Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-07 09:08:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

logging: Add event_groups to Stream

Browse source 
This commit adds an optional event_groups field to the Logging::Stream record
to associated event groups with logging streams.

This can be used to disable all event groups of a logging stream when it is
disabled. It does require making an explicit connection between the
logging stream and the involved groups, however.
This commit is contained in:
Arne Welzel 2022-11-17 18:04:59 +01:00
parent ba4b8faea2
commit a0aa00fa81
6 changed files with 481 additions and 294 deletions
Download patch file Download diff file Expand all files Collapse all files

75
testing/btest/scripts/base/frameworks/logging/event-groups-integration.zeek Normal file
View file

@ -0,0 +1,75 @@
# @TEST-DOC: Count packets, disable the packet log stream (and it's module group) and re-enable it again, verifying handlers are disabled and re-enabled, too.
# @TEST-EXEC: zeek -b -r ${TRACES}/wikipedia.trace -f 'port 53' %INPUT >output
# @TEST-EXEC: btest-diff output
# @TEST-EXEC: btest-diff packet.log
module PacketCounter;
export {
redef enum Log::ID += { LOG };
type Info: record {
ts: time &log;
c: count &log;
ttl: count &log;
len: count &log;
};
# Counting all the packets.
global pcount = 0;
}
event zeek_init()
{
Log::create_stream(LOG, [$columns=Info, $path="packet",
$event_groups=set("PacketCounter::Logging")]);
}
event new_packet(c: connection, p: pkt_hdr)
{
++pcount;
print "packet counting", pcount;
# Have 5 packets logged, now disable the stream.
if ( pcount == 6 )
{
print "Log::disable_stream()";
Log::disable_stream(LOG);
}
# Re-enable logging after 25 packets. Packet 25 will actually
# be logged as the handler is enabled just before this one
# (at a higher priority) completes.
if ( pcount == 25 )
{
print "Log::enable_stream()";
Log::enable_stream(LOG);
}
}
# Handler with a attribute group matching the log stream event group.
# It only produces a bit of output to verify it's being disabled and
# re-enabled during Log::enable_stream() / Log::disable_stream().
event new_packet(c: connection, p: pkt_hdr) &group="PacketCounter::Logging" &priority=-5
{
print "packet observer", pcount;
}
# This is where our actual logging happens. We have a "print" statement
# as to verify the code doesn't actually run when the stream got disabled.
module PacketCounter::Logging;
event new_packet(c: connection, p: pkt_hdr) &priority=-10
{
print "packet logging", PacketCounter::pcount;
local rec = PacketCounter::Info(
$ts=network_time(),
$c=PacketCounter::pcount,
$ttl=p$ip$ttl,
$len=p$ip$len,
);
Log::write(PacketCounter::LOG, rec);
}