Rename analyzer.log to analyzer.debug log; move to policy

The current analyzer.log is more useful for debugging than for
operational purposes. Hence this is disabled by default, moved to a
policy script, and the log is renamed to analyzer-debug.log.

Furthermore, logging of analyzer confirmations and disabling analyzers
are now enabled by default.

scripts/base/frameworks/analyzer/__load__.zeek

@@ -1,3 +1,2 @@
 @load ./main
 @load ./dpd
-@load ./logging

scripts/base/frameworks/analyzer/dpd.zeek

@@ -1,4 +1,5 @@
-##! Disables analyzers if protocol violations occur.
+##! Disables analyzers if protocol violations occur, and add service information
+##! to connection log.
 
 module DPD;
 
@@ -27,6 +28,7 @@ redef record connection += {
 	service_violation: set[string] &default=set() &ordered;
 };
 
+## add confirmed protocol analyzers to conn.log service field
 event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo) &priority=10
 	{
 	if ( ! is_protocol_analyzer(atype) && ! is_packet_analyzer(atype) )
@@ -40,6 +42,7 @@ event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirm
 	add c$service[analyzer];
 	}
 
+## Remove failed analyzers from service field and add them to c$service_violation
 event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo) &priority=10
 	{
 	if ( ! is_protocol_analyzer(atype) && ! is_packet_analyzer(atype) )

scripts/policy/frameworks/analyzer/analyzer-debug-log.zeek

@@ -1,11 +1,10 @@
-##! Logging analyzer confirmations and violations into analyzer.log
+##! Logging analyzer confirmations and violations into analyzer-debug.log
 
 @load base/frameworks/config
 @load base/frameworks/logging
+@load base/frameworks/analyzer
 
-@load ./main
+module Analyzer::DebugLogging;
-
-module Analyzer::Logging;
 
 export {
 	## Add the analyzer logging stream identifier.
@@ -38,12 +37,12 @@ export {
 		failure_reason: string            &log &optional;
 
 		## Data causing failure or violation if available. Truncated
-		## to :zeek:see:`Analyzer::Logging::failure_data_max_size`.
+		## to :zeek:see:`Analyzer::DebugLogging::failure_data_max_size`.
 		failure_data:   string            &log &optional;
 	};
 
 	## Enable logging of analyzer violations and optionally confirmations
-	## when :zeek:see:`Analyzer::Logging::include_confirmations` is set.
+	## when :zeek:see:`Analyzer::DebugLogging::include_confirmations` is set.
 	option enable = T;
 
 	## Enable analyzer_confirmation. They are usually less interesting
@@ -51,13 +50,13 @@ export {
 	## Setting this option may also generated multiple log entries per
 	## connection, minimally one for each conn.log entry with a populated
 	## service field.
-	option include_confirmations = F;
+	option include_confirmations = T;
 
 	## Enable tracking of analyzers getting disabled. This is mostly
 	## interesting for troubleshooting of analyzers in DPD scenarios.
 	## Setting this option may also generated multiple log entries per
 	## connection.
-	option include_disabling = F;
+	option include_disabling = T;
 
 	## If a violation contains information about the data causing it,
 	## include at most this many bytes of it in the log.
@@ -70,8 +69,8 @@ export {
 
 event zeek_init() &priority=5
 	{
-	Log::create_stream(LOG, [$columns=Info, $path="analyzer", $policy=log_policy,
+	Log::create_stream(LOG, [$columns=Info, $path="analyzer-debug", $policy=log_policy,
-	                         $event_groups=set("Analyzer::Logging")]);
+	                         $event_groups=set("Analyzer::DebugLogging")]);
 
 	local enable_handler = function(id: string, new_value: bool): bool {
 	if ( new_value )
@@ -81,37 +80,40 @@ event zeek_init() &priority=5
 
 	return new_value;
 	};
-	Option::set_change_handler("Analyzer::Logging::enable", enable_handler);
+
+	Option::set_change_handler("Analyzer::DebugLogging::enable", enable_handler);
 
 	local include_confirmations_handler = function(id: string, new_value: bool): bool {
 	if ( new_value )
-		    enable_event_group("Analyzer::Logging::include_confirmations");
+		enable_event_group("Analyzer::DebugLogging::include_confirmations");
 	else
-		    disable_event_group("Analyzer::Logging::include_confirmations");
+		disable_event_group("Analyzer::DebugLogging::include_confirmations");
 
 	return new_value;
 	};
-	Option::set_change_handler("Analyzer::Logging::include_confirmations",
+
+	Option::set_change_handler("Analyzer::DebugLogging::include_confirmations",
 	                           include_confirmations_handler);
 
 	local include_disabling_handler = function(id: string, new_value: bool): bool {
 	if ( new_value )
-		    enable_event_group("Analyzer::Logging::include_disabling");
+		enable_event_group("Analyzer::DebugLogging::include_disabling");
 	else
-		    disable_event_group("Analyzer::Logging::include_disabling");
+		disable_event_group("Analyzer::DebugLogging::include_disabling");
 
 	return new_value;
 	};
-	Option::set_change_handler("Analyzer::Logging::include_disabling",
+
+	Option::set_change_handler("Analyzer::DebugLogging::include_disabling",
 	                           include_disabling_handler);
 
 	# Call the handlers directly with the current values to avoid config
 	# framework interactions like creating entries in config.log.
-	enable_handler("Analyzer::Logging::enable", Analyzer::Logging::enable);
+	enable_handler("Analyzer::DebugLogging::enable", Analyzer::DebugLogging::enable);
-	include_confirmations_handler("Analyzer::Logging::include_confirmations",
+	include_confirmations_handler("Analyzer::DebugLogging::include_confirmations",
-	                              Analyzer::Logging::include_confirmations);
+	                              Analyzer::DebugLogging::include_confirmations);
-	include_disabling_handler("Analyzer::Logging::include_disabling",
+	include_disabling_handler("Analyzer::DebugLogging::include_disabling",
-	                          Analyzer::Logging::include_disabling);
+	                          Analyzer::DebugLogging::include_disabling);
 
 	}
 
@@ -149,7 +151,7 @@ function populate_from_file(rec: Info, f: fa_file)
 		}
 	}
 
-event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo) &group="Analyzer::Logging::include_confirmations"
+event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo) &group="Analyzer::DebugLogging::include_confirmations"
 	{
 	if ( atype in ignore_analyzers )
 		return;
@@ -200,7 +202,7 @@ event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationI
 	Log::write(LOG, rec);
 	}
 
-hook Analyzer::disabling_analyzer(c: connection, atype: AllAnalyzers::Tag, aid: count) &priority=-1000 &group="Analyzer::Logging::include_disabling"
+hook Analyzer::disabling_analyzer(c: connection, atype: AllAnalyzers::Tag, aid: count) &priority=-1000 &group="Analyzer::DebugLogging::include_disabling"
 	{
 	if ( atype in ignore_analyzers )
 		return;