From ba4b8faea26ff1efe371320f8dd7b854daf07509 Mon Sep 17 00:00:00 2001 From: Arne Welzel Date: Wed, 7 Dec 2022 10:52:27 +0100 Subject: [PATCH 1/3] zeek.bif: Add has_event_group() / has_module_events() Introduce helpers to determine if a given attribute or module event group exists given a string. --- src/zeek.bif | 40 +++++++++++++++++-- .../core.event-groups.existence/output | 6 +++ .../btest/core/event-groups/existence.zeek | 31 ++++++++++++++ 3 files changed, 73 insertions(+), 4 deletions(-) create mode 100644 testing/btest/Baseline/core.event-groups.existence/output create mode 100644 testing/btest/core/event-groups/existence.zeek diff --git a/src/zeek.bif b/src/zeek.bif index 636dd35067..a42fc45ee2 100644 --- a/src/zeek.bif +++ b/src/zeek.bif @@ -5631,6 +5631,10 @@ static bool disable_event_group(zeek::EventGroupKind kind, const char *group) return true; } +static bool has_event_group(zeek::EventGroupKind kind, const char *group) + { + return zeek::event_registry->LookupGroup(kind, group) != nullptr; + } %%} ## Enabled the given event group. @@ -5640,7 +5644,8 @@ static bool disable_event_group(zeek::EventGroupKind kind, const char *group) ## ## group: The group to enable. ## -## .. zeek:see:: disable_event_group +## .. zeek:see:: enable_event_group disable_event_group has_event_group +## enable_module_events disable_module_events has_module_events function enable_event_group%(group: string%) : bool %{ return zeek::val_mgr->Bool(enable_event_group(zeek::EventGroupKind::Attribute, 
@@ -5654,13 +5659,26 @@ function enable_event_group%(group: string%) : bool ## ## group: The group to disable. ## -## .. zeek:see:: enable_event_group +## .. zeek:see:: enable_event_group disable_event_group has_event_group +## enable_module_events disable_module_events has_module_events function disable_event_group%(group: string%) : bool %{ return zeek::val_mgr->Bool(disable_event_group(zeek::EventGroupKind::Attribute, group->CheckString())); %} +## Does an attribute event group with this name exist? +## +## group: The group name. +## +## .. zeek:see:: enable_event_group disable_event_group has_event_group +## enable_module_events disable_module_events has_module_events +function has_event_group%(group: string%) : bool + %{ + return zeek::val_mgr->Bool(has_event_group(zeek::EventGroupKind::Attribute, + group->CheckString())); + %} + ## Enable all event handlers and hooks in the given module. ## ## All event handlers and hooks defined in the given module will be enabled @@ -5668,7 +5686,8 @@ function disable_event_group%(group: string%) : bool ## ## module_name: The module to enable. ## -## .. zeek:see:: disable_module_events enable_event_group disable_event_group +## .. zeek:see:: enable_event_group disable_event_group has_event_group +## enable_module_events disable_module_events has_module_events function enable_module_events%(module_name: string%) : bool %{ return zeek::val_mgr->Bool(enable_event_group(zeek::EventGroupKind::Module, 
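Review bot: The doc block for `has_event_group` never says what the function returns, although the body visibly maps a registry lookup to a boolean; add `## Returns: T if an attribute event group named *group* is registered, F otherwise.` ahead of the `.. zeek:see::` entry. The `.. zeek:see::` list pasted into this hunk also names the function it is attached to (`has_event_group` under `has_event_group`), so the rendered docs will carry a self-link; dropping the current function from each list keeps the cross-references useful. The `enable_event_group` and `enable_module_events` definitions touched by the neighbouring hunks on this line start or end outside their hunks.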
@@ -5681,9 +5700,22 @@ function enable_module_events%(module_name: string%) : bool
 ##
 ## module_name: The module to disable.
 ##
-## .. zeek:see:: enable_module_events enable_event_group disable_event_group
+## .. zeek:see:: enable_event_group disable_event_group has_event_group
+## enable_module_events disable_module_events has_module_events
 function disable_module_events%(module_name: string%) : bool
 %{
 return zeek::val_mgr->Bool(disable_event_group(zeek::EventGroupKind::Module,
 module_name->CheckString()));
 %}
+
+## Does a module event group with this name exist?
+
+## group: The group name.
+
+## .. zeek:see:: enable_event_group disable_event_group has_event_group
+## enable_module_events disable_module_events has_module_events
+function has_module_events%(group: string%) : bool
+ %{
+ return zeek::val_mgr->Bool(has_event_group(zeek::EventGroupKind::Module,
+ group->CheckString()));
+ %}
diff --git a/testing/btest/Baseline/core.event-groups.existence/output b/testing/btest/Baseline/core.event-groups.existence/output
new file mode 100644
index 0000000000..93112d5f70
--- /dev/null
+++ b/testing/btest/Baseline/core.event-groups.existence/output
@@ -0,0 +1,6 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+PASS: eg: has test-my-protocol (T == T)
+PASS: eg: has not test-my-protocol-nope (F == F)
+PASS: eg: has not eg TestMyProtocol::Logging (F == F)
+PASS: me: has TestMyProtocol::Logging (T == T)
+PASS: me: has not test-my-protocol (F == F)
diff --git a/testing/btest/core/event-groups/existence.zeek b/testing/btest/core/event-groups/existence.zeek
new file mode 100644
index 0000000000..e201e8d1cf
--- /dev/null
+++ b/testing/btest/core/event-groups/existence.zeek
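Review bot: The doc block of `has_module_events` is not one contiguous `##` comment: the hunk inserts bare blank lines between `+## Does a module event group with this name exist?`, `+## group: The group name.` and the `+## .. zeek:see::` entry, whereas the attribute variant added just above uses `+##` continuation lines; unless bifcl/Zeekygen tolerates gaps (I have not checked), only the last fragment is attached to the function. Replace each bare blank line with `##` so the three fragments form a single doc comment. Independently, the parameter is called `group` and documented as `## group: The group name.` while the siblings `enable_module_events`/`disable_module_events` take `module_name`; renaming it to `function has_module_events%(module_name: string%) : bool`, `## module_name: The module name.` and `module_name->CheckString()));` keeps the generated documentation consistent. It would also help to state when a module group exists at all — from the existence test it appears to require at least one event handler or hook in that module, which should be confirmed against the registry code outside this patch.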
@@ -0,0 +1,31 @@
+# @TEST-DOC: Test for has_module_events and has_event_group
+# @TEST-EXEC: zeek -b %INPUT > output
+# @TEST-EXEC: btest-diff output
+
+module TestMyProtocol::Logging;
+
+event http_request(c: connection, method: string, original_URI: string,
+ unescaped_URI: string, version: string) {}
+
+module TestMyProtocol;
+
+event http_request(c: connection, method: string, original_URI: string,
+ unescaped_URI: string, version: string) &group="test-my-protocol" {}
+
+module Test;
+
+function assert_expected(msg: string, expected: bool, actual: bool)
+ {
+ local prefix = expected == actual ? "PASS" : "FAIL";
+ print fmt("%s: %s (%s == %s)", prefix, msg, expected, actual);
+ }
+
+event zeek_init()
+ {
+ assert_expected("eg: has test-my-protocol", T, has_event_group("test-my-protocol"));
+ assert_expected("eg: has not test-my-protocol-nope", F, has_event_group("test-my-protocol-nope"));
+ assert_expected("eg: has not eg TestMyProtocol::Logging", F, has_event_group("TestMyProtocol::Logging"));
+
+ assert_expected("me: has TestMyProtocol::Logging", T, has_module_events("TestMyProtocol::Logging"));
+ assert_expected("me: has not test-my-protocol", F, has_module_events("test-my-protocol"));
+ }
From a0aa00fa8178c3d7f8a879ea7276361765938e28 Mon Sep 17 00:00:00 2001
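Review bot: The assertions in `zeek_init` only cover names that are clearly registered or clearly unknown; they do not pin what `has_module_events` reports for a module that is declared but contains no event handler or hook, nor what either function reports for an empty string, and those are the cases a caller guarding `disable_module_events` is most likely to hit. Consider adding a handler-free module to the script and asserting on it, e.g. `module TestNoHandlers;` followed by a plain function definition and `assert_expected("me: has not TestNoHandlers", F, has_module_events("TestNoHandlers"));`, plus `assert_expected("eg: has not empty", F, has_event_group(""));`. The expected `F` values are my reading of the lookup-based implementation and should be confirmed when the baseline is regenerated.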
From: Arne Welzel Date: Thu, 17 Nov 2022 18:04:59 +0100 Subject: [PATCH 2/3] logging: Add event_groups to Stream This commit adds an optional event_groups field to the Logging::Stream record to associated event groups with logging streams. This can be used to disable all event groups of a logging stream when it is disabled. It does require making an explicit connection between the logging stream and the involved groups, however. --- NEWS | 6 + scripts/base/frameworks/logging/main.zeek | 38 ++ testing/btest/Baseline/plugins.hooks/output | 588 +++++++++--------- .../output | 49 ++ .../packet.log | 19 + .../logging/event-groups-integration.zeek | 75 +++ 6 files changed, 481 insertions(+), 294 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.frameworks.logging.event-groups-integration/output create mode 100644 testing/btest/Baseline/scripts.base.frameworks.logging.event-groups-integration/packet.log create mode 100644 testing/btest/scripts/base/frameworks/logging/event-groups-integration.zeek diff --git a/NEWS b/NEWS index 75918b49f4..286f5f8cbd 100644 --- a/NEWS +++ b/NEWS @@ -127,6 +127,12 @@ New Functionality implemented in a given module can be toggled with ``disable_module_events()`` and ``enable_module_events()``. +- Extend the ``Logging::Stream`` record with an ``event_groups`` field and + toggle these during ``Log::disable_stream`` and ``Log::enable_stream`` + invocations. This allows for explicit/manual opt-in performance optimizations + by turning off event handlers at runtime that are only needed for log + generation. + - On Linux, the AF_PACKET packet source plugin (https://github.com/zeek/zeek-af_packet-plugin) is included as builtin plugin by default. To select this packet source, prefix the interface name with ``af_packet``. diff --git a/scripts/base/frameworks/logging/main.zeek b/scripts/base/frameworks/logging/main.zeek index c8ce19848a..1629bcb4c0 100644 --- a/scripts/base/frameworks/logging/main.zeek 
+++ b/scripts/base/frameworks/logging/main.zeek @@ -373,6 +373,21 @@ export { ## New Filters created for this stream will inherit ## this policy hook, unless they provide their own. policy: PolicyHook &optional; + + ## Event groups associated with this stream that are disabled + ## when :zeek:see:`Log::disable_stream` is invoked and + ## re-enabled during :zeek:see:`Log::enable_stream`. + ## + ## This field can be used to short-circuit event handlers that + ## are solely responsible for logging functionality at runtime + ## when a log stream is disabled. + ## + ## This field allows for both, attribute event groups and module + ## event groups. If the given group names exists as attribute + ## or module or either event group, they are disabled when the + ## log stream is disabled and enabled when the stream is + ## enabled again. + event_groups: set[string] &default=set(); }; ## Sentinel value for indicating that a filter was not found when looked up. @@ -733,6 +748,19 @@ function remove_stream(id: ID) : bool function disable_stream(id: ID) : bool { delete active_streams[id]; + + if ( id in all_streams ) + { + for ( group in all_streams[id]$event_groups ) + { + if ( has_module_events(group) ) + disable_module_events(group); + + if ( has_event_group(group) ) + disable_event_group(group); + } + } + return __disable_stream(id); } @@ -742,7 +770,17 @@ function enable_stream(id: ID) : bool return F; if ( id in all_streams ) + { active_streams[id] = all_streams[id]; + for ( group in all_streams[id]$event_groups ) + { + if ( has_module_events(group) ) + enable_module_events(group); + + if ( has_event_group(group) ) + enable_event_group(group); + } + } return T; } diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 8d2e000f01..3ad9df3716 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output 
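Review bot: The toggling added to `disable_stream` and `enable_stream` is global and not reference-counted: the loop in `disable_stream` calls `disable_module_events`/`disable_event_group` for every name in `event_groups` regardless of whether another still-active stream lists the same group, and the loop in `enable_stream` unconditionally re-enables each group, which also undoes a `disable_event_group` an operator applied directly. A module group moreover covers every handler and hook in that module (per the `enable_module_events` documentation), not just the ones feeding this log, so listing a module on a stream can silently switch off detection logic that lives next to the logging code. Both effects follow from the two loops and belong on the field; I would extend its docstring with `## Toggling is global and not reference-counted: a group listed on several streams is disabled as soon as any one of them is disabled, and re-enabled by the next enable_stream call.` The field documentation's `If the given group names exists as attribute or module or either event group` should also read `If a given name exists as an attribute event group, a module event group, or both, it is disabled ...`. The `enable_stream` definition starts before its hunk; the visible `return F;` is context only.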
@@ -242,55 +242,55 @@ 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, path=weird, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (X509::LOG, [name=default, writer=Log::WRITER_ASCII, path=x509, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, path=mysql, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Broker::LOG, [columns=Broker::Info, ev=, path=broker, policy=Broker::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Cluster::LOG, [columns=Cluster::Info, ev=, path=cluster, policy=Cluster::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Config::LOG, [columns=Config::Info, ev=Config::log_config, path=config, policy=Config::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Conn::LOG, [columns=Conn::Info, ev=Conn::log_conn, path=conn, policy=Conn::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (DCE_RPC::LOG, [columns=DCE_RPC::Info, ev=, path=dce_rpc, policy=DCE_RPC::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (DHCP::LOG, [columns=DHCP::Info, ev=DHCP::log_dhcp, path=dhcp, policy=DHCP::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (DNP3::LOG, [columns=DNP3::Info, 
ev=DNP3::log_dnp3, path=dnp3, policy=DNP3::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (DNS::LOG, [columns=DNS::Info, ev=DNS::log_dns, path=dns, policy=DNS::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (DPD::LOG, [columns=DPD::Info, ev=, path=dpd, policy=DPD::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (FTP::LOG, [columns=FTP::Info, ev=FTP::log_ftp, path=ftp, policy=FTP::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files, policy=Files::log_policy{ if ((F == X509::log_x509_in_files_log) && (X509 in X509::rec$analyzers)) break }])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http, policy=HTTP::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (IRC::LOG, [columns=IRC::Info, ev=IRC::irc_log, path=irc, policy=IRC::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Intel::LOG, [columns=Intel::Info, ev=Intel::log_intel, path=intel, policy=Intel::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (KRB::LOG, [columns=KRB::Info, ev=KRB::log_krb, path=kerberos, policy=KRB::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (MQTT::CONNECT_LOG, [columns=MQTT::ConnectInfo, ev=MQTT::log_mqtt, path=mqtt_connect, policy=MQTT::log_policy_connect])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (MQTT::PUBLISH_LOG, [columns=MQTT::PublishInfo, ev=, path=mqtt_publish, policy=MQTT::log_policy_publish])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (MQTT::SUBSCRIBE_LOG, [columns=MQTT::SubscribeInfo, ev=, path=mqtt_subscribe, policy=MQTT::log_policy_subscribe])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Modbus::LOG, [columns=Modbus::Info, ev=Modbus::log_modbus, 
path=modbus, policy=Modbus::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (NTLM::LOG, [columns=NTLM::Info, ev=, path=ntlm, policy=NTLM::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (NTP::LOG, [columns=NTP::Info, ev=NTP::log_ntp, path=ntp, policy=NTP::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (NetControl::DROP_LOG, [columns=NetControl::DropInfo, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop, policy=NetControl::log_policy_drop])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (NetControl::LOG, [columns=NetControl::Info, ev=NetControl::log_netcontrol, path=netcontrol, policy=NetControl::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (NetControl::SHUNT, [columns=NetControl::ShuntInfo, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt, policy=NetControl::log_policy_shunt])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Notice::ALARM_LOG, [columns=Notice::Info, ev=, path=notice_alarm, policy=Notice::log_policy_alarm])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice, policy=Notice::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (OCSP::LOG, [columns=OCSP::Info, ev=OCSP::log_ocsp, path=ocsp, policy=OCSP::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (OpenFlow::LOG, [columns=OpenFlow::Info, ev=OpenFlow::log_openflow, path=openflow, policy=OpenFlow::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (PE::LOG, [columns=PE::Info, ev=PE::log_pe, path=pe, policy=PE::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (PacketFilter::LOG, [columns=PacketFilter::Info, ev=, path=packet_filter, policy=PacketFilter::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (RADIUS::LOG, 
[columns=RADIUS::Info, ev=RADIUS::log_radius, path=radius, policy=RADIUS::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (RDP::LOG, [columns=RDP::Info, ev=RDP::log_rdp, path=rdp, policy=RDP::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (RFB::LOG, [columns=RFB::Info, ev=RFB::log_rfb, path=rfb, policy=RFB::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Reporter::LOG, [columns=Reporter::Info, ev=, path=reporter, policy=Reporter::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SIP::LOG, [columns=SIP::Info, ev=SIP::log_sip, path=sip, policy=SIP::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SMB::FILES_LOG, [columns=SMB::FileInfo, ev=, path=smb_files, policy=SMB::log_policy_files])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SMB::MAPPING_LOG, [columns=SMB::TreeInfo, ev=, path=smb_mapping, policy=SMB::log_policy_mapping])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SMTP::LOG, [columns=SMTP::Info, ev=SMTP::log_smtp, path=smtp, policy=SMTP::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SNMP::LOG, [columns=SNMP::Info, ev=SNMP::log_snmp, path=snmp, policy=SNMP::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SOCKS::LOG, [columns=SOCKS::Info, ev=SOCKS::log_socks, path=socks, policy=SOCKS::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SSH::LOG, [columns=SSH::Info, ev=SSH::log_ssh, path=ssh, policy=SSH::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SSL::LOG, [columns=SSL::Info, ev=SSL::log_ssl, path=ssl, policy=SSL::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Signatures::LOG, [columns=Signatures::Info, ev=Signatures::log_signature, path=signatures, policy=Signatures::log_policy])) -> -0.000000 MetaHookPost 
CallFunction(Log::__create_stream, , (Software::LOG, [columns=Software::Info, ev=Software::log_software, path=software, policy=Software::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Syslog::LOG, [columns=Syslog::Info, ev=, path=syslog, policy=Syslog::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Tunnel::LOG, [columns=Tunnel::Info, ev=, path=tunnel, policy=Tunnel::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509, policy=X509::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql, policy=MySQL::log_policy])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Broker::LOG, [columns=Broker::Info, ev=, path=broker, policy=Broker::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Cluster::LOG, [columns=Cluster::Info, ev=, path=cluster, policy=Cluster::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Config::LOG, [columns=Config::Info, ev=Config::log_config, path=config, policy=Config::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Conn::LOG, [columns=Conn::Info, ev=Conn::log_conn, path=conn, policy=Conn::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (DCE_RPC::LOG, [columns=DCE_RPC::Info, ev=, path=dce_rpc, policy=DCE_RPC::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (DHCP::LOG, [columns=DHCP::Info, ev=DHCP::log_dhcp, path=dhcp, policy=DHCP::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, 
, (DNP3::LOG, [columns=DNP3::Info, ev=DNP3::log_dnp3, path=dnp3, policy=DNP3::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (DNS::LOG, [columns=DNS::Info, ev=DNS::log_dns, path=dns, policy=DNS::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (DPD::LOG, [columns=DPD::Info, ev=, path=dpd, policy=DPD::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (FTP::LOG, [columns=FTP::Info, ev=FTP::log_ftp, path=ftp, policy=FTP::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files, policy=Files::log_policy{ if ((F == X509::log_x509_in_files_log) && (X509 in X509::rec$analyzers)) break }, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http, policy=HTTP::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (IRC::LOG, [columns=IRC::Info, ev=IRC::irc_log, path=irc, policy=IRC::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Intel::LOG, [columns=Intel::Info, ev=Intel::log_intel, path=intel, policy=Intel::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (KRB::LOG, [columns=KRB::Info, ev=KRB::log_krb, path=kerberos, policy=KRB::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (MQTT::CONNECT_LOG, [columns=MQTT::ConnectInfo, ev=MQTT::log_mqtt, path=mqtt_connect, policy=MQTT::log_policy_connect, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (MQTT::PUBLISH_LOG, [columns=MQTT::PublishInfo, ev=, path=mqtt_publish, policy=MQTT::log_policy_publish, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (MQTT::SUBSCRIBE_LOG, 
[columns=MQTT::SubscribeInfo, ev=, path=mqtt_subscribe, policy=MQTT::log_policy_subscribe, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Modbus::LOG, [columns=Modbus::Info, ev=Modbus::log_modbus, path=modbus, policy=Modbus::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (NTLM::LOG, [columns=NTLM::Info, ev=, path=ntlm, policy=NTLM::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (NTP::LOG, [columns=NTP::Info, ev=NTP::log_ntp, path=ntp, policy=NTP::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (NetControl::DROP_LOG, [columns=NetControl::DropInfo, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop, policy=NetControl::log_policy_drop, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (NetControl::LOG, [columns=NetControl::Info, ev=NetControl::log_netcontrol, path=netcontrol, policy=NetControl::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (NetControl::SHUNT, [columns=NetControl::ShuntInfo, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt, policy=NetControl::log_policy_shunt, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Notice::ALARM_LOG, [columns=Notice::Info, ev=, path=notice_alarm, policy=Notice::log_policy_alarm, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice, policy=Notice::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (OCSP::LOG, [columns=OCSP::Info, ev=OCSP::log_ocsp, path=ocsp, policy=OCSP::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (OpenFlow::LOG, [columns=OpenFlow::Info, ev=OpenFlow::log_openflow, path=openflow, policy=OpenFlow::log_policy, 
event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (PE::LOG, [columns=PE::Info, ev=PE::log_pe, path=pe, policy=PE::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (PacketFilter::LOG, [columns=PacketFilter::Info, ev=, path=packet_filter, policy=PacketFilter::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (RADIUS::LOG, [columns=RADIUS::Info, ev=RADIUS::log_radius, path=radius, policy=RADIUS::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (RDP::LOG, [columns=RDP::Info, ev=RDP::log_rdp, path=rdp, policy=RDP::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (RFB::LOG, [columns=RFB::Info, ev=RFB::log_rfb, path=rfb, policy=RFB::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Reporter::LOG, [columns=Reporter::Info, ev=, path=reporter, policy=Reporter::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SIP::LOG, [columns=SIP::Info, ev=SIP::log_sip, path=sip, policy=SIP::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SMB::FILES_LOG, [columns=SMB::FileInfo, ev=, path=smb_files, policy=SMB::log_policy_files, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SMB::MAPPING_LOG, [columns=SMB::TreeInfo, ev=, path=smb_mapping, policy=SMB::log_policy_mapping, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SMTP::LOG, [columns=SMTP::Info, ev=SMTP::log_smtp, path=smtp, policy=SMTP::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SNMP::LOG, [columns=SNMP::Info, ev=SNMP::log_snmp, path=snmp, policy=SNMP::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SOCKS::LOG, 
[columns=SOCKS::Info, ev=SOCKS::log_socks, path=socks, policy=SOCKS::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SSH::LOG, [columns=SSH::Info, ev=SSH::log_ssh, path=ssh, policy=SSH::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SSL::LOG, [columns=SSL::Info, ev=SSL::log_ssl, path=ssl, policy=SSL::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Signatures::LOG, [columns=Signatures::Info, ev=Signatures::log_signature, path=signatures, policy=Signatures::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Software::LOG, [columns=Software::Info, ev=Software::log_software, path=software, policy=Software::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Syslog::LOG, [columns=Syslog::Info, ev=, path=syslog, policy=Syslog::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Tunnel::LOG, [columns=Tunnel::Info, ev=, path=tunnel, policy=Tunnel::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509, policy=X509::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql, policy=MySQL::log_policy, event_groups={}])) -> 0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T, failure_reason=])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Broker::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , 
(Cluster::LOG)) -> 
@@ -440,55 +440,55 @@ 0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Weird::LOG, default)) -> 0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (X509::LOG, default)) -> 0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (mysql::LOG, default)) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (Broker::LOG, [columns=Broker::Info, ev=, path=broker, policy=Broker::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (Cluster::LOG, [columns=Cluster::Info, ev=, path=cluster, policy=Cluster::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (Config::LOG, [columns=Config::Info, ev=Config::log_config, path=config, policy=Config::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (Conn::LOG, [columns=Conn::Info, ev=Conn::log_conn, path=conn, policy=Conn::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (DCE_RPC::LOG, [columns=DCE_RPC::Info, ev=, path=dce_rpc, policy=DCE_RPC::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (DHCP::LOG, [columns=DHCP::Info, ev=DHCP::log_dhcp, path=dhcp, policy=DHCP::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (DNP3::LOG, [columns=DNP3::Info, ev=DNP3::log_dnp3, path=dnp3, policy=DNP3::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (DNS::LOG, [columns=DNS::Info, ev=DNS::log_dns, path=dns, policy=DNS::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (DPD::LOG, [columns=DPD::Info, ev=, path=dpd, policy=DPD::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (FTP::LOG, [columns=FTP::Info, ev=FTP::log_ftp, path=ftp, policy=FTP::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files, policy=Files::log_policy{ if ((F == X509::log_x509_in_files_log) && (X509 in X509::rec$analyzers)) break 
}])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http, policy=HTTP::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (IRC::LOG, [columns=IRC::Info, ev=IRC::irc_log, path=irc, policy=IRC::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (Intel::LOG, [columns=Intel::Info, ev=Intel::log_intel, path=intel, policy=Intel::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (KRB::LOG, [columns=KRB::Info, ev=KRB::log_krb, path=kerberos, policy=KRB::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (MQTT::CONNECT_LOG, [columns=MQTT::ConnectInfo, ev=MQTT::log_mqtt, path=mqtt_connect, policy=MQTT::log_policy_connect])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (MQTT::PUBLISH_LOG, [columns=MQTT::PublishInfo, ev=, path=mqtt_publish, policy=MQTT::log_policy_publish])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (MQTT::SUBSCRIBE_LOG, [columns=MQTT::SubscribeInfo, ev=, path=mqtt_subscribe, policy=MQTT::log_policy_subscribe])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (Modbus::LOG, [columns=Modbus::Info, ev=Modbus::log_modbus, path=modbus, policy=Modbus::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (NTLM::LOG, [columns=NTLM::Info, ev=, path=ntlm, policy=NTLM::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (NTP::LOG, [columns=NTP::Info, ev=NTP::log_ntp, path=ntp, policy=NTP::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (NetControl::DROP_LOG, [columns=NetControl::DropInfo, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop, policy=NetControl::log_policy_drop])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (NetControl::LOG, [columns=NetControl::Info, ev=NetControl::log_netcontrol, path=netcontrol, policy=NetControl::log_policy])) -> -0.000000 
MetaHookPost CallFunction(Log::create_stream, , (NetControl::SHUNT, [columns=NetControl::ShuntInfo, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt, policy=NetControl::log_policy_shunt])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (Notice::ALARM_LOG, [columns=Notice::Info, ev=, path=notice_alarm, policy=Notice::log_policy_alarm])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice, policy=Notice::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (OCSP::LOG, [columns=OCSP::Info, ev=OCSP::log_ocsp, path=ocsp, policy=OCSP::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (OpenFlow::LOG, [columns=OpenFlow::Info, ev=OpenFlow::log_openflow, path=openflow, policy=OpenFlow::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (PE::LOG, [columns=PE::Info, ev=PE::log_pe, path=pe, policy=PE::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (PacketFilter::LOG, [columns=PacketFilter::Info, ev=, path=packet_filter, policy=PacketFilter::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (RADIUS::LOG, [columns=RADIUS::Info, ev=RADIUS::log_radius, path=radius, policy=RADIUS::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (RDP::LOG, [columns=RDP::Info, ev=RDP::log_rdp, path=rdp, policy=RDP::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (RFB::LOG, [columns=RFB::Info, ev=RFB::log_rfb, path=rfb, policy=RFB::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (Reporter::LOG, [columns=Reporter::Info, ev=, path=reporter, policy=Reporter::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (SIP::LOG, [columns=SIP::Info, ev=SIP::log_sip, path=sip, policy=SIP::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (SMB::FILES_LOG, 
[columns=SMB::FileInfo, ev=, path=smb_files, policy=SMB::log_policy_files])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (SMB::MAPPING_LOG, [columns=SMB::TreeInfo, ev=, path=smb_mapping, policy=SMB::log_policy_mapping])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (SMTP::LOG, [columns=SMTP::Info, ev=SMTP::log_smtp, path=smtp, policy=SMTP::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (SNMP::LOG, [columns=SNMP::Info, ev=SNMP::log_snmp, path=snmp, policy=SNMP::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (SOCKS::LOG, [columns=SOCKS::Info, ev=SOCKS::log_socks, path=socks, policy=SOCKS::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (SSH::LOG, [columns=SSH::Info, ev=SSH::log_ssh, path=ssh, policy=SSH::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (SSL::LOG, [columns=SSL::Info, ev=SSL::log_ssl, path=ssl, policy=SSL::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (Signatures::LOG, [columns=Signatures::Info, ev=Signatures::log_signature, path=signatures, policy=Signatures::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (Software::LOG, [columns=Software::Info, ev=Software::log_software, path=software, policy=Software::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (Syslog::LOG, [columns=Syslog::Info, ev=, path=syslog, policy=Syslog::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (Tunnel::LOG, [columns=Tunnel::Info, ev=, path=tunnel, policy=Tunnel::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509, policy=X509::log_policy])) -> -0.000000 MetaHookPost 
CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql, policy=MySQL::log_policy])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (Broker::LOG, [columns=Broker::Info, ev=, path=broker, policy=Broker::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (Cluster::LOG, [columns=Cluster::Info, ev=, path=cluster, policy=Cluster::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (Config::LOG, [columns=Config::Info, ev=Config::log_config, path=config, policy=Config::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (Conn::LOG, [columns=Conn::Info, ev=Conn::log_conn, path=conn, policy=Conn::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (DCE_RPC::LOG, [columns=DCE_RPC::Info, ev=, path=dce_rpc, policy=DCE_RPC::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (DHCP::LOG, [columns=DHCP::Info, ev=DHCP::log_dhcp, path=dhcp, policy=DHCP::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (DNP3::LOG, [columns=DNP3::Info, ev=DNP3::log_dnp3, path=dnp3, policy=DNP3::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (DNS::LOG, [columns=DNS::Info, ev=DNS::log_dns, path=dns, policy=DNS::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (DPD::LOG, [columns=DPD::Info, ev=, path=dpd, policy=DPD::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (FTP::LOG, [columns=FTP::Info, ev=FTP::log_ftp, path=ftp, policy=FTP::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files, policy=Files::log_policy{ if ((F == X509::log_x509_in_files_log) && (X509 in 
X509::rec$analyzers)) break }, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http, policy=HTTP::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (IRC::LOG, [columns=IRC::Info, ev=IRC::irc_log, path=irc, policy=IRC::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (Intel::LOG, [columns=Intel::Info, ev=Intel::log_intel, path=intel, policy=Intel::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (KRB::LOG, [columns=KRB::Info, ev=KRB::log_krb, path=kerberos, policy=KRB::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (MQTT::CONNECT_LOG, [columns=MQTT::ConnectInfo, ev=MQTT::log_mqtt, path=mqtt_connect, policy=MQTT::log_policy_connect, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (MQTT::PUBLISH_LOG, [columns=MQTT::PublishInfo, ev=, path=mqtt_publish, policy=MQTT::log_policy_publish, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (MQTT::SUBSCRIBE_LOG, [columns=MQTT::SubscribeInfo, ev=, path=mqtt_subscribe, policy=MQTT::log_policy_subscribe, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (Modbus::LOG, [columns=Modbus::Info, ev=Modbus::log_modbus, path=modbus, policy=Modbus::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (NTLM::LOG, [columns=NTLM::Info, ev=, path=ntlm, policy=NTLM::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (NTP::LOG, [columns=NTP::Info, ev=NTP::log_ntp, path=ntp, policy=NTP::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (NetControl::DROP_LOG, [columns=NetControl::DropInfo, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop, 
policy=NetControl::log_policy_drop, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (NetControl::LOG, [columns=NetControl::Info, ev=NetControl::log_netcontrol, path=netcontrol, policy=NetControl::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (NetControl::SHUNT, [columns=NetControl::ShuntInfo, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt, policy=NetControl::log_policy_shunt, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (Notice::ALARM_LOG, [columns=Notice::Info, ev=, path=notice_alarm, policy=Notice::log_policy_alarm, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice, policy=Notice::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (OCSP::LOG, [columns=OCSP::Info, ev=OCSP::log_ocsp, path=ocsp, policy=OCSP::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (OpenFlow::LOG, [columns=OpenFlow::Info, ev=OpenFlow::log_openflow, path=openflow, policy=OpenFlow::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (PE::LOG, [columns=PE::Info, ev=PE::log_pe, path=pe, policy=PE::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (PacketFilter::LOG, [columns=PacketFilter::Info, ev=, path=packet_filter, policy=PacketFilter::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (RADIUS::LOG, [columns=RADIUS::Info, ev=RADIUS::log_radius, path=radius, policy=RADIUS::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (RDP::LOG, [columns=RDP::Info, ev=RDP::log_rdp, path=rdp, policy=RDP::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (RFB::LOG, [columns=RFB::Info, 
ev=RFB::log_rfb, path=rfb, policy=RFB::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (Reporter::LOG, [columns=Reporter::Info, ev=, path=reporter, policy=Reporter::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (SIP::LOG, [columns=SIP::Info, ev=SIP::log_sip, path=sip, policy=SIP::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (SMB::FILES_LOG, [columns=SMB::FileInfo, ev=, path=smb_files, policy=SMB::log_policy_files, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (SMB::MAPPING_LOG, [columns=SMB::TreeInfo, ev=, path=smb_mapping, policy=SMB::log_policy_mapping, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (SMTP::LOG, [columns=SMTP::Info, ev=SMTP::log_smtp, path=smtp, policy=SMTP::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (SNMP::LOG, [columns=SNMP::Info, ev=SNMP::log_snmp, path=snmp, policy=SNMP::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (SOCKS::LOG, [columns=SOCKS::Info, ev=SOCKS::log_socks, path=socks, policy=SOCKS::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (SSH::LOG, [columns=SSH::Info, ev=SSH::log_ssh, path=ssh, policy=SSH::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (SSL::LOG, [columns=SSL::Info, ev=SSL::log_ssl, path=ssl, policy=SSL::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (Signatures::LOG, [columns=Signatures::Info, ev=Signatures::log_signature, path=signatures, policy=Signatures::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (Software::LOG, [columns=Software::Info, ev=Software::log_software, path=software, policy=Software::log_policy, event_groups={}])) -> +0.000000 
MetaHookPost CallFunction(Log::create_stream, , (Syslog::LOG, [columns=Syslog::Info, ev=, path=syslog, policy=Syslog::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (Tunnel::LOG, [columns=Tunnel::Info, ev=, path=tunnel, policy=Tunnel::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509, policy=X509::log_policy, event_groups={}])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql, policy=MySQL::log_policy, event_groups={}])) -> 0.000000 MetaHookPost CallFunction(Log::get_filter, , (SSL::LOG, default)) -> 0.000000 MetaHookPost CallFunction(Log::log_stream_policy, , ([ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T, failure_reason=], PacketFilter::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T, failure_reason=])) -> 
@@ -1781,55 +1781,55 @@ 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, path=weird, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (X509::LOG, [name=default, writer=Log::WRITER_ASCII, path=x509, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, path=mysql, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Broker::LOG, [columns=Broker::Info, ev=, path=broker, policy=Broker::log_policy])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Cluster::LOG, [columns=Cluster::Info, ev=, path=cluster, policy=Cluster::log_policy])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Config::LOG, [columns=Config::Info, ev=Config::log_config, path=config, policy=Config::log_policy])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Conn::LOG, [columns=Conn::Info, ev=Conn::log_conn, path=conn, policy=Conn::log_policy])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (DCE_RPC::LOG, [columns=DCE_RPC::Info, ev=, path=dce_rpc, policy=DCE_RPC::log_policy])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (DHCP::LOG, [columns=DHCP::Info, ev=DHCP::log_dhcp, path=dhcp, policy=DHCP::log_policy])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (DNP3::LOG, [columns=DNP3::Info, ev=DNP3::log_dnp3, path=dnp3, 
policy=DNP3::log_policy])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (DNS::LOG, [columns=DNS::Info, ev=DNS::log_dns, path=dns, policy=DNS::log_policy])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (DPD::LOG, [columns=DPD::Info, ev=, path=dpd, policy=DPD::log_policy])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (FTP::LOG, [columns=FTP::Info, ev=FTP::log_ftp, path=ftp, policy=FTP::log_policy])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files, policy=Files::log_policy{ if ((F == X509::log_x509_in_files_log) && (X509 in X509::rec$analyzers)) break }])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http, policy=HTTP::log_policy])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (IRC::LOG, [columns=IRC::Info, ev=IRC::irc_log, path=irc, policy=IRC::log_policy])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Intel::LOG, [columns=Intel::Info, ev=Intel::log_intel, path=intel, policy=Intel::log_policy])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (KRB::LOG, [columns=KRB::Info, ev=KRB::log_krb, path=kerberos, policy=KRB::log_policy])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (MQTT::CONNECT_LOG, [columns=MQTT::ConnectInfo, ev=MQTT::log_mqtt, path=mqtt_connect, policy=MQTT::log_policy_connect])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (MQTT::PUBLISH_LOG, [columns=MQTT::PublishInfo, ev=, path=mqtt_publish, policy=MQTT::log_policy_publish])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (MQTT::SUBSCRIBE_LOG, [columns=MQTT::SubscribeInfo, ev=, path=mqtt_subscribe, policy=MQTT::log_policy_subscribe])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Modbus::LOG, [columns=Modbus::Info, ev=Modbus::log_modbus, path=modbus, policy=Modbus::log_policy])) -0.000000 MetaHookPre 
CallFunction(Log::__create_stream, , (NTLM::LOG, [columns=NTLM::Info, ev=, path=ntlm, policy=NTLM::log_policy])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (NTP::LOG, [columns=NTP::Info, ev=NTP::log_ntp, path=ntp, policy=NTP::log_policy])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (NetControl::DROP_LOG, [columns=NetControl::DropInfo, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop, policy=NetControl::log_policy_drop])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (NetControl::LOG, [columns=NetControl::Info, ev=NetControl::log_netcontrol, path=netcontrol, policy=NetControl::log_policy])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (NetControl::SHUNT, [columns=NetControl::ShuntInfo, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt, policy=NetControl::log_policy_shunt])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Notice::ALARM_LOG, [columns=Notice::Info, ev=, path=notice_alarm, policy=Notice::log_policy_alarm])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice, policy=Notice::log_policy])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (OCSP::LOG, [columns=OCSP::Info, ev=OCSP::log_ocsp, path=ocsp, policy=OCSP::log_policy])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (OpenFlow::LOG, [columns=OpenFlow::Info, ev=OpenFlow::log_openflow, path=openflow, policy=OpenFlow::log_policy])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (PE::LOG, [columns=PE::Info, ev=PE::log_pe, path=pe, policy=PE::log_policy])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (PacketFilter::LOG, [columns=PacketFilter::Info, ev=, path=packet_filter, policy=PacketFilter::log_policy])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (RADIUS::LOG, [columns=RADIUS::Info, ev=RADIUS::log_radius, path=radius, policy=RADIUS::log_policy])) -0.000000 MetaHookPre 
CallFunction(Log::__create_stream, , (RDP::LOG, [columns=RDP::Info, ev=RDP::log_rdp, path=rdp, policy=RDP::log_policy])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (RFB::LOG, [columns=RFB::Info, ev=RFB::log_rfb, path=rfb, policy=RFB::log_policy])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Reporter::LOG, [columns=Reporter::Info, ev=, path=reporter, policy=Reporter::log_policy])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SIP::LOG, [columns=SIP::Info, ev=SIP::log_sip, path=sip, policy=SIP::log_policy])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SMB::FILES_LOG, [columns=SMB::FileInfo, ev=, path=smb_files, policy=SMB::log_policy_files])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SMB::MAPPING_LOG, [columns=SMB::TreeInfo, ev=, path=smb_mapping, policy=SMB::log_policy_mapping])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SMTP::LOG, [columns=SMTP::Info, ev=SMTP::log_smtp, path=smtp, policy=SMTP::log_policy])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SNMP::LOG, [columns=SNMP::Info, ev=SNMP::log_snmp, path=snmp, policy=SNMP::log_policy])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SOCKS::LOG, [columns=SOCKS::Info, ev=SOCKS::log_socks, path=socks, policy=SOCKS::log_policy])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SSH::LOG, [columns=SSH::Info, ev=SSH::log_ssh, path=ssh, policy=SSH::log_policy])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SSL::LOG, [columns=SSL::Info, ev=SSL::log_ssl, path=ssl, policy=SSL::log_policy])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Signatures::LOG, [columns=Signatures::Info, ev=Signatures::log_signature, path=signatures, policy=Signatures::log_policy])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Software::LOG, [columns=Software::Info, ev=Software::log_software, path=software, policy=Software::log_policy])) -0.000000 MetaHookPre 
CallFunction(Log::__create_stream, , (Syslog::LOG, [columns=Syslog::Info, ev=, path=syslog, policy=Syslog::log_policy])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Tunnel::LOG, [columns=Tunnel::Info, ev=, path=tunnel, policy=Tunnel::log_policy])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509, policy=X509::log_policy])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql, policy=MySQL::log_policy])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Broker::LOG, [columns=Broker::Info, ev=, path=broker, policy=Broker::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Cluster::LOG, [columns=Cluster::Info, ev=, path=cluster, policy=Cluster::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Config::LOG, [columns=Config::Info, ev=Config::log_config, path=config, policy=Config::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Conn::LOG, [columns=Conn::Info, ev=Conn::log_conn, path=conn, policy=Conn::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (DCE_RPC::LOG, [columns=DCE_RPC::Info, ev=, path=dce_rpc, policy=DCE_RPC::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (DHCP::LOG, [columns=DHCP::Info, ev=DHCP::log_dhcp, path=dhcp, policy=DHCP::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (DNP3::LOG, [columns=DNP3::Info, ev=DNP3::log_dnp3, path=dnp3, policy=DNP3::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (DNS::LOG, [columns=DNS::Info, ev=DNS::log_dns, 
path=dns, policy=DNS::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (DPD::LOG, [columns=DPD::Info, ev=, path=dpd, policy=DPD::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (FTP::LOG, [columns=FTP::Info, ev=FTP::log_ftp, path=ftp, policy=FTP::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files, policy=Files::log_policy{ if ((F == X509::log_x509_in_files_log) && (X509 in X509::rec$analyzers)) break }, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http, policy=HTTP::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (IRC::LOG, [columns=IRC::Info, ev=IRC::irc_log, path=irc, policy=IRC::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Intel::LOG, [columns=Intel::Info, ev=Intel::log_intel, path=intel, policy=Intel::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (KRB::LOG, [columns=KRB::Info, ev=KRB::log_krb, path=kerberos, policy=KRB::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (MQTT::CONNECT_LOG, [columns=MQTT::ConnectInfo, ev=MQTT::log_mqtt, path=mqtt_connect, policy=MQTT::log_policy_connect, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (MQTT::PUBLISH_LOG, [columns=MQTT::PublishInfo, ev=, path=mqtt_publish, policy=MQTT::log_policy_publish, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (MQTT::SUBSCRIBE_LOG, [columns=MQTT::SubscribeInfo, ev=, path=mqtt_subscribe, policy=MQTT::log_policy_subscribe, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Modbus::LOG, [columns=Modbus::Info, ev=Modbus::log_modbus, path=modbus, 
policy=Modbus::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (NTLM::LOG, [columns=NTLM::Info, ev=, path=ntlm, policy=NTLM::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (NTP::LOG, [columns=NTP::Info, ev=NTP::log_ntp, path=ntp, policy=NTP::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (NetControl::DROP_LOG, [columns=NetControl::DropInfo, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop, policy=NetControl::log_policy_drop, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (NetControl::LOG, [columns=NetControl::Info, ev=NetControl::log_netcontrol, path=netcontrol, policy=NetControl::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (NetControl::SHUNT, [columns=NetControl::ShuntInfo, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt, policy=NetControl::log_policy_shunt, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Notice::ALARM_LOG, [columns=Notice::Info, ev=, path=notice_alarm, policy=Notice::log_policy_alarm, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice, policy=Notice::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (OCSP::LOG, [columns=OCSP::Info, ev=OCSP::log_ocsp, path=ocsp, policy=OCSP::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (OpenFlow::LOG, [columns=OpenFlow::Info, ev=OpenFlow::log_openflow, path=openflow, policy=OpenFlow::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (PE::LOG, [columns=PE::Info, ev=PE::log_pe, path=pe, policy=PE::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (PacketFilter::LOG, [columns=PacketFilter::Info, ev=, 
path=packet_filter, policy=PacketFilter::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (RADIUS::LOG, [columns=RADIUS::Info, ev=RADIUS::log_radius, path=radius, policy=RADIUS::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (RDP::LOG, [columns=RDP::Info, ev=RDP::log_rdp, path=rdp, policy=RDP::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (RFB::LOG, [columns=RFB::Info, ev=RFB::log_rfb, path=rfb, policy=RFB::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Reporter::LOG, [columns=Reporter::Info, ev=, path=reporter, policy=Reporter::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SIP::LOG, [columns=SIP::Info, ev=SIP::log_sip, path=sip, policy=SIP::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SMB::FILES_LOG, [columns=SMB::FileInfo, ev=, path=smb_files, policy=SMB::log_policy_files, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SMB::MAPPING_LOG, [columns=SMB::TreeInfo, ev=, path=smb_mapping, policy=SMB::log_policy_mapping, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SMTP::LOG, [columns=SMTP::Info, ev=SMTP::log_smtp, path=smtp, policy=SMTP::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SNMP::LOG, [columns=SNMP::Info, ev=SNMP::log_snmp, path=snmp, policy=SNMP::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SOCKS::LOG, [columns=SOCKS::Info, ev=SOCKS::log_socks, path=socks, policy=SOCKS::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SSH::LOG, [columns=SSH::Info, ev=SSH::log_ssh, path=ssh, policy=SSH::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SSL::LOG, [columns=SSL::Info, 
ev=SSL::log_ssl, path=ssl, policy=SSL::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Signatures::LOG, [columns=Signatures::Info, ev=Signatures::log_signature, path=signatures, policy=Signatures::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Software::LOG, [columns=Software::Info, ev=Software::log_software, path=software, policy=Software::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Syslog::LOG, [columns=Syslog::Info, ev=, path=syslog, policy=Syslog::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Tunnel::LOG, [columns=Tunnel::Info, ev=, path=tunnel, policy=Tunnel::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509, policy=X509::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql, policy=MySQL::log_policy, event_groups={}])) 0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T, failure_reason=])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Broker::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 
@@ -1979,55 +1979,55 @@ 0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Weird::LOG, default)) 0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (X509::LOG, default)) 0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (mysql::LOG, default)) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (Broker::LOG, [columns=Broker::Info, ev=, path=broker, policy=Broker::log_policy])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (Cluster::LOG, [columns=Cluster::Info, ev=, path=cluster, policy=Cluster::log_policy])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (Config::LOG, [columns=Config::Info, ev=Config::log_config, path=config, policy=Config::log_policy])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (Conn::LOG, [columns=Conn::Info, ev=Conn::log_conn, path=conn, policy=Conn::log_policy])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (DCE_RPC::LOG, [columns=DCE_RPC::Info, ev=, path=dce_rpc, policy=DCE_RPC::log_policy])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (DHCP::LOG, [columns=DHCP::Info, ev=DHCP::log_dhcp, path=dhcp, policy=DHCP::log_policy])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (DNP3::LOG, [columns=DNP3::Info, ev=DNP3::log_dnp3, path=dnp3, policy=DNP3::log_policy])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (DNS::LOG, [columns=DNS::Info, ev=DNS::log_dns, path=dns, policy=DNS::log_policy])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (DPD::LOG, [columns=DPD::Info, ev=, path=dpd, policy=DPD::log_policy])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (FTP::LOG, [columns=FTP::Info, ev=FTP::log_ftp, path=ftp, policy=FTP::log_policy])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files, policy=Files::log_policy{ if ((F == X509::log_x509_in_files_log) && (X509 in X509::rec$analyzers)) break }])) -0.000000 MetaHookPre 
CallFunction(Log::create_stream, , (HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http, policy=HTTP::log_policy])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (IRC::LOG, [columns=IRC::Info, ev=IRC::irc_log, path=irc, policy=IRC::log_policy])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (Intel::LOG, [columns=Intel::Info, ev=Intel::log_intel, path=intel, policy=Intel::log_policy])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (KRB::LOG, [columns=KRB::Info, ev=KRB::log_krb, path=kerberos, policy=KRB::log_policy])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (MQTT::CONNECT_LOG, [columns=MQTT::ConnectInfo, ev=MQTT::log_mqtt, path=mqtt_connect, policy=MQTT::log_policy_connect])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (MQTT::PUBLISH_LOG, [columns=MQTT::PublishInfo, ev=, path=mqtt_publish, policy=MQTT::log_policy_publish])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (MQTT::SUBSCRIBE_LOG, [columns=MQTT::SubscribeInfo, ev=, path=mqtt_subscribe, policy=MQTT::log_policy_subscribe])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (Modbus::LOG, [columns=Modbus::Info, ev=Modbus::log_modbus, path=modbus, policy=Modbus::log_policy])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (NTLM::LOG, [columns=NTLM::Info, ev=, path=ntlm, policy=NTLM::log_policy])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (NTP::LOG, [columns=NTP::Info, ev=NTP::log_ntp, path=ntp, policy=NTP::log_policy])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (NetControl::DROP_LOG, [columns=NetControl::DropInfo, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop, policy=NetControl::log_policy_drop])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (NetControl::LOG, [columns=NetControl::Info, ev=NetControl::log_netcontrol, path=netcontrol, policy=NetControl::log_policy])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (NetControl::SHUNT, 
[columns=NetControl::ShuntInfo, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt, policy=NetControl::log_policy_shunt])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (Notice::ALARM_LOG, [columns=Notice::Info, ev=, path=notice_alarm, policy=Notice::log_policy_alarm])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice, policy=Notice::log_policy])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (OCSP::LOG, [columns=OCSP::Info, ev=OCSP::log_ocsp, path=ocsp, policy=OCSP::log_policy])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (OpenFlow::LOG, [columns=OpenFlow::Info, ev=OpenFlow::log_openflow, path=openflow, policy=OpenFlow::log_policy])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (PE::LOG, [columns=PE::Info, ev=PE::log_pe, path=pe, policy=PE::log_policy])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (PacketFilter::LOG, [columns=PacketFilter::Info, ev=, path=packet_filter, policy=PacketFilter::log_policy])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (RADIUS::LOG, [columns=RADIUS::Info, ev=RADIUS::log_radius, path=radius, policy=RADIUS::log_policy])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (RDP::LOG, [columns=RDP::Info, ev=RDP::log_rdp, path=rdp, policy=RDP::log_policy])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (RFB::LOG, [columns=RFB::Info, ev=RFB::log_rfb, path=rfb, policy=RFB::log_policy])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (Reporter::LOG, [columns=Reporter::Info, ev=, path=reporter, policy=Reporter::log_policy])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (SIP::LOG, [columns=SIP::Info, ev=SIP::log_sip, path=sip, policy=SIP::log_policy])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (SMB::FILES_LOG, [columns=SMB::FileInfo, ev=, path=smb_files, policy=SMB::log_policy_files])) -0.000000 MetaHookPre 
CallFunction(Log::create_stream, , (SMB::MAPPING_LOG, [columns=SMB::TreeInfo, ev=, path=smb_mapping, policy=SMB::log_policy_mapping])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (SMTP::LOG, [columns=SMTP::Info, ev=SMTP::log_smtp, path=smtp, policy=SMTP::log_policy])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (SNMP::LOG, [columns=SNMP::Info, ev=SNMP::log_snmp, path=snmp, policy=SNMP::log_policy])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (SOCKS::LOG, [columns=SOCKS::Info, ev=SOCKS::log_socks, path=socks, policy=SOCKS::log_policy])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (SSH::LOG, [columns=SSH::Info, ev=SSH::log_ssh, path=ssh, policy=SSH::log_policy])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (SSL::LOG, [columns=SSL::Info, ev=SSL::log_ssl, path=ssl, policy=SSL::log_policy])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (Signatures::LOG, [columns=Signatures::Info, ev=Signatures::log_signature, path=signatures, policy=Signatures::log_policy])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (Software::LOG, [columns=Software::Info, ev=Software::log_software, path=software, policy=Software::log_policy])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (Syslog::LOG, [columns=Syslog::Info, ev=, path=syslog, policy=Syslog::log_policy])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (Tunnel::LOG, [columns=Tunnel::Info, ev=, path=tunnel, policy=Tunnel::log_policy])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509, policy=X509::log_policy])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql, policy=MySQL::log_policy])) +0.000000 MetaHookPre 
CallFunction(Log::create_stream, , (Broker::LOG, [columns=Broker::Info, ev=, path=broker, policy=Broker::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (Cluster::LOG, [columns=Cluster::Info, ev=, path=cluster, policy=Cluster::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (Config::LOG, [columns=Config::Info, ev=Config::log_config, path=config, policy=Config::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (Conn::LOG, [columns=Conn::Info, ev=Conn::log_conn, path=conn, policy=Conn::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (DCE_RPC::LOG, [columns=DCE_RPC::Info, ev=, path=dce_rpc, policy=DCE_RPC::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (DHCP::LOG, [columns=DHCP::Info, ev=DHCP::log_dhcp, path=dhcp, policy=DHCP::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (DNP3::LOG, [columns=DNP3::Info, ev=DNP3::log_dnp3, path=dnp3, policy=DNP3::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (DNS::LOG, [columns=DNS::Info, ev=DNS::log_dns, path=dns, policy=DNS::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (DPD::LOG, [columns=DPD::Info, ev=, path=dpd, policy=DPD::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (FTP::LOG, [columns=FTP::Info, ev=FTP::log_ftp, path=ftp, policy=FTP::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files, policy=Files::log_policy{ if ((F == X509::log_x509_in_files_log) && (X509 in X509::rec$analyzers)) break }, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http, policy=HTTP::log_policy, 
event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (IRC::LOG, [columns=IRC::Info, ev=IRC::irc_log, path=irc, policy=IRC::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (Intel::LOG, [columns=Intel::Info, ev=Intel::log_intel, path=intel, policy=Intel::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (KRB::LOG, [columns=KRB::Info, ev=KRB::log_krb, path=kerberos, policy=KRB::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (MQTT::CONNECT_LOG, [columns=MQTT::ConnectInfo, ev=MQTT::log_mqtt, path=mqtt_connect, policy=MQTT::log_policy_connect, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (MQTT::PUBLISH_LOG, [columns=MQTT::PublishInfo, ev=, path=mqtt_publish, policy=MQTT::log_policy_publish, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (MQTT::SUBSCRIBE_LOG, [columns=MQTT::SubscribeInfo, ev=, path=mqtt_subscribe, policy=MQTT::log_policy_subscribe, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (Modbus::LOG, [columns=Modbus::Info, ev=Modbus::log_modbus, path=modbus, policy=Modbus::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (NTLM::LOG, [columns=NTLM::Info, ev=, path=ntlm, policy=NTLM::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (NTP::LOG, [columns=NTP::Info, ev=NTP::log_ntp, path=ntp, policy=NTP::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (NetControl::DROP_LOG, [columns=NetControl::DropInfo, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop, policy=NetControl::log_policy_drop, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (NetControl::LOG, [columns=NetControl::Info, ev=NetControl::log_netcontrol, path=netcontrol, policy=NetControl::log_policy, event_groups={}])) +0.000000 
MetaHookPre CallFunction(Log::create_stream, , (NetControl::SHUNT, [columns=NetControl::ShuntInfo, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt, policy=NetControl::log_policy_shunt, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (Notice::ALARM_LOG, [columns=Notice::Info, ev=, path=notice_alarm, policy=Notice::log_policy_alarm, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice, policy=Notice::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (OCSP::LOG, [columns=OCSP::Info, ev=OCSP::log_ocsp, path=ocsp, policy=OCSP::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (OpenFlow::LOG, [columns=OpenFlow::Info, ev=OpenFlow::log_openflow, path=openflow, policy=OpenFlow::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (PE::LOG, [columns=PE::Info, ev=PE::log_pe, path=pe, policy=PE::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (PacketFilter::LOG, [columns=PacketFilter::Info, ev=, path=packet_filter, policy=PacketFilter::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (RADIUS::LOG, [columns=RADIUS::Info, ev=RADIUS::log_radius, path=radius, policy=RADIUS::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (RDP::LOG, [columns=RDP::Info, ev=RDP::log_rdp, path=rdp, policy=RDP::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (RFB::LOG, [columns=RFB::Info, ev=RFB::log_rfb, path=rfb, policy=RFB::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (Reporter::LOG, [columns=Reporter::Info, ev=, path=reporter, policy=Reporter::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (SIP::LOG, [columns=SIP::Info, 
ev=SIP::log_sip, path=sip, policy=SIP::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (SMB::FILES_LOG, [columns=SMB::FileInfo, ev=, path=smb_files, policy=SMB::log_policy_files, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (SMB::MAPPING_LOG, [columns=SMB::TreeInfo, ev=, path=smb_mapping, policy=SMB::log_policy_mapping, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (SMTP::LOG, [columns=SMTP::Info, ev=SMTP::log_smtp, path=smtp, policy=SMTP::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (SNMP::LOG, [columns=SNMP::Info, ev=SNMP::log_snmp, path=snmp, policy=SNMP::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (SOCKS::LOG, [columns=SOCKS::Info, ev=SOCKS::log_socks, path=socks, policy=SOCKS::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (SSH::LOG, [columns=SSH::Info, ev=SSH::log_ssh, path=ssh, policy=SSH::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (SSL::LOG, [columns=SSL::Info, ev=SSL::log_ssl, path=ssl, policy=SSL::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (Signatures::LOG, [columns=Signatures::Info, ev=Signatures::log_signature, path=signatures, policy=Signatures::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (Software::LOG, [columns=Software::Info, ev=Software::log_software, path=software, policy=Software::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (Syslog::LOG, [columns=Syslog::Info, ev=, path=syslog, policy=Syslog::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (Tunnel::LOG, [columns=Tunnel::Info, ev=, path=tunnel, policy=Tunnel::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, 
[columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509, policy=X509::log_policy, event_groups={}])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql, policy=MySQL::log_policy, event_groups={}])) 0.000000 MetaHookPre CallFunction(Log::get_filter, , (SSL::LOG, default)) 0.000000 MetaHookPre CallFunction(Log::log_stream_policy, , ([ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T, failure_reason=], PacketFilter::LOG)) 0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T, failure_reason=])) 
@@ -3319,55 +3319,55 @@ 0.000000 | HookCallFunction Log::__add_filter(Weird::LOG, [name=default, writer=Log::WRITER_ASCII, path=weird, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=]) 0.000000 | HookCallFunction Log::__add_filter(X509::LOG, [name=default, writer=Log::WRITER_ASCII, path=x509, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=]) 0.000000 | HookCallFunction Log::__add_filter(mysql::LOG, [name=default, writer=Log::WRITER_ASCII, path=mysql, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=]) -0.000000 | HookCallFunction Log::__create_stream(Broker::LOG, [columns=Broker::Info, ev=, path=broker, policy=Broker::log_policy]) -0.000000 | HookCallFunction Log::__create_stream(Cluster::LOG, [columns=Cluster::Info, ev=, path=cluster, policy=Cluster::log_policy]) -0.000000 | HookCallFunction Log::__create_stream(Config::LOG, [columns=Config::Info, ev=Config::log_config, path=config, policy=Config::log_policy]) -0.000000 | HookCallFunction Log::__create_stream(Conn::LOG, [columns=Conn::Info, ev=Conn::log_conn, path=conn, policy=Conn::log_policy]) -0.000000 | HookCallFunction Log::__create_stream(DCE_RPC::LOG, [columns=DCE_RPC::Info, ev=, path=dce_rpc, policy=DCE_RPC::log_policy]) -0.000000 | HookCallFunction Log::__create_stream(DHCP::LOG, [columns=DHCP::Info, ev=DHCP::log_dhcp, path=dhcp, policy=DHCP::log_policy]) -0.000000 | HookCallFunction Log::__create_stream(DNP3::LOG, [columns=DNP3::Info, ev=DNP3::log_dnp3, path=dnp3, policy=DNP3::log_policy]) -0.000000 | HookCallFunction Log::__create_stream(DNS::LOG, [columns=DNS::Info, 
ev=DNS::log_dns, path=dns, policy=DNS::log_policy]) -0.000000 | HookCallFunction Log::__create_stream(DPD::LOG, [columns=DPD::Info, ev=, path=dpd, policy=DPD::log_policy]) -0.000000 | HookCallFunction Log::__create_stream(FTP::LOG, [columns=FTP::Info, ev=FTP::log_ftp, path=ftp, policy=FTP::log_policy]) -0.000000 | HookCallFunction Log::__create_stream(Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files, policy=Files::log_policy{ if ((F == X509::log_x509_in_files_log) && (X509 in X509::rec$analyzers)) break }]) -0.000000 | HookCallFunction Log::__create_stream(HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http, policy=HTTP::log_policy]) -0.000000 | HookCallFunction Log::__create_stream(IRC::LOG, [columns=IRC::Info, ev=IRC::irc_log, path=irc, policy=IRC::log_policy]) -0.000000 | HookCallFunction Log::__create_stream(Intel::LOG, [columns=Intel::Info, ev=Intel::log_intel, path=intel, policy=Intel::log_policy]) -0.000000 | HookCallFunction Log::__create_stream(KRB::LOG, [columns=KRB::Info, ev=KRB::log_krb, path=kerberos, policy=KRB::log_policy]) -0.000000 | HookCallFunction Log::__create_stream(MQTT::CONNECT_LOG, [columns=MQTT::ConnectInfo, ev=MQTT::log_mqtt, path=mqtt_connect, policy=MQTT::log_policy_connect]) -0.000000 | HookCallFunction Log::__create_stream(MQTT::PUBLISH_LOG, [columns=MQTT::PublishInfo, ev=, path=mqtt_publish, policy=MQTT::log_policy_publish]) -0.000000 | HookCallFunction Log::__create_stream(MQTT::SUBSCRIBE_LOG, [columns=MQTT::SubscribeInfo, ev=, path=mqtt_subscribe, policy=MQTT::log_policy_subscribe]) -0.000000 | HookCallFunction Log::__create_stream(Modbus::LOG, [columns=Modbus::Info, ev=Modbus::log_modbus, path=modbus, policy=Modbus::log_policy]) -0.000000 | HookCallFunction Log::__create_stream(NTLM::LOG, [columns=NTLM::Info, ev=, path=ntlm, policy=NTLM::log_policy]) -0.000000 | HookCallFunction Log::__create_stream(NTP::LOG, [columns=NTP::Info, ev=NTP::log_ntp, path=ntp, policy=NTP::log_policy]) -0.000000 | 
HookCallFunction Log::__create_stream(NetControl::DROP_LOG, [columns=NetControl::DropInfo, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop, policy=NetControl::log_policy_drop]) -0.000000 | HookCallFunction Log::__create_stream(NetControl::LOG, [columns=NetControl::Info, ev=NetControl::log_netcontrol, path=netcontrol, policy=NetControl::log_policy]) -0.000000 | HookCallFunction Log::__create_stream(NetControl::SHUNT, [columns=NetControl::ShuntInfo, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt, policy=NetControl::log_policy_shunt]) -0.000000 | HookCallFunction Log::__create_stream(Notice::ALARM_LOG, [columns=Notice::Info, ev=, path=notice_alarm, policy=Notice::log_policy_alarm]) -0.000000 | HookCallFunction Log::__create_stream(Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice, policy=Notice::log_policy]) -0.000000 | HookCallFunction Log::__create_stream(OCSP::LOG, [columns=OCSP::Info, ev=OCSP::log_ocsp, path=ocsp, policy=OCSP::log_policy]) -0.000000 | HookCallFunction Log::__create_stream(OpenFlow::LOG, [columns=OpenFlow::Info, ev=OpenFlow::log_openflow, path=openflow, policy=OpenFlow::log_policy]) -0.000000 | HookCallFunction Log::__create_stream(PE::LOG, [columns=PE::Info, ev=PE::log_pe, path=pe, policy=PE::log_policy]) -0.000000 | HookCallFunction Log::__create_stream(PacketFilter::LOG, [columns=PacketFilter::Info, ev=, path=packet_filter, policy=PacketFilter::log_policy]) -0.000000 | HookCallFunction Log::__create_stream(RADIUS::LOG, [columns=RADIUS::Info, ev=RADIUS::log_radius, path=radius, policy=RADIUS::log_policy]) -0.000000 | HookCallFunction Log::__create_stream(RDP::LOG, [columns=RDP::Info, ev=RDP::log_rdp, path=rdp, policy=RDP::log_policy]) -0.000000 | HookCallFunction Log::__create_stream(RFB::LOG, [columns=RFB::Info, ev=RFB::log_rfb, path=rfb, policy=RFB::log_policy]) -0.000000 | HookCallFunction Log::__create_stream(Reporter::LOG, [columns=Reporter::Info, ev=, path=reporter, policy=Reporter::log_policy]) 
-0.000000 | HookCallFunction Log::__create_stream(SIP::LOG, [columns=SIP::Info, ev=SIP::log_sip, path=sip, policy=SIP::log_policy]) -0.000000 | HookCallFunction Log::__create_stream(SMB::FILES_LOG, [columns=SMB::FileInfo, ev=, path=smb_files, policy=SMB::log_policy_files]) -0.000000 | HookCallFunction Log::__create_stream(SMB::MAPPING_LOG, [columns=SMB::TreeInfo, ev=, path=smb_mapping, policy=SMB::log_policy_mapping]) -0.000000 | HookCallFunction Log::__create_stream(SMTP::LOG, [columns=SMTP::Info, ev=SMTP::log_smtp, path=smtp, policy=SMTP::log_policy]) -0.000000 | HookCallFunction Log::__create_stream(SNMP::LOG, [columns=SNMP::Info, ev=SNMP::log_snmp, path=snmp, policy=SNMP::log_policy]) -0.000000 | HookCallFunction Log::__create_stream(SOCKS::LOG, [columns=SOCKS::Info, ev=SOCKS::log_socks, path=socks, policy=SOCKS::log_policy]) -0.000000 | HookCallFunction Log::__create_stream(SSH::LOG, [columns=SSH::Info, ev=SSH::log_ssh, path=ssh, policy=SSH::log_policy]) -0.000000 | HookCallFunction Log::__create_stream(SSL::LOG, [columns=SSL::Info, ev=SSL::log_ssl, path=ssl, policy=SSL::log_policy]) -0.000000 | HookCallFunction Log::__create_stream(Signatures::LOG, [columns=Signatures::Info, ev=Signatures::log_signature, path=signatures, policy=Signatures::log_policy]) -0.000000 | HookCallFunction Log::__create_stream(Software::LOG, [columns=Software::Info, ev=Software::log_software, path=software, policy=Software::log_policy]) -0.000000 | HookCallFunction Log::__create_stream(Syslog::LOG, [columns=Syslog::Info, ev=, path=syslog, policy=Syslog::log_policy]) -0.000000 | HookCallFunction Log::__create_stream(Tunnel::LOG, [columns=Tunnel::Info, ev=, path=tunnel, policy=Tunnel::log_policy]) -0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy]) -0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509, policy=X509::log_policy]) -0.000000 | 
HookCallFunction Log::__create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql, policy=MySQL::log_policy]) +0.000000 | HookCallFunction Log::__create_stream(Broker::LOG, [columns=Broker::Info, ev=, path=broker, policy=Broker::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::__create_stream(Cluster::LOG, [columns=Cluster::Info, ev=, path=cluster, policy=Cluster::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::__create_stream(Config::LOG, [columns=Config::Info, ev=Config::log_config, path=config, policy=Config::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::__create_stream(Conn::LOG, [columns=Conn::Info, ev=Conn::log_conn, path=conn, policy=Conn::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::__create_stream(DCE_RPC::LOG, [columns=DCE_RPC::Info, ev=, path=dce_rpc, policy=DCE_RPC::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::__create_stream(DHCP::LOG, [columns=DHCP::Info, ev=DHCP::log_dhcp, path=dhcp, policy=DHCP::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::__create_stream(DNP3::LOG, [columns=DNP3::Info, ev=DNP3::log_dnp3, path=dnp3, policy=DNP3::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::__create_stream(DNS::LOG, [columns=DNS::Info, ev=DNS::log_dns, path=dns, policy=DNS::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::__create_stream(DPD::LOG, [columns=DPD::Info, ev=, path=dpd, policy=DPD::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::__create_stream(FTP::LOG, [columns=FTP::Info, ev=FTP::log_ftp, path=ftp, policy=FTP::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::__create_stream(Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files, policy=Files::log_policy{ if ((F == X509::log_x509_in_files_log) && (X509 in X509::rec$analyzers)) break }, event_groups={}]) +0.000000 | HookCallFunction Log::__create_stream(HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, 
path=http, policy=HTTP::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::__create_stream(IRC::LOG, [columns=IRC::Info, ev=IRC::irc_log, path=irc, policy=IRC::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::__create_stream(Intel::LOG, [columns=Intel::Info, ev=Intel::log_intel, path=intel, policy=Intel::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::__create_stream(KRB::LOG, [columns=KRB::Info, ev=KRB::log_krb, path=kerberos, policy=KRB::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::__create_stream(MQTT::CONNECT_LOG, [columns=MQTT::ConnectInfo, ev=MQTT::log_mqtt, path=mqtt_connect, policy=MQTT::log_policy_connect, event_groups={}]) +0.000000 | HookCallFunction Log::__create_stream(MQTT::PUBLISH_LOG, [columns=MQTT::PublishInfo, ev=, path=mqtt_publish, policy=MQTT::log_policy_publish, event_groups={}]) +0.000000 | HookCallFunction Log::__create_stream(MQTT::SUBSCRIBE_LOG, [columns=MQTT::SubscribeInfo, ev=, path=mqtt_subscribe, policy=MQTT::log_policy_subscribe, event_groups={}]) +0.000000 | HookCallFunction Log::__create_stream(Modbus::LOG, [columns=Modbus::Info, ev=Modbus::log_modbus, path=modbus, policy=Modbus::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::__create_stream(NTLM::LOG, [columns=NTLM::Info, ev=, path=ntlm, policy=NTLM::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::__create_stream(NTP::LOG, [columns=NTP::Info, ev=NTP::log_ntp, path=ntp, policy=NTP::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::__create_stream(NetControl::DROP_LOG, [columns=NetControl::DropInfo, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop, policy=NetControl::log_policy_drop, event_groups={}]) +0.000000 | HookCallFunction Log::__create_stream(NetControl::LOG, [columns=NetControl::Info, ev=NetControl::log_netcontrol, path=netcontrol, policy=NetControl::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::__create_stream(NetControl::SHUNT, 
[columns=NetControl::ShuntInfo, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt, policy=NetControl::log_policy_shunt, event_groups={}]) +0.000000 | HookCallFunction Log::__create_stream(Notice::ALARM_LOG, [columns=Notice::Info, ev=, path=notice_alarm, policy=Notice::log_policy_alarm, event_groups={}]) +0.000000 | HookCallFunction Log::__create_stream(Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice, policy=Notice::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::__create_stream(OCSP::LOG, [columns=OCSP::Info, ev=OCSP::log_ocsp, path=ocsp, policy=OCSP::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::__create_stream(OpenFlow::LOG, [columns=OpenFlow::Info, ev=OpenFlow::log_openflow, path=openflow, policy=OpenFlow::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::__create_stream(PE::LOG, [columns=PE::Info, ev=PE::log_pe, path=pe, policy=PE::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::__create_stream(PacketFilter::LOG, [columns=PacketFilter::Info, ev=, path=packet_filter, policy=PacketFilter::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::__create_stream(RADIUS::LOG, [columns=RADIUS::Info, ev=RADIUS::log_radius, path=radius, policy=RADIUS::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::__create_stream(RDP::LOG, [columns=RDP::Info, ev=RDP::log_rdp, path=rdp, policy=RDP::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::__create_stream(RFB::LOG, [columns=RFB::Info, ev=RFB::log_rfb, path=rfb, policy=RFB::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::__create_stream(Reporter::LOG, [columns=Reporter::Info, ev=, path=reporter, policy=Reporter::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::__create_stream(SIP::LOG, [columns=SIP::Info, ev=SIP::log_sip, path=sip, policy=SIP::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::__create_stream(SMB::FILES_LOG, [columns=SMB::FileInfo, ev=, 
path=smb_files, policy=SMB::log_policy_files, event_groups={}]) +0.000000 | HookCallFunction Log::__create_stream(SMB::MAPPING_LOG, [columns=SMB::TreeInfo, ev=, path=smb_mapping, policy=SMB::log_policy_mapping, event_groups={}]) +0.000000 | HookCallFunction Log::__create_stream(SMTP::LOG, [columns=SMTP::Info, ev=SMTP::log_smtp, path=smtp, policy=SMTP::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::__create_stream(SNMP::LOG, [columns=SNMP::Info, ev=SNMP::log_snmp, path=snmp, policy=SNMP::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::__create_stream(SOCKS::LOG, [columns=SOCKS::Info, ev=SOCKS::log_socks, path=socks, policy=SOCKS::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::__create_stream(SSH::LOG, [columns=SSH::Info, ev=SSH::log_ssh, path=ssh, policy=SSH::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::__create_stream(SSL::LOG, [columns=SSL::Info, ev=SSL::log_ssl, path=ssl, policy=SSL::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::__create_stream(Signatures::LOG, [columns=Signatures::Info, ev=Signatures::log_signature, path=signatures, policy=Signatures::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::__create_stream(Software::LOG, [columns=Software::Info, ev=Software::log_software, path=software, policy=Software::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::__create_stream(Syslog::LOG, [columns=Syslog::Info, ev=, path=syslog, policy=Syslog::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::__create_stream(Tunnel::LOG, [columns=Tunnel::Info, ev=, path=tunnel, policy=Tunnel::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509, policy=X509::log_policy, event_groups={}]) +0.000000 | 
HookCallFunction Log::__create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql, policy=MySQL::log_policy, event_groups={}]) 0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T, failure_reason=]) 0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 
@@ -3517,55 +3517,55 @@ 0.000000 | HookCallFunction Log::add_stream_filters(Weird::LOG, default) 0.000000 | HookCallFunction Log::add_stream_filters(X509::LOG, default) 0.000000 | HookCallFunction Log::add_stream_filters(mysql::LOG, default) -0.000000 | HookCallFunction Log::create_stream(Broker::LOG, [columns=Broker::Info, ev=, path=broker, policy=Broker::log_policy]) -0.000000 | HookCallFunction Log::create_stream(Cluster::LOG, [columns=Cluster::Info, ev=, path=cluster, policy=Cluster::log_policy]) -0.000000 | HookCallFunction Log::create_stream(Config::LOG, [columns=Config::Info, ev=Config::log_config, path=config, policy=Config::log_policy]) -0.000000 | HookCallFunction Log::create_stream(Conn::LOG, [columns=Conn::Info, ev=Conn::log_conn, path=conn, policy=Conn::log_policy]) -0.000000 | HookCallFunction Log::create_stream(DCE_RPC::LOG, [columns=DCE_RPC::Info, ev=, path=dce_rpc, policy=DCE_RPC::log_policy]) -0.000000 | HookCallFunction Log::create_stream(DHCP::LOG, [columns=DHCP::Info, ev=DHCP::log_dhcp, path=dhcp, policy=DHCP::log_policy]) -0.000000 | HookCallFunction Log::create_stream(DNP3::LOG, [columns=DNP3::Info, ev=DNP3::log_dnp3, path=dnp3, policy=DNP3::log_policy]) -0.000000 | HookCallFunction Log::create_stream(DNS::LOG, [columns=DNS::Info, ev=DNS::log_dns, path=dns, policy=DNS::log_policy]) -0.000000 | HookCallFunction Log::create_stream(DPD::LOG, [columns=DPD::Info, ev=, path=dpd, policy=DPD::log_policy]) -0.000000 | HookCallFunction Log::create_stream(FTP::LOG, [columns=FTP::Info, ev=FTP::log_ftp, path=ftp, policy=FTP::log_policy]) -0.000000 | HookCallFunction Log::create_stream(Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files, policy=Files::log_policy{ if ((F == X509::log_x509_in_files_log) && (X509 in X509::rec$analyzers)) break }]) -0.000000 | HookCallFunction Log::create_stream(HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http, policy=HTTP::log_policy]) -0.000000 | HookCallFunction Log::create_stream(IRC::LOG, 
[columns=IRC::Info, ev=IRC::irc_log, path=irc, policy=IRC::log_policy]) -0.000000 | HookCallFunction Log::create_stream(Intel::LOG, [columns=Intel::Info, ev=Intel::log_intel, path=intel, policy=Intel::log_policy]) -0.000000 | HookCallFunction Log::create_stream(KRB::LOG, [columns=KRB::Info, ev=KRB::log_krb, path=kerberos, policy=KRB::log_policy]) -0.000000 | HookCallFunction Log::create_stream(MQTT::CONNECT_LOG, [columns=MQTT::ConnectInfo, ev=MQTT::log_mqtt, path=mqtt_connect, policy=MQTT::log_policy_connect]) -0.000000 | HookCallFunction Log::create_stream(MQTT::PUBLISH_LOG, [columns=MQTT::PublishInfo, ev=, path=mqtt_publish, policy=MQTT::log_policy_publish]) -0.000000 | HookCallFunction Log::create_stream(MQTT::SUBSCRIBE_LOG, [columns=MQTT::SubscribeInfo, ev=, path=mqtt_subscribe, policy=MQTT::log_policy_subscribe]) -0.000000 | HookCallFunction Log::create_stream(Modbus::LOG, [columns=Modbus::Info, ev=Modbus::log_modbus, path=modbus, policy=Modbus::log_policy]) -0.000000 | HookCallFunction Log::create_stream(NTLM::LOG, [columns=NTLM::Info, ev=, path=ntlm, policy=NTLM::log_policy]) -0.000000 | HookCallFunction Log::create_stream(NTP::LOG, [columns=NTP::Info, ev=NTP::log_ntp, path=ntp, policy=NTP::log_policy]) -0.000000 | HookCallFunction Log::create_stream(NetControl::DROP_LOG, [columns=NetControl::DropInfo, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop, policy=NetControl::log_policy_drop]) -0.000000 | HookCallFunction Log::create_stream(NetControl::LOG, [columns=NetControl::Info, ev=NetControl::log_netcontrol, path=netcontrol, policy=NetControl::log_policy]) -0.000000 | HookCallFunction Log::create_stream(NetControl::SHUNT, [columns=NetControl::ShuntInfo, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt, policy=NetControl::log_policy_shunt]) -0.000000 | HookCallFunction Log::create_stream(Notice::ALARM_LOG, [columns=Notice::Info, ev=, path=notice_alarm, policy=Notice::log_policy_alarm]) -0.000000 | HookCallFunction 
Log::create_stream(Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice, policy=Notice::log_policy]) -0.000000 | HookCallFunction Log::create_stream(OCSP::LOG, [columns=OCSP::Info, ev=OCSP::log_ocsp, path=ocsp, policy=OCSP::log_policy]) -0.000000 | HookCallFunction Log::create_stream(OpenFlow::LOG, [columns=OpenFlow::Info, ev=OpenFlow::log_openflow, path=openflow, policy=OpenFlow::log_policy]) -0.000000 | HookCallFunction Log::create_stream(PE::LOG, [columns=PE::Info, ev=PE::log_pe, path=pe, policy=PE::log_policy]) -0.000000 | HookCallFunction Log::create_stream(PacketFilter::LOG, [columns=PacketFilter::Info, ev=, path=packet_filter, policy=PacketFilter::log_policy]) -0.000000 | HookCallFunction Log::create_stream(RADIUS::LOG, [columns=RADIUS::Info, ev=RADIUS::log_radius, path=radius, policy=RADIUS::log_policy]) -0.000000 | HookCallFunction Log::create_stream(RDP::LOG, [columns=RDP::Info, ev=RDP::log_rdp, path=rdp, policy=RDP::log_policy]) -0.000000 | HookCallFunction Log::create_stream(RFB::LOG, [columns=RFB::Info, ev=RFB::log_rfb, path=rfb, policy=RFB::log_policy]) -0.000000 | HookCallFunction Log::create_stream(Reporter::LOG, [columns=Reporter::Info, ev=, path=reporter, policy=Reporter::log_policy]) -0.000000 | HookCallFunction Log::create_stream(SIP::LOG, [columns=SIP::Info, ev=SIP::log_sip, path=sip, policy=SIP::log_policy]) -0.000000 | HookCallFunction Log::create_stream(SMB::FILES_LOG, [columns=SMB::FileInfo, ev=, path=smb_files, policy=SMB::log_policy_files]) -0.000000 | HookCallFunction Log::create_stream(SMB::MAPPING_LOG, [columns=SMB::TreeInfo, ev=, path=smb_mapping, policy=SMB::log_policy_mapping]) -0.000000 | HookCallFunction Log::create_stream(SMTP::LOG, [columns=SMTP::Info, ev=SMTP::log_smtp, path=smtp, policy=SMTP::log_policy]) -0.000000 | HookCallFunction Log::create_stream(SNMP::LOG, [columns=SNMP::Info, ev=SNMP::log_snmp, path=snmp, policy=SNMP::log_policy]) -0.000000 | HookCallFunction Log::create_stream(SOCKS::LOG, 
[columns=SOCKS::Info, ev=SOCKS::log_socks, path=socks, policy=SOCKS::log_policy]) -0.000000 | HookCallFunction Log::create_stream(SSH::LOG, [columns=SSH::Info, ev=SSH::log_ssh, path=ssh, policy=SSH::log_policy]) -0.000000 | HookCallFunction Log::create_stream(SSL::LOG, [columns=SSL::Info, ev=SSL::log_ssl, path=ssl, policy=SSL::log_policy]) -0.000000 | HookCallFunction Log::create_stream(Signatures::LOG, [columns=Signatures::Info, ev=Signatures::log_signature, path=signatures, policy=Signatures::log_policy]) -0.000000 | HookCallFunction Log::create_stream(Software::LOG, [columns=Software::Info, ev=Software::log_software, path=software, policy=Software::log_policy]) -0.000000 | HookCallFunction Log::create_stream(Syslog::LOG, [columns=Syslog::Info, ev=, path=syslog, policy=Syslog::log_policy]) -0.000000 | HookCallFunction Log::create_stream(Tunnel::LOG, [columns=Tunnel::Info, ev=, path=tunnel, policy=Tunnel::log_policy]) -0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy]) -0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509, policy=X509::log_policy]) -0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql, policy=MySQL::log_policy]) +0.000000 | HookCallFunction Log::create_stream(Broker::LOG, [columns=Broker::Info, ev=, path=broker, policy=Broker::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::create_stream(Cluster::LOG, [columns=Cluster::Info, ev=, path=cluster, policy=Cluster::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::create_stream(Config::LOG, [columns=Config::Info, ev=Config::log_config, path=config, policy=Config::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::create_stream(Conn::LOG, [columns=Conn::Info, ev=Conn::log_conn, path=conn, policy=Conn::log_policy, event_groups={}]) +0.000000 | HookCallFunction 
Log::create_stream(DCE_RPC::LOG, [columns=DCE_RPC::Info, ev=, path=dce_rpc, policy=DCE_RPC::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::create_stream(DHCP::LOG, [columns=DHCP::Info, ev=DHCP::log_dhcp, path=dhcp, policy=DHCP::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::create_stream(DNP3::LOG, [columns=DNP3::Info, ev=DNP3::log_dnp3, path=dnp3, policy=DNP3::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::create_stream(DNS::LOG, [columns=DNS::Info, ev=DNS::log_dns, path=dns, policy=DNS::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::create_stream(DPD::LOG, [columns=DPD::Info, ev=, path=dpd, policy=DPD::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::create_stream(FTP::LOG, [columns=FTP::Info, ev=FTP::log_ftp, path=ftp, policy=FTP::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::create_stream(Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files, policy=Files::log_policy{ if ((F == X509::log_x509_in_files_log) && (X509 in X509::rec$analyzers)) break }, event_groups={}]) +0.000000 | HookCallFunction Log::create_stream(HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http, policy=HTTP::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::create_stream(IRC::LOG, [columns=IRC::Info, ev=IRC::irc_log, path=irc, policy=IRC::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::create_stream(Intel::LOG, [columns=Intel::Info, ev=Intel::log_intel, path=intel, policy=Intel::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::create_stream(KRB::LOG, [columns=KRB::Info, ev=KRB::log_krb, path=kerberos, policy=KRB::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::create_stream(MQTT::CONNECT_LOG, [columns=MQTT::ConnectInfo, ev=MQTT::log_mqtt, path=mqtt_connect, policy=MQTT::log_policy_connect, event_groups={}]) +0.000000 | HookCallFunction Log::create_stream(MQTT::PUBLISH_LOG, [columns=MQTT::PublishInfo, ev=, 
path=mqtt_publish, policy=MQTT::log_policy_publish, event_groups={}]) +0.000000 | HookCallFunction Log::create_stream(MQTT::SUBSCRIBE_LOG, [columns=MQTT::SubscribeInfo, ev=, path=mqtt_subscribe, policy=MQTT::log_policy_subscribe, event_groups={}]) +0.000000 | HookCallFunction Log::create_stream(Modbus::LOG, [columns=Modbus::Info, ev=Modbus::log_modbus, path=modbus, policy=Modbus::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::create_stream(NTLM::LOG, [columns=NTLM::Info, ev=, path=ntlm, policy=NTLM::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::create_stream(NTP::LOG, [columns=NTP::Info, ev=NTP::log_ntp, path=ntp, policy=NTP::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::create_stream(NetControl::DROP_LOG, [columns=NetControl::DropInfo, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop, policy=NetControl::log_policy_drop, event_groups={}]) +0.000000 | HookCallFunction Log::create_stream(NetControl::LOG, [columns=NetControl::Info, ev=NetControl::log_netcontrol, path=netcontrol, policy=NetControl::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::create_stream(NetControl::SHUNT, [columns=NetControl::ShuntInfo, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt, policy=NetControl::log_policy_shunt, event_groups={}]) +0.000000 | HookCallFunction Log::create_stream(Notice::ALARM_LOG, [columns=Notice::Info, ev=, path=notice_alarm, policy=Notice::log_policy_alarm, event_groups={}]) +0.000000 | HookCallFunction Log::create_stream(Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice, policy=Notice::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::create_stream(OCSP::LOG, [columns=OCSP::Info, ev=OCSP::log_ocsp, path=ocsp, policy=OCSP::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::create_stream(OpenFlow::LOG, [columns=OpenFlow::Info, ev=OpenFlow::log_openflow, path=openflow, policy=OpenFlow::log_policy, event_groups={}]) +0.000000 | 
HookCallFunction Log::create_stream(PE::LOG, [columns=PE::Info, ev=PE::log_pe, path=pe, policy=PE::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::create_stream(PacketFilter::LOG, [columns=PacketFilter::Info, ev=, path=packet_filter, policy=PacketFilter::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::create_stream(RADIUS::LOG, [columns=RADIUS::Info, ev=RADIUS::log_radius, path=radius, policy=RADIUS::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::create_stream(RDP::LOG, [columns=RDP::Info, ev=RDP::log_rdp, path=rdp, policy=RDP::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::create_stream(RFB::LOG, [columns=RFB::Info, ev=RFB::log_rfb, path=rfb, policy=RFB::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::create_stream(Reporter::LOG, [columns=Reporter::Info, ev=, path=reporter, policy=Reporter::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::create_stream(SIP::LOG, [columns=SIP::Info, ev=SIP::log_sip, path=sip, policy=SIP::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::create_stream(SMB::FILES_LOG, [columns=SMB::FileInfo, ev=, path=smb_files, policy=SMB::log_policy_files, event_groups={}]) +0.000000 | HookCallFunction Log::create_stream(SMB::MAPPING_LOG, [columns=SMB::TreeInfo, ev=, path=smb_mapping, policy=SMB::log_policy_mapping, event_groups={}]) +0.000000 | HookCallFunction Log::create_stream(SMTP::LOG, [columns=SMTP::Info, ev=SMTP::log_smtp, path=smtp, policy=SMTP::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::create_stream(SNMP::LOG, [columns=SNMP::Info, ev=SNMP::log_snmp, path=snmp, policy=SNMP::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::create_stream(SOCKS::LOG, [columns=SOCKS::Info, ev=SOCKS::log_socks, path=socks, policy=SOCKS::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::create_stream(SSH::LOG, [columns=SSH::Info, ev=SSH::log_ssh, path=ssh, policy=SSH::log_policy, event_groups={}]) 
+0.000000 | HookCallFunction Log::create_stream(SSL::LOG, [columns=SSL::Info, ev=SSL::log_ssl, path=ssl, policy=SSL::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::create_stream(Signatures::LOG, [columns=Signatures::Info, ev=Signatures::log_signature, path=signatures, policy=Signatures::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::create_stream(Software::LOG, [columns=Software::Info, ev=Software::log_software, path=software, policy=Software::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::create_stream(Syslog::LOG, [columns=Syslog::Info, ev=, path=syslog, policy=Syslog::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::create_stream(Tunnel::LOG, [columns=Tunnel::Info, ev=, path=tunnel, policy=Tunnel::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509, policy=X509::log_policy, event_groups={}]) +0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql, policy=MySQL::log_policy, event_groups={}]) 0.000000 | HookCallFunction Log::get_filter(SSL::LOG, default) 0.000000 | HookCallFunction Log::log_stream_policy([ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T, failure_reason=], PacketFilter::LOG) 0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T, failure_reason=]) diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.event-groups-integration/output b/testing/btest/Baseline/scripts.base.frameworks.logging.event-groups-integration/output new file mode 100644 index 0000000000..284f7c3fbf --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.event-groups-integration/output 
@@ -0,0 +1,49 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +packet counting, 1 +packet observer, 1 +packet logging, 1 +packet counting, 2 +packet observer, 2 +packet logging, 2 +packet counting, 3 +packet observer, 3 +packet logging, 3 +packet counting, 4 +packet observer, 4 +packet logging, 4 +packet counting, 5 +packet observer, 5 +packet logging, 5 +packet counting, 6 +Log::disable_stream() +packet counting, 7 +packet counting, 8 +packet counting, 9 +packet counting, 10 +packet counting, 11 +packet counting, 12 +packet counting, 13 +packet counting, 14 +packet counting, 15 +packet counting, 16 +packet counting, 17 +packet counting, 18 +packet counting, 19 +packet counting, 20 +packet counting, 21 +packet counting, 22 +packet counting, 23 +packet counting, 24 +packet counting, 25 +Log::enable_stream() +packet observer, 25 +packet logging, 25 +packet counting, 26 +packet observer, 26 +packet logging, 26 +packet counting, 27 +packet observer, 27 +packet logging, 27 +packet counting, 28 +packet observer, 28 +packet logging, 28 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.event-groups-integration/packet.log b/testing/btest/Baseline/scripts.base.frameworks.logging.event-groups-integration/packet.log new file mode 100644 index 0000000000..2fd7c801ce --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.event-groups-integration/packet.log 
@@ -0,0 +1,19 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path packet +#open XXXX-XX-XX-XX-XX-XX +#fields ts c ttl len +#types time count count count +XXXXXXXXXX.XXXXXX 1 64 66 +XXXXXXXXXX.XXXXXX 2 59 117 +XXXXXXXXXX.XXXXXX 3 64 80 +XXXXXXXXXX.XXXXXX 4 59 127 +XXXXXXXXXX.XXXXXX 5 64 66 +XXXXXXXXXX.XXXXXX 25 64 64 +XXXXXXXXXX.XXXXXX 26 59 159 +XXXXXXXXXX.XXXXXX 27 64 64 +XXXXXXXXXX.XXXXXX 28 59 226 +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/scripts/base/frameworks/logging/event-groups-integration.zeek b/testing/btest/scripts/base/frameworks/logging/event-groups-integration.zeek new file mode 100644 index 0000000000..65cb15b379 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/logging/event-groups-integration.zeek 
@@ -0,0 +1,75 @@
+# @TEST-DOC: Count packets, disable the packet log stream (and it's module group) and re-enable it again, verifying handlers are disabled and re-enabled, too.
+
+# @TEST-EXEC: zeek -b -r ${TRACES}/wikipedia.trace -f 'port 53' %INPUT >output
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: btest-diff packet.log
+
+module PacketCounter;
+
+export {
+ redef enum Log::ID += { LOG };
+
+ type Info: record {
+ ts: time &log;
+ c: count &log;
+ ttl: count &log;
+ len: count &log;
+ };
+
+ # Counting all the packets.
+ global pcount = 0;
+}
+
+event zeek_init()
+ {
+ Log::create_stream(LOG, [$columns=Info, $path="packet",
+ $event_groups=set("PacketCounter::Logging")]);
+ }
+
+event new_packet(c: connection, p: pkt_hdr)
+ {
+ ++pcount;
+
+ print "packet counting", pcount;
+
+ # Have 5 packets logged, now disable the stream.
+ if ( pcount == 6 )
+ {
+ print "Log::disable_stream()";
+ Log::disable_stream(LOG);
+ }
+
+ # Re-enable logging after 25 packets. Packet 25 will actually
+ # be logged as the handler is enabled just before this one
+ # (at a higher priority) completes.
+ if ( pcount == 25 )
+ {
+ print "Log::enable_stream()";
+ Log::enable_stream(LOG);
+ }
+ }
+
+# Handler with a attribute group matching the log stream event group.
+# It only produces a bit of output to verify it's being disabled and
+# re-enabled during Log::enable_stream() / Log::disable_stream().
+event new_packet(c: connection, p: pkt_hdr) &group="PacketCounter::Logging" &priority=-5
+ {
+ print "packet observer", pcount;
+ }
+
+# This is where our actual logging happens. We have a "print" statement
+# as to verify the code doesn't actually run when the stream got disabled.
+module PacketCounter::Logging;
+
+event new_packet(c: connection, p: pkt_hdr) &priority=-10
+ {
+ print "packet logging", PacketCounter::pcount;
+ local rec = PacketCounter::Info(
+ $ts=network_time(),
+ $c=PacketCounter::pcount,
+ $ttl=p$ip$ttl,
+ $len=p$ip$len,
+ );
+
+ Log::write(PacketCounter::LOG, rec);
+ }
From 93f3c2b612bee4dd8ebb88ee260501a44bef9572 Mon Sep 17 00:00:00 2001
From: Arne Welzel
Date: Wed, 7 Dec 2022 14:36:21 +0100
Subject: [PATCH 3/3] testing/external: Bump cluster testing commit
---
 testing/external/commit-hash.zeek-testing-cluster | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/testing/external/commit-hash.zeek-testing-cluster b/testing/external/commit-hash.zeek-testing-cluster
index d7e1f4c802..46c1ebaae4 100644
--- a/testing/external/commit-hash.zeek-testing-cluster
+++ b/testing/external/commit-hash.zeek-testing-cluster
@@ -1 +1 @@
-04b919ed3e29e1b07e21ca4308fae06fe5e976d3
+010a5bf2a0078190c3403d6cc973910de925b826
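Review bot: The logging handler at the end of the hunk reads `p$ip$ttl` and `p$ip$len` without checking that the IPv4 header is present; `pkt_hdr` declares `ip` as `&optional`, so an IPv6 packet reaching this `new_packet` handler would trigger a missing-field runtime error rather than being skipped. The `port 53` filter on wikipedia.trace presumably yields only IPv4 packets, but the guard is cheap and keeps the test from silently depending on the trace contents: add `if ( ! p?$ip ) return;` as the first statement of the `PacketCounter::Logging` handler. Two comment nits in the same hunk: `it's module group` in the `@TEST-DOC` line should read `its module group`, and `a attribute group` should read `an attribute group`.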