Move EventMgr, EventHandler, and EventRegistry code to zeek namespace. Rename mgr to event_mgr.

auxil/bifcl

@@ -1 +1 @@
-Subproject commit 462ac3bd3a7ae0d30378e36ca2fe771c53a0a23e
+Subproject commit dd076490debfa2071861eaa24715432f14b9d801

src/Anon.cc

@@ -444,7 +444,7 @@ ipaddr32_t zeek::detail::anonymize_ip(ipaddr32_t ip, enum ip_addr_anonymization_
 void zeek::detail::log_anonymization_mapping(ipaddr32_t input, ipaddr32_t output)
 	{
 	if ( anonymization_mapping )
-		mgr.Enqueue(anonymization_mapping,
+		zeek::event_mgr.Enqueue(anonymization_mapping,
 		                        zeek::make_intrusive<zeek::AddrVal>(input),
 		                        zeek::make_intrusive<AddrVal>(output)
 		);

src/Conn.cc

@@ -253,7 +253,7 @@ bool Connection::ScaledHistoryEntry(char code, uint32_t& counter,
 	return false;
 	}
 
-void Connection::HistoryThresholdEvent(EventHandlerPtr e, bool is_orig,
+void Connection::HistoryThresholdEvent(zeek::EventHandlerPtr e, bool is_orig,
                                        uint32_t threshold)
 	{
 	if ( ! e )
@@ -466,7 +466,7 @@ void Connection::RemovalEvent()
 		EnqueueEvent(successful_connection_remove, nullptr, ConnVal());
 	}
 
-void Connection::Event(EventHandlerPtr f, zeek::analyzer::Analyzer* analyzer, const char* name)
+void Connection::Event(zeek::EventHandlerPtr f, zeek::analyzer::Analyzer* analyzer, const char* name)
 	{
 	if ( ! f )
 		return;
@@ -477,7 +477,7 @@ void Connection::Event(EventHandlerPtr f, zeek::analyzer::Analyzer* analyzer, co
 		EnqueueEvent(f, analyzer, ConnVal());
 	}
 
-void Connection::Event(EventHandlerPtr f, zeek::analyzer::Analyzer* analyzer, zeek::Val* v1, zeek::Val* v2)
+void Connection::Event(zeek::EventHandlerPtr f, zeek::analyzer::Analyzer* analyzer, zeek::Val* v1, zeek::Val* v2)
 	{
 	if ( ! f )
 		{
@@ -497,7 +497,7 @@ void Connection::Event(EventHandlerPtr f, zeek::analyzer::Analyzer* analyzer, ze
 		             zeek::IntrusivePtr{zeek::AdoptRef{}, v1});
 	}
 
-void Connection::ConnectionEvent(EventHandlerPtr f, zeek::analyzer::Analyzer* a, val_list vl)
+void Connection::ConnectionEvent(zeek::EventHandlerPtr f, zeek::analyzer::Analyzer* a, val_list vl)
 	{
 	auto args = zeek::val_list_to_args(vl);
 
@@ -507,17 +507,17 @@ void Connection::ConnectionEvent(EventHandlerPtr f, zeek::analyzer::Analyzer* a,
 		return;
 
 	// "this" is passed as a cookie for the event
-	mgr.Enqueue(f, std::move(args), SOURCE_LOCAL, a ? a->GetID() : 0, this);
+	zeek::event_mgr.Enqueue(f, std::move(args), SOURCE_LOCAL, a ? a->GetID() : 0, this);
 	}
 
-void Connection::ConnectionEventFast(EventHandlerPtr f, zeek::analyzer::Analyzer* a, val_list vl)
+void Connection::ConnectionEventFast(zeek::EventHandlerPtr f, zeek::analyzer::Analyzer* a, val_list vl)
 	{
 	// "this" is passed as a cookie for the event
-	mgr.Enqueue(f, zeek::val_list_to_args(vl), SOURCE_LOCAL,
+	zeek::event_mgr.Enqueue(f, zeek::val_list_to_args(vl), SOURCE_LOCAL,
 	                        a ? a->GetID() : 0, this);
 	}
 
-void Connection::ConnectionEvent(EventHandlerPtr f, zeek::analyzer::Analyzer* a, val_list* vl)
+void Connection::ConnectionEvent(zeek::EventHandlerPtr f, zeek::analyzer::Analyzer* a, val_list* vl)
 	{
 	auto args = zeek::val_list_to_args(*vl);
 	delete vl;
@@ -526,11 +526,11 @@ void Connection::ConnectionEvent(EventHandlerPtr f, zeek::analyzer::Analyzer* a,
 		EnqueueEvent(f, a, std::move(args));
 	}
 
-void Connection::EnqueueEvent(EventHandlerPtr f, zeek::analyzer::Analyzer* a,
+void Connection::EnqueueEvent(zeek::EventHandlerPtr f, zeek::analyzer::Analyzer* a,
                               zeek::Args args)
 	{
 	// "this" is passed as a cookie for the event
-	mgr.Enqueue(f, std::move(args), SOURCE_LOCAL, a ? a->GetID() : 0, this);
+	zeek::event_mgr.Enqueue(f, std::move(args), SOURCE_LOCAL, a ? a->GetID() : 0, this);
 	}
 
 void Connection::Weird(const char* name, const char* addl)

src/Conn.h

@@ -191,20 +191,20 @@ public:
 	// given that event's first argument will be it, and it's second will be
 	// the connection value.  If 'name' is null, then the event's first
 	// argument is the connection value.
-	void Event(EventHandlerPtr f, zeek::analyzer::Analyzer* analyzer, const char* name = nullptr);
+	void Event(zeek::EventHandlerPtr f, zeek::analyzer::Analyzer* analyzer, const char* name = nullptr);
 
 	// If a handler exists for 'f', an event will be generated.  In any case,
 	// 'v1' and 'v2' reference counts get decremented.  The event's first
 	// argument is the connection value, second argument is 'v1', and if 'v2'
 	// is given that will be it's third argument.
 	[[deprecated("Remove in v4.1.  Use EnqueueEvent() instead (note it doesn't automatically add the connection argument).")]]
-	void Event(EventHandlerPtr f, zeek::analyzer::Analyzer* analyzer, zeek::Val* v1, zeek::Val* v2 = nullptr);
+	void Event(zeek::EventHandlerPtr f, zeek::analyzer::Analyzer* analyzer, zeek::Val* v1, zeek::Val* v2 = nullptr);
 
 	// If a handler exists for 'f', an event will be generated.  In any case,
 	// reference count for each element in the 'vl' list are decremented.  The
 	// arguments used for the event are whatevever is provided in 'vl'.
 	[[deprecated("Remove in v4.1.  Use EnqueueEvent() instead.")]]
-	void ConnectionEvent(EventHandlerPtr f, zeek::analyzer::Analyzer* analyzer,
+	void ConnectionEvent(zeek::EventHandlerPtr f, zeek::analyzer::Analyzer* analyzer,
 				val_list vl);
 
 	// Same as ConnectionEvent, except taking the event's argument list via a
@@ -212,7 +212,7 @@ public:
 	// memory pointed to by 'vl' and also for decrementing the reference count
 	// of each of its elements.
 	[[deprecated("Remove in v4.1.  Use EnqueueEvent() instead.")]]
-	void ConnectionEvent(EventHandlerPtr f, zeek::analyzer::Analyzer* analyzer,
+	void ConnectionEvent(zeek::EventHandlerPtr f, zeek::analyzer::Analyzer* analyzer,
 				val_list* vl);
 
 	// Queues an event without first checking if there's any available event
@@ -224,13 +224,13 @@ public:
 	// it would be a waste of effort to construct all the event arguments when
 	// there's no handlers to consume them).
 	[[deprecated("Remove in v4.1.  Use EnqueueEvent() instead.")]]
-	void ConnectionEventFast(EventHandlerPtr f, zeek::analyzer::Analyzer* analyzer,
+	void ConnectionEventFast(zeek::EventHandlerPtr f, zeek::analyzer::Analyzer* analyzer,
 				val_list vl);
 
 	/**
 	 * Enqueues an event associated with this connection and given analyzer.
 	 */
-	void EnqueueEvent(EventHandlerPtr f, zeek::analyzer::Analyzer* analyzer,
+	void EnqueueEvent(zeek::EventHandlerPtr f, zeek::analyzer::Analyzer* analyzer,
 	                  zeek::Args args);
 
 	/**
@@ -240,7 +240,7 @@ public:
 	std::enable_if_t<
 		std::is_convertible_v<
 			std::tuple_element_t<0, std::tuple<Args...>>, zeek::ValPtr>>
-	EnqueueEvent(EventHandlerPtr h, zeek::analyzer::Analyzer* analyzer, Args&&... args)
+	EnqueueEvent(zeek::EventHandlerPtr h, zeek::analyzer::Analyzer* analyzer, Args&&... args)
 		{ return EnqueueEvent(h, analyzer, zeek::Args{std::forward<Args>(args)...}); }
 
 	void Weird(const char* name, const char* addl = "");
@@ -296,7 +296,7 @@ public:
 	                        uint32_t& scaling_threshold,
 	                        uint32_t scaling_base = 10);
 
-	void HistoryThresholdEvent(EventHandlerPtr e, bool is_orig,
+	void HistoryThresholdEvent(zeek::EventHandlerPtr e, bool is_orig,
 	                           uint32_t threshold);
 
 	void AddHistory(char code)	{ history += code; }

src/DNS_Mgr.cc

@@ -696,7 +696,7 @@ void DNS_Mgr::Event(EventHandlerPtr e, DNS_Mapping* dm)
 	if ( ! e )
 		return;
 
-	mgr.Enqueue(e, BuildMappingVal(dm));
+	zeek::event_mgr.Enqueue(e, BuildMappingVal(dm));
 	}
 
 void DNS_Mgr::Event(EventHandlerPtr e, DNS_Mapping* dm,
@@ -705,7 +705,7 @@ void DNS_Mgr::Event(EventHandlerPtr e, DNS_Mapping* dm,
 	if ( ! e )
 		return;
 
-	mgr.Enqueue(e, BuildMappingVal(dm), l1->ToSetVal(), l2->ToSetVal());
+	zeek::event_mgr.Enqueue(e, BuildMappingVal(dm), l1->ToSetVal(), l2->ToSetVal());
 	}
 
 void DNS_Mgr::Event(EventHandlerPtr e, DNS_Mapping* old_dm, DNS_Mapping* new_dm)
@@ -713,7 +713,7 @@ void DNS_Mgr::Event(EventHandlerPtr e, DNS_Mapping* old_dm, DNS_Mapping* new_dm)
 	if ( ! e )
 		return;
 
-	mgr.Enqueue(e, BuildMappingVal(old_dm), BuildMappingVal(new_dm));
+	zeek::event_mgr.Enqueue(e, BuildMappingVal(old_dm), BuildMappingVal(new_dm));
 	}
 
 zeek::ValPtr DNS_Mgr::BuildMappingVal(DNS_Mapping* dm)

src/DNS_Mgr.h

@@ -13,8 +13,7 @@
 #include "IPAddr.h"
 #include "util.h"
 
-class EventHandler;
-
+ZEEK_FORWARD_DECLARE_NAMESPACED(EventHandler, zeek);
 ZEEK_FORWARD_DECLARE_NAMESPACED(DNS_Mgr_Request, zeek::detail);
 ZEEK_FORWARD_DECLARE_NAMESPACED(RecordType, zeek);
 ZEEK_FORWARD_DECLARE_NAMESPACED(Val, zeek);
@@ -106,10 +105,10 @@ protected:
 	friend class LookupCallback;
 	friend class DNS_Mgr_Request;
 
-	void Event(EventHandlerPtr e, DNS_Mapping* dm);
-	void Event(EventHandlerPtr e, DNS_Mapping* dm,
+	void Event(zeek::EventHandlerPtr e, DNS_Mapping* dm);
+	void Event(zeek::EventHandlerPtr e, DNS_Mapping* dm,
 	           zeek::ListValPtr l1, zeek::ListValPtr l2);
-	void Event(EventHandlerPtr e, DNS_Mapping* old_dm, DNS_Mapping* new_dm);
+	void Event(zeek::EventHandlerPtr e, DNS_Mapping* old_dm, DNS_Mapping* new_dm);
 
 	zeek::ValPtr BuildMappingVal(DNS_Mapping* dm);
 

src/Event.cc

@@ -13,10 +13,10 @@
 #include "iosource/PktSrc.h"
 #include "Net.h"
 
-EventMgr mgr;
+zeek::EventMgr zeek::event_mgr;
+zeek::EventMgr& mgr = zeek::event_mgr;
 
-uint64_t num_events_queued = 0;
-uint64_t num_events_dispatched = 0;
+namespace zeek {
 
 Event::Event(EventHandlerPtr arg_handler, zeek::Args arg_args,
              SourceID arg_src, zeek::analyzer::ID arg_aid, Obj* arg_obj)
@@ -145,7 +145,7 @@ void EventMgr::QueueEvent(Event* event)
 		tail = event;
 		}
 
-	++num_events_queued;
+	++event_mgr.num_events_queued;
 	}
 
 void EventMgr::Dispatch(Event* event, bool no_remote)
@@ -188,7 +188,7 @@ void EventMgr::Drain()
 			current->Dispatch();
 			Unref(current);
 
-			++num_events_dispatched;
+			++event_mgr.num_events_dispatched;
 			current = next;
 			}
 		}
@@ -244,3 +244,5 @@ void EventMgr::InitPostScript()
 	if ( ! iosource_mgr->RegisterFd(queue_flare.FD(), this) )
 		zeek::reporter->FatalError("Failed to register event manager FD with iosource_mgr");
 	}
+
+} // namespace zeek

src/Event.h

@@ -12,7 +12,9 @@
 #include <tuple>
 #include <type_traits>
 
-class EventMgr;
+ZEEK_FORWARD_DECLARE_NAMESPACED(EventMgr, zeek);
+
+namespace zeek {
 
 class Event final : public zeek::Obj {
 public:
@@ -45,9 +47,6 @@ protected:
 	Event* next_event;
 };
 
-extern uint64_t num_events_queued;
-extern uint64_t num_events_dispatched;
-
 class EventMgr final : public zeek::Obj, public iosource::IOSource {
 public:
 	EventMgr();
@@ -136,6 +135,9 @@ public:
 	const char* Tag() override { return "EventManager"; }
 	void InitPostScript();
 
+	uint64_t num_events_queued = 0;
+	uint64_t num_events_dispatched = 0;
+
 protected:
 	void QueueEvent(Event* event);
 
@@ -148,4 +150,13 @@ protected:
 	zeek::detail::Flare queue_flare;
 };
 
-extern EventMgr mgr;
+extern EventMgr event_mgr;
+
+} // namespace zeek
+
+using Event [[deprecated("Remove in v4.1. Use zeek::Event.")]] = zeek::Event;
+using EventMgr [[deprecated("Remove in v4.1. Use zeek::EventMgr.")]] = zeek::EventMgr;
+extern zeek::EventMgr& mgr [[deprecated("Remove in v4.1. Use zeek::event_mgr")]];
+
+extern uint64_t& num_events_queued [[deprecated("Remove in v4.1. Use zeek::event_mgr.num_events_queued")]];
+extern uint64_t& num_events_dispatched [[deprecated("Remove in v4.1. Use zeek::event_mgr.num_events_dispatched")]];

src/EventHandler.cc

@@ -10,6 +10,8 @@
 #include "broker/Manager.h"
 #include "broker/Data.h"
 
+namespace zeek {
+
 EventHandler::EventHandler(std::string arg_name)
 	{
 	name = std::move(arg_name);
@@ -118,9 +120,11 @@ void EventHandler::NewEvent(zeek::Args* vl)
 
 	auto vargs = zeek::MakeCallArgumentVector(*vl, GetType()->Params());
 
-	Event* ev = new Event(new_event, {
+	auto ev = new zeek::Event(new_event, {
 			zeek::make_intrusive<zeek::StringVal>(name),
 			std::move(vargs),
 			});
-	mgr.Dispatch(ev);
+	zeek::event_mgr.Dispatch(ev);
 	}
+
+} // namespace zeek

src/EventHandler.h

@@ -10,9 +10,9 @@
 #include <string>
 
 ZEEK_FORWARD_DECLARE_NAMESPACED(Func, zeek);
+
 namespace zeek {
 using FuncPtr = zeek::IntrusivePtr<zeek::Func>;
-}
 
 class EventHandler {
 public:
@@ -104,3 +104,8 @@ public:
 private:
 	EventHandler* handler;
 };
+
+} // namespace zeek
+
+using EventHandler [[deprecated("Remove in v4.1. Use zeek::EventHandler.")]] = zeek::EventHandler;
+using EventHandlerPtr [[deprecated("Remove in v4.1. Use zeek::EventHandlerPtr.")]] = zeek::EventHandlerPtr;

src/EventRegistry.cc

@@ -4,14 +4,16 @@
 #include "RE.h"
 #include "Reporter.h"
 
+namespace zeek {
+
 EventRegistry::EventRegistry() = default;
 EventRegistry::~EventRegistry() noexcept = default;
 
-EventHandlerPtr EventRegistry::Register(std::string_view name)
+zeek::EventHandlerPtr EventRegistry::Register(std::string_view name)
 	{
 	// If there already is an entry in the registry, we have a
 	// local handler on the script layer.
-	EventHandler* h = event_registry->Lookup(name);
+	zeek::EventHandler* h = event_registry->Lookup(name);
 
 	if ( h )
 		{
@@ -19,7 +21,7 @@ EventHandlerPtr EventRegistry::Register(std::string_view name)
 		return h;
 		}
 
-	h = new EventHandler(std::string(name));
+	h = new zeek::EventHandler(std::string(name));
 	event_registry->Register(h);
 
 	h->SetUsed();
@@ -27,12 +29,12 @@ EventHandlerPtr EventRegistry::Register(std::string_view name)
 	return h;
 	}
 
-void EventRegistry::Register(EventHandlerPtr handler)
+void EventRegistry::Register(zeek::EventHandlerPtr handler)
 	{
-	handlers[std::string(handler->Name())] = std::unique_ptr<EventHandler>(handler.Ptr());
+	handlers[std::string(handler->Name())] = std::unique_ptr<zeek::EventHandler>(handler.Ptr());
 	}
 
-EventHandler* EventRegistry::Lookup(std::string_view name)
+zeek::EventHandler* EventRegistry::Lookup(std::string_view name)
 	{
 	auto it = handlers.find(name);
 	if ( it != handlers.end() )
@@ -47,7 +49,7 @@ EventRegistry::string_list EventRegistry::Match(zeek::RE_Matcher* pattern)
 
 	for ( const auto& entry : handlers )
 		{
-		EventHandler* v = entry.second.get();
+		zeek::EventHandler* v = entry.second.get();
 		if ( v->GetFunc() && pattern->MatchExactly(v->Name()) )
 			names.push_back(entry.first);
 		}
@@ -61,7 +63,7 @@ EventRegistry::string_list EventRegistry::UnusedHandlers()
 
 	for ( const auto& entry : handlers )
 		{
-		EventHandler* v = entry.second.get();
+		zeek::EventHandler* v = entry.second.get();
 		if ( v->GetFunc() && ! v->Used() )
 			names.push_back(entry.first);
 		}
@@ -75,7 +77,7 @@ EventRegistry::string_list EventRegistry::UsedHandlers()
 
 	for ( const auto& entry : handlers )
 		{
-		EventHandler* v = entry.second.get();
+		zeek::EventHandler* v = entry.second.get();
 		if ( v->GetFunc() && v->Used() )
 			names.push_back(entry.first);
 		}
@@ -99,7 +101,7 @@ void EventRegistry::PrintDebug()
 	{
 	for ( const auto& entry : handlers )
 		{
-		EventHandler* v = entry.second.get();
+		zeek::EventHandler* v = entry.second.get();
 		fprintf(stderr, "Registered event %s (%s handler / %s)\n", v->Name(),
 				v->GetFunc() ? "local" : "no",
 				*v ? "active" : "not active"
@@ -109,7 +111,7 @@ void EventRegistry::PrintDebug()
 
 void EventRegistry::SetErrorHandler(std::string_view name)
 	{
-	EventHandler* eh = Lookup(name);
+	zeek::EventHandler* eh = Lookup(name);
 
 	if ( eh )
 		{
@@ -120,3 +122,5 @@ void EventRegistry::SetErrorHandler(std::string_view name)
 	zeek::reporter->InternalWarning("unknown event handler '%s' in SetErrorHandler()",
 	                                std::string(name).c_str());
 	}
+
+} // namespace zeek

src/EventRegistry.h

@@ -10,10 +10,12 @@
 #include <string_view>
 #include <vector>
 
-class EventHandler;
-class EventHandlerPtr;
+ZEEK_FORWARD_DECLARE_NAMESPACED(EventHandler, zeek);
+ZEEK_FORWARD_DECLARE_NAMESPACED(EventHandlerPtr, zeek);
 ZEEK_FORWARD_DECLARE_NAMESPACED(RE_Matcher, zeek);
 
+namespace zeek {
+
 // The registry keeps track of all events that we provide or handle.
 class EventRegistry {
 public:
@@ -26,12 +28,12 @@ public:
 	 * @param name  The name of the event handler to lookup/register.
 	 * @return  The event handler.
 	 */
-	EventHandlerPtr Register(std::string_view name);
+	zeek::EventHandlerPtr Register(std::string_view name);
 
-	void Register(EventHandlerPtr handler);
+	void Register(zeek::EventHandlerPtr handler);
 
 	// Return nil if unknown.
-	EventHandler* Lookup(std::string_view name);
+	zeek::EventHandler* Lookup(std::string_view name);
 
 	// Returns a list of all local handlers that match the given pattern.
 	// Passes ownership of list.
@@ -50,7 +52,12 @@ public:
 	void PrintDebug();
 
 private:
-	std::map<std::string, std::unique_ptr<EventHandler>, std::less<>> handlers;
+	std::map<std::string, std::unique_ptr<zeek::EventHandler>, std::less<>> handlers;
 };
 
 extern EventRegistry* event_registry;
+
+} // namespace zeek
+
+using EventRegistry [[deprecated("Remove in v4.1. Use zeek::EventRegistry.")]] = zeek::EventRegistry;
+extern zeek::EventRegistry*& event_registry;

src/Expr.cc

@@ -273,7 +273,7 @@ NameExpr::NameExpr(zeek::detail::IDPtr arg_id, bool const_init)
 	else
 		SetType(id->GetType());
 
-	EventHandler* h = event_registry->Lookup(id->Name());
+	EventHandler* h = zeek::event_registry->Lookup(id->Name());
 	if ( h )
 		h->SetUsed();
 	}
@@ -3839,7 +3839,7 @@ ScheduleTimer::~ScheduleTimer()
 void ScheduleTimer::Dispatch(double /* t */, bool /* is_expire */)
 	{
 	if ( event )
-		mgr.Enqueue(event, std::move(args));
+		zeek::event_mgr.Enqueue(event, std::move(args));
 	}
 
 ScheduleExpr::ScheduleExpr(ExprPtr arg_when, EventExprPtr arg_event)
@@ -4310,12 +4310,12 @@ TraversalCode LambdaExpr::Traverse(TraversalCallback* cb) const
 EventExpr::EventExpr(const char* arg_name, ListExprPtr arg_args)
 	: Expr(EXPR_EVENT), name(arg_name), args(std::move(arg_args))
 	{
-	EventHandler* h = event_registry->Lookup(name);
+	EventHandler* h = zeek::event_registry->Lookup(name);
 
 	if ( ! h )
 		{
 		h = new EventHandler(name.c_str());
-		event_registry->Register(h);
+		zeek::event_registry->Register(h);
 		}
 
 	h->SetUsed();
@@ -4357,7 +4357,7 @@ ValPtr EventExpr::Eval(Frame* f) const
 	auto v = eval_list(f, args.get());
 
 	if ( handler )
-		mgr.Enqueue(handler, std::move(*v));
+		zeek::event_mgr.Enqueue(handler, std::move(*v));
 
 	return nullptr;
 	}

src/File.cc

@@ -331,8 +331,8 @@ void File::RaiseOpenEvent()
 		return;
 
 	FilePtr bf{zeek::NewRef{}, this};
-	Event* event = new ::Event(::file_opened, {zeek::make_intrusive<zeek::Val>(std::move(bf))});
-	mgr.Dispatch(event, true);
+	auto* event = new zeek::Event(::file_opened, {zeek::make_intrusive<zeek::Val>(std::move(bf))});
+	zeek::event_mgr.Dispatch(event, true);
 	}
 
 double File::Size()

src/ID.cc

@@ -159,12 +159,12 @@ void ID::SetVal(zeek::ValPtr v)
 	     type->Tag() == TYPE_FUNC &&
 	     type->AsFuncType()->Flavor() == FUNC_FLAVOR_EVENT )
 		{
-		EventHandler* handler = event_registry->Lookup(name);
+		EventHandler* handler = zeek::event_registry->Lookup(name);
 		if ( ! handler )
 			{
 			handler = new EventHandler(name);
 			handler->SetFunc(val->AsFuncPtr());
-			event_registry->Register(handler);
+			zeek::event_registry->Register(handler);
 			}
 		else
 			{
@@ -250,7 +250,7 @@ void ID::UpdateValAttrs()
 		const auto& attr = attrs->Find(ATTR_ERROR_HANDLER);
 
 		if ( attr )
-			event_registry->SetErrorHandler(Name());
+			zeek::event_registry->SetErrorHandler(Name());
 		}
 
 	if ( GetType()->Tag() == TYPE_RECORD )

src/Net.cc

@@ -227,7 +227,7 @@ void net_packet_dispatch(double t, const Packet* pkt, iosource::PktSrc* src_ps)
 		bro_start_network_time = t;
 
 		if ( network_time_init )
-			mgr.Enqueue(network_time_init, zeek::Args{});
+			zeek::event_mgr.Enqueue(network_time_init, zeek::Args{});
 		}
 
 	// network_time never goes back.
@@ -252,7 +252,7 @@ void net_packet_dispatch(double t, const Packet* pkt, iosource::PktSrc* src_ps)
 			{
 			// Drain the queued timer events so they're not
 			// charged against this sample.
-			mgr.Drain();
+			zeek::event_mgr.Drain();
 
 			sample_logger = new SampleLogger();
 			sp = new SegmentProfiler(sample_logger, "load-samp");
@@ -260,7 +260,7 @@ void net_packet_dispatch(double t, const Packet* pkt, iosource::PktSrc* src_ps)
 		}
 
 	sessions->NextPacket(t, pkt);
-	mgr.Drain();
+	zeek::event_mgr.Drain();
 
 	if ( sp )
 		{
@@ -325,7 +325,7 @@ void net_run()
 			expire_timers();
 			}
 
-		mgr.Drain();
+		zeek::event_mgr.Drain();
 
 		processing_start_time = 0.0;	// = "we're not processing now"
 		current_dispatched = 0;
@@ -387,7 +387,7 @@ void net_finish(int drain_events)
 		if ( sessions )
 			sessions->Drain();
 
-		mgr.Drain();
+		zeek::event_mgr.Drain();
 
 		if ( sessions )
 			sessions->Done();

src/Reporter.cc

@@ -579,7 +579,7 @@ void Reporter::DoLog(const char* prefix, EventHandlerPtr event, FILE* out,
 		if ( conn )
 			conn->EnqueueEvent(event, nullptr, std::move(vl));
 		else
-			mgr.Enqueue(event, std::move(vl));
+			zeek::event_mgr.Enqueue(event, std::move(vl));
 		}
 	else
 		{

src/Reporter.h

@@ -18,7 +18,7 @@
 ZEEK_FORWARD_DECLARE_NAMESPACED(Analyzer, zeek, analyzer);
 namespace file_analysis { class File; }
 class Connection;
-class EventHandlerPtr;
+ZEEK_FORWARD_DECLARE_NAMESPACED(EventHandlerPtr, zeek);
 ZEEK_FORWARD_DECLARE_NAMESPACED(RecordVal, zeek);
 ZEEK_FORWARD_DECLARE_NAMESPACED(StringVal, zeek);
 ZEEK_FORWARD_DECLARE_NAMESPACED(Location, zeek::detail);
@@ -259,13 +259,13 @@ public:
 		{ after_zeek_init = true; }
 
 private:
-	void DoLog(const char* prefix, EventHandlerPtr event, FILE* out,
+	void DoLog(const char* prefix, zeek::EventHandlerPtr event, FILE* out,
 		   Connection* conn, val_list* addl, bool location, bool time,
 		   const char* postfix, const char* fmt, va_list ap) __attribute__((format(printf, 10, 0)));
 
 	// WeirdHelper doesn't really have to be variadic, but it calls DoLog
 	// and that takes va_list anyway.
-	void WeirdHelper(EventHandlerPtr event, val_list vl, const char* fmt_name, ...) __attribute__((format(printf, 4, 5)));;
+	void WeirdHelper(zeek::EventHandlerPtr event, val_list vl, const char* fmt_name, ...) __attribute__((format(printf, 4, 5)));;
 	void UpdateWeirdStats(const char* name);
 	inline bool WeirdOnSamplingWhiteList(const char* name)
 		{ return weird_sampling_whitelist.find(name) != weird_sampling_whitelist.end(); }

src/RuleAction.cc

@@ -23,7 +23,8 @@ void RuleActionEvent::DoAction(const Rule* parent, RuleEndpointState* state,
                                const u_char* data, int len)
 	{
 	if ( signature_match )
-		mgr.Enqueue(signature_match,
+		zeek::event_mgr.Enqueue(
+			signature_match,
 			zeek::IntrusivePtr{zeek::AdoptRef{}, rule_matcher->BuildRuleStateValue(parent, state)},
 			zeek::make_intrusive<zeek::StringVal>(msg),
 			data ? zeek::make_intrusive<zeek::StringVal>(len, (const char*)data) : zeek::val_mgr->EmptyString()

src/Sessions.cc

@@ -124,7 +124,7 @@ void NetSessions::NextPacket(double t, const Packet* pkt)
 	SegmentProfiler prof(segment_logger, "dispatching-packet");
 
 	if ( raw_packet )
-		mgr.Enqueue(raw_packet, pkt->ToRawPktHdrVal());
+		zeek::event_mgr.Enqueue(raw_packet, pkt->ToRawPktHdrVal());
 
 	if ( pkt_profiler )
 		pkt_profiler->ProfilePkt(t, pkt->cap_len);
@@ -328,7 +328,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const zeek::IP_Hdr*
 		{
 		dump_this_packet = true;
 		if ( esp_packet )
-			mgr.Enqueue(esp_packet, ip_hdr->ToPktHdrVal());
+			zeek::event_mgr.Enqueue(esp_packet, ip_hdr->ToPktHdrVal());
 
 		// Can't do more since upper-layer payloads are going to be encrypted.
 		return;
@@ -348,7 +348,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const zeek::IP_Hdr*
 			}
 
 		if ( mobile_ipv6_message )
-			mgr.Enqueue(mobile_ipv6_message, ip_hdr->ToPktHdrVal());
+			zeek::event_mgr.Enqueue(mobile_ipv6_message, ip_hdr->ToPktHdrVal());
 
 		if ( ip_hdr->NextProto() != IPPROTO_NONE )
 			Weird("mobility_piggyback", pkt, encapsulation);

src/Stats.cc

@@ -312,7 +312,7 @@ void ProfileLogger::Log()
 	// (and for consistency we dispatch it *now*)
 	if ( profiling_update )
 		{
-		mgr.Dispatch(new Event(profiling_update, {
+		zeek::event_mgr.Dispatch(new zeek::Event(profiling_update, {
 					zeek::make_intrusive<zeek::Val>(zeek::IntrusivePtr{zeek::NewRef{}, file}),
 					zeek::val_mgr->Bool(expensive),
 					}));
@@ -369,7 +369,7 @@ void SampleLogger::SegmentProfile(const char* /* name */,
                                   double dtime, int dmem)
 	{
 	if ( load_sample )
-		mgr.Enqueue(load_sample,
+		zeek::event_mgr.Enqueue(load_sample,
 		                        zeek::IntrusivePtr{zeek::NewRef{}, load_samples},
 		                        zeek::make_intrusive<zeek::IntervalVal>(dtime, Seconds),
 		                        zeek::val_mgr->Int(dmem)

src/Stmt.cc

@@ -982,7 +982,7 @@ ValPtr EventStmt::Exec(Frame* f, stmt_flow_type& flow) const
 	auto h = event_expr->Handler();
 
 	if ( args && h )
-		mgr.Enqueue(h, std::move(*args));
+		zeek::event_mgr.Enqueue(h, std::move(*args));
 
 	flow = FLOW_NEXT;
 	return nullptr;

src/Var.cc

@@ -857,7 +857,7 @@ zeek::Func* internal_func(const char* name)
 		return nullptr;
 	}
 
-EventHandlerPtr internal_handler(const char* name)
+zeek::EventHandlerPtr internal_handler(const char* name)
 	{
-	return event_registry->Register(name);
+	return zeek::event_registry->Register(name);
 	}

src/Var.h

@@ -6,8 +6,7 @@
 #include "ID.h"
 #include "Type.h"
 
-class EventHandlerPtr;
-
+ZEEK_FORWARD_DECLARE_NAMESPACED(EventHandlerPtr, zeek);
 ZEEK_FORWARD_DECLARE_NAMESPACED(StringVal, zeek);
 ZEEK_FORWARD_DECLARE_NAMESPACED(TableVal, zeek);
 ZEEK_FORWARD_DECLARE_NAMESPACED(ListVal, zeek);
@@ -88,5 +87,5 @@ extern zeek::Type* internal_type(const char* name);
 [[deprecated("Remove in v4.1.  Use zeek::id::find_func().")]]
 extern zeek::Func* internal_func(const char* name);
 
-[[deprecated("Remove in v4.1.  Use event_registry->Register().")]]
-extern EventHandlerPtr internal_handler(const char* name);
+[[deprecated("Remove in v4.1.  Use zeek::event_registry->Register().")]]
+extern zeek::EventHandlerPtr internal_handler(const char* name);

src/analyzer/Analyzer.cc

@@ -702,7 +702,7 @@ void Analyzer::ProtocolConfirmation(Tag arg_tag)
 		return;
 
 	const auto& tval = arg_tag ? arg_tag.AsVal() : tag.AsVal();
-	mgr.Enqueue(protocol_confirmation, ConnVal(), tval, zeek::val_mgr->Count(id));
+	zeek::event_mgr.Enqueue(protocol_confirmation, ConnVal(), tval, zeek::val_mgr->Count(id));
 	}
 
 void Analyzer::ProtocolViolation(const char* reason, const char* data, int len)
@@ -724,7 +724,7 @@ void Analyzer::ProtocolViolation(const char* reason, const char* data, int len)
 		r = zeek::make_intrusive<zeek::StringVal>(reason);
 
 	const auto& tval = tag.AsVal();
-	mgr.Enqueue(protocol_violation, ConnVal(), tval, zeek::val_mgr->Count(id), std::move(r));
+	zeek::event_mgr.Enqueue(protocol_violation, ConnVal(), tval, zeek::val_mgr->Count(id), std::move(r));
 	}
 
 void Analyzer::AddTimer(analyzer_timer_func timer, double t,

src/analyzer/protocol/arp/ARP.cc

@@ -191,13 +191,12 @@ void ARP_Analyzer::BadARP(const struct arp_pkthdr* hdr, const char* msg)
 	if ( ! bad_arp )
 		return;
 
-	mgr.Enqueue(bad_arp,
+	zeek::event_mgr.Enqueue(bad_arp,
 	                        ToAddrVal(ar_spa(hdr)),
 	                        ToEthAddrStr((const u_char*) ar_sha(hdr)),
 	                        ToAddrVal(ar_tpa(hdr)),
 	                        ToEthAddrStr((const u_char*) ar_tha(hdr)),
-		zeek::make_intrusive<zeek::StringVal>(msg)
-	);
+	                        zeek::make_intrusive<zeek::StringVal>(msg));
 	}
 
 void ARP_Analyzer::Corrupted(const char* msg)
@@ -205,7 +204,7 @@ void ARP_Analyzer::Corrupted(const char* msg)
 	zeek::reporter->Weird(msg);
 	}
 
-void ARP_Analyzer::RREvent(EventHandlerPtr e,
+void ARP_Analyzer::RREvent(zeek::EventHandlerPtr e,
                            const u_char* src, const u_char *dst,
                            const char* spa, const char* sha,
                            const char* tpa, const char* tha)
@@ -213,14 +212,13 @@ void ARP_Analyzer::RREvent(EventHandlerPtr e,
 	if ( ! e )
 		return;
 
-	mgr.Enqueue(e,
+	zeek::event_mgr.Enqueue(e,
 	                        ToEthAddrStr(src),
 	                        ToEthAddrStr(dst),
 	                        ToAddrVal(spa),
 	                        ToEthAddrStr((const u_char*) sha),
 	                        ToAddrVal(tpa),
-		ToEthAddrStr((const u_char*) tha)
-	);
+	                        ToEthAddrStr((const u_char*) tha));
 	}
 
 zeek::AddrVal* ARP_Analyzer::ConstructAddrVal(const void* addr)

src/analyzer/protocol/arp/ARP.h

@@ -40,7 +40,7 @@ public:
 	void NextPacket(double t, const Packet* pkt);
 
 	void Describe(ODesc* d) const override;
-	void RREvent(EventHandlerPtr e, const u_char* src, const u_char* dst,
+	void RREvent(zeek::EventHandlerPtr e, const u_char* src, const u_char* dst,
 	             const char* spa, const char* sha,
 	             const char* tpa, const char* tha);
 

src/analyzer/protocol/conn-size/ConnSize.cc

@@ -45,7 +45,7 @@ void ConnSize_Analyzer::Done()
 	Analyzer::Done();
 	}
 
-void ConnSize_Analyzer::ThresholdEvent(EventHandlerPtr f, uint64_t threshold, bool is_orig)
+void ConnSize_Analyzer::ThresholdEvent(zeek::EventHandlerPtr f, uint64_t threshold, bool is_orig)
 	{
 	if ( ! f )
 		return;

src/analyzer/protocol/conn-size/ConnSize.h

@@ -34,7 +34,7 @@ protected:
 					   uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override;
 	void CheckThresholds(bool is_orig);
 
-	void ThresholdEvent(EventHandlerPtr f, uint64_t threshold, bool is_orig);
+	void ThresholdEvent(zeek::EventHandlerPtr f, uint64_t threshold, bool is_orig);
 
 	uint64_t orig_bytes;
 	uint64_t resp_bytes;

src/analyzer/protocol/dns/DNS.cc

@@ -181,7 +181,7 @@ bool DNS_Interpreter::ParseQuestion(DNS_MsgInfo* msg,
 		return false;
 		}
 
-	EventHandlerPtr dns_event = nullptr;
+	zeek::EventHandlerPtr dns_event = nullptr;
 
 	if ( msg->QR == 0 )
 		dns_event = dns_request;
@@ -536,7 +536,7 @@ bool DNS_Interpreter::ParseRR_Name(DNS_MsgInfo* msg,
 		analyzer->Weird("DNS_RR_length_mismatch");
 		}
 
-	EventHandlerPtr reply_event;
+	zeek::EventHandlerPtr reply_event;
 	switch ( msg->atype ) {
 		case TYPE_NS:
 			reply_event = dns_NS_reply;
@@ -1298,7 +1298,7 @@ bool DNS_Interpreter::ParseRR_AAAA(DNS_MsgInfo* msg,
 			}
 		}
 
-	EventHandlerPtr event;
+	zeek::EventHandlerPtr event;
 	if ( msg->atype == TYPE_AAAA )
 		event = dns_AAAA_reply;
 	else
@@ -1467,7 +1467,7 @@ bool DNS_Interpreter::ParseRR_CAA(DNS_MsgInfo* msg,
 
 
 void DNS_Interpreter::SendReplyOrRejectEvent(DNS_MsgInfo* msg,
-						EventHandlerPtr event,
+                                             zeek::EventHandlerPtr event,
                                              const u_char*& data, int& len,
                                              zeek::String* question_name,
                                              zeek::String* original_name)

src/analyzer/protocol/dns/DNS.h

@@ -338,7 +338,7 @@ protected:
 	bool ParseRR_DS(DNS_MsgInfo* msg,
 				const u_char*& data, int& len, int rdlength,
 				const u_char* msg_start);
-	void SendReplyOrRejectEvent(DNS_MsgInfo* msg, EventHandlerPtr event,
+	void SendReplyOrRejectEvent(DNS_MsgInfo* msg, zeek::EventHandlerPtr event,
 	                            const u_char*& data, int& len,
 	                            zeek::String* question_name,
 	                            zeek::String* original_name);

src/analyzer/protocol/ftp/FTP.cc

@@ -77,7 +77,7 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
 
 	zeek::Args vl;
 
-	EventHandlerPtr f;
+	zeek::EventHandlerPtr f;
 	if ( orig )
 		{
 		int cmd_len;

src/analyzer/protocol/http/functions.bif

@@ -12,7 +12,7 @@
 ## .. zeek:see:: skip_smtp_data
 function skip_http_entity_data%(c: connection, is_orig: bool%): any
 	%{
-	analyzer::ID id = mgr.CurrentAnalyzer();
+	analyzer::ID id = zeek::event_mgr.CurrentAnalyzer();
 	if ( id )
 		{
 		zeek::analyzer::Analyzer* ha = c->FindAnalyzer(id);

src/analyzer/protocol/icmp/ICMP.cc

@@ -515,7 +515,7 @@ void ICMP_Analyzer::Echo(double t, const struct icmp* icmpp, int len,
 					 int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr)
 	{
 	// For handling all Echo related ICMP messages
-	EventHandlerPtr f = nullptr;
+	zeek::EventHandlerPtr f = nullptr;
 
 	if ( ip_hdr->NextProto() == IPPROTO_ICMPV6 )
 		f = (icmpp->icmp_type == ICMP6_ECHO_REQUEST)
@@ -546,7 +546,7 @@ void ICMP_Analyzer::Echo(double t, const struct icmp* icmpp, int len,
 void ICMP_Analyzer::RouterAdvert(double t, const struct icmp* icmpp, int len,
 			 int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr)
 	{
-	EventHandlerPtr f = icmp_router_advertisement;
+	zeek::EventHandlerPtr f = icmp_router_advertisement;
 
 	if ( ! f )
 		return;
@@ -583,7 +583,7 @@ void ICMP_Analyzer::RouterAdvert(double t, const struct icmp* icmpp, int len,
 void ICMP_Analyzer::NeighborAdvert(double t, const struct icmp* icmpp, int len,
 			 int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr)
 	{
-	EventHandlerPtr f = icmp_neighbor_advertisement;
+	zeek::EventHandlerPtr f = icmp_neighbor_advertisement;
 
 	if ( ! f )
 		return;
@@ -611,7 +611,7 @@ void ICMP_Analyzer::NeighborAdvert(double t, const struct icmp* icmpp, int len,
 void ICMP_Analyzer::NeighborSolicit(double t, const struct icmp* icmpp, int len,
 			 int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr)
 	{
-	EventHandlerPtr f = icmp_neighbor_solicitation;
+	zeek::EventHandlerPtr f = icmp_neighbor_solicitation;
 
 	if ( ! f )
 		return;
@@ -636,7 +636,7 @@ void ICMP_Analyzer::NeighborSolicit(double t, const struct icmp* icmpp, int len,
 void ICMP_Analyzer::Redirect(double t, const struct icmp* icmpp, int len,
 			 int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr)
 	{
-	EventHandlerPtr f = icmp_redirect;
+	zeek::EventHandlerPtr f = icmp_redirect;
 
 	if ( ! f )
 		return;
@@ -665,7 +665,7 @@ void ICMP_Analyzer::Redirect(double t, const struct icmp* icmpp, int len,
 void ICMP_Analyzer::RouterSolicit(double t, const struct icmp* icmpp, int len,
 			 int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr)
 	{
-	EventHandlerPtr f = icmp_router_solicitation;
+	zeek::EventHandlerPtr f = icmp_router_solicitation;
 
 	if ( ! f )
 		return;
@@ -682,7 +682,7 @@ void ICMP_Analyzer::RouterSolicit(double t, const struct icmp* icmpp, int len,
 void ICMP_Analyzer::Context4(double t, const struct icmp* icmpp,
 		int len, int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr)
 	{
-	EventHandlerPtr f = nullptr;
+	zeek::EventHandlerPtr f = nullptr;
 
 	switch ( icmpp->icmp_type )
 		{
@@ -709,7 +709,7 @@ void ICMP_Analyzer::Context4(double t, const struct icmp* icmpp,
 void ICMP_Analyzer::Context6(double t, const struct icmp* icmpp,
 		int len, int caplen, const u_char*& data, const zeek::IP_Hdr* ip_hdr)
 	{
-	EventHandlerPtr f = nullptr;
+	zeek::EventHandlerPtr f = nullptr;
 
 	switch ( icmpp->icmp_type )
 		{

src/analyzer/protocol/login/Login.cc

@@ -373,7 +373,7 @@ void Login_Analyzer::EndpointEOF(bool orig)
 		}
 	}
 
-void Login_Analyzer::LoginEvent(EventHandlerPtr f, const char* line,
+void Login_Analyzer::LoginEvent(zeek::EventHandlerPtr f, const char* line,
 	bool no_user_okay)
 	{
 	if ( ! f )
@@ -446,7 +446,7 @@ const char* Login_Analyzer::GetUsername(const char* line) const
 	return line;
 	}
 
-void Login_Analyzer::LineEvent(EventHandlerPtr f, const char* line)
+void Login_Analyzer::LineEvent(zeek::EventHandlerPtr f, const char* line)
 	{
 	if ( ! f )
 		return;

src/analyzer/protocol/login/Login.h

@@ -38,9 +38,9 @@ protected:
 	void NewLine(bool orig, char* line);
 	void AuthenticationDialog(bool orig, char* line);
 
-	void LoginEvent(EventHandlerPtr f, const char* line, bool no_user_okay=false);
+	void LoginEvent(zeek::EventHandlerPtr f, const char* line, bool no_user_okay=false);
 	const char* GetUsername(const char* line) const;
-	void LineEvent(EventHandlerPtr f, const char* line);
+	void LineEvent(zeek::EventHandlerPtr f, const char* line);
 	void Confused(const char* msg, const char* addl);
 	void ConfusionText(const char* line);
 

src/analyzer/protocol/ncp/NCP.cc

@@ -58,7 +58,7 @@ void NCP_Session::DeliverFrame(const binpac::NCP::ncp_frame* frame)
 			}
 		}
 
-	EventHandlerPtr f = frame->is_orig() ? ncp_request : ncp_reply;
+	zeek::EventHandlerPtr f = frame->is_orig() ? ncp_request : ncp_reply;
 	if ( f )
 		{
 		if ( frame->is_orig() )

src/analyzer/protocol/netbios/NetbiosSSN.cc

@@ -314,7 +314,7 @@ void NetbiosSSN_Interpreter::ParseKeepAlive(const u_char* data, int len,
 	Event(netbios_session_keepalive, data, len);
 	}
 
-void NetbiosSSN_Interpreter::Event(EventHandlerPtr event, const u_char* data,
+void NetbiosSSN_Interpreter::Event(zeek::EventHandlerPtr event, const u_char* data,
                                    int len, int is_orig)
 	{
 	if ( ! event )

src/analyzer/protocol/netbios/NetbiosSSN.h

@@ -88,7 +88,7 @@ protected:
 
 	void ParseSambaMsg(const u_char* data, int len, bool is_query);
 
-	void Event(EventHandlerPtr event, const u_char* data, int len,
+	void Event(zeek::EventHandlerPtr event, const u_char* data, int len,
 	           int is_orig = -1);
 
 	// Pass in name/length, returns in xname/xlen the converted

src/analyzer/protocol/pia/PIA.cc

@@ -160,7 +160,7 @@ void PIA_UDP::ActivateAnalyzer(zeek::analyzer::Tag tag, const zeek::detail::Rule
 				tag = GetAnalyzerTag();
 
 			const auto& tval = tag.AsVal();
-			mgr.Enqueue(protocol_late_match, ConnVal(), tval);
+			zeek::event_mgr.Enqueue(protocol_late_match, ConnVal(), tval);
 			}
 
 		pkt_buffer.state = dpd_late_match_stop ? SKIPPING : MATCHING_ONLY;
@@ -307,7 +307,7 @@ void PIA_TCP::ActivateAnalyzer(zeek::analyzer::Tag tag, const zeek::detail::Rule
 				tag = GetAnalyzerTag();
 
 			const auto& tval = tag.AsVal();
-			mgr.Enqueue(protocol_late_match, ConnVal(), tval);
+			zeek::event_mgr.Enqueue(protocol_late_match, ConnVal(), tval);
 			}
 
 		stream_buffer.state = dpd_late_match_stop ? SKIPPING : MATCHING_ONLY;

src/analyzer/protocol/pop3/POP3.cc

@@ -910,7 +910,7 @@ std::vector<std::string> POP3_Analyzer::TokenizeLine(const std::string& input, c
 	return tokens;
 	}
 
-void POP3_Analyzer::POP3Event(EventHandlerPtr event, bool is_orig,
+void POP3_Analyzer::POP3Event(zeek::EventHandlerPtr event, bool is_orig,
                               const char* arg1, const char* arg2)
 	{
 	if ( ! event )

src/analyzer/protocol/pop3/POP3.h

@@ -102,7 +102,7 @@ protected:
 	std::vector<std::string> TokenizeLine(const std::string& input, char split);
 	int ParseCmd(std::string cmd);
 	void AuthSuccessfull();
-	void POP3Event(EventHandlerPtr event, bool is_orig,
+	void POP3Event(zeek::EventHandlerPtr event, bool is_orig,
 	               const char* arg1 = nullptr, const char* arg2 = nullptr);
 
 	mime::MIME_Mail* mail;

src/analyzer/protocol/rpc/MOUNT.cc

@@ -68,7 +68,7 @@ bool MOUNT_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_statu
 			       const u_char*& buf, int& n, double start_time,
 			       double last_time, int reply_len)
 	{
-	EventHandlerPtr event = nullptr;
+	zeek::EventHandlerPtr event = nullptr;
 	zeek::ValPtr reply;
 	BifEnum::MOUNT3::status_t mount_status = BifEnum::MOUNT3::MNT3_OK;
 	bool rpc_success = ( rpc_status == BifEnum::RPC_SUCCESS );

src/analyzer/protocol/rpc/NFS.cc

@@ -123,7 +123,7 @@ bool NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status,
 			       const u_char*& buf, int& n, double start_time,
 			       double last_time, int reply_len)
 	{
-	EventHandlerPtr event = nullptr;
+	zeek::EventHandlerPtr event = nullptr;
 	zeek::ValPtr reply;
 	BifEnum::NFS3::status_t nfs_status = BifEnum::NFS3::NFS3ERR_OK;
 	bool rpc_success = ( rpc_status == BifEnum::RPC_SUCCESS );

src/analyzer/protocol/rpc/Portmap.cc

@@ -78,7 +78,7 @@ bool PortmapperInterp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status statu
 				     double start_time, double last_time,
 				     int reply_len)
 	{
-	EventHandlerPtr event;
+	zeek::EventHandlerPtr event;
 	zeek::ValPtr reply;
 	int success = (status == BifEnum::RPC_SUCCESS);
 
@@ -262,7 +262,7 @@ uint32_t PortmapperInterp::CheckPort(uint32_t port)
 	return port;
 	}
 
-void PortmapperInterp::Event(EventHandlerPtr f, zeek::ValPtr request, BifEnum::rpc_status status, zeek::ValPtr reply)
+void PortmapperInterp::Event(zeek::EventHandlerPtr f, zeek::ValPtr request, BifEnum::rpc_status status, zeek::ValPtr reply)
 	{
 	if ( ! f )
 		return;

src/analyzer/protocol/rpc/Portmap.h

@@ -17,7 +17,7 @@ protected:
 			   double last_time, int reply_len) override;
 	uint32_t CheckPort(uint32_t port);
 
-	void Event(EventHandlerPtr f, zeek::ValPtr request, BifEnum::rpc_status status, zeek::ValPtr reply);
+	void Event(zeek::EventHandlerPtr f, zeek::ValPtr request, BifEnum::rpc_status status, zeek::ValPtr reply);
 
 	zeek::ValPtr ExtractMapping(const u_char*& buf, int& len);
 	zeek::ValPtr ExtractPortRequest(const u_char*& buf, int& len);

src/analyzer/protocol/stepping-stone/SteppingStone.cc

@@ -129,7 +129,7 @@ bool SteppingStoneEndpoint::DataSent(double t, uint64_t seq, int len, int caplen
 	return true;
 	}
 
-void SteppingStoneEndpoint::Event(EventHandlerPtr f, int id1, int id2)
+void SteppingStoneEndpoint::Event(zeek::EventHandlerPtr f, int id1, int id2)
 	{
 	if ( ! f )
 		return;

src/analyzer/protocol/stepping-stone/SteppingStone.h

@@ -22,7 +22,7 @@ public:
 		     const zeek::IP_Hdr* ip, const struct tcphdr* tp);
 
 protected:
-	void Event(EventHandlerPtr f, int id1, int id2 = -1);
+	void Event(zeek::EventHandlerPtr f, int id1, int id2 = -1);
 	void CreateEndpEvent(bool is_orig);
 
 	tcp::TCP_Endpoint* endp;

src/broker/Manager.cc

@@ -703,7 +703,7 @@ bool Manager::AutoPublishEvent(string topic, zeek::Val* event)
 		return false;
 		}
 
-	auto handler = event_registry->Lookup(event_val->Name());
+	auto handler = zeek::event_registry->Lookup(event_val->Name());
 	if ( ! handler )
 		{
 		Error("Broker::auto_publish failed to lookup event '%s'",
@@ -733,7 +733,7 @@ bool Manager::AutoUnpublishEvent(const string& topic, zeek::Val* event)
 		return false;
 		}
 
-	auto handler = event_registry->Lookup(event_val->Name());
+	auto handler = zeek::event_registry->Lookup(event_val->Name());
 
 	if ( ! handler )
 		{
@@ -1153,7 +1153,7 @@ void Manager::ProcessEvent(const broker::topic& topic, broker::zeek::Event ev)
 	DBG_LOG(DBG_BROKER, "Process event: %s %s",
 			name.data(), RenderMessage(args).data());
 	++statistics.num_events_incoming;
-	auto handler = event_registry->Lookup(name);
+	auto handler = zeek::event_registry->Lookup(name);
 
 	if ( ! handler )
 		return;
@@ -1216,7 +1216,7 @@ void Manager::ProcessEvent(const broker::topic& topic, broker::zeek::Event ev)
 		}
 
 	if ( vl.size() == args.size() )
-		mgr.Enqueue(handler, std::move(vl), SOURCE_BROKER);
+		zeek::event_mgr.Enqueue(handler, std::move(vl), SOURCE_BROKER);
 	}
 
 bool bro_broker::Manager::ProcessLogCreate(broker::zeek::LogCreate lc)
@@ -1410,7 +1410,7 @@ void Manager::ProcessStatus(broker::status stat)
 
 	auto ctx = stat.context<broker::endpoint_info>();
 
-	EventHandlerPtr event;
+	zeek::EventHandlerPtr event;
 	switch (stat.code()) {
 	case broker::sc::unspecified:
 		event = Broker::status;
@@ -1469,7 +1469,7 @@ void Manager::ProcessStatus(broker::status stat)
 	auto str = stat.message();
 	auto msg = zeek::make_intrusive<zeek::StringVal>(str ? *str : "");
 
-	mgr.Enqueue(event, std::move(endpoint_info), std::move(msg));
+	zeek::event_mgr.Enqueue(event, std::move(endpoint_info), std::move(msg));
 	}
 
 void Manager::ProcessError(broker::error err)
@@ -1502,10 +1502,9 @@ void Manager::ProcessError(broker::error err)
 		msg = fmt("[%s] %s", caf::to_string(err.category()).c_str(), caf::to_string(err.context()).c_str());
 		}
 
-	mgr.Enqueue(Broker::error,
+	zeek::event_mgr.Enqueue(Broker::error,
 	                        zeek::BifType::Enum::Broker::ErrorCode->GetEnumVal(ec),
-	            zeek::make_intrusive<zeek::StringVal>(msg)
-	);
+	                        zeek::make_intrusive<zeek::StringVal>(msg));
 	}
 
 void Manager::ProcessStoreResponse(StoreHandleVal* s, broker::store::response response)

src/file_analysis/File.cc

@@ -612,12 +612,12 @@ void File::Gap(uint64_t offset, uint64_t len)
 	IncrementByteCount(len, missing_bytes_idx);
 	}
 
-bool File::FileEventAvailable(EventHandlerPtr h)
+bool File::FileEventAvailable(zeek::EventHandlerPtr h)
 	{
 	return h && ! file_mgr->IsIgnored(id);
 	}
 
-void File::FileEvent(EventHandlerPtr h)
+void File::FileEvent(zeek::EventHandlerPtr h)
 	{
 	if ( ! FileEventAvailable(h) )
 		return;
@@ -625,27 +625,27 @@ void File::FileEvent(EventHandlerPtr h)
 	FileEvent(h, zeek::Args{val});
 	}
 
-void File::FileEvent(EventHandlerPtr h, val_list* vl)
+void File::FileEvent(zeek::EventHandlerPtr h, val_list* vl)
 	{
 	FileEvent(h, zeek::val_list_to_args(*vl));
 	delete vl;
 	}
 
-void File::FileEvent(EventHandlerPtr h, val_list vl)
+void File::FileEvent(zeek::EventHandlerPtr h, val_list vl)
 	{
 	FileEvent(h, zeek::val_list_to_args(vl));
 	}
 
-void File::FileEvent(EventHandlerPtr h, zeek::Args args)
+void File::FileEvent(zeek::EventHandlerPtr h, zeek::Args args)
 	{
-	mgr.Enqueue(h, std::move(args));
+	zeek::event_mgr.Enqueue(h, std::move(args));
 
 	if ( h == file_new || h == file_over_new_connection ||
 	     h == file_sniff ||
 	     h == file_timeout || h == file_extraction_limit )
 		{
 		// immediate feedback is required for these events.
-		mgr.Drain();
+		zeek::event_mgr.Drain();
 		analyzers.DrainModifications();
 		}
 	}

src/file_analysis/File.h

@@ -14,8 +14,8 @@
 #include "WeirdState.h"
 
 class Connection;
-class EventHandlerPtr;
 
+ZEEK_FORWARD_DECLARE_NAMESPACED(EventHandlerPtr, zeek);
 ZEEK_FORWARD_DECLARE_NAMESPACED(RecordVal, zeek);
 ZEEK_FORWARD_DECLARE_NAMESPACED(RecordType, zeek);
 namespace zeek {
@@ -179,14 +179,14 @@ public:
 	 * @param h pointer to an event handler.
 	 * @return true if event has a handler and the file isn't ignored.
 	 */
-	bool FileEventAvailable(EventHandlerPtr h);
+	bool FileEventAvailable(zeek::EventHandlerPtr h);
 
 	/**
 	 * Raises an event related to the file's life-cycle, the only parameter
 	 * to that event is the \c fa_file record..
 	 * @param h pointer to an event handler.
 	 */
-	void FileEvent(EventHandlerPtr h);
+	void FileEvent(zeek::EventHandlerPtr h);
 
 	/**
 	 * Raises an event related to the file's life-cycle.
@@ -194,7 +194,7 @@ public:
 	 * @param vl list of argument values to pass to event call.
 	 */
 	[[deprecated("Remove in v4.1. Use zeek::Args overload instead.")]]
-	void FileEvent(EventHandlerPtr h, val_list* vl);
+	void FileEvent(zeek::EventHandlerPtr h, val_list* vl);
 
 	/**
 	 * Raises an event related to the file's life-cycle.
@@ -202,14 +202,14 @@ public:
 	 * @param vl list of argument values to pass to event call.
 	 */
 	[[deprecated("Remove in v4.1. Use zeek::Args overload instead.")]]
-	void FileEvent(EventHandlerPtr h, val_list vl);
+	void FileEvent(zeek::EventHandlerPtr h, val_list vl);
 
 	/**
 	 * Raises an event related to the file's life-cycle.
 	 * @param h pointer to an event handler.
 	 * @param args list of argument values to pass to event call.
 	 */
-	void FileEvent(EventHandlerPtr h, zeek::Args args);
+	void FileEvent(zeek::EventHandlerPtr h, zeek::Args args);
 
 	/**
 	 * Sets the MIME type for a file to a specific value.

src/file_analysis/Manager.cc

@@ -61,7 +61,7 @@ void Manager::Terminate()
 	for ( const string& key : keys )
 		Timeout(key, true);
 
-	mgr.Drain();
+	zeek::event_mgr.Drain();
 	}
 
 string Manager::HashHandle(const string& handle) const
@@ -435,8 +435,8 @@ string Manager::GetFileID(const zeek::analyzer::Tag& tag, Connection* c, bool is
 
 	const auto& tagval = tag.AsVal();
 
-	mgr.Enqueue(get_file_handle, tagval, c->ConnVal(), zeek::val_mgr->Bool(is_orig));
-	mgr.Drain(); // need file handle immediately so we don't have to buffer data
+	zeek::event_mgr.Enqueue(get_file_handle, tagval, c->ConnVal(), zeek::val_mgr->Bool(is_orig));
+	zeek::event_mgr.Drain(); // need file handle immediately so we don't have to buffer data
 	return current_file_id;
 	}
 

src/file_analysis/analyzer/data_event/DataEvent.cc

@@ -12,7 +12,7 @@
 using namespace file_analysis;
 
 DataEvent::DataEvent(zeek::RecordValPtr args, File* file,
-                     EventHandlerPtr ce, EventHandlerPtr se)
+                     zeek::EventHandlerPtr ce, zeek::EventHandlerPtr se)
     : file_analysis::Analyzer(file_mgr->GetComponentTag("DATA_EVENT"),
 	                          std::move(args), file),
 	chunk_event(ce), stream_event(se)
@@ -27,14 +27,14 @@ file_analysis::Analyzer* DataEvent::Instantiate(zeek::RecordValPtr args,
 
 	if ( ! chunk_val && ! stream_val ) return nullptr;
 
-	EventHandlerPtr chunk;
-	EventHandlerPtr stream;
+	zeek::EventHandlerPtr chunk;
+	zeek::EventHandlerPtr stream;
 
 	if ( chunk_val )
-		chunk = event_registry->Lookup(chunk_val->AsFunc()->Name());
+		chunk = zeek::event_registry->Lookup(chunk_val->AsFunc()->Name());
 
 	if ( stream_val )
-		stream = event_registry->Lookup(stream_val->AsFunc()->Name());
+		stream = zeek::event_registry->Lookup(stream_val->AsFunc()->Name());
 
 	return new DataEvent(std::move(args), file, chunk, stream);
 	}
@@ -43,7 +43,7 @@ bool DataEvent::DeliverChunk(const u_char* data, uint64_t len, uint64_t offset)
 	{
 	if ( ! chunk_event ) return true;
 
-	mgr.Enqueue(chunk_event,
+	zeek::event_mgr.Enqueue(chunk_event,
 	                        GetFile()->ToVal(),
 	                        zeek::make_intrusive<zeek::StringVal>(new zeek::String(data, len, false)),
 	                        zeek::val_mgr->Count(offset)
@@ -56,7 +56,7 @@ bool DataEvent::DeliverStream(const u_char* data, uint64_t len)
 	{
 	if ( ! stream_event ) return true;
 
-	mgr.Enqueue(stream_event,
+	zeek::event_mgr.Enqueue(stream_event,
 	                        GetFile()->ToVal(),
 	                        zeek::make_intrusive<zeek::StringVal>(new zeek::String(data, len, false))
 	);

src/file_analysis/analyzer/data_event/DataEvent.h

@@ -58,11 +58,11 @@ protected:
 	 *        sequential file data.
 	 */
 	DataEvent(zeek::RecordValPtr args, File* file,
-	          EventHandlerPtr ce, EventHandlerPtr se);
+	          zeek::EventHandlerPtr ce, zeek::EventHandlerPtr se);
 
 private:
-	EventHandlerPtr chunk_event;
-	EventHandlerPtr stream_event;
+	zeek::EventHandlerPtr chunk_event;
+	zeek::EventHandlerPtr stream_event;
 };
 
 } // namespace file_analysis

src/file_analysis/analyzer/entropy/Entropy.cc

@@ -70,7 +70,7 @@ void Entropy::Finalize()
 	ent_result->Assign<zeek::DoubleVal>(3, montepi);
 	ent_result->Assign<zeek::DoubleVal>(4, scc);
 
-	mgr.Enqueue(file_entropy,
+	zeek::event_mgr.Enqueue(file_entropy,
 	                        GetFile()->ToVal(),
 	                        std::move(ent_result)
 	);

src/file_analysis/analyzer/hash/Hash.cc

@@ -53,7 +53,7 @@ void Hash::Finalize()
 	if ( ! file_hash )
 		return;
 
-	mgr.Enqueue(file_hash,
+	zeek::event_mgr.Enqueue(file_hash,
 	                        GetFile()->ToVal(),
 	                        zeek::make_intrusive<zeek::StringVal>(kind),
 	                        hash->Get()

src/file_analysis/analyzer/pe/pe-analyzer.pac

@@ -65,7 +65,7 @@ refine flow File += {
 			dh->Assign(15, zeek::val_mgr->Count(${h.OEMinfo}));
 			dh->Assign(16, zeek::val_mgr->Count(${h.AddressOfNewExeHeader}));
 
-			mgr.Enqueue(pe_dos_header,
+			zeek::event_mgr.Enqueue(pe_dos_header,
 			    connection()->bro_analyzer()->GetFile()->ToVal(),
 			    std::move(dh));
 			}
@@ -75,7 +75,7 @@ refine flow File += {
 	function proc_dos_code(code: bytestring): bool
 		%{
 		if ( pe_dos_code )
-			mgr.Enqueue(pe_dos_code,
+			zeek::event_mgr.Enqueue(pe_dos_code,
 			    connection()->bro_analyzer()->GetFile()->ToVal(),
 			    zeek::make_intrusive<zeek::StringVal>(code.length(), (const char*) code.data())
 			    );
@@ -104,7 +104,7 @@ refine flow File += {
 			fh->Assign(4, zeek::val_mgr->Count(${h.SizeOfOptionalHeader}));
 			fh->Assign(5, characteristics_to_bro(${h.Characteristics}, 16));
 
-			mgr.Enqueue(pe_file_header,
+			zeek::event_mgr.Enqueue(pe_file_header,
 			    connection()->bro_analyzer()->GetFile()->ToVal(),
 			    std::move(fh));
 			}
@@ -155,7 +155,7 @@ refine flow File += {
 
 			oh->Assign(23, process_rvas(${h.rvas}));
 
-			mgr.Enqueue(pe_optional_header,
+			zeek::event_mgr.Enqueue(pe_optional_header,
 			    connection()->bro_analyzer()->GetFile()->ToVal(),
 			    std::move(oh));
 			}
@@ -187,7 +187,7 @@ refine flow File += {
 			section_header->Assign(8, zeek::val_mgr->Count(${h.non_used_num_of_line_nums}));
 			section_header->Assign(9, characteristics_to_bro(${h.characteristics}, 32));
 
-			mgr.Enqueue(pe_section_header,
+			zeek::event_mgr.Enqueue(pe_section_header,
 			    connection()->bro_analyzer()->GetFile()->ToVal(),
 			    std::move(section_header)
 			    );

src/file_analysis/analyzer/unified2/unified2-analyzer.pac

@@ -86,7 +86,7 @@ refine flow Flow += {
 			ids_event->Assign(11, to_port(${ev.dst_p}, ${ev.protocol}));
 			ids_event->Assign(17, zeek::val_mgr->Count(${ev.packet_action}));
 
-			mgr.Enqueue(::unified2_event,
+			zeek::event_mgr.Enqueue(::unified2_event,
 					connection()->bro_analyzer()->GetFile()->ToVal(),
 					std::move(ids_event));
 			}
@@ -116,7 +116,7 @@ refine flow Flow += {
 			ids_event->Assign(15, zeek::val_mgr->Count(${ev.mpls_label}));
 			ids_event->Assign(16, zeek::val_mgr->Count(${ev.vlan_id}));
 
-			mgr.Enqueue(::unified2_event,
+			zeek::event_mgr.Enqueue(::unified2_event,
 					connection()->bro_analyzer()->GetFile()->ToVal(),
 					std::move(ids_event));
 			}
@@ -136,7 +136,7 @@ refine flow Flow += {
 			packet->Assign(4, zeek::val_mgr->Count(${pkt.link_type}));
 			packet->Assign(5, to_stringval(${pkt.packet_data}));
 
-			mgr.Enqueue(::unified2_packet,
+			zeek::event_mgr.Enqueue(::unified2_packet,
 					connection()->bro_analyzer()->GetFile()->ToVal(),
 					std::move(packet));
 			}

src/file_analysis/analyzer/x509/OCSP.cc

@@ -415,7 +415,7 @@ void file_analysis::OCSP::ParseRequest(OCSP_REQUEST* req)
 #endif
 
 	if ( ocsp_request )
-		mgr.Enqueue(ocsp_request,
+		zeek::event_mgr.Enqueue(ocsp_request,
 		                        GetFile()->ToVal(),
 		                        zeek::val_mgr->Count(version)
 		);
@@ -435,7 +435,7 @@ void file_analysis::OCSP::ParseRequest(OCSP_REQUEST* req)
 		ocsp_add_cert_id(cert_id, &rvl, bio);
 
 		if ( ocsp_request_certificate )
-			mgr.Enqueue(ocsp_request_certificate, std::move(rvl));
+			zeek::event_mgr.Enqueue(ocsp_request_certificate, std::move(rvl));
 		}
 
 	BIO_free(bio);
@@ -461,7 +461,7 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
 	auto status_val = zeek::make_intrusive<zeek::StringVal>(strlen(status_str), status_str);
 
 	if ( ocsp_response_status )
-		mgr.Enqueue(ocsp_response_status, GetFile()->ToVal(), status_val);
+		zeek::event_mgr.Enqueue(ocsp_response_status, GetFile()->ToVal(), status_val);
 
 	//if (!resp_bytes)
 	//	{
@@ -592,7 +592,7 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
 			rvl.emplace_back(zeek::make_intrusive<zeek::TimeVal>(0.0));
 
 		if ( ocsp_response_certificate )
-			mgr.Enqueue(ocsp_response_certificate, std::move(rvl));
+			zeek::event_mgr.Enqueue(ocsp_response_certificate, std::move(rvl));
 
 		num_ext = OCSP_SINGLERESP_get_ext_count(single_resp);
 		for ( int k = 0; k < num_ext; ++k )
@@ -643,7 +643,7 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
 	  }
 
 	if ( ocsp_response_bytes )
-		mgr.Enqueue(ocsp_response_bytes, std::move(vl));
+		zeek::event_mgr.Enqueue(ocsp_response_bytes, std::move(vl));
 
 	// ok, now that we are done with the actual certificate - let's parse extensions :)
 	num_ext = OCSP_BASICRESP_get_ext_count(basic_resp);

src/file_analysis/analyzer/x509/X509.cc

@@ -86,7 +86,7 @@ bool file_analysis::X509::EndOfFile()
 
 	// and send the record on to scriptland
 	if ( x509_certificate )
-		mgr.Enqueue(x509_certificate,
+		zeek::event_mgr.Enqueue(x509_certificate,
 		                        GetFile()->ToVal(),
 		                        zeek::IntrusivePtr{zeek::NewRef{}, cert_val},
 		                        cert_record);
@@ -296,7 +296,7 @@ void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex)
 			if ( constr->pathlen )
 				pBasicConstraint->Assign(1, zeek::val_mgr->Count((int32_t) ASN1_INTEGER_get(constr->pathlen)));
 
-			mgr.Enqueue(x509_ext_basic_constraints,
+			zeek::event_mgr.Enqueue(x509_ext_basic_constraints,
 			                        GetFile()->ToVal(),
 			                        std::move(pBasicConstraint)
 			);
@@ -437,7 +437,7 @@ void file_analysis::X509::ParseSAN(X509_EXTENSION* ext)
 
 		sanExt->Assign(4, zeek::val_mgr->Bool(otherfields));
 
-		mgr.Enqueue(x509_ext_subject_alternative_name,
+		zeek::event_mgr.Enqueue(x509_ext_subject_alternative_name,
 		                        GetFile()->ToVal(),
 		                        std::move(sanExt));
 	GENERAL_NAMES_free(altname);

src/file_analysis/analyzer/x509/X509Common.cc

@@ -231,7 +231,7 @@ void file_analysis::X509Common::ParseSignedCertificateTimestamps(X509_EXTENSION*
 	delete conn;
 	}
 
-void file_analysis::X509Common::ParseExtension(X509_EXTENSION* ex, const EventHandlerPtr& h, bool global)
+void file_analysis::X509Common::ParseExtension(X509_EXTENSION* ex, const zeek::EventHandlerPtr& h, bool global)
 	{
 	char name[256];
 	char oid[256];
@@ -288,11 +288,11 @@ void file_analysis::X509Common::ParseExtension(X509_EXTENSION* ex, const EventHa
 	// but I am not sure if there is a better way to do it...
 
 	if ( h == ocsp_extension )
-		mgr.Enqueue(h, GetFile()->ToVal(),
+		zeek::event_mgr.Enqueue(h, GetFile()->ToVal(),
 		                        std::move(pX509Ext),
 		                        zeek::val_mgr->Bool(global));
 	else
-		mgr.Enqueue(h, GetFile()->ToVal(), std::move(pX509Ext));
+		zeek::event_mgr.Enqueue(h, GetFile()->ToVal(), std::move(pX509Ext));
 
 	// let individual analyzers parse more.
 	ParseExtensionsSpecific(ex, global, ext_asn, oid);

src/file_analysis/analyzer/x509/X509Common.h

@@ -10,8 +10,7 @@
 #include <openssl/x509.h>
 #include <openssl/asn1.h>
 
-class EventHandlerPtr;
-
+ZEEK_FORWARD_DECLARE_NAMESPACED(EventHandlerPtr, zeek);
 ZEEK_FORWARD_DECLARE_NAMESPACED(Reporter, zeek);
 ZEEK_FORWARD_DECLARE_NAMESPACED(StringVal, zeek);
 
@@ -48,7 +47,7 @@ protected:
 	X509Common(const file_analysis::Tag& arg_tag,
 	           zeek::RecordValPtr arg_args, File* arg_file);
 
-	void ParseExtension(X509_EXTENSION* ex, const EventHandlerPtr& h, bool global);
+	void ParseExtension(X509_EXTENSION* ex, const zeek::EventHandlerPtr& h, bool global);
 	void ParseSignedCertificateTimestamps(X509_EXTENSION* ext);
 	virtual void ParseExtensionsSpecific(X509_EXTENSION* ex, bool, ASN1_OBJECT*, const char*) = 0;
 };

src/file_analysis/analyzer/x509/x509-extension.pac

@@ -38,7 +38,7 @@ refine connection MockConnection += {
 		if ( ! x509_ocsp_ext_signed_certificate_timestamp )
 			return true;
 
-		mgr.Enqueue(x509_ocsp_ext_signed_certificate_timestamp,
+		zeek::event_mgr.Enqueue(x509_ocsp_ext_signed_certificate_timestamp,
 			bro_analyzer()->GetFile()->ToVal(),
 			zeek::val_mgr->Count(version),
 			zeek::make_intrusive<zeek::StringVal>(logid.length(), reinterpret_cast<const char*>(logid.begin())),

src/fuzzers/fuzzer-setup.h

@@ -54,9 +54,9 @@ void fuzzer_cleanup_one_input()
 	file_mgr->Terminate();
 	timer_mgr->Expire();
 
-	mgr.Drain();
+	zeek::event_mgr.Drain();
 	sessions->Drain();
-	mgr.Drain();
+	zeek::event_mgr.Drain();
 	sessions->Clear();
 	terminating = false;
 	}

src/fuzzers/packet-fuzzer.cc

@@ -39,7 +39,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
 			}
 
 		chunk = {};
-		mgr.Drain();
+		zeek::event_mgr.Drain();
 		}
 
 	zeek::detail::fuzzer_cleanup_one_input();

src/fuzzers/pop3-fuzzer.cc

@@ -69,7 +69,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
 			}
 
 		chunk = {};
-		mgr.Drain();
+		zeek::event_mgr.Drain();
 		}
 
 	zeek::detail::fuzzer_cleanup_one_input();

src/input/Manager.cc

@@ -64,7 +64,7 @@ public:
 	zeek::EnumVal* type;
 	ReaderFrontend* reader;
 	zeek::TableVal* config;
-	EventHandlerPtr error_event;
+	zeek::EventHandlerPtr error_event;
 
 	zeek::RecordVal* description;
 
@@ -104,7 +104,7 @@ public:
 
 	zeek::Func* pred;
 
-	EventHandlerPtr event;
+	zeek::EventHandlerPtr event;
 
 	TableStream();
 	~TableStream() override;
@@ -112,7 +112,7 @@ public:
 
 class Manager::EventStream final : public Manager::Stream {
 public:
-	EventHandlerPtr event;
+	zeek::EventHandlerPtr event;
 
 	zeek::RecordType* fields;
 	unsigned int num_fields;
@@ -185,7 +185,7 @@ Manager::AnalysisStream::~AnalysisStream()
 Manager::Manager()
 	: plugin::ComponentManager<input::Tag, input::Component>("Input", "Reader")
 	{
-	end_of_data = event_registry->Register("Input::end_of_data");
+	end_of_data = zeek::event_registry->Register("Input::end_of_data");
 	}
 
 Manager::~Manager()
@@ -441,8 +441,8 @@ bool Manager::CreateEventStream(zeek::RecordVal* fval)
 
 	stream->num_fields = fieldsV.size();
 	stream->fields = fields->Ref()->AsRecordType();
-	stream->event = event_registry->Lookup(event->Name());
-	stream->error_event = error_event ? event_registry->Lookup(error_event->Name()) : nullptr;
+	stream->event = zeek::event_registry->Lookup(event->Name());
+	stream->error_event = error_event ? zeek::event_registry->Lookup(error_event->Name()) : nullptr;
 	stream->want_record = ( want_record->InternalInt() == 1 );
 
 	assert(stream->reader);
@@ -694,8 +694,8 @@ bool Manager::CreateTableStream(zeek::RecordVal* fval)
 	stream->tab = dst.release()->AsTableVal();
 	stream->rtype = val.release();
 	stream->itype = idx->Ref()->AsRecordType();
-	stream->event = event ? event_registry->Lookup(event->Name()) : nullptr;
-	stream->error_event = error_event ? event_registry->Lookup(error_event->Name()) : nullptr;
+	stream->event = event ? zeek::event_registry->Lookup(event->Name()) : nullptr;
+	stream->error_event = error_event ? zeek::event_registry->Lookup(error_event->Name()) : nullptr;
 	stream->currDict = new zeek::PDict<InputHash>;
 	stream->currDict->SetDeleteFunc(input_hash_delete_func);
 	stream->lastDict = new zeek::PDict<InputHash>;
@@ -1810,7 +1810,7 @@ bool Manager::CallPred(zeek::Func* pred_func, const int numvals, ...) const
 	return result;
 	}
 
-void Manager::SendEvent(EventHandlerPtr ev, const int numvals, ...) const
+void Manager::SendEvent(zeek::EventHandlerPtr ev, const int numvals, ...) const
 	{
 	zeek::Args vl;
 	vl.reserve(numvals);
@@ -1828,10 +1828,10 @@ void Manager::SendEvent(EventHandlerPtr ev, const int numvals, ...) const
 	va_end(lP);
 
 	if ( ev )
-		mgr.Enqueue(ev, std::move(vl), SOURCE_LOCAL);
+		zeek::event_mgr.Enqueue(ev, std::move(vl), SOURCE_LOCAL);
 	}
 
-void Manager::SendEvent(EventHandlerPtr ev, list<zeek::Val*> events) const
+void Manager::SendEvent(zeek::EventHandlerPtr ev, list<zeek::Val*> events) const
 	{
 	zeek::Args vl;
 	vl.reserve(events.size());
@@ -1845,7 +1845,7 @@ void Manager::SendEvent(EventHandlerPtr ev, list<zeek::Val*> events) const
 		vl.emplace_back(zeek::AdoptRef{}, *i);
 
 	if ( ev )
-		mgr.Enqueue(ev, std::move(vl), SOURCE_LOCAL);
+		zeek::event_mgr.Enqueue(ev, std::move(vl), SOURCE_LOCAL);
 	}
 
 // Convert a bro list value to a bro record value.

src/input/Manager.h

@@ -202,8 +202,8 @@ private:
 	bool UnrollRecordType(std::vector<threading::Field*> *fields, const zeek::RecordType *rec, const std::string& nameprepend, bool allow_file_func) const;
 
 	// Send events
-	void SendEvent(EventHandlerPtr ev, const int numvals, ...) const;
-	void SendEvent(EventHandlerPtr ev, std::list<zeek::Val*> events) const;
+	void SendEvent(zeek::EventHandlerPtr ev, const int numvals, ...) const;
+	void SendEvent(zeek::EventHandlerPtr ev, std::list<zeek::Val*> events) const;
 
 	// Implementation of SendEndOfData (send end_of_data event).
 	void SendEndOfData(const Stream *i);
@@ -253,7 +253,7 @@ private:
 
 	std::map<ReaderFrontend*, Stream*> readers;
 
-	EventHandlerPtr end_of_data;
+	zeek::EventHandlerPtr end_of_data;
 };
 
 

src/iosource/pcap/Source.cc

@@ -47,7 +47,7 @@ void PcapSource::Close()
 	Closed();
 
 	if ( Pcap::file_done )
-		mgr.Enqueue(Pcap::file_done, zeek::make_intrusive<zeek::StringVal>(props.path));
+		zeek::event_mgr.Enqueue(Pcap::file_done, zeek::make_intrusive<zeek::StringVal>(props.path));
 	}
 
 void PcapSource::OpenLive()

src/logging/Manager.cc

@@ -79,7 +79,7 @@ struct Manager::Stream {
 	bool enabled;
 	string name;
 	zeek::RecordType* columns;
-	EventHandlerPtr event;
+	zeek::EventHandlerPtr event;
 	list<Filter*> filters;
 
 	typedef pair<int, string> WriterPathPair;
@@ -314,7 +314,7 @@ bool Manager::CreateStream(zeek::EnumVal* id, zeek::RecordVal* sval)
 	streams[idx]->id = id->Ref()->AsEnumVal();
 	streams[idx]->enabled = true;
 	streams[idx]->name = id->GetType()->AsEnumType()->Lookup(idx);
-	streams[idx]->event = event ? event_registry->Lookup(event->Name()) : nullptr;
+	streams[idx]->event = event ? zeek::event_registry->Lookup(event->Name()) : nullptr;
 	streams[idx]->columns = columns->Ref()->AsRecordType();
 
 	streams[idx]->enable_remote = zeek::id::find_val("Log::enable_remote_logging")->AsBool();
@@ -711,7 +711,7 @@ bool Manager::Write(zeek::EnumVal* id, zeek::RecordVal* columns_arg)
 
 	// Raise the log event.
 	if ( stream->event )
-		mgr.Enqueue(stream->event, columns);
+		zeek::event_mgr.Enqueue(stream->event, columns);
 
 	// Send to each of our filters.
 	for ( list<Filter*>::iterator i = stream->filters.begin();

src/plugin/Plugin.h

@@ -17,8 +17,8 @@
 #define BRO_PLUGIN_BRO_VERSION BRO_VERSION_FUNCTION
 
 class ODesc;
-class Event;
 
+ZEEK_FORWARD_DECLARE_NAMESPACED(Event, zeek);
 ZEEK_FORWARD_DECLARE_NAMESPACED(Func, zeek);
 ZEEK_FORWARD_DECLARE_NAMESPACED(Frame, zeek::detail);
 

src/stats.bif

@@ -193,8 +193,8 @@ function get_event_stats%(%): EventStats
 	auto r = zeek::make_intrusive<zeek::RecordVal>(EventStats);
 	int n = 0;
 
-	r->Assign(n++, zeek::val_mgr->Count(num_events_queued));
-	r->Assign(n++, zeek::val_mgr->Count(num_events_dispatched));
+	r->Assign(n++, zeek::val_mgr->Count(event_mgr.num_events_queued));
+	r->Assign(n++, zeek::val_mgr->Count(event_mgr.num_events_dispatched));
 
 	return r;
 	%}

src/threading/Manager.cc

@@ -135,7 +135,7 @@ void Manager::StartHeartbeatTimer()
 // one reporter message.
 bool Manager::SendEvent(MsgThread* thread, const std::string& name, const int num_vals, Value* *vals) const
 	{
-	EventHandler* handler = event_registry->Lookup(name);
+	zeek::EventHandler* handler = zeek::event_registry->Lookup(name);
 	if ( handler == nullptr )
 		{
 		zeek::reporter->Warning("Thread %s: Event %s not found", thread->Name(), name.c_str());
@@ -179,7 +179,7 @@ bool Manager::SendEvent(MsgThread* thread, const std::string& name, const int nu
 	if ( convert_error )
 		return false;
 	else if ( handler )
-		mgr.Enqueue(handler, std::move(vl), SOURCE_LOCAL);
+		zeek::event_mgr.Enqueue(handler, std::move(vl), SOURCE_LOCAL);
 
 	return true;
 	}

src/zeek-setup.cc

@@ -114,7 +114,8 @@ zeek::detail::trigger::Manager* trigger_mgr = nullptr;
 
 std::vector<std::string> zeek_script_prefixes;
 zeek::detail::Stmt* stmts;
-EventRegistry* event_registry = nullptr;
+zeek::EventRegistry* zeek::event_registry = nullptr;
+zeek::EventRegistry*& event_registry = zeek::event_registry;
 ProfileLogger* profiling_logger = nullptr;
 ProfileLogger* segment_logger = nullptr;
 SampleLogger* sample_logger = nullptr;
@@ -228,10 +229,10 @@ void done_with_network()
 
 	if ( net_done )
 		{
-		mgr.Drain();
+		zeek::event_mgr.Drain();
 		// Don't propagate this event to remote clients.
-		mgr.Dispatch(new Event(net_done,
-		                       {zeek::make_intrusive<zeek::TimeVal>(zeek::detail::timer_mgr->Time())}),
+		zeek::event_mgr.Dispatch(
+			new zeek::Event(net_done, {zeek::make_intrusive<zeek::TimeVal>(zeek::detail::timer_mgr->Time())}),
 			true);
 		}
 
@@ -243,8 +244,8 @@ void done_with_network()
 	zeek::analyzer_mgr->Done();
 	zeek::detail::timer_mgr->Expire();
 	zeek::detail::dns_mgr->Flush();
-	mgr.Drain();
-	mgr.Drain();
+	zeek::event_mgr.Drain();
+	zeek::event_mgr.Drain();
 
 	net_finish(1);
 
@@ -281,10 +282,10 @@ void terminate_bro()
         zeek::detail::brofiler.WriteStats();
 
 	if ( zeek_done )
-		mgr.Enqueue(zeek_done, zeek::Args{});
+		zeek::event_mgr.Enqueue(zeek_done, zeek::Args{});
 
 	zeek::detail::timer_mgr->Expire();
-	mgr.Drain();
+	zeek::event_mgr.Drain();
 
 	if ( profiling_logger )
 		{
@@ -296,7 +297,7 @@ void terminate_bro()
 		delete profiling_logger;
 		}
 
-	mgr.Drain();
+	zeek::event_mgr.Drain();
 
 	notifier::registry.Terminate();
 	log_mgr->Terminate();
@@ -305,7 +306,7 @@ void terminate_bro()
 	broker_mgr->Terminate();
 	zeek::detail::dns_mgr->Terminate();
 
-	mgr.Drain();
+	zeek::event_mgr.Drain();
 
 	zeek::plugin_mgr->FinishPlugins();
 
@@ -314,7 +315,7 @@ void terminate_bro()
 	delete file_mgr;
 	// broker_mgr, timer_mgr, and supervisor are deleted via iosource_mgr
 	delete iosource_mgr;
-	delete event_registry;
+	delete zeek::event_registry;
 	delete log_mgr;
 	delete zeek::reporter;
 	delete zeek::plugin_mgr;
@@ -658,7 +659,7 @@ zeek::detail::SetupResult zeek::detail::setup(int argc, char** argv,
 	zeekygen_mgr->InitPostScript();
 	broker_mgr->InitPostScript();
 	zeek::detail::timer_mgr->InitPostScript();
-	mgr.InitPostScript();
+	zeek::event_mgr.InitPostScript();
 
 	if ( zeek::supervisor_mgr )
 		zeek::supervisor_mgr->InitPostScript();
@@ -769,7 +770,7 @@ zeek::detail::SetupResult zeek::detail::setup(int argc, char** argv,
 		if ( ! zeek::detail::dns_mgr->Save() )
 			zeek::reporter->FatalError("can't update DNS cache");
 
-		mgr.Drain();
+		zeek::event_mgr.Drain();
 		delete zeek::detail::dns_mgr;
 		exit(0);
 		}
@@ -806,7 +807,7 @@ zeek::detail::SetupResult zeek::detail::setup(int argc, char** argv,
 		net_update_time(current_time());
 
 	if ( zeek_init )
-		mgr.Enqueue(zeek_init, zeek::Args{});
+		zeek::event_mgr.Enqueue(zeek_init, zeek::Args{});
 
 	EventRegistry::string_list dead_handlers =
 		event_registry->UnusedHandlers();
@@ -853,7 +854,7 @@ zeek::detail::SetupResult zeek::detail::setup(int argc, char** argv,
 			if ( i->skipped )
 				continue;
 
-			mgr.Enqueue(zeek_script_loaded,
+			zeek::event_mgr.Enqueue(zeek_script_loaded,
 			                        zeek::make_intrusive<zeek::StringVal>(i->name.c_str()),
 			                        zeek::val_mgr->Count(i->include_level));
 			}
@@ -862,7 +863,7 @@ zeek::detail::SetupResult zeek::detail::setup(int argc, char** argv,
 	zeek::reporter->ReportViaEvents(true);
 
 	// Drain the event queue here to support the protocols framework configuring DPM
-	mgr.Drain();
+	zeek::event_mgr.Drain();
 
 	if ( zeek::reporter->Errors() > 0 && ! zeekenv("ZEEK_ALLOW_INIT_ERRORS") )
 		zeek::reporter->FatalError("errors occurred while initializing");

src/zeek.bif

@@ -1792,7 +1792,7 @@ function log10%(d: double%): double
 ##          none.
 function current_analyzer%(%) : count
 	%{
-	return zeek::val_mgr->Count(mgr.CurrentAnalyzer());
+	return zeek::val_mgr->Count(zeek::event_mgr.CurrentAnalyzer());
 	%}
 
 ## Returns Zeek's process ID.
@@ -4997,7 +4997,7 @@ function uninstall_dst_net_filter%(snet: subnet%) : bool
 ## Returns: True if the last raised event came from a remote peer.
 function is_remote_event%(%) : bool
 	%{
-	return zeek::val_mgr->Bool(mgr.CurrentSource() != SOURCE_LOCAL);
+	return zeek::val_mgr->Bool(zeek::event_mgr.CurrentSource() != SOURCE_LOCAL);
 	%}
 
 ## Stops Zeek's packet processing. This function is used to synchronize

testing/btest/plugins/file-plugin/src/Foo.cc

@@ -25,4 +25,3 @@ bool Foo::DeliverStream(const u_char* data, uint64 len)
 	mgr.QueueEvent(foo_piece, args);
     return true;
     }
-