Merge remote-tracking branch 'origin/topic/awelzel/zeek-archiver-multiple-loggers'

* origin/topic/awelzel/zeek-archiver-multiple-loggers: cluster/supervisor: Multi-logger awareness Bump zeek-archiver submodule
2025-10-02 06:38:20 +00:00 · 2023-05-09 15:19:43 +02:00 · 2023-05-09 15:19:43 +02:00 · 9330a74fe1
commit 9330a74fe1
parent 1facc34e09 c813872915
7 changed files with 161 additions and 3 deletions
--- a/scripts/base/frameworks/cluster/nodes/logger.zeek
+++ b/scripts/base/frameworks/cluster/nodes/logger.zeek
@ -22,6 +22,32 @@ redef Log::default_rotation_interval = 1 hrs;
 ## Alarm summary mail interval.
 redef Log::default_mail_alarms_interval = 24 hrs;

+## Generic log metadata rendered into the filename that zeek-archiver may interpret.
+## This is populated with a log_suffix entry within zeek_init() when multiple
+## logger nodes are defined in cluster-layout.zeek.
+global log_metadata: table[string] of string;
+
+## Encode the given table as zeek-archiver understood metadata part.
+function encode_log_metadata(tbl: table[string] of string): string
+	{
+	local metadata_vec: vector of string;
+	for ( k, v in log_metadata )
+		{
+		if ( |v| == 0 )  # Assume concious decision to skip this entry.
+			next;
+
+		if ( /[,=]/ in k || /[,=]/ in v )
+			{
+			Reporter::warning(fmt("Invalid log_metadata: k='%s' v='%s'", k, v));
+			next;
+			}
+
+		metadata_vec += fmt("%s=%s", strip(k), strip(v));
+		}
+
+	return join_string_vec(metadata_vec, ",");
+	}
+
 ## This function will rotate logs in a format compatible with zeek-archiver.
 ## If you're using the Supervisor framework, this function will be used,
 ## if not, you can set :zeek:see:`Log::rotation_format_func` to this function.
@ -30,6 +56,10 @@ function archiver_rotation_format_func(ri: Log::RotationFmtInfo): Log::RotationP
 	local open_str = strftime(Log::default_rotation_date_format, ri$open);
 	local close_str = strftime(Log::default_rotation_date_format, ri$close);
 	local base = fmt("%s__%s__%s__", ri$path, open_str, close_str);
+
+	if ( |log_metadata| > 0 )
+		base = fmt("%s%s__", base, encode_log_metadata(log_metadata));
+
 	local rval = Log::RotationPath($file_basename=base);
 	return rval;
 	}
@ -42,6 +72,14 @@ redef Log::rotation_format_func = archiver_rotation_format_func;

 redef LogAscii::enable_leftover_log_rotation = T;

+event zeek_init()
+	{
+	if ( "log_suffix" in log_metadata )
+		return;
+
+	if ( Cluster::get_node_count(Cluster::LOGGER) > 1 )
+		log_metadata["log_suffix"] = Cluster::node;
+	}
@else

 ## Use the cluster's archive logging script.