Logging: implement get_filter_names and small fixes.

get_filter_names(id: ID) : set[string] returns the names of the current list of filters for a specified log stream. Furthermore this commit makes a number of logging functions more robust by checking existence of values before trying to modify them. This commit also really implements (and tests) the enable_stream function.
2025-10-02 14:48:21 +00:00 · 2018-01-17 09:29:41 -08:00 · 2018-01-17 09:29:41 -08:00 · a4a9bf4199
commit a4a9bf4199
parent fc6e3b4e36
8 changed files with 263 additions and 20 deletions
--- a/scripts/base/frameworks/logging/main.bro
+++ b/scripts/base/frameworks/logging/main.bro
@ -300,7 +300,7 @@ export {
 	##          the correct type.
 	##
 	## .. bro:see:: Log::remove_filter Log::add_default_filter
-	##    Log::remove_default_filter
+	##    Log::remove_default_filter Log::get_filter Log::get_filter_names
 	global add_filter: function(id: ID, filter: Filter) : bool;

 	## Removes a filter from an existing logging stream.
@ -315,9 +315,21 @@ export {
 	##          if no filter associated with *name* was found.
 	##
 	## .. bro:see:: Log::remove_filter Log::add_default_filter
-	##    Log::remove_default_filter
+	##    Log::remove_default_filter Log::get_filter Log::get_filter_names
 	global remove_filter: function(id: ID, name: string) : bool;

+	## Gets the names of all filters associated with an existing
+	## logging stream.
+	##
+	## id: The ID of a logging stream from which to obtain the list
+	##     of filter names.
+	##
+	## Returns: The set of filter names associated with the stream.
+	##
+	## ..bro:see:: Log::remove_filter Log::add_default_filter
+	##   Log::remove_default_filter Log::get_filter
+	global get_filter_names: function(id: ID) : set[string];
+
 	## Gets a filter associated with an existing logging stream.
 	##
 	## id: The ID associated with a logging stream from which to
@ -331,7 +343,7 @@ export {
 	##          :bro:id:`Log::no_filter` sentinel value.
 	##
 	## .. bro:see:: Log::add_filter Log::remove_filter Log::add_default_filter
-	##              Log::remove_default_filter
+	##              Log::remove_default_filter Log::get_filter_names
 	global get_filter: function(id: ID, name: string) : Filter;

 	## Writes a new log line/entry to a logging stream.
@ -432,6 +444,8 @@ export {

 global all_streams: table[ID] of Stream = table();

+global stream_filters: table[ID] of set[string] = table();
+
 # We keep a script-level copy of all filters so that we can manipulate them.
 global filters: table[ID, string] of Filter;

@ -523,18 +537,49 @@ function create_stream(id: ID, stream: Stream) : bool

 function remove_stream(id: ID) : bool
 	{
+	if ( id in active_streams )
 		delete active_streams[id];
+	if ( id in all_streams )
 		delete all_streams[id];
+
+	if ( id in stream_filters )
+		{
+		for ( i in stream_filters[id] )
+			{
+			if ( [id, i] in filters )
+				delete filters[id, i];
+			}
+		delete stream_filters[id];
+		}
 	return __remove_stream(id);
 	}

 function disable_stream(id: ID) : bool
 	{
+	if ( id in active_streams )
 		delete active_streams[id];

 	return __disable_stream(id);
 	}

+function enable_stream(id: ID) : bool
+	{
+	if ( ! __enable_stream(id) )
+		return F;
+
+	if ( id in all_streams )
+		active_streams[id] = all_streams[id];
+	}
+
+# convenience function to add a filter name to stream_filters
+function add_stream_filters(id: ID, name: string)
+	{
+	if ( id in stream_filters )
+		add stream_filters[id][name];
+	else
+		stream_filters[id] = set(name);
+	}
+
 function add_filter(id: ID, filter: Filter) : bool
 	{
 	local stream = all_streams[id];
@ -545,13 +590,22 @@ function add_filter(id: ID, filter: Filter) : bool
 	if ( ! filter?$path && ! filter?$path_func )
 		filter$path_func = default_path_func;

+	local res = __add_filter(id, filter);
+	if ( res )
+		{
+		add_stream_filters(id, filter$name);
 		filters[id, filter$name] = filter;
-	return __add_filter(id, filter);
+		}
+	return res;
 	}

 function remove_filter(id: ID, name: string) : bool
 	{
+	if ( id in stream_filters && name in stream_filters[id] )
+		delete stream_filters[id][name];
+	if ( [id, name] in filters )
 		delete filters[id, name];
+
 	return __remove_filter(id, name);
 	}

@ -563,6 +617,14 @@ function get_filter(id: ID, name: string) : Filter
 	return no_filter;
 	}

+function get_filter_names(id: ID) : set[string]
+	{
+	if ( id in stream_filters )
+		return stream_filters[id];
+	else
+		return set();
+	}
+
 function write(id: ID, columns: any) : bool
 	{
 	return __write(id, columns);
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@ -256,7 +256,7 @@
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1515793448.944163, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Communication::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Conn::LOG)) -> <no result>
@ -343,6 +343,49 @@
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (Cluster::LOG, default)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (Communication::LOG, default)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (Conn::LOG, default)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (DCE_RPC::LOG, default)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (DHCP::LOG, default)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (DNP3::LOG, default)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (DNS::LOG, default)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (DPD::LOG, default)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (FTP::LOG, default)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (Files::LOG, default)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (HTTP::LOG, default)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (IRC::LOG, default)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (Intel::LOG, default)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (KRB::LOG, default)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (Modbus::LOG, default)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (NTLM::LOG, default)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (NetControl::CATCH_RELEASE, default)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (NetControl::DROP, default)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (NetControl::LOG, default)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (NetControl::SHUNT, default)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (Notice::ALARM_LOG, default)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (Notice::LOG, default)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (OpenFlow::LOG, default)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (PE::LOG, default)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (PacketFilter::LOG, default)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (RADIUS::LOG, default)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (RDP::LOG, default)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (RFB::LOG, default)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (Reporter::LOG, default)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (SIP::LOG, default)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (SMTP::LOG, default)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (SNMP::LOG, default)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (SOCKS::LOG, default)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (SSH::LOG, default)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (SSL::LOG, default)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (Signatures::LOG, default)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (Software::LOG, default)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (Syslog::LOG, default)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (Tunnel::LOG, default)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (Unified2::LOG, default)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (Weird::LOG, default)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (X509::LOG, default)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (mysql::LOG, default)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Cluster::LOG, [columns=<no value description>, ev=<uninitialized>, path=cluster])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Communication::LOG, [columns=<no value description>, ev=<uninitialized>, path=communication])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Conn::LOG, [columns=<no value description>, ev=Conn::log_conn, path=conn])) -> <no result>
@ -386,7 +429,7 @@
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1515793448.944163, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::check_plugins, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::init, <null>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(Notice::want_pp, <frame>, ()) -> <no result>
@ -991,7 +1034,7 @@
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1515793448.944163, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Communication::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Conn::LOG))
@ -1078,6 +1121,49 @@
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}]))
+0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (Cluster::LOG, default))
+0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (Communication::LOG, default))
+0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (Conn::LOG, default))
+0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (DCE_RPC::LOG, default))
+0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (DHCP::LOG, default))
+0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (DNP3::LOG, default))
+0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (DNS::LOG, default))
+0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (DPD::LOG, default))
+0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (FTP::LOG, default))
+0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (Files::LOG, default))
+0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (HTTP::LOG, default))
+0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (IRC::LOG, default))
+0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (Intel::LOG, default))
+0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (KRB::LOG, default))
+0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (Modbus::LOG, default))
+0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (NTLM::LOG, default))
+0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (NetControl::CATCH_RELEASE, default))
+0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (NetControl::DROP, default))
+0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (NetControl::LOG, default))
+0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (NetControl::SHUNT, default))
+0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (Notice::ALARM_LOG, default))
+0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (Notice::LOG, default))
+0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (OpenFlow::LOG, default))
+0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (PE::LOG, default))
+0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (PacketFilter::LOG, default))
+0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (RADIUS::LOG, default))
+0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (RDP::LOG, default))
+0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (RFB::LOG, default))
+0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (Reporter::LOG, default))
+0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (SIP::LOG, default))
+0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (SMTP::LOG, default))
+0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (SNMP::LOG, default))
+0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (SOCKS::LOG, default))
+0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (SSH::LOG, default))
+0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (SSL::LOG, default))
+0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (Signatures::LOG, default))
+0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (Software::LOG, default))
+0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (Syslog::LOG, default))
+0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (Tunnel::LOG, default))
+0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (Unified2::LOG, default))
+0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (Weird::LOG, default))
+0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (X509::LOG, default))
+0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (mysql::LOG, default))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Cluster::LOG, [columns=<no value description>, ev=<uninitialized>, path=cluster]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Communication::LOG, [columns=<no value description>, ev=<uninitialized>, path=communication]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Conn::LOG, [columns=<no value description>, ev=Conn::log_conn, path=conn]))
@ -1121,7 +1207,7 @@
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1515793448.944163, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(NetControl::check_plugins, <frame>, ())
 0.000000   MetaHookPre   CallFunction(NetControl::init, <null>, ())
 0.000000   MetaHookPre   CallFunction(Notice::want_pp, <frame>, ())
@ -1725,7 +1811,7 @@
 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1515793448.944163, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG)
@ -1812,6 +1898,49 @@
 0.000000 | HookCallFunction Log::add_filter(Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::add_filter(X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::add_filter(mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])
+0.000000 | HookCallFunction Log::add_stream_filters(Cluster::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(Communication::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(Conn::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(DCE_RPC::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(DHCP::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(DNP3::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(DNS::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(DPD::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(FTP::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(Files::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(HTTP::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(IRC::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(Intel::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(KRB::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(Modbus::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(NTLM::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(NetControl::CATCH_RELEASE, default)
+0.000000 | HookCallFunction Log::add_stream_filters(NetControl::DROP, default)
+0.000000 | HookCallFunction Log::add_stream_filters(NetControl::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(NetControl::SHUNT, default)
+0.000000 | HookCallFunction Log::add_stream_filters(Notice::ALARM_LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(Notice::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(OpenFlow::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(PE::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(PacketFilter::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(RADIUS::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(RDP::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(RFB::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(Reporter::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(SIP::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(SMTP::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(SNMP::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(SOCKS::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(SSH::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(SSL::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(Signatures::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(Software::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(Syslog::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(Tunnel::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(Unified2::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(Weird::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(X509::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(mysql::LOG, default)
 0.000000 | HookCallFunction Log::create_stream(Cluster::LOG, [columns=<no value description>, ev=<uninitialized>, path=cluster])
 0.000000 | HookCallFunction Log::create_stream(Communication::LOG, [columns=<no value description>, ev=<uninitialized>, path=communication])
 0.000000 | HookCallFunction Log::create_stream(Conn::LOG, [columns=<no value description>, ev=Conn::log_conn, path=conn])
@ -1855,7 +1984,7 @@
 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1515793448.944163, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction NetControl::check_plugins()
 0.000000 | HookCallFunction NetControl::init()
 0.000000 | HookCallFunction Notice::want_pp()
@ -2198,7 +2327,7 @@
 0.000000 | HookLoadFile  base<...>/x509
 0.000000 | HookLoadFile  base<...>/xmpp
 0.000000 | HookLogInit   packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)}
-0.000000 | HookLogWrite  packet_filter [ts=1515793448.944163, node=bro, filter=ip or not ip, init=T, success=T]
+0.000000 | HookLogWrite  packet_filter [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T]
 0.000000 | HookQueueEvent NetControl::init()
 0.000000 | HookQueueEvent bro_init()
 0.000000 | HookQueueEvent filter_change_tracking()
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.enable-stream/ssh.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.enable-stream/ssh.log
@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssh
+#open	2018-01-09-22-31-37
+#fields	t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+#types	time	addr	port	addr	port	string	string
+1515537097.372589	1.2.3.4	1234	2.3.4.5	80	failure	MX
+#close	2018-01-09-22-31-37
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.remove/.stdout
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.remove/.stdout
@ -0,0 +1,7 @@
+{
+default,
+f1
+}
+{
+
+}
--- a/testing/btest/scripts/base/frameworks/logging/disable-stream.bro
+++ b/testing/btest/scripts/base/frameworks/logging/disable-stream.bro
@ -28,6 +28,5 @@ event bro_init()
 	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
 	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
 	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
-	
 }

--- a/testing/btest/scripts/base/frameworks/logging/enable-stream.bro
+++ b/testing/btest/scripts/base/frameworks/logging/enable-stream.bro
@ -0,0 +1,33 @@
+#
+# @TEST-EXEC: bro -b %INPUT
+# @TEST-EXEC: btest-diff ssh.log
+
+module SSH;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Log: record {
+		t: time;
+		id: conn_id; # Will be rolled out into individual columns.
+		status: string &optional;
+		country: string &default="unknown";
+	} &log;
+}
+
+event bro_init()
+{
+	Log::create_stream(SSH::LOG, [$columns=Log]);
+
+	Log::disable_stream(SSH::LOG);
+
+	local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
+	Log::enable_stream(SSH::LOG);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
+}
+
--- a/testing/btest/scripts/base/frameworks/logging/remove.bro
+++ b/testing/btest/scripts/base/frameworks/logging/remove.bro
@ -2,6 +2,7 @@
 # @TEST-EXEC: bro -b -B logging %INPUT
 # @TEST-EXEC: btest-diff ssh.log
 # @TEST-EXEC: btest-diff ssh.failure.log
+# @TEST-EXEC: btest-diff .stdout

 module SSH;

@ -29,6 +30,7 @@ event bro_init()
 	# Log something.
 	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
 	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
+	print Log::get_filter_names(SSH::LOG);

 	Log::remove_filter(SSH::LOG, "f1");
 	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="BR"]);
@ -37,5 +39,6 @@ event bro_init()
 	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);

 	Log::remove_filter(SSH::LOG, "doesn-not-exist");
+	print Log::get_filter_names(SSH::LOG);
 }