Merge branch 'stats-logging-fix' of https://github.com/brittanydonowho/zeek

- Added test case and adjusted whitespace in merge * 'stats-logging-fix' of https://github.com/brittanydonowho/zeek: Fixed stats.zeek to log all data before zeek terminates rather than return too soon
2025-10-15 13:08:20 +00:00 · 2020-04-29 15:43:51 -07:00 · 2020-04-29 15:43:51 -07:00 · ccdaf5f111
commit ccdaf5f111
parent a08b1ff56f 97c8912443
5 changed files with 31 additions and 6 deletions
--- a/4
+++ b/4
@ -1,4 +1,8 @@

+3.2.0-dev.447 | 2020-04-29 15:55:03 -0700
+
+  * GH-713: Fixed misc/stats.zeek skipping a log entry on termination (Brittany Donowho)
+
 3.2.0-dev.445 | 2020-04-29 15:25:03 -0700

  * Add warning message for unknown Broker statuses (Jon Siwek, Corelight)
--- a/2
+++ b/2
@ -1 +1 @@
-3.2.0-dev.445
+3.2.0-dev.447
--- a/scripts/policy/misc/stats.zeek
+++ b/scripts/policy/misc/stats.zeek
@ -99,11 +99,6 @@ event check_stats(then: time, last_ns: NetStats, last_cs: ConnStats, last_ps: Pr
 	local fs = get_file_analysis_stats();
 	local ds = get_dns_stats();

-	if ( zeek_is_terminating() )
-		# No more stats will be written or scheduled when Zeek is
-		# shutting down.
-		return;
-
 	local info: Info = [$ts=nettime,
 			    $peer=peer_description,
 			    $mem=ps$mem/1048576,
@ -146,6 +141,12 @@ event check_stats(then: time, last_ns: NetStats, last_cs: ConnStats, last_ps: Pr
 		}

 	Log::write(Stats::LOG, info);
+
+	if ( zeek_is_terminating() )
+		# No more stats will be written or scheduled when Zeek is
+		# shutting down.
+		return;
+
 	schedule report_interval { check_stats(nettime, ns, cs, ps, es, rs, ts, fs, ds) };
 	}

--- a/testing/btest/Baseline/scripts.policy.misc.stats/stats.log
+++ b/testing/btest/Baseline/scripts.policy.misc.stats/stats.log
@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	stats
+#open	2020-04-29-22-53-33
+#fields	pkts_proc
+#types	count
+1
+135
+#close	2020-04-29-22-53-33
--- a/testing/btest/scripts/policy/misc/stats.zeek
+++ b/testing/btest/scripts/policy/misc/stats.zeek
@ -1,4 +1,5 @@
 # @TEST-EXEC: zeek -r $TRACES/wikipedia.trace %INPUT
+# @TEST-EXEC: btest-diff stats.log

@load policy/misc/stats

@ -8,3 +9,11 @@ event load_sample(samples: load_sample_info, CPU: interval, dmem: int)
 	# should still exist to cover potential memory leaks.
 	print CPU;
 	}
+
+event zeek_init()
+	{
+	# Various fields will be unstable for use in baseline, so use one that is.
+	local filter: Log::Filter = [$name="pkt-stats", $include=set("pkts_proc")];
+	Log::remove_filter(Stats::LOG, "default");
+	Log::add_filter(Stats::LOG, filter);
+	}