-# status=string	country=string
+# path	ssh
 success	unknown
 failure	US
 failure	UK

testing/btest/Baseline/policy.frameworks.logging.empty-event/ssh.log

@@ -1,9 +1,9 @@
-# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+# separator \x09
-# path:'ssh'
+# fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
-# separator:'	'
+# types	time	addr	port	addr	port	string	string
-# t=time	id.orig_h=addr	id.orig_p=port	id.resp_h=addr	id.resp_p=port	status=string	country=string
+# path	ssh
-1313294569.495672	1.2.3.4	1234	2.3.4.5	80	success	unknown
+1314727852.730851	1.2.3.4	1234	2.3.4.5	80	success	unknown
-1313294569.495672	1.2.3.4	1234	2.3.4.5	80	failure	US
+1314727852.730851	1.2.3.4	1234	2.3.4.5	80	failure	US
-1313294569.495672	1.2.3.4	1234	2.3.4.5	80	failure	UK
+1314727852.730851	1.2.3.4	1234	2.3.4.5	80	failure	UK
-1313294569.495672	1.2.3.4	1234	2.3.4.5	80	success	BR
+1314727852.730851	1.2.3.4	1234	2.3.4.5	80	success	BR
-1313294569.495672	1.2.3.4	1234	2.3.4.5	80	failure	MX
+1314727852.730851	1.2.3.4	1234	2.3.4.5	80	failure	MX

testing/btest/Baseline/policy.frameworks.logging.exclude/ssh.log

@@ -1,7 +1,7 @@
-# id.orig_p	id.resp_h	id.resp_p	status	country
+# separator \x09
-# path:'ssh'
+# fields	id.orig_p	id.resp_h	id.resp_p	status	country
-# separator:'	'
+# types	port	addr	port	string	string
-# id.orig_p=port	id.resp_h=addr	id.resp_p=port	status=string	country=string
+# path	ssh
 1234	2.3.4.5	80	success	unknown
 1234	2.3.4.5	80	failure	US
 1234	2.3.4.5	80	failure	UK

testing/btest/Baseline/policy.frameworks.logging.file/ssh.log

@@ -1,5 +1,5 @@
-# t	f
+# separator \x09
-# path:'ssh'
+# fields	t	f
-# separator:'	'
+# types	time	file
-# t=time	f=file
+# path	ssh
-1313294659.301877	Foo.log
+1314727892.880049	Foo.log

testing/btest/Baseline/policy.frameworks.logging.include/ssh.log

@@ -1,9 +1,9 @@
-# t	id.orig_h
+# separator \x09
-# path:'ssh'
+# fields	t	id.orig_h
-# separator:'	'
+# types	time	addr
-# t=time	id.orig_h=addr
+# path	ssh
-1313294779.446569	1.2.3.4
+1314727963.092660	1.2.3.4
-1313294779.446569	1.2.3.4
+1314727963.092660	1.2.3.4
-1313294779.446569	1.2.3.4
+1314727963.092660	1.2.3.4
-1313294779.446569	1.2.3.4
+1314727963.092660	1.2.3.4
-1313294779.446569	1.2.3.4
+1314727963.092660	1.2.3.4

testing/btest/Baseline/policy.frameworks.logging.path-func/output

@@ -5,38 +5,38 @@ static-prefix-1-MX.log
 static-prefix-1-US.log
 static-prefix-2-MX2.log
 static-prefix-2-UK.log
-# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+# separator \x09
-# path:'static-prefix-0-BR'
+# fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
-# separator:'	'
+# types	time	addr	port	addr	port	string	string
-# t=time	id.orig_h=addr	id.orig_p=port	id.resp_h=addr	id.resp_p=port	status=string	country=string
+# path	static-prefix-0-BR
-1313294713.688145	1.2.3.4	1234	2.3.4.5	80	success	BR
+1314727918.882660	1.2.3.4	1234	2.3.4.5	80	success	BR
-# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+# separator \x09
-# path:'static-prefix-0-MX3'
+# fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
-# separator:'	'
+# types	time	addr	port	addr	port	string	string
-# t=time	id.orig_h=addr	id.orig_p=port	id.resp_h=addr	id.resp_p=port	status=string	country=string
+# path	static-prefix-0-MX3
-1313294713.688145	1.2.3.4	1234	2.3.4.5	80	failure	MX3
+1314727918.882660	1.2.3.4	1234	2.3.4.5	80	failure	MX3
-# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+# separator \x09
-# path:'static-prefix-0-unknown'
+# fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
-# separator:'	'
+# types	time	addr	port	addr	port	string	string
-# t=time	id.orig_h=addr	id.orig_p=port	id.resp_h=addr	id.resp_p=port	status=string	country=string
+# path	static-prefix-0-unknown
-1313294713.688145	1.2.3.4	1234	2.3.4.5	80	success	unknown
+1314727918.882660	1.2.3.4	1234	2.3.4.5	80	success	unknown
-# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+# separator \x09
-# path:'static-prefix-1-MX'
+# fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
-# separator:'	'
+# types	time	addr	port	addr	port	string	string
-# t=time	id.orig_h=addr	id.orig_p=port	id.resp_h=addr	id.resp_p=port	status=string	country=string
+# path	static-prefix-1-MX
-1313294713.688145	1.2.3.4	1234	2.3.4.5	80	failure	MX
+1314727918.882660	1.2.3.4	1234	2.3.4.5	80	failure	MX
-# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+# separator \x09
-# path:'static-prefix-1-US'
+# fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
-# separator:'	'
+# types	time	addr	port	addr	port	string	string
-# t=time	id.orig_h=addr	id.orig_p=port	id.resp_h=addr	id.resp_p=port	status=string	country=string
+# path	static-prefix-1-US
-1313294713.688145	1.2.3.4	1234	2.3.4.5	80	failure	US
+1314727918.882660	1.2.3.4	1234	2.3.4.5	80	failure	US
-# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+# separator \x09
-# path:'static-prefix-2-MX2'
+# fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
-# separator:'	'
+# types	time	addr	port	addr	port	string	string
-# t=time	id.orig_h=addr	id.orig_p=port	id.resp_h=addr	id.resp_p=port	status=string	country=string
+# path	static-prefix-2-MX2
-1313294713.688145	1.2.3.4	1234	2.3.4.5	80	failure	MX2
+1314727918.882660	1.2.3.4	1234	2.3.4.5	80	failure	MX2
-# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+# separator \x09
-# path:'static-prefix-2-UK'
+# fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
-# separator:'	'
+# types	time	addr	port	addr	port	string	string
-# t=time	id.orig_h=addr	id.orig_p=port	id.resp_h=addr	id.resp_p=port	status=string	country=string
+# path	static-prefix-2-UK
-1313294713.688145	1.2.3.4	1234	2.3.4.5	80	failure	UK
+1314727918.882660	1.2.3.4	1234	2.3.4.5	80	failure	UK

testing/btest/Baseline/policy.frameworks.logging.pred/ssh.failure.log

@@ -1,5 +1,5 @@
-# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+# separator \x09
-# path:'ssh.failure'
+# fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
-# separator:'	'
+# types	time	addr	port	addr	port	string	string
-# t=time	id.orig_h=addr	id.orig_p=port	id.resp_h=addr	id.resp_p=port	status=string	country=string
+# path	ssh.failure
-1313294637.607505	1.2.3.4	1234	2.3.4.5	80	failure	US
+1314727874.590133	1.2.3.4	1234	2.3.4.5	80	failure	US

testing/btest/Baseline/policy.frameworks.logging.pred/ssh.success.log

@@ -1,5 +1,5 @@
-# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+# separator \x09
-# path:'ssh.success'
+# fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
-# separator:'	'
+# types	time	addr	port	addr	port	string	string
-# t=time	id.orig_h=addr	id.orig_p=port	id.resp_h=addr	id.resp_p=port	status=string	country=string
+# path	ssh.success
-1313294637.607505	1.2.3.4	1234	2.3.4.5	80	success	-
+1314727874.590133	1.2.3.4	1234	2.3.4.5	80	success	-

testing/btest/Baseline/policy.frameworks.logging.remote-types/receiver.test.log

@@ -1,5 +1,5 @@
-# b	i	e	c	p	sn	n	a	d	t	iv	s	sc	ss	se	vc	ve
+# separator \x09
-# path:'test'
+# fields	b	i	e	c	p	sn	n	a	d	t	iv	s	sc	ss	se	vc	ve
-# separator:'	'
+# types	bool	int	enum	count	port	subnet	net	addr	double	time	interval	string	table	table	table	vector	vector
-# b=bool	i=int	e=enum	c=count	p=port	sn=subnet	n=net	a=addr	d=double	t=time	iv=interval	s=string	sc=table	ss=table	se=table	vc=vector	ve=vector
+# path	test
-T	-42	Test::TEST	21	123	10.0.0.0/24	10.0.0.0	1.2.3.4	3.14	1313294605.568014	100.0	hurz	2,4,1,3	CC,AA,BB	EMPTY	10,20,30	EMPTY
+T	-42	Test::TEST	21	123	10.0.0.0/24	10.0.0.0	1.2.3.4	3.14	1314727862.540918	100.0	hurz	2,4,1,3	CC,AA,BB	EMPTY	10,20,30	EMPTY

testing/btest/Baseline/policy.frameworks.logging.remote/sender.test.failure.log

@@ -1,7 +1,7 @@
-# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+# separator \x09
-# path:'test.failure'
+# fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
-# separator:'	'
+# types	time	addr	port	addr	port	string	string
-# t=time	id.orig_h=addr	id.orig_p=port	id.resp_h=addr	id.resp_p=port	status=string	country=string
+# path	test.failure
-1313294726.669862	1.2.3.4	1234	2.3.4.5	80	failure	US
+1314727932.130262	1.2.3.4	1234	2.3.4.5	80	failure	US
-1313294726.669862	1.2.3.4	1234	2.3.4.5	80	failure	UK
+1314727932.130262	1.2.3.4	1234	2.3.4.5	80	failure	UK
-1313294726.669862	1.2.3.4	1234	2.3.4.5	80	failure	MX
+1314727932.130262	1.2.3.4	1234	2.3.4.5	80	failure	MX

testing/btest/Baseline/policy.frameworks.logging.remote/sender.test.log

@@ -1,9 +1,9 @@
-# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+# separator \x09
-# path:'test'
+# fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
-# separator:'	'
+# types	time	addr	port	addr	port	string	string
-# t=time	id.orig_h=addr	id.orig_p=port	id.resp_h=addr	id.resp_p=port	status=string	country=string
+# path	test
-1313294726.669862	1.2.3.4	1234	2.3.4.5	80	success	-
+1314727932.130262	1.2.3.4	1234	2.3.4.5	80	success	-
-1313294726.669862	1.2.3.4	1234	2.3.4.5	80	failure	US
+1314727932.130262	1.2.3.4	1234	2.3.4.5	80	failure	US
-1313294726.669862	1.2.3.4	1234	2.3.4.5	80	failure	UK
+1314727932.130262	1.2.3.4	1234	2.3.4.5	80	failure	UK
-1313294726.669862	1.2.3.4	1234	2.3.4.5	80	success	BR
+1314727932.130262	1.2.3.4	1234	2.3.4.5	80	success	BR
-1313294726.669862	1.2.3.4	1234	2.3.4.5	80	failure	MX
+1314727932.130262	1.2.3.4	1234	2.3.4.5	80	failure	MX

testing/btest/Baseline/policy.frameworks.logging.remote/sender.test.success.log

@@ -1,6 +1,6 @@
-# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+# separator \x09
-# path:'test.success'
+# fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
-# separator:'	'
+# types	time	addr	port	addr	port	string	string
-# t=time	id.orig_h=addr	id.orig_p=port	id.resp_h=addr	id.resp_p=port	status=string	country=string
+# path	test.success
-1313294726.669862	1.2.3.4	1234	2.3.4.5	80	success	-
+1314727932.130262	1.2.3.4	1234	2.3.4.5	80	success	-
-1313294726.669862	1.2.3.4	1234	2.3.4.5	80	success	BR
+1314727932.130262	1.2.3.4	1234	2.3.4.5	80	success	BR

testing/btest/Baseline/policy.frameworks.logging.remove/ssh.failure.log

@@ -1,6 +1,6 @@
-# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+# separator \x09
-# path:'ssh.failure'
+# fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
-# separator:'	'
+# types	time	addr	port	addr	port	string	string
-# t=time	id.orig_h=addr	id.orig_p=port	id.resp_h=addr	id.resp_p=port	status=string	country=string
+# path	ssh.failure
-1313294785.141559	1.2.3.4	1234	2.3.4.5	80	failure	US
+1314727967.932172	1.2.3.4	1234	2.3.4.5	80	failure	US
-1313294785.141559	1.2.3.4	1234	2.3.4.5	80	failure	UK
+1314727967.932172	1.2.3.4	1234	2.3.4.5	80	failure	UK

testing/btest/Baseline/policy.frameworks.logging.remove/ssh.log

@@ -1,7 +1,7 @@
-# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+# separator \x09
-# path:'ssh'
+# fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
-# separator:'	'
+# types	time	addr	port	addr	port	string	string
-# t=time	id.orig_h=addr	id.orig_p=port	id.resp_h=addr	id.resp_p=port	status=string	country=string
+# path	ssh
-1313294785.141559	1.2.3.4	1234	2.3.4.5	80	failure	US
+1314727967.932172	1.2.3.4	1234	2.3.4.5	80	failure	US
-1313294785.141559	1.2.3.4	1234	2.3.4.5	80	failure	UK
+1314727967.932172	1.2.3.4	1234	2.3.4.5	80	failure	UK
-1313294785.141559	1.2.3.4	1234	2.3.4.5	80	failure	BR
+1314727967.932172	1.2.3.4	1234	2.3.4.5	80	failure	BR

testing/btest/Baseline/policy.frameworks.logging.rotate-custom/out

@@ -28,11 +28,11 @@ custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_11.00.05.log, path=tes
 custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_11.59.55.log, path=test2, open=1299499195.0, close=1299499205.0, terminating=F]
 custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_12.00.05.log, path=test2, open=1299499205.0, close=1299502795.0, terminating=F]
 custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_12.59.55.log, path=test2, open=1299502795.0, close=1299502795.0, terminating=T]
-# path:'test'
+# fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p
-# path:'test2'
+# path	test
-# separator:'	'
+# path	test2
-# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p
+# separator \x09
-# t=time	id.orig_h=addr	id.orig_p=port	id.resp_h=addr	id.resp_p=port
+# types	time	addr	port	addr	port
 1299466805.000000	10.0.0.1	20	10.0.0.2	1024
 1299470395.000000	10.0.0.2	20	10.0.0.3	0
 1299470405.000000	10.0.0.1	20	10.0.0.2	1025

testing/btest/Baseline/policy.frameworks.logging.rotate/out

@@ -9,72 +9,72 @@ test.2011-03-07-10-00-05.log test 11-03-07_10.00.05 11-03-07_11.00.05 0
 test.2011-03-07-11-00-05.log test 11-03-07_11.00.05 11-03-07_12.00.05 0
 test.2011-03-07-12-00-05.log test 11-03-07_12.00.05 11-03-07_12.59.55 1
 > test.2011-03-07-03-00-05.log
-# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p
+# separator \x09
-# path:'test'
+# fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p
-# separator:'	'
+# types	time	addr	port	addr	port
-# t=time	id.orig_h=addr	id.orig_p=port	id.resp_h=addr	id.resp_p=port
+# path	test
 1299466805.000000	10.0.0.1	20	10.0.0.2	1024
 1299470395.000000	10.0.0.2	20	10.0.0.3	0
 > test.2011-03-07-04-00-05.log
-# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p
+# separator \x09
-# path:'test'
+# fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p
-# separator:'	'
+# types	time	addr	port	addr	port
-# t=time	id.orig_h=addr	id.orig_p=port	id.resp_h=addr	id.resp_p=port
+# path	test
 1299470405.000000	10.0.0.1	20	10.0.0.2	1025
 1299473995.000000	10.0.0.2	20	10.0.0.3	1
 > test.2011-03-07-05-00-05.log
-# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p
+# separator \x09
-# path:'test'
+# fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p
-# separator:'	'
+# types	time	addr	port	addr	port
-# t=time	id.orig_h=addr	id.orig_p=port	id.resp_h=addr	id.resp_p=port
+# path	test
 1299474005.000000	10.0.0.1	20	10.0.0.2	1026
 1299477595.000000	10.0.0.2	20	10.0.0.3	2
 > test.2011-03-07-06-00-05.log
-# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p
+# separator \x09
-# path:'test'
+# fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p
-# separator:'	'
+# types	time	addr	port	addr	port
-# t=time	id.orig_h=addr	id.orig_p=port	id.resp_h=addr	id.resp_p=port
+# path	test
 1299477605.000000	10.0.0.1	20	10.0.0.2	1027
 1299481195.000000	10.0.0.2	20	10.0.0.3	3
 > test.2011-03-07-07-00-05.log
-# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p
+# separator \x09
-# path:'test'
+# fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p
-# separator:'	'
+# types	time	addr	port	addr	port
-# t=time	id.orig_h=addr	id.orig_p=port	id.resp_h=addr	id.resp_p=port
+# path	test
 1299481205.000000	10.0.0.1	20	10.0.0.2	1028
 1299484795.000000	10.0.0.2	20	10.0.0.3	4
 > test.2011-03-07-08-00-05.log
-# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p
+# separator \x09
-# path:'test'
+# fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p
-# separator:'	'
+# types	time	addr	port	addr	port
-# t=time	id.orig_h=addr	id.orig_p=port	id.resp_h=addr	id.resp_p=port
+# path	test
 1299484805.000000	10.0.0.1	20	10.0.0.2	1029
 1299488395.000000	10.0.0.2	20	10.0.0.3	5
 > test.2011-03-07-09-00-05.log
-# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p
+# separator \x09
-# path:'test'
+# fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p
-# separator:'	'
+# types	time	addr	port	addr	port
-# t=time	id.orig_h=addr	id.orig_p=port	id.resp_h=addr	id.resp_p=port
+# path	test
 1299488405.000000	10.0.0.1	20	10.0.0.2	1030
 1299491995.000000	10.0.0.2	20	10.0.0.3	6
 > test.2011-03-07-10-00-05.log
-# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p
+# separator \x09
-# path:'test'
+# fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p
-# separator:'	'
+# types	time	addr	port	addr	port
-# t=time	id.orig_h=addr	id.orig_p=port	id.resp_h=addr	id.resp_p=port
+# path	test
 1299492005.000000	10.0.0.1	20	10.0.0.2	1031
 1299495595.000000	10.0.0.2	20	10.0.0.3	7
 > test.2011-03-07-11-00-05.log
-# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p
+# separator \x09
-# path:'test'
+# fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p
-# separator:'	'
+# types	time	addr	port	addr	port
-# t=time	id.orig_h=addr	id.orig_p=port	id.resp_h=addr	id.resp_p=port
+# path	test
 1299495605.000000	10.0.0.1	20	10.0.0.2	1032
 1299499195.000000	10.0.0.2	20	10.0.0.3	8
 > test.2011-03-07-12-00-05.log
-# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p
+# separator \x09
-# path:'test'
+# fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p
-# separator:'	'
+# types	time	addr	port	addr	port
-# t=time	id.orig_h=addr	id.orig_p=port	id.resp_h=addr	id.resp_p=port
+# path	test
 1299499205.000000	10.0.0.1	20	10.0.0.2	1033
 1299502795.000000	10.0.0.2	20	10.0.0.3	9

testing/btest/Baseline/policy.frameworks.logging.stdout/output

@@ -1,9 +1,9 @@
-# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+# separator \x09
-# path:'/dev/stdout'
+# fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
-# separator:'	'
+# types	time	addr	port	addr	port	string	string
-# t=time	id.orig_h=addr	id.orig_p=port	id.resp_h=addr	id.resp_p=port	status=string	country=string
+# path	/dev/stdout
-1313294620.928942	1.2.3.4	1234	2.3.4.5	80	success	unknown
+1314727869.880042	1.2.3.4	1234	2.3.4.5	80	success	unknown
-1313294620.928942	1.2.3.4	1234	2.3.4.5	80	failure	US
+1314727869.880042	1.2.3.4	1234	2.3.4.5	80	failure	US
-1313294620.928942	1.2.3.4	1234	2.3.4.5	80	failure	UK
+1314727869.880042	1.2.3.4	1234	2.3.4.5	80	failure	UK
-1313294620.928942	1.2.3.4	1234	2.3.4.5	80	success	BR
+1314727869.880042	1.2.3.4	1234	2.3.4.5	80	success	BR
-1313294620.928942	1.2.3.4	1234	2.3.4.5	80	failure	MX
+1314727869.880042	1.2.3.4	1234	2.3.4.5	80	failure	MX

testing/btest/Baseline/policy.frameworks.logging.test-logging/ssh.log

@@ -1,9 +1,9 @@
-# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+# separator \x09
-# path:'ssh'
+# fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
-# separator:'	'
+# types	time	addr	port	addr	port	string	string
-# t=time	id.orig_h=addr	id.orig_p=port	id.resp_h=addr	id.resp_p=port	status=string	country=string
+# path	ssh
-1313294707.543971	1.2.3.4	1234	2.3.4.5	80	success	unknown
+1314727916.553137	1.2.3.4	1234	2.3.4.5	80	success	unknown
-1313294707.543971	1.2.3.4	1234	2.3.4.5	80	failure	US
+1314727916.553137	1.2.3.4	1234	2.3.4.5	80	failure	US
-1313294707.543971	1.2.3.4	1234	2.3.4.5	80	failure	UK
+1314727916.553137	1.2.3.4	1234	2.3.4.5	80	failure	UK
-1313294707.543971	1.2.3.4	1234	2.3.4.5	80	success	BR
+1314727916.553137	1.2.3.4	1234	2.3.4.5	80	success	BR
-1313294707.543971	1.2.3.4	1234	2.3.4.5	80	failure	MX
+1314727916.553137	1.2.3.4	1234	2.3.4.5	80	failure	MX

testing/btest/Baseline/policy.frameworks.logging.unset-record/testing.log

@@ -1,6 +1,6 @@
-# a.val1	a.val2	b
+# separator \x09
-# path:'testing'
+# fields	a.val1	a.val2	b
-# separator:'	'
+# types	count	count	count
-# a.val1=count	a.val2=count	b=count
+# path	testing
 -	-	6
 1	2	3

testing/btest/Baseline/policy.frameworks.logging.vec/ssh.log

@@ -1,5 +1,5 @@
-# vec
+# separator \x09
-# path:'ssh'
+# fields	vec
-# separator:'	'
+# types	vector
-# vec=vector
+# path	ssh
 -,2,-,-,5

testing/btest/Baseline/policy.protocols.conn.known-hosts/knownhosts-all.log

@@ -1,7 +1,7 @@
-# ts	host
+# separator \x09
-# path:'known_hosts'
+# fields	ts	host
-# separator:'	'
+# types	time	addr
-# ts=time	host=addr
+# path	known_hosts
 1300475168.783842	141.142.220.118
 1300475168.783842	208.80.152.118
 1300475168.915940	208.80.152.3

testing/btest/Baseline/policy.protocols.conn.known-hosts/knownhosts-local.log

@@ -1,5 +1,5 @@
-# ts	host
+# separator \x09
-# path:'known_hosts'
+# fields	ts	host
-# separator:'	'
+# types	time	addr
-# ts=time	host=addr
+# path	known_hosts
 1300475168.783842	141.142.220.118

testing/btest/Baseline/policy.protocols.conn.known-hosts/knownhosts-remote.log

@@ -1,7 +1,7 @@
-# ts	host
+# separator \x09
-# path:'known_hosts'
+# fields	ts	host
-# separator:'	'
+# types	time	addr
-# ts=time	host=addr
+# path	known_hosts
 1300475168.783842	208.80.152.118
 1300475168.915940	208.80.152.3
 1300475168.962628	208.80.152.2

testing/btest/Baseline/policy.protocols.conn.known-services/knownservices-all.log

@@ -1,7 +1,7 @@
-# ts	host	port_num	port_proto	service
+# separator \x09
-# path:'known_services'
+# fields	ts	host	port_num	port_proto	service
-# separator:'	'
+# types	time	addr	port	enum	table
-# ts=time	host=addr	port_num=port	port_proto=enum	service=table
+# path	known_services
 1308930691.035044	172.16.238.131	22	tcp	SSH
 1308930694.548964	172.16.238.131	80	tcp	HTTP
 1308930716.457950	74.125.225.81	80	tcp	HTTP

testing/btest/Baseline/policy.protocols.conn.known-services/knownservices-local.log

@@ -1,7 +1,7 @@
-# ts	host	port_num	port_proto	service
+# separator \x09
-# path:'known_services'
+# fields	ts	host	port_num	port_proto	service
-# separator:'	'
+# types	time	addr	port	enum	table
-# ts=time	host=addr	port_num=port	port_proto=enum	service=table
+# path	known_services
 1308930691.035044	172.16.238.131	22	tcp	SSH
 1308930694.548964	172.16.238.131	80	tcp	HTTP
 1308930703.068148	172.16.238.131	21	tcp	FTP

testing/btest/Baseline/policy.protocols.conn.known-services/knownservices-remote.log

@@ -1,6 +1,6 @@
-# ts	host	port_num	port_proto	service
+# separator \x09
-# path:'known_services'
+# fields	ts	host	port_num	port_proto	service
-# separator:'	'
+# types	time	addr	port	enum	table
-# ts=time	host=addr	port_num=port	port_proto=enum	service=table
+# path	known_services
 1308930716.457950	74.125.225.81	80	tcp	HTTP
 1308930726.864150	141.142.192.39	22	tcp	SSH

testing/btest/Baseline/policy.protocols.dns.event-priority/dns.log

@@ -1,5 +1,5 @@
-# ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	QR	AA	TC	RD	RA	Z	TTL	answers	auth	addl
+# separator \x09
-# path:'dns'
+# fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	QR	AA	TC	RD	RA	Z	TTL	answers	auth	addl
-# separator:'	'
+# types	time	string	addr	port	addr	port	enum	count	string	count	string	count	string	count	string	bool	bool	bool	bool	bool	count	interval	table	table	table
-# ts=time	uid=string	id.orig_h=addr	id.orig_p=port	id.resp_h=addr	id.resp_p=port	proto=enum	trans_id=count	query=string	qclass=count	qclass_name=string	qtype=count	qtype_name=string	rcode=count	rcode_name=string	QR=bool	AA=bool	TC=bool	RD=bool	RA=bool	Z=count	TTL=interval	answers=table	auth=table	addl=table
+# path	dns
 930613226.529070	UWkUyAuUGXf	212.180.42.100	25000	131.243.64.3	53	tcp	34798	-	-	-	-	-	0	NOERROR	F	F	F	F	T	0	31337.0	4.3.2.1	-	-

testing/btest/Baseline/policy.protocols.http.http-mime-and-md5/http.log

@@ -1,7 +1,7 @@
-# ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	method	host	uri	referrer	user_agent	request_content_length	response_content_length	status_code	status_msg	filename	tags	username	password	proxied	mime_type	md5	extraction_file
+# separator \x09
-# path:'http'
+# fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	method	host	uri	referrer	user_agent	request_content_length	response_content_length	status_code	status_msg	filename	tags	username	password	proxied	mime_type	md5	extraction_file
-# separator:'	'
+# types	time	string	addr	port	addr	port	string	string	string	string	string	count	count	count	string	string	table	string	string	table	string	string	file
-# ts=time	uid=string	id.orig_h=addr	id.orig_p=port	id.resp_h=addr	id.resp_p=port	method=string	host=string	uri=string	referrer=string	user_agent=string	request_content_length=count	response_content_length=count	status_code=count	status_msg=string	filename=string	tags=table	username=string	password=string	proxied=table	mime_type=string	md5=string	extraction_file=file
+# path	http
 1258577884.844956	UWkUyAuUGXf	192.168.1.104	1673	63.245.209.11	80	GET	www.mozilla.org	/style/enhanced.css	http://www.mozilla.org/projects/calendar/	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5	-	946	200	OK	-	-	-	-	-	FAKE_MIME	-	-
 1258577884.960135	UWkUyAuUGXf	192.168.1.104	1673	63.245.209.11	80	GET	www.mozilla.org	/script/urchin.js	http://www.mozilla.org/projects/calendar/	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5	-	6716	200	OK	-	-	-	-	-	FAKE_MIME	-	-
 1258577885.317160	UWkUyAuUGXf	192.168.1.104	1673	63.245.209.11	80	GET	www.mozilla.org	/images/template/screen/bullet_utility.png	http://www.mozilla.org/style/screen.css	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5	-	94	200	OK	-	-	-	-	-	FAKE_MIME	-	-

testing/btest/Baseline/policy.protocols.http.http-pipelining/http.log

@@ -1,7 +1,7 @@
-# ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	method	host	uri	referrer	user_agent	request_content_length	response_content_length	status_code	status_msg	filename	tags	username	password	proxied	md5	extraction_file
+# separator \x09
-# path:'http'
+# fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	method	host	uri	referrer	user_agent	request_content_length	response_content_length	status_code	status_msg	filename	tags	username	password	proxied	md5	extraction_file
-# separator:'	'
+# types	time	string	addr	port	addr	port	string	string	string	string	string	count	count	count	string	string	table	string	string	table	string	file
-# ts=time	uid=string	id.orig_h=addr	id.orig_p=port	id.resp_h=addr	id.resp_p=port	method=string	host=string	uri=string	referrer=string	user_agent=string	request_content_length=count	response_content_length=count	status_code=count	status_msg=string	filename=string	tags=table	username=string	password=string	proxied=table	md5=string	extraction_file=file
+# path	http
 1258577884.844956	UWkUyAuUGXf	192.168.1.104	1673	63.245.209.11	80	GET	www.mozilla.org	/style/enhanced.css	http://www.mozilla.org/projects/calendar/	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5	-	946	200	OK	-	-	-	-	-	-	-
 1258577884.960135	UWkUyAuUGXf	192.168.1.104	1673	63.245.209.11	80	GET	www.mozilla.org	/script/urchin.js	http://www.mozilla.org/projects/calendar/	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5	-	6716	200	OK	-	-	-	-	-	-	-
 1258577885.317160	UWkUyAuUGXf	192.168.1.104	1673	63.245.209.11	80	GET	www.mozilla.org	/images/template/screen/bullet_utility.png	http://www.mozilla.org/style/screen.css	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5	-	94	200	OK	-	-	-	-	-	-	-

testing/btest/Baseline/policy.protocols.irc.basic/irc.log

@@ -1,7 +1,7 @@
-# ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	nick	user	channels	command	value	addl	tags	dcc_file_name	dcc_file_size	extraction_file
+# separator \x09
-# path:'irc'
+# fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	nick	user	channels	command	value	addl	tags	dcc_file_name	dcc_file_size	extraction_file
-# separator:'	'
+# types	time	string	addr	port	addr	port	string	string	table	string	string	string	table	string	count	file
-# ts=time	uid=string	id.orig_h=addr	id.orig_p=port	id.resp_h=addr	id.resp_p=port	nick=string	user=string	channels=table	command=string	value=string	addl=string	tags=table	dcc_file_name=string	dcc_file_size=count	extraction_file=file
+# path	irc
 1311189164.119437	UWkUyAuUGXf	192.168.1.77	57640	66.198.80.67	6667	-	-	-	NICK	bloed	-	-	-	-	-
 1311189164.119437	UWkUyAuUGXf	192.168.1.77	57640	66.198.80.67	6667	bloed	-	-	USER	sdkfje	sdkfje Montreal.QC.CA.Undernet.org dkdkrwq	-	-	-	-
 1311189174.474127	UWkUyAuUGXf	192.168.1.77	57640	66.198.80.67	6667	bloed	sdkfje	-	JOIN	#easymovies	-	-	-	-	-

testing/btest/Baseline/policy.protocols.irc.dcc-extract/irc.log

@@ -1,7 +1,7 @@
-# ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	nick	user	channels	command	value	addl	tags	dcc_file_name	dcc_file_size	dcc_mime_type	extraction_file
+# separator \x09
-# path:'irc'
+# fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	nick	user	channels	command	value	addl	tags	dcc_file_name	dcc_file_size	dcc_mime_type	extraction_file
-# separator:'	'
+# types	time	string	addr	port	addr	port	string	string	table	string	string	string	table	string	count	string	file
-# ts=time	uid=string	id.orig_h=addr	id.orig_p=port	id.resp_h=addr	id.resp_p=port	nick=string	user=string	channels=table	command=string	value=string	addl=string	tags=table	dcc_file_name=string	dcc_file_size=count	dcc_mime_type=string	extraction_file=file
+# path	irc
 1311189164.119437	UWkUyAuUGXf	192.168.1.77	57640	66.198.80.67	6667	-	-	-	NICK	bloed	-	-	-	-	-	-
 1311189164.119437	UWkUyAuUGXf	192.168.1.77	57640	66.198.80.67	6667	bloed	-	-	USER	sdkfje	sdkfje Montreal.QC.CA.Undernet.org dkdkrwq	-	-	-	-	-
 1311189174.474127	UWkUyAuUGXf	192.168.1.77	57640	66.198.80.67	6667	bloed	sdkfje	-	JOIN	#easymovies	-	-	-	-	-	-

testing/btest/Baseline/policy.protocols.smtp.basic/smtp.log

@@ -1,5 +1,5 @@
-# ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	mid	helo	mailfrom	rcptto	date	from	to	reply_to	msg_id	in_reply_to	subject	x_originating_ip	first_received	second_received	last_reply	path	user_agent
+# separator \x09
-# path:'smtp'
+# fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	mid	helo	mailfrom	rcptto	date	from	to	reply_to	msg_id	in_reply_to	subject	x_originating_ip	first_received	second_received	last_reply	path	user_agent
-# separator:'	'
+# types	time	string	addr	port	addr	port	string	string	string	table	string	string	table	string	string	string	string	addr	string	string	string	vector	string
-# ts=time	uid=string	id.orig_h=addr	id.orig_p=port	id.resp_h=addr	id.resp_p=port	mid=string	helo=string	mailfrom=string	rcptto=table	date=string	from=string	to=table	reply_to=string	msg_id=string	in_reply_to=string	subject=string	x_originating_ip=addr	first_received=string	second_received=string	last_reply=string	path=vector	user_agent=string
+# path	smtp
 1254722768.219663	56gKBmhBBB6	10.10.1.4	1470	74.53.140.153	25	@50da4BEzauh	GP	<gurpartap@patriots.in>	<raj_deol2002in@yahoo.co.in>	Mon, 5 Oct 2009 11:36:07 +0530	"Gurpartap Singh" <gurpartap@patriots.in>	<raj_deol2002in@yahoo.co.in>	-	<000301ca4581$ef9e57f0$cedb07d0$@in>	-	SMTP	-	-	-	250 OK id=1Mugho-0003Dg-Un	74.53.140.153,10.10.1.4	Microsoft Office Outlook 12.0

testing/btest/Baseline/policy.protocols.smtp.mime-extract/smtp_entities.log

@@ -1,7 +1,7 @@
-# ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	mid	filename	content_len	mime_type	md5	extraction_file	excerpt
+# separator \x09
-# path:'smtp_entities'
+# fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	mid	filename	content_len	mime_type	md5	extraction_file	excerpt
-# separator:'	'
+# types	time	string	addr	port	addr	port	string	string	count	string	string	file	string
-# ts=time	uid=string	id.orig_h=addr	id.orig_p=port	id.resp_h=addr	id.resp_p=port	mid=string	filename=string	content_len=count	mime_type=string	md5=string	extraction_file=file	excerpt=string
+# path	smtp_entities
 1254722770.692743	56gKBmhBBB6	10.10.1.4	1470	74.53.140.153	25	@50da4BEzauh	-	79	FAKE_MIME	-	smtp-entity_10.10.1.4:1470-74.53.140.153:25_1.dat	-
 1254722770.692743	56gKBmhBBB6	10.10.1.4	1470	74.53.140.153	25	@50da4BEzauh	-	1918	FAKE_MIME	-	-	-
 1254722770.692804	56gKBmhBBB6	10.10.1.4	1470	74.53.140.153	25	@50da4BEzauh	NEWS.txt	10823	FAKE_MIME	-	smtp-entity_10.10.1.4:1470-74.53.140.153:25_2.dat	-

testing/btest/Baseline/policy.protocols.smtp.mime/smtp_entities.log

@@ -1,7 +1,7 @@
-# ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	mid	filename	content_len	mime_type	md5	extraction_file	excerpt
+# separator \x09
-# path:'smtp_entities'
+# fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	mid	filename	content_len	mime_type	md5	extraction_file	excerpt
-# separator:'	'
+# types	time	string	addr	port	addr	port	string	string	count	string	string	file	string
-# ts=time	uid=string	id.orig_h=addr	id.orig_p=port	id.resp_h=addr	id.resp_p=port	mid=string	filename=string	content_len=count	mime_type=string	md5=string	extraction_file=file	excerpt=string
+# path	smtp_entities
 1254722770.692743	56gKBmhBBB6	10.10.1.4	1470	74.53.140.153	25	@50da4BEzauh	-	79	FAKE_MIME	92bca2e6cdcde73647125da7dccbdd07	-	-
 1254722770.692743	56gKBmhBBB6	10.10.1.4	1470	74.53.140.153	25	@50da4BEzauh	-	1918	FAKE_MIME	-	-	-
 1254722770.692804	56gKBmhBBB6	10.10.1.4	1470	74.53.140.153	25	@50da4BEzauh	NEWS.txt	10823	FAKE_MIME	a968bb0f9f9d95835b2e74c845877e87	-	-

testing/btest/btest.cfg

@@ -1,4 +1,5 @@
 [btest]
+ProfileDir 	= profiles
 TestDirs    = doc bifs language core policy istate
 TmpDir      = %(testbase)s/.tmp
 BaselineDir = %(testbase)s/Baseline

testing/btest/profiles/default/finish

@@ -0,0 +1,2 @@
+#!/usr/bin/env bash
+

testing/btest/profiles/default/setup

@@ -0,0 +1,2 @@
+#!/usr/bin/env bash
+

testing/btest/profiles/default/supported

@@ -0,0 +1,2 @@
+#!/usr/bin/env bash
+

testing/btest/profiles/default/transform

@@ -0,0 +1,2 @@
+#!/usr/bin/env bash
+