diff --git a/scripts/base/frameworks/logging/main.bro b/scripts/base/frameworks/logging/main.bro
index 998a0e0f6c..234cd950df 100644
--- a/scripts/base/frameworks/logging/main.bro
+++ b/scripts/base/frameworks/logging/main.bro
@@ -300,7 +300,7 @@ export {
## the correct type.
##
## .. bro:see:: Log::remove_filter Log::add_default_filter
- ## Log::remove_default_filter
+ ## Log::remove_default_filter Log::get_filter Log::get_filter_names
global add_filter: function(id: ID, filter: Filter) : bool;
## Removes a filter from an existing logging stream.
@@ -315,9 +315,21 @@ export {
## if no filter associated with *name* was found.
##
## .. bro:see:: Log::remove_filter Log::add_default_filter
- ## Log::remove_default_filter
+ ## Log::remove_default_filter Log::get_filter Log::get_filter_names
global remove_filter: function(id: ID, name: string) : bool;
+ ## Gets the names of all filters associated with an existing
+ ## logging stream.
+ ##
+ ## id: The ID of a logging stream from which to obtain the list
+ ## of filter names.
+ ##
+ ## Returns: The set of filter names associated with the stream.
+ ##
+ ## ..bro:see:: Log::remove_filter Log::add_default_filter
+ ## Log::remove_default_filter Log::get_filter
+ global get_filter_names: function(id: ID) : set[string];
+
## Gets a filter associated with an existing logging stream.
##
## id: The ID associated with a logging stream from which to
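Review bot: The `.. bro:see::` cross-reference on the new `get_filter_names` doc block is missing the space after the two dots (`## ..bro:see:: Log::remove_filter ...`), which differs from every other see-also line in this hunk and will not be parsed as a directive by the Sphinx bro-domain, so the reference silently becomes plain text. Change it to `## .. bro:see:: Log::remove_filter Log::add_default_filter`. The enclosing `export { ... }` block starts and ends outside this hunk.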
@@ -331,7 +343,7 @@ export {
## :bro:id:`Log::no_filter` sentinel value.
##
## .. bro:see:: Log::add_filter Log::remove_filter Log::add_default_filter
- ## Log::remove_default_filter
+ ## Log::remove_default_filter Log::get_filter_names
global get_filter: function(id: ID, name: string) : Filter;
## Writes a new log line/entry to a logging stream.
@@ -432,6 +444,8 @@ export {
global all_streams: table[ID] of Stream = table();
+global stream_filters: table[ID] of set[string] = table();
+
# We keep a script-level copy of all filters so that we can manipulate them.
global filters: table[ID, string] of Filter;
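Review bot: The new `stream_filters` global is introduced without a comment, while the neighbouring `filters` table gets one explaining why a script-level copy exists; a reader cannot tell from the declaration that this set must stay in sync with `filters` and is the backing store for `get_filter_names`. Add above it: `# The names of all filters currently attached to each stream; kept in sync with "filters" by add_filter/remove_filter/remove_stream and returned by get_filter_names.`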
@@ -523,18 +537,49 @@ function create_stream(id: ID, stream: Stream) : bool
function remove_stream(id: ID) : bool
{
- delete active_streams[id];
- delete all_streams[id];
+ if ( id in active_streams )
+ delete active_streams[id];
+ if ( id in all_streams )
+ delete all_streams[id];
+
+ if ( id in stream_filters )
+ {
+ for ( i in stream_filters[id] )
+ {
+ if ( [id, i] in filters )
+ delete filters[id, i];
+ }
+ delete stream_filters[id];
+ }
return __remove_stream(id);
}
function disable_stream(id: ID) : bool
{
- delete active_streams[id];
+ if ( id in active_streams )
+ delete active_streams[id];
return __disable_stream(id);
}
+function enable_stream(id: ID) : bool
+ {
+ if ( ! __enable_stream(id) )
+ return F;
+
+ if ( id in all_streams )
+ active_streams[id] = all_streams[id];
+ }
+
+# convenience function to add a filter name to stream_filters
+function add_stream_filters(id: ID, name: string)
+ {
+ if ( id in stream_filters )
+ add stream_filters[id][name];
+ else
+ stream_filters[id] = set(name);
+ }
+
function add_filter(id: ID, filter: Filter) : bool
{
local stream = all_streams[id];
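Review bot: `enable_stream` is declared to return `bool` but only returns on the failure path; when `__enable_stream(id)` succeeds it falls off the end of the function without a value, so callers testing the result of a successful enable get no usable return. Add `return T;` after the `active_streams[id] = all_streams[id];` re-registration (outside the `if`, so it also covers a stream not present in `all_streams`, if that case is reachable). The `add_filter` body that starts at the end of this hunk continues outside it.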
@@ -545,13 +590,22 @@ function add_filter(id: ID, filter: Filter) : bool
if ( ! filter?$path && ! filter?$path_func )
filter$path_func = default_path_func;
- filters[id, filter$name] = filter;
- return __add_filter(id, filter);
+ local res = __add_filter(id, filter);
+ if ( res )
+ {
+ add_stream_filters(id, filter$name);
+ filters[id, filter$name] = filter;
+ }
+ return res;
}
function remove_filter(id: ID, name: string) : bool
{
- delete filters[id, name];
+ if ( id in stream_filters && name in stream_filters[id] )
+ delete stream_filters[id][name];
+ if ( [id, name] in filters )
+ delete filters[id, name];
+
return __remove_filter(id, name);
}
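Review bot: `remove_filter` now drops the `stream_filters` and `filters` bookkeeping before calling `__remove_filter`, regardless of whether the core call succeeds, which is the opposite of `add_filter` in the same hunk, where the bookkeeping is updated only when `__add_filter` returns T. If `__remove_filter` can return F for a filter that the script level still tracks, `get_filter_names` and `get_filter` will report the filter as gone while the core keeps applying it. Mirroring `add_filter` keeps the two tables consistent with the core's view.
```bro
function remove_filter(id: ID, name: string) : bool
	{
	local res = __remove_filter(id, name);
	if ( res )
		{
		if ( id in stream_filters && name in stream_filters[id] )
			delete stream_filters[id][name];
		if ( [id, name] in filters )
			delete filters[id, name];
		}
	return res;
	}
```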
@@ -563,6 +617,14 @@ function get_filter(id: ID, name: string) : Filter
return no_filter;
}
+function get_filter_names(id: ID) : set[string]
+ {
+ if ( id in stream_filters )
+ return stream_filters[id];
+ else
+ return set();
+ }
+
function write(id: ID, columns: any) : bool
{
return __write(id, columns);
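Review bot: `get_filter_names` returns `stream_filters[id]` itself, and sets are reference types in Bro, so a caller that does `add`/`delete` on the returned value mutates the framework's internal bookkeeping and desynchronises it from `filters` without going through `add_filter`/`remove_filter`. Return a snapshot instead, `return copy(stream_filters[id]);`, which also matches the documented contract of "the set of filter names associated with the stream" as a value rather than a handle. The `else` after a `return` is redundant and could be dropped as a style point.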
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index 1b967636a6..f6a5c4ad37 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -256,7 +256,7 @@
0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) ->
0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) ->
0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) ->
-0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1515793448.944163, node=bro, filter=ip or not ip, init=T, success=T])) ->
+0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T])) ->
0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) ->
0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Communication::LOG)) ->
0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Conn::LOG)) ->
@@ -343,6 +343,49 @@
0.000000 MetaHookPost CallFunction(Log::add_filter, , (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) ->
0.000000 MetaHookPost CallFunction(Log::add_filter, , (X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) ->
0.000000 MetaHookPost CallFunction(Log::add_filter, , (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) ->
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Cluster::LOG, default)) ->
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Communication::LOG, default)) ->
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Conn::LOG, default)) ->
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (DCE_RPC::LOG, default)) ->
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (DHCP::LOG, default)) ->
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (DNP3::LOG, default)) ->
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (DNS::LOG, default)) ->
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (DPD::LOG, default)) ->
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (FTP::LOG, default)) ->
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Files::LOG, default)) ->
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (HTTP::LOG, default)) ->
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (IRC::LOG, default)) ->
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Intel::LOG, default)) ->
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (KRB::LOG, default)) ->
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Modbus::LOG, default)) ->
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (NTLM::LOG, default)) ->
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (NetControl::CATCH_RELEASE, default)) ->
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (NetControl::DROP, default)) ->
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (NetControl::LOG, default)) ->
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (NetControl::SHUNT, default)) ->
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Notice::ALARM_LOG, default)) ->
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Notice::LOG, default)) ->
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (OpenFlow::LOG, default)) ->
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (PE::LOG, default)) ->
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (PacketFilter::LOG, default)) ->
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (RADIUS::LOG, default)) ->
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (RDP::LOG, default)) ->
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (RFB::LOG, default)) ->
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Reporter::LOG, default)) ->
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (SIP::LOG, default)) ->
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (SMTP::LOG, default)) ->
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (SNMP::LOG, default)) ->
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (SOCKS::LOG, default)) ->
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (SSH::LOG, default)) ->
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (SSL::LOG, default)) ->
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Signatures::LOG, default)) ->
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Software::LOG, default)) ->
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Syslog::LOG, default)) ->
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Tunnel::LOG, default)) ->
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Unified2::LOG, default)) ->
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Weird::LOG, default)) ->
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (X509::LOG, default)) ->
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (mysql::LOG, default)) ->
0.000000 MetaHookPost CallFunction(Log::create_stream, , (Cluster::LOG, [columns=, ev=, path=cluster])) ->
0.000000 MetaHookPost CallFunction(Log::create_stream, , (Communication::LOG, [columns=, ev=, path=communication])) ->
0.000000 MetaHookPost CallFunction(Log::create_stream, , (Conn::LOG, [columns=, ev=Conn::log_conn, path=conn])) ->
@@ -386,7 +429,7 @@
0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) ->
0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) ->
0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) ->
-0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1515793448.944163, node=bro, filter=ip or not ip, init=T, success=T])) ->
+0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T])) ->
0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) ->
0.000000 MetaHookPost CallFunction(NetControl::init, , ()) ->
0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) ->
@@ -991,7 +1034,7 @@
0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]))
0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509]))
0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]))
-0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1515793448.944163, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T]))
0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG))
0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Communication::LOG))
0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Conn::LOG))
@@ -1078,6 +1121,49 @@
0.000000 MetaHookPre CallFunction(Log::add_filter, , (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]))
0.000000 MetaHookPre CallFunction(Log::add_filter, , (X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]))
0.000000 MetaHookPre CallFunction(Log::add_filter, , (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]))
+0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Cluster::LOG, default))
+0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Communication::LOG, default))
+0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Conn::LOG, default))
+0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (DCE_RPC::LOG, default))
+0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (DHCP::LOG, default))
+0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (DNP3::LOG, default))
+0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (DNS::LOG, default))
+0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (DPD::LOG, default))
+0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (FTP::LOG, default))
+0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Files::LOG, default))
+0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (HTTP::LOG, default))
+0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (IRC::LOG, default))
+0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Intel::LOG, default))
+0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (KRB::LOG, default))
+0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Modbus::LOG, default))
+0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (NTLM::LOG, default))
+0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (NetControl::CATCH_RELEASE, default))
+0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (NetControl::DROP, default))
+0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (NetControl::LOG, default))
+0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (NetControl::SHUNT, default))
+0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Notice::ALARM_LOG, default))
+0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Notice::LOG, default))
+0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (OpenFlow::LOG, default))
+0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (PE::LOG, default))
+0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (PacketFilter::LOG, default))
+0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (RADIUS::LOG, default))
+0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (RDP::LOG, default))
+0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (RFB::LOG, default))
+0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Reporter::LOG, default))
+0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (SIP::LOG, default))
+0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (SMTP::LOG, default))
+0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (SNMP::LOG, default))
+0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (SOCKS::LOG, default))
+0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (SSH::LOG, default))
+0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (SSL::LOG, default))
+0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Signatures::LOG, default))
+0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Software::LOG, default))
+0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Syslog::LOG, default))
+0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Tunnel::LOG, default))
+0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Unified2::LOG, default))
+0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Weird::LOG, default))
+0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (X509::LOG, default))
+0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (mysql::LOG, default))
0.000000 MetaHookPre CallFunction(Log::create_stream, , (Cluster::LOG, [columns=, ev=, path=cluster]))
0.000000 MetaHookPre CallFunction(Log::create_stream, , (Communication::LOG, [columns=, ev=, path=communication]))
0.000000 MetaHookPre CallFunction(Log::create_stream, , (Conn::LOG, [columns=, ev=Conn::log_conn, path=conn]))
@@ -1121,7 +1207,7 @@
0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]))
0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509]))
0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]))
-0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1515793448.944163, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T]))
0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ())
0.000000 MetaHookPre CallFunction(NetControl::init, , ())
0.000000 MetaHookPre CallFunction(Notice::want_pp, , ())
@@ -1725,7 +1811,7 @@
0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])
0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509])
0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1515793448.944163, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T])
0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG)
0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG)
@@ -1812,6 +1898,49 @@
0.000000 | HookCallFunction Log::add_filter(Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])
0.000000 | HookCallFunction Log::add_filter(X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])
0.000000 | HookCallFunction Log::add_filter(mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])
+0.000000 | HookCallFunction Log::add_stream_filters(Cluster::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(Communication::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(Conn::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(DCE_RPC::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(DHCP::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(DNP3::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(DNS::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(DPD::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(FTP::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(Files::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(HTTP::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(IRC::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(Intel::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(KRB::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(Modbus::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(NTLM::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(NetControl::CATCH_RELEASE, default)
+0.000000 | HookCallFunction Log::add_stream_filters(NetControl::DROP, default)
+0.000000 | HookCallFunction Log::add_stream_filters(NetControl::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(NetControl::SHUNT, default)
+0.000000 | HookCallFunction Log::add_stream_filters(Notice::ALARM_LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(Notice::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(OpenFlow::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(PE::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(PacketFilter::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(RADIUS::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(RDP::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(RFB::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(Reporter::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(SIP::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(SMTP::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(SNMP::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(SOCKS::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(SSH::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(SSL::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(Signatures::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(Software::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(Syslog::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(Tunnel::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(Unified2::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(Weird::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(X509::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(mysql::LOG, default)
0.000000 | HookCallFunction Log::create_stream(Cluster::LOG, [columns=, ev=, path=cluster])
0.000000 | HookCallFunction Log::create_stream(Communication::LOG, [columns=, ev=, path=communication])
0.000000 | HookCallFunction Log::create_stream(Conn::LOG, [columns=, ev=Conn::log_conn, path=conn])
@@ -1855,7 +1984,7 @@
0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])
0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509])
0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1515793448.944163, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T])
0.000000 | HookCallFunction NetControl::check_plugins()
0.000000 | HookCallFunction NetControl::init()
0.000000 | HookCallFunction Notice::want_pp()
@@ -2198,7 +2327,7 @@
0.000000 | HookLoadFile base<...>/x509
0.000000 | HookLoadFile base<...>/xmpp
0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)}
-0.000000 | HookLogWrite packet_filter [ts=1515793448.944163, node=bro, filter=ip or not ip, init=T, success=T]
+0.000000 | HookLogWrite packet_filter [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T]
0.000000 | HookQueueEvent NetControl::init()
0.000000 | HookQueueEvent bro_init()
0.000000 | HookQueueEvent filter_change_tracking()
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.enable-stream/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.enable-stream/ssh.log
new file mode 100644
index 0000000000..6ae0bfd050
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.enable-stream/ssh.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path ssh
+#open 2018-01-09-22-31-37
+#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
+#types time addr port addr port string string
+1515537097.372589 1.2.3.4 1234 2.3.4.5 80 failure MX
+#close 2018-01-09-22-31-37
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.remove/.stdout b/testing/btest/Baseline/scripts.base.frameworks.logging.remove/.stdout
new file mode 100644
index 0000000000..10e5d0099a
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.remove/.stdout
@@ -0,0 +1,7 @@
+{
+default,
+f1
+}
+{
+
+}
diff --git a/testing/btest/scripts/base/frameworks/logging/adapt-filter.bro b/testing/btest/scripts/base/frameworks/logging/adapt-filter.bro
index 53cfdd1655..2db881deea 100644
--- a/testing/btest/scripts/base/frameworks/logging/adapt-filter.bro
+++ b/testing/btest/scripts/base/frameworks/logging/adapt-filter.bro
@@ -27,7 +27,7 @@ event bro_init()
filter$path= "ssh-new-default";
Log::add_filter(SSH::LOG, filter);
- local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+ local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]);
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
}
diff --git a/testing/btest/scripts/base/frameworks/logging/disable-stream.bro b/testing/btest/scripts/base/frameworks/logging/disable-stream.bro
index 6799f7ca2f..c2f64da8e6 100644
--- a/testing/btest/scripts/base/frameworks/logging/disable-stream.bro
+++ b/testing/btest/scripts/base/frameworks/logging/disable-stream.bro
@@ -21,13 +21,12 @@ event bro_init()
Log::disable_stream(SSH::LOG);
- local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+ local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]);
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
-
}
diff --git a/testing/btest/scripts/base/frameworks/logging/enable-stream.bro b/testing/btest/scripts/base/frameworks/logging/enable-stream.bro
new file mode 100644
index 0000000000..0f525eced1
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/logging/enable-stream.bro
@@ -0,0 +1,33 @@
+#
+# @TEST-EXEC: bro -b %INPUT
+# @TEST-EXEC: btest-diff ssh.log
+
+module SSH;
+
+export {
+ redef enum Log::ID += { LOG };
+
+ type Log: record {
+ t: time;
+ id: conn_id; # Will be rolled out into individual columns.
+ status: string &optional;
+ country: string &default="unknown";
+ } &log;
+}
+
+event bro_init()
+{
+ Log::create_stream(SSH::LOG, [$columns=Log]);
+
+ Log::disable_stream(SSH::LOG);
+
+ local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+
+ Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]);
+ Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
+ Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
+ Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
+ Log::enable_stream(SSH::LOG);
+ Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
+}
+
diff --git a/testing/btest/scripts/base/frameworks/logging/remove.bro b/testing/btest/scripts/base/frameworks/logging/remove.bro
index bb7c302942..3b80d24e9f 100644
--- a/testing/btest/scripts/base/frameworks/logging/remove.bro
+++ b/testing/btest/scripts/base/frameworks/logging/remove.bro
@@ -2,6 +2,7 @@
# @TEST-EXEC: bro -b -B logging %INPUT
# @TEST-EXEC: btest-diff ssh.log
# @TEST-EXEC: btest-diff ssh.failure.log
+# @TEST-EXEC: btest-diff .stdout
module SSH;
@@ -24,11 +25,12 @@ event bro_init()
Log::create_stream(SSH::LOG, [$columns=Log]);
Log::add_filter(SSH::LOG, [$name="f1", $path="ssh.failure", $pred=function(rec: Log): bool { return rec$status == "failure"; }]);
- local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+ local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
# Log something.
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
+ print Log::get_filter_names(SSH::LOG);
Log::remove_filter(SSH::LOG, "f1");
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="BR"]);
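Review bot: The added `print Log::get_filter_names(SSH::LOG);` (here and again in the next hunk) pins the element order of a `set[string]` into the `.stdout` baseline (`default` before `f1`), and set iteration order is not something the script language promises, so the baseline may be brittle across builds. An order-independent check keeps the same coverage, e.g. `print |Log::get_filter_names(SSH::LOG)|;` and `print "f1" in Log::get_filter_names(SSH::LOG);` before and after the `remove_filter` calls. `bro_init` starts outside this hunk.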
@@ -37,5 +39,6 @@ event bro_init()
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
Log::remove_filter(SSH::LOG, "doesn-not-exist");
+ print Log::get_filter_names(SSH::LOG);
}