Merge remote-tracking branch 'origin/topic/awelzel/topic/awelzel/disable-stream-event-groups-take-two'

* origin/topic/awelzel/topic/awelzel/disable-stream-event-groups-take-two:
  testing/external: Bump cluster testing commit
  logging: Add event_groups to Stream
  zeek.bif: Add has_event_group() / has_module_events()

CHANGES

@@ -1,3 +1,19 @@
+5.2.0-dev.427 | 2022-12-13 11:37:47 +0100
+
+  * logging: Add event_groups to Stream (Arne Welzel, Corelight)
+
+    This commit adds an optional event_groups field to the Logging::Stream record
+    to associated event groups with logging streams.
+
+    This can be used to disable all event groups of a logging stream when it is
+    disabled. It does require making an explicit connection between the
+    logging stream and the involved groups, however.
+
+  * zeek.bif: Add has_event_group() / has_module_events() (Arne Welzel, Corelight)
+
+    Introduce helpers to determine if a given attribute or module event
+    group exists given a string.
+
 5.2.0-dev.422 | 2022-12-09 16:07:47 +0100
 
   * maintenance updates for -O C++ (Vern Paxson, Corelight)

NEWS

@@ -127,6 +127,12 @@ New Functionality
   implemented in a given module can be toggled with ``disable_module_events()``
   and ``enable_module_events()``.
 
+- Extend the ``Logging::Stream`` record with an ``event_groups`` field and
+  toggle these during ``Log::disable_stream`` and ``Log::enable_stream``
+  invocations. This allows for explicit/manual opt-in performance optimizations
+  by turning off event handlers at runtime that are only needed for log
+  generation.
+
 - On Linux, the AF_PACKET packet source plugin (https://github.com/zeek/zeek-af_packet-plugin)
   is included as builtin plugin by default. To select this packet source, prefix
   the interface name with ``af_packet``.

VERSION

@@ -1 +1 @@
-5.2.0-dev.422
+5.2.0-dev.427

scripts/base/frameworks/logging/main.zeek

@@ -373,6 +373,21 @@ export {
 		## New Filters created for this stream will inherit
 		## this policy hook, unless they provide their own.
 		policy: PolicyHook &optional;
+
+		## Event groups associated with this stream that are disabled
+		## when :zeek:see:`Log::disable_stream` is invoked and
+		## re-enabled during :zeek:see:`Log::enable_stream`.
+		##
+		## This field can be used to short-circuit event handlers that
+		## are solely responsible for logging functionality at runtime
+		## when a log stream is disabled.
+		##
+		## This field allows for both, attribute event groups and module
+		## event groups. If the given group names exists as attribute
+		## or module or either event group, they are disabled when the
+		## log stream is disabled and enabled when the stream is
+		## enabled again.
+		event_groups: set[string] &default=set();
 	};
 
 	## Sentinel value for indicating that a filter was not found when looked up.
@@ -733,6 +748,19 @@ function remove_stream(id: ID) : bool
 function disable_stream(id: ID) : bool
 	{
 	delete active_streams[id];
+
+	if ( id in all_streams )
+		{
+		for ( group in all_streams[id]$event_groups )
+			{
+			if ( has_module_events(group) )
+				disable_module_events(group);
+
+			if ( has_event_group(group) )
+				disable_event_group(group);
+			}
+		}
+
 	return __disable_stream(id);
 	}
 
@@ -742,7 +770,17 @@ function enable_stream(id: ID) : bool
 		return F;
 
 	if ( id in all_streams )
+		{
 		active_streams[id] = all_streams[id];
+		for ( group in all_streams[id]$event_groups )
+			{
+			if ( has_module_events(group) )
+				enable_module_events(group);
+
+			if ( has_event_group(group) )
+				enable_event_group(group);
+			}
+		}
 
 	return T;
 	}

src/zeek.bif

@@ -5631,6 +5631,10 @@ static bool disable_event_group(zeek::EventGroupKind kind, const char *group)
 	return true;
 	}
 
+static bool has_event_group(zeek::EventGroupKind kind, const char *group)
+	{
+	return zeek::event_registry->LookupGroup(kind, group) != nullptr;
+	}
 %%}
 
 ## Enabled the given event group.
@@ -5640,7 +5644,8 @@ static bool disable_event_group(zeek::EventGroupKind kind, const char *group)
 ##
 ## group: The group to enable.
 ##
-## .. zeek:see:: disable_event_group
+## .. zeek:see:: enable_event_group disable_event_group has_event_group
+##               enable_module_events disable_module_events has_module_events
 function enable_event_group%(group: string%) : bool
 	%{
 	return zeek::val_mgr->Bool(enable_event_group(zeek::EventGroupKind::Attribute,
@@ -5654,13 +5659,26 @@ function enable_event_group%(group: string%) : bool
 ##
 ## group: The group to disable.
 ##
-## .. zeek:see:: enable_event_group
+## .. zeek:see:: enable_event_group disable_event_group has_event_group
+##               enable_module_events disable_module_events has_module_events
 function disable_event_group%(group: string%) : bool
 	%{
 	return zeek::val_mgr->Bool(disable_event_group(zeek::EventGroupKind::Attribute,
 	                                               group->CheckString()));
 	%}
 
+## Does an attribute event group with this name exist?
+##
+## group: The group name.
+##
+## .. zeek:see:: enable_event_group disable_event_group has_event_group
+##               enable_module_events disable_module_events has_module_events
+function has_event_group%(group: string%) : bool
+	%{
+	return zeek::val_mgr->Bool(has_event_group(zeek::EventGroupKind::Attribute,
+	                                           group->CheckString()));
+	%}
+
 ## Enable all event handlers and hooks in the given module.
 ##
 ## All event handlers and hooks defined in the given module will be enabled
@@ -5668,7 +5686,8 @@ function disable_event_group%(group: string%) : bool
 ##
 ## module_name: The module to enable.
 ##
-## .. zeek:see:: disable_module_events enable_event_group disable_event_group
+## .. zeek:see:: enable_event_group disable_event_group has_event_group
+##               enable_module_events disable_module_events has_module_events
 function enable_module_events%(module_name: string%) : bool
 	%{
 	return zeek::val_mgr->Bool(enable_event_group(zeek::EventGroupKind::Module,
@@ -5681,9 +5700,22 @@ function enable_module_events%(module_name: string%) : bool
 ##
 ## module_name: The module to disable.
 ##
-## .. zeek:see:: enable_module_events enable_event_group disable_event_group
+## .. zeek:see:: enable_event_group disable_event_group has_event_group
+##               enable_module_events disable_module_events has_module_events
 function disable_module_events%(module_name: string%) : bool
 	%{
 	return zeek::val_mgr->Bool(disable_event_group(zeek::EventGroupKind::Module,
 	                                               module_name->CheckString()));
 	%}
+
+## Does a module event group with this name exist?
+##
+## group: The group name.
+##
+## .. zeek:see:: enable_event_group disable_event_group has_event_group
+##               enable_module_events disable_module_events has_module_events
+function has_module_events%(group: string%) : bool
+	%{
+	return zeek::val_mgr->Bool(has_event_group(zeek::EventGroupKind::Module,
+	                                           group->CheckString()));
+	%}

testing/btest/Baseline/core.event-groups.existence/output

@@ -0,0 +1,6 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+PASS: eg: has test-my-protocol (T == T)
+PASS: eg: has not test-my-protocol-nope (F == F)
+PASS: eg: has not eg TestMyProtocol::Logging (F == F)
+PASS: me: has TestMyProtocol::Logging (T == T)
+PASS: me: has not test-my-protocol (F == F)

testing/btest/Baseline/plugins.hooks/output

@@ -242,55 +242,55 @@
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, path=weird, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (X509::LOG, [name=default, writer=Log::WRITER_ASCII, path=x509, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, path=mysql, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Broker::LOG, [columns=Broker::Info, ev=<uninitialized>, path=broker, policy=Broker::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Cluster::LOG, [columns=Cluster::Info, ev=<uninitialized>, path=cluster, policy=Cluster::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Config::LOG, [columns=Config::Info, ev=Config::log_config, path=config, policy=Config::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Conn::LOG, [columns=Conn::Info, ev=Conn::log_conn, path=conn, policy=Conn::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (DCE_RPC::LOG, [columns=DCE_RPC::Info, ev=<uninitialized>, path=dce_rpc, policy=DCE_RPC::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (DHCP::LOG, [columns=DHCP::Info, ev=DHCP::log_dhcp, path=dhcp, policy=DHCP::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (DNP3::LOG, [columns=DNP3::Info, ev=DNP3::log_dnp3, path=dnp3, policy=DNP3::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (DNS::LOG, [columns=DNS::Info, ev=DNS::log_dns, path=dns, policy=DNS::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (DPD::LOG, [columns=DPD::Info, ev=<uninitialized>, path=dpd, policy=DPD::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (FTP::LOG, [columns=FTP::Info, ev=FTP::log_ftp, path=ftp, policy=FTP::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files, policy=Files::log_policy{ if ((F == X509::log_x509_in_files_log) && (X509 in X509::rec$analyzers)) break }])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http, policy=HTTP::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (IRC::LOG, [columns=IRC::Info, ev=IRC::irc_log, path=irc, policy=IRC::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Intel::LOG, [columns=Intel::Info, ev=Intel::log_intel, path=intel, policy=Intel::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (KRB::LOG, [columns=KRB::Info, ev=KRB::log_krb, path=kerberos, policy=KRB::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (MQTT::CONNECT_LOG, [columns=MQTT::ConnectInfo, ev=MQTT::log_mqtt, path=mqtt_connect, policy=MQTT::log_policy_connect])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (MQTT::PUBLISH_LOG, [columns=MQTT::PublishInfo, ev=<uninitialized>, path=mqtt_publish, policy=MQTT::log_policy_publish])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (MQTT::SUBSCRIBE_LOG, [columns=MQTT::SubscribeInfo, ev=<uninitialized>, path=mqtt_subscribe, policy=MQTT::log_policy_subscribe])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Modbus::LOG, [columns=Modbus::Info, ev=Modbus::log_modbus, path=modbus, policy=Modbus::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (NTLM::LOG, [columns=NTLM::Info, ev=<uninitialized>, path=ntlm, policy=NTLM::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (NTP::LOG, [columns=NTP::Info, ev=NTP::log_ntp, path=ntp, policy=NTP::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (NetControl::DROP_LOG, [columns=NetControl::DropInfo, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop, policy=NetControl::log_policy_drop])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (NetControl::LOG, [columns=NetControl::Info, ev=NetControl::log_netcontrol, path=netcontrol, policy=NetControl::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (NetControl::SHUNT, [columns=NetControl::ShuntInfo, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt, policy=NetControl::log_policy_shunt])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Notice::ALARM_LOG, [columns=Notice::Info, ev=<uninitialized>, path=notice_alarm, policy=Notice::log_policy_alarm])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice, policy=Notice::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (OCSP::LOG, [columns=OCSP::Info, ev=OCSP::log_ocsp, path=ocsp, policy=OCSP::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (OpenFlow::LOG, [columns=OpenFlow::Info, ev=OpenFlow::log_openflow, path=openflow, policy=OpenFlow::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (PE::LOG, [columns=PE::Info, ev=PE::log_pe, path=pe, policy=PE::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (PacketFilter::LOG, [columns=PacketFilter::Info, ev=<uninitialized>, path=packet_filter, policy=PacketFilter::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (RADIUS::LOG, [columns=RADIUS::Info, ev=RADIUS::log_radius, path=radius, policy=RADIUS::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (RDP::LOG, [columns=RDP::Info, ev=RDP::log_rdp, path=rdp, policy=RDP::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (RFB::LOG, [columns=RFB::Info, ev=RFB::log_rfb, path=rfb, policy=RFB::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Reporter::LOG, [columns=Reporter::Info, ev=<uninitialized>, path=reporter, policy=Reporter::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (SIP::LOG, [columns=SIP::Info, ev=SIP::log_sip, path=sip, policy=SIP::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (SMB::FILES_LOG, [columns=SMB::FileInfo, ev=<uninitialized>, path=smb_files, policy=SMB::log_policy_files])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (SMB::MAPPING_LOG, [columns=SMB::TreeInfo, ev=<uninitialized>, path=smb_mapping, policy=SMB::log_policy_mapping])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (SMTP::LOG, [columns=SMTP::Info, ev=SMTP::log_smtp, path=smtp, policy=SMTP::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (SNMP::LOG, [columns=SNMP::Info, ev=SNMP::log_snmp, path=snmp, policy=SNMP::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (SOCKS::LOG, [columns=SOCKS::Info, ev=SOCKS::log_socks, path=socks, policy=SOCKS::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (SSH::LOG, [columns=SSH::Info, ev=SSH::log_ssh, path=ssh, policy=SSH::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (SSL::LOG, [columns=SSL::Info, ev=SSL::log_ssl, path=ssl, policy=SSL::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Signatures::LOG, [columns=Signatures::Info, ev=Signatures::log_signature, path=signatures, policy=Signatures::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Software::LOG, [columns=Software::Info, ev=Software::log_software, path=software, policy=Software::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Syslog::LOG, [columns=Syslog::Info, ev=<uninitialized>, path=syslog, policy=Syslog::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Tunnel::LOG, [columns=Tunnel::Info, ev=<uninitialized>, path=tunnel, policy=Tunnel::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509, policy=X509::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql, policy=MySQL::log_policy])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Broker::LOG, [columns=Broker::Info, ev=<uninitialized>, path=broker, policy=Broker::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Cluster::LOG, [columns=Cluster::Info, ev=<uninitialized>, path=cluster, policy=Cluster::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Config::LOG, [columns=Config::Info, ev=Config::log_config, path=config, policy=Config::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Conn::LOG, [columns=Conn::Info, ev=Conn::log_conn, path=conn, policy=Conn::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (DCE_RPC::LOG, [columns=DCE_RPC::Info, ev=<uninitialized>, path=dce_rpc, policy=DCE_RPC::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (DHCP::LOG, [columns=DHCP::Info, ev=DHCP::log_dhcp, path=dhcp, policy=DHCP::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (DNP3::LOG, [columns=DNP3::Info, ev=DNP3::log_dnp3, path=dnp3, policy=DNP3::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (DNS::LOG, [columns=DNS::Info, ev=DNS::log_dns, path=dns, policy=DNS::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (DPD::LOG, [columns=DPD::Info, ev=<uninitialized>, path=dpd, policy=DPD::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (FTP::LOG, [columns=FTP::Info, ev=FTP::log_ftp, path=ftp, policy=FTP::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files, policy=Files::log_policy{ if ((F == X509::log_x509_in_files_log) && (X509 in X509::rec$analyzers)) break }, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http, policy=HTTP::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (IRC::LOG, [columns=IRC::Info, ev=IRC::irc_log, path=irc, policy=IRC::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Intel::LOG, [columns=Intel::Info, ev=Intel::log_intel, path=intel, policy=Intel::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (KRB::LOG, [columns=KRB::Info, ev=KRB::log_krb, path=kerberos, policy=KRB::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (MQTT::CONNECT_LOG, [columns=MQTT::ConnectInfo, ev=MQTT::log_mqtt, path=mqtt_connect, policy=MQTT::log_policy_connect, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (MQTT::PUBLISH_LOG, [columns=MQTT::PublishInfo, ev=<uninitialized>, path=mqtt_publish, policy=MQTT::log_policy_publish, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (MQTT::SUBSCRIBE_LOG, [columns=MQTT::SubscribeInfo, ev=<uninitialized>, path=mqtt_subscribe, policy=MQTT::log_policy_subscribe, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Modbus::LOG, [columns=Modbus::Info, ev=Modbus::log_modbus, path=modbus, policy=Modbus::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (NTLM::LOG, [columns=NTLM::Info, ev=<uninitialized>, path=ntlm, policy=NTLM::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (NTP::LOG, [columns=NTP::Info, ev=NTP::log_ntp, path=ntp, policy=NTP::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (NetControl::DROP_LOG, [columns=NetControl::DropInfo, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop, policy=NetControl::log_policy_drop, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (NetControl::LOG, [columns=NetControl::Info, ev=NetControl::log_netcontrol, path=netcontrol, policy=NetControl::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (NetControl::SHUNT, [columns=NetControl::ShuntInfo, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt, policy=NetControl::log_policy_shunt, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Notice::ALARM_LOG, [columns=Notice::Info, ev=<uninitialized>, path=notice_alarm, policy=Notice::log_policy_alarm, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice, policy=Notice::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (OCSP::LOG, [columns=OCSP::Info, ev=OCSP::log_ocsp, path=ocsp, policy=OCSP::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (OpenFlow::LOG, [columns=OpenFlow::Info, ev=OpenFlow::log_openflow, path=openflow, policy=OpenFlow::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (PE::LOG, [columns=PE::Info, ev=PE::log_pe, path=pe, policy=PE::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (PacketFilter::LOG, [columns=PacketFilter::Info, ev=<uninitialized>, path=packet_filter, policy=PacketFilter::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (RADIUS::LOG, [columns=RADIUS::Info, ev=RADIUS::log_radius, path=radius, policy=RADIUS::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (RDP::LOG, [columns=RDP::Info, ev=RDP::log_rdp, path=rdp, policy=RDP::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (RFB::LOG, [columns=RFB::Info, ev=RFB::log_rfb, path=rfb, policy=RFB::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Reporter::LOG, [columns=Reporter::Info, ev=<uninitialized>, path=reporter, policy=Reporter::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (SIP::LOG, [columns=SIP::Info, ev=SIP::log_sip, path=sip, policy=SIP::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (SMB::FILES_LOG, [columns=SMB::FileInfo, ev=<uninitialized>, path=smb_files, policy=SMB::log_policy_files, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (SMB::MAPPING_LOG, [columns=SMB::TreeInfo, ev=<uninitialized>, path=smb_mapping, policy=SMB::log_policy_mapping, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (SMTP::LOG, [columns=SMTP::Info, ev=SMTP::log_smtp, path=smtp, policy=SMTP::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (SNMP::LOG, [columns=SNMP::Info, ev=SNMP::log_snmp, path=snmp, policy=SNMP::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (SOCKS::LOG, [columns=SOCKS::Info, ev=SOCKS::log_socks, path=socks, policy=SOCKS::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (SSH::LOG, [columns=SSH::Info, ev=SSH::log_ssh, path=ssh, policy=SSH::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (SSL::LOG, [columns=SSL::Info, ev=SSL::log_ssl, path=ssl, policy=SSL::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Signatures::LOG, [columns=Signatures::Info, ev=Signatures::log_signature, path=signatures, policy=Signatures::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Software::LOG, [columns=Software::Info, ev=Software::log_software, path=software, policy=Software::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Syslog::LOG, [columns=Syslog::Info, ev=<uninitialized>, path=syslog, policy=Syslog::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Tunnel::LOG, [columns=Tunnel::Info, ev=<uninitialized>, path=tunnel, policy=Tunnel::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509, policy=X509::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql, policy=MySQL::log_policy, event_groups={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T, failure_reason=<uninitialized>])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Broker::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG)) -> <no result>
@@ -440,55 +440,55 @@
 0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (Weird::LOG, default)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (X509::LOG, default)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (mysql::LOG, default)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Broker::LOG, [columns=Broker::Info, ev=<uninitialized>, path=broker, policy=Broker::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Cluster::LOG, [columns=Cluster::Info, ev=<uninitialized>, path=cluster, policy=Cluster::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Config::LOG, [columns=Config::Info, ev=Config::log_config, path=config, policy=Config::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Conn::LOG, [columns=Conn::Info, ev=Conn::log_conn, path=conn, policy=Conn::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (DCE_RPC::LOG, [columns=DCE_RPC::Info, ev=<uninitialized>, path=dce_rpc, policy=DCE_RPC::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (DHCP::LOG, [columns=DHCP::Info, ev=DHCP::log_dhcp, path=dhcp, policy=DHCP::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (DNP3::LOG, [columns=DNP3::Info, ev=DNP3::log_dnp3, path=dnp3, policy=DNP3::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (DNS::LOG, [columns=DNS::Info, ev=DNS::log_dns, path=dns, policy=DNS::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (DPD::LOG, [columns=DPD::Info, ev=<uninitialized>, path=dpd, policy=DPD::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (FTP::LOG, [columns=FTP::Info, ev=FTP::log_ftp, path=ftp, policy=FTP::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files, policy=Files::log_policy{ if ((F == X509::log_x509_in_files_log) && (X509 in X509::rec$analyzers)) break }])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http, policy=HTTP::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (IRC::LOG, [columns=IRC::Info, ev=IRC::irc_log, path=irc, policy=IRC::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Intel::LOG, [columns=Intel::Info, ev=Intel::log_intel, path=intel, policy=Intel::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (KRB::LOG, [columns=KRB::Info, ev=KRB::log_krb, path=kerberos, policy=KRB::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (MQTT::CONNECT_LOG, [columns=MQTT::ConnectInfo, ev=MQTT::log_mqtt, path=mqtt_connect, policy=MQTT::log_policy_connect])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (MQTT::PUBLISH_LOG, [columns=MQTT::PublishInfo, ev=<uninitialized>, path=mqtt_publish, policy=MQTT::log_policy_publish])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (MQTT::SUBSCRIBE_LOG, [columns=MQTT::SubscribeInfo, ev=<uninitialized>, path=mqtt_subscribe, policy=MQTT::log_policy_subscribe])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Modbus::LOG, [columns=Modbus::Info, ev=Modbus::log_modbus, path=modbus, policy=Modbus::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (NTLM::LOG, [columns=NTLM::Info, ev=<uninitialized>, path=ntlm, policy=NTLM::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (NTP::LOG, [columns=NTP::Info, ev=NTP::log_ntp, path=ntp, policy=NTP::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (NetControl::DROP_LOG, [columns=NetControl::DropInfo, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop, policy=NetControl::log_policy_drop])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (NetControl::LOG, [columns=NetControl::Info, ev=NetControl::log_netcontrol, path=netcontrol, policy=NetControl::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (NetControl::SHUNT, [columns=NetControl::ShuntInfo, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt, policy=NetControl::log_policy_shunt])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Notice::ALARM_LOG, [columns=Notice::Info, ev=<uninitialized>, path=notice_alarm, policy=Notice::log_policy_alarm])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice, policy=Notice::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (OCSP::LOG, [columns=OCSP::Info, ev=OCSP::log_ocsp, path=ocsp, policy=OCSP::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (OpenFlow::LOG, [columns=OpenFlow::Info, ev=OpenFlow::log_openflow, path=openflow, policy=OpenFlow::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (PE::LOG, [columns=PE::Info, ev=PE::log_pe, path=pe, policy=PE::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (PacketFilter::LOG, [columns=PacketFilter::Info, ev=<uninitialized>, path=packet_filter, policy=PacketFilter::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (RADIUS::LOG, [columns=RADIUS::Info, ev=RADIUS::log_radius, path=radius, policy=RADIUS::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (RDP::LOG, [columns=RDP::Info, ev=RDP::log_rdp, path=rdp, policy=RDP::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (RFB::LOG, [columns=RFB::Info, ev=RFB::log_rfb, path=rfb, policy=RFB::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Reporter::LOG, [columns=Reporter::Info, ev=<uninitialized>, path=reporter, policy=Reporter::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (SIP::LOG, [columns=SIP::Info, ev=SIP::log_sip, path=sip, policy=SIP::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (SMB::FILES_LOG, [columns=SMB::FileInfo, ev=<uninitialized>, path=smb_files, policy=SMB::log_policy_files])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (SMB::MAPPING_LOG, [columns=SMB::TreeInfo, ev=<uninitialized>, path=smb_mapping, policy=SMB::log_policy_mapping])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (SMTP::LOG, [columns=SMTP::Info, ev=SMTP::log_smtp, path=smtp, policy=SMTP::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (SNMP::LOG, [columns=SNMP::Info, ev=SNMP::log_snmp, path=snmp, policy=SNMP::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (SOCKS::LOG, [columns=SOCKS::Info, ev=SOCKS::log_socks, path=socks, policy=SOCKS::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (SSH::LOG, [columns=SSH::Info, ev=SSH::log_ssh, path=ssh, policy=SSH::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (SSL::LOG, [columns=SSL::Info, ev=SSL::log_ssl, path=ssl, policy=SSL::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Signatures::LOG, [columns=Signatures::Info, ev=Signatures::log_signature, path=signatures, policy=Signatures::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Software::LOG, [columns=Software::Info, ev=Software::log_software, path=software, policy=Software::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Syslog::LOG, [columns=Syslog::Info, ev=<uninitialized>, path=syslog, policy=Syslog::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Tunnel::LOG, [columns=Tunnel::Info, ev=<uninitialized>, path=tunnel, policy=Tunnel::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509, policy=X509::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql, policy=MySQL::log_policy])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Broker::LOG, [columns=Broker::Info, ev=<uninitialized>, path=broker, policy=Broker::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Cluster::LOG, [columns=Cluster::Info, ev=<uninitialized>, path=cluster, policy=Cluster::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Config::LOG, [columns=Config::Info, ev=Config::log_config, path=config, policy=Config::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Conn::LOG, [columns=Conn::Info, ev=Conn::log_conn, path=conn, policy=Conn::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (DCE_RPC::LOG, [columns=DCE_RPC::Info, ev=<uninitialized>, path=dce_rpc, policy=DCE_RPC::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (DHCP::LOG, [columns=DHCP::Info, ev=DHCP::log_dhcp, path=dhcp, policy=DHCP::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (DNP3::LOG, [columns=DNP3::Info, ev=DNP3::log_dnp3, path=dnp3, policy=DNP3::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (DNS::LOG, [columns=DNS::Info, ev=DNS::log_dns, path=dns, policy=DNS::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (DPD::LOG, [columns=DPD::Info, ev=<uninitialized>, path=dpd, policy=DPD::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (FTP::LOG, [columns=FTP::Info, ev=FTP::log_ftp, path=ftp, policy=FTP::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files, policy=Files::log_policy{ if ((F == X509::log_x509_in_files_log) && (X509 in X509::rec$analyzers)) break }, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http, policy=HTTP::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (IRC::LOG, [columns=IRC::Info, ev=IRC::irc_log, path=irc, policy=IRC::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Intel::LOG, [columns=Intel::Info, ev=Intel::log_intel, path=intel, policy=Intel::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (KRB::LOG, [columns=KRB::Info, ev=KRB::log_krb, path=kerberos, policy=KRB::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (MQTT::CONNECT_LOG, [columns=MQTT::ConnectInfo, ev=MQTT::log_mqtt, path=mqtt_connect, policy=MQTT::log_policy_connect, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (MQTT::PUBLISH_LOG, [columns=MQTT::PublishInfo, ev=<uninitialized>, path=mqtt_publish, policy=MQTT::log_policy_publish, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (MQTT::SUBSCRIBE_LOG, [columns=MQTT::SubscribeInfo, ev=<uninitialized>, path=mqtt_subscribe, policy=MQTT::log_policy_subscribe, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Modbus::LOG, [columns=Modbus::Info, ev=Modbus::log_modbus, path=modbus, policy=Modbus::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (NTLM::LOG, [columns=NTLM::Info, ev=<uninitialized>, path=ntlm, policy=NTLM::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (NTP::LOG, [columns=NTP::Info, ev=NTP::log_ntp, path=ntp, policy=NTP::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (NetControl::DROP_LOG, [columns=NetControl::DropInfo, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop, policy=NetControl::log_policy_drop, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (NetControl::LOG, [columns=NetControl::Info, ev=NetControl::log_netcontrol, path=netcontrol, policy=NetControl::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (NetControl::SHUNT, [columns=NetControl::ShuntInfo, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt, policy=NetControl::log_policy_shunt, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Notice::ALARM_LOG, [columns=Notice::Info, ev=<uninitialized>, path=notice_alarm, policy=Notice::log_policy_alarm, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice, policy=Notice::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (OCSP::LOG, [columns=OCSP::Info, ev=OCSP::log_ocsp, path=ocsp, policy=OCSP::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (OpenFlow::LOG, [columns=OpenFlow::Info, ev=OpenFlow::log_openflow, path=openflow, policy=OpenFlow::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (PE::LOG, [columns=PE::Info, ev=PE::log_pe, path=pe, policy=PE::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (PacketFilter::LOG, [columns=PacketFilter::Info, ev=<uninitialized>, path=packet_filter, policy=PacketFilter::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (RADIUS::LOG, [columns=RADIUS::Info, ev=RADIUS::log_radius, path=radius, policy=RADIUS::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (RDP::LOG, [columns=RDP::Info, ev=RDP::log_rdp, path=rdp, policy=RDP::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (RFB::LOG, [columns=RFB::Info, ev=RFB::log_rfb, path=rfb, policy=RFB::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Reporter::LOG, [columns=Reporter::Info, ev=<uninitialized>, path=reporter, policy=Reporter::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (SIP::LOG, [columns=SIP::Info, ev=SIP::log_sip, path=sip, policy=SIP::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (SMB::FILES_LOG, [columns=SMB::FileInfo, ev=<uninitialized>, path=smb_files, policy=SMB::log_policy_files, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (SMB::MAPPING_LOG, [columns=SMB::TreeInfo, ev=<uninitialized>, path=smb_mapping, policy=SMB::log_policy_mapping, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (SMTP::LOG, [columns=SMTP::Info, ev=SMTP::log_smtp, path=smtp, policy=SMTP::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (SNMP::LOG, [columns=SNMP::Info, ev=SNMP::log_snmp, path=snmp, policy=SNMP::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (SOCKS::LOG, [columns=SOCKS::Info, ev=SOCKS::log_socks, path=socks, policy=SOCKS::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (SSH::LOG, [columns=SSH::Info, ev=SSH::log_ssh, path=ssh, policy=SSH::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (SSL::LOG, [columns=SSL::Info, ev=SSL::log_ssl, path=ssl, policy=SSL::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Signatures::LOG, [columns=Signatures::Info, ev=Signatures::log_signature, path=signatures, policy=Signatures::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Software::LOG, [columns=Software::Info, ev=Software::log_software, path=software, policy=Software::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Syslog::LOG, [columns=Syslog::Info, ev=<uninitialized>, path=syslog, policy=Syslog::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Tunnel::LOG, [columns=Tunnel::Info, ev=<uninitialized>, path=tunnel, policy=Tunnel::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509, policy=X509::log_policy, event_groups={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql, policy=MySQL::log_policy, event_groups={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::get_filter, <frame>, (SSL::LOG, default)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::log_stream_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T, failure_reason=<uninitialized>], PacketFilter::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T, failure_reason=<uninitialized>])) -> <no result>
@@ -1781,55 +1781,55 @@
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, path=weird, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (X509::LOG, [name=default, writer=Log::WRITER_ASCII, path=x509, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, path=mysql, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Broker::LOG, [columns=Broker::Info, ev=<uninitialized>, path=broker, policy=Broker::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Cluster::LOG, [columns=Cluster::Info, ev=<uninitialized>, path=cluster, policy=Cluster::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Config::LOG, [columns=Config::Info, ev=Config::log_config, path=config, policy=Config::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Conn::LOG, [columns=Conn::Info, ev=Conn::log_conn, path=conn, policy=Conn::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (DCE_RPC::LOG, [columns=DCE_RPC::Info, ev=<uninitialized>, path=dce_rpc, policy=DCE_RPC::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (DHCP::LOG, [columns=DHCP::Info, ev=DHCP::log_dhcp, path=dhcp, policy=DHCP::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (DNP3::LOG, [columns=DNP3::Info, ev=DNP3::log_dnp3, path=dnp3, policy=DNP3::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (DNS::LOG, [columns=DNS::Info, ev=DNS::log_dns, path=dns, policy=DNS::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (DPD::LOG, [columns=DPD::Info, ev=<uninitialized>, path=dpd, policy=DPD::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (FTP::LOG, [columns=FTP::Info, ev=FTP::log_ftp, path=ftp, policy=FTP::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files, policy=Files::log_policy{ if ((F == X509::log_x509_in_files_log) && (X509 in X509::rec$analyzers)) break }]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http, policy=HTTP::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (IRC::LOG, [columns=IRC::Info, ev=IRC::irc_log, path=irc, policy=IRC::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Intel::LOG, [columns=Intel::Info, ev=Intel::log_intel, path=intel, policy=Intel::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (KRB::LOG, [columns=KRB::Info, ev=KRB::log_krb, path=kerberos, policy=KRB::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (MQTT::CONNECT_LOG, [columns=MQTT::ConnectInfo, ev=MQTT::log_mqtt, path=mqtt_connect, policy=MQTT::log_policy_connect]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (MQTT::PUBLISH_LOG, [columns=MQTT::PublishInfo, ev=<uninitialized>, path=mqtt_publish, policy=MQTT::log_policy_publish]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (MQTT::SUBSCRIBE_LOG, [columns=MQTT::SubscribeInfo, ev=<uninitialized>, path=mqtt_subscribe, policy=MQTT::log_policy_subscribe]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Modbus::LOG, [columns=Modbus::Info, ev=Modbus::log_modbus, path=modbus, policy=Modbus::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (NTLM::LOG, [columns=NTLM::Info, ev=<uninitialized>, path=ntlm, policy=NTLM::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (NTP::LOG, [columns=NTP::Info, ev=NTP::log_ntp, path=ntp, policy=NTP::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (NetControl::DROP_LOG, [columns=NetControl::DropInfo, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop, policy=NetControl::log_policy_drop]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (NetControl::LOG, [columns=NetControl::Info, ev=NetControl::log_netcontrol, path=netcontrol, policy=NetControl::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (NetControl::SHUNT, [columns=NetControl::ShuntInfo, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt, policy=NetControl::log_policy_shunt]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Notice::ALARM_LOG, [columns=Notice::Info, ev=<uninitialized>, path=notice_alarm, policy=Notice::log_policy_alarm]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice, policy=Notice::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (OCSP::LOG, [columns=OCSP::Info, ev=OCSP::log_ocsp, path=ocsp, policy=OCSP::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (OpenFlow::LOG, [columns=OpenFlow::Info, ev=OpenFlow::log_openflow, path=openflow, policy=OpenFlow::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (PE::LOG, [columns=PE::Info, ev=PE::log_pe, path=pe, policy=PE::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (PacketFilter::LOG, [columns=PacketFilter::Info, ev=<uninitialized>, path=packet_filter, policy=PacketFilter::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (RADIUS::LOG, [columns=RADIUS::Info, ev=RADIUS::log_radius, path=radius, policy=RADIUS::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (RDP::LOG, [columns=RDP::Info, ev=RDP::log_rdp, path=rdp, policy=RDP::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (RFB::LOG, [columns=RFB::Info, ev=RFB::log_rfb, path=rfb, policy=RFB::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Reporter::LOG, [columns=Reporter::Info, ev=<uninitialized>, path=reporter, policy=Reporter::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (SIP::LOG, [columns=SIP::Info, ev=SIP::log_sip, path=sip, policy=SIP::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (SMB::FILES_LOG, [columns=SMB::FileInfo, ev=<uninitialized>, path=smb_files, policy=SMB::log_policy_files]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (SMB::MAPPING_LOG, [columns=SMB::TreeInfo, ev=<uninitialized>, path=smb_mapping, policy=SMB::log_policy_mapping]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (SMTP::LOG, [columns=SMTP::Info, ev=SMTP::log_smtp, path=smtp, policy=SMTP::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (SNMP::LOG, [columns=SNMP::Info, ev=SNMP::log_snmp, path=snmp, policy=SNMP::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (SOCKS::LOG, [columns=SOCKS::Info, ev=SOCKS::log_socks, path=socks, policy=SOCKS::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (SSH::LOG, [columns=SSH::Info, ev=SSH::log_ssh, path=ssh, policy=SSH::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (SSL::LOG, [columns=SSL::Info, ev=SSL::log_ssl, path=ssl, policy=SSL::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Signatures::LOG, [columns=Signatures::Info, ev=Signatures::log_signature, path=signatures, policy=Signatures::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Software::LOG, [columns=Software::Info, ev=Software::log_software, path=software, policy=Software::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Syslog::LOG, [columns=Syslog::Info, ev=<uninitialized>, path=syslog, policy=Syslog::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Tunnel::LOG, [columns=Tunnel::Info, ev=<uninitialized>, path=tunnel, policy=Tunnel::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509, policy=X509::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql, policy=MySQL::log_policy]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Broker::LOG, [columns=Broker::Info, ev=<uninitialized>, path=broker, policy=Broker::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Cluster::LOG, [columns=Cluster::Info, ev=<uninitialized>, path=cluster, policy=Cluster::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Config::LOG, [columns=Config::Info, ev=Config::log_config, path=config, policy=Config::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Conn::LOG, [columns=Conn::Info, ev=Conn::log_conn, path=conn, policy=Conn::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (DCE_RPC::LOG, [columns=DCE_RPC::Info, ev=<uninitialized>, path=dce_rpc, policy=DCE_RPC::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (DHCP::LOG, [columns=DHCP::Info, ev=DHCP::log_dhcp, path=dhcp, policy=DHCP::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (DNP3::LOG, [columns=DNP3::Info, ev=DNP3::log_dnp3, path=dnp3, policy=DNP3::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (DNS::LOG, [columns=DNS::Info, ev=DNS::log_dns, path=dns, policy=DNS::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (DPD::LOG, [columns=DPD::Info, ev=<uninitialized>, path=dpd, policy=DPD::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (FTP::LOG, [columns=FTP::Info, ev=FTP::log_ftp, path=ftp, policy=FTP::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files, policy=Files::log_policy{ if ((F == X509::log_x509_in_files_log) && (X509 in X509::rec$analyzers)) break }, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http, policy=HTTP::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (IRC::LOG, [columns=IRC::Info, ev=IRC::irc_log, path=irc, policy=IRC::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Intel::LOG, [columns=Intel::Info, ev=Intel::log_intel, path=intel, policy=Intel::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (KRB::LOG, [columns=KRB::Info, ev=KRB::log_krb, path=kerberos, policy=KRB::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (MQTT::CONNECT_LOG, [columns=MQTT::ConnectInfo, ev=MQTT::log_mqtt, path=mqtt_connect, policy=MQTT::log_policy_connect, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (MQTT::PUBLISH_LOG, [columns=MQTT::PublishInfo, ev=<uninitialized>, path=mqtt_publish, policy=MQTT::log_policy_publish, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (MQTT::SUBSCRIBE_LOG, [columns=MQTT::SubscribeInfo, ev=<uninitialized>, path=mqtt_subscribe, policy=MQTT::log_policy_subscribe, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Modbus::LOG, [columns=Modbus::Info, ev=Modbus::log_modbus, path=modbus, policy=Modbus::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (NTLM::LOG, [columns=NTLM::Info, ev=<uninitialized>, path=ntlm, policy=NTLM::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (NTP::LOG, [columns=NTP::Info, ev=NTP::log_ntp, path=ntp, policy=NTP::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (NetControl::DROP_LOG, [columns=NetControl::DropInfo, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop, policy=NetControl::log_policy_drop, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (NetControl::LOG, [columns=NetControl::Info, ev=NetControl::log_netcontrol, path=netcontrol, policy=NetControl::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (NetControl::SHUNT, [columns=NetControl::ShuntInfo, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt, policy=NetControl::log_policy_shunt, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Notice::ALARM_LOG, [columns=Notice::Info, ev=<uninitialized>, path=notice_alarm, policy=Notice::log_policy_alarm, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice, policy=Notice::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (OCSP::LOG, [columns=OCSP::Info, ev=OCSP::log_ocsp, path=ocsp, policy=OCSP::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (OpenFlow::LOG, [columns=OpenFlow::Info, ev=OpenFlow::log_openflow, path=openflow, policy=OpenFlow::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (PE::LOG, [columns=PE::Info, ev=PE::log_pe, path=pe, policy=PE::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (PacketFilter::LOG, [columns=PacketFilter::Info, ev=<uninitialized>, path=packet_filter, policy=PacketFilter::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (RADIUS::LOG, [columns=RADIUS::Info, ev=RADIUS::log_radius, path=radius, policy=RADIUS::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (RDP::LOG, [columns=RDP::Info, ev=RDP::log_rdp, path=rdp, policy=RDP::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (RFB::LOG, [columns=RFB::Info, ev=RFB::log_rfb, path=rfb, policy=RFB::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Reporter::LOG, [columns=Reporter::Info, ev=<uninitialized>, path=reporter, policy=Reporter::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (SIP::LOG, [columns=SIP::Info, ev=SIP::log_sip, path=sip, policy=SIP::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (SMB::FILES_LOG, [columns=SMB::FileInfo, ev=<uninitialized>, path=smb_files, policy=SMB::log_policy_files, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (SMB::MAPPING_LOG, [columns=SMB::TreeInfo, ev=<uninitialized>, path=smb_mapping, policy=SMB::log_policy_mapping, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (SMTP::LOG, [columns=SMTP::Info, ev=SMTP::log_smtp, path=smtp, policy=SMTP::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (SNMP::LOG, [columns=SNMP::Info, ev=SNMP::log_snmp, path=snmp, policy=SNMP::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (SOCKS::LOG, [columns=SOCKS::Info, ev=SOCKS::log_socks, path=socks, policy=SOCKS::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (SSH::LOG, [columns=SSH::Info, ev=SSH::log_ssh, path=ssh, policy=SSH::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (SSL::LOG, [columns=SSL::Info, ev=SSL::log_ssl, path=ssl, policy=SSL::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Signatures::LOG, [columns=Signatures::Info, ev=Signatures::log_signature, path=signatures, policy=Signatures::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Software::LOG, [columns=Software::Info, ev=Software::log_software, path=software, policy=Software::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Syslog::LOG, [columns=Syslog::Info, ev=<uninitialized>, path=syslog, policy=Syslog::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Tunnel::LOG, [columns=Tunnel::Info, ev=<uninitialized>, path=tunnel, policy=Tunnel::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509, policy=X509::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql, policy=MySQL::log_policy, event_groups={}]))
 0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T, failure_reason=<uninitialized>]))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Broker::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG))
@@ -1979,55 +1979,55 @@
 0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (Weird::LOG, default))
 0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (X509::LOG, default))
 0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (mysql::LOG, default))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Broker::LOG, [columns=Broker::Info, ev=<uninitialized>, path=broker, policy=Broker::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Cluster::LOG, [columns=Cluster::Info, ev=<uninitialized>, path=cluster, policy=Cluster::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Config::LOG, [columns=Config::Info, ev=Config::log_config, path=config, policy=Config::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Conn::LOG, [columns=Conn::Info, ev=Conn::log_conn, path=conn, policy=Conn::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (DCE_RPC::LOG, [columns=DCE_RPC::Info, ev=<uninitialized>, path=dce_rpc, policy=DCE_RPC::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (DHCP::LOG, [columns=DHCP::Info, ev=DHCP::log_dhcp, path=dhcp, policy=DHCP::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (DNP3::LOG, [columns=DNP3::Info, ev=DNP3::log_dnp3, path=dnp3, policy=DNP3::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (DNS::LOG, [columns=DNS::Info, ev=DNS::log_dns, path=dns, policy=DNS::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (DPD::LOG, [columns=DPD::Info, ev=<uninitialized>, path=dpd, policy=DPD::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (FTP::LOG, [columns=FTP::Info, ev=FTP::log_ftp, path=ftp, policy=FTP::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files, policy=Files::log_policy{ if ((F == X509::log_x509_in_files_log) && (X509 in X509::rec$analyzers)) break }]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http, policy=HTTP::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (IRC::LOG, [columns=IRC::Info, ev=IRC::irc_log, path=irc, policy=IRC::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Intel::LOG, [columns=Intel::Info, ev=Intel::log_intel, path=intel, policy=Intel::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (KRB::LOG, [columns=KRB::Info, ev=KRB::log_krb, path=kerberos, policy=KRB::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (MQTT::CONNECT_LOG, [columns=MQTT::ConnectInfo, ev=MQTT::log_mqtt, path=mqtt_connect, policy=MQTT::log_policy_connect]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (MQTT::PUBLISH_LOG, [columns=MQTT::PublishInfo, ev=<uninitialized>, path=mqtt_publish, policy=MQTT::log_policy_publish]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (MQTT::SUBSCRIBE_LOG, [columns=MQTT::SubscribeInfo, ev=<uninitialized>, path=mqtt_subscribe, policy=MQTT::log_policy_subscribe]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Modbus::LOG, [columns=Modbus::Info, ev=Modbus::log_modbus, path=modbus, policy=Modbus::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (NTLM::LOG, [columns=NTLM::Info, ev=<uninitialized>, path=ntlm, policy=NTLM::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (NTP::LOG, [columns=NTP::Info, ev=NTP::log_ntp, path=ntp, policy=NTP::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (NetControl::DROP_LOG, [columns=NetControl::DropInfo, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop, policy=NetControl::log_policy_drop]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (NetControl::LOG, [columns=NetControl::Info, ev=NetControl::log_netcontrol, path=netcontrol, policy=NetControl::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (NetControl::SHUNT, [columns=NetControl::ShuntInfo, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt, policy=NetControl::log_policy_shunt]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Notice::ALARM_LOG, [columns=Notice::Info, ev=<uninitialized>, path=notice_alarm, policy=Notice::log_policy_alarm]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice, policy=Notice::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (OCSP::LOG, [columns=OCSP::Info, ev=OCSP::log_ocsp, path=ocsp, policy=OCSP::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (OpenFlow::LOG, [columns=OpenFlow::Info, ev=OpenFlow::log_openflow, path=openflow, policy=OpenFlow::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (PE::LOG, [columns=PE::Info, ev=PE::log_pe, path=pe, policy=PE::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (PacketFilter::LOG, [columns=PacketFilter::Info, ev=<uninitialized>, path=packet_filter, policy=PacketFilter::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (RADIUS::LOG, [columns=RADIUS::Info, ev=RADIUS::log_radius, path=radius, policy=RADIUS::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (RDP::LOG, [columns=RDP::Info, ev=RDP::log_rdp, path=rdp, policy=RDP::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (RFB::LOG, [columns=RFB::Info, ev=RFB::log_rfb, path=rfb, policy=RFB::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Reporter::LOG, [columns=Reporter::Info, ev=<uninitialized>, path=reporter, policy=Reporter::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (SIP::LOG, [columns=SIP::Info, ev=SIP::log_sip, path=sip, policy=SIP::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (SMB::FILES_LOG, [columns=SMB::FileInfo, ev=<uninitialized>, path=smb_files, policy=SMB::log_policy_files]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (SMB::MAPPING_LOG, [columns=SMB::TreeInfo, ev=<uninitialized>, path=smb_mapping, policy=SMB::log_policy_mapping]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (SMTP::LOG, [columns=SMTP::Info, ev=SMTP::log_smtp, path=smtp, policy=SMTP::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (SNMP::LOG, [columns=SNMP::Info, ev=SNMP::log_snmp, path=snmp, policy=SNMP::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (SOCKS::LOG, [columns=SOCKS::Info, ev=SOCKS::log_socks, path=socks, policy=SOCKS::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (SSH::LOG, [columns=SSH::Info, ev=SSH::log_ssh, path=ssh, policy=SSH::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (SSL::LOG, [columns=SSL::Info, ev=SSL::log_ssl, path=ssl, policy=SSL::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Signatures::LOG, [columns=Signatures::Info, ev=Signatures::log_signature, path=signatures, policy=Signatures::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Software::LOG, [columns=Software::Info, ev=Software::log_software, path=software, policy=Software::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Syslog::LOG, [columns=Syslog::Info, ev=<uninitialized>, path=syslog, policy=Syslog::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Tunnel::LOG, [columns=Tunnel::Info, ev=<uninitialized>, path=tunnel, policy=Tunnel::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509, policy=X509::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql, policy=MySQL::log_policy]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Broker::LOG, [columns=Broker::Info, ev=<uninitialized>, path=broker, policy=Broker::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Cluster::LOG, [columns=Cluster::Info, ev=<uninitialized>, path=cluster, policy=Cluster::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Config::LOG, [columns=Config::Info, ev=Config::log_config, path=config, policy=Config::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Conn::LOG, [columns=Conn::Info, ev=Conn::log_conn, path=conn, policy=Conn::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (DCE_RPC::LOG, [columns=DCE_RPC::Info, ev=<uninitialized>, path=dce_rpc, policy=DCE_RPC::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (DHCP::LOG, [columns=DHCP::Info, ev=DHCP::log_dhcp, path=dhcp, policy=DHCP::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (DNP3::LOG, [columns=DNP3::Info, ev=DNP3::log_dnp3, path=dnp3, policy=DNP3::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (DNS::LOG, [columns=DNS::Info, ev=DNS::log_dns, path=dns, policy=DNS::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (DPD::LOG, [columns=DPD::Info, ev=<uninitialized>, path=dpd, policy=DPD::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (FTP::LOG, [columns=FTP::Info, ev=FTP::log_ftp, path=ftp, policy=FTP::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files, policy=Files::log_policy{ if ((F == X509::log_x509_in_files_log) && (X509 in X509::rec$analyzers)) break }, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http, policy=HTTP::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (IRC::LOG, [columns=IRC::Info, ev=IRC::irc_log, path=irc, policy=IRC::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Intel::LOG, [columns=Intel::Info, ev=Intel::log_intel, path=intel, policy=Intel::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (KRB::LOG, [columns=KRB::Info, ev=KRB::log_krb, path=kerberos, policy=KRB::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (MQTT::CONNECT_LOG, [columns=MQTT::ConnectInfo, ev=MQTT::log_mqtt, path=mqtt_connect, policy=MQTT::log_policy_connect, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (MQTT::PUBLISH_LOG, [columns=MQTT::PublishInfo, ev=<uninitialized>, path=mqtt_publish, policy=MQTT::log_policy_publish, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (MQTT::SUBSCRIBE_LOG, [columns=MQTT::SubscribeInfo, ev=<uninitialized>, path=mqtt_subscribe, policy=MQTT::log_policy_subscribe, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Modbus::LOG, [columns=Modbus::Info, ev=Modbus::log_modbus, path=modbus, policy=Modbus::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (NTLM::LOG, [columns=NTLM::Info, ev=<uninitialized>, path=ntlm, policy=NTLM::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (NTP::LOG, [columns=NTP::Info, ev=NTP::log_ntp, path=ntp, policy=NTP::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (NetControl::DROP_LOG, [columns=NetControl::DropInfo, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop, policy=NetControl::log_policy_drop, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (NetControl::LOG, [columns=NetControl::Info, ev=NetControl::log_netcontrol, path=netcontrol, policy=NetControl::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (NetControl::SHUNT, [columns=NetControl::ShuntInfo, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt, policy=NetControl::log_policy_shunt, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Notice::ALARM_LOG, [columns=Notice::Info, ev=<uninitialized>, path=notice_alarm, policy=Notice::log_policy_alarm, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice, policy=Notice::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (OCSP::LOG, [columns=OCSP::Info, ev=OCSP::log_ocsp, path=ocsp, policy=OCSP::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (OpenFlow::LOG, [columns=OpenFlow::Info, ev=OpenFlow::log_openflow, path=openflow, policy=OpenFlow::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (PE::LOG, [columns=PE::Info, ev=PE::log_pe, path=pe, policy=PE::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (PacketFilter::LOG, [columns=PacketFilter::Info, ev=<uninitialized>, path=packet_filter, policy=PacketFilter::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (RADIUS::LOG, [columns=RADIUS::Info, ev=RADIUS::log_radius, path=radius, policy=RADIUS::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (RDP::LOG, [columns=RDP::Info, ev=RDP::log_rdp, path=rdp, policy=RDP::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (RFB::LOG, [columns=RFB::Info, ev=RFB::log_rfb, path=rfb, policy=RFB::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Reporter::LOG, [columns=Reporter::Info, ev=<uninitialized>, path=reporter, policy=Reporter::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (SIP::LOG, [columns=SIP::Info, ev=SIP::log_sip, path=sip, policy=SIP::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (SMB::FILES_LOG, [columns=SMB::FileInfo, ev=<uninitialized>, path=smb_files, policy=SMB::log_policy_files, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (SMB::MAPPING_LOG, [columns=SMB::TreeInfo, ev=<uninitialized>, path=smb_mapping, policy=SMB::log_policy_mapping, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (SMTP::LOG, [columns=SMTP::Info, ev=SMTP::log_smtp, path=smtp, policy=SMTP::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (SNMP::LOG, [columns=SNMP::Info, ev=SNMP::log_snmp, path=snmp, policy=SNMP::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (SOCKS::LOG, [columns=SOCKS::Info, ev=SOCKS::log_socks, path=socks, policy=SOCKS::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (SSH::LOG, [columns=SSH::Info, ev=SSH::log_ssh, path=ssh, policy=SSH::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (SSL::LOG, [columns=SSL::Info, ev=SSL::log_ssl, path=ssl, policy=SSL::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Signatures::LOG, [columns=Signatures::Info, ev=Signatures::log_signature, path=signatures, policy=Signatures::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Software::LOG, [columns=Software::Info, ev=Software::log_software, path=software, policy=Software::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Syslog::LOG, [columns=Syslog::Info, ev=<uninitialized>, path=syslog, policy=Syslog::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Tunnel::LOG, [columns=Tunnel::Info, ev=<uninitialized>, path=tunnel, policy=Tunnel::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509, policy=X509::log_policy, event_groups={}]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql, policy=MySQL::log_policy, event_groups={}]))
 0.000000   MetaHookPre   CallFunction(Log::get_filter, <frame>, (SSL::LOG, default))
 0.000000   MetaHookPre   CallFunction(Log::log_stream_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T, failure_reason=<uninitialized>], PacketFilter::LOG))
 0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T, failure_reason=<uninitialized>]))
@@ -3319,55 +3319,55 @@
 0.000000 | HookCallFunction Log::__add_filter(Weird::LOG, [name=default, writer=Log::WRITER_ASCII, path=weird, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
 0.000000 | HookCallFunction Log::__add_filter(X509::LOG, [name=default, writer=Log::WRITER_ASCII, path=x509, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
 0.000000 | HookCallFunction Log::__add_filter(mysql::LOG, [name=default, writer=Log::WRITER_ASCII, path=mysql, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__create_stream(Broker::LOG, [columns=Broker::Info, ev=<uninitialized>, path=broker, policy=Broker::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(Cluster::LOG, [columns=Cluster::Info, ev=<uninitialized>, path=cluster, policy=Cluster::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(Config::LOG, [columns=Config::Info, ev=Config::log_config, path=config, policy=Config::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(Conn::LOG, [columns=Conn::Info, ev=Conn::log_conn, path=conn, policy=Conn::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(DCE_RPC::LOG, [columns=DCE_RPC::Info, ev=<uninitialized>, path=dce_rpc, policy=DCE_RPC::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(DHCP::LOG, [columns=DHCP::Info, ev=DHCP::log_dhcp, path=dhcp, policy=DHCP::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(DNP3::LOG, [columns=DNP3::Info, ev=DNP3::log_dnp3, path=dnp3, policy=DNP3::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(DNS::LOG, [columns=DNS::Info, ev=DNS::log_dns, path=dns, policy=DNS::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(DPD::LOG, [columns=DPD::Info, ev=<uninitialized>, path=dpd, policy=DPD::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(FTP::LOG, [columns=FTP::Info, ev=FTP::log_ftp, path=ftp, policy=FTP::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files, policy=Files::log_policy{ if ((F == X509::log_x509_in_files_log) && (X509 in X509::rec$analyzers)) break }])
-0.000000 | HookCallFunction Log::__create_stream(HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http, policy=HTTP::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(IRC::LOG, [columns=IRC::Info, ev=IRC::irc_log, path=irc, policy=IRC::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(Intel::LOG, [columns=Intel::Info, ev=Intel::log_intel, path=intel, policy=Intel::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(KRB::LOG, [columns=KRB::Info, ev=KRB::log_krb, path=kerberos, policy=KRB::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(MQTT::CONNECT_LOG, [columns=MQTT::ConnectInfo, ev=MQTT::log_mqtt, path=mqtt_connect, policy=MQTT::log_policy_connect])
-0.000000 | HookCallFunction Log::__create_stream(MQTT::PUBLISH_LOG, [columns=MQTT::PublishInfo, ev=<uninitialized>, path=mqtt_publish, policy=MQTT::log_policy_publish])
-0.000000 | HookCallFunction Log::__create_stream(MQTT::SUBSCRIBE_LOG, [columns=MQTT::SubscribeInfo, ev=<uninitialized>, path=mqtt_subscribe, policy=MQTT::log_policy_subscribe])
-0.000000 | HookCallFunction Log::__create_stream(Modbus::LOG, [columns=Modbus::Info, ev=Modbus::log_modbus, path=modbus, policy=Modbus::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(NTLM::LOG, [columns=NTLM::Info, ev=<uninitialized>, path=ntlm, policy=NTLM::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(NTP::LOG, [columns=NTP::Info, ev=NTP::log_ntp, path=ntp, policy=NTP::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(NetControl::DROP_LOG, [columns=NetControl::DropInfo, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop, policy=NetControl::log_policy_drop])
-0.000000 | HookCallFunction Log::__create_stream(NetControl::LOG, [columns=NetControl::Info, ev=NetControl::log_netcontrol, path=netcontrol, policy=NetControl::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(NetControl::SHUNT, [columns=NetControl::ShuntInfo, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt, policy=NetControl::log_policy_shunt])
-0.000000 | HookCallFunction Log::__create_stream(Notice::ALARM_LOG, [columns=Notice::Info, ev=<uninitialized>, path=notice_alarm, policy=Notice::log_policy_alarm])
-0.000000 | HookCallFunction Log::__create_stream(Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice, policy=Notice::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(OCSP::LOG, [columns=OCSP::Info, ev=OCSP::log_ocsp, path=ocsp, policy=OCSP::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(OpenFlow::LOG, [columns=OpenFlow::Info, ev=OpenFlow::log_openflow, path=openflow, policy=OpenFlow::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(PE::LOG, [columns=PE::Info, ev=PE::log_pe, path=pe, policy=PE::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(PacketFilter::LOG, [columns=PacketFilter::Info, ev=<uninitialized>, path=packet_filter, policy=PacketFilter::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(RADIUS::LOG, [columns=RADIUS::Info, ev=RADIUS::log_radius, path=radius, policy=RADIUS::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(RDP::LOG, [columns=RDP::Info, ev=RDP::log_rdp, path=rdp, policy=RDP::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(RFB::LOG, [columns=RFB::Info, ev=RFB::log_rfb, path=rfb, policy=RFB::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(Reporter::LOG, [columns=Reporter::Info, ev=<uninitialized>, path=reporter, policy=Reporter::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(SIP::LOG, [columns=SIP::Info, ev=SIP::log_sip, path=sip, policy=SIP::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(SMB::FILES_LOG, [columns=SMB::FileInfo, ev=<uninitialized>, path=smb_files, policy=SMB::log_policy_files])
-0.000000 | HookCallFunction Log::__create_stream(SMB::MAPPING_LOG, [columns=SMB::TreeInfo, ev=<uninitialized>, path=smb_mapping, policy=SMB::log_policy_mapping])
-0.000000 | HookCallFunction Log::__create_stream(SMTP::LOG, [columns=SMTP::Info, ev=SMTP::log_smtp, path=smtp, policy=SMTP::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(SNMP::LOG, [columns=SNMP::Info, ev=SNMP::log_snmp, path=snmp, policy=SNMP::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(SOCKS::LOG, [columns=SOCKS::Info, ev=SOCKS::log_socks, path=socks, policy=SOCKS::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(SSH::LOG, [columns=SSH::Info, ev=SSH::log_ssh, path=ssh, policy=SSH::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(SSL::LOG, [columns=SSL::Info, ev=SSL::log_ssl, path=ssl, policy=SSL::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(Signatures::LOG, [columns=Signatures::Info, ev=Signatures::log_signature, path=signatures, policy=Signatures::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(Software::LOG, [columns=Software::Info, ev=Software::log_software, path=software, policy=Software::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(Syslog::LOG, [columns=Syslog::Info, ev=<uninitialized>, path=syslog, policy=Syslog::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(Tunnel::LOG, [columns=Tunnel::Info, ev=<uninitialized>, path=tunnel, policy=Tunnel::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509, policy=X509::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql, policy=MySQL::log_policy])
+0.000000 | HookCallFunction Log::__create_stream(Broker::LOG, [columns=Broker::Info, ev=<uninitialized>, path=broker, policy=Broker::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(Cluster::LOG, [columns=Cluster::Info, ev=<uninitialized>, path=cluster, policy=Cluster::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(Config::LOG, [columns=Config::Info, ev=Config::log_config, path=config, policy=Config::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(Conn::LOG, [columns=Conn::Info, ev=Conn::log_conn, path=conn, policy=Conn::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(DCE_RPC::LOG, [columns=DCE_RPC::Info, ev=<uninitialized>, path=dce_rpc, policy=DCE_RPC::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(DHCP::LOG, [columns=DHCP::Info, ev=DHCP::log_dhcp, path=dhcp, policy=DHCP::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(DNP3::LOG, [columns=DNP3::Info, ev=DNP3::log_dnp3, path=dnp3, policy=DNP3::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(DNS::LOG, [columns=DNS::Info, ev=DNS::log_dns, path=dns, policy=DNS::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(DPD::LOG, [columns=DPD::Info, ev=<uninitialized>, path=dpd, policy=DPD::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(FTP::LOG, [columns=FTP::Info, ev=FTP::log_ftp, path=ftp, policy=FTP::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files, policy=Files::log_policy{ if ((F == X509::log_x509_in_files_log) && (X509 in X509::rec$analyzers)) break }, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http, policy=HTTP::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(IRC::LOG, [columns=IRC::Info, ev=IRC::irc_log, path=irc, policy=IRC::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(Intel::LOG, [columns=Intel::Info, ev=Intel::log_intel, path=intel, policy=Intel::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(KRB::LOG, [columns=KRB::Info, ev=KRB::log_krb, path=kerberos, policy=KRB::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(MQTT::CONNECT_LOG, [columns=MQTT::ConnectInfo, ev=MQTT::log_mqtt, path=mqtt_connect, policy=MQTT::log_policy_connect, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(MQTT::PUBLISH_LOG, [columns=MQTT::PublishInfo, ev=<uninitialized>, path=mqtt_publish, policy=MQTT::log_policy_publish, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(MQTT::SUBSCRIBE_LOG, [columns=MQTT::SubscribeInfo, ev=<uninitialized>, path=mqtt_subscribe, policy=MQTT::log_policy_subscribe, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(Modbus::LOG, [columns=Modbus::Info, ev=Modbus::log_modbus, path=modbus, policy=Modbus::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(NTLM::LOG, [columns=NTLM::Info, ev=<uninitialized>, path=ntlm, policy=NTLM::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(NTP::LOG, [columns=NTP::Info, ev=NTP::log_ntp, path=ntp, policy=NTP::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(NetControl::DROP_LOG, [columns=NetControl::DropInfo, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop, policy=NetControl::log_policy_drop, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(NetControl::LOG, [columns=NetControl::Info, ev=NetControl::log_netcontrol, path=netcontrol, policy=NetControl::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(NetControl::SHUNT, [columns=NetControl::ShuntInfo, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt, policy=NetControl::log_policy_shunt, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(Notice::ALARM_LOG, [columns=Notice::Info, ev=<uninitialized>, path=notice_alarm, policy=Notice::log_policy_alarm, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice, policy=Notice::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(OCSP::LOG, [columns=OCSP::Info, ev=OCSP::log_ocsp, path=ocsp, policy=OCSP::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(OpenFlow::LOG, [columns=OpenFlow::Info, ev=OpenFlow::log_openflow, path=openflow, policy=OpenFlow::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(PE::LOG, [columns=PE::Info, ev=PE::log_pe, path=pe, policy=PE::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(PacketFilter::LOG, [columns=PacketFilter::Info, ev=<uninitialized>, path=packet_filter, policy=PacketFilter::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(RADIUS::LOG, [columns=RADIUS::Info, ev=RADIUS::log_radius, path=radius, policy=RADIUS::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(RDP::LOG, [columns=RDP::Info, ev=RDP::log_rdp, path=rdp, policy=RDP::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(RFB::LOG, [columns=RFB::Info, ev=RFB::log_rfb, path=rfb, policy=RFB::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(Reporter::LOG, [columns=Reporter::Info, ev=<uninitialized>, path=reporter, policy=Reporter::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(SIP::LOG, [columns=SIP::Info, ev=SIP::log_sip, path=sip, policy=SIP::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(SMB::FILES_LOG, [columns=SMB::FileInfo, ev=<uninitialized>, path=smb_files, policy=SMB::log_policy_files, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(SMB::MAPPING_LOG, [columns=SMB::TreeInfo, ev=<uninitialized>, path=smb_mapping, policy=SMB::log_policy_mapping, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(SMTP::LOG, [columns=SMTP::Info, ev=SMTP::log_smtp, path=smtp, policy=SMTP::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(SNMP::LOG, [columns=SNMP::Info, ev=SNMP::log_snmp, path=snmp, policy=SNMP::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(SOCKS::LOG, [columns=SOCKS::Info, ev=SOCKS::log_socks, path=socks, policy=SOCKS::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(SSH::LOG, [columns=SSH::Info, ev=SSH::log_ssh, path=ssh, policy=SSH::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(SSL::LOG, [columns=SSL::Info, ev=SSL::log_ssl, path=ssl, policy=SSL::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(Signatures::LOG, [columns=Signatures::Info, ev=Signatures::log_signature, path=signatures, policy=Signatures::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(Software::LOG, [columns=Software::Info, ev=Software::log_software, path=software, policy=Software::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(Syslog::LOG, [columns=Syslog::Info, ev=<uninitialized>, path=syslog, policy=Syslog::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(Tunnel::LOG, [columns=Tunnel::Info, ev=<uninitialized>, path=tunnel, policy=Tunnel::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509, policy=X509::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql, policy=MySQL::log_policy, event_groups={}])
 0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T, failure_reason=<uninitialized>])
 0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
@@ -3517,55 +3517,55 @@
 0.000000 | HookCallFunction Log::add_stream_filters(Weird::LOG, default)
 0.000000 | HookCallFunction Log::add_stream_filters(X509::LOG, default)
 0.000000 | HookCallFunction Log::add_stream_filters(mysql::LOG, default)
-0.000000 | HookCallFunction Log::create_stream(Broker::LOG, [columns=Broker::Info, ev=<uninitialized>, path=broker, policy=Broker::log_policy])
-0.000000 | HookCallFunction Log::create_stream(Cluster::LOG, [columns=Cluster::Info, ev=<uninitialized>, path=cluster, policy=Cluster::log_policy])
-0.000000 | HookCallFunction Log::create_stream(Config::LOG, [columns=Config::Info, ev=Config::log_config, path=config, policy=Config::log_policy])
-0.000000 | HookCallFunction Log::create_stream(Conn::LOG, [columns=Conn::Info, ev=Conn::log_conn, path=conn, policy=Conn::log_policy])
-0.000000 | HookCallFunction Log::create_stream(DCE_RPC::LOG, [columns=DCE_RPC::Info, ev=<uninitialized>, path=dce_rpc, policy=DCE_RPC::log_policy])
-0.000000 | HookCallFunction Log::create_stream(DHCP::LOG, [columns=DHCP::Info, ev=DHCP::log_dhcp, path=dhcp, policy=DHCP::log_policy])
-0.000000 | HookCallFunction Log::create_stream(DNP3::LOG, [columns=DNP3::Info, ev=DNP3::log_dnp3, path=dnp3, policy=DNP3::log_policy])
-0.000000 | HookCallFunction Log::create_stream(DNS::LOG, [columns=DNS::Info, ev=DNS::log_dns, path=dns, policy=DNS::log_policy])
-0.000000 | HookCallFunction Log::create_stream(DPD::LOG, [columns=DPD::Info, ev=<uninitialized>, path=dpd, policy=DPD::log_policy])
-0.000000 | HookCallFunction Log::create_stream(FTP::LOG, [columns=FTP::Info, ev=FTP::log_ftp, path=ftp, policy=FTP::log_policy])
-0.000000 | HookCallFunction Log::create_stream(Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files, policy=Files::log_policy{ if ((F == X509::log_x509_in_files_log) && (X509 in X509::rec$analyzers)) break }])
-0.000000 | HookCallFunction Log::create_stream(HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http, policy=HTTP::log_policy])
-0.000000 | HookCallFunction Log::create_stream(IRC::LOG, [columns=IRC::Info, ev=IRC::irc_log, path=irc, policy=IRC::log_policy])
-0.000000 | HookCallFunction Log::create_stream(Intel::LOG, [columns=Intel::Info, ev=Intel::log_intel, path=intel, policy=Intel::log_policy])
-0.000000 | HookCallFunction Log::create_stream(KRB::LOG, [columns=KRB::Info, ev=KRB::log_krb, path=kerberos, policy=KRB::log_policy])
-0.000000 | HookCallFunction Log::create_stream(MQTT::CONNECT_LOG, [columns=MQTT::ConnectInfo, ev=MQTT::log_mqtt, path=mqtt_connect, policy=MQTT::log_policy_connect])
-0.000000 | HookCallFunction Log::create_stream(MQTT::PUBLISH_LOG, [columns=MQTT::PublishInfo, ev=<uninitialized>, path=mqtt_publish, policy=MQTT::log_policy_publish])
-0.000000 | HookCallFunction Log::create_stream(MQTT::SUBSCRIBE_LOG, [columns=MQTT::SubscribeInfo, ev=<uninitialized>, path=mqtt_subscribe, policy=MQTT::log_policy_subscribe])
-0.000000 | HookCallFunction Log::create_stream(Modbus::LOG, [columns=Modbus::Info, ev=Modbus::log_modbus, path=modbus, policy=Modbus::log_policy])
-0.000000 | HookCallFunction Log::create_stream(NTLM::LOG, [columns=NTLM::Info, ev=<uninitialized>, path=ntlm, policy=NTLM::log_policy])
-0.000000 | HookCallFunction Log::create_stream(NTP::LOG, [columns=NTP::Info, ev=NTP::log_ntp, path=ntp, policy=NTP::log_policy])
-0.000000 | HookCallFunction Log::create_stream(NetControl::DROP_LOG, [columns=NetControl::DropInfo, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop, policy=NetControl::log_policy_drop])
-0.000000 | HookCallFunction Log::create_stream(NetControl::LOG, [columns=NetControl::Info, ev=NetControl::log_netcontrol, path=netcontrol, policy=NetControl::log_policy])
-0.000000 | HookCallFunction Log::create_stream(NetControl::SHUNT, [columns=NetControl::ShuntInfo, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt, policy=NetControl::log_policy_shunt])
-0.000000 | HookCallFunction Log::create_stream(Notice::ALARM_LOG, [columns=Notice::Info, ev=<uninitialized>, path=notice_alarm, policy=Notice::log_policy_alarm])
-0.000000 | HookCallFunction Log::create_stream(Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice, policy=Notice::log_policy])
-0.000000 | HookCallFunction Log::create_stream(OCSP::LOG, [columns=OCSP::Info, ev=OCSP::log_ocsp, path=ocsp, policy=OCSP::log_policy])
-0.000000 | HookCallFunction Log::create_stream(OpenFlow::LOG, [columns=OpenFlow::Info, ev=OpenFlow::log_openflow, path=openflow, policy=OpenFlow::log_policy])
-0.000000 | HookCallFunction Log::create_stream(PE::LOG, [columns=PE::Info, ev=PE::log_pe, path=pe, policy=PE::log_policy])
-0.000000 | HookCallFunction Log::create_stream(PacketFilter::LOG, [columns=PacketFilter::Info, ev=<uninitialized>, path=packet_filter, policy=PacketFilter::log_policy])
-0.000000 | HookCallFunction Log::create_stream(RADIUS::LOG, [columns=RADIUS::Info, ev=RADIUS::log_radius, path=radius, policy=RADIUS::log_policy])
-0.000000 | HookCallFunction Log::create_stream(RDP::LOG, [columns=RDP::Info, ev=RDP::log_rdp, path=rdp, policy=RDP::log_policy])
-0.000000 | HookCallFunction Log::create_stream(RFB::LOG, [columns=RFB::Info, ev=RFB::log_rfb, path=rfb, policy=RFB::log_policy])
-0.000000 | HookCallFunction Log::create_stream(Reporter::LOG, [columns=Reporter::Info, ev=<uninitialized>, path=reporter, policy=Reporter::log_policy])
-0.000000 | HookCallFunction Log::create_stream(SIP::LOG, [columns=SIP::Info, ev=SIP::log_sip, path=sip, policy=SIP::log_policy])
-0.000000 | HookCallFunction Log::create_stream(SMB::FILES_LOG, [columns=SMB::FileInfo, ev=<uninitialized>, path=smb_files, policy=SMB::log_policy_files])
-0.000000 | HookCallFunction Log::create_stream(SMB::MAPPING_LOG, [columns=SMB::TreeInfo, ev=<uninitialized>, path=smb_mapping, policy=SMB::log_policy_mapping])
-0.000000 | HookCallFunction Log::create_stream(SMTP::LOG, [columns=SMTP::Info, ev=SMTP::log_smtp, path=smtp, policy=SMTP::log_policy])
-0.000000 | HookCallFunction Log::create_stream(SNMP::LOG, [columns=SNMP::Info, ev=SNMP::log_snmp, path=snmp, policy=SNMP::log_policy])
-0.000000 | HookCallFunction Log::create_stream(SOCKS::LOG, [columns=SOCKS::Info, ev=SOCKS::log_socks, path=socks, policy=SOCKS::log_policy])
-0.000000 | HookCallFunction Log::create_stream(SSH::LOG, [columns=SSH::Info, ev=SSH::log_ssh, path=ssh, policy=SSH::log_policy])
-0.000000 | HookCallFunction Log::create_stream(SSL::LOG, [columns=SSL::Info, ev=SSL::log_ssl, path=ssl, policy=SSL::log_policy])
-0.000000 | HookCallFunction Log::create_stream(Signatures::LOG, [columns=Signatures::Info, ev=Signatures::log_signature, path=signatures, policy=Signatures::log_policy])
-0.000000 | HookCallFunction Log::create_stream(Software::LOG, [columns=Software::Info, ev=Software::log_software, path=software, policy=Software::log_policy])
-0.000000 | HookCallFunction Log::create_stream(Syslog::LOG, [columns=Syslog::Info, ev=<uninitialized>, path=syslog, policy=Syslog::log_policy])
-0.000000 | HookCallFunction Log::create_stream(Tunnel::LOG, [columns=Tunnel::Info, ev=<uninitialized>, path=tunnel, policy=Tunnel::log_policy])
-0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy])
-0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509, policy=X509::log_policy])
-0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql, policy=MySQL::log_policy])
+0.000000 | HookCallFunction Log::create_stream(Broker::LOG, [columns=Broker::Info, ev=<uninitialized>, path=broker, policy=Broker::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(Cluster::LOG, [columns=Cluster::Info, ev=<uninitialized>, path=cluster, policy=Cluster::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(Config::LOG, [columns=Config::Info, ev=Config::log_config, path=config, policy=Config::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(Conn::LOG, [columns=Conn::Info, ev=Conn::log_conn, path=conn, policy=Conn::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(DCE_RPC::LOG, [columns=DCE_RPC::Info, ev=<uninitialized>, path=dce_rpc, policy=DCE_RPC::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(DHCP::LOG, [columns=DHCP::Info, ev=DHCP::log_dhcp, path=dhcp, policy=DHCP::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(DNP3::LOG, [columns=DNP3::Info, ev=DNP3::log_dnp3, path=dnp3, policy=DNP3::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(DNS::LOG, [columns=DNS::Info, ev=DNS::log_dns, path=dns, policy=DNS::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(DPD::LOG, [columns=DPD::Info, ev=<uninitialized>, path=dpd, policy=DPD::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(FTP::LOG, [columns=FTP::Info, ev=FTP::log_ftp, path=ftp, policy=FTP::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files, policy=Files::log_policy{ if ((F == X509::log_x509_in_files_log) && (X509 in X509::rec$analyzers)) break }, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http, policy=HTTP::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(IRC::LOG, [columns=IRC::Info, ev=IRC::irc_log, path=irc, policy=IRC::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(Intel::LOG, [columns=Intel::Info, ev=Intel::log_intel, path=intel, policy=Intel::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(KRB::LOG, [columns=KRB::Info, ev=KRB::log_krb, path=kerberos, policy=KRB::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(MQTT::CONNECT_LOG, [columns=MQTT::ConnectInfo, ev=MQTT::log_mqtt, path=mqtt_connect, policy=MQTT::log_policy_connect, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(MQTT::PUBLISH_LOG, [columns=MQTT::PublishInfo, ev=<uninitialized>, path=mqtt_publish, policy=MQTT::log_policy_publish, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(MQTT::SUBSCRIBE_LOG, [columns=MQTT::SubscribeInfo, ev=<uninitialized>, path=mqtt_subscribe, policy=MQTT::log_policy_subscribe, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(Modbus::LOG, [columns=Modbus::Info, ev=Modbus::log_modbus, path=modbus, policy=Modbus::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(NTLM::LOG, [columns=NTLM::Info, ev=<uninitialized>, path=ntlm, policy=NTLM::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(NTP::LOG, [columns=NTP::Info, ev=NTP::log_ntp, path=ntp, policy=NTP::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(NetControl::DROP_LOG, [columns=NetControl::DropInfo, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop, policy=NetControl::log_policy_drop, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(NetControl::LOG, [columns=NetControl::Info, ev=NetControl::log_netcontrol, path=netcontrol, policy=NetControl::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(NetControl::SHUNT, [columns=NetControl::ShuntInfo, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt, policy=NetControl::log_policy_shunt, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(Notice::ALARM_LOG, [columns=Notice::Info, ev=<uninitialized>, path=notice_alarm, policy=Notice::log_policy_alarm, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice, policy=Notice::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(OCSP::LOG, [columns=OCSP::Info, ev=OCSP::log_ocsp, path=ocsp, policy=OCSP::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(OpenFlow::LOG, [columns=OpenFlow::Info, ev=OpenFlow::log_openflow, path=openflow, policy=OpenFlow::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(PE::LOG, [columns=PE::Info, ev=PE::log_pe, path=pe, policy=PE::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(PacketFilter::LOG, [columns=PacketFilter::Info, ev=<uninitialized>, path=packet_filter, policy=PacketFilter::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(RADIUS::LOG, [columns=RADIUS::Info, ev=RADIUS::log_radius, path=radius, policy=RADIUS::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(RDP::LOG, [columns=RDP::Info, ev=RDP::log_rdp, path=rdp, policy=RDP::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(RFB::LOG, [columns=RFB::Info, ev=RFB::log_rfb, path=rfb, policy=RFB::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(Reporter::LOG, [columns=Reporter::Info, ev=<uninitialized>, path=reporter, policy=Reporter::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(SIP::LOG, [columns=SIP::Info, ev=SIP::log_sip, path=sip, policy=SIP::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(SMB::FILES_LOG, [columns=SMB::FileInfo, ev=<uninitialized>, path=smb_files, policy=SMB::log_policy_files, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(SMB::MAPPING_LOG, [columns=SMB::TreeInfo, ev=<uninitialized>, path=smb_mapping, policy=SMB::log_policy_mapping, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(SMTP::LOG, [columns=SMTP::Info, ev=SMTP::log_smtp, path=smtp, policy=SMTP::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(SNMP::LOG, [columns=SNMP::Info, ev=SNMP::log_snmp, path=snmp, policy=SNMP::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(SOCKS::LOG, [columns=SOCKS::Info, ev=SOCKS::log_socks, path=socks, policy=SOCKS::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(SSH::LOG, [columns=SSH::Info, ev=SSH::log_ssh, path=ssh, policy=SSH::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(SSL::LOG, [columns=SSL::Info, ev=SSL::log_ssl, path=ssl, policy=SSL::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(Signatures::LOG, [columns=Signatures::Info, ev=Signatures::log_signature, path=signatures, policy=Signatures::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(Software::LOG, [columns=Software::Info, ev=Software::log_software, path=software, policy=Software::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(Syslog::LOG, [columns=Syslog::Info, ev=<uninitialized>, path=syslog, policy=Syslog::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(Tunnel::LOG, [columns=Tunnel::Info, ev=<uninitialized>, path=tunnel, policy=Tunnel::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509, policy=X509::log_policy, event_groups={}])
+0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql, policy=MySQL::log_policy, event_groups={}])
 0.000000 | HookCallFunction Log::get_filter(SSL::LOG, default)
 0.000000 | HookCallFunction Log::log_stream_policy([ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T, failure_reason=<uninitialized>], PacketFilter::LOG)
 0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T, failure_reason=<uninitialized>])

testing/btest/Baseline/scripts.base.frameworks.logging.event-groups-integration/output

@@ -0,0 +1,49 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+packet counting, 1
+packet observer, 1
+packet logging, 1
+packet counting, 2
+packet observer, 2
+packet logging, 2
+packet counting, 3
+packet observer, 3
+packet logging, 3
+packet counting, 4
+packet observer, 4
+packet logging, 4
+packet counting, 5
+packet observer, 5
+packet logging, 5
+packet counting, 6
+Log::disable_stream()
+packet counting, 7
+packet counting, 8
+packet counting, 9
+packet counting, 10
+packet counting, 11
+packet counting, 12
+packet counting, 13
+packet counting, 14
+packet counting, 15
+packet counting, 16
+packet counting, 17
+packet counting, 18
+packet counting, 19
+packet counting, 20
+packet counting, 21
+packet counting, 22
+packet counting, 23
+packet counting, 24
+packet counting, 25
+Log::enable_stream()
+packet observer, 25
+packet logging, 25
+packet counting, 26
+packet observer, 26
+packet logging, 26
+packet counting, 27
+packet observer, 27
+packet logging, 27
+packet counting, 28
+packet observer, 28
+packet logging, 28

testing/btest/Baseline/scripts.base.frameworks.logging.event-groups-integration/packet.log

@@ -0,0 +1,19 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	packet
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	c	ttl	len
+#types	time	count	count	count
+XXXXXXXXXX.XXXXXX	1	64	66
+XXXXXXXXXX.XXXXXX	2	59	117
+XXXXXXXXXX.XXXXXX	3	64	80
+XXXXXXXXXX.XXXXXX	4	59	127
+XXXXXXXXXX.XXXXXX	5	64	66
+XXXXXXXXXX.XXXXXX	25	64	64
+XXXXXXXXXX.XXXXXX	26	59	159
+XXXXXXXXXX.XXXXXX	27	64	64
+XXXXXXXXXX.XXXXXX	28	59	226
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/core/event-groups/existence.zeek

@@ -0,0 +1,31 @@
+# @TEST-DOC: Test for has_module_events and has_event_group
+# @TEST-EXEC: zeek -b %INPUT > output
+# @TEST-EXEC: btest-diff output
+
+module TestMyProtocol::Logging;
+
+event http_request(c: connection, method: string, original_URI: string,
+                   unescaped_URI: string, version: string) {}
+
+module TestMyProtocol;
+
+event http_request(c: connection, method: string, original_URI: string,
+                   unescaped_URI: string, version: string) &group="test-my-protocol" {}
+
+module Test;
+
+function assert_expected(msg: string, expected: bool, actual: bool)
+	{
+	local prefix = expected == actual ? "PASS" : "FAIL";
+	print fmt("%s: %s (%s == %s)", prefix, msg, expected, actual);
+	}
+
+event zeek_init()
+	{
+	assert_expected("eg: has test-my-protocol", T, has_event_group("test-my-protocol"));
+	assert_expected("eg: has not test-my-protocol-nope", F, has_event_group("test-my-protocol-nope"));
+	assert_expected("eg: has not eg TestMyProtocol::Logging", F, has_event_group("TestMyProtocol::Logging"));
+
+	assert_expected("me: has TestMyProtocol::Logging", T, has_module_events("TestMyProtocol::Logging"));
+	assert_expected("me: has not test-my-protocol", F, has_module_events("test-my-protocol"));
+	}

testing/btest/scripts/base/frameworks/logging/event-groups-integration.zeek

@@ -0,0 +1,75 @@
+# @TEST-DOC: Count packets, disable the packet log stream (and it's module group) and re-enable it again, verifying handlers are disabled and re-enabled, too.
+
+# @TEST-EXEC: zeek -b -r ${TRACES}/wikipedia.trace -f 'port 53' %INPUT >output
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: btest-diff packet.log
+
+module PacketCounter;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Info: record {
+		ts: time &log;
+		c: count &log;
+		ttl: count &log;
+		len: count &log;
+	};
+
+	# Counting all the packets.
+	global pcount = 0;
+}
+
+event zeek_init()
+	{
+	Log::create_stream(LOG, [$columns=Info, $path="packet",
+	                         $event_groups=set("PacketCounter::Logging")]);
+	}
+
+event new_packet(c: connection, p: pkt_hdr)
+	{
+	++pcount;
+
+	print "packet counting", pcount;
+
+	# Have 5 packets logged, now disable the stream.
+	if ( pcount == 6 )
+		{
+		print "Log::disable_stream()";
+		Log::disable_stream(LOG);
+		}
+
+	# Re-enable logging after 25 packets. Packet 25 will actually
+	# be logged as the handler is enabled just before this one
+	# (at a higher priority) completes.
+	if ( pcount == 25 )
+		{
+		print "Log::enable_stream()";
+		Log::enable_stream(LOG);
+		}
+	}
+
+# Handler with a attribute group matching the log stream event group.
+# It only produces a bit of output to verify it's being disabled and
+# re-enabled during Log::enable_stream() / Log::disable_stream().
+event new_packet(c: connection, p: pkt_hdr) &group="PacketCounter::Logging" &priority=-5
+	{
+	print "packet observer", pcount;
+	}
+
+# This is where our actual logging happens. We have a "print" statement
+# as to verify the code doesn't actually run when the stream got disabled.
+module PacketCounter::Logging;
+
+event new_packet(c: connection, p: pkt_hdr) &priority=-10
+	{
+	print "packet logging", PacketCounter::pcount;
+	local rec = PacketCounter::Info(
+		$ts=network_time(),
+		$c=PacketCounter::pcount,
+		$ttl=p$ip$ttl,
+		$len=p$ip$len,
+	);
+
+	Log::write(PacketCounter::LOG, rec);
+	}