Merge remote-tracking branch 'origin/topic/johanna/new-style-analyzer-log'

* origin/topic/johanna/new-style-analyzer-log: NEWS entries for analyzer log changes Move detect-protocol from frameworks/dpd to frameworks/analyzer Introduce new c$failed_analyzers field Settle on analyzer.log for the dpd.log replacement dpd->analyzer.log change - rename files Analyzer failure logging: tweaks and test fixes Introduce analyzer-failed.log, as a replacement for dpd.log Rename analyzer.log to analyzer.debug log; move to policy Move dpd.log to policy script
2025-10-02 14:48:21 +00:00 · 2025-06-05 07:15:59 +01:00 · 2025-06-05 07:15:59 +01:00 · e6755325e1
commit e6755325e1
parent 62dc6ce7bc 9466b10387
127 changed files with 5151 additions and 4742 deletions
--- a/testing/btest/scripts/base/frameworks/analyzer/logging.zeek
+++ b/testing/btest/scripts/base/frameworks/analyzer/logging.zeek
@ -1,19 +0,0 @@
-# @TEST-EXEC: zeek -r ${TRACES}/socks.trace %INPUT
-# @TEST-EXEC: mv analyzer.log analyzer.log-default
-# @TEST-EXEC: btest-diff analyzer.log-default
-
-# @TEST-EXEC: zeek -r ${TRACES}/socks.trace %INPUT Analyzer::Logging::include_confirmations=T
-# @TEST-EXEC: mv analyzer.log analyzer.log-include-confirmations
-# @TEST-EXEC: btest-diff analyzer.log-include-confirmations
-
-# @TEST-EXEC: zeek -r ${TRACES}/socks.trace %INPUT Analyzer::Logging::include_disabling=T
-# @TEST-EXEC: mv analyzer.log analyzer.log-include-disabling
-# @TEST-EXEC: btest-diff analyzer.log-include-disabling
-
-@load base/protocols/conn
-@load base/protocols/dns
-@load base/protocols/socks
-
-# DCE RPC violations are ignored by default. Consider violations for this
-# test so that the analyzer will be disabled eventually.
-redef DPD::ignore_violations -= { Analyzer::ANALYZER_DCE_RPC };
--- a/testing/btest/scripts/base/protocols/dce-rpc/ntlm-empty-av-pair-seq.zeek
+++ b/testing/btest/scripts/base/protocols/dce-rpc/ntlm-empty-av-pair-seq.zeek
@ -2,7 +2,12 @@

 # @TEST-EXEC: zeek -b -r $TRACES/dce-rpc/ntlm-empty-av-sequence.pcap %INPUT
 # @TEST-EXEC: btest-diff ntlm.log
-# @TEST-EXEC: btest-diff dpd.log
+# @TEST-EXEC: btest-diff analyzer.log

+@load frameworks/analyzer/debug-logging.zeek
@load base/protocols/dce-rpc
@load base/protocols/ntlm
+
+# ntlm by default excludes itself from analyzer logging
+
+redef DPD::ignore_violations = {};
--- a/testing/btest/scripts/base/protocols/dce-rpc/ntlm-unterminated-av-pair-seq.zeek
+++ b/testing/btest/scripts/base/protocols/dce-rpc/ntlm-unterminated-av-pair-seq.zeek
@ -2,7 +2,11 @@

 # @TEST-EXEC: zeek -b -r $TRACES/dce-rpc/ntlm-unterminated-av-sequence.pcap %INPUT
 # @TEST-EXEC: btest-diff ntlm.log
-# @TEST-EXEC: btest-diff dpd.log
+# @TEST-EXEC: btest-diff analyzer.log

@load base/protocols/dce-rpc
@load base/protocols/ntlm
+
+# ntlm by default excludes itself from analyzer logging
+
+redef DPD::ignore_violations = {};
--- a/testing/btest/scripts/base/protocols/ftp/ftp-invalid-reply-code.zeek
+++ b/testing/btest/scripts/base/protocols/ftp/ftp-invalid-reply-code.zeek
@ -2,7 +2,7 @@
 # @TEST-EXEC: zeek -b -r $TRACES/ftp/ftp-invalid-reply-code.pcap %INPUT
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff ftp.log
-# @TEST-EXEC: btest-diff dpd.log
+# @TEST-EXEC: btest-diff analyzer.log
 # @TEST-EXEC: test ! -f reporter.log

@load base/protocols/conn
--- a/testing/btest/scripts/base/protocols/ftp/ftp-missing-reply-code.zeek
+++ b/testing/btest/scripts/base/protocols/ftp/ftp-missing-reply-code.zeek
@ -2,7 +2,7 @@
 # @TEST-EXEC: zeek -b -r $TRACES/ftp/ftp-missing-reply-code.pcap %INPUT
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff ftp.log
-# @TEST-EXEC: btest-diff dpd.log
+# @TEST-EXEC: btest-diff analyzer.log
 # @TEST-EXEC: test ! -f reporter.log

@load base/protocols/conn
--- a/testing/btest/scripts/base/protocols/ftp/ftp-missing-space-after-reply-code.zeek
+++ b/testing/btest/scripts/base/protocols/ftp/ftp-missing-space-after-reply-code.zeek
@ -2,7 +2,7 @@
 # @TEST-EXEC: zeek -b -r $TRACES/ftp/ftp-missing-space-after-reply-code.pcap %INPUT
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff ftp.log
-# @TEST-EXEC: btest-diff dpd.log
+# @TEST-EXEC: btest-diff analyzer.log
 # @TEST-EXEC: test ! -f reporter.log

@load base/protocols/conn
--- a/testing/btest/scripts/base/protocols/http/101-switching-protocols.zeek
+++ b/testing/btest/scripts/base/protocols/http/101-switching-protocols.zeek
@ -5,7 +5,7 @@
 #
 # @TEST-EXEC: zeek -r $TRACES/http/websocket.pcap %INPUT
 # @TEST-EXEC: test ! -f weird.log
-# @TEST-EXEC: test ! -f dpd.log
+# @TEST-EXEC: test ! -f analyzer.log
 # @TEST-EXEC: btest-diff http.log
 # @TEST-EXEC: btest-diff websocket.log
 # @TEST-EXEC: btest-diff .stdout
@ -25,7 +25,7 @@ hook WebSocket::configure_analyzer(c: connection, aid: count, config: WebSocket:
 		# The originator's WebSocket frames match HTTP, so DPD would
 		# enable HTTP for the frame's payload, but the responder's frames
 		# contain some ack/status junk just before HTTP response that
-		# trigger a violation. Disable DPD for to prevent a dpd.log
+		# trigger a violation. Disable DPD for to prevent a analyzer.log
 		# entry.
 		config$use_dpd = F;
 	}
--- a/testing/btest/scripts/base/protocols/http/http-11-request-then-cruft.pcap
+++ b/testing/btest/scripts/base/protocols/http/http-11-request-then-cruft.pcap
@ -1,7 +1,7 @@
 # @TEST-EXEC: zeek -b -r $TRACES/http/http-11-request-then-cruft.pcap %INPUT > output
 # @TEST-EXEC: btest-diff http.log
 # @TEST-EXEC: btest-diff weird.log
-# @TEST-EXEC: btest-diff dpd.log
+# @TEST-EXEC: btest-diff analyzer.log

@load base/protocols/http
@load base/frameworks/notice/weird
--- a/testing/btest/scripts/base/protocols/ldap/add.zeek
+++ b/testing/btest/scripts/base/protocols/ldap/add.zeek
@ -5,7 +5,6 @@
 # @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff ldap.log
-# @TEST-EXEC: ! test -f dpd.log
 # @TEST-EXEC: ! test -f analyzer.log
 #
 # @TEST-DOC: The addRequest/addResponse operation is not implemented, yet we process it.
--- a/testing/btest/scripts/base/protocols/ldap/sasl-encrypted.zeek
+++ b/testing/btest/scripts/base/protocols/ldap/sasl-encrypted.zeek
@ -7,6 +7,6 @@
 # @TEST-EXEC: btest-diff ldap.log
 # @TEST-EXEC: btest-diff ldap_search.log
 # @TEST-EXEC: ! test -f weird.log
-# @TEST-EXEC: ! test -f dpd.log
+# @TEST-EXEC: ! test -f analyzer.log
 #
 # @TEST-DOC: Test LDAP analyzer with SASL encrypted payloads.
--- a/testing/btest/scripts/base/protocols/ldap/sasl-ntlm.zeek
+++ b/testing/btest/scripts/base/protocols/ldap/sasl-ntlm.zeek
@ -6,7 +6,6 @@
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff ldap.log
 # @TEST-EXEC: btest-diff ldap_search.log
-# @TEST-EXEC: ! test -f dpd.log
 # @TEST-EXEC: ! test -f analyzer.log
 #
 # @TEST-DOC: This broke after #3826 got merged
--- a/testing/btest/scripts/base/protocols/ldap/sasl-scram-sha-512.zeek
+++ b/testing/btest/scripts/base/protocols/ldap/sasl-scram-sha-512.zeek
@ -6,7 +6,6 @@
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff ldap.log
 # @TEST-EXEC: btest-diff ldap_search.log
-# @TEST-EXEC: ! test -f dpd.log
 # @TEST-EXEC: ! test -f analyzer.log
 #
 # @TEST-DOC: This broke after #3826 got merged
--- a/testing/btest/scripts/base/protocols/ldap/sasl-signed-clear-2.zeek
+++ b/testing/btest/scripts/base/protocols/ldap/sasl-signed-clear-2.zeek
@ -6,6 +6,6 @@
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff ldap.log
 # @TEST-EXEC: btest-diff ldap_search.log
-# @TEST-EXEC: ! test -f dpd.log
+# @TEST-EXEC: ! test -f analyzer.log
 #
 # @TEST-DOC: Test LDAP analyzer with GSS-API integrity traffic where we can still peak into LDAP wrapped into WRAP tokens.
--- a/testing/btest/scripts/base/protocols/ldap/sasl-signed-clear.zeek
+++ b/testing/btest/scripts/base/protocols/ldap/sasl-signed-clear.zeek
@ -6,6 +6,6 @@
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff ldap.log
 # @TEST-EXEC: btest-diff ldap_search.log
-# @TEST-EXEC: ! test -f dpd.log
+# @TEST-EXEC: ! test -f analyzer.log
 #
 # @TEST-DOC: Test LDAP analyzer with GSS-API integrity traffic where we can still peak into LDAP wrapped into WRAP tokens.
--- a/testing/btest/scripts/base/protocols/ldap/sasl-srp-who-am-i.zeek
+++ b/testing/btest/scripts/base/protocols/ldap/sasl-srp-who-am-i.zeek
@ -5,7 +5,6 @@
 # @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff ldap.log
-# @TEST-EXEC: ! test -f dpd.log
 # @TEST-EXEC: ! test -f analyzer.log
 #
 # @TEST-DOC: SASL authentication using SRP (Secure Remote Password)
--- a/testing/btest/scripts/base/protocols/ldap/spnego-ntlmssp.zeek
+++ b/testing/btest/scripts/base/protocols/ldap/spnego-ntlmssp.zeek
@ -9,7 +9,6 @@
 # @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff ldap.log
-# @TEST-EXEC: ! test -f dpd.log
 # @TEST-EXEC: ! test -f analyzer.log
 #
 # @TEST-DOC: SASL bindRequest with SPNEGO NTLMSSP.
--- a/testing/btest/scripts/base/protocols/ldap/starttls.zeek
+++ b/testing/btest/scripts/base/protocols/ldap/starttls.zeek
@ -7,7 +7,6 @@
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff ldap.log
 # @TEST-EXEC: btest-diff ssl.log
-# @TEST-EXEC: ! test -f dpd.log
 # @TEST-EXEC: ! test -f analyzer.log
 #
 # @TEST-DOC: LDAP supports StartTLS through extendedRequest 1.3.6.1.4.1.1466.20037
--- a/testing/btest/scripts/base/protocols/ldap/who-am-i.zeek
+++ b/testing/btest/scripts/base/protocols/ldap/who-am-i.zeek
@ -6,7 +6,6 @@
 # @TEST-EXEC: btest-diff out
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff ldap.log
-# @TEST-EXEC: ! test -f dpd.log
 # @TEST-EXEC: ! test -f analyzer.log
 #
 # @TEST-DOC: Testing OpenLDAP's ldapwhoami utility with simple authentication.
--- a/testing/btest/scripts/base/protocols/modbus/modbus_and_non_modbus_on_port_502.test
+++ b/testing/btest/scripts/base/protocols/modbus/modbus_and_non_modbus_on_port_502.test
@ -23,10 +23,12 @@
 #
 # @TEST-REQUIRES: ! have-spicy-ssl
 #
-# @TEST-EXEC: zeek -r $TRACES/modbus/modbus-and-non-modbus-p502.pcap
+# @TEST-EXEC: zeek -r $TRACES/modbus/modbus-and-non-modbus-p502.pcap %INPUT
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff modbus.log
-# @TEST-EXEC: btest-diff analyzer.log
+# @TEST-EXEC: btest-diff analyzer_debug.log

 # The pcap has non Modbus traffic (i.e., DCERPC, HTTP, Magellan, NFS, RDP, TLS) on TCP port 502.
 # This traffic should not be labelled as Modbus in conn.log, and not generate any Modbus events.
+
+@load frameworks/analyzer/debug-logging.zeek
--- a/testing/btest/scripts/base/protocols/pop3/bad-list-retr-crafted.zeek
+++ b/testing/btest/scripts/base/protocols/pop3/bad-list-retr-crafted.zeek
@ -2,8 +2,9 @@
 # @TEST-EXEC: zeek -b -r $TRACES/pop3/bad-list-retr-crafted.pcap %INPUT
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff weird.log
-# @TEST-EXEC: btest-diff analyzer.log
+# @TEST-EXEC: btest-diff analyzer_debug.log

+@load frameworks/analyzer/debug-logging.zeek
@load base/frameworks/notice/weird
@load base/protocols/conn
@load base/protocols/pop3
--- a/testing/btest/scripts/base/protocols/pop3/redis.zeek
+++ b/testing/btest/scripts/base/protocols/pop3/redis.zeek
@ -3,8 +3,9 @@
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff out
 # @TEST-EXEC: btest-diff weird.log
-# @TEST-EXEC: btest-diff analyzer.log
+# @TEST-EXEC: btest-diff analyzer_debug.log

+@load frameworks/analyzer/debug-logging.zeek
@load base/frameworks/notice/weird
@load base/protocols/conn
@load base/protocols/pop3
--- a/testing/btest/scripts/base/protocols/postgresql/http-on-port-5432.zeek
+++ b/testing/btest/scripts/base/protocols/postgresql/http-on-port-5432.zeek
@ -3,11 +3,12 @@
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
 # @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/http-on-port-5432.pcap %INPUT >output
 # @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p history service  < conn.log > conn.cut
-# @TEST-EXEC: zeek-cut -m < analyzer.log > analyzer.cut
+# @TEST-EXEC: zeek-cut -m < analyzer_debug.log > analyzer.cut
 #
 # @TEST-EXEC: btest-diff conn.cut
 # @TEST-EXEC: TEST_DIFF_CANONIFIER="sed -r 's,(.*) \(/[^\)]+\),\1 (...),'" btest-diff analyzer.cut
 # @TEST-EXEC: test ! -f postgresql.log

+@load frameworks/analyzer/debug-logging.zeek
@load base/protocols/conn
@load base/protocols/postgresql
--- a/testing/btest/scripts/base/protocols/postgresql/mysql-on-port-5432.zeek
+++ b/testing/btest/scripts/base/protocols/postgresql/mysql-on-port-5432.zeek
@ -3,11 +3,12 @@
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
 # @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/mysql-on-port-5432.pcap %INPUT >output
 # @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p history service  < conn.log > conn.cut
-# @TEST-EXEC: zeek-cut -m < analyzer.log > analyzer.cut
+# @TEST-EXEC: zeek-cut -m < analyzer_debug.log > analyzer.cut
 #
 # @TEST-EXEC: btest-diff conn.cut
 # @TEST-EXEC: TEST_DIFF_CANONIFIER="sed -r 's,(.*) \(/[^\)]+\),\1 (...),'" btest-diff analyzer.cut
 # @TEST-EXEC: test ! -f postgresql.log

+@load frameworks/analyzer/debug-logging.zeek
@load base/protocols/conn
@load base/protocols/postgresql
--- a/testing/btest/scripts/base/protocols/quic/decrypt-crash.zeek
+++ b/testing/btest/scripts/base/protocols/quic/decrypt-crash.zeek
@ -3,6 +3,8 @@
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
 # @TEST-EXEC: zeek -Cr $TRACES/quic/383379789-decrypt-crash.pcap base/protocols/quic %INPUT
 # @TEST-EXEC: zeek-cut -m ts uid proto history service < conn.log > conn.log.cut
-# @TEST-EXEC: zeek-cut -m ts uid cause analyzer_kind analyzer_name failure_reason < analyzer.log > analyzer.log.cut
+# @TEST-EXEC: zeek-cut -m ts cause uid analyzer_kind analyzer_name failure_reason < analyzer_debug.log > analyzer_debug.log.cut
 # @TEST-EXEC: btest-diff conn.log.cut
-# @TEST-EXEC: TEST_DIFF_CANONIFIER='sed -E "s/\((.+)\.spicy:[0-9]+:[0-9]+(-[0-9]+:[0-9]+)?\)/(\1.spicy:<location>)/g" | $SCRIPTS/diff-remove-abspath' btest-diff analyzer.log.cut
+# @TEST-EXEC: TEST_DIFF_CANONIFIER='sed -E "s/\((.+)\.spicy:[0-9]+:[0-9]+(-[0-9]+:[0-9]+)?\)/(\1.spicy:<location>)/g" | $SCRIPTS/diff-remove-abspath' btest-diff analyzer_debug.log.cut
+
+@load frameworks/analyzer/debug-logging.zeek
--- a/testing/btest/scripts/base/protocols/quic/vector-max-size-crash.zeek
+++ b/testing/btest/scripts/base/protocols/quic/vector-max-size-crash.zeek
@ -3,12 +3,14 @@
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
 # @TEST-EXEC: zeek -Cr $TRACES/quic/vector-max-size-crash.pcap base/protocols/quic %INPUT > out
 # @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
-# @TEST-EXEC: zeek-cut -m ts uid cause analyzer_kind analyzer_name failure_reason < analyzer.log > analyzer.log.cut
+# @TEST-EXEC: zeek-cut -m ts cause uid analyzer_kind analyzer_name failure_reason < analyzer_debug.log > analyzer_debug.log.cut
 # @TEST-EXEC: btest-diff conn.log.cut
 # @TEST-EXEC: btest-diff out
 # @TEST-EXEC: btest-diff quic.log

-# @TEST-EXEC: TEST_DIFF_CANONIFIER='sed -E "s/\((.+)\.spicy:[0-9]+:[0-9]+(-[0-9]+:[0-9]+)?\)/(\1.spicy:<location>)/g" | $SCRIPTS/diff-remove-abspath' btest-diff analyzer.log.cut
+# @TEST-EXEC: TEST_DIFF_CANONIFIER='sed -E "s/\((.+)\.spicy:[0-9]+:[0-9]+(-[0-9]+:[0-9]+)?\)/(\1.spicy:<location>)/g" | $SCRIPTS/diff-remove-abspath' btest-diff analyzer_debug.log.cut
+
+@load frameworks/analyzer/debug-logging.zeek

 event QUIC::unhandled_version(c: connection, is_orig: bool, version: count, dcid: string, scid: string)
 	{
--- a/testing/btest/scripts/base/protocols/rdp/rdp-invalid-length.zeek
+++ b/testing/btest/scripts/base/protocols/rdp/rdp-invalid-length.zeek
@ -3,6 +3,7 @@
 # analyzer.log. The pcap used is a snippet of a pcap from OSS-Fuzz #57109.

 # @TEST-EXEC: zeek -C -b -r $TRACES/rdp/rdp-invalid-length.pcap %INPUT
-# @TEST-EXEC: btest-diff analyzer.log
+# @TEST-EXEC: btest-diff analyzer_debug.log

-@load base/protocols/rdp
+@load frameworks/analyzer/debug-logging.zeek
+@load base/protocols/rdp
--- a/testing/btest/scripts/base/protocols/rdp/rdp-no-cookie-msthash.zeek
+++ b/testing/btest/scripts/base/protocols/rdp/rdp-no-cookie-msthash.zeek
@ -4,7 +4,6 @@
 # @TEST-EXEC: btest-diff rdp.log
 # @TEST-EXEC: btest-diff ssl.log
 # @TEST-EXEC: test ! -f analyzer.log
-# @TEST-EXEC: test ! -f dpd.log

@load base/protocols/rdp
@load base/protocols/ssl
--- a/testing/btest/scripts/base/protocols/smb/smb1-OSS-fuzz-54883.test
+++ b/testing/btest/scripts/base/protocols/smb/smb1-OSS-fuzz-54883.test
@ -1,8 +1,9 @@
 #@TEST-EXEC: zeek -b -C -r $TRACES/smb/smb1-OSS-fuzz-54883.pcap %INPUT
-#@TEST-EXEC: btest-diff analyzer.log
+#@TEST-EXEC: btest-diff analyzer_debug.log
 #@TEST-EXEC: ! test -f reporter.log

@load base/protocols/smb
+@load frameworks/analyzer/debug-logging.zeek

 # The traffic generated by OSS Fuzz is broken to the extreme, ensure
 # the analyzer isn't disabled so the original scripting issue triggers.
--- a/testing/btest/scripts/base/protocols/smb/smb2-read-write.zeek
+++ b/testing/btest/scripts/base/protocols/smb/smb2-read-write.zeek
@ -1,7 +1,7 @@
 # @TEST-EXEC: zeek -C -r $TRACES/smb/smb2readwrite.pcap %INPUT
 # @TEST-EXEC: btest-diff smb_files.log
 # @TEST-EXEC: btest-diff files.log
-# @TEST-EXEC: test ! -f dpd.log
+# @TEST-EXEC: test ! -f analyzer.log

@load base/protocols/smb

--- a/testing/btest/scripts/base/protocols/smb/smb2.test
+++ b/testing/btest/scripts/base/protocols/smb/smb2.test
@ -2,7 +2,7 @@
 # @TEST-EXEC: btest-diff smb_files.log
 # @TEST-EXEC: btest-diff smb_mapping.log
 # @TEST-EXEC: btest-diff files.log
-# @TEST-EXEC: test ! -f dpd.log
+# @TEST-EXEC: test ! -f analyzer.log
 # @TEST-EXEC: test ! -f weird.log
 # @TEST-EXEC: btest-diff .stdout

--- a/testing/btest/scripts/base/protocols/smb/smb3-multichannel.test
+++ b/testing/btest/scripts/base/protocols/smb/smb3-multichannel.test
@ -1,6 +1,6 @@
 # @TEST-EXEC: zeek -b -r $TRACES/smb/smb3_multichannel.pcap %INPUT
 # @TEST-EXEC: btest-diff smb_files.log
-# @TEST-EXEC: test ! -f dpd.log
+# @TEST-EXEC: test ! -f analyzer.log
 # @TEST-EXEC: test ! -f weird.log

@load base/protocols/smb
--- a/testing/btest/scripts/base/protocols/smb/smb3.test
+++ b/testing/btest/scripts/base/protocols/smb/smb3.test
@ -1,6 +1,6 @@
 # @TEST-EXEC: zeek -r $TRACES/smb/smb3.pcap %INPUT
 # @TEST-EXEC: btest-diff smb_mapping.log
-# @TEST-EXEC: test ! -f dpd.log
+# @TEST-EXEC: test ! -f analyzer.log
 # @TEST-EXEC: test ! -f weird.log
 # @TEST-EXEC: btest-diff .stdout

--- a/testing/btest/scripts/base/protocols/smb/smb311.test
+++ b/testing/btest/scripts/base/protocols/smb/smb311.test
@ -1,5 +1,5 @@
 # @TEST-EXEC: zeek -b -C -r $TRACES/smb/smb311.pcap %INPUT
-# @TEST-EXEC: test ! -f dpd.log
+# @TEST-EXEC: test ! -f analyzer.log
 # @TEST-EXEC: test ! -f weird.log
 # @TEST-EXEC: btest-diff .stdout

--- a/testing/btest/scripts/base/protocols/ssh/half-duplex-client.zeek
+++ b/testing/btest/scripts/base/protocols/ssh/half-duplex-client.zeek
@ -2,7 +2,10 @@
 # analyzer.log output.

 # @TEST-EXEC: zeek -r $TRACES/ssh/ssh.client-side-half-duplex.pcap %INPUT
-# @TEST-EXEC: btest-diff analyzer.log
+# @TEST-EXEC: btest-diff analyzer_debug.log
 # @TEST-EXEC: btest-diff ssh.log
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff .stdout
+
+@load frameworks/analyzer/debug-logging.zeek
+
--- a/testing/btest/scripts/base/protocols/ssh/half-duplex-server.zeek
+++ b/testing/btest/scripts/base/protocols/ssh/half-duplex-server.zeek
@ -2,7 +2,9 @@
 # analyzer.log output.

 # @TEST-EXEC: zeek -r $TRACES/ssh/ssh.server-side-half-duplex.pcap %INPUT
-# @TEST-EXEC: btest-diff analyzer.log
+# @TEST-EXEC: btest-diff analyzer_debug.log
 # @TEST-EXEC: btest-diff ssh.log
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff .stdout
+
+@load frameworks/analyzer/debug-logging.zeek
--- a/testing/btest/scripts/base/protocols/ssh/http-port-22.test
+++ b/testing/btest/scripts/base/protocols/ssh/http-port-22.test
@ -4,4 +4,7 @@
 # @TEST-EXEC: test ! -f ssh.log
 # @TEST-EXEC: btest-diff http.log
 # @TEST-EXEC: btest-diff conn.log
-# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-abspath | $SCRIPTS/diff-remove-timestamps" btest-diff analyzer.log
+# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-abspath | $SCRIPTS/diff-remove-timestamps" btest-diff analyzer_debug.log
+
+@load frameworks/analyzer/debug-logging.zeek
+
--- a/testing/btest/scripts/base/protocols/ssl/basic.test
+++ b/testing/btest/scripts/base/protocols/ssl/basic.test
@ -3,5 +3,5 @@
 # @TEST-EXEC: zeek -r $TRACES/tls/tls-conn-with-extensions.trace %INPUT
 # @TEST-EXEC: btest-diff ssl.log
 # @TEST-EXEC: btest-diff x509.log
-# @TEST-EXEC: test ! -f dpd.log
+# @TEST-EXEC: test ! -f analyzer.log
 # @TEST-EXEC: test ! -f files.log
--- a/testing/btest/scripts/base/protocols/ssl/dtls-13.test
+++ b/testing/btest/scripts/base/protocols/ssl/dtls-13.test
@ -8,7 +8,7 @@
 # @TEST-EXEC: cat ssl.log >> ssl-all.log
 # @TEST-EXEC: btest-diff ssl-all.log
 # @TEST-EXEC: btest-diff .stdout
-# @TEST-EXEC: test ! -f dpd.log
+# @TEST-EXEC: test ! -f analyzer.log

 event ssl_client_hello(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec)
 	{
--- a/testing/btest/scripts/base/protocols/ssl/dtls-stun-dpd.test
+++ b/testing/btest/scripts/base/protocols/ssl/dtls-stun-dpd.test
@ -1,8 +1,8 @@
 # @TEST-REQUIRES: ! have-spicy-ssl  # DTLS is not supported in Spicy SSL yet
 # @TEST-EXEC: zeek -b -r $TRACES/tls/webrtc-stun.pcap %INPUT
 # @TEST-EXEC: btest-diff ssl.log
-# @TEST-EXEC: touch dpd.log
-# @TEST-EXEC: btest-diff dpd.log
+# @TEST-EXEC: touch analyzer.log
+# @TEST-EXEC: btest-diff analyzer.log
 # @TEST-EXEC: btest-diff .stdout

@load base/protocols/ssl
--- a/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test
+++ b/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test
@ -9,7 +9,7 @@
 #
 # @TEST-EXEC: zeek -r $TRACES/tls/signed_certificate_timestamp_tls1_0.pcap %INPUT
 # @TEST-EXEC: btest-diff .stdout
-# @TEST-EXEC: test ! -f dpd.log
+# @TEST-EXEC: test ! -f analyzer.log

 redef SSL::ct_logs += {
 ["\x68\xf6\x98\xf8\x1f\x64\x82\xbe\x3a\x8c\xee\xb9\x28\x1d\x4c\xfc\x71\x51\x5d\x67\x93\xd4\x44\xd1\x0a\x67\xac\xbb\x4f\x4f\xfb\xc4"] = SSL::CTInfo($description="Google 'Aviator' log", $operator="Google", $url="ct.googleapis.com/aviator/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd7\xf4\xcc\x69\xb2\xe4\x0e\x90\xa3\x8a\xea\x5a\x70\x09\x4f\xef\x13\x62\xd0\x8d\x49\x60\xff\x1b\x40\x50\x07\x0c\x6d\x71\x86\xda\x25\x49\x8d\x65\xe1\x08\x0d\x47\x34\x6b\xbd\x27\xbc\x96\x21\x3e\x34\xf5\x87\x76\x31\xb1\x7f\x1d\xc9\x85\x3b\x0d\xf7\x1f\x3f\xe9"),
--- a/testing/btest/scripts/base/protocols/ssl/tls-protocol-violation.test
+++ b/testing/btest/scripts/base/protocols/ssl/tls-protocol-violation.test
@ -1,5 +1,5 @@
 # This tests that no error messages are output when a protocol violation occurs

 # @TEST-EXEC: zeek -C -r $TRACES/tls/tls1.2-protocol-violation.pcap %INPUT
-# @TEST-EXEC: test -f dpd.log
+# @TEST-EXEC: test -f analyzer.log
 # @TEST-EXEC: btest-diff .stderr
--- a/testing/btest/scripts/base/protocols/ssl/tls1_1.test
+++ b/testing/btest/scripts/base/protocols/ssl/tls1_1.test
@ -3,7 +3,7 @@
 # @TEST-EXEC: zeek -b -r $TRACES/tls/tls1_1.pcap %INPUT
 # @TEST-EXEC: btest-diff ssl.log
 # @TEST-EXEC: btest-diff x509.log
-# @TEST-EXEC: test ! -f dpd.log
+# @TEST-EXEC: test ! -f analyzer.log

@load base/protocols/ssl
@load base/files/x509