Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Remove deprecated log filter predicates for 4.1

Browse source 
Update the logging framework tests: since hooks operate
by name, they cannot be anonymous. I'm also dropping the &optional
attribute from the status field, since here know that the values are
actually defined, and access to an optional status field should
normally be guarded by the existence test operator.

Also includes baseline update for plugins.hooks, which picks up the
fact that the pred record field is now gone.
This commit is contained in:
Christian Kreibich 2021-01-25 17:00:25 -08:00 committed by Tim Wojtulewicz
parent 5f09793ce1
commit 4ce3bf3cd2
5 changed files with 302 additions and 316 deletions
Download patch file Download diff file Expand all files Collapse all files

10
scripts/base/frameworks/logging/main.zeek
View file

@ -210,16 +210,6 @@ export {
## The logging writer implementation to use. ## The logging writer implementation to use.
writer: Writer &default=default_writer; writer: Writer &default=default_writer;
## Indicates whether a log entry should be recorded.
## If not given, all entries are recorded.
##
## rec: An instance of the stream's ``columns`` type with its
## fields set to the values to be logged.
##
## Returns: True if the entry is to be recorded.
pred: function(rec: any): bool &optional
&deprecated="Remove in 4.1. PolicyHooks will replace the $pred function.";
## Output path for recording entries matching this ## Output path for recording entries matching this
## filter. ## filter.
## ##

16
src/logging/Manager.cc
View file

@ -37,7 +37,6 @@ struct Manager::Filter {
string name; string name;
EnumVal* id; EnumVal* id;
Func* policy; Func* policy;
Func* pred;
Func* path_func; Func* path_func;
string path; string path;
Val* path_val; Val* path_val;
@ -560,7 +559,6 @@ bool Manager::AddFilter(EnumVal* id, RecordVal* fval)
auto name = fval->GetFieldOrDefault("name"); auto name = fval->GetFieldOrDefault("name");
auto policy = fval->GetFieldOrDefault("policy"); auto policy = fval->GetFieldOrDefault("policy");
auto pred = fval->GetFieldOrDefault("pred");
auto path_func = fval->GetFieldOrDefault("path_func"); auto path_func = fval->GetFieldOrDefault("path_func");
auto log_local = fval->GetFieldOrDefault("log_local"); auto log_local = fval->GetFieldOrDefault("log_local");
auto log_remote = fval->GetFieldOrDefault("log_remote"); auto log_remote = fval->GetFieldOrDefault("log_remote");
@ -577,7 +575,6 @@ bool Manager::AddFilter(EnumVal* id, RecordVal* fval)
filter->name = name->AsString()->CheckString(); filter->name = name->AsString()->CheckString();
filter->id = id->Ref()->AsEnumVal(); filter->id = id->Ref()->AsEnumVal();
filter->policy = policy ? policy->AsFunc() : stream->policy; filter->policy = policy ? policy->AsFunc() : stream->policy;
filter->pred = pred ? pred->AsFunc() : nullptr;
filter->path_func = path_func ? path_func->AsFunc() : nullptr; filter->path_func = path_func ? path_func->AsFunc() : nullptr;
filter->writer = writer->Ref()->AsEnumVal(); filter->writer = writer->Ref()->AsEnumVal();
filter->local = log_local->AsBool(); filter->local = log_local->AsBool();
@ -660,7 +657,6 @@ bool Manager::AddFilter(EnumVal* id, RecordVal* fval)
DBG_LOG(DBG_LOGGING, " path : %s", filter->path.c_str()); DBG_LOG(DBG_LOGGING, " path : %s", filter->path.c_str());
DBG_LOG(DBG_LOGGING, " path_func : %s", (filter->path_func ? "set" : "not set")); DBG_LOG(DBG_LOGGING, " path_func : %s", (filter->path_func ? "set" : "not set"));
DBG_LOG(DBG_LOGGING, " policy : %s", (filter->policy ? "set" : "not set")); DBG_LOG(DBG_LOGGING, " policy : %s", (filter->policy ? "set" : "not set"));
DBG_LOG(DBG_LOGGING, " pred : %s", (filter->pred ? "set" : "not set"));
for ( int i = 0; i < filter->num_fields; i++ ) for ( int i = 0; i < filter->num_fields; i++ )
{ {
@ -747,18 +743,6 @@ bool Manager::Write(EnumVal* id, RecordVal* columns_arg)
continue; continue;
} }
// $pred is deprecated and will get removed in 4.1.
// This block can go when that time comes.
if ( filter->pred )
{
// See whether the predicate indicates that we want
// to log this record.
auto v = filter->pred->Invoke(columns);
if ( v && ! v->AsBool() )
continue;
}
if ( filter->path_func ) if ( filter->path_func )
{ {
ValPtr path_arg; ValPtr path_arg;

564
testing/btest/Baseline/plugins.hooks/output
View file

File diff suppressed because one or more lines are too long

18
testing/btest/scripts/base/frameworks/logging/pred.zeek
View file

@ -14,26 +14,32 @@ export {
type Log: record { type Log: record {
t: time; t: time;
id: conn_id; # Will be rolled out into individual columns. id: conn_id; # Will be rolled out into individual columns.
status: string &optional; status: string;
country: string &default="unknown"; country: string &default="unknown";
} &log; } &log;
} }
function fail(rec: Log): bool hook success(rec: Log, id: Log::ID, filter: Log::Filter)
{ {
return rec$status != "success"; if ( rec$status != "success" )
break;
}
hook fail(rec: Log, id: Log::ID, filter: Log::Filter)
{
if ( rec$status == "success" )
break;
} }
event zeek_init() event zeek_init()
{ {
Log::create_stream(Test::LOG, [$columns=Log]); Log::create_stream(Test::LOG, [$columns=Log]);
Log::remove_default_filter(Test::LOG); Log::remove_default_filter(Test::LOG);
Log::add_filter(Test::LOG, [$name="f1", $path="test.success", $pred=function(rec: Log): bool { return rec$status == "success"; }]); Log::add_filter(Test::LOG, [$name="f1", $path="test.success", $policy=success]);
Log::add_filter(Test::LOG, [$name="f2", $path="test.failure", $pred=fail]); Log::add_filter(Test::LOG, [$name="f2", $path="test.failure", $policy=fail]);
local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp]; local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
local r: Log = [$t=network_time(), $id=cid, $status="success"]; local r: Log = [$t=network_time(), $id=cid, $status="success"];
Log::write(Test::LOG, r); Log::write(Test::LOG, r);
Log::write(Test::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]); Log::write(Test::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
} }

10
testing/btest/scripts/base/frameworks/logging/remove.zeek
View file

@ -15,15 +15,21 @@ export {
type Log: record { type Log: record {
t: time; t: time;
id: conn_id; # Will be rolled out into individual columns. id: conn_id; # Will be rolled out into individual columns.
status: string &optional; status: string;
country: string &default="unknown"; country: string &default="unknown";
} &log; } &log;
} }
hook fail_only(rec: Log, id: Log::ID, filter: Log::Filter)
{
if ( rec$status != "failure" )
break;
}
event zeek_init() event zeek_init()
{ {
Log::create_stream(SSH::LOG, [$columns=Log]); Log::create_stream(SSH::LOG, [$columns=Log]);
Log::add_filter(SSH::LOG, [$name="f1", $path="ssh.failure", $pred=function(rec: Log): bool { return rec$status == "failure"; }]); Log::add_filter(SSH::LOG, [$name="f1", $path="ssh.failure", $policy=fail_only]);
local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp]; local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];