cluster/logger: Fix leftover-log-rotation in multi-logger setups

Populating log_metadata during zeek_init() is too late for the leftover-log-rotation functionality, so do it at script parse time. Also, prepend archiver_ to the log_metadata table and encoding function due to being in the global namespace and to align with the archiver_rotation_format_func. This hasn't been in a released version yet, so fine to rename still. Closes #3112
2025-10-02 06:38:20 +00:00 · 2023-06-13 10:36:40 +02:00 · 2023-06-13 10:36:40 +02:00 · 6d1991fb6a
commit 6d1991fb6a
parent 27432c457c
3 changed files with 64 additions and 16 deletions
--- a/scripts/base/frameworks/cluster/nodes/logger.zeek
+++ b/scripts/base/frameworks/cluster/nodes/logger.zeek
@ -22,13 +22,21 @@ redef Log::default_rotation_interval = 1 hrs;
 ## Alarm summary mail interval.
 redef Log::default_mail_alarms_interval = 24 hrs;

-## Generic log metadata rendered into the filename that zeek-archiver may interpret.
-## This is populated with a log_suffix entry within zeek_init() when multiple
-## logger nodes are defined in cluster-layout.zeek.
-global log_metadata: table[string] of string;
+## Generic log metadata rendered into filename that zeek-archiver may interpret.
+global archiver_log_metadata: table[string] of string &redef;
+
+# Populate archiver_log_metadata with a "log_suffix" entry when multiple
+# loggers are configured in Cluster::nodes. Need to evaluate at script
+# loading time as leftover-log-rotation functionality is invoking
+# archiver_rotation_format_func early on during InitPostScript().
+@if ( Cluster::get_node_count(Cluster::LOGGER) > 1 )
+redef archiver_log_metadata += {
+	["log_suffix"] = Cluster::node,
+};
+@endif

 ## Encode the given table as zeek-archiver understood metadata part.
-function encode_log_metadata(tbl: table[string] of string): string
+function archiver_encode_log_metadata(tbl: table[string] of string): string
 	{
 	local metadata_vec: vector of string;
 	for ( k, v in tbl )
@ -57,8 +65,8 @@ function archiver_rotation_format_func(ri: Log::RotationFmtInfo): Log::RotationP
 	local close_str = strftime(Log::default_rotation_date_format, ri$close);
 	local base = fmt("%s__%s__%s__", ri$path, open_str, close_str);

-	if ( |log_metadata| > 0 )
-		base = fmt("%s%s__", base, encode_log_metadata(log_metadata));
+	if ( |archiver_log_metadata| > 0 )
+		base = fmt("%s%s__", base, archiver_encode_log_metadata(archiver_log_metadata));

 	local rval = Log::RotationPath($file_basename=base);
 	return rval;
@ -71,15 +79,6 @@ redef Log::default_rotation_dir = "log-queue";
 redef Log::rotation_format_func = archiver_rotation_format_func;

 redef LogAscii::enable_leftover_log_rotation = T;
-
-event zeek_init()
-	{
-	if ( "log_suffix" in log_metadata )
-		return;
-
-	if ( Cluster::get_node_count(Cluster::LOGGER) > 1 )
-		log_metadata["log_suffix"] = Cluster::node;
-	}
@else

 ## Use the cluster's archive logging script.