From 5e496e43b78e3d71aa9a1d7d5ae47d15568091e4 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@corelight.com>
Date: Wed, 25 Mar 2020 18:36:58 -0700
Subject: [PATCH] Deprecate Analyzer::ConnectionEvent()

And update usages to Analyzer::EnqueueConnEvent()
---
 NEWS                                          |   4 +
 src/analyzer/Analyzer.h                       |  18 +-
 .../protocol/bittorrent/BitTorrent.cc         |  12 +-
 .../protocol/bittorrent/BitTorrentTracker.cc  |  46 +-
 src/analyzer/protocol/conn-size/ConnSize.cc   |  20 +-
 src/analyzer/protocol/dns/DNS.cc              | 277 +++++-----
 src/analyzer/protocol/file/File.cc            |  12 +-
 src/analyzer/protocol/finger/Finger.cc        |  22 +-
 src/analyzer/protocol/ftp/FTP.cc              |  22 +-
 src/analyzer/protocol/gnutella/Gnutella.cc    |  62 +--
 src/analyzer/protocol/http/HTTP.cc            | 146 +++--
 src/analyzer/protocol/icmp/ICMP.cc            | 146 +++--
 src/analyzer/protocol/ident/Ident.cc          |  36 +-
 src/analyzer/protocol/irc/IRC.cc              | 508 +++++++++---------
 src/analyzer/protocol/login/Login.cc          |  79 ++-
 src/analyzer/protocol/login/NVT.cc            |  10 +-
 src/analyzer/protocol/login/RSH.cc            |  28 +-
 src/analyzer/protocol/login/Rlogin.cc         |  10 +-
 src/analyzer/protocol/mime/MIME.cc            |  76 ++-
 src/analyzer/protocol/ncp/NCP.cc              |  33 +-
 src/analyzer/protocol/netbios/NetbiosSSN.cc   |  34 +-
 src/analyzer/protocol/pop3/POP3.cc            |  16 +-
 src/analyzer/protocol/rpc/MOUNT.cc            |  23 +-
 src/analyzer/protocol/rpc/MOUNT.h             |   4 +-
 src/analyzer/protocol/rpc/NFS.cc              |  23 +-
 src/analyzer/protocol/rpc/NFS.h               |   2 +-
 src/analyzer/protocol/rpc/Portmap.cc          |  23 +-
 src/analyzer/protocol/rpc/RPC.cc              |  54 +-
 src/analyzer/protocol/smtp/SMTP.cc            |  57 +-
 .../protocol/stepping-stone/SteppingStone.cc  |  16 +-
 src/analyzer/protocol/tcp/TCP.cc              |  90 ++--
 src/analyzer/protocol/tcp/TCP_Endpoint.cc     |  12 +-
 src/analyzer/protocol/tcp/TCP_Reassembler.cc  |  64 +--
 src/analyzer/protocol/udp/UDP.cc              |  12 +-
 34 files changed, 954 insertions(+), 1043 deletions(-)

diff --git a/NEWS b/NEWS
index 781b1534f7..3843fc92e3 100644
--- a/NEWS
+++ b/NEWS
@@ -63,6 +63,10 @@ Deprecated Functionality
   arguments are now deprecated, use the overload that takes a ``zeek::Args``
   instead.
 
+- The ``analyzer::Analyzer::ConnectionEvent()`` and
+  ``analyzer::Analyzer::ConectionEventFast()`` methods are deprecated, use
+  ``analyzer::Analyzer::EnqueueConnEvent()`` instead.
+
 Zeek 3.1.0
 ==========
 
diff --git a/src/analyzer/Analyzer.h b/src/analyzer/Analyzer.h
index 96e51a2b25..e53caad475 100644
--- a/src/analyzer/Analyzer.h
+++ b/src/analyzer/Analyzer.h
@@ -10,6 +10,8 @@
 
 #include <list>
 #include <vector>
+#include <tuple>
+#include <type_traits>
 
 #include <sys/types.h> // for u_char
 
@@ -567,21 +569,21 @@ public:
 	 * Convenience function that forwards directly to
 	 * Connection::ConnectionEvent().
 	 */
-	// TODO: deprecate
+	[[deprecated("Remove in v4.1.  Use EnqueueConnEvent() instead.")]]
 	void ConnectionEvent(EventHandlerPtr f, val_list* vl);
 
 	/**
 	 * Convenience function that forwards directly to
 	 * Connection::ConnectionEvent().
 	 */
-	// TODO: deprecate
+	[[deprecated("Remove in v4.1.  Use EnqueueConnEvent() instead.")]]
 	void ConnectionEvent(EventHandlerPtr f, val_list vl);
 
 	/**
 	 * Convenience function that forwards directly to
 	 * Connection::ConnectionEventFast().
 	 */
-	// TODO: deprecate
+	[[deprecated("Remove in v4.1.  Use EnqueueConnEvent() instead.")]]
 	void ConnectionEventFast(EventHandlerPtr f, val_list vl);
 
 	/**
@@ -590,6 +592,16 @@ public:
 	 */
 	void EnqueueConnEvent(EventHandlerPtr f, zeek::Args args);
 
+	/**
+	 * A version of EnqueueConnEvent() taking a variable number of arguments.
+	 */
+	template <class... Args>
+	std::enable_if_t<
+	  std::is_convertible_v<
+	    std::tuple_element_t<0, std::tuple<Args...>>, IntrusivePtr<Val>>>
+	EnqueueConnEvent(EventHandlerPtr h, Args&&... args)
+		{ return EnqueueConnEvent(h, zeek::Args{std::forward<Args>(args)...}); }
+
 	/**
 	 * Convenience function that forwards directly to the corresponding
 	 * Connection::Weird().
diff --git a/src/analyzer/protocol/bittorrent/BitTorrent.cc b/src/analyzer/protocol/bittorrent/BitTorrent.cc
index 57ef52550a..5a85b01660 100644
--- a/src/analyzer/protocol/bittorrent/BitTorrent.cc
+++ b/src/analyzer/protocol/bittorrent/BitTorrent.cc
@@ -119,11 +119,9 @@ void BitTorrent_Analyzer::EndpointEOF(bool is_orig)
 void BitTorrent_Analyzer::DeliverWeird(const char* msg, bool orig)
 	{
 	if ( bittorrent_peer_weird )
-		{
-		ConnectionEventFast(bittorrent_peer_weird, {
-			BuildConnVal(),
-			val_mgr->GetBool(orig),
-			new StringVal(msg),
-		});
-		}
+		EnqueueConnEvent(bittorrent_peer_weird,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+			make_intrusive<StringVal>(msg)
+		);
 	}
diff --git a/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc b/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc
index 301f37eb6c..7b0d8aedbb 100644
--- a/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc
+++ b/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc
@@ -246,13 +246,11 @@ void BitTorrentTracker_Analyzer::InitBencParser(void)
 void BitTorrentTracker_Analyzer::DeliverWeird(const char* msg, bool orig)
 	{
 	if ( bt_tracker_weird )
-		{
-		ConnectionEventFast(bt_tracker_weird, {
-			BuildConnVal(),
-			val_mgr->GetBool(orig),
-			new StringVal(msg),
-		});
-		}
+		EnqueueConnEvent(bt_tracker_weird,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+			make_intrusive<StringVal>(msg)
+		);
 	}
 
 bool BitTorrentTracker_Analyzer::ParseRequest(char* line)
@@ -349,11 +347,11 @@ void BitTorrentTracker_Analyzer::EmitRequest(void)
 	ProtocolConfirmation();
 
 	if ( bt_tracker_request )
-		ConnectionEventFast(bt_tracker_request, {
-			BuildConnVal(),
-			req_val_uri,
-			req_val_headers,
-		});
+		EnqueueConnEvent(bt_tracker_request,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, req_val_uri},
+			IntrusivePtr{AdoptRef{}, req_val_headers}
+		);
 
 	req_val_uri = 0;
 	req_val_headers = 0;
@@ -403,11 +401,11 @@ bool BitTorrentTracker_Analyzer::ParseResponse(char* line)
 			if ( res_status != 200 )
 				{
 				if ( bt_tracker_response_not_ok )
-					ConnectionEventFast(bt_tracker_response_not_ok, {
-						BuildConnVal(),
-						val_mgr->GetCount(res_status),
-						res_val_headers,
-					});
+					EnqueueConnEvent(bt_tracker_response_not_ok,
+						IntrusivePtr{AdoptRef{}, BuildConnVal()},
+						IntrusivePtr{AdoptRef{}, val_mgr->GetCount(res_status)},
+						IntrusivePtr{AdoptRef{}, res_val_headers}
+					);
 				res_val_headers = 0;
 				res_buf_pos = res_buf + res_buf_len;
 				res_state = BTT_RES_DONE;
@@ -790,13 +788,13 @@ void BitTorrentTracker_Analyzer::EmitResponse(void)
 	ProtocolConfirmation();
 
 	if ( bt_tracker_response )
-		ConnectionEventFast(bt_tracker_response, {
-			BuildConnVal(),
-			val_mgr->GetCount(res_status),
-			res_val_headers,
-			res_val_peers,
-			res_val_benc,
-		});
+		EnqueueConnEvent(bt_tracker_response,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(res_status)},
+			IntrusivePtr{AdoptRef{}, res_val_headers},
+			IntrusivePtr{AdoptRef{}, res_val_peers},
+			IntrusivePtr{AdoptRef{}, res_val_benc}
+		);
 
 	res_val_headers = 0;
 	res_val_peers = 0;
diff --git a/src/analyzer/protocol/conn-size/ConnSize.cc b/src/analyzer/protocol/conn-size/ConnSize.cc
index 58e8ccb857..cec1beed2c 100644
--- a/src/analyzer/protocol/conn-size/ConnSize.cc
+++ b/src/analyzer/protocol/conn-size/ConnSize.cc
@@ -50,11 +50,11 @@ void ConnSize_Analyzer::ThresholdEvent(EventHandlerPtr f, uint64_t threshold, bo
 	if ( ! f )
 		return;
 
-	ConnectionEventFast(f, {
-		BuildConnVal(),
-		val_mgr->GetCount(threshold),
-		val_mgr->GetBool(is_orig),
-	});
+	EnqueueConnEvent(f,
+		IntrusivePtr{AdoptRef{}, BuildConnVal()},
+		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(threshold)},
+		IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}
+	);
 	}
 
 void ConnSize_Analyzer::CheckThresholds(bool is_orig)
@@ -92,11 +92,11 @@ void ConnSize_Analyzer::CheckThresholds(bool is_orig)
 		{
 		if ( duration_thresh > ( network_time - start_time ) && conn_duration_threshold_crossed )
 			{
-			ConnectionEventFast(conn_duration_threshold_crossed, {
-					BuildConnVal(),
-					new Val(duration_thresh, TYPE_INTERVAL),
-					val_mgr->GetBool(is_orig),
-			});
+			EnqueueConnEvent(conn_duration_threshold_crossed,
+					IntrusivePtr{AdoptRef{}, BuildConnVal()},
+					make_intrusive<Val>(duration_thresh, TYPE_INTERVAL),
+					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}
+			);
 			duration_thresh = 0;
 			}
 		}
diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc
index ac82a042ab..56276a7d55 100644
--- a/src/analyzer/protocol/dns/DNS.cc
+++ b/src/analyzer/protocol/dns/DNS.cc
@@ -48,14 +48,12 @@ int DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query)
 	first_message = false;
 
 	if ( dns_message )
-		{
-		analyzer->ConnectionEventFast(dns_message, {
-			analyzer->BuildConnVal(),
-			val_mgr->GetBool(is_query),
-			msg.BuildHdrVal(),
-			val_mgr->GetCount(len),
-		});
-		}
+		analyzer->EnqueueConnEvent(dns_message,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_query)},
+			IntrusivePtr{AdoptRef{}, msg.BuildHdrVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(len)}
+		);
 
 	// There is a great deal of non-DNS traffic that runs on port 53.
 	// This should weed out most of it.
@@ -136,10 +134,10 @@ int DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query)
 int DNS_Interpreter::EndMessage(DNS_MsgInfo* msg)
 	{
 	if ( dns_end )
-		analyzer->ConnectionEventFast(dns_end, {
-			analyzer->BuildConnVal(),
-			msg->BuildHdrVal(),
-		});
+		analyzer->EnqueueConnEvent(dns_end,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()}
+		);
 
 	return 1;
 	}
@@ -341,13 +339,11 @@ int DNS_Interpreter::ParseAnswer(DNS_MsgInfo* msg,
 		default:
 
 			if ( dns_unknown_reply && ! msg->skip_event )
-				{
-				analyzer->ConnectionEventFast(dns_unknown_reply, {
-					analyzer->BuildConnVal(),
-					msg->BuildHdrVal(),
-					msg->BuildAnswerVal(),
-				});
-				}
+				analyzer->EnqueueConnEvent(dns_unknown_reply,
+					IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+					IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
+					IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()}
+				);
 
 			analyzer->Weird("DNS_RR_unknown_type", fmt("%d", msg->atype));
 			data += rdlength;
@@ -556,14 +552,12 @@ int DNS_Interpreter::ParseRR_Name(DNS_MsgInfo* msg,
 	}
 
 	if ( reply_event && ! msg->skip_event )
-		{
-		analyzer->ConnectionEventFast(reply_event, {
-			analyzer->BuildConnVal(),
-			msg->BuildHdrVal(),
-			msg->BuildAnswerVal(),
-			new StringVal(new BroString(name, name_end - name, 1)),
-		});
-		}
+		analyzer->EnqueueConnEvent(reply_event,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
+			make_intrusive<StringVal>(new BroString(name, name_end - name, 1))
+		);
 
 	return 1;
 	}
@@ -602,7 +596,7 @@ int DNS_Interpreter::ParseRR_SOA(DNS_MsgInfo* msg,
 
 	if ( dns_SOA_reply && ! msg->skip_event )
 		{
-		RecordVal* r = new RecordVal(dns_soa);
+		auto r = make_intrusive<RecordVal>(dns_soa);
 		r->Assign(0, make_intrusive<StringVal>(new BroString(mname, mname_end - mname, 1)));
 		r->Assign(1, make_intrusive<StringVal>(new BroString(rname, rname_end - rname, 1)));
 		r->Assign(2, val_mgr->GetCount(serial));
@@ -611,12 +605,12 @@ int DNS_Interpreter::ParseRR_SOA(DNS_MsgInfo* msg,
 		r->Assign(5, make_intrusive<IntervalVal>(double(expire), Seconds));
 		r->Assign(6, make_intrusive<IntervalVal>(double(minimum), Seconds));
 
-		analyzer->ConnectionEventFast(dns_SOA_reply, {
-			analyzer->BuildConnVal(),
-			msg->BuildHdrVal(),
-			msg->BuildAnswerVal(),
-			r
-		});
+		analyzer->EnqueueConnEvent(dns_SOA_reply,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
+			std::move(r)
+		);
 		}
 
 	return 1;
@@ -641,15 +635,13 @@ int DNS_Interpreter::ParseRR_MX(DNS_MsgInfo* msg,
 		analyzer->Weird("DNS_RR_length_mismatch");
 
 	if ( dns_MX_reply && ! msg->skip_event )
-		{
-		analyzer->ConnectionEventFast(dns_MX_reply, {
-			analyzer->BuildConnVal(),
-			msg->BuildHdrVal(),
-			msg->BuildAnswerVal(),
-			new StringVal(new BroString(name, name_end - name, 1)),
-			val_mgr->GetCount(preference),
-		});
-		}
+		analyzer->EnqueueConnEvent(dns_MX_reply,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
+			make_intrusive<StringVal>(new BroString(name, name_end - name, 1)),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(preference)}
+		);
 
 	return 1;
 	}
@@ -684,17 +676,15 @@ int DNS_Interpreter::ParseRR_SRV(DNS_MsgInfo* msg,
 		analyzer->Weird("DNS_RR_length_mismatch");
 
 	if ( dns_SRV_reply && ! msg->skip_event )
-		{
-		analyzer->ConnectionEventFast(dns_SRV_reply, {
-			analyzer->BuildConnVal(),
-			msg->BuildHdrVal(),
-			msg->BuildAnswerVal(),
-			new StringVal(new BroString(name, name_end - name, 1)),
-			val_mgr->GetCount(priority),
-			val_mgr->GetCount(weight),
-			val_mgr->GetCount(port),
-		});
-		}
+		analyzer->EnqueueConnEvent(dns_SRV_reply,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
+			make_intrusive<StringVal>(new BroString(name, name_end - name, 1)),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(priority)},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(weight)},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(port)}
+		);
 
 	return 1;
 	}
@@ -707,13 +697,11 @@ int DNS_Interpreter::ParseRR_EDNS(DNS_MsgInfo* msg,
 	// out to the policy side of the house if rdlength > 0.
 
 	if ( dns_EDNS_addl && ! msg->skip_event )
-		{
-		analyzer->ConnectionEventFast(dns_EDNS_addl, {
-			analyzer->BuildConnVal(),
-			msg->BuildHdrVal(),
-			msg->BuildEDNS_Val(),
-		});
-		}
+		analyzer->EnqueueConnEvent(dns_EDNS_addl,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildEDNS_Val()}
+		);
 
 	// Currently EDNS supports the movement of type:data pairs
 	// in the RR_DATA section.  Here's where we should put together
@@ -786,11 +774,11 @@ int DNS_Interpreter::ParseRR_TSIG(DNS_MsgInfo* msg,
 		tsig.orig_id = orig_id;
 		tsig.rr_error = rr_error;
 
-		analyzer->ConnectionEventFast(dns_TSIG_addl, {
-			analyzer->BuildConnVal(),
-			msg->BuildHdrVal(),
-			msg->BuildTSIG_Val(&tsig),
-		});
+		analyzer->EnqueueConnEvent(dns_TSIG_addl,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildTSIG_Val(&tsig)}
+		);
 		}
 
 	return 1;
@@ -887,12 +875,12 @@ int DNS_Interpreter::ParseRR_RRSIG(DNS_MsgInfo* msg,
 		rrsig.signer_name = new BroString(name, name_end - name, 1);
 		rrsig.signature = sign;
 
-		analyzer->ConnectionEventFast(dns_RRSIG, {
-			analyzer->BuildConnVal(),
-			msg->BuildHdrVal(),
-			msg->BuildAnswerVal(),
-			msg->BuildRRSIG_Val(&rrsig),
-		});
+		analyzer->EnqueueConnEvent(dns_RRSIG,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildRRSIG_Val(&rrsig)}
+		);
 		}
 
 	return 1;
@@ -982,12 +970,12 @@ int DNS_Interpreter::ParseRR_DNSKEY(DNS_MsgInfo* msg,
 		dnskey.dprotocol = dprotocol;
 		dnskey.public_key = key;
 
-		analyzer->ConnectionEventFast(dns_DNSKEY, {
-			analyzer->BuildConnVal(),
-			msg->BuildHdrVal(),
-			msg->BuildAnswerVal(),
-			msg->BuildDNSKEY_Val(&dnskey),
-		});
+		analyzer->EnqueueConnEvent(dns_DNSKEY,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildDNSKEY_Val(&dnskey)}
+		);
 		}
 
 	return 1;
@@ -1014,7 +1002,7 @@ int DNS_Interpreter::ParseRR_NSEC(DNS_MsgInfo* msg,
 
 	int typebitmaps_len = rdlength - (data - data_start);
 
-	VectorVal* char_strings = new VectorVal(string_vec);
+	auto char_strings = make_intrusive<VectorVal>(string_vec);
 
 	while ( typebitmaps_len > 0 && len > 0 )
 		{
@@ -1034,15 +1022,13 @@ int DNS_Interpreter::ParseRR_NSEC(DNS_MsgInfo* msg,
 		}
 
 	if ( dns_NSEC )
-		analyzer->ConnectionEventFast(dns_NSEC, {
-			analyzer->BuildConnVal(),
-			msg->BuildHdrVal(),
-			msg->BuildAnswerVal(),
-			new StringVal(new BroString(name, name_end - name, 1)),
-			char_strings,
-		});
-	else
-		Unref(char_strings);
+		analyzer->EnqueueConnEvent(dns_NSEC,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
+			make_intrusive<StringVal>(new BroString(name, name_end - name, 1)),
+			std::move(char_strings)
+		);
 
 	return 1;
 	}
@@ -1122,12 +1108,12 @@ int DNS_Interpreter::ParseRR_NSEC3(DNS_MsgInfo* msg,
 		nsec3.nsec_hash = hash_val;
 		nsec3.bitmaps = char_strings;
 
-		analyzer->ConnectionEventFast(dns_NSEC3, {
-			analyzer->BuildConnVal(),
-			msg->BuildHdrVal(),
-			msg->BuildAnswerVal(),
-			msg->BuildNSEC3_Val(&nsec3),
-		});
+		analyzer->EnqueueConnEvent(dns_NSEC3,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildNSEC3_Val(&nsec3)}
+		);
 		}
 	else
 		Unref(char_strings);
@@ -1182,12 +1168,12 @@ int DNS_Interpreter::ParseRR_DS(DNS_MsgInfo* msg,
 		ds.digest_type = ds_dtype;
 		ds.digest_val = ds_digest;
 
-		analyzer->ConnectionEventFast(dns_DS, {
-			analyzer->BuildConnVal(),
-			msg->BuildHdrVal(),
-			msg->BuildAnswerVal(),
-			msg->BuildDS_Val(&ds),
-		});
+		analyzer->EnqueueConnEvent(dns_DS,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildDS_Val(&ds)}
+		);
 		}
 
 	return 1;
@@ -1205,14 +1191,12 @@ int DNS_Interpreter::ParseRR_A(DNS_MsgInfo* msg,
 	uint32_t addr = ExtractLong(data, len);
 
 	if ( dns_A_reply && ! msg->skip_event )
-		{
-		analyzer->ConnectionEventFast(dns_A_reply, {
-			analyzer->BuildConnVal(),
-			msg->BuildHdrVal(),
-			msg->BuildAnswerVal(),
-			new AddrVal(htonl(addr)),
-		});
-		}
+		analyzer->EnqueueConnEvent(dns_A_reply,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
+			make_intrusive<AddrVal>(htonl(addr))
+		);
 
 	return 1;
 	}
@@ -1241,15 +1225,14 @@ int DNS_Interpreter::ParseRR_AAAA(DNS_MsgInfo* msg,
 		event = dns_AAAA_reply;
 	else
 		event = dns_A6_reply;
+
 	if ( event && ! msg->skip_event )
-		{
-		analyzer->ConnectionEventFast(event, {
-			analyzer->BuildConnVal(),
-			msg->BuildHdrVal(),
-			msg->BuildAnswerVal(),
-			new AddrVal(addr),
-		});
-		}
+		analyzer->EnqueueConnEvent(event,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
+			make_intrusive<AddrVal>(addr)
+		);
 
 	return 1;
 	}
@@ -1311,21 +1294,19 @@ int DNS_Interpreter::ParseRR_TXT(DNS_MsgInfo* msg,
 		return 1;
 		}
 
-	VectorVal* char_strings = new VectorVal(string_vec);
+	auto char_strings = make_intrusive<VectorVal>(string_vec);
 	StringVal* char_string;
 
 	while ( (char_string = extract_char_string(analyzer, data, len, rdlength)) )
 		char_strings->Assign(char_strings->Size(), char_string);
 
 	if ( dns_TXT_reply )
-		analyzer->ConnectionEventFast(dns_TXT_reply, {
-			analyzer->BuildConnVal(),
-			msg->BuildHdrVal(),
-			msg->BuildAnswerVal(),
-			char_strings,
-		});
-	else
-		Unref(char_strings);
+		analyzer->EnqueueConnEvent(dns_TXT_reply,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
+			std::move(char_strings)
+		);
 
 	return rdlength == 0;
 	}
@@ -1341,21 +1322,19 @@ int DNS_Interpreter::ParseRR_SPF(DNS_MsgInfo* msg,
 		return 1;
 		}
 
-	VectorVal* char_strings = new VectorVal(string_vec);
+	auto char_strings = make_intrusive<VectorVal>(string_vec);
 	StringVal* char_string;
 
 	while ( (char_string = extract_char_string(analyzer, data, len, rdlength)) )
 		char_strings->Assign(char_strings->Size(), char_string);
 
 	if ( dns_SPF_reply )
-		analyzer->ConnectionEventFast(dns_SPF_reply, {
-			analyzer->BuildConnVal(),
-			msg->BuildHdrVal(),
-			msg->BuildAnswerVal(),
-			char_strings,
-		});
-	else
-		Unref(char_strings);
+		analyzer->EnqueueConnEvent(dns_SPF_reply,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
+			std::move(char_strings)
+		);
 
 	return rdlength == 0;
 	}
@@ -1391,14 +1370,14 @@ int DNS_Interpreter::ParseRR_CAA(DNS_MsgInfo* msg,
 	rdlength -= value->Len();
 
 	if ( dns_CAA_reply )
-		analyzer->ConnectionEventFast(dns_CAA_reply, {
-			analyzer->BuildConnVal(),
-			msg->BuildHdrVal(),
-			msg->BuildAnswerVal(),
-			val_mgr->GetCount(flags),
-			new StringVal(tag),
-			new StringVal(value),
-		});
+		analyzer->EnqueueConnEvent(dns_CAA_reply,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(flags)},
+			make_intrusive<StringVal>(tag),
+			make_intrusive<StringVal>(value)
+		);
 	else
 		{
 		delete tag;
@@ -1419,13 +1398,13 @@ void DNS_Interpreter::SendReplyOrRejectEvent(DNS_MsgInfo* msg,
 
 	assert(event);
 
-	analyzer->ConnectionEventFast(event, {
-		analyzer->BuildConnVal(),
-		msg->BuildHdrVal(),
-		new StringVal(question_name),
-		val_mgr->GetCount(qtype),
-		val_mgr->GetCount(qclass),
-	});
+	analyzer->EnqueueConnEvent(event,
+		IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+		IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
+		make_intrusive<StringVal>(question_name),
+		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(qtype)},
+		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(qclass)}
+	);
 	}
 
 
diff --git a/src/analyzer/protocol/file/File.cc b/src/analyzer/protocol/file/File.cc
index 0d32f08ff0..7dca15c119 100644
--- a/src/analyzer/protocol/file/File.cc
+++ b/src/analyzer/protocol/file/File.cc
@@ -79,10 +79,10 @@ void File_Analyzer::Identify()
 	                               : *(matches.begin()->second.begin());
 
 	if ( file_transferred )
-		ConnectionEventFast(file_transferred, {
-			BuildConnVal(),
-			new StringVal(buffer_len, buffer),
-			new StringVal("<unknown>"),
-			new StringVal(match),
-		});
+		EnqueueConnEvent(file_transferred,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			make_intrusive<StringVal>(buffer_len, buffer),
+			make_intrusive<StringVal>("<unknown>"),
+			make_intrusive<StringVal>(match)
+		);
 	}
diff --git a/src/analyzer/protocol/finger/Finger.cc b/src/analyzer/protocol/finger/Finger.cc
index 127ab048e1..cbb1e94ce0 100644
--- a/src/analyzer/protocol/finger/Finger.cc
+++ b/src/analyzer/protocol/finger/Finger.cc
@@ -67,14 +67,12 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig
 			host = at + 1;
 
 		if ( finger_request )
-			{
-			ConnectionEventFast(finger_request, {
-				BuildConnVal(),
-				val_mgr->GetBool(long_cnt),
-				new StringVal(at - line, line),
-				new StringVal(end_of_line - host, host),
-			});
-			}
+			EnqueueConnEvent(finger_request,
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(long_cnt)},
+				make_intrusive<StringVal>(at - line, line),
+				make_intrusive<StringVal>(end_of_line - host, host)
+			);
 
 		Conn()->Match(Rule::FINGER, (const u_char *) line,
 			  end_of_line - line, true, true, 1, true);
@@ -87,9 +85,9 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig
 		if ( ! finger_reply )
 			return;
 
-		ConnectionEventFast(finger_reply, {
-			BuildConnVal(),
-			new StringVal(end_of_line - line, line),
-		});
+		EnqueueConnEvent(finger_reply,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			make_intrusive<StringVal>(end_of_line - line, line)
+		);
 		}
 	}
diff --git a/src/analyzer/protocol/ftp/FTP.cc b/src/analyzer/protocol/ftp/FTP.cc
index 820a193958..a9b658e06b 100644
--- a/src/analyzer/protocol/ftp/FTP.cc
+++ b/src/analyzer/protocol/ftp/FTP.cc
@@ -75,7 +75,7 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
 		// Could emit "ftp empty request/reply" weird, but maybe not worth it.
 		return;
 
-	val_list vl;
+	zeek::Args vl;
 
 	EventHandlerPtr f;
 	if ( orig )
@@ -96,10 +96,10 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
 		else
 			cmd_str = (new StringVal(cmd_len, cmd))->ToUpper();
 
-		vl = val_list{
-			BuildConnVal(),
-			cmd_str,
-			new StringVal(end_of_line - line, line),
+		vl = {
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, cmd_str},
+			make_intrusive<StringVal>(end_of_line - line, line),
 		};
 
 		f = ftp_request;
@@ -175,17 +175,17 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
 				}
 			}
 
-		vl = val_list{
-			BuildConnVal(),
-			val_mgr->GetCount(reply_code),
-			new StringVal(end_of_line - line, line),
-			val_mgr->GetBool(cont_resp),
+		vl = {
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(reply_code)},
+			make_intrusive<StringVal>(end_of_line - line, line),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(cont_resp)}
 		};
 
 		f = ftp_reply;
 		}
 
-	ConnectionEvent(f, std::move(vl));
+	EnqueueConnEvent(f, std::move(vl));
 
 	ForwardStream(length, data, orig);
 	}
diff --git a/src/analyzer/protocol/gnutella/Gnutella.cc b/src/analyzer/protocol/gnutella/Gnutella.cc
index 7cc6285c8c..abb1bb892e 100644
--- a/src/analyzer/protocol/gnutella/Gnutella.cc
+++ b/src/analyzer/protocol/gnutella/Gnutella.cc
@@ -59,9 +59,9 @@ void Gnutella_Analyzer::Done()
 	if ( ! sent_establish && (gnutella_establish || gnutella_not_establish) )
 		{
 		if ( Established() && gnutella_establish )
-			ConnectionEventFast(gnutella_establish, {BuildConnVal()});
+			EnqueueConnEvent(gnutella_establish, IntrusivePtr{AdoptRef{}, BuildConnVal()});
 		else if ( ! Established () && gnutella_not_establish )
-			ConnectionEventFast(gnutella_not_establish, {BuildConnVal()});
+			EnqueueConnEvent(gnutella_not_establish, IntrusivePtr{AdoptRef{}, BuildConnVal()});
 		}
 
 	if ( gnutella_partial_binary_msg )
@@ -71,14 +71,12 @@ void Gnutella_Analyzer::Done()
 		for ( int i = 0; i < 2; ++i, p = resp_msg_state )
 			{
 			if ( ! p->msg_sent && p->msg_pos )
-				{
-				ConnectionEventFast(gnutella_partial_binary_msg, {
-					BuildConnVal(),
-					new StringVal(p->msg),
-					val_mgr->GetBool((i == 0)),
-					val_mgr->GetCount(p->msg_pos),
-				});
-				}
+				EnqueueConnEvent(gnutella_partial_binary_msg,
+					IntrusivePtr{AdoptRef{}, BuildConnVal()},
+					make_intrusive<StringVal>(p->msg),
+					IntrusivePtr{AdoptRef{}, val_mgr->GetBool((i == 0))},
+					IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->msg_pos)}
+				);
 
 			else if ( ! p->msg_sent && p->payload_left )
 				SendEvents(p, (i == 0));
@@ -120,9 +118,7 @@ int Gnutella_Analyzer::IsHTTP(string header)
 		return 0;
 
 	if ( gnutella_http_notify )
-		{
-		ConnectionEventFast(gnutella_http_notify, {BuildConnVal()});
-		}
+		EnqueueConnEvent(gnutella_http_notify, IntrusivePtr{AdoptRef{}, BuildConnVal()});
 
 	analyzer::Analyzer* a = analyzer_mgr->InstantiateAnalyzer("HTTP", Conn());
 
@@ -180,13 +176,11 @@ void Gnutella_Analyzer::DeliverLines(int len, const u_char* data, bool orig)
 		else
 			{
 			if ( gnutella_text_msg )
-				{
-				ConnectionEventFast(gnutella_text_msg, {
-					BuildConnVal(),
-					val_mgr->GetBool(orig),
-					new StringVal(ms->headers.data()),
-				});
-				}
+				EnqueueConnEvent(gnutella_text_msg,
+					IntrusivePtr{AdoptRef{}, BuildConnVal()},
+					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+					make_intrusive<StringVal>(ms->headers.data())
+				);
 
 			ms->headers = "";
 			state |= new_state;
@@ -195,7 +189,7 @@ void Gnutella_Analyzer::DeliverLines(int len, const u_char* data, bool orig)
 				{
 				sent_establish = 1;
 
-				ConnectionEventFast(gnutella_establish, {BuildConnVal()});
+				EnqueueConnEvent(gnutella_establish, IntrusivePtr{AdoptRef{}, BuildConnVal()});
 				}
 			}
 		}
@@ -220,20 +214,18 @@ void Gnutella_Analyzer::SendEvents(GnutellaMsgState* p, bool is_orig)
 		return;
 
 	if ( gnutella_binary_msg )
-		{
-		ConnectionEventFast(gnutella_binary_msg, {
-			BuildConnVal(),
-			val_mgr->GetBool(is_orig),
-			val_mgr->GetCount(p->msg_type),
-			val_mgr->GetCount(p->msg_ttl),
-			val_mgr->GetCount(p->msg_hops),
-			val_mgr->GetCount(p->msg_len),
-			new StringVal(p->payload),
-			val_mgr->GetCount(p->payload_len),
-			val_mgr->GetBool((p->payload_len < min(p->msg_len, (unsigned int)GNUTELLA_MAX_PAYLOAD))),
-			val_mgr->GetBool((p->payload_left == 0)),
-		});
-		}
+		EnqueueConnEvent(gnutella_binary_msg,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->msg_type)},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->msg_ttl)},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->msg_hops)},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->msg_len)},
+			make_intrusive<StringVal>(p->payload),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->payload_len)},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool((p->payload_len < min(p->msg_len, (unsigned int)GNUTELLA_MAX_PAYLOAD)))},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool((p->payload_left == 0))}
+		);
 	}
 
 
diff --git a/src/analyzer/protocol/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc
index 7c7190d936..afae705756 100644
--- a/src/analyzer/protocol/http/HTTP.cc
+++ b/src/analyzer/protocol/http/HTTP.cc
@@ -649,13 +649,11 @@ void HTTP_Message::Done(const int interrupted, const char* detail)
 		}
 
 	if ( http_message_done )
-		{
-		GetAnalyzer()->ConnectionEventFast(http_message_done, {
-			analyzer->BuildConnVal(),
-			val_mgr->GetBool(is_orig),
-			BuildMessageStat(interrupted, detail),
-		});
-		}
+		GetAnalyzer()->EnqueueConnEvent(http_message_done,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
+			IntrusivePtr{AdoptRef{}, BuildMessageStat(interrupted, detail)}
+		);
 
 	MyHTTP_Analyzer()->HTTP_MessageDone(is_orig, this);
 	}
@@ -682,12 +680,10 @@ void HTTP_Message::BeginEntity(mime::MIME_Entity* entity)
 	current_entity = (HTTP_Entity*) entity;
 
 	if ( http_begin_entity )
-		{
-		analyzer->ConnectionEventFast(http_begin_entity, {
-			analyzer->BuildConnVal(),
-			val_mgr->GetBool(is_orig),
-		});
-		}
+		analyzer->EnqueueConnEvent(http_begin_entity,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}
+		);
 	}
 
 void HTTP_Message::EndEntity(mime::MIME_Entity* entity)
@@ -699,12 +695,10 @@ void HTTP_Message::EndEntity(mime::MIME_Entity* entity)
 	header_length += ((HTTP_Entity*) entity)->HeaderLength();
 
 	if ( http_end_entity )
-		{
-		analyzer->ConnectionEventFast(http_end_entity, {
-			analyzer->BuildConnVal(),
-			val_mgr->GetBool(is_orig),
-		});
-		}
+		analyzer->EnqueueConnEvent(http_end_entity,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}
+		);
 
 	current_entity = (HTTP_Entity*) entity->Parent();
 
@@ -740,27 +734,23 @@ void HTTP_Message::SubmitHeader(mime::MIME_Header* h)
 void HTTP_Message::SubmitAllHeaders(mime::MIME_HeaderList& hlist)
 	{
 	if ( http_all_headers )
-		{
-		analyzer->ConnectionEventFast(http_all_headers, {
-			analyzer->BuildConnVal(),
-			val_mgr->GetBool(is_orig),
-			BuildHeaderTable(hlist),
-		});
-		}
+		analyzer->EnqueueConnEvent(http_all_headers,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
+			IntrusivePtr{AdoptRef{}, BuildHeaderTable(hlist)}
+		);
 
 	if ( http_content_type )
 		{
 		StringVal* ty = current_entity->ContentType();
 		StringVal* subty = current_entity->ContentSubType();
-		ty->Ref();
-		subty->Ref();
 
-		analyzer->ConnectionEventFast(http_content_type, {
-			analyzer->BuildConnVal(),
-			val_mgr->GetBool(is_orig),
-			ty,
-			subty,
-		});
+		analyzer->EnqueueConnEvent(http_content_type,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
+			IntrusivePtr{NewRef{}, ty},
+			IntrusivePtr{NewRef{}, subty}
+		);
 		}
 	}
 
@@ -1182,14 +1172,14 @@ void HTTP_Analyzer::GenStats()
 	{
 	if ( http_stats )
 		{
-		RecordVal* r = new RecordVal(http_stats_rec);
+		auto r = make_intrusive<RecordVal>(http_stats_rec);
 		r->Assign(0, val_mgr->GetCount(num_requests));
 		r->Assign(1, val_mgr->GetCount(num_replies));
 		r->Assign(2, make_intrusive<Val>(request_version.ToDouble(), TYPE_DOUBLE));
 		r->Assign(3, make_intrusive<Val>(reply_version.ToDouble(), TYPE_DOUBLE));
 
 		// DEBUG_MSG("%.6f http_stats\n", network_time);
-		ConnectionEventFast(http_stats, {BuildConnVal(), r});
+		EnqueueConnEvent(http_stats, IntrusivePtr{AdoptRef{}, BuildConnVal()}, std::move(r));
 		}
 	}
 
@@ -1387,16 +1377,14 @@ void HTTP_Analyzer::HTTP_Event(const char* category, const char* detail)
 void HTTP_Analyzer::HTTP_Event(const char* category, StringVal* detail)
 	{
 	if ( http_event )
-		{
 		// DEBUG_MSG("%.6f http_event\n", network_time);
-		ConnectionEventFast(http_event, {
-			BuildConnVal(),
-			new StringVal(category),
-			detail,
-		});
-		}
+		EnqueueConnEvent(http_event,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			make_intrusive<StringVal>(category),
+			IntrusivePtr{AdoptRef{}, detail}
+		);
 	else
-		delete detail;
+		Unref(detail);
 	}
 
 StringVal* HTTP_Analyzer::TruncateURI(StringVal* uri)
@@ -1428,33 +1416,27 @@ void HTTP_Analyzer::HTTP_Request()
 		connect_request = true;
 
 	if ( http_request )
-		{
-		Ref(request_method);
-
 		// DEBUG_MSG("%.6f http_request\n", network_time);
-		ConnectionEventFast(http_request, {
-			BuildConnVal(),
-			request_method,
-			TruncateURI(request_URI->AsStringVal()),
-			TruncateURI(unescaped_URI->AsStringVal()),
-			new StringVal(fmt("%.1f", request_version.ToDouble())),
-		});
-		}
+		EnqueueConnEvent(http_request,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{NewRef{}, request_method},
+			IntrusivePtr{AdoptRef{}, TruncateURI(request_URI->AsStringVal())},
+			IntrusivePtr{AdoptRef{}, TruncateURI(unescaped_URI->AsStringVal())},
+			make_intrusive<StringVal>(fmt("%.1f", request_version.ToDouble()))
+		);
 	}
 
 void HTTP_Analyzer::HTTP_Reply()
 	{
 	if ( http_reply )
-		{
-		ConnectionEventFast(http_reply, {
-			BuildConnVal(),
-			new StringVal(fmt("%.1f", reply_version.ToDouble())),
-			val_mgr->GetCount(reply_code),
+		EnqueueConnEvent(http_reply,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			make_intrusive<StringVal>(fmt("%.1f", reply_version.ToDouble())),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(reply_code)},
 			reply_reason_phrase ?
-				reply_reason_phrase->Ref() :
-				new StringVal("<empty>"),
-		});
-		}
+				IntrusivePtr{NewRef{}, reply_reason_phrase} :
+				make_intrusive<StringVal>("<empty>")
+		);
 	else
 		{
 		Unref(reply_reason_phrase);
@@ -1524,12 +1506,10 @@ void HTTP_Analyzer::ReplyMade(const int interrupted, const char* msg)
 		RemoveSupportAnalyzer(content_line_resp);
 
 		if ( http_connection_upgrade )
-			{
-			ConnectionEventFast(http_connection_upgrade, {
-				BuildConnVal(),
-				new StringVal(upgrade_protocol),
-			});
-			}
+			EnqueueConnEvent(http_connection_upgrade,
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				make_intrusive<StringVal>(upgrade_protocol)
+			);
 		}
 
 	reply_code = 0;
@@ -1690,26 +1670,24 @@ void HTTP_Analyzer::HTTP_Header(int is_orig, mime::MIME_Header* h)
 		if ( DEBUG_http )
 			DEBUG_MSG("%.6f http_header\n", network_time);
 
-		ConnectionEventFast(http_header, {
-			BuildConnVal(),
-			val_mgr->GetBool(is_orig),
-			mime::new_string_val(h->get_name())->ToUpper(),
-			mime::new_string_val(h->get_value()),
-		});
+		EnqueueConnEvent(http_header,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
+			IntrusivePtr{AdoptRef{}, mime::new_string_val(h->get_name())->ToUpper()},
+			IntrusivePtr{AdoptRef{}, mime::new_string_val(h->get_value())}
+		);
 		}
 	}
 
 void HTTP_Analyzer::HTTP_EntityData(int is_orig, BroString* entity_data)
 	{
 	if ( http_entity_data )
-		{
-		ConnectionEventFast(http_entity_data, {
-			BuildConnVal(),
-			val_mgr->GetBool(is_orig),
-			val_mgr->GetCount(entity_data->Len()),
-			new StringVal(entity_data),
-		});
-		}
+		EnqueueConnEvent(http_entity_data,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(entity_data->Len())},
+			make_intrusive<StringVal>(entity_data)
+		);
 	else
 		delete entity_data;
 	}
diff --git a/src/analyzer/protocol/icmp/ICMP.cc b/src/analyzer/protocol/icmp/ICMP.cc
index 9595d6a795..1a3cb6ad34 100644
--- a/src/analyzer/protocol/icmp/ICMP.cc
+++ b/src/analyzer/protocol/icmp/ICMP.cc
@@ -202,22 +202,20 @@ void ICMP_Analyzer::ICMP_Sent(const struct icmp* icmpp, int len, int caplen,
                               const IP_Hdr* ip_hdr)
     {
 	if ( icmp_sent )
-		{
-		ConnectionEventFast(icmp_sent, {
-			BuildConnVal(),
-			BuildICMPVal(icmpp, len, icmpv6, ip_hdr),
-		});
-		}
+		EnqueueConnEvent(icmp_sent,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, icmpv6, ip_hdr)}
+		);
 
 	if ( icmp_sent_payload )
 		{
 		BroString* payload = new BroString(data, min(len, caplen), 0);
 
-		ConnectionEventFast(icmp_sent_payload, {
-			BuildConnVal(),
-			BuildICMPVal(icmpp, len, icmpv6, ip_hdr),
-			new StringVal(payload),
-		});
+		EnqueueConnEvent(icmp_sent_payload,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, icmpv6, ip_hdr)},
+			make_intrusive<StringVal>(payload)
+		);
 		}
 	}
 
@@ -516,13 +514,13 @@ void ICMP_Analyzer::Echo(double t, const struct icmp* icmpp, int len,
 
 	BroString* payload = new BroString(data, caplen, 0);
 
-	ConnectionEventFast(f, {
-		BuildConnVal(),
-		BuildICMPVal(icmpp, len, ip_hdr->NextProto() != IPPROTO_ICMP, ip_hdr),
-		val_mgr->GetCount(iid),
-		val_mgr->GetCount(iseq),
-		new StringVal(payload),
-	});
+	EnqueueConnEvent(f,
+		IntrusivePtr{AdoptRef{}, BuildConnVal()},
+		IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, ip_hdr->NextProto() != IPPROTO_ICMP, ip_hdr)},
+		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(iid)},
+		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(iseq)},
+		make_intrusive<StringVal>(payload)
+	);
 	}
 
 
@@ -544,21 +542,21 @@ void ICMP_Analyzer::RouterAdvert(double t, const struct icmp* icmpp, int len,
 
 	int opt_offset = sizeof(reachable) + sizeof(retrans);
 
-	ConnectionEventFast(f, {
-		BuildConnVal(),
-		BuildICMPVal(icmpp, len, 1, ip_hdr),
-		val_mgr->GetCount(icmpp->icmp_num_addrs), // Cur Hop Limit
-		val_mgr->GetBool(icmpp->icmp_wpa & 0x80), // Managed
-		val_mgr->GetBool(icmpp->icmp_wpa & 0x40), // Other
-		val_mgr->GetBool(icmpp->icmp_wpa & 0x20), // Home Agent
-		val_mgr->GetCount((icmpp->icmp_wpa & 0x18)>>3), // Pref
-		val_mgr->GetBool(icmpp->icmp_wpa & 0x04), // Proxy
-		val_mgr->GetCount(icmpp->icmp_wpa & 0x02), // Reserved
-		new IntervalVal((double)ntohs(icmpp->icmp_lifetime), Seconds),
-		new IntervalVal((double)ntohl(reachable), Milliseconds),
-		new IntervalVal((double)ntohl(retrans), Milliseconds),
-		BuildNDOptionsVal(caplen - opt_offset, data + opt_offset),
-	});
+	EnqueueConnEvent(f,
+		IntrusivePtr{AdoptRef{}, BuildConnVal()},
+		IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
+		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(icmpp->icmp_num_addrs)}, // Cur Hop Limit
+		IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_wpa & 0x80)}, // Managed
+		IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_wpa & 0x40)}, // Other
+		IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_wpa & 0x20)}, // Home Agent
+		IntrusivePtr{AdoptRef{}, val_mgr->GetCount((icmpp->icmp_wpa & 0x18)>>3)}, // Pref
+		IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_wpa & 0x04)}, // Proxy
+		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(icmpp->icmp_wpa & 0x02)}, // Reserved
+		make_intrusive<IntervalVal>((double)ntohs(icmpp->icmp_lifetime), Seconds),
+		make_intrusive<IntervalVal>((double)ntohl(reachable), Milliseconds),
+		make_intrusive<IntervalVal>((double)ntohl(retrans), Milliseconds),
+		IntrusivePtr{AdoptRef{}, BuildNDOptionsVal(caplen - opt_offset, data + opt_offset)}
+	);
 	}
 
 
@@ -577,15 +575,15 @@ void ICMP_Analyzer::NeighborAdvert(double t, const struct icmp* icmpp, int len,
 
 	int opt_offset = sizeof(in6_addr);
 
-	ConnectionEventFast(f, {
-		BuildConnVal(),
-		BuildICMPVal(icmpp, len, 1, ip_hdr),
-		val_mgr->GetBool(icmpp->icmp_num_addrs & 0x80), // Router
-		val_mgr->GetBool(icmpp->icmp_num_addrs & 0x40), // Solicited
-		val_mgr->GetBool(icmpp->icmp_num_addrs & 0x20), // Override
-		new AddrVal(tgtaddr),
-		BuildNDOptionsVal(caplen - opt_offset, data + opt_offset),
-	});
+	EnqueueConnEvent(f,
+		IntrusivePtr{AdoptRef{}, BuildConnVal()},
+		IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
+		IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_num_addrs & 0x80)}, // Router
+		IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_num_addrs & 0x40)}, // Solicited
+		IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_num_addrs & 0x20)}, // Override
+		make_intrusive<AddrVal>(tgtaddr),
+		IntrusivePtr{AdoptRef{}, BuildNDOptionsVal(caplen - opt_offset, data + opt_offset)}
+	);
 	}
 
 
@@ -604,12 +602,12 @@ void ICMP_Analyzer::NeighborSolicit(double t, const struct icmp* icmpp, int len,
 
 	int opt_offset = sizeof(in6_addr);
 
-	ConnectionEventFast(f, {
-		BuildConnVal(),
-		BuildICMPVal(icmpp, len, 1, ip_hdr),
-		new AddrVal(tgtaddr),
-		BuildNDOptionsVal(caplen - opt_offset, data + opt_offset),
-	});
+	EnqueueConnEvent(f,
+		IntrusivePtr{AdoptRef{}, BuildConnVal()},
+		IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
+		make_intrusive<AddrVal>(tgtaddr),
+		IntrusivePtr{AdoptRef{}, BuildNDOptionsVal(caplen - opt_offset, data + opt_offset)}
+	);
 	}
 
 
@@ -631,13 +629,13 @@ void ICMP_Analyzer::Redirect(double t, const struct icmp* icmpp, int len,
 
 	int opt_offset = 2 * sizeof(in6_addr);
 
-	ConnectionEventFast(f, {
-		BuildConnVal(),
-		BuildICMPVal(icmpp, len, 1, ip_hdr),
-		new AddrVal(tgtaddr),
-		new AddrVal(dstaddr),
-		BuildNDOptionsVal(caplen - opt_offset, data + opt_offset),
-	});
+	EnqueueConnEvent(f,
+		IntrusivePtr{AdoptRef{}, BuildConnVal()},
+		IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
+		make_intrusive<AddrVal>(tgtaddr),
+		make_intrusive<AddrVal>(dstaddr),
+		IntrusivePtr{AdoptRef{}, BuildNDOptionsVal(caplen - opt_offset, data + opt_offset)}
+	);
 	}
 
 
@@ -649,11 +647,11 @@ void ICMP_Analyzer::RouterSolicit(double t, const struct icmp* icmpp, int len,
 	if ( ! f )
 		return;
 
-	ConnectionEventFast(f, {
-		BuildConnVal(),
-		BuildICMPVal(icmpp, len, 1, ip_hdr),
-		BuildNDOptionsVal(caplen, data),
-	});
+	EnqueueConnEvent(f,
+		IntrusivePtr{AdoptRef{}, BuildConnVal()},
+		IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
+		IntrusivePtr{AdoptRef{}, BuildNDOptionsVal(caplen, data)}
+	);
 	}
 
 
@@ -674,14 +672,12 @@ void ICMP_Analyzer::Context4(double t, const struct icmp* icmpp,
 		}
 
 	if ( f )
-		{
-		ConnectionEventFast(f, {
-			BuildConnVal(),
-			BuildICMPVal(icmpp, len, 0, ip_hdr),
-			val_mgr->GetCount(icmpp->icmp_code),
-			ExtractICMP4Context(caplen, data),
-		});
-		}
+		EnqueueConnEvent(f,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 0, ip_hdr)},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(icmpp->icmp_code)},
+			IntrusivePtr{AdoptRef{}, ExtractICMP4Context(caplen, data)}
+		);
 	}
 
 
@@ -714,14 +710,12 @@ void ICMP_Analyzer::Context6(double t, const struct icmp* icmpp,
 		}
 
 	if ( f )
-		{
-		ConnectionEventFast(f, {
-			BuildConnVal(),
-			BuildICMPVal(icmpp, len, 1, ip_hdr),
-			val_mgr->GetCount(icmpp->icmp_code),
-			ExtractICMP6Context(caplen, data),
-		});
-		}
+		EnqueueConnEvent(f,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(icmpp->icmp_code)},
+			IntrusivePtr{AdoptRef{}, ExtractICMP6Context(caplen, data)}
+		);
 	}
 
 VectorVal* ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* data)
diff --git a/src/analyzer/protocol/ident/Ident.cc b/src/analyzer/protocol/ident/Ident.cc
index 2ccb66dbb9..eb9a7d71df 100644
--- a/src/analyzer/protocol/ident/Ident.cc
+++ b/src/analyzer/protocol/ident/Ident.cc
@@ -84,11 +84,11 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
 			Weird("ident_request_addendum", s.CheckString());
 			}
 
-		ConnectionEventFast(ident_request, {
-			BuildConnVal(),
-			val_mgr->GetPort(local_port, TRANSPORT_TCP),
-			val_mgr->GetPort(remote_port, TRANSPORT_TCP),
-		});
+		EnqueueConnEvent(ident_request,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetPort(local_port, TRANSPORT_TCP)},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetPort(remote_port, TRANSPORT_TCP)}
+		);
 
 		did_deliver = true;
 		}
@@ -145,12 +145,12 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
 		if ( is_error )
 			{
 			if ( ident_error )
-				ConnectionEventFast(ident_error, {
-					BuildConnVal(),
-					val_mgr->GetPort(local_port, TRANSPORT_TCP),
-					val_mgr->GetPort(remote_port, TRANSPORT_TCP),
-					new StringVal(end_of_line - line, line),
-				});
+				EnqueueConnEvent(ident_error,
+					IntrusivePtr{AdoptRef{}, BuildConnVal()},
+					IntrusivePtr{AdoptRef{}, val_mgr->GetPort(local_port, TRANSPORT_TCP)},
+					IntrusivePtr{AdoptRef{}, val_mgr->GetPort(remote_port, TRANSPORT_TCP)},
+					make_intrusive<StringVal>(end_of_line - line, line)
+				);
 			}
 
 		else
@@ -178,13 +178,13 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
 
 			line = skip_whitespace(colon + 1, end_of_line);
 
-			ConnectionEventFast(ident_reply, {
-				BuildConnVal(),
-				val_mgr->GetPort(local_port, TRANSPORT_TCP),
-				val_mgr->GetPort(remote_port, TRANSPORT_TCP),
-				new StringVal(end_of_line - line, line),
-				new StringVal(sys_type_s),
-			});
+			EnqueueConnEvent(ident_reply,
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetPort(local_port, TRANSPORT_TCP)},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetPort(remote_port, TRANSPORT_TCP)},
+				make_intrusive<StringVal>(end_of_line - line, line),
+				make_intrusive<StringVal>(sys_type_s)
+			);
 			}
 		}
 	}
diff --git a/src/analyzer/protocol/irc/IRC.cc b/src/analyzer/protocol/irc/IRC.cc
index d380b7742c..ff9bb4cb4c 100644
--- a/src/analyzer/protocol/irc/IRC.cc
+++ b/src/analyzer/protocol/irc/IRC.cc
@@ -233,13 +233,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				// else ###
 				}
 
-			ConnectionEventFast(irc_network_info, {
-				BuildConnVal(),
-				val_mgr->GetBool(orig),
-				val_mgr->GetInt(users),
-				val_mgr->GetInt(services),
-				val_mgr->GetInt(servers),
-			});
+			EnqueueConnEvent(irc_network_info,
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetInt(users)},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetInt(services)},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetInt(servers)}
+			);
 			}
 			break;
 
@@ -270,24 +270,23 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			if ( parts.size() > 0 && parts[0][0] == ':' )
 				parts[0] = parts[0].substr(1);
 
-			TableVal* set = new TableVal({NewRef{}, string_set});
+			auto set = make_intrusive<TableVal>(IntrusivePtr{NewRef{}, string_set});
 
 			for ( unsigned int i = 0; i < parts.size(); ++i )
 				{
 				if ( parts[i][0] == '@' )
 					parts[i] = parts[i].substr(1);
-				Val* idx = new StringVal(parts[i].c_str());
-				set->Assign(idx, 0);
-				Unref(idx);
+				auto idx = make_intrusive<StringVal>(parts[i].c_str());
+				set->Assign(idx.get(), 0);
 				}
 
-			ConnectionEventFast(irc_names_info, {
-				BuildConnVal(),
-				val_mgr->GetBool(orig),
-				new StringVal(type.c_str()),
-				new StringVal(channel.c_str()),
-				set,
-			});
+			EnqueueConnEvent(irc_names_info,
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+				make_intrusive<StringVal>(type.c_str()),
+				make_intrusive<StringVal>(channel.c_str()),
+				std::move(set)
+			);
 			}
 			break;
 
@@ -315,13 +314,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				// else ###
 				}
 
-			ConnectionEventFast(irc_server_info, {
-				BuildConnVal(),
-				val_mgr->GetBool(orig),
-				val_mgr->GetInt(users),
-				val_mgr->GetInt(services),
-				val_mgr->GetInt(servers),
-			});
+			EnqueueConnEvent(irc_server_info,
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetInt(users)},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetInt(services)},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetInt(servers)}
+			);
 			}
 			break;
 
@@ -337,11 +336,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				if ( parts[i] == ":channels" )
 					channels = atoi(parts[i - 1].c_str());
 
-			ConnectionEventFast(irc_channel_info, {
-				BuildConnVal(),
-				val_mgr->GetBool(orig),
-				val_mgr->GetInt(channels),
-			});
+			EnqueueConnEvent(irc_channel_info,
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetInt(channels)}
+			);
 			}
 			break;
 
@@ -369,12 +368,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				break;
 				}
 
-			ConnectionEventFast(irc_global_users, {
-				BuildConnVal(),
-				val_mgr->GetBool(orig),
-				new StringVal(eop - prefix, prefix),
-				new StringVal(++msg),
-			});
+			EnqueueConnEvent(irc_global_users,
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+				make_intrusive<StringVal>(eop - prefix, prefix),
+				make_intrusive<StringVal>(++msg)
+			);
 			break;
 			}
 
@@ -394,12 +393,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				return;
 				}
 
-			val_list vl(6);
-			vl.push_back(BuildConnVal());
-			vl.push_back(val_mgr->GetBool(orig));
-			vl.push_back(new StringVal(parts[0].c_str()));
-			vl.push_back(new StringVal(parts[1].c_str()));
-			vl.push_back(new StringVal(parts[2].c_str()));
+			zeek::Args vl;
+			vl.reserve(6);
+			vl.emplace_back(AdoptRef{}, BuildConnVal());
+			vl.emplace_back(AdoptRef{}, val_mgr->GetBool(orig));
+			vl.emplace_back(make_intrusive<StringVal>(parts[0].c_str()));
+			vl.emplace_back(make_intrusive<StringVal>(parts[1].c_str()));
+			vl.emplace_back(make_intrusive<StringVal>(parts[2].c_str()));
 
 			parts.erase(parts.begin(), parts.begin() + 4);
 
@@ -410,9 +410,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			if ( real_name[0] == ':' )
 				real_name = real_name.substr(1);
 
-			vl.push_back(new StringVal(real_name.c_str()));
+			vl.emplace_back(make_intrusive<StringVal>(real_name.c_str()));
 
-			ConnectionEventFast(irc_whois_user_line, std::move(vl));
+			EnqueueConnEvent(irc_whois_user_line, std::move(vl));
 			}
 			break;
 
@@ -433,11 +433,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				return;
 				}
 
-			ConnectionEventFast(irc_whois_operator_line, {
-				BuildConnVal(),
-				val_mgr->GetBool(orig),
-				new StringVal(parts[0].c_str()),
-			});
+			EnqueueConnEvent(irc_whois_operator_line,
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+				make_intrusive<StringVal>(parts[0].c_str())
+			);
 			}
 			break;
 
@@ -463,21 +463,20 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			if ( parts.size() > 0 && parts[0][0] == ':' )
 				parts[0] = parts[0].substr(1);
 
-			TableVal* set = new TableVal({NewRef{}, string_set});
+			auto set = make_intrusive<TableVal>(IntrusivePtr{NewRef{}, string_set});
 
 			for ( unsigned int i = 0; i < parts.size(); ++i )
 				{
-				Val* idx = new StringVal(parts[i].c_str());
-				set->Assign(idx, 0);
-				Unref(idx);
+				auto idx = make_intrusive<StringVal>(parts[i].c_str());
+				set->Assign(idx.get(), 0);
 				}
 
-			ConnectionEventFast(irc_whois_channel_line, {
-				BuildConnVal(),
-				val_mgr->GetBool(orig),
-				new StringVal(nick.c_str()),
-				set,
-			});
+			EnqueueConnEvent(irc_whois_channel_line,
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+				make_intrusive<StringVal>(nick.c_str()),
+				std::move(set)
+			);
 			}
 			break;
 
@@ -503,12 +502,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				if ( *t == ':' )
 					++t;
 
-				ConnectionEventFast(irc_channel_topic, {
-					BuildConnVal(),
-					val_mgr->GetBool(orig),
-					new StringVal(parts[1].c_str()),
-					new StringVal(t),
-				});
+				EnqueueConnEvent(irc_channel_topic,
+					IntrusivePtr{AdoptRef{}, BuildConnVal()},
+					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+					make_intrusive<StringVal>(parts[1].c_str()),
+					make_intrusive<StringVal>(t)
+				);
 				}
 			else
 				{
@@ -537,19 +536,19 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			if ( parts[7][0] == ':' )
 				parts[7] = parts[7].substr(1);
 
-			ConnectionEventFast(irc_who_line, {
-				BuildConnVal(),
-				val_mgr->GetBool(orig),
-				new StringVal(parts[0].c_str()),
-				new StringVal(parts[1].c_str()),
-				new StringVal(parts[2].c_str()),
-				new StringVal(parts[3].c_str()),
-				new StringVal(parts[4].c_str()),
-				new StringVal(parts[5].c_str()),
-				new StringVal(parts[6].c_str()),
-				val_mgr->GetInt(atoi(parts[7].c_str())),
-				new StringVal(parts[8].c_str()),
-			});
+			EnqueueConnEvent(irc_who_line,
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+				make_intrusive<StringVal>(parts[0].c_str()),
+				make_intrusive<StringVal>(parts[1].c_str()),
+				make_intrusive<StringVal>(parts[2].c_str()),
+				make_intrusive<StringVal>(parts[3].c_str()),
+				make_intrusive<StringVal>(parts[4].c_str()),
+				make_intrusive<StringVal>(parts[5].c_str()),
+				make_intrusive<StringVal>(parts[6].c_str()),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetInt(atoi(parts[7].c_str()))},
+				make_intrusive<StringVal>(parts[8].c_str())
+			);
 			}
 			break;
 
@@ -559,25 +558,21 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		case 433:
 		case 436:
 			if ( irc_invalid_nick )
-				{
-				ConnectionEventFast(irc_invalid_nick, {
-					BuildConnVal(),
-					val_mgr->GetBool(orig),
-				});
-				}
+				EnqueueConnEvent(irc_invalid_nick,
+					IntrusivePtr{AdoptRef{}, BuildConnVal()},
+					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)}
+				);
 			break;
 
 		// Operator responses.
 		case 381:  // User is operator
 		case 491:  // user is not operator
 			if ( irc_oper_response )
-				{
-				ConnectionEventFast(irc_oper_response, {
-					BuildConnVal(),
-					val_mgr->GetBool(orig),
-					val_mgr->GetBool(code == 381),
-				});
-				}
+				EnqueueConnEvent(irc_oper_response,
+					IntrusivePtr{AdoptRef{}, BuildConnVal()},
+					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(code == 381)}
+				);
 			break;
 
 		case 670:
@@ -588,13 +583,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		// All other server replies.
 		default:
 			if ( irc_reply )
-				ConnectionEventFast(irc_reply, {
-					BuildConnVal(),
-					val_mgr->GetBool(orig),
-					new StringVal(prefix.c_str()),
-					val_mgr->GetCount(code),
-					new StringVal(params.c_str()),
-				});
+				EnqueueConnEvent(irc_reply,
+					IntrusivePtr{AdoptRef{}, BuildConnVal()},
+					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+					make_intrusive<StringVal>(prefix.c_str()),
+					IntrusivePtr{AdoptRef{}, val_mgr->GetCount(code)},
+					make_intrusive<StringVal>(params.c_str())
+				);
 			break;
 		}
 		return;
@@ -659,31 +654,31 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 
 
 			if ( irc_dcc_message )
-				ConnectionEventFast(irc_dcc_message, {
-					BuildConnVal(),
-					val_mgr->GetBool(orig),
-					new StringVal(prefix.c_str()),
-					new StringVal(target.c_str()),
-					new StringVal(parts[1].c_str()),
-					new StringVal(parts[2].c_str()),
-					new AddrVal(htonl(raw_ip)),
-					val_mgr->GetCount(atoi(parts[4].c_str())),
-					parts.size() >= 6 ?
+				EnqueueConnEvent(irc_dcc_message,
+					IntrusivePtr{AdoptRef{}, BuildConnVal()},
+					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+					make_intrusive<StringVal>(prefix.c_str()),
+					make_intrusive<StringVal>(target.c_str()),
+					make_intrusive<StringVal>(parts[1].c_str()),
+					make_intrusive<StringVal>(parts[2].c_str()),
+					make_intrusive<AddrVal>(htonl(raw_ip)),
+					IntrusivePtr{AdoptRef{}, val_mgr->GetCount(atoi(parts[4].c_str()))},
+					IntrusivePtr{AdoptRef{}, parts.size() >= 6 ?
 						val_mgr->GetCount(atoi(parts[5].c_str())) :
-						val_mgr->GetCount(0),
-				});
+						val_mgr->GetCount(0)}
+				);
 			}
 
 		else
 			{
 			if ( irc_privmsg_message )
-				ConnectionEventFast(irc_privmsg_message, {
-					BuildConnVal(),
-					val_mgr->GetBool(orig),
-					new StringVal(prefix.c_str()),
-					new StringVal(target.c_str()),
-					new StringVal(message.c_str()),
-				});
+				EnqueueConnEvent(irc_privmsg_message,
+					IntrusivePtr{AdoptRef{}, BuildConnVal()},
+					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+					make_intrusive<StringVal>(prefix.c_str()),
+					make_intrusive<StringVal>(target.c_str()),
+					make_intrusive<StringVal>(message.c_str())
+				);
 			}
 		}
 
@@ -702,13 +697,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		if ( message[0] == ':' )
 			message = message.substr(1);
 
-		ConnectionEventFast(irc_notice_message, {
-			BuildConnVal(),
-			val_mgr->GetBool(orig),
-			new StringVal(prefix.c_str()),
-			new StringVal(target.c_str()),
-			new StringVal(message.c_str()),
-		});
+		EnqueueConnEvent(irc_notice_message,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+			make_intrusive<StringVal>(prefix.c_str()),
+			make_intrusive<StringVal>(target.c_str()),
+			make_intrusive<StringVal>(message.c_str())
+		);
 		}
 
 	else if ( irc_squery_message && command == "SQUERY" )
@@ -726,34 +721,35 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		if ( message[0] == ':' )
 			message = message.substr(1);
 
-		ConnectionEventFast(irc_squery_message, {
-			BuildConnVal(),
-			val_mgr->GetBool(orig),
-			new StringVal(prefix.c_str()),
-			new StringVal(target.c_str()),
-			new StringVal(message.c_str()),
-		});
+		EnqueueConnEvent(irc_squery_message,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+			make_intrusive<StringVal>(prefix.c_str()),
+			make_intrusive<StringVal>(target.c_str()),
+			make_intrusive<StringVal>(message.c_str())
+		);
 		}
 
 	else if ( irc_user_message && command == "USER" )
 		{
 		// extract username and real name
 		vector<string> parts = SplitWords(params, ' ');
-		val_list vl(6);
-		vl.push_back(BuildConnVal());
-		vl.push_back(val_mgr->GetBool(orig));
+		zeek::Args vl;
+		vl.reserve(6);
+		vl.emplace_back(AdoptRef{}, BuildConnVal());
+		vl.emplace_back(AdoptRef{}, val_mgr->GetBool(orig));
 
 		if ( parts.size() > 0 )
-			vl.push_back(new StringVal(parts[0].c_str()));
-		else vl.push_back(val_mgr->GetEmptyString());
+			vl.emplace_back(make_intrusive<StringVal>(parts[0].c_str()));
+		else vl.emplace_back(AdoptRef{}, val_mgr->GetEmptyString());
 
 		if ( parts.size() > 1 )
-			vl.push_back(new StringVal(parts[1].c_str()));
-		else vl.push_back(val_mgr->GetEmptyString());
+			vl.emplace_back(make_intrusive<StringVal>(parts[1].c_str()));
+		else vl.emplace_back(AdoptRef{}, val_mgr->GetEmptyString());
 
 		if ( parts.size() > 2 )
-			vl.push_back(new StringVal(parts[2].c_str()));
-		else vl.push_back(val_mgr->GetEmptyString());
+			vl.emplace_back(make_intrusive<StringVal>(parts[2].c_str()));
+		else vl.emplace_back(AdoptRef{}, val_mgr->GetEmptyString());
 
 		string realname;
 		for ( unsigned int i = 3; i < parts.size(); i++ )
@@ -764,9 +760,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			}
 
 		const char* name = realname.c_str();
-		vl.push_back(new StringVal(*name == ':' ? name + 1 : name));
+		vl.emplace_back(make_intrusive<StringVal>(*name == ':' ? name + 1 : name));
 
-		ConnectionEventFast(irc_user_message, std::move(vl));
+		EnqueueConnEvent(irc_user_message, std::move(vl));
 		}
 
 	else if ( irc_oper_message && command == "OPER" )
@@ -774,14 +770,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		// extract username and password
 		vector<string> parts = SplitWords(params, ' ');
 		if ( parts.size() == 2 )
-			{
-			ConnectionEventFast(irc_oper_message, {
-				BuildConnVal(),
-				val_mgr->GetBool(orig),
-				new StringVal(parts[0].c_str()),
-				new StringVal(parts[1].c_str()),
-			});
-			}
+			EnqueueConnEvent(irc_oper_message,
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+				make_intrusive<StringVal>(parts[0].c_str()),
+				make_intrusive<StringVal>(parts[1].c_str())
+			);
 
 		else
 			Weird("irc_invalid_oper_message_format");
@@ -797,12 +791,14 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			return;
 			}
 
-		val_list vl(6);
-		vl.push_back(BuildConnVal());
-		vl.push_back(val_mgr->GetBool(orig));
-		vl.push_back(new StringVal(prefix.c_str()));
-		vl.push_back(new StringVal(parts[0].c_str()));
-		vl.push_back(new StringVal(parts[1].c_str()));
+		zeek::Args vl;
+		vl.reserve(6);
+		vl.emplace_back(AdoptRef{}, BuildConnVal());
+		vl.emplace_back(AdoptRef{}, val_mgr->GetBool(orig));
+		vl.emplace_back(make_intrusive<StringVal>(prefix.c_str()));
+		vl.emplace_back(make_intrusive<StringVal>(parts[0].c_str()));
+		vl.emplace_back(make_intrusive<StringVal>(parts[1].c_str()));
+
 		if ( parts.size() > 2 )
 			{
 			string comment = parts[2];
@@ -812,12 +808,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			if ( comment[0] == ':' )
 				comment = comment.substr(1);
 
-			vl.push_back(new StringVal(comment.c_str()));
+			vl.emplace_back(make_intrusive<StringVal>(comment.c_str()));
 			}
 		else
-			vl.push_back(val_mgr->GetEmptyString());
+			vl.emplace_back(AdoptRef{}, val_mgr->GetEmptyString());
 
-		ConnectionEventFast(irc_kick_message, std::move(vl));
+		EnqueueConnEvent(irc_kick_message, std::move(vl));
 		}
 
 	else if ( irc_join_message && command == "JOIN" )
@@ -841,7 +837,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				nickname = prefix.substr(0, pos);
 			}
 
-		TableVal* list = new TableVal({NewRef{}, irc_join_list});
+		auto list = make_intrusive<TableVal>(IntrusivePtr{NewRef{}, irc_join_list});
 
 		vector<string> channels = SplitWords(parts[0], ',');
 		vector<string> passwords;
@@ -865,11 +861,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			Unref(info);
 			}
 
-		ConnectionEventFast(irc_join_message, {
-			BuildConnVal(),
-			val_mgr->GetBool(orig),
-			list,
-		});
+		EnqueueConnEvent(irc_join_message,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+			std::move(list)
+		);
 		}
 
 	else if ( irc_join_message && command == "NJOIN" )
@@ -886,13 +882,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			parts[1] = parts[1].substr(1);
 
 		vector<string> users = SplitWords(parts[1], ',');
-		TableVal* list = new TableVal({NewRef{}, irc_join_list});
+		auto list = make_intrusive<TableVal>(IntrusivePtr{NewRef{}, irc_join_list});
 
 		string empty_string = "";
 
 		for ( unsigned int i = 0; i < users.size(); ++i )
 			{
-			RecordVal* info = new RecordVal(irc_join_info);
+			auto info = make_intrusive<RecordVal>(irc_join_info);
 			string nick = users[i];
 			string mode = "none";
 
@@ -922,15 +918,14 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			info->Assign(2, make_intrusive<StringVal>(empty_string.c_str()));
 			// User mode:
 			info->Assign(3, make_intrusive<StringVal>(mode.c_str()));
-			list->Assign(info, 0);
-			Unref(info);
+			list->Assign(info.get(), 0);
 			}
 
-		ConnectionEventFast(irc_join_message, {
-			BuildConnVal(),
-			val_mgr->GetBool(orig),
-			list,
-		});
+		EnqueueConnEvent(irc_join_message,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+			std::move(list)
+		);
 		}
 
 	else if ( irc_part_message && command == "PART" )
@@ -957,22 +952,21 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			nick = nick.substr(0, pos);
 
 		vector<string> channelList = SplitWords(channels, ',');
-		TableVal* set = new TableVal({NewRef{}, string_set});
+		auto set = make_intrusive<TableVal>(IntrusivePtr{NewRef{}, string_set});
 
 		for ( unsigned int i = 0; i < channelList.size(); ++i )
 			{
-			Val* idx = new StringVal(channelList[i].c_str());
-			set->Assign(idx, 0);
-			Unref(idx);
+			auto idx = make_intrusive<StringVal>(channelList[i].c_str());
+			set->Assign(idx.get(), 0);
 			}
 
-		ConnectionEventFast(irc_part_message, {
-			BuildConnVal(),
-			val_mgr->GetBool(orig),
-			new StringVal(nick.c_str()),
-			set,
-			new StringVal(message.c_str()),
-		});
+		EnqueueConnEvent(irc_part_message,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+			make_intrusive<StringVal>(nick.c_str()),
+			std::move(set),
+			make_intrusive<StringVal>(message.c_str())
+		);
 		}
 
 	else if ( irc_quit_message && command == "QUIT" )
@@ -989,12 +983,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				nickname = prefix.substr(0, pos);
 			}
 
-		ConnectionEventFast(irc_quit_message, {
-			BuildConnVal(),
-			val_mgr->GetBool(orig),
-			new StringVal(nickname.c_str()),
-			new StringVal(message.c_str()),
-		});
+		EnqueueConnEvent(irc_quit_message,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+			make_intrusive<StringVal>(nickname.c_str()),
+			make_intrusive<StringVal>(message.c_str())
+		);
 		}
 
 	else if ( irc_nick_message && command == "NICK" )
@@ -1003,12 +997,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		if ( nick[0] == ':' )
 			nick = nick.substr(1);
 
-		ConnectionEventFast(irc_nick_message, {
-			BuildConnVal(),
-			val_mgr->GetBool(orig),
-			new StringVal(prefix.c_str()),
-			new StringVal(nick.c_str())
-		});
+		EnqueueConnEvent(irc_nick_message,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+			make_intrusive<StringVal>(prefix.c_str()),
+			make_intrusive<StringVal>(nick.c_str())
+		);
 		}
 
 	else if ( irc_who_message && command == "WHO" )
@@ -1028,14 +1022,14 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		if ( parts.size() > 0 && parts[0].size() > 0 && parts[0][0] == ':' )
 			parts[0] = parts[0].substr(1);
 
-		ConnectionEventFast(irc_who_message, {
-			BuildConnVal(),
-			val_mgr->GetBool(orig),
+		EnqueueConnEvent(irc_who_message,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
 			parts.size() > 0 ?
-				new StringVal(parts[0].c_str()) :
-				val_mgr->GetEmptyString(),
-			val_mgr->GetBool(oper),
-		});
+				make_intrusive<StringVal>(parts[0].c_str()) :
+				IntrusivePtr{AdoptRef{}, val_mgr->GetEmptyString()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(oper)}
+		);
 		}
 
 	else if ( irc_whois_message && command == "WHOIS" )
@@ -1058,12 +1052,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		else
 			users = parts[0];
 
-		ConnectionEventFast(irc_whois_message, {
-			BuildConnVal(),
-			val_mgr->GetBool(orig),
-			new StringVal(server.c_str()),
-			new StringVal(users.c_str()),
-		});
+		EnqueueConnEvent(irc_whois_message,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+			make_intrusive<StringVal>(server.c_str()),
+			make_intrusive<StringVal>(users.c_str())
+		);
 		}
 
 	else if ( irc_error_message && command == "ERROR" )
@@ -1071,12 +1065,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		if ( params[0] == ':' )
 			params = params.substr(1);
 
-		ConnectionEventFast(irc_error_message, {
-			BuildConnVal(),
-			val_mgr->GetBool(orig),
-			new StringVal(prefix.c_str()),
-			new StringVal(params.c_str()),
-		});
+		EnqueueConnEvent(irc_error_message,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+			make_intrusive<StringVal>(prefix.c_str()),
+			make_intrusive<StringVal>(params.c_str())
+		);
 		}
 
 	else if ( irc_invite_message && command == "INVITE" )
@@ -1087,13 +1081,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			if ( parts[1].size() > 0 && parts[1][0] == ':' )
 				parts[1] = parts[1].substr(1);
 
-			ConnectionEventFast(irc_invite_message, {
-				BuildConnVal(),
-				val_mgr->GetBool(orig),
-				new StringVal(prefix.c_str()),
-				new StringVal(parts[0].c_str()),
-				new StringVal(parts[1].c_str()),
-			});
+			EnqueueConnEvent(irc_invite_message,
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+				make_intrusive<StringVal>(prefix.c_str()),
+				make_intrusive<StringVal>(parts[0].c_str()),
+				make_intrusive<StringVal>(parts[1].c_str())
+			);
 			}
 		else
 			Weird("irc_invalid_invite_message_format");
@@ -1102,14 +1096,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 	else if ( irc_mode_message && command == "MODE" )
 		{
 		if ( params.size() > 0 )
-			{
-			ConnectionEventFast(irc_mode_message, {
-				BuildConnVal(),
-				val_mgr->GetBool(orig),
-				new StringVal(prefix.c_str()),
-				new StringVal(params.c_str()),
-			});
-			}
+			EnqueueConnEvent(irc_mode_message,
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+				make_intrusive<StringVal>(prefix.c_str()),
+				make_intrusive<StringVal>(params.c_str())
+			);
 
 		else
 			Weird("irc_invalid_mode_message_format");
@@ -1117,11 +1109,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 
 	else if ( irc_password_message && command == "PASS" )
 		{
-		ConnectionEventFast(irc_password_message, {
-			BuildConnVal(),
-			val_mgr->GetBool(orig),
-			new StringVal(params.c_str()),
-		});
+		EnqueueConnEvent(irc_password_message,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+			make_intrusive<StringVal>(params.c_str())
+		);
 		}
 
 	else if ( irc_squit_message && command == "SQUIT" )
@@ -1139,13 +1131,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				message = message.substr(1);
 			}
 
-		ConnectionEventFast(irc_squit_message, {
-			BuildConnVal(),
-			val_mgr->GetBool(orig),
-			new StringVal(prefix.c_str()),
-			new StringVal(server.c_str()),
-			new StringVal(message.c_str()),
-		});
+		EnqueueConnEvent(irc_squit_message,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+			make_intrusive<StringVal>(prefix.c_str()),
+			make_intrusive<StringVal>(server.c_str()),
+			make_intrusive<StringVal>(message.c_str())
+		);
 		}
 
 
@@ -1153,13 +1145,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		{
 		if ( irc_request )
 			{
-			ConnectionEventFast(irc_request, {
-				BuildConnVal(),
-				val_mgr->GetBool(orig),
-				new StringVal(prefix.c_str()),
-				new StringVal(command.c_str()),
-				new StringVal(params.c_str()),
-			});
+			EnqueueConnEvent(irc_request,
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+				make_intrusive<StringVal>(prefix.c_str()),
+				make_intrusive<StringVal>(command.c_str()),
+				make_intrusive<StringVal>(params.c_str())
+			);
 			}
 		}
 
@@ -1167,13 +1159,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		{
 		if ( irc_message )
 			{
-			ConnectionEventFast(irc_message, {
-				BuildConnVal(),
-				val_mgr->GetBool(orig),
-				new StringVal(prefix.c_str()),
-				new StringVal(command.c_str()),
-				new StringVal(params.c_str()),
-			});
+			EnqueueConnEvent(irc_message,
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+				make_intrusive<StringVal>(prefix.c_str()),
+				make_intrusive<StringVal>(command.c_str()),
+				make_intrusive<StringVal>(params.c_str())
+			);
 			}
 		}
 
@@ -1203,7 +1195,7 @@ void IRC_Analyzer::StartTLS()
 		AddChildAnalyzer(ssl);
 
 	if ( irc_starttls )
-		ConnectionEventFast(irc_starttls, {BuildConnVal()});
+		EnqueueConnEvent(irc_starttls, IntrusivePtr{AdoptRef{}, BuildConnVal()});
 	}
 
 vector<string> IRC_Analyzer::SplitWords(const string& input, char split)
diff --git a/src/analyzer/protocol/login/Login.cc b/src/analyzer/protocol/login/Login.cc
index 7db2a81155..2b34fa5f48 100644
--- a/src/analyzer/protocol/login/Login.cc
+++ b/src/analyzer/protocol/login/Login.cc
@@ -290,9 +290,7 @@ void Login_Analyzer::AuthenticationDialog(bool orig, char* line)
 	else if ( IsSkipAuthentication(line) )
 		{
 		if ( authentication_skipped )
-			{
-			ConnectionEventFast(authentication_skipped, {BuildConnVal()});
-			}
+			EnqueueConnEvent(authentication_skipped, IntrusivePtr{AdoptRef{}, BuildConnVal()});
 
 		state = LOGIN_STATE_SKIP;
 		SetSkip(1);
@@ -333,28 +331,22 @@ void Login_Analyzer::SetEnv(bool orig, char* name, char* val)
 			}
 
 		else if ( login_terminal && streq(name, "TERM") )
-			{
-			ConnectionEventFast(login_terminal, {
-				BuildConnVal(),
-				new StringVal(val),
-			});
-			}
+			EnqueueConnEvent(login_terminal,
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				make_intrusive<StringVal>(val)
+			);
 
 		else if ( login_display && streq(name, "DISPLAY") )
-			{
-			ConnectionEventFast(login_display, {
-				BuildConnVal(),
-				new StringVal(val),
-			});
-			}
+			EnqueueConnEvent(login_display,
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				make_intrusive<StringVal>(val)
+			);
 
 		else if ( login_prompt && streq(name, "TTYPROMPT") )
-			{
-			ConnectionEventFast(login_prompt, {
-				BuildConnVal(),
-				new StringVal(val),
-			});
-			}
+			EnqueueConnEvent(login_prompt,
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				make_intrusive<StringVal>(val)
+			);
 		}
 
 	delete [] name;
@@ -427,13 +419,14 @@ void Login_Analyzer::LoginEvent(EventHandlerPtr f, const char* line,
 	Val* password = HaveTypeahead() ?
 				PopUserTextVal() : new StringVal("<none>");
 
-	ConnectionEventFast(f, {
-		BuildConnVal(),
-		username->Ref(),
-		client_name ? client_name->Ref() : val_mgr->GetEmptyString(),
-		password,
-		new StringVal(line),
-	});
+	EnqueueConnEvent(f,
+		IntrusivePtr{AdoptRef{}, BuildConnVal()},
+		IntrusivePtr{NewRef{}, username},
+		client_name ? IntrusivePtr{NewRef{}, client_name}
+		            : IntrusivePtr{AdoptRef{}, val_mgr->GetEmptyString()},
+		IntrusivePtr{AdoptRef{}, password},
+		make_intrusive<StringVal>(line)
+	);
 	}
 
 const char* Login_Analyzer::GetUsername(const char* line) const
@@ -449,10 +442,10 @@ void Login_Analyzer::LineEvent(EventHandlerPtr f, const char* line)
 	if ( ! f )
 		return;
 
-	ConnectionEventFast(f, {
-		BuildConnVal(),
-		new StringVal(line),
-	});
+	EnqueueConnEvent(f,
+		IntrusivePtr{AdoptRef{}, BuildConnVal()},
+		make_intrusive<StringVal>(line)
+	);
 	}
 
 
@@ -461,13 +454,11 @@ void Login_Analyzer::Confused(const char* msg, const char* line)
 	state = LOGIN_STATE_CONFUSED;	// to suppress further messages
 
 	if ( login_confused )
-		{
-		ConnectionEventFast(login_confused, {
-			BuildConnVal(),
-			new StringVal(msg),
-			new StringVal(line),
-		});
-		}
+		EnqueueConnEvent(login_confused,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			make_intrusive<StringVal>(msg),
+			make_intrusive<StringVal>(line)
+		);
 
 	if ( login_confused_text )
 		{
@@ -487,12 +478,10 @@ void Login_Analyzer::Confused(const char* msg, const char* line)
 void Login_Analyzer::ConfusionText(const char* line)
 	{
 	if ( login_confused_text )
-		{
-		ConnectionEventFast(login_confused_text, {
-			BuildConnVal(),
-			new StringVal(line),
-		});
-		}
+		EnqueueConnEvent(login_confused_text,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			make_intrusive<StringVal>(line)
+		);
 	}
 
 int Login_Analyzer::IsPloy(const char* line)
diff --git a/src/analyzer/protocol/login/NVT.cc b/src/analyzer/protocol/login/NVT.cc
index 47dfca94fe..09d866fe3b 100644
--- a/src/analyzer/protocol/login/NVT.cc
+++ b/src/analyzer/protocol/login/NVT.cc
@@ -462,12 +462,10 @@ const char* NVT_Analyzer::PeerAuthName() const
 void NVT_Analyzer::SetTerminal(const u_char* terminal, int len)
 	{
 	if ( login_terminal )
-		{
-		ConnectionEventFast(login_terminal, {
-			BuildConnVal(),
-			new StringVal(new BroString(terminal, len, 0)),
-		});
-		}
+		EnqueueConnEvent(login_terminal,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			make_intrusive<StringVal>(new BroString(terminal, len, 0))
+		);
 	}
 
 void NVT_Analyzer::SetEncrypting(int mode)
diff --git a/src/analyzer/protocol/login/RSH.cc b/src/analyzer/protocol/login/RSH.cc
index ef9fb3fa18..4b5b81d3c7 100644
--- a/src/analyzer/protocol/login/RSH.cc
+++ b/src/analyzer/protocol/login/RSH.cc
@@ -168,27 +168,37 @@ void Rsh_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 			return;
 		}
 
-	val_list vl(4 + orig);
+	zeek::Args vl;
+	vl.reserve(4 + orig);
 	const char* line = (const char*) data;
 	line = skip_whitespace(line);
-	vl.push_back(BuildConnVal());
-	vl.push_back(client_name ? client_name->Ref() : new StringVal("<none>"));
-	vl.push_back(username ? username->Ref() : new StringVal("<none>"));
-	vl.push_back(new StringVal(line));
+	vl.emplace_back(AdoptRef{}, BuildConnVal());
+
+	if ( client_name )
+		vl.emplace_back(NewRef{}, client_name);
+	else
+		vl.emplace_back(make_intrusive<StringVal>("<none>"));
+
+	if ( username )
+		vl.emplace_back(NewRef{}, username);
+	else
+		vl.emplace_back(make_intrusive<StringVal>("<none>"));
+
+	vl.emplace_back(make_intrusive<StringVal>(line));
 
 	if ( orig )
 		{
 		if ( contents_orig->RshSaveState() == RSH_SERVER_USER_NAME )
 			// First input
-			vl.push_back(val_mgr->GetTrue());
+			vl.emplace_back(AdoptRef{}, val_mgr->GetTrue());
 		else
-			vl.push_back(val_mgr->GetFalse());
+			vl.emplace_back(AdoptRef{}, val_mgr->GetFalse());
 
-		ConnectionEventFast(rsh_request, std::move(vl));
+		EnqueueConnEvent(rsh_request, std::move(vl));
 		}
 
 	else
-		ConnectionEventFast(rsh_reply, std::move(vl));
+		EnqueueConnEvent(rsh_reply, std::move(vl));
 	}
 
 void Rsh_Analyzer::ClientUserName(const char* s)
diff --git a/src/analyzer/protocol/login/Rlogin.cc b/src/analyzer/protocol/login/Rlogin.cc
index bed3c0317d..e041d757c9 100644
--- a/src/analyzer/protocol/login/Rlogin.cc
+++ b/src/analyzer/protocol/login/Rlogin.cc
@@ -244,10 +244,8 @@ void Rlogin_Analyzer::ServerUserName(const char* s)
 void Rlogin_Analyzer::TerminalType(const char* s)
 	{
 	if ( login_terminal )
-		{
-		ConnectionEventFast(login_terminal, {
-			BuildConnVal(),
-			new StringVal(s),
-		});
-		}
+		EnqueueConnEvent(login_terminal,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			make_intrusive<StringVal>(s)
+		);
 	}
diff --git a/src/analyzer/protocol/mime/MIME.cc b/src/analyzer/protocol/mime/MIME.cc
index e597ae6275..0a4a901d90 100644
--- a/src/analyzer/protocol/mime/MIME.cc
+++ b/src/analyzer/protocol/mime/MIME.cc
@@ -1365,11 +1365,11 @@ void MIME_Mail::Done()
 		hash_final(md5_hash, digest);
 		md5_hash = nullptr;
 
-		analyzer->ConnectionEventFast(mime_content_hash, {
-			analyzer->BuildConnVal(),
-			val_mgr->GetCount(content_hash_length),
-			new StringVal(new BroString(1, digest, 16)),
-		});
+		analyzer->EnqueueConnEvent(mime_content_hash,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(content_hash_length)},
+			make_intrusive<StringVal>(new BroString(1, digest, 16))
+		);
 		}
 
 	MIME_Message::Done();
@@ -1393,7 +1393,7 @@ void MIME_Mail::BeginEntity(MIME_Entity* /* entity */)
 	cur_entity_id.clear();
 
 	if ( mime_begin_entity )
-		analyzer->ConnectionEventFast(mime_begin_entity, {analyzer->BuildConnVal()});
+		analyzer->EnqueueConnEvent(mime_begin_entity, IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()});
 
 	buffer_start = data_start = 0;
 	ASSERT(entity_content.size() == 0);
@@ -1405,11 +1405,11 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */)
 		{
 		BroString* s = concatenate(entity_content);
 
-		analyzer->ConnectionEventFast(mime_entity_data, {
-			analyzer->BuildConnVal(),
-			val_mgr->GetCount(s->Len()),
-			new StringVal(s),
-		});
+		analyzer->EnqueueConnEvent(mime_entity_data,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(s->Len())},
+			make_intrusive<StringVal>(s)
+		);
 
 		if ( ! mime_all_data )
 			delete_strings(entity_content);
@@ -1418,7 +1418,7 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */)
 		}
 
 	if ( mime_end_entity )
-		analyzer->ConnectionEventFast(mime_end_entity, {analyzer->BuildConnVal()});
+		analyzer->EnqueueConnEvent(mime_end_entity, IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()});
 
 	file_mgr->EndOfFile(analyzer->GetAnalyzerTag(), analyzer->Conn());
 	cur_entity_id.clear();
@@ -1427,23 +1427,19 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */)
 void MIME_Mail::SubmitHeader(MIME_Header* h)
 	{
 	if ( mime_one_header )
-		{
-		analyzer->ConnectionEventFast(mime_one_header, {
-			analyzer->BuildConnVal(),
-			BuildHeaderVal(h),
-		});
-		}
+		analyzer->EnqueueConnEvent(mime_one_header,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, BuildHeaderVal(h)}
+		);
 	}
 
 void MIME_Mail::SubmitAllHeaders(MIME_HeaderList& hlist)
 	{
 	if ( mime_all_headers )
-		{
-		analyzer->ConnectionEventFast(mime_all_headers, {
-			analyzer->BuildConnVal(),
-			BuildHeaderTable(hlist),
-		});
-		}
+		analyzer->EnqueueConnEvent(mime_all_headers,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, BuildHeaderTable(hlist)}
+		);
 	}
 
 void MIME_Mail::SubmitData(int len, const char* buf)
@@ -1476,11 +1472,11 @@ void MIME_Mail::SubmitData(int len, const char* buf)
 		const char* data = (char*) data_buffer->Bytes() + data_start;
 		int data_len = (buf + len) - data;
 
-		analyzer->ConnectionEventFast(mime_segment_data, {
-			analyzer->BuildConnVal(),
-			val_mgr->GetCount(data_len),
-			new StringVal(data_len, data),
-		});
+		analyzer->EnqueueConnEvent(mime_segment_data,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(data_len)},
+			make_intrusive<StringVal>(data_len, data)
+		);
 		}
 
 	cur_entity_id = file_mgr->DataIn(reinterpret_cast<const u_char*>(buf), len,
@@ -1523,11 +1519,11 @@ void MIME_Mail::SubmitAllData()
 		BroString* s = concatenate(all_content);
 		delete_strings(all_content);
 
-		analyzer->ConnectionEventFast(mime_all_data, {
-			analyzer->BuildConnVal(),
-			val_mgr->GetCount(s->Len()),
-			new StringVal(s),
-		});
+		analyzer->EnqueueConnEvent(mime_all_data,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(s->Len())},
+			make_intrusive<StringVal>(s)
+		);
 		}
 	}
 
@@ -1551,11 +1547,9 @@ void MIME_Mail::SubmitEvent(int event_type, const char* detail)
 	}
 
 	if ( mime_event )
-		{
-		analyzer->ConnectionEventFast(mime_event, {
-			analyzer->BuildConnVal(),
-			new StringVal(category),
-			new StringVal(detail),
-		});
-		}
+		analyzer->EnqueueConnEvent(mime_event,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			make_intrusive<StringVal>(category),
+			make_intrusive<StringVal>(detail)
+		);
 	}
diff --git a/src/analyzer/protocol/ncp/NCP.cc b/src/analyzer/protocol/ncp/NCP.cc
index 45f333c872..c987c78c7a 100644
--- a/src/analyzer/protocol/ncp/NCP.cc
+++ b/src/analyzer/protocol/ncp/NCP.cc
@@ -62,26 +62,21 @@ void NCP_Session::DeliverFrame(const binpac::NCP::ncp_frame* frame)
 	if ( f )
 		{
 		if ( frame->is_orig() )
-			{
-			analyzer->ConnectionEventFast(f, {
-				analyzer->BuildConnVal(),
-				val_mgr->GetCount(frame->frame_type()),
-				val_mgr->GetCount(frame->body_length()),
-				val_mgr->GetCount(req_func),
-			});
-			}
+			analyzer->EnqueueConnEvent(f,
+				IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(frame->frame_type())},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(frame->body_length())},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(req_func)}
+			);
 		else
-			{
-			analyzer->ConnectionEventFast(f, {
-				analyzer->BuildConnVal(),
-				val_mgr->GetCount(frame->frame_type()),
-				val_mgr->GetCount(frame->body_length()),
-				val_mgr->GetCount(req_frame_type),
-				val_mgr->GetCount(req_func),
-				val_mgr->GetCount(frame->reply()->completion_code()),
-			});
-			}
-
+			analyzer->EnqueueConnEvent(f,
+				IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(frame->frame_type())},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(frame->body_length())},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(req_frame_type)},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(req_func)},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(frame->reply()->completion_code())}
+			);
 		}
 	}
 
diff --git a/src/analyzer/protocol/netbios/NetbiosSSN.cc b/src/analyzer/protocol/netbios/NetbiosSSN.cc
index 8fbedf58b6..86f10e9698 100644
--- a/src/analyzer/protocol/netbios/NetbiosSSN.cc
+++ b/src/analyzer/protocol/netbios/NetbiosSSN.cc
@@ -59,14 +59,12 @@ int NetbiosSSN_Interpreter::ParseMessage(unsigned int type, unsigned int flags,
 				const u_char* data, int len, int is_query)
 	{
 	if ( netbios_session_message )
-		{
-		analyzer->ConnectionEventFast(netbios_session_message, {
-			analyzer->BuildConnVal(),
-			val_mgr->GetBool(is_query),
-			val_mgr->GetCount(type),
-			val_mgr->GetCount(len),
-		});
-		}
+		analyzer->EnqueueConnEvent(netbios_session_message,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_query)},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(type)},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(len)}
+		);
 
 	switch ( type ) {
 	case NETBIOS_SSN_MSG:
@@ -331,18 +329,16 @@ void NetbiosSSN_Interpreter::Event(EventHandlerPtr event, const u_char* data,
 		return;
 
 	if ( is_orig >= 0 )
-		{
-		analyzer->ConnectionEventFast(event, {
-			analyzer->BuildConnVal(),
-			val_mgr->GetBool(is_orig),
-			new StringVal(new BroString(data, len, 0)),
-		});
-		}
+		analyzer->EnqueueConnEvent(event,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
+			make_intrusive<StringVal>(new BroString(data, len, 0))
+		);
 	else
-		analyzer->ConnectionEventFast(event, {
-			analyzer->BuildConnVal(),
-			new StringVal(new BroString(data, len, 0)),
-		});
+		analyzer->EnqueueConnEvent(event,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			make_intrusive<StringVal>(new BroString(data, len, 0))
+		);
 	}
 
 
diff --git a/src/analyzer/protocol/pop3/POP3.cc b/src/analyzer/protocol/pop3/POP3.cc
index 7da678f855..2e4af7afcf 100644
--- a/src/analyzer/protocol/pop3/POP3.cc
+++ b/src/analyzer/protocol/pop3/POP3.cc
@@ -830,7 +830,7 @@ void POP3_Analyzer::StartTLS()
 		AddChildAnalyzer(ssl);
 
 	if ( pop3_starttls )
-		ConnectionEventFast(pop3_starttls, {BuildConnVal()});
+		EnqueueConnEvent(pop3_starttls, IntrusivePtr{AdoptRef{}, BuildConnVal()});
 	}
 
 void POP3_Analyzer::AuthSuccessfull()
@@ -920,14 +920,16 @@ void POP3_Analyzer::POP3Event(EventHandlerPtr event, bool is_orig,
 	if ( ! event )
 		return;
 
-	val_list vl(2 + (bool)arg1 + (bool)arg2);
+	zeek::Args vl;
+	vl.reserve(2 + (bool)arg1 + (bool)arg2);
+
+	vl.emplace_back(AdoptRef{}, BuildConnVal());
+	vl.emplace_back(AdoptRef{}, val_mgr->GetBool(is_orig));
 
-	vl.push_back(BuildConnVal());
-	vl.push_back(val_mgr->GetBool(is_orig));
 	if ( arg1 )
-		vl.push_back(new StringVal(arg1));
+		vl.emplace_back(make_intrusive<StringVal>(arg1));
 	if ( arg2 )
-		vl.push_back(new StringVal(arg2));
+		vl.emplace_back(make_intrusive<StringVal>(arg2));
 
-	ConnectionEventFast(event, std::move(vl));
+	EnqueueConnEvent(event, std::move(vl));
 	}
diff --git a/src/analyzer/protocol/rpc/MOUNT.cc b/src/analyzer/protocol/rpc/MOUNT.cc
index 7265001fe3..c4bfd373bc 100644
--- a/src/analyzer/protocol/rpc/MOUNT.cc
+++ b/src/analyzer/protocol/rpc/MOUNT.cc
@@ -96,7 +96,7 @@ int MOUNT_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status
 		{
 		auto vl = event_common_vl(c, rpc_status, mount_status,
 					   start_time, last_time, reply_len, 0);
-		analyzer->ConnectionEventFast(mount_reply_status, std::move(vl));
+		analyzer->EnqueueConnEvent(mount_reply_status, std::move(vl));
 		}
 
 	if ( ! rpc_success )
@@ -169,19 +169,19 @@ int MOUNT_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status
 					start_time, last_time, reply_len, (bool)request + (bool)reply);
 
 		if ( request )
-			vl.push_back(request);
+			vl.emplace_back(AdoptRef{}, request);
 
 		if ( reply )
-			vl.push_back(reply);
+			vl.emplace_back(AdoptRef{}, reply);
 
-		analyzer->ConnectionEventFast(event, std::move(vl));
+		analyzer->EnqueueConnEvent(event, std::move(vl));
 		}
 	else
 		Unref(reply);
 	return 1;
 	}
 
-val_list MOUNT_Interp::event_common_vl(RPC_CallInfo *c, 
+zeek::Args MOUNT_Interp::event_common_vl(RPC_CallInfo *c,
 		      BifEnum::rpc_status rpc_status,
 				      BifEnum::MOUNT3::status_t mount_status,
 				      double rep_start_time,
@@ -189,16 +189,17 @@ val_list MOUNT_Interp::event_common_vl(RPC_CallInfo *c,
 	{
 	// Returns a new val_list that already has a conn_val, and mount3_info.
 	// These are the first parameters for each mount_* event ...
-	val_list vl(2 + extra_elements);
-	vl.push_back(analyzer->BuildConnVal());
-	VectorVal* auxgids = new VectorVal(internal_type("index_vec")->AsVectorType());
+	zeek::Args vl;
+	vl.reserve(2 + extra_elements);
+	vl.emplace_back(AdoptRef{}, analyzer->BuildConnVal());
+	auto auxgids = make_intrusive<VectorVal>(internal_type("index_vec")->AsVectorType());
 
 	for (size_t i = 0; i < c->AuxGIDs().size(); ++i)
 		{
 		auxgids->Assign(i, val_mgr->GetCount(c->AuxGIDs()[i]));
 		}
 
-	RecordVal* info = new RecordVal(BifType::Record::MOUNT3::info_t);
+	auto info = make_intrusive<RecordVal>(BifType::Record::MOUNT3::info_t);
 	info->Assign(0, BifType::Enum::rpc_status->GetVal(rpc_status));
 	info->Assign(1, BifType::Enum::MOUNT3::status_t->GetVal(mount_status));
 	info->Assign(2, make_intrusive<Val>(c->StartTime(), TYPE_TIME));
@@ -211,9 +212,9 @@ val_list MOUNT_Interp::event_common_vl(RPC_CallInfo *c,
 	info->Assign(9, val_mgr->GetCount(c->Gid()));
 	info->Assign(10, val_mgr->GetCount(c->Stamp()));
 	info->Assign(11, make_intrusive<StringVal>(c->MachineName()));
-	info->Assign(12, auxgids);
+	info->Assign(12, std::move(auxgids));
 
-	vl.push_back(info);
+	vl.emplace_back(std::move(info));
 	return vl;
 	}
 
diff --git a/src/analyzer/protocol/rpc/MOUNT.h b/src/analyzer/protocol/rpc/MOUNT.h
index 182922dfd4..2d78aaaf31 100644
--- a/src/analyzer/protocol/rpc/MOUNT.h
+++ b/src/analyzer/protocol/rpc/MOUNT.h
@@ -16,10 +16,10 @@ protected:
 				const u_char*& buf, int& n, double start_time,
 				double last_time, int reply_len) override;
 
-	// Returns a new val_list that already has a conn_val, rpc_status and
+	// Returns a new arg list that already has a conn_val, rpc_status and
 	// mount_status. These are the first parameters for each mount_* event
 	// ...
-	val_list event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
+	zeek::Args event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
 				BifEnum::MOUNT3::status_t mount_status,
 				double rep_start_time, double rep_last_time,
 				int reply_len, int extra_elements);
diff --git a/src/analyzer/protocol/rpc/NFS.cc b/src/analyzer/protocol/rpc/NFS.cc
index 96b7c59c78..a832b0f96d 100644
--- a/src/analyzer/protocol/rpc/NFS.cc
+++ b/src/analyzer/protocol/rpc/NFS.cc
@@ -150,7 +150,7 @@ int NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status,
 		{
 		auto vl = event_common_vl(c, rpc_status, nfs_status,
 					       start_time, last_time, reply_len, 0);
-		analyzer->ConnectionEventFast(nfs_reply_status, std::move(vl));
+		analyzer->EnqueueConnEvent(nfs_reply_status, std::move(vl));
 		}
 
 	if ( ! rpc_success )
@@ -281,12 +281,12 @@ int NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status,
 					start_time, last_time, reply_len, (bool)request + (bool)reply);
 
 		if ( request )
-			vl.push_back(request);
+			vl.emplace_back(AdoptRef{}, request);
 
 		if ( reply )
-			vl.push_back(reply);
+			vl.emplace_back(AdoptRef{}, reply);
 
-		analyzer->ConnectionEventFast(event, std::move(vl));
+		analyzer->EnqueueConnEvent(event, std::move(vl));
 		}
 	else
 		Unref(reply);
@@ -318,21 +318,22 @@ StringVal* NFS_Interp::nfs3_file_data(const u_char*& buf, int& n, uint64_t offse
 	return 0;
 	}
 
-val_list NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
+zeek::Args NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
 				      BifEnum::NFS3::status_t nfs_status,
 				      double rep_start_time,
 				      double rep_last_time, int reply_len, int extra_elements)
 	{
 	// Returns a new val_list that already has a conn_val, and nfs3_info.
 	// These are the first parameters for each nfs_* event ...
-	val_list vl(2 + extra_elements);
-	vl.push_back(analyzer->BuildConnVal());
-	VectorVal* auxgids = new VectorVal(internal_type("index_vec")->AsVectorType());
+	zeek::Args vl;
+	vl.reserve(2 + extra_elements);
+	vl.emplace_back(IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()});
+	auto auxgids = make_intrusive<VectorVal>(internal_type("index_vec")->AsVectorType());
 
 	for ( size_t i = 0; i < c->AuxGIDs().size(); ++i )
 		auxgids->Assign(i, val_mgr->GetCount(c->AuxGIDs()[i]));
 
-	RecordVal *info = new RecordVal(BifType::Record::NFS3::info_t);
+	auto info = make_intrusive<RecordVal>(BifType::Record::NFS3::info_t);
 	info->Assign(0, BifType::Enum::rpc_status->GetVal(rpc_status));
 	info->Assign(1, BifType::Enum::NFS3::status_t->GetVal(nfs_status));
 	info->Assign(2, make_intrusive<Val>(c->StartTime(), TYPE_TIME));
@@ -345,9 +346,9 @@ val_list NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_st
 	info->Assign(9, val_mgr->GetCount(c->Gid()));
 	info->Assign(10, val_mgr->GetCount(c->Stamp()));
 	info->Assign(11, make_intrusive<StringVal>(c->MachineName()));
-	info->Assign(12, auxgids);
+	info->Assign(12, std::move(auxgids));
 
-	vl.push_back(info);
+	vl.emplace_back(std::move(info));
 	return vl;
 	}
 
diff --git a/src/analyzer/protocol/rpc/NFS.h b/src/analyzer/protocol/rpc/NFS.h
index 8c4e259bd0..272c0612ab 100644
--- a/src/analyzer/protocol/rpc/NFS.h
+++ b/src/analyzer/protocol/rpc/NFS.h
@@ -20,7 +20,7 @@ protected:
 	// Returns a new val_list that already has a conn_val, rpc_status and
 	// nfs_status. These are the first parameters for each nfs_* event
 	// ...
-	val_list event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
+	zeek::Args event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
 				BifEnum::NFS3::status_t nfs_status,
 				double rep_start_time, double rep_last_time,
 				int reply_len, int extra_elements);
diff --git a/src/analyzer/protocol/rpc/Portmap.cc b/src/analyzer/protocol/rpc/Portmap.cc
index 2b3445ec20..1b2a01875f 100644
--- a/src/analyzer/protocol/rpc/Portmap.cc
+++ b/src/analyzer/protocol/rpc/Portmap.cc
@@ -261,10 +261,10 @@ uint32_t PortmapperInterp::CheckPort(uint32_t port)
 		{
 		if ( pm_bad_port )
 			{
-			analyzer->ConnectionEventFast(pm_bad_port, {
-				analyzer->BuildConnVal(),
-				val_mgr->GetCount(port),
-			});
+			analyzer->EnqueueConnEvent(pm_bad_port,
+				IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(port)}
+			);
 			}
 
 		port = 0;
@@ -282,25 +282,26 @@ void PortmapperInterp::Event(EventHandlerPtr f, Val* request, BifEnum::rpc_statu
 		return;
 		}
 
-	val_list vl;
+	zeek::Args vl;
 
-	vl.push_back(analyzer->BuildConnVal());
+	vl.emplace_back(AdoptRef{}, analyzer->BuildConnVal());
 
 	if ( status == BifEnum::RPC_SUCCESS )
 		{
 		if ( request )
-			vl.push_back(request);
+			vl.emplace_back(AdoptRef{}, request);
 		if ( reply )
-			vl.push_back(reply);
+			vl.emplace_back(AdoptRef{}, reply);
 		}
 	else
 		{
-		vl.push_back(BifType::Enum::rpc_status->GetVal(status).release());
+		vl.emplace_back(BifType::Enum::rpc_status->GetVal(status));
+
 		if ( request )
-			vl.push_back(request);
+			vl.emplace_back(AdoptRef{}, request);
 		}
 
-	analyzer->ConnectionEventFast(f, std::move(vl));
+	analyzer->EnqueueConnEvent(f, std::move(vl));
 	}
 
 Portmapper_Analyzer::Portmapper_Analyzer(Connection* conn)
diff --git a/src/analyzer/protocol/rpc/RPC.cc b/src/analyzer/protocol/rpc/RPC.cc
index b76cd7d643..7cb0015a92 100644
--- a/src/analyzer/protocol/rpc/RPC.cc
+++ b/src/analyzer/protocol/rpc/RPC.cc
@@ -338,46 +338,40 @@ void RPC_Interpreter::Timeout()
 void RPC_Interpreter::Event_RPC_Dialogue(RPC_CallInfo* c, BifEnum::rpc_status status, int reply_len)
 	{
 	if ( rpc_dialogue )
-		{
-		analyzer->ConnectionEventFast(rpc_dialogue, {
-			analyzer->BuildConnVal(),
-			val_mgr->GetCount(c->Program()),
-			val_mgr->GetCount(c->Version()),
-			val_mgr->GetCount(c->Proc()),
-			BifType::Enum::rpc_status->GetVal(status).release(),
-			new Val(c->StartTime(), TYPE_TIME),
-			val_mgr->GetCount(c->CallLen()),
-			val_mgr->GetCount(reply_len),
-		});
-		}
+		analyzer->EnqueueConnEvent(rpc_dialogue,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(c->Program())},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(c->Version())},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(c->Proc())},
+			BifType::Enum::rpc_status->GetVal(status),
+			make_intrusive<Val>(c->StartTime(), TYPE_TIME),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(c->CallLen())},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(reply_len)}
+		);
 	}
 
 void RPC_Interpreter::Event_RPC_Call(RPC_CallInfo* c)
 	{
 	if ( rpc_call )
-		{
-		analyzer->ConnectionEventFast(rpc_call, {
-			analyzer->BuildConnVal(),
-			val_mgr->GetCount(c->XID()),
-			val_mgr->GetCount(c->Program()),
-			val_mgr->GetCount(c->Version()),
-			val_mgr->GetCount(c->Proc()),
-			val_mgr->GetCount(c->CallLen()),
-		});
-		}
+		analyzer->EnqueueConnEvent(rpc_call,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(c->XID())},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(c->Program())},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(c->Version())},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(c->Proc())},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(c->CallLen())}
+		);
 	}
 
 void RPC_Interpreter::Event_RPC_Reply(uint32_t xid, BifEnum::rpc_status status, int reply_len)
 	{
 	if ( rpc_reply )
-		{
-		analyzer->ConnectionEventFast(rpc_reply, {
-			analyzer->BuildConnVal(),
-			val_mgr->GetCount(xid),
-			BifType::Enum::rpc_status->GetVal(status).release(),
-			val_mgr->GetCount(reply_len),
-		});
-		}
+		analyzer->EnqueueConnEvent(rpc_reply,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(xid)},
+			BifType::Enum::rpc_status->GetVal(status),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(reply_len)}
+		);
 	}
 
 void RPC_Interpreter::Weird(const char* msg, const char* addl)
diff --git a/src/analyzer/protocol/smtp/SMTP.cc b/src/analyzer/protocol/smtp/SMTP.cc
index 2cd8148357..1aa3d8ee70 100644
--- a/src/analyzer/protocol/smtp/SMTP.cc
+++ b/src/analyzer/protocol/smtp/SMTP.cc
@@ -219,11 +219,11 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig)
 
 			if ( smtp_data && ! skip_data )
 				{
-				ConnectionEventFast(smtp_data, {
-					BuildConnVal(),
-					val_mgr->GetBool(orig),
-					new StringVal(data_len, line),
-				});
+				EnqueueConnEvent(smtp_data,
+					IntrusivePtr{AdoptRef{}, BuildConnVal()},
+					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+					make_intrusive<StringVal>(data_len, line)
+				);
 				}
 			}
 
@@ -349,14 +349,14 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig)
 						break;
 				}
 
-				ConnectionEventFast(smtp_reply, {
-					BuildConnVal(),
-					val_mgr->GetBool(orig),
-					val_mgr->GetCount(reply_code),
-					new StringVal(cmd),
-					new StringVal(end_of_line - line, line),
-					val_mgr->GetBool((pending_reply > 0)),
-				});
+				EnqueueConnEvent(smtp_reply,
+					IntrusivePtr{AdoptRef{}, BuildConnVal()},
+					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+					IntrusivePtr{AdoptRef{}, val_mgr->GetCount(reply_code)},
+					make_intrusive<StringVal>(cmd),
+					make_intrusive<StringVal>(end_of_line - line, line),
+					IntrusivePtr{AdoptRef{}, val_mgr->GetBool((pending_reply > 0))}
+				);
 				}
 			}
 
@@ -410,7 +410,7 @@ void SMTP_Analyzer::StartTLS()
 		AddChildAnalyzer(ssl);
 
 	if ( smtp_starttls )
-		ConnectionEventFast(smtp_starttls, {BuildConnVal()});
+		EnqueueConnEvent(smtp_starttls, IntrusivePtr{AdoptRef{}, BuildConnVal()});
 	}
 
 
@@ -854,12 +854,17 @@ void SMTP_Analyzer::RequestEvent(int cmd_len, const char* cmd,
 	ProtocolConfirmation();
 
 	if ( smtp_request )
-		ConnectionEventFast(smtp_request, {
-			BuildConnVal(),
-			val_mgr->GetBool(orig_is_sender),
-			(new StringVal(cmd_len, cmd))->ToUpper(),
-			new StringVal(arg_len, arg),
-		});
+		{
+		auto cmd_arg = make_intrusive<StringVal>(cmd_len, cmd);
+		cmd_arg->ToUpper();
+
+		EnqueueConnEvent(smtp_request,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig_is_sender)},
+			std::move(cmd_arg),
+			make_intrusive<StringVal>(arg_len, arg)
+		);
+		}
 	}
 
 void SMTP_Analyzer::Unexpected(const int is_sender, const char* msg,
@@ -874,12 +879,12 @@ void SMTP_Analyzer::Unexpected(const int is_sender, const char* msg,
 		if ( ! orig_is_sender )
 			is_orig = ! is_orig;
 
-		ConnectionEventFast(smtp_unexpected, {
-			BuildConnVal(),
-			val_mgr->GetBool(is_orig),
-			new StringVal(msg),
-			new StringVal(detail_len, detail),
-		});
+		EnqueueConnEvent(smtp_unexpected,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
+			make_intrusive<StringVal>(msg),
+			make_intrusive<StringVal>(detail_len, detail)
+		);
 		}
 	}
 
diff --git a/src/analyzer/protocol/stepping-stone/SteppingStone.cc b/src/analyzer/protocol/stepping-stone/SteppingStone.cc
index 1d37e83815..79133ffdca 100644
--- a/src/analyzer/protocol/stepping-stone/SteppingStone.cc
+++ b/src/analyzer/protocol/stepping-stone/SteppingStone.cc
@@ -135,10 +135,10 @@ void SteppingStoneEndpoint::Event(EventHandlerPtr f, int id1, int id2)
 		return;
 
 	if ( id2 >= 0 )
-		endp->TCP()->ConnectionEventFast(f, {val_mgr->GetInt(id1), val_mgr->GetInt(id2)});
+		endp->TCP()->EnqueueConnEvent(f, IntrusivePtr{AdoptRef{}, val_mgr->GetInt(id1)},
+		                                 IntrusivePtr{AdoptRef{}, val_mgr->GetInt(id2)});
 	else
-		endp->TCP()->ConnectionEventFast(f, {val_mgr->GetInt(id1)});
-
+		endp->TCP()->EnqueueConnEvent(f, IntrusivePtr{AdoptRef{}, val_mgr->GetInt(id1)});
 	}
 
 void SteppingStoneEndpoint::CreateEndpEvent(int is_orig)
@@ -146,11 +146,11 @@ void SteppingStoneEndpoint::CreateEndpEvent(int is_orig)
 	if ( ! stp_create_endp )
 		return;
 
-	endp->TCP()->ConnectionEventFast(stp_create_endp, {
-		endp->TCP()->BuildConnVal(),
-		val_mgr->GetInt(stp_id),
-		val_mgr->GetBool(is_orig),
-	});
+	endp->TCP()->EnqueueConnEvent(stp_create_endp,
+		IntrusivePtr{AdoptRef{}, endp->TCP()->BuildConnVal()},
+		IntrusivePtr{AdoptRef{}, val_mgr->GetInt(stp_id)},
+		IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}
+	);
 	}
 
 SteppingStone_Analyzer::SteppingStone_Analyzer(Connection* c)
diff --git a/src/analyzer/protocol/tcp/TCP.cc b/src/analyzer/protocol/tcp/TCP.cc
index 5851b2113a..77d22d6c1b 100644
--- a/src/analyzer/protocol/tcp/TCP.cc
+++ b/src/analyzer/protocol/tcp/TCP.cc
@@ -785,17 +785,17 @@ void TCP_Analyzer::GeneratePacketEvent(
 					const u_char* data, int len, int caplen,
 					int is_orig, TCP_Flags flags)
 	{
-	ConnectionEventFast(tcp_packet, {
-		BuildConnVal(),
-		val_mgr->GetBool(is_orig),
-		new StringVal(flags.AsString()),
-		val_mgr->GetCount(rel_seq),
-		val_mgr->GetCount(flags.ACK() ? rel_ack : 0),
-		val_mgr->GetCount(len),
+	EnqueueConnEvent(tcp_packet,
+		IntrusivePtr{AdoptRef{}, BuildConnVal()},
+		IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
+		make_intrusive<StringVal>(flags.AsString()),
+		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(rel_seq)},
+		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(flags.ACK() ? rel_ack : 0)},
+		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(len)},
 		// We need the min() here because Ethernet padding can lead to
 		// caplen > len.
-		new StringVal(min(caplen, len), (const char*) data),
-	});
+		make_intrusive<StringVal>(min(caplen, len), (const char*) data)
+	);
 	}
 
 int TCP_Analyzer::DeliverData(double t, const u_char* data, int len, int caplen,
@@ -1101,12 +1101,10 @@ void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
 		            base_seq, ack_seq);
 
 		if ( connection_SYN_packet )
-			{
-			ConnectionEventFast(connection_SYN_packet, {
-				BuildConnVal(),
-				SYN_vals->Ref(),
-			});
-			}
+			EnqueueConnEvent(connection_SYN_packet,
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				IntrusivePtr{NewRef{}, SYN_vals}
+			);
 
 		Unref(SYN_vals);
 		}
@@ -1347,17 +1345,17 @@ int TCP_Analyzer::ParseTCPOptions(const struct tcphdr* tcp, bool is_orig)
 			{
 			auto kind = o[0];
 			auto length = kind < 2 ? 1 : o[1];
-			ConnectionEventFast(tcp_option, {
-				BuildConnVal(),
-				val_mgr->GetBool(is_orig),
-				val_mgr->GetCount(kind),
-				val_mgr->GetCount(length),
-				});
+			EnqueueConnEvent(tcp_option,
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(kind)},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(length)}
+				);
 			}
 
 	if ( tcp_options )
 		{
-		auto option_list = new VectorVal(BifType::Vector::TCP::OptionList);
+		auto option_list = make_intrusive<VectorVal>(BifType::Vector::TCP::OptionList);
 
 		auto add_option_data = [](RecordVal* rv, const u_char* odata, int olen)
 			{
@@ -1460,11 +1458,11 @@ int TCP_Analyzer::ParseTCPOptions(const struct tcphdr* tcp, bool is_orig)
 			}
 			}
 
-		ConnectionEventFast(tcp_options, {
-			BuildConnVal(),
-			val_mgr->GetBool(is_orig),
-			option_list,
-			});
+		EnqueueConnEvent(tcp_options,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
+			std::move(option_list)
+			);
 		}
 
 	if ( options < opt_end )
@@ -1782,12 +1780,10 @@ int TCP_Analyzer::DataPending(TCP_Endpoint* closing_endp)
 void TCP_Analyzer::EndpointEOF(TCP_Reassembler* endp)
 	{
 	if ( connection_EOF )
-		{
-		ConnectionEventFast(connection_EOF, {
-			BuildConnVal(),
-			val_mgr->GetBool(endp->IsOrig()),
-		});
-		}
+		EnqueueConnEvent(connection_EOF,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(endp->IsOrig())}
+		);
 
 	const analyzer_list& children(GetChildren());
 	LOOP_OVER_CONST_CHILDREN(i)
@@ -2064,16 +2060,14 @@ int TCPStats_Endpoint::DataSent(double /* t */, uint64_t seq, int len, int caple
 		 	network_time, seq, len, max_top_seq, data_in_flight);
 
 		if ( tcp_rexmit )
-			{
-			endp->TCP()->ConnectionEventFast(tcp_rexmit, {
-				endp->TCP()->BuildConnVal(),
-				val_mgr->GetBool(endp->IsOrig()),
-				val_mgr->GetCount(seq),
-				val_mgr->GetCount(len),
-				val_mgr->GetCount(data_in_flight),
-				val_mgr->GetCount(endp->peer->window),
-			});
-			}
+			endp->TCP()->EnqueueConnEvent(tcp_rexmit,
+				IntrusivePtr{AdoptRef{}, endp->TCP()->BuildConnVal()},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(endp->IsOrig())},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(seq)},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(len)},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(data_in_flight)},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(endp->peer->window)}
+			);
 		}
 	else
 		max_top_seq = top_seq;
@@ -2121,11 +2115,11 @@ void TCPStats_Analyzer::Done()
 	TCP_ApplicationAnalyzer::Done();
 
 	if ( conn_stats )
-		ConnectionEventFast(conn_stats, {
-			BuildConnVal(),
-			orig_stats->BuildStats(),
-			resp_stats->BuildStats(),
-		});
+		EnqueueConnEvent(conn_stats,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, orig_stats->BuildStats()},
+			IntrusivePtr{AdoptRef{}, resp_stats->BuildStats()}
+		);
 	}
 
 void TCPStats_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, uint64_t seq, const IP_Hdr* ip, int caplen)
diff --git a/src/analyzer/protocol/tcp/TCP_Endpoint.cc b/src/analyzer/protocol/tcp/TCP_Endpoint.cc
index fb3be41996..b05265a1ef 100644
--- a/src/analyzer/protocol/tcp/TCP_Endpoint.cc
+++ b/src/analyzer/protocol/tcp/TCP_Endpoint.cc
@@ -237,13 +237,11 @@ int TCP_Endpoint::DataSent(double t, uint64_t seq, int len, int caplen,
 			reporter->Error("TCP contents write failed: %s", buf);
 
 			if ( contents_file_write_failure )
-				{
-				tcp_analyzer->ConnectionEventFast(contents_file_write_failure, {
-					Conn()->BuildConnVal(),
-					val_mgr->GetBool(IsOrig()),
-					new StringVal(buf),
-				});
-				}
+				tcp_analyzer->EnqueueConnEvent(contents_file_write_failure,
+					IntrusivePtr{AdoptRef{}, Conn()->BuildConnVal()},
+					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(IsOrig())},
+					make_intrusive<StringVal>(buf)
+				);
 			}
 		}
 
diff --git a/src/analyzer/protocol/tcp/TCP_Reassembler.cc b/src/analyzer/protocol/tcp/TCP_Reassembler.cc
index 23b400e585..61166f82fb 100644
--- a/src/analyzer/protocol/tcp/TCP_Reassembler.cc
+++ b/src/analyzer/protocol/tcp/TCP_Reassembler.cc
@@ -151,14 +151,12 @@ void TCP_Reassembler::Gap(uint64_t seq, uint64_t len)
 		endp->Gap(seq, len);
 
 	if ( report_gap(endp, endp->peer) )
-		{
-		dst_analyzer->ConnectionEventFast(content_gap, {
-			dst_analyzer->BuildConnVal(),
-			val_mgr->GetBool(IsOrig()),
-			val_mgr->GetCount(seq),
-			val_mgr->GetCount(len),
-		});
-		}
+		dst_analyzer->EnqueueConnEvent(content_gap,
+			IntrusivePtr{AdoptRef{}, dst_analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(IsOrig())},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(seq)},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(len)}
+		);
 
 	if ( type == Direct )
 		dst_analyzer->NextUndelivered(seq, len, IsOrig());
@@ -363,13 +361,11 @@ void TCP_Reassembler::RecordBlock(const DataBlock& b, BroFile* f)
 	reporter->Error("TCP_Reassembler contents write failed");
 
 	if ( contents_file_write_failure )
-		{
-		tcp_analyzer->ConnectionEventFast(contents_file_write_failure, {
-			Endpoint()->Conn()->BuildConnVal(),
-			val_mgr->GetBool(IsOrig()),
-			new StringVal("TCP reassembler content write failure"),
-		});
-		}
+		tcp_analyzer->EnqueueConnEvent(contents_file_write_failure,
+			IntrusivePtr{AdoptRef{}, Endpoint()->Conn()->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(IsOrig())},
+			make_intrusive<StringVal>("TCP reassembler content write failure")
+		);
 	}
 
 void TCP_Reassembler::RecordGap(uint64_t start_seq, uint64_t upper_seq, BroFile* f)
@@ -380,13 +376,11 @@ void TCP_Reassembler::RecordGap(uint64_t start_seq, uint64_t upper_seq, BroFile*
 	reporter->Error("TCP_Reassembler contents gap write failed");
 
 	if ( contents_file_write_failure )
-		{
-		tcp_analyzer->ConnectionEventFast(contents_file_write_failure, {
-			Endpoint()->Conn()->BuildConnVal(),
-			val_mgr->GetBool(IsOrig()),
-			new StringVal("TCP reassembler gap write failure"),
-		});
-		}
+		tcp_analyzer->EnqueueConnEvent(contents_file_write_failure,
+			IntrusivePtr{AdoptRef{}, Endpoint()->Conn()->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(IsOrig())},
+			make_intrusive<StringVal>("TCP reassembler gap write failure")
+		);
 	}
 
 void TCP_Reassembler::BlockInserted(DataBlockMap::const_iterator it)
@@ -462,12 +456,12 @@ void TCP_Reassembler::Overlap(const u_char* b1, const u_char* b2, uint64_t n)
 		BroString* b1_s = new BroString((const u_char*) b1, n, 0);
 		BroString* b2_s = new BroString((const u_char*) b2, n, 0);
 
-		tcp_analyzer->ConnectionEventFast(rexmit_inconsistency, {
-			tcp_analyzer->BuildConnVal(),
-			new StringVal(b1_s),
-			new StringVal(b2_s),
-			new StringVal(flags.AsString()),
-		});
+		tcp_analyzer->EnqueueConnEvent(rexmit_inconsistency,
+			IntrusivePtr{AdoptRef{}, tcp_analyzer->BuildConnVal()},
+			make_intrusive<StringVal>(b1_s),
+			make_intrusive<StringVal>(b2_s),
+			make_intrusive<StringVal>(flags.AsString())
+		);
 		}
 	}
 
@@ -618,14 +612,12 @@ void TCP_Reassembler::DeliverBlock(uint64_t seq, int len, const u_char* data)
 		}
 
 	if ( deliver_tcp_contents )
-		{
-		tcp_analyzer->ConnectionEventFast(tcp_contents, {
-			tcp_analyzer->BuildConnVal(),
-			val_mgr->GetBool(IsOrig()),
-			val_mgr->GetCount(seq),
-			new StringVal(len, (const char*) data),
-		});
-		}
+		tcp_analyzer->EnqueueConnEvent(tcp_contents,
+			IntrusivePtr{AdoptRef{}, tcp_analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(IsOrig())},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(seq)},
+			make_intrusive<StringVal>(len, (const char*) data)
+		);
 
 	// Q. Can we say this because it is already checked in DataSent()?
 	// ASSERT(!Conn()->Skipping() && !SkipDeliveries());
diff --git a/src/analyzer/protocol/udp/UDP.cc b/src/analyzer/protocol/udp/UDP.cc
index 810f493486..04bbe31259 100644
--- a/src/analyzer/protocol/udp/UDP.cc
+++ b/src/analyzer/protocol/udp/UDP.cc
@@ -153,13 +153,11 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
 			}
 
 		if ( do_udp_contents )
-			{
-			ConnectionEventFast(udp_contents, {
-				BuildConnVal(),
-				val_mgr->GetBool(is_orig),
-				new StringVal(len, (const char*) data),
-			});
-			}
+			EnqueueConnEvent(udp_contents,
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
+				make_intrusive<StringVal>(len, (const char*) data)
+			);
 
 		Unref(port_val);
 		}