Reworked how the logs-to-elasticsearch scripts works to stop abusing the logging framework.

- New variable in logging framework Log::active_streams to indicate
  Log::ID enums which are currently active.
This commit is contained in:
Seth Hall 2012-07-27 15:31:10 -04:00
parent 76520645bb
commit 596f07e505
2 changed files with 17 additions and 20 deletions


@ -327,6 +327,11 @@ export {
## Log::default_rotation_postprocessor_cmd ## Log::default_rotation_postprocessor_cmd
## Log::default_rotation_postprocessors ## Log::default_rotation_postprocessors
global run_rotation_postprocessor_cmd: function(info: RotationInfo, npath: string) : bool; global run_rotation_postprocessor_cmd: function(info: RotationInfo, npath: string) : bool;
## The streams which are currently active and not disabled.
## This set is not meant to be modified by users! Only use it for
## examining which streams are active.
global active_streams: set[ID] = set();
} }
# We keep a script-level copy of all filters so that we can manipulate them. # We keep a script-level copy of all filters so that we can manipulate them.
@ -412,11 +417,15 @@ function create_stream(id: ID, stream: Stream) : bool
if ( ! __create_stream(id, stream) ) if ( ! __create_stream(id, stream) )
return F; return F;
add active_streams[id];
return add_default_filter(id); return add_default_filter(id);
} }
function disable_stream(id: ID) : bool function disable_stream(id: ID) : bool
{ {
delete active_streams[id];
return __disable_stream(id); return __disable_stream(id);
} }
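Review bot: `disable_stream` deletes `id` from `active_streams` before it knows whether `__disable_stream(id)` succeeded, so a failed disable leaves the set reporting the stream as inactive while the core still has it enabled; change the body so the set is only touched on success: `if ( ! __disable_stream(id) ) return F;` / `delete active_streams[id];` / `return T;`. `create_stream` is already consistent with that, since it adds to the set only after `__create_stream` returned true. The doc comment on `active_streams` says it is not meant to be modified by users, but as a plain exported `global` nothing enforces that, so a sentence such as `## The framework updates this set in create_stream/disable_stream; treat it as read-only.` would make the contract explicit. If the framework has other stream state changes outside this hunk (an enable or remove counterpart), they presumably need to update the set as well.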


@ -4,7 +4,7 @@ module LogElasticSearch;
export { export {
## An elasticsearch specific rotation interval. ## An elasticsearch specific rotation interval.
const rotation_interval = 24hr &redef; const rotation_interval = 3hr &redef;
## Optionally ignore any :bro:type:`Log::ID` from being sent to ## Optionally ignore any :bro:type:`Log::ID` from being sent to
## ElasticSearch with this script. ## ElasticSearch with this script.
@ -17,29 +17,17 @@ export {
const send_logs: set[string] = set() &redef; const send_logs: set[string] = set() &redef;
} }
module Log;
event bro_init() &priority=-5 event bro_init() &priority=-5
{ {
local my_filters: table[ID, string] of Filter = table(); for ( stream_id in Log::active_streams )
for ( [id, name] in filters )
{ {
local filter = filters[id, name]; if ( fmt("%s", stream_id) in excluded_log_ids ||
if ( fmt("%s", id) in LogElasticSearch::excluded_log_ids || (|send_logs| > 0 && fmt("%s", stream_id) !in send_logs) )
(|LogElasticSearch::send_logs| > 0 && fmt("%s", id) !in LogElasticSearch::send_logs) )
next; next;
filter$name = cat(name, "-es"); local filter: Log::Filter = [$name = "default-es",
filter$writer = Log::WRITER_ELASTICSEARCH; $writer = Log::WRITER_ELASTICSEARCH,
filter$interv = LogElasticSearch::rotation_interval; $interv = LogElasticSearch::rotation_interval];
my_filters[id, name] = filter; Log::add_filter(stream_id, filter);
}
# This had to be done separately to avoid an ever growing filters list
# where the for loop would never end.
for ( [id, name] in my_filters )
{
Log::add_filter(id, filter);
} }
} }
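Review bot: The new `bro_init` loop attaches a fresh `default-es` filter that sets only `$name`, `$writer` and `$interv`, whereas the replaced code cloned each stream's existing filters into their `-es` copies, so any `$pred`, `$include`/`$exclude` or `$path` configured on a stream's local filters no longer applies to the copy shipped to ElasticSearch. If that is intended, say so on the filter record, e.g. `# Ships every field of every active stream; $pred/$include/$exclude on the stream's local filters are not applied to this copy.`; otherwise the values should be carried over from the stream's default filter. The loop also runs once at priority -5 of `bro_init`, so streams created at a lower priority or at runtime never receive the filter, which is worth stating in the export block's documentation. Minor: `excluded_log_ids` and `send_logs` are referenced unqualified while `$interv` uses `LogElasticSearch::rotation_interval`; inside the same module the prefix can be dropped for consistency, and the doc comment on `rotation_interval` could mention why the default moved from 24hr to 3hr.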