diff --git a/CHANGES b/CHANGES
index 6bbbadddfb..062c95db55 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,19 @@
+5.2.0-dev.427 | 2022-12-13 11:37:47 +0100
+
+ * logging: Add event_groups to Stream (Arne Welzel, Corelight)
+
+ This commit adds an optional event_groups field to the Logging::Stream record
+ to associated event groups with logging streams.
+
+ This can be used to disable all event groups of a logging stream when it is
+ disabled. It does require making an explicit connection between the
+ logging stream and the involved groups, however.
+
+ * zeek.bif: Add has_event_group() / has_module_events() (Arne Welzel, Corelight)
+
+ Introduce helpers to determine if a given attribute or module event
+ group exists given a string.
+
5.2.0-dev.422 | 2022-12-09 16:07:47 +0100
* maintenance updates for -O C++ (Vern Paxson, Corelight)
diff --git a/NEWS b/NEWS
index 75918b49f4..286f5f8cbd 100644
--- a/NEWS
+++ b/NEWS
@@ -127,6 +127,12 @@ New Functionality
implemented in a given module can be toggled with ``disable_module_events()``
and ``enable_module_events()``.
+- Extend the ``Logging::Stream`` record with an ``event_groups`` field and
+ toggle these during ``Log::disable_stream`` and ``Log::enable_stream``
+ invocations. This allows for explicit/manual opt-in performance optimizations
+ by turning off event handlers at runtime that are only needed for log
+ generation.
+
- On Linux, the AF_PACKET packet source plugin (https://github.com/zeek/zeek-af_packet-plugin)
is included as builtin plugin by default. To select this packet source, prefix
the interface name with ``af_packet``.
diff --git a/VERSION b/VERSION
index 6337aeaa1f..4aa473bc34 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-5.2.0-dev.422
+5.2.0-dev.427
diff --git a/scripts/base/frameworks/logging/main.zeek b/scripts/base/frameworks/logging/main.zeek
index c8ce19848a..1629bcb4c0 100644
--- a/scripts/base/frameworks/logging/main.zeek
+++ b/scripts/base/frameworks/logging/main.zeek
@@ -373,6 +373,21 @@ export {
## New Filters created for this stream will inherit
## this policy hook, unless they provide their own.
policy: PolicyHook &optional;
+
+ ## Event groups associated with this stream that are disabled
+ ## when :zeek:see:`Log::disable_stream` is invoked and
+ ## re-enabled during :zeek:see:`Log::enable_stream`.
+ ##
+ ## This field can be used to short-circuit event handlers that
+ ## are solely responsible for logging functionality at runtime
+ ## when a log stream is disabled.
+ ##
+ ## This field allows for both, attribute event groups and module
+ ## event groups. If the given group names exists as attribute
+ ## or module or either event group, they are disabled when the
+ ## log stream is disabled and enabled when the stream is
+ ## enabled again.
+ event_groups: set[string] &default=set();
};
## Sentinel value for indicating that a filter was not found when looked up.
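Review bot: The doc comment on `event_groups` does not say that disabling a listed group stops every handler in that group, not only the ones that write this log. A module group that also holds detection or notice handlers, or a group that another stream depends on, would therefore go quiet whenever this stream is disabled. I would state the constraint in the field docs, e.g. `## Only list groups whose handlers exist solely to feed this stream; every handler in a listed group stops running while the stream is disabled.` The sentence beginning "If the given group names exists as attribute or module or either event group" is also hard to parse; `## If a given name exists as an attribute event group, a module event group, or both, ...` reads more clearly. The record definition starts above this hunk.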
@@ -733,6 +748,19 @@ function remove_stream(id: ID) : bool
function disable_stream(id: ID) : bool
{
delete active_streams[id];
+
+ if ( id in all_streams )
+ {
+ for ( group in all_streams[id]$event_groups )
+ {
+ if ( has_module_events(group) )
+ disable_module_events(group);
+
+ if ( has_event_group(group) )
+ disable_event_group(group);
+ }
+ }
+
return __disable_stream(id);
}
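Review bot: A name in `event_groups` that matches neither `has_module_events()` nor `has_event_group()` is skipped silently in the loop added to `disable_stream`, so a misspelled group leaves its handlers running with no hint to the operator. The matching loop in `enable_stream` in the next hunk has the same blind spot. Consider reporting the mismatch, for example `if ( ! has_module_events(group) && ! has_event_group(group) ) Reporter::warning(fmt("unknown event group %s for stream %s", group, id));`, assuming the reporter BiFs are usable from the logging framework at this point. The groups are also toggled before `__disable_stream(id)` is called and regardless of its result; a short comment saying that this is intended would help.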
@@ -742,7 +770,17 @@ function enable_stream(id: ID) : bool
return F;
if ( id in all_streams )
+ {
active_streams[id] = all_streams[id];
+ for ( group in all_streams[id]$event_groups )
+ {
+ if ( has_module_events(group) )
+ enable_module_events(group);
+
+ if ( has_event_group(group) )
+ enable_event_group(group);
+ }
+ }
return T;
}
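Review bot: The loop added to `enable_stream` turns every listed group back on unconditionally, so a group that was disabled on purpose elsewhere is re-enabled as a side effect. That covers a direct `disable_event_group()` call as well as another stream that lists the same group and is still disabled. Nothing in this hunk tracks who disabled a group. If sharing groups between streams is not supported, the `event_groups` documentation should say so; otherwise a per-group count of disabled streams would be needed before re-enabling. The start of `enable_stream` lies outside the hunk.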
diff --git a/src/zeek.bif b/src/zeek.bif
index 636dd35067..a42fc45ee2 100644
--- a/src/zeek.bif
+++ b/src/zeek.bif
@@ -5631,6 +5631,10 @@ static bool disable_event_group(zeek::EventGroupKind kind, const char *group)
return true;
}
+static bool has_event_group(zeek::EventGroupKind kind, const char *group)
+ {
+ return zeek::event_registry->LookupGroup(kind, group) != nullptr;
+ }
%%}
## Enabled the given event group.
@@ -5640,7 +5644,8 @@ static bool disable_event_group(zeek::EventGroupKind kind, const char *group)
##
## group: The group to enable.
##
-## .. zeek:see:: disable_event_group
+## .. zeek:see:: enable_event_group disable_event_group has_event_group
+## enable_module_events disable_module_events has_module_events
function enable_event_group%(group: string%) : bool
%{
return zeek::val_mgr->Bool(enable_event_group(zeek::EventGroupKind::Attribute,
@@ -5654,13 +5659,26 @@ function enable_event_group%(group: string%) : bool
##
## group: The group to disable.
##
-## .. zeek:see:: enable_event_group
+## .. zeek:see:: enable_event_group disable_event_group has_event_group
+## enable_module_events disable_module_events has_module_events
function disable_event_group%(group: string%) : bool
%{
return zeek::val_mgr->Bool(disable_event_group(zeek::EventGroupKind::Attribute,
group->CheckString()));
%}
+## Does an attribute event group with this name exist?
+##
+## group: The group name.
+##
+## .. zeek:see:: enable_event_group disable_event_group has_event_group
+## enable_module_events disable_module_events has_module_events
+function has_event_group%(group: string%) : bool
+ %{
+ return zeek::val_mgr->Bool(has_event_group(zeek::EventGroupKind::Attribute,
+ group->CheckString()));
+ %}
+
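Review bot: The docstring of the new `has_event_group` BiF has no `Returns:` line, so the generated reference does not say what T and F mean. Suggest adding `## Returns: T if an attribute event group named *group* exists, F otherwise.` above the `.. zeek:see::` block. The see-list also names `has_event_group` itself, which is harmless but redundant.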
## Enable all event handlers and hooks in the given module.
##
## All event handlers and hooks defined in the given module will be enabled
@@ -5668,7 +5686,8 @@ function disable_event_group%(group: string%) : bool
##
## module_name: The module to enable.
##
-## .. zeek:see:: disable_module_events enable_event_group disable_event_group
+## .. zeek:see:: enable_event_group disable_event_group has_event_group
+## enable_module_events disable_module_events has_module_events
function enable_module_events%(module_name: string%) : bool
%{
return zeek::val_mgr->Bool(enable_event_group(zeek::EventGroupKind::Module,
@@ -5681,9 +5700,22 @@ function enable_module_events%(module_name: string%) : bool
##
## module_name: The module to disable.
##
-## .. zeek:see:: enable_module_events enable_event_group disable_event_group
+## .. zeek:see:: enable_event_group disable_event_group has_event_group
+## enable_module_events disable_module_events has_module_events
function disable_module_events%(module_name: string%) : bool
%{
return zeek::val_mgr->Bool(disable_event_group(zeek::EventGroupKind::Module,
module_name->CheckString()));
%}
+
+## Does a module event group with this name exist?
+##
+## group: The group name.
+##
+## .. zeek:see:: enable_event_group disable_event_group has_event_group
+## enable_module_events disable_module_events has_module_events
+function has_module_events%(group: string%) : bool
+ %{
+ return zeek::val_mgr->Bool(has_event_group(zeek::EventGroupKind::Module,
+ group->CheckString()));
+ %}
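Review bot: `has_module_events` names its parameter `group`, while `enable_module_events` and `disable_module_events` just above use `module_name`, and its doc line says "The group name." for what is a module name. For consistency I would write `function has_module_events%(module_name: string%) : bool` with `module_name->CheckString()` in the body and `## module_name: The module to look up.` in the docs. A `## Returns:` line stating when T is returned is missing here as well.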
diff --git a/testing/btest/Baseline/core.event-groups.existence/output b/testing/btest/Baseline/core.event-groups.existence/output
new file mode 100644
index 0000000000..93112d5f70
--- /dev/null
+++ b/testing/btest/Baseline/core.event-groups.existence/output
@@ -0,0 +1,6 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+PASS: eg: has test-my-protocol (T == T)
+PASS: eg: has not test-my-protocol-nope (F == F)
+PASS: eg: has not eg TestMyProtocol::Logging (F == F)
+PASS: me: has TestMyProtocol::Logging (T == T)
+PASS: me: has not test-my-protocol (F == F)
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index 8d2e000f01..3ad9df3716 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -242,55 +242,55 @@
0.000000 MetaHookPost CallFunction(Log::__add_filter, , (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, path=weird, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=])) ->
0.000000 MetaHookPost CallFunction(Log::__add_filter, , (X509::LOG, [name=default, writer=Log::WRITER_ASCII, path=x509, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=])) ->
0.000000 MetaHookPost CallFunction(Log::__add_filter, , (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, path=mysql, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Broker::LOG, [columns=Broker::Info, ev=, path=broker, policy=Broker::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Cluster::LOG, [columns=Cluster::Info, ev=, path=cluster, policy=Cluster::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Config::LOG, [columns=Config::Info, ev=Config::log_config, path=config, policy=Config::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Conn::LOG, [columns=Conn::Info, ev=Conn::log_conn, path=conn, policy=Conn::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (DCE_RPC::LOG, [columns=DCE_RPC::Info, ev=, path=dce_rpc, policy=DCE_RPC::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (DHCP::LOG, [columns=DHCP::Info, ev=DHCP::log_dhcp, path=dhcp, policy=DHCP::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (DNP3::LOG, [columns=DNP3::Info, ev=DNP3::log_dnp3, path=dnp3, policy=DNP3::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (DNS::LOG, [columns=DNS::Info, ev=DNS::log_dns, path=dns, policy=DNS::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (DPD::LOG, [columns=DPD::Info, ev=, path=dpd, policy=DPD::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (FTP::LOG, [columns=FTP::Info, ev=FTP::log_ftp, path=ftp, policy=FTP::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files, policy=Files::log_policy{ if ((F == X509::log_x509_in_files_log) && (X509 in X509::rec$analyzers)) break }])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http, policy=HTTP::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (IRC::LOG, [columns=IRC::Info, ev=IRC::irc_log, path=irc, policy=IRC::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Intel::LOG, [columns=Intel::Info, ev=Intel::log_intel, path=intel, policy=Intel::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (KRB::LOG, [columns=KRB::Info, ev=KRB::log_krb, path=kerberos, policy=KRB::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (MQTT::CONNECT_LOG, [columns=MQTT::ConnectInfo, ev=MQTT::log_mqtt, path=mqtt_connect, policy=MQTT::log_policy_connect])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (MQTT::PUBLISH_LOG, [columns=MQTT::PublishInfo, ev=, path=mqtt_publish, policy=MQTT::log_policy_publish])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (MQTT::SUBSCRIBE_LOG, [columns=MQTT::SubscribeInfo, ev=, path=mqtt_subscribe, policy=MQTT::log_policy_subscribe])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Modbus::LOG, [columns=Modbus::Info, ev=Modbus::log_modbus, path=modbus, policy=Modbus::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (NTLM::LOG, [columns=NTLM::Info, ev=, path=ntlm, policy=NTLM::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (NTP::LOG, [columns=NTP::Info, ev=NTP::log_ntp, path=ntp, policy=NTP::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (NetControl::DROP_LOG, [columns=NetControl::DropInfo, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop, policy=NetControl::log_policy_drop])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (NetControl::LOG, [columns=NetControl::Info, ev=NetControl::log_netcontrol, path=netcontrol, policy=NetControl::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (NetControl::SHUNT, [columns=NetControl::ShuntInfo, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt, policy=NetControl::log_policy_shunt])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Notice::ALARM_LOG, [columns=Notice::Info, ev=, path=notice_alarm, policy=Notice::log_policy_alarm])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice, policy=Notice::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (OCSP::LOG, [columns=OCSP::Info, ev=OCSP::log_ocsp, path=ocsp, policy=OCSP::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (OpenFlow::LOG, [columns=OpenFlow::Info, ev=OpenFlow::log_openflow, path=openflow, policy=OpenFlow::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (PE::LOG, [columns=PE::Info, ev=PE::log_pe, path=pe, policy=PE::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (PacketFilter::LOG, [columns=PacketFilter::Info, ev=, path=packet_filter, policy=PacketFilter::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (RADIUS::LOG, [columns=RADIUS::Info, ev=RADIUS::log_radius, path=radius, policy=RADIUS::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (RDP::LOG, [columns=RDP::Info, ev=RDP::log_rdp, path=rdp, policy=RDP::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (RFB::LOG, [columns=RFB::Info, ev=RFB::log_rfb, path=rfb, policy=RFB::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Reporter::LOG, [columns=Reporter::Info, ev=, path=reporter, policy=Reporter::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SIP::LOG, [columns=SIP::Info, ev=SIP::log_sip, path=sip, policy=SIP::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SMB::FILES_LOG, [columns=SMB::FileInfo, ev=, path=smb_files, policy=SMB::log_policy_files])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SMB::MAPPING_LOG, [columns=SMB::TreeInfo, ev=, path=smb_mapping, policy=SMB::log_policy_mapping])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SMTP::LOG, [columns=SMTP::Info, ev=SMTP::log_smtp, path=smtp, policy=SMTP::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SNMP::LOG, [columns=SNMP::Info, ev=SNMP::log_snmp, path=snmp, policy=SNMP::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SOCKS::LOG, [columns=SOCKS::Info, ev=SOCKS::log_socks, path=socks, policy=SOCKS::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SSH::LOG, [columns=SSH::Info, ev=SSH::log_ssh, path=ssh, policy=SSH::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SSL::LOG, [columns=SSL::Info, ev=SSL::log_ssl, path=ssl, policy=SSL::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Signatures::LOG, [columns=Signatures::Info, ev=Signatures::log_signature, path=signatures, policy=Signatures::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Software::LOG, [columns=Software::Info, ev=Software::log_software, path=software, policy=Software::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Syslog::LOG, [columns=Syslog::Info, ev=, path=syslog, policy=Syslog::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Tunnel::LOG, [columns=Tunnel::Info, ev=, path=tunnel, policy=Tunnel::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509, policy=X509::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql, policy=MySQL::log_policy])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Broker::LOG, [columns=Broker::Info, ev=, path=broker, policy=Broker::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Cluster::LOG, [columns=Cluster::Info, ev=, path=cluster, policy=Cluster::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Config::LOG, [columns=Config::Info, ev=Config::log_config, path=config, policy=Config::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Conn::LOG, [columns=Conn::Info, ev=Conn::log_conn, path=conn, policy=Conn::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (DCE_RPC::LOG, [columns=DCE_RPC::Info, ev=, path=dce_rpc, policy=DCE_RPC::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (DHCP::LOG, [columns=DHCP::Info, ev=DHCP::log_dhcp, path=dhcp, policy=DHCP::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (DNP3::LOG, [columns=DNP3::Info, ev=DNP3::log_dnp3, path=dnp3, policy=DNP3::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (DNS::LOG, [columns=DNS::Info, ev=DNS::log_dns, path=dns, policy=DNS::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (DPD::LOG, [columns=DPD::Info, ev=, path=dpd, policy=DPD::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (FTP::LOG, [columns=FTP::Info, ev=FTP::log_ftp, path=ftp, policy=FTP::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files, policy=Files::log_policy{ if ((F == X509::log_x509_in_files_log) && (X509 in X509::rec$analyzers)) break }, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http, policy=HTTP::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (IRC::LOG, [columns=IRC::Info, ev=IRC::irc_log, path=irc, policy=IRC::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Intel::LOG, [columns=Intel::Info, ev=Intel::log_intel, path=intel, policy=Intel::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (KRB::LOG, [columns=KRB::Info, ev=KRB::log_krb, path=kerberos, policy=KRB::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (MQTT::CONNECT_LOG, [columns=MQTT::ConnectInfo, ev=MQTT::log_mqtt, path=mqtt_connect, policy=MQTT::log_policy_connect, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (MQTT::PUBLISH_LOG, [columns=MQTT::PublishInfo, ev=, path=mqtt_publish, policy=MQTT::log_policy_publish, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (MQTT::SUBSCRIBE_LOG, [columns=MQTT::SubscribeInfo, ev=, path=mqtt_subscribe, policy=MQTT::log_policy_subscribe, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Modbus::LOG, [columns=Modbus::Info, ev=Modbus::log_modbus, path=modbus, policy=Modbus::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (NTLM::LOG, [columns=NTLM::Info, ev=, path=ntlm, policy=NTLM::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (NTP::LOG, [columns=NTP::Info, ev=NTP::log_ntp, path=ntp, policy=NTP::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (NetControl::DROP_LOG, [columns=NetControl::DropInfo, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop, policy=NetControl::log_policy_drop, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (NetControl::LOG, [columns=NetControl::Info, ev=NetControl::log_netcontrol, path=netcontrol, policy=NetControl::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (NetControl::SHUNT, [columns=NetControl::ShuntInfo, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt, policy=NetControl::log_policy_shunt, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Notice::ALARM_LOG, [columns=Notice::Info, ev=, path=notice_alarm, policy=Notice::log_policy_alarm, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice, policy=Notice::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (OCSP::LOG, [columns=OCSP::Info, ev=OCSP::log_ocsp, path=ocsp, policy=OCSP::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (OpenFlow::LOG, [columns=OpenFlow::Info, ev=OpenFlow::log_openflow, path=openflow, policy=OpenFlow::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (PE::LOG, [columns=PE::Info, ev=PE::log_pe, path=pe, policy=PE::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (PacketFilter::LOG, [columns=PacketFilter::Info, ev=, path=packet_filter, policy=PacketFilter::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (RADIUS::LOG, [columns=RADIUS::Info, ev=RADIUS::log_radius, path=radius, policy=RADIUS::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (RDP::LOG, [columns=RDP::Info, ev=RDP::log_rdp, path=rdp, policy=RDP::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (RFB::LOG, [columns=RFB::Info, ev=RFB::log_rfb, path=rfb, policy=RFB::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Reporter::LOG, [columns=Reporter::Info, ev=, path=reporter, policy=Reporter::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SIP::LOG, [columns=SIP::Info, ev=SIP::log_sip, path=sip, policy=SIP::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SMB::FILES_LOG, [columns=SMB::FileInfo, ev=, path=smb_files, policy=SMB::log_policy_files, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SMB::MAPPING_LOG, [columns=SMB::TreeInfo, ev=, path=smb_mapping, policy=SMB::log_policy_mapping, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SMTP::LOG, [columns=SMTP::Info, ev=SMTP::log_smtp, path=smtp, policy=SMTP::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SNMP::LOG, [columns=SNMP::Info, ev=SNMP::log_snmp, path=snmp, policy=SNMP::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SOCKS::LOG, [columns=SOCKS::Info, ev=SOCKS::log_socks, path=socks, policy=SOCKS::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SSH::LOG, [columns=SSH::Info, ev=SSH::log_ssh, path=ssh, policy=SSH::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SSL::LOG, [columns=SSL::Info, ev=SSL::log_ssl, path=ssl, policy=SSL::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Signatures::LOG, [columns=Signatures::Info, ev=Signatures::log_signature, path=signatures, policy=Signatures::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Software::LOG, [columns=Software::Info, ev=Software::log_software, path=software, policy=Software::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Syslog::LOG, [columns=Syslog::Info, ev=, path=syslog, policy=Syslog::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Tunnel::LOG, [columns=Tunnel::Info, ev=, path=tunnel, policy=Tunnel::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509, policy=X509::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql, policy=MySQL::log_policy, event_groups={}])) ->
0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T, failure_reason=])) ->
0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Broker::LOG)) ->
0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) ->
@@ -440,55 +440,55 @@
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Weird::LOG, default)) ->
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (X509::LOG, default)) ->
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (mysql::LOG, default)) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (Broker::LOG, [columns=Broker::Info, ev=, path=broker, policy=Broker::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (Cluster::LOG, [columns=Cluster::Info, ev=, path=cluster, policy=Cluster::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (Config::LOG, [columns=Config::Info, ev=Config::log_config, path=config, policy=Config::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (Conn::LOG, [columns=Conn::Info, ev=Conn::log_conn, path=conn, policy=Conn::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (DCE_RPC::LOG, [columns=DCE_RPC::Info, ev=, path=dce_rpc, policy=DCE_RPC::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (DHCP::LOG, [columns=DHCP::Info, ev=DHCP::log_dhcp, path=dhcp, policy=DHCP::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (DNP3::LOG, [columns=DNP3::Info, ev=DNP3::log_dnp3, path=dnp3, policy=DNP3::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (DNS::LOG, [columns=DNS::Info, ev=DNS::log_dns, path=dns, policy=DNS::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (DPD::LOG, [columns=DPD::Info, ev=, path=dpd, policy=DPD::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (FTP::LOG, [columns=FTP::Info, ev=FTP::log_ftp, path=ftp, policy=FTP::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files, policy=Files::log_policy{ if ((F == X509::log_x509_in_files_log) && (X509 in X509::rec$analyzers)) break }])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http, policy=HTTP::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (IRC::LOG, [columns=IRC::Info, ev=IRC::irc_log, path=irc, policy=IRC::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (Intel::LOG, [columns=Intel::Info, ev=Intel::log_intel, path=intel, policy=Intel::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (KRB::LOG, [columns=KRB::Info, ev=KRB::log_krb, path=kerberos, policy=KRB::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (MQTT::CONNECT_LOG, [columns=MQTT::ConnectInfo, ev=MQTT::log_mqtt, path=mqtt_connect, policy=MQTT::log_policy_connect])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (MQTT::PUBLISH_LOG, [columns=MQTT::PublishInfo, ev=, path=mqtt_publish, policy=MQTT::log_policy_publish])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (MQTT::SUBSCRIBE_LOG, [columns=MQTT::SubscribeInfo, ev=, path=mqtt_subscribe, policy=MQTT::log_policy_subscribe])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (Modbus::LOG, [columns=Modbus::Info, ev=Modbus::log_modbus, path=modbus, policy=Modbus::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (NTLM::LOG, [columns=NTLM::Info, ev=, path=ntlm, policy=NTLM::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (NTP::LOG, [columns=NTP::Info, ev=NTP::log_ntp, path=ntp, policy=NTP::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (NetControl::DROP_LOG, [columns=NetControl::DropInfo, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop, policy=NetControl::log_policy_drop])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (NetControl::LOG, [columns=NetControl::Info, ev=NetControl::log_netcontrol, path=netcontrol, policy=NetControl::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (NetControl::SHUNT, [columns=NetControl::ShuntInfo, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt, policy=NetControl::log_policy_shunt])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (Notice::ALARM_LOG, [columns=Notice::Info, ev=, path=notice_alarm, policy=Notice::log_policy_alarm])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice, policy=Notice::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (OCSP::LOG, [columns=OCSP::Info, ev=OCSP::log_ocsp, path=ocsp, policy=OCSP::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (OpenFlow::LOG, [columns=OpenFlow::Info, ev=OpenFlow::log_openflow, path=openflow, policy=OpenFlow::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (PE::LOG, [columns=PE::Info, ev=PE::log_pe, path=pe, policy=PE::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (PacketFilter::LOG, [columns=PacketFilter::Info, ev=, path=packet_filter, policy=PacketFilter::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (RADIUS::LOG, [columns=RADIUS::Info, ev=RADIUS::log_radius, path=radius, policy=RADIUS::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (RDP::LOG, [columns=RDP::Info, ev=RDP::log_rdp, path=rdp, policy=RDP::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (RFB::LOG, [columns=RFB::Info, ev=RFB::log_rfb, path=rfb, policy=RFB::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (Reporter::LOG, [columns=Reporter::Info, ev=, path=reporter, policy=Reporter::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (SIP::LOG, [columns=SIP::Info, ev=SIP::log_sip, path=sip, policy=SIP::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (SMB::FILES_LOG, [columns=SMB::FileInfo, ev=, path=smb_files, policy=SMB::log_policy_files])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (SMB::MAPPING_LOG, [columns=SMB::TreeInfo, ev=, path=smb_mapping, policy=SMB::log_policy_mapping])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (SMTP::LOG, [columns=SMTP::Info, ev=SMTP::log_smtp, path=smtp, policy=SMTP::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (SNMP::LOG, [columns=SNMP::Info, ev=SNMP::log_snmp, path=snmp, policy=SNMP::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (SOCKS::LOG, [columns=SOCKS::Info, ev=SOCKS::log_socks, path=socks, policy=SOCKS::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (SSH::LOG, [columns=SSH::Info, ev=SSH::log_ssh, path=ssh, policy=SSH::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (SSL::LOG, [columns=SSL::Info, ev=SSL::log_ssl, path=ssl, policy=SSL::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (Signatures::LOG, [columns=Signatures::Info, ev=Signatures::log_signature, path=signatures, policy=Signatures::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (Software::LOG, [columns=Software::Info, ev=Software::log_software, path=software, policy=Software::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (Syslog::LOG, [columns=Syslog::Info, ev=, path=syslog, policy=Syslog::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (Tunnel::LOG, [columns=Tunnel::Info, ev=, path=tunnel, policy=Tunnel::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509, policy=X509::log_policy])) ->
-0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql, policy=MySQL::log_policy])) ->
+0.000000 MetaHookPost CallFunction(Log::create_stream, , (Broker::LOG, [columns=Broker::Info, ev=, path=broker, policy=Broker::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::create_stream, , (Cluster::LOG, [columns=Cluster::Info, ev=, path=cluster, policy=Cluster::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::create_stream, , (Config::LOG, [columns=Config::Info, ev=Config::log_config, path=config, policy=Config::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::create_stream, , (Conn::LOG, [columns=Conn::Info, ev=Conn::log_conn, path=conn, policy=Conn::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::create_stream, , (DCE_RPC::LOG, [columns=DCE_RPC::Info, ev=, path=dce_rpc, policy=DCE_RPC::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::create_stream, , (DHCP::LOG, [columns=DHCP::Info, ev=DHCP::log_dhcp, path=dhcp, policy=DHCP::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::create_stream, , (DNP3::LOG, [columns=DNP3::Info, ev=DNP3::log_dnp3, path=dnp3, policy=DNP3::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::create_stream, , (DNS::LOG, [columns=DNS::Info, ev=DNS::log_dns, path=dns, policy=DNS::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::create_stream, , (DPD::LOG, [columns=DPD::Info, ev=, path=dpd, policy=DPD::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::create_stream, , (FTP::LOG, [columns=FTP::Info, ev=FTP::log_ftp, path=ftp, policy=FTP::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::create_stream, , (Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files, policy=Files::log_policy{ if ((F == X509::log_x509_in_files_log) && (X509 in X509::rec$analyzers)) break }, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::create_stream, , (HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http, policy=HTTP::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::create_stream, , (IRC::LOG, [columns=IRC::Info, ev=IRC::irc_log, path=irc, policy=IRC::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::create_stream, , (Intel::LOG, [columns=Intel::Info, ev=Intel::log_intel, path=intel, policy=Intel::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::create_stream, , (KRB::LOG, [columns=KRB::Info, ev=KRB::log_krb, path=kerberos, policy=KRB::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::create_stream, , (MQTT::CONNECT_LOG, [columns=MQTT::ConnectInfo, ev=MQTT::log_mqtt, path=mqtt_connect, policy=MQTT::log_policy_connect, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::create_stream, , (MQTT::PUBLISH_LOG, [columns=MQTT::PublishInfo, ev=, path=mqtt_publish, policy=MQTT::log_policy_publish, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::create_stream, , (MQTT::SUBSCRIBE_LOG, [columns=MQTT::SubscribeInfo, ev=, path=mqtt_subscribe, policy=MQTT::log_policy_subscribe, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::create_stream, , (Modbus::LOG, [columns=Modbus::Info, ev=Modbus::log_modbus, path=modbus, policy=Modbus::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::create_stream, , (NTLM::LOG, [columns=NTLM::Info, ev=, path=ntlm, policy=NTLM::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::create_stream, , (NTP::LOG, [columns=NTP::Info, ev=NTP::log_ntp, path=ntp, policy=NTP::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::create_stream, , (NetControl::DROP_LOG, [columns=NetControl::DropInfo, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop, policy=NetControl::log_policy_drop, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::create_stream, , (NetControl::LOG, [columns=NetControl::Info, ev=NetControl::log_netcontrol, path=netcontrol, policy=NetControl::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::create_stream, , (NetControl::SHUNT, [columns=NetControl::ShuntInfo, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt, policy=NetControl::log_policy_shunt, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::create_stream, , (Notice::ALARM_LOG, [columns=Notice::Info, ev=, path=notice_alarm, policy=Notice::log_policy_alarm, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::create_stream, , (Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice, policy=Notice::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::create_stream, , (OCSP::LOG, [columns=OCSP::Info, ev=OCSP::log_ocsp, path=ocsp, policy=OCSP::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::create_stream, , (OpenFlow::LOG, [columns=OpenFlow::Info, ev=OpenFlow::log_openflow, path=openflow, policy=OpenFlow::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::create_stream, , (PE::LOG, [columns=PE::Info, ev=PE::log_pe, path=pe, policy=PE::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::create_stream, , (PacketFilter::LOG, [columns=PacketFilter::Info, ev=, path=packet_filter, policy=PacketFilter::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::create_stream, , (RADIUS::LOG, [columns=RADIUS::Info, ev=RADIUS::log_radius, path=radius, policy=RADIUS::log_policy, event_groups={}])) ->
+0.000000 MetaHookPost CallFunction(Log::create_stream,