From 6bde33aca7dfe1265c08884e5b34b2c903a531f4 Mon Sep 17 00:00:00 2001
From: Henrik Kramselund Jereminsen
Date: Tue, 11 May 2021 09:25:24 +0200
Subject: [PATCH 1/3] Introduce script-land variable that can be used to set logdir. Addresses GH-772
---
scripts/base/frameworks/logging/writers/ascii.zeek | 5 +++++
src/logging/writers/ascii/Ascii.cc | 14 ++++++++++++++
src/logging/writers/ascii/Ascii.h | 3 ++-
src/logging/writers/ascii/ascii.bif | 1 +
4 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/scripts/base/frameworks/logging/writers/ascii.zeek b/scripts/base/frameworks/logging/writers/ascii.zeek
index 0ebdde22e0..483656e578 100644
--- a/scripts/base/frameworks/logging/writers/ascii.zeek
+++ b/scripts/base/frameworks/logging/writers/ascii.zeek
@@ -54,6 +54,11 @@ export {
 ## This option is also available as a per-filter ``$config`` option.
 const gzip_file_extension = "gz" &redef;
 
+ ## Default logs to current directory
+ ## Can be redefined to send files into logging directory
+ ##
+ const logdir = "." &redef;
+
 ## Format of timestamps when writing out JSON. By default, the JSON
 ## formatter will use double values for timestamps which represent the
 ## number of seconds from the UNIX epoch.
diff --git a/src/logging/writers/ascii/Ascii.cc b/src/logging/writers/ascii/Ascii.cc
index 942aa5125b..5f1da6d68b 100644
--- a/src/logging/writers/ascii/Ascii.cc
+++ b/src/logging/writers/ascii/Ascii.cc
@@ -252,6 +252,12 @@ void Ascii::InitConfigOptions()
 (const char*) BifConst::LogAscii::gzip_file_extension->Bytes(),
 BifConst::LogAscii::gzip_file_extension->Len()
 );
+
+ logdir.assign(
+ (const char*) BifConst::LogAscii::logdir->Bytes(),
+ BifConst::LogAscii::logdir->Len()
+ );
+
 }
 
 bool Ascii::InitFilterOptions()
@@ -344,6 +350,9 @@ bool Ascii::InitFilterOptions()
 else if ( strcmp(i->first, "gzip_file_extension") == 0 )
 gzip_file_extension.assign(i->second);
+
+ else if ( strcmp(i->first, "logdir") == 0 )
+ logdir.assign(i->second);
 
 }
 
 if ( ! InitFormatter() )
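Review bot: The new `const logdir = "." &redef;` is documented only as `## Default logs to current directory` / `## Can be redefined to send files into logging directory` / `##`, which says neither how the value is applied nor that it is also accepted as a per-filter `$config` key (the `InitFilterOptions` hunk of this same patch adds `strcmp(i->first, "logdir")`). The neighbouring options state both, e.g. `## This option is also available as a per-filter ``$config`` option.`. Suggest something like `## Directory that log files are written to; it is prepended to the file name with a "/". Defaults to the current directory.` followed by the per-filter sentence, and drop the empty `##` line.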
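Review bot: The added `else if ( strcmp(i->first, "logdir") == 0 )` branch is set off from the `gzip_file_extension` branch by a new blank line, whereas the two branches visible just above it are contiguous; drop the `+` blank line so the chain reads uniformly. The loop and the `else if` chain in InitFilterOptions begin before this hunk.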
@@ -448,6 +457,11 @@ bool Ascii::DoInit(const WriterInfo& info, int num_fields, const threading::Fiel
 ext += gzip_file_extension.empty() ? "gz" : gzip_file_extension;
 }
 
+ if ( ! logdir.empty() )
+ {
+ fname = logdir.empty() ? fname : logdir + "/" + fname;
+ }
+
 fname += ext;
 
 bool use_shadow = BifConst::LogAscii::enable_leftover_log_rotation && Info().rotation_interval > 0;
diff --git a/src/logging/writers/ascii/Ascii.h b/src/logging/writers/ascii/Ascii.h
index 6b52899051..1ae863164e 100644
--- a/src/logging/writers/ascii/Ascii.h
+++ b/src/logging/writers/ascii/Ascii.h
@@ -75,7 +75,8 @@ private:
 bool use_json;
 bool enable_utf_8;
 std::string json_timestamps;
-
+ std::string logdir;
+
 threading::Formatter* formatter;
 bool init_options;
 };
diff --git a/src/logging/writers/ascii/ascii.bif b/src/logging/writers/ascii/ascii.bif
index 0b3323a76c..c7d30ad531 100644
--- a/src/logging/writers/ascii/ascii.bif
+++ b/src/logging/writers/ascii/ascii.bif
@@ -16,3 +16,4 @@ const enable_utf_8: bool;
 const json_timestamps: JSON::TimestampFormat;
 const gzip_level: count;
 const gzip_file_extension: string;
+const logdir: string;
From 74561e922f2913175906e138739cf42f533c2536 Mon Sep 17 00:00:00 2001
From: Henrik Kramselund Jereminsen
Date: Sat, 15 May 2021 09:53:51 +0200
Subject: [PATCH 2/3] Logdir: Change requested by 0xxon, no problem Suggestion from 0xxon to look at Input Framework inspired this change
---
scripts/base/frameworks/logging/writers/ascii.zeek | 2 +-
src/logging/writers/ascii/Ascii.cc | 13 ++++++++++---
2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/scripts/base/frameworks/logging/writers/ascii.zeek b/scripts/base/frameworks/logging/writers/ascii.zeek
index 483656e578..628cf92a83 100644
--- a/scripts/base/frameworks/logging/writers/ascii.zeek
+++ b/scripts/base/frameworks/logging/writers/ascii.zeek
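Review bot: Inside `if ( ! logdir.empty() )` the expression `logdir.empty() ? fname : logdir + "/" + fname` can only ever take its second branch, so the body reduces to `fname = logdir + "/" + fname;`. As written, a `logdir` ending in "/" produces a doubled separator, and a file name that is already absolute is still prefixed; whether `fname` can be absolute at this point is decided by code before the hunk. Nothing in the hunk creates or checks the directory, so a non-existent `logdir` presumably surfaces only when the file is opened further down in DoInit, outside the hunk. DoInit starts before and continues after this hunk.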
@@ -57,7 +57,7 @@ export {
 ## Default logs to current directory
 ## Can be redefined to send files into logging directory
 ##
- const logdir = "." &redef;
+ const logdir = "" &redef;
 
 ## Format of timestamps when writing out JSON. By default, the JSON
 ## formatter will use double values for timestamps which represent the
diff --git a/src/logging/writers/ascii/Ascii.cc b/src/logging/writers/ascii/Ascii.cc
index 5f1da6d68b..a9e1691376 100644
--- a/src/logging/writers/ascii/Ascii.cc
+++ b/src/logging/writers/ascii/Ascii.cc
@@ -457,10 +457,17 @@ bool Ascii::DoInit(const WriterInfo& info, int num_fields, const threading::Fiel
 ext += gzip_file_extension.empty() ? "gz" : gzip_file_extension;
 }
 
- if ( ! logdir.empty() )
+ if ( fname.front() != '/' && ! logdir.empty() )
 {
- fname = logdir.empty() ? fname : logdir + "/" + fname;
- }
+ string path = logdir;
+ std::size_t last = path.find_last_not_of('/');
+
+ if ( last == string::npos ) // Nothing but slashes -- weird but ok...
+ path = "/";
+ else
+ path.erase(last + 1);
+ fname = path + "/" + fname;
+ }
 
 fname += ext;
From cd5d80c13df459f27c89dd6903da26cc173c98f1 Mon Sep 17 00:00:00 2001
From: Henrik Kramselund Jereminsen
Date: Mon, 24 May 2021 10:55:53 +0200
Subject: [PATCH 3/3] Copy of ascii-empty test, just changed path in the beginning
---
.../ssh-filtered.log | 13 +++++++
.../base/frameworks/logging/ascii-logdir.zeek | 39 +++++++++++++++++++
2 files changed, 52 insertions(+)
create mode 100644 testing/btest/Baseline/scripts.base.frameworks.logging.ascii-logdir/ssh-filtered.log
create mode 100644 testing/btest/scripts/base/frameworks/logging/ascii-logdir.zeek
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-logdir/ssh-filtered.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-logdir/ssh-filtered.log
new file mode 100644
index 0000000000..981cb7e1dc
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-logdir/ssh-filtered.log
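Review bot: The comment `## Default logs to current directory` is kept while the default becomes `""`, and nothing tells the reader what an empty value means; on the C++ side of this patch an empty `logdir` (or a file name starting with "/") leaves `fname` untouched. Suggest `## Directory to write log files into. An empty string (the default) leaves file names as they are; otherwise the directory is prepended to relative file names.` in place of the first two lines, and drop the empty `##` line.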
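Review bot: `fname.front()` in the new guard is undefined behaviour when `fname` is empty, and whether `fname` can be empty here is decided by code before the hunk; `if ( ! fname.empty() && fname.front() != '/' && ! logdir.empty() )` costs nothing and removes the question. In the all-slashes branch, `path = "/"` followed by `path + "/" + fname` yields `//name`; `path.clear();` there gives `/name`. The guard only treats a leading '/' as absolute, so any other `fname` is placed under `logdir` as-is. DoInit starts before and continues after this hunk.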
@@ -0,0 +1,13 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+PREFIX<>separator |
+PREFIX<>set_separator|,
+PREFIX<>empty_field|EMPTY
+PREFIX<>unset_field|NOT-SET
+PREFIX<>path|ssh
+PREFIX<>fields|t|id.orig_h|id.orig_p|id.resp_h|id.resp_p|status|country|b
+PREFIX<>types|time|addr|port|addr|port|string|string|bool
+XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|success|unknown|NOT-SET
+XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|NOT-SET|US|NOT-SET
+XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|failure|UK|NOT-SET
+XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|NOT-SET|BR|NOT-SET
+XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|failure|EMPTY|T
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-logdir.zeek b/testing/btest/scripts/base/frameworks/logging/ascii-logdir.zeek
new file mode 100644
index 0000000000..91190980ca
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/logging/ascii-logdir.zeek
@@ -0,0 +1,39 @@
+#
+# @TEST-EXEC: mkdir logdir
+# @TEST-EXEC: zeek -b %INPUT LogAscii::logdir=logdir
+# @TEST-EXEC: cat logdir/ssh.log | grep -v PREFIX.*20..- >ssh-filtered.log
+# @TEST-EXEC: btest-diff ssh-filtered.log
+
+redef LogAscii::output_to_stdout = F;
+redef LogAscii::separator = "|";
+redef LogAscii::empty_field = "EMPTY";
+redef LogAscii::unset_field = "NOT-SET";
+redef LogAscii::meta_prefix = "PREFIX<>";
+
+module SSH;
+
+export {
+ redef enum Log::ID += { LOG };
+
+ type Log: record {
+ t: time;
+ id: conn_id; # Will be rolled out into individual columns.
+ status: string &optional;
+ country: string &default="unknown";
+ b: bool &optional;
+ } &log;
+}
+
+event zeek_init()
+{
+ Log::create_stream(SSH::LOG, [$columns=Log]);
+
+ local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+
+ Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]);
+ Log::write(SSH::LOG, [$t=network_time(), $id=cid, $country="US"]);
+ Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
+ Log::write(SSH::LOG, [$t=network_time(), $id=cid, $country="BR"]);
+ Log::write(SSH::LOG, [$t=network_time(), $id=cid, $b=T, $status="failure", $country=""]);
+
+}
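Review bot: The test only runs with `LogAscii::logdir=logdir`, so the trailing-slash stripping added to `Ascii::DoInit` in the previous patch (`find_last_not_of('/')`) is never exercised; a second `@TEST-EXEC` run with `LogAscii::logdir=logdir/` diffed against the same baseline would cover that branch. The `cat logdir/ssh.log | grep -v ...` pipeline can be written as `grep -v PREFIX.*20..- logdir/ssh.log >ssh-filtered.log`.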