Merge branch 'topic/bbannier/named-ctr'

* topic/bbannier/named-ctr: Prefer explicit construction to coercion in record initialization
2025-10-02 06:38:20 +00:00 · 2025-07-15 17:37:41 -07:00 · 2025-07-15 17:37:41 -07:00 · fba319857b
commit fba319857b
parent 907ddce581 d5fd29edcd
141 changed files with 791 additions and 789 deletions
--- a/4
+++ b/4
@ -1,3 +1,7 @@
 8.0.0-dev.667 | 2025-07-15 17:37:41 -0700
  * GH-4559: Prefer explicit construction to coercion in record initialization (Benjamin Bannier, Corelight)
 8.0.0-dev.665 | 2025-07-15 17:36:31 -0700
  * Add missing header to allow std::sort() on GCC 15.1 (Christian Kreibich, Corelight)
--- a/2
+++ b/2
@ -1 +1 @@
-8.0.0-dev.665
+8.0.0-dev.667
--- a/scripts/base/files/pe/main.zeek
+++ b/scripts/base/files/pe/main.zeek
@ -60,13 +60,13 @@ const pe_mime_types = { "application/x-dosexec" };
 event zeek_init() &priority=5
 	{
 	Files::register_for_mime_types(Files::ANALYZER_PE, pe_mime_types);
-	Log::create_stream(LOG, [$columns=Info, $ev=log_pe, $path="pe", $policy=log_policy]);
+	Log::create_stream(LOG, Log::Stream($columns=Info, $ev=log_pe, $path="pe", $policy=log_policy));
 	}
 hook set_file(f: fa_file) &priority=5
 	{
 	if ( ! f?$pe )
-		f$pe = [$ts=f$info$ts, $id=f$id];
+		f$pe = PE::Info($ts=f$info$ts, $id=f$id);
 	}
 event pe_dos_header(f: fa_file, h: PE::DOSHeader) &priority=5
--- a/scripts/base/files/x509/log-ocsp.zeek
+++ b/scripts/base/files/x509/log-ocsp.zeek
@ -40,7 +40,7 @@ export {
 event zeek_init() &priority=5
 	{
-	Log::create_stream(LOG, [$columns=Info, $ev=log_ocsp, $path="ocsp", $policy=log_policy]);
+	Log::create_stream(LOG, Log::Stream($columns=Info, $ev=log_ocsp, $path="ocsp", $policy=log_policy));
 	Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
 	}
--- a/scripts/base/files/x509/main.zeek
+++ b/scripts/base/files/x509/main.zeek
@ -117,7 +117,7 @@ redef record Files::Info += {
 event zeek_init() &priority=5
 	{
-	Log::create_stream(X509::LOG, [$columns=Info, $ev=log_x509, $path="x509", $policy=log_policy]);
+	Log::create_stream(X509::LOG, Log::Stream($columns=Info, $ev=log_x509, $path="x509", $policy=log_policy));
 	# We use MIME types internally to distinguish between user and CA certificates.
 	# The first certificate in a connection always gets tagged as user-cert, all
@ -167,7 +167,7 @@ event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certifi
 	{
 	local der_cert = x509_get_certificate_string(cert_ref);
 	local fp = hash_function(der_cert);
-	f$info$x509 = [$ts=f$info$ts, $fingerprint=fp, $certificate=cert, $handle=cert_ref];
+	f$info$x509 = X509::Info($ts=f$info$ts, $fingerprint=fp, $certificate=cert, $handle=cert_ref);
 	if ( f$info$mime_type == "application/x-x509-user-cert" )
 		f$info$x509$host_cert = T;
 	if ( f$is_orig )
--- a/scripts/base/frameworks/analyzer/logging.zeek
+++ b/scripts/base/frameworks/analyzer/logging.zeek
@ -46,7 +46,7 @@ export {
 event zeek_init() &priority=5
 	{
-	Log::create_stream(LOG, [$columns=Info, $path="analyzer", $ev=log_analyzer, $policy=log_policy]);
+	Log::create_stream(LOG, Log::Stream($columns=Info, $path="analyzer", $ev=log_analyzer, $policy=log_policy));
 	}
 function log_analyzer_failure(ts: time, atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo)
--- a/scripts/base/frameworks/broker/log.zeek
+++ b/scripts/base/frameworks/broker/log.zeek
@ -47,17 +47,17 @@ export {
 event zeek_init() &priority=5
 	{
-	Log::create_stream(Broker::LOG, [$columns=Info, $path="broker", $policy=log_policy]);
+	Log::create_stream(Broker::LOG, Log::Stream($columns=Info, $path="broker", $policy=log_policy));
 	}
 function log_status(ev: string, endpoint: EndpointInfo, msg: string)
 	{
 	local r: Info;
-	r = [$ts = network_time(),
+	r = Broker::Info($ts = network_time(),
-	     $ev = ev,
+	                 $ev = ev,
-	     $ty = STATUS,
+	                 $ty = STATUS,
-	     $message = msg];
+	                 $message = msg);
 	if ( endpoint?$network )
 		r$peer = endpoint$network;
@ -87,10 +87,10 @@ event Broker::error(code: ErrorCode, msg: string)
 	ev = subst_string(ev, "_", "-");
 	ev = to_lower(ev);
-	Log::write(Broker::LOG, [$ts = network_time(),
+	Log::write(Broker::LOG, Info($ts = network_time(),
 	           $ev = ev,
 	           $ty = ERROR,
-	           $message = msg]);
+	           $message = msg));
 	Reporter::error(fmt("Broker error (%s): %s", code, msg));
 	}
@ -115,8 +115,8 @@ event Broker::internal_log_event(lvl: LogSeverityLevel, id: string, description:
 			severity = Broker::DEBUG_EVENT;
 			break;
 	}
-	Log::write(Broker::LOG, [$ts = network_time(),
+	Log::write(Broker::LOG, Info($ts = network_time(),
 	           $ty = severity,
 	           $ev = id,
-	           $message = description]);
+	           $message = description));
 	}
--- a/scripts/base/frameworks/cluster/broker-backpressure.zeek
+++ b/scripts/base/frameworks/cluster/broker-backpressure.zeek
@ -5,13 +5,13 @@
 module Cluster;
-global broker_backpressure_disconnects_cf = Telemetry::register_counter_family([
+global broker_backpressure_disconnects_cf = Telemetry::register_counter_family(Telemetry::MetricOpts(
    $prefix="zeek",
    $name="broker-backpressure-disconnects",
    $unit="",
    $label_names=vector("peer"),
    $help_text="Number of Broker peerings dropped due to a neighbor falling behind in message I/O",
-]);
+));
 event Broker::peer_removed(endpoint: Broker::EndpointInfo, msg: string)
 	{
--- a/scripts/base/frameworks/cluster/broker-telemetry.zeek
+++ b/scripts/base/frameworks/cluster/broker-telemetry.zeek
@ -7,13 +7,13 @@ module Cluster;
 ## This gauge tracks the current number of locally queued messages in each
 ## Broker peering's send buffer. The "peer" label identifies the remote side of
 ## the peering, containing a Zeek cluster node name.
-global broker_peer_buffer_messages_gf = Telemetry::register_gauge_family([
+global broker_peer_buffer_messages_gf = Telemetry::register_gauge_family(Telemetry::MetricOpts(
    $prefix="zeek",
    $name="broker-peer-buffer-messages",
    $unit="",
    $label_names=vector("peer"),
    $help_text="Number of messages queued in Broker's send buffers",
-]);
+));
 ## This gauge tracks recent maximum queue lengths for each Broker peering's send
 ## buffer. Most of the time the send buffers are nearly empty, so this gauge
@ -23,26 +23,26 @@ global broker_peer_buffer_messages_gf = Telemetry::register_gauge_family([
 ## observed message. That is, Zeek keeps a timestamp of when the window started,
 ## and once it notices that the interval has passed, it moves the start of the
 ## window to current time.
-global broker_peer_buffer_recent_max_messages_gf = Telemetry::register_gauge_family([
+global broker_peer_buffer_recent_max_messages_gf = Telemetry::register_gauge_family(Telemetry::MetricOpts(
    $prefix="zeek",
    $name="broker-peer-buffer-recent-max-messages",
    $unit="",
    $label_names=vector("peer"),
    $help_text="Maximum number of messages recently queued in Broker's send buffers",
-]);
+));
 ## This counter tracks for each Broker peering the number of times its send
 ## buffer has overflowed. For the "disconnect" policy this can at most be 1,
 ## since Broker stops the peering at this time. For the "drop_oldest" and
 ## "drop_newest" policies (see :zeek:see:`Broker:peer_overflow_policy`) the count
 ## instead reflects the number of messages lost.
-global broker_peer_buffer_overflows_cf = Telemetry::register_counter_family([
+global broker_peer_buffer_overflows_cf = Telemetry::register_counter_family(Telemetry::MetricOpts(
    $prefix="zeek",
    $name="broker-peer-buffer-overflows",
    $unit="",
    $label_names=vector("peer"),
    $help_text="Number of overflows in Broker's send buffers",
-]);
+));
 # A helper to track overflow counts over past peerings as well as the current
--- a/scripts/base/frameworks/cluster/main.zeek
+++ b/scripts/base/frameworks/cluster/main.zeek
@ -492,7 +492,7 @@ function nodeid_to_node(id: string): NamedNode
 			return NamedNode($name=name, $node=n);
 		}
-	return NamedNode($name="", $node=[$node_type=NONE, $ip=0.0.0.0]);
+	return NamedNode($name="", $node=Node($node_type=NONE, $ip=0.0.0.0));
 	}
 event Cluster::hello(name: string, id: string) &priority=10
@ -572,7 +572,7 @@ event zeek_init() &priority=5
 		terminate();
 		}
-	Log::create_stream(Cluster::LOG, [$columns=Info, $path="cluster", $policy=log_policy]);
+	Log::create_stream(Cluster::LOG, Log::Stream($columns=Info, $path="cluster", $policy=log_policy));
 	}
 function create_store(name: string, persistent: bool &default=F): Cluster::StoreInfo
@ -654,7 +654,7 @@ function create_store(name: string, persistent: bool &default=F): Cluster::Store
 function log(msg: string)
 	{
-	Log::write(Cluster::LOG, [$ts = network_time(), $node = node, $message = msg]);
+	Log::write(Cluster::LOG, Info($ts = network_time(), $node = node, $message = msg));
 	}
 function init(): bool
--- a/scripts/base/frameworks/cluster/supervisor.zeek
+++ b/scripts/base/frameworks/cluster/supervisor.zeek
@ -42,7 +42,7 @@ function __init_cluster_nodes(): bool
 		if ( endp$role in rolemap )
 			typ = rolemap[endp$role];
-		cnode = [$node_type=typ, $ip=endp$host, $p=endp$p];
+		cnode = Cluster::Node($node_type=typ, $ip=endp$host, $p=endp$p);
 		if ( |manager_name| > 0 && cnode$node_type != Cluster::MANAGER )
 			cnode$manager = manager_name;
 		if ( endp?$metrics_port )
--- a/scripts/base/frameworks/config/input.zeek
+++ b/scripts/base/frameworks/config/input.zeek
@ -40,14 +40,14 @@ event zeek_init() &priority=5
 		return;
 	for ( fi in config_files )
-		Input::add_table([$reader=Input::READER_CONFIG,
+		Input::add_table(Input::TableDescription($reader=Input::READER_CONFIG,
 			$mode=Input::REREAD,
 			$source=fi,
 			$name=cat("config-", fi),
 			$idx=ConfigItem,
 			$val=ConfigItem,
 			$want_record=F,
-			$destination=current_config]);
+			$destination=current_config));
 	}
 event InputConfig::new_value(name: string, source: string, id: string, value: any)
@ -67,11 +67,11 @@ function read_config(filename: string)
 	local iname = cat("config-oneshot-", filename);
-	Input::add_event([$reader=Input::READER_CONFIG,
+	Input::add_event(Input::EventDescription($reader=Input::READER_CONFIG,
 		$mode=Input::MANUAL,
 		$source=filename,
 		$name=iname,
 		$fields=EventFields,
-		$ev=config_line]);
+		$ev=config_line));
 	Input::remove(iname);
 	}
--- a/scripts/base/frameworks/config/main.zeek
+++ b/scripts/base/frameworks/config/main.zeek
@ -153,7 +153,7 @@ function config_option_changed(ID: string, new_value: any, location: string): an
 event zeek_init() &priority=10
 	{
-	Log::create_stream(LOG, [$columns=Info, $ev=log_config, $path="config", $policy=log_policy]);
+	Log::create_stream(LOG, Log::Stream($columns=Info, $ev=log_config, $path="config", $policy=log_policy));
 	# Limit logging to the manager - everyone else just feeds off it.
@if ( !Cluster::is_enabled() || Cluster::local_node_type() == Cluster::MANAGER )
--- a/scripts/base/frameworks/files/main.zeek
+++ b/scripts/base/frameworks/files/main.zeek
@ -341,7 +341,7 @@ global analyzer_add_callbacks: table[Files::Tag] of function(f: fa_file, args: A
 event zeek_init() &priority=5
 	{
-	Log::create_stream(Files::LOG, [$columns=Info, $ev=log_files, $path="files", $policy=log_policy]);
+	Log::create_stream(Files::LOG, Log::Stream($columns=Info, $ev=log_files, $path="files", $policy=log_policy));
 	}
 function set_info(f: fa_file)
--- a/scripts/base/frameworks/intel/input.zeek
+++ b/scripts/base/frameworks/intel/input.zeek
@ -68,13 +68,13 @@ event zeek_init() &priority=5
 			if ( |path_prefix| > 0 && sub_bytes(a_file, 0, 1) != "/" )
 				source = cat(rstrip(path_prefix, "/"), "/", a_file);
-			Input::add_event([$source=source,
+			Input::add_event(Input::EventDescription($source=source,
-			                  $reader=Input::READER_ASCII,
+			                                         $reader=Input::READER_ASCII,
-			                  $mode=Input::REREAD,
+			                                         $mode=Input::REREAD,
-			                  $name=cat("intel-", a_file),
+			                                         $name=cat("intel-", a_file),
-			                  $fields=Intel::Item,
+			                                         $fields=Intel::Item,
-			                  $ev=Intel::read_entry,
+			                                         $ev=Intel::read_entry,
-			                  $error_ev=Intel::read_error]);
+			                                         $error_ev=Intel::read_error));
 			}
 		}
 	}
--- a/scripts/base/frameworks/intel/main.zeek
+++ b/scripts/base/frameworks/intel/main.zeek
@ -280,7 +280,7 @@ global min_data_store: MinDataStore &redef;
 event zeek_init() &priority=5
 	{
-	Log::create_stream(LOG, [$columns=Info, $ev=log_intel, $path="intel", $policy=log_policy]);
+	Log::create_stream(LOG, Log::Stream($columns=Info, $ev=log_intel, $path="intel", $policy=log_policy));
 	}
 # Function that abstracts expiration of different types.
@ -289,7 +289,7 @@ function expire_item(indicator: string, indicator_type: Type, metas: set[MetaDat
 	if ( hook item_expired(indicator, indicator_type, metas) )
 		return item_expiration;
 	else
-		remove([$indicator=indicator, $indicator_type=indicator_type, $meta=[$source=""]], T);
+		remove(Item($indicator=indicator, $indicator_type=indicator_type, $meta=MetaData($source="")), T);
 	return 0 sec;
 	}
--- a/scripts/base/frameworks/logging/main.zeek
+++ b/scripts/base/frameworks/logging/main.zeek
@ -425,7 +425,7 @@ export {
 	};
 	## Sentinel value for indicating that a filter was not found when looked up.
-	const no_filter: Filter = [$name="<not found>"];
+	const no_filter = Filter($name="<not found>");
 	## Creates a new logging stream with the default filter.
 	##
@ -997,7 +997,7 @@ function flush(id: ID): bool
 function add_default_filter(id: ID) : bool
 	{
-	return add_filter(id, [$name="default"]);
+	return add_filter(id, Filter($name="default"));
 	}
 function remove_default_filter(id: ID) : bool
@ -1008,7 +1008,7 @@ function remove_default_filter(id: ID) : bool
 event zeek_init() &priority=5
 	{
 	if ( print_to_log != REDIRECT_NONE )
-		Log::create_stream(PRINTLOG, [$columns=PrintLogInfo, $ev=log_print, $path=print_log_path]);
+		Log::create_stream(PRINTLOG, Log::Stream($columns=PrintLogInfo, $ev=log_print, $path=print_log_path));
 	}
 function empty_post_delay_cb(rec: any, id: ID): bool {
--- a/scripts/base/frameworks/logging/writers/ascii.zeek
+++ b/scripts/base/frameworks/logging/writers/ascii.zeek
@ -7,9 +7,9 @@
 ##! names is printed out as meta information, with no "# fields" prepended; no
 ##! other meta data gets included in that mode.  Example filter using this::
 ##!
-##!    local f: Log::Filter = [$name = "my-filter",
+##!    local f = Log::Filter($name = "my-filter",
-##!                            $writer = Log::WRITER_ASCII,
+##!                          $writer = Log::WRITER_ASCII,
-##!                            $config = table(["tsv"] = "T")];
+##!                          $config = table(["tsv"] = "T"));
 ##!
 module LogAscii;
--- a/scripts/base/frameworks/netcontrol/drop.zeek
+++ b/scripts/base/frameworks/netcontrol/drop.zeek
@ -59,13 +59,13 @@ export {
 event zeek_init() &priority=5
 	{
-	Log::create_stream(NetControl::DROP_LOG, [$columns=DropInfo, $ev=log_netcontrol_drop, $path="netcontrol_drop", $policy=log_policy_drop]);
+	Log::create_stream(NetControl::DROP_LOG, Log::Stream($columns=DropInfo, $ev=log_netcontrol_drop, $path="netcontrol_drop", $policy=log_policy_drop));
 	}
 function drop_connection(c: conn_id, t: interval, location: string &default="") : string
 	{
-	local e: Entity = [$ty=CONNECTION, $conn=c];
+	local e = Entity($ty=CONNECTION, $conn=c);
-	local r: Rule = [$ty=DROP, $target=FORWARD, $entity=e, $expire=t, $location=location];
+	local r = Rule($ty=DROP, $target=FORWARD, $entity=e, $expire=t, $location=location);
 	if ( ! hook NetControl::drop_rule_policy(r) )
 		return "";
@ -88,8 +88,8 @@ function drop_connection(c: conn_id, t: interval, location: string &default="")
 function drop_address(a: addr, t: interval, location: string &default="") : string
 	{
-	local e: Entity = [$ty=ADDRESS, $ip=addr_to_subnet(a)];
+	local e = Entity($ty=ADDRESS, $ip=addr_to_subnet(a));
-	local r: Rule = [$ty=DROP, $target=FORWARD, $entity=e, $expire=t, $location=location];
+	local r = Rule($ty=DROP, $target=FORWARD, $entity=e, $expire=t, $location=location);
 	if ( ! hook NetControl::drop_rule_policy(r) )
 		return "";
--- a/scripts/base/frameworks/netcontrol/main.zeek
+++ b/scripts/base/frameworks/netcontrol/main.zeek
@ -383,7 +383,7 @@ global rule_entities: table[Entity, RuleType] of Rule;
 event zeek_init() &priority=5
 	{
-	Log::create_stream(NetControl::LOG, [$columns=Info, $ev=log_netcontrol, $path="netcontrol", $policy=log_policy]);
+	Log::create_stream(NetControl::LOG, Log::Stream($columns=Info, $ev=log_netcontrol, $path="netcontrol", $policy=log_policy));
 	}
 function entity_to_info(info: Info, e: Entity)
@ -489,22 +489,22 @@ function rule_to_info(info: Info, r: Rule)
 function log_msg(msg: string, p: PluginState)
 	{
-	Log::write(LOG, [$ts=network_time(), $category=MESSAGE, $msg=msg, $plugin=p$plugin$name(p)]);
+	Log::write(LOG, Info($ts=network_time(), $category=MESSAGE, $msg=msg, $plugin=p$plugin$name(p)));
 	}
 function log_error(msg: string, p: PluginState)
 	{
-	Log::write(LOG, [$ts=network_time(), $category=ERROR, $msg=msg, $plugin=p$plugin$name(p)]);
+	Log::write(LOG, Info($ts=network_time(), $category=ERROR, $msg=msg, $plugin=p$plugin$name(p)));
 	}
 function log_msg_no_plugin(msg: string)
 	{
-	Log::write(LOG, [$ts=network_time(), $category=MESSAGE, $msg=msg]);
+	Log::write(LOG, Info($ts=network_time(), $category=MESSAGE, $msg=msg));
 	}
 function log_rule(r: Rule, cmd: string, state: InfoState, p: PluginState, msg: string &default="")
 	{
-	local info: Info = [$ts=network_time()];
+	local info = Info($ts=network_time());
 	info$category = RULE;
 	info$cmd = cmd;
 	info$state = state;
@ -519,14 +519,14 @@ function log_rule(r: Rule, cmd: string, state: InfoState, p: PluginState, msg: s
 function log_rule_error(r: Rule, msg: string, p: PluginState)
 	{
-	local info: Info = [$ts=network_time(), $category=ERROR, $msg=msg, $plugin=p$plugin$name(p)];
+	local info = Info($ts=network_time(), $category=ERROR, $msg=msg, $plugin=p$plugin$name(p));
 	rule_to_info(info, r);
 	Log::write(LOG, info);
 	}
 function log_rule_no_plugin(r: Rule, state: InfoState, msg: string)
 	{
-	local info: Info  = [$ts=network_time()];
+	local info  = Info($ts=network_time());
 	info$category = RULE;
 	info$state = state;
 	info$msg = msg;
@ -538,16 +538,16 @@ function log_rule_no_plugin(r: Rule, state: InfoState, msg: string)
 function whitelist_address(a: addr, t: interval, location: string &default="") : string
 	{
-	local e: Entity = [$ty=ADDRESS, $ip=addr_to_subnet(a)];
+	local e = Entity($ty=ADDRESS, $ip=addr_to_subnet(a));
-	local r: Rule = [$ty=WHITELIST, $priority=whitelist_priority, $target=FORWARD, $entity=e, $expire=t, $location=location];
+	local r = Rule($ty=WHITELIST, $priority=whitelist_priority, $target=FORWARD, $entity=e, $expire=t, $location=location);
 	return add_rule(r);
 	}
 function whitelist_subnet(s: subnet, t: interval, location: string &default="") : string
 	{
-	local e: Entity = [$ty=ADDRESS, $ip=s];
+	local e = Entity($ty=ADDRESS, $ip=s);
-	local r: Rule = [$ty=WHITELIST, $priority=whitelist_priority, $target=FORWARD, $entity=e, $expire=t, $location=location];
+	local r = Rule($ty=WHITELIST, $priority=whitelist_priority, $target=FORWARD, $entity=e, $expire=t, $location=location);
 	return add_rule(r);
 	}
@ -561,8 +561,8 @@ function redirect_flow(f: flow_id, out_port: count, t: interval, location: strin
 		$dst_h=addr_to_subnet(f$dst_h),
 		$dst_p=f$dst_p
 	);
-	local e: Entity = [$ty=FLOW, $flow=flow];
+	local e = Entity($ty=FLOW, $flow=flow);
-	local r: Rule = [$ty=REDIRECT, $target=FORWARD, $entity=e, $expire=t, $location=location, $out_port=out_port];
+	local r = Rule($ty=REDIRECT, $target=FORWARD, $entity=e, $expire=t, $location=location, $out_port=out_port);
 	return add_rule(r);
 	}
@ -570,19 +570,19 @@ function redirect_flow(f: flow_id, out_port: count, t: interval, location: strin
 function quarantine_host(infected: addr, dns: addr, quarantine: addr, t: interval, location: string &default="") : vector of string
 	{
 	local orules: vector of string = vector();
-	local edrop: Entity = [$ty=FLOW, $flow=Flow($src_h=addr_to_subnet(infected))];
+	local edrop = Entity($ty=FLOW, $flow=Flow($src_h=addr_to_subnet(infected)));
-	local rdrop: Rule = [$ty=DROP, $target=FORWARD, $entity=edrop, $expire=t, $location=location];
+	local rdrop = Rule($ty=DROP, $target=FORWARD, $entity=edrop, $expire=t, $location=location);
 	orules += add_rule(rdrop);
-	local todnse: Entity = [$ty=FLOW, $flow=Flow($src_h=addr_to_subnet(infected), $dst_h=addr_to_subnet(dns), $dst_p=53/udp)];
+	local todnse = Entity($ty=FLOW, $flow=Flow($src_h=addr_to_subnet(infected), $dst_h=addr_to_subnet(dns), $dst_p=53/udp));
 	local todnsr = Rule($ty=MODIFY, $target=FORWARD, $entity=todnse, $expire=t, $location=location, $mod=FlowMod($dst_h=quarantine), $priority=+5);
 	orules += add_rule(todnsr);
-	local fromdnse: Entity = [$ty=FLOW, $flow=Flow($src_h=addr_to_subnet(dns), $src_p=53/udp, $dst_h=addr_to_subnet(infected))];
+	local fromdnse = Entity($ty=FLOW, $flow=Flow($src_h=addr_to_subnet(dns), $src_p=53/udp, $dst_h=addr_to_subnet(infected)));
 	local fromdnsr = Rule($ty=MODIFY, $target=FORWARD, $entity=fromdnse, $expire=t, $location=location, $mod=FlowMod($src_h=dns), $priority=+5);
 	orules += add_rule(fromdnsr);
-	local wle: Entity = [$ty=FLOW, $flow=Flow($src_h=addr_to_subnet(infected), $dst_h=addr_to_subnet(quarantine), $dst_p=80/tcp)];
+	local wle = Entity($ty=FLOW, $flow=Flow($src_h=addr_to_subnet(infected), $dst_h=addr_to_subnet(quarantine), $dst_p=80/tcp));
 	local wlr = Rule($ty=WHITELIST, $target=FORWARD, $entity=wle, $expire=t, $location=location, $priority=+5);
 	orules += add_rule(wlr);
--- a/scripts/base/frameworks/netcontrol/plugins/acld.zeek
+++ b/scripts/base/frameworks/netcontrol/plugins/acld.zeek
@ -303,7 +303,7 @@ function create_acld(config: AcldConfig) : PluginState
 		add netcontrol_acld_topics[config$acld_topic];
 	local host = cat(config$acld_host);
-	local p: PluginState = [$acld_config=config, $plugin=acld_plugin, $acld_id=netcontrol_acld_current_id];
+	local p = PluginState($acld_config=config, $plugin=acld_plugin, $acld_id=netcontrol_acld_current_id);
 	if ( [config$acld_port, host] in netcontrol_acld_peers )
 		Reporter::warning(fmt("Peer %s:%s was added to NetControl acld plugin twice.", host, config$acld_port));
--- a/scripts/base/frameworks/netcontrol/plugins/debug.zeek
+++ b/scripts/base/frameworks/netcontrol/plugins/debug.zeek
@ -117,7 +117,7 @@ global debug_plugin = Plugin(
 function create_debug(do_something: bool, name: string) : PluginState
 	{
-	local p: PluginState = [$plugin=debug_plugin];
+	local p = PluginState($plugin=debug_plugin);
 	# FIXME: Why's the default not working?
 	p$config = table();
@ -132,7 +132,7 @@ function create_debug(do_something: bool, name: string) : PluginState
 function create_debug_error(name: string) : PluginState
 	{
-	local p: PluginState = copy([$plugin=debug_plugin]);
+	local p = copy(PluginState($plugin=debug_plugin));
 	p$config["name"] = name;
 	p$config["all"] = "1";
 	p$plugin$add_rule = debug_add_rule_error;
@ -141,7 +141,7 @@ function create_debug_error(name: string) : PluginState
 function create_debug_exists(name: string) : PluginState
 	{
-	local p: PluginState = copy([$plugin=debug_plugin]);
+	local p = copy(PluginState($plugin=debug_plugin));
 	p$config["name"] = name;
 	p$config["all"] = "1";
 	p$plugin$add_rule = debug_add_rule_exists;
--- a/scripts/base/frameworks/netcontrol/plugins/openflow.zeek
+++ b/scripts/base/frameworks/netcontrol/plugins/openflow.zeek
@ -447,7 +447,7 @@ global openflow_plugin = Plugin(
 function create_openflow(controller: OpenFlow::Controller, config: OfConfig &default=[]) : PluginState
 	{
-	local p: PluginState = [$plugin=openflow_plugin, $of_controller=controller, $of_config=config];
+	local p = PluginState($plugin=openflow_plugin, $of_controller=controller, $of_config=config);
 	return p;
 	}
--- a/scripts/base/frameworks/netcontrol/plugins/packetfilter.zeek
+++ b/scripts/base/frameworks/netcontrol/plugins/packetfilter.zeek
@ -106,7 +106,7 @@ global packetfilter_plugin = Plugin(
 function create_packetfilter() : PluginState
 	{
-	local p: PluginState = [$plugin=packetfilter_plugin];
+	local p = PluginState($plugin=packetfilter_plugin);
 	return p;
 	}
--- a/scripts/base/frameworks/netcontrol/shunt.zeek
+++ b/scripts/base/frameworks/netcontrol/shunt.zeek
@ -40,7 +40,7 @@ export {
 event zeek_init() &priority=5
 	{
-	Log::create_stream(NetControl::SHUNT, [$columns=ShuntInfo, $ev=log_netcontrol_shunt, $path="netcontrol_shunt", $policy=log_policy_shunt]);
+	Log::create_stream(NetControl::SHUNT, Log::Stream($columns=ShuntInfo, $ev=log_netcontrol_shunt, $path="netcontrol_shunt", $policy=log_policy_shunt));
 	}
 function shunt_flow(f: flow_id, t: interval, location: string &default="") : string
@ -51,8 +51,8 @@ function shunt_flow(f: flow_id, t: interval, location: string &default="") : str
 		$dst_h=addr_to_subnet(f$dst_h),
 		$dst_p=f$dst_p
 	);
-	local e: Entity = [$ty=FLOW, $flow=flow];
+	local e = Entity($ty=FLOW, $flow=flow);
-	local r: Rule = [$ty=DROP, $target=MONITOR, $entity=e, $expire=t, $location=location];
+	local r = Rule($ty=DROP, $target=MONITOR, $entity=e, $expire=t, $location=location);
 	local id = add_rule(r);
--- a/scripts/base/frameworks/notice/actions/pp-alarms.zeek
+++ b/scripts/base/frameworks/notice/actions/pp-alarms.zeek
@ -102,9 +102,9 @@ event zeek_init()
 	# This replaces the standard non-pretty-printing filter.
 	Log::add_filter(Notice::ALARM_LOG,
-			[$name="alarm-mail", $writer=Log::WRITER_NONE,
+			Log::Filter($name="alarm-mail", $writer=Log::WRITER_NONE,
-			 $interv=Log::default_mail_alarms_interval,
+			            $interv=Log::default_mail_alarms_interval,
-			 $postprocessor=pp_postprocessor]);
+			            $postprocessor=pp_postprocessor));
 	}
 hook notice(n: Notice::Info) &priority=-5
--- a/scripts/base/frameworks/notice/main.zeek
+++ b/scripts/base/frameworks/notice/main.zeek
@ -381,16 +381,16 @@ function log_mailing_postprocessor(info: Log::RotationInfo): bool
 event zeek_init() &priority=5
 	{
-	Log::create_stream(Notice::LOG, [$columns=Info, $ev=log_notice, $path="notice", $policy=log_policy]);
+	Log::create_stream(Notice::LOG, Log::Stream($columns=Info, $ev=log_notice, $path="notice", $policy=log_policy));
-	Log::create_stream(Notice::ALARM_LOG, [$columns=Notice::Info, $path="notice_alarm", $policy=log_policy_alarm]);
+	Log::create_stream(Notice::ALARM_LOG, Log::Stream($columns=Notice::Info, $path="notice_alarm", $policy=log_policy_alarm));
 	# If Zeek is configured for mailing notices, set up mailing for alarms.
 	# Make sure that this alarm log is also output as text so that it can
 	# be packaged up and emailed later.
 	if ( ! reading_traces() && mail_dest != "" )
 		Log::add_filter(Notice::ALARM_LOG,
-		    [$name="alarm-mail", $path="alarm-mail", $writer=Log::WRITER_ASCII,
+		                Log::Filter($name="alarm-mail", $path="alarm-mail", $writer=Log::WRITER_ASCII,
-		     $interv=24hrs, $postprocessor=log_mailing_postprocessor]);
+		                            $interv=24hrs, $postprocessor=log_mailing_postprocessor));
 	}
 function email_headers(subject_desc: string, dest: string): string
--- a/scripts/base/frameworks/notice/weird.zeek
+++ b/scripts/base/frameworks/notice/weird.zeek
@ -318,7 +318,7 @@ const notice_actions = {
 event zeek_init() &priority=5
 	{
-	Log::create_stream(Weird::LOG, [$columns=Info, $ev=log_weird, $path="weird", $policy=log_policy]);
+	Log::create_stream(Weird::LOG, Log::Stream($columns=Info, $ev=log_weird, $path="weird", $policy=log_policy));
 	}
 function flow_id_string(src: addr, dst: addr): string
--- a/scripts/base/frameworks/openflow/plugins/log.zeek
+++ b/scripts/base/frameworks/openflow/plugins/log.zeek
@ -50,12 +50,12 @@ export {
 event zeek_init() &priority=5
 	{
-	Log::create_stream(OpenFlow::LOG, [$columns=Info, $ev=log_openflow, $path="openflow", $policy=log_policy]);
+	Log::create_stream(OpenFlow::LOG, Log::Stream($columns=Info, $ev=log_openflow, $path="openflow", $policy=log_policy));
 	}
 function log_flow_mod(state: ControllerState, match: ofp_match, flow_mod: OpenFlow::ofp_flow_mod): bool
 	{
-	Log::write(OpenFlow::LOG, [$ts=network_time(), $dpid=state$log_dpid, $match=match, $flow_mod=flow_mod]);
+	Log::write(LOG, Info($ts=network_time(), $dpid=state$log_dpid, $match=match, $flow_mod=flow_mod));
 	if ( state$log_success_event )
 		event OpenFlow::flow_mod_success(state$_name, match, flow_mod);
--- a/scripts/base/frameworks/packet-filter/main.zeek
+++ b/scripts/base/frameworks/packet-filter/main.zeek
@ -175,7 +175,7 @@ event filter_change_tracking()
 event zeek_init() &priority=5
 	{
-	Log::create_stream(PacketFilter::LOG, [$columns=Info, $path="packet_filter", $policy=log_policy]);
+	Log::create_stream(PacketFilter::LOG, Log::Stream($columns=Info, $path="packet_filter", $policy=log_policy));
 	# Preverify the capture and restrict filters to give more granular failure messages.
 	for ( id, cf in capture_filters )
@ -303,9 +303,9 @@ function install(): bool
 		local error_string : string;
 		if ( state == Pcap::fatal )
 			{
-			NOTICE([$note=Compile_Failure,
+			NOTICE(Notice::Info($note=Compile_Failure,
-			        $msg=fmt("Compiling packet filter failed"),
+			                    $msg=fmt("Compiling packet filter failed"),
-			        $sub=tmp_filter]);
+			                    $sub=tmp_filter));
 			error_string = fmt("Bad pcap filter '%s': %s", tmp_filter,
 			                   Pcap::get_filter_state_string(DefaultPcapFilter));
@ -326,8 +326,8 @@ function install(): bool
 		}
 	local diff = current_time()-ts;
 	if ( diff > max_filter_compile_time )
-		NOTICE([$note=Too_Long_To_Compile_Filter,
+		NOTICE(Notice::Info($note=Too_Long_To_Compile_Filter,
-		        $msg=fmt("A BPF filter is taking longer than %0.1f seconds to compile", diff)]);
+		                    $msg=fmt("A BPF filter is taking longer than %0.1f seconds to compile", diff)));
 	# Set it to the current filter if it passed precompiling
 	current_filter = tmp_filter;
@ -350,9 +350,9 @@ function install(): bool
 		info$success = F;
 		info$failure_reason = Pcap::get_filter_state_string(DefaultPcapFilter);
-		NOTICE([$note=Install_Failure,
+		NOTICE(Notice::Info($note=Install_Failure,
-		        $msg=fmt("Installing packet filter failed"),
+		                    $msg=fmt("Installing packet filter failed"),
-		        $sub=current_filter]);
+		                    $sub=current_filter));
 		}
 	if ( reading_live_traffic() || reading_traces() )
--- a/scripts/base/frameworks/packet-filter/netstats.zeek
+++ b/scripts/base/frameworks/packet-filter/netstats.zeek
@ -24,10 +24,10 @@ event net_stats_update(last_stat: NetStats)
 		{
 		local new_recvd = ns$pkts_recvd - last_stat$pkts_recvd;
 		local new_link = ns$pkts_link - last_stat$pkts_link;
-		NOTICE([$note=Dropped_Packets,
+		NOTICE(Notice::Info($note=Dropped_Packets,
-		        $msg=fmt("%d packets dropped after filtering, %d received%s",
+		                    $msg=fmt("%d packets dropped after filtering, %d received%s",
-		                 new_dropped, new_recvd + new_dropped,
+		                             new_dropped, new_recvd + new_dropped,
-		                 new_link != 0 ? fmt(", %d on link", new_link) : "")]);
+		                             new_link != 0 ? fmt(", %d on link", new_link) : "")));
 		}
 	schedule stats_collection_interval { net_stats_update(ns) };
--- a/scripts/base/frameworks/reporter/main.zeek
+++ b/scripts/base/frameworks/reporter/main.zeek
@ -40,20 +40,20 @@ export {
 event zeek_init() &priority=5
 	{
-	Log::create_stream(Reporter::LOG, [$columns=Info, $path="reporter", $policy=log_policy]);
+	Log::create_stream(Reporter::LOG, Log::Stream($columns=Info, $path="reporter", $policy=log_policy));
 	}
 event reporter_info(t: time, msg: string, location: string) &priority=-5
 	{
-	Log::write(Reporter::LOG, [$ts=t, $level=INFO, $message=msg, $location=location]);
+	Log::write(Reporter::LOG, Info($ts=t, $level=INFO, $message=msg, $location=location));
 	}
 event reporter_warning(t: time, msg: string, location: string) &priority=-5
 	{
-	Log::write(Reporter::LOG, [$ts=t, $level=WARNING, $message=msg, $location=location]);
+	Log::write(Reporter::LOG, Info($ts=t, $level=WARNING, $message=msg, $location=location));
 	}
 event reporter_error(t: time, msg: string, location: string) &priority=-5
 	{
-	Log::write(Reporter::LOG, [$ts=t, $level=ERROR, $message=msg, $location=location]);
+	Log::write(Reporter::LOG, Info($ts=t, $level=ERROR, $message=msg, $location=location));
 	}
--- a/scripts/base/frameworks/signatures/main.zeek
+++ b/scripts/base/frameworks/signatures/main.zeek
@ -145,14 +145,14 @@ global did_sig_log: set[string] &read_expire = 1 hr;
 event zeek_init() &priority=5
 	{
-	Log::create_stream(Signatures::LOG, [$columns=Info, $ev=log_signature, $path="signatures", $policy=log_policy]);
+	Log::create_stream(Signatures::LOG, Log::Stream($columns=Info, $ev=log_signature, $path="signatures", $policy=log_policy));
 	}
 event sig_summary(orig: addr, id: string, msg: string)
 	{
-	NOTICE([$note=Signature_Summary, $src=orig,
+	NOTICE(Notice::Info($note=Signature_Summary, $src=orig,
-	        $msg=fmt("%s: %s", orig, msg),
+	                    $msg=fmt("%s: %s", orig, msg),
-	        $n=count_per_orig[orig,id] ]);
+	                    $n=count_per_orig[orig,id]));
 	}
 event signature_match(state: signature_state, msg: string, data: string)
@ -189,16 +189,16 @@ event signature_match(state: signature_state, msg: string, data: string)
 	if ( action != SIG_QUIET && action != SIG_COUNT_PER_RESP )
 		{
-		local info: Info = [$ts=network_time(),
+		local info = Info($ts=network_time(),
-		                    $note=Sensitive_Signature,
+		                  $note=Sensitive_Signature,
-		                    $uid=state$conn$uid,
+		                  $uid=state$conn$uid,
-		                    $src_addr=src_addr,
+		                  $src_addr=src_addr,
-		                    $src_port=src_port,
+		                  $src_port=src_port,
-		                    $dst_addr=dst_addr,
+		                  $dst_addr=dst_addr,
-		                    $dst_port=dst_port,
+		                  $dst_port=dst_port,
-		                    $event_msg=fmt("%s: %s", src_addr, msg),
+		                  $event_msg=fmt("%s: %s", src_addr, msg),
-		                    $sig_id=sig_id,
+		                  $sig_id=sig_id,
-		                    $sub_msg=data];
+		                  $sub_msg=data);
 		Log::write(Signatures::LOG, info);
 		}
@ -211,12 +211,12 @@ event signature_match(state: signature_state, msg: string, data: string)
 		local dst = state$conn$id$resp_h;
 		if ( ++count_per_resp[dst,sig_id] in count_thresholds )
 			{
-			NOTICE([$note=Count_Signature, $conn=state$conn,
+			NOTICE(Notice::Info($note=Count_Signature, $conn=state$conn,
-			        $msg=msg,
+			                    $msg=msg,
-			        $n=count_per_resp[dst,sig_id],
+			                    $n=count_per_resp[dst,sig_id],
-			        $sub=fmt("%d matches of signature %s on host %s",
+			                    $sub=fmt("%d matches of signature %s on host %s",
-			                 count_per_resp[dst,sig_id],
+			                             count_per_resp[dst,sig_id],
-			                 sig_id, dst)]);
+			                             sig_id, dst)));
 			}
 		}
@ -241,10 +241,10 @@ event signature_match(state: signature_state, msg: string, data: string)
 		}
 	if ( notice )
-		NOTICE([$note=Sensitive_Signature,
+		NOTICE(Notice::Info($note=Sensitive_Signature,
-		        $conn=state$conn, $src=src_addr,
+		                    $conn=state$conn, $src=src_addr,
-		        $dst=dst_addr, $msg=fmt("%s: %s", src_addr, msg),
+		                    $dst=dst_addr, $msg=fmt("%s: %s", src_addr, msg),
-		        $sub=data]);
+		                    $sub=data));
 	if ( action == SIG_FILE_BUT_NO_SCAN || action == SIG_SUMMARY )
 		return;
@ -273,12 +273,12 @@ event signature_match(state: signature_state, msg: string, data: string)
 				orig, sig_id, hcount);
 		Log::write(Signatures::LOG,
-			[$ts=network_time(), $note=Multiple_Sig_Responders,
+		           Info($ts=network_time(), $note=Multiple_Sig_Responders,
-		     $src_addr=orig, $sig_id=sig_id, $event_msg=msg,
+		                $src_addr=orig, $sig_id=sig_id, $event_msg=msg,
-		     $host_count=hcount, $sub_msg=horz_scan_msg]);
+		                $host_count=hcount, $sub_msg=horz_scan_msg));
-		NOTICE([$note=Multiple_Sig_Responders, $src=orig,
+		NOTICE(Notice::Info($note=Multiple_Sig_Responders, $src=orig,
-			$msg=msg, $n=hcount, $sub=horz_scan_msg]);
+		                    $msg=msg, $n=hcount, $sub=horz_scan_msg));
 		last_hthresh[orig] = hcount;
 		}
@ -290,16 +290,16 @@ event signature_match(state: signature_state, msg: string, data: string)
 				orig, vcount, resp);
 		Log::write(Signatures::LOG,
-		           [$ts=network_time(),
+		           Info($ts=network_time(),
-		            $note=Multiple_Signatures,
+		                $note=Multiple_Signatures,
-		            $src_addr=orig,
+		                $src_addr=orig,
-		            $dst_addr=resp, $sig_id=sig_id, $sig_count=vcount,
+		                $dst_addr=resp, $sig_id=sig_id, $sig_count=vcount,
-		            $event_msg=fmt("%s different signatures triggered", vcount),
+		                $event_msg=fmt("%s different signatures triggered", vcount),
-		            $sub_msg=vert_scan_msg]);
+		                $sub_msg=vert_scan_msg));
-		NOTICE([$note=Multiple_Signatures, $src=orig, $dst=resp,
+		NOTICE(Notice::Info($note=Multiple_Signatures, $src=orig, $dst=resp,
-		        $msg=fmt("%s different signatures triggered", vcount),
+		                    $msg=fmt("%s different signatures triggered", vcount),
-		        $n=vcount, $sub=vert_scan_msg]);
+		                    $n=vcount, $sub=vert_scan_msg));
 		last_vthresh[orig] = vcount;
 		}
--- a/scripts/base/frameworks/software/main.zeek
+++ b/scripts/base/frameworks/software/main.zeek
@ -126,7 +126,7 @@ export {
 event zeek_init() &priority=5
 	{
-	Log::create_stream(Software::LOG, [$columns=Info, $ev=log_software, $path="software", $policy=log_policy]);
+	Log::create_stream(Software::LOG, Log::Stream($columns=Info, $ev=log_software, $path="software", $policy=log_policy));
 	}
 type Description: record {
@ -163,7 +163,7 @@ function parse(unparsed_version: string): Description
 			else
 				v = Version($major=extract_count(vs));
-			return [$version=v, $unparsed_version=unparsed_version, $name=software_name];
+			return Description($version=v, $unparsed_version=unparsed_version, $name=software_name);
 			}
 		}
 	else
@ -236,7 +236,7 @@ function parse(unparsed_version: string): Description
 			}
 		}
-	return [$version=v, $unparsed_version=unparsed_version, $name=alternate_names[software_name]];
+	return Description($version=v, $unparsed_version=unparsed_version, $name=alternate_names[software_name]);
 	}
 global parse_cache: table[string] of Description &read_expire=65secs;
@ -269,13 +269,13 @@ function parse_mozilla(unparsed_version: string): Description
 		{
 		software_name = "MSIE";
 		if ( /Trident\/4\.0/ in unparsed_version )
-			v = [$major=8,$minor=0];
+			v = Version($major=8,$minor=0);
 		else if ( /Trident\/5\.0/ in unparsed_version )
-			v = [$major=9,$minor=0];
+			v = Version($major=9,$minor=0);
 		else if ( /Trident\/6\.0/ in unparsed_version )
-			v = [$major=10,$minor=0];
+			v = Version($major=10,$minor=0);
 		else if ( /Trident\/7\.0/ in unparsed_version )
-			v = [$major=11,$minor=0];
+			v = Version($major=11,$minor=0);
 		else
 			{
 			parts = split_string_all(unparsed_version, /MSIE [0-9]{1,2}\.*[0-9]*b?[0-9]*/);
@ -373,7 +373,7 @@ function parse_mozilla(unparsed_version: string): Description
 			v = parse(parts[1])$version;
 		}
-	return [$version=v, $unparsed_version=unparsed_version, $name=software_name];
+	return Description($version=v, $unparsed_version=unparsed_version, $name=software_name);
 	}
--- a/scripts/base/frameworks/spicy/main.zeek
+++ b/scripts/base/frameworks/spicy/main.zeek
@ -8,8 +8,8 @@ export {
 event max_file_depth_exceeded(f: fa_file, args: Files::AnalyzerArgs, limit: count)
    {
-    NOTICE([
+    NOTICE(Notice::Info(
-            $note=Spicy::Spicy_Max_File_Depth_Exceeded,
+                        $note=Spicy::Spicy_Max_File_Depth_Exceeded,
-            $msg=fmt("Maximum file depth exceeded for file %s", f$id)
+                        $msg=fmt("Maximum file depth exceeded for file %s", f$id)
-    ]);
+    ));
    }
--- a/scripts/base/frameworks/sumstats/main.zeek
+++ b/scripts/base/frameworks/sumstats/main.zeek
@ -312,7 +312,7 @@ event zeek_init() &priority=100000
 function init_resultval(r: Reducer): ResultVal
 	{
-	local rv: ResultVal = [$begin=network_time(), $end=network_time()];
+	local rv = ResultVal($begin=network_time(), $end=network_time());
 	hook init_resultval_hook(r, rv);
 	return rv;
 	}
--- a/scripts/base/frameworks/sumstats/plugins/last.zeek
+++ b/scripts/base/frameworks/sumstats/plugins/last.zeek
@ -54,7 +54,7 @@ hook register_observe_plugins()
 		if ( r$num_last_elements > 0 )
 			{
 			if ( ! rv?$last_elements )
-				rv$last_elements = Queue::init([$max_len=r$num_last_elements]);
+				rv$last_elements = Queue::init(Queue::Settings($max_len=r$num_last_elements));
 			Queue::put(rv$last_elements, obs);
 			}
 		});
--- a/scripts/base/frameworks/telemetry/main.zeek
+++ b/scripts/base/frameworks/telemetry/main.zeek
@ -296,12 +296,12 @@ function register_counter_family(opts: MetricOpts): CounterFamily
 	}
 # Fallback Counter returned when there are issues with the labels.
-global error_counter_cf = register_counter_family([
+global error_counter_cf = register_counter_family(MetricOpts(
 	$prefix="zeek",
 	$name="telemetry_counter_usage_error",
 	$unit="",
 	$help_text="This counter is returned when label usage for counters is wrong. Check reporter.log if non-zero."
-]);
+));
 function counter_with(cf: CounterFamily, label_values: labels_vector): Counter
 	{
@ -355,12 +355,12 @@ function register_gauge_family(opts: MetricOpts): GaugeFamily
 	}
 # Fallback Gauge returned when there are issues with the label usage.
-global error_gauge_cf = register_gauge_family([
+global error_gauge_cf = register_gauge_family(MetricOpts(
 	$prefix="zeek",
 	$name="telemetry_gauge_usage_error",
 	$unit="",
 	$help_text="This gauge is returned when label usage for gauges is wrong. Check reporter.log if non-zero."
-]);
+));
 function gauge_with(gf: GaugeFamily, label_values: labels_vector): Gauge
 	{
@ -424,13 +424,13 @@ function register_histogram_family(opts: MetricOpts): HistogramFamily
 	}
 # Fallback Histogram when there are issues with the labels.
-global error_histogram_hf = register_histogram_family([
+global error_histogram_hf = register_histogram_family(MetricOpts(
 	$prefix="zeek",
 	$name="telemetry_histogram_usage_error",
 	$unit="",
 	$help_text="This histogram is returned when label usage for histograms is wrong. Check reporter.log if non-zero.",
 	$bounds=vector(1.0)
-]);
+));
 function histogram_with(hf: HistogramFamily, label_values: labels_vector): Histogram
 	{
@ -474,14 +474,14 @@ event run_sync_hook()
 	}
 # Expose the Zeek version as Prometheus style info metric
-global version_gauge_family = Telemetry::register_gauge_family([
+global version_gauge_family = Telemetry::register_gauge_family(Telemetry::MetricOpts(
 	$prefix="zeek",
 	$name="version_info",
 	$unit="",
 	$help_text="The Zeek version",
 	$label_names=vector("version_number", "major", "minor", "patch", "commit",
                            "beta", "debug","version_string")
-]);
+));
 event zeek_init()
 	{
--- a/scripts/base/frameworks/tunnels/main.zeek
+++ b/scripts/base/frameworks/tunnels/main.zeek
@ -92,7 +92,7 @@ export {
 event zeek_init() &priority=5
 	{
-	Log::create_stream(Tunnel::LOG, [$columns=Info, $path="tunnel", $policy=log_policy]);
+	Log::create_stream(Tunnel::LOG, Log::Stream($columns=Info, $path="tunnel", $policy=log_policy));
 	}
 function register_all(ecv: EncapsulatingConnVector)
--- a/scripts/base/protocols/conn/main.zeek
+++ b/scripts/base/protocols/conn/main.zeek
@ -178,7 +178,7 @@ redef record connection += {
 event zeek_init() &priority=5
 	{
-	Log::create_stream(Conn::LOG, [$columns=Info, $ev=log_conn, $path="conn", $policy=log_policy]);
+	Log::create_stream(Conn::LOG, Log::Stream($columns=Info, $ev=log_conn, $path="conn", $policy=log_policy));
 	}
 function conn_state(c: connection, trans: transport_proto): string
--- a/scripts/base/protocols/dce-rpc/main.zeek
+++ b/scripts/base/protocols/dce-rpc/main.zeek
@ -66,7 +66,7 @@ redef likely_server_ports += { ports };
 event zeek_init() &priority=5
 	{
-	Log::create_stream(DCE_RPC::LOG, [$columns=Info, $path="dce_rpc", $policy=log_policy]);
+	Log::create_stream(DCE_RPC::LOG, Log::Stream($columns=Info, $path="dce_rpc", $policy=log_policy));
 	Analyzer::register_for_ports(Analyzer::ANALYZER_DCE_RPC, ports);
 	}
--- a/scripts/base/protocols/dhcp/main.zeek
+++ b/scripts/base/protocols/dhcp/main.zeek
@ -130,7 +130,7 @@ redef likely_server_ports += { 67/udp };
 event zeek_init() &priority=5
 	{
-	Log::create_stream(DHCP::LOG, [$columns=Info, $ev=log_dhcp, $path="dhcp", $policy=log_policy]);
+	Log::create_stream(DHCP::LOG, Log::Stream($columns=Info, $ev=log_dhcp, $path="dhcp", $policy=log_policy));
 	Analyzer::register_for_ports(Analyzer::ANALYZER_DHCP, ports);
 	}
--- a/scripts/base/protocols/dnp3/main.zeek
+++ b/scripts/base/protocols/dnp3/main.zeek
@ -42,7 +42,7 @@ redef likely_server_ports += { ports };
 event zeek_init() &priority=5
 	{
-	Log::create_stream(DNP3::LOG, [$columns=Info, $ev=log_dnp3, $path="dnp3", $policy=log_policy]);
+	Log::create_stream(DNP3::LOG, Log::Stream($columns=Info, $ev=log_dnp3, $path="dnp3", $policy=log_policy));
 	Analyzer::register_for_ports(Analyzer::ANALYZER_DNP3_TCP, ports);
 	}
@ -50,7 +50,7 @@ event dnp3_application_request_header(c: connection, is_orig: bool, application_
 	{
 	if ( ! c?$dnp3 )
 		{
-		c$dnp3 = [$ts=network_time(), $uid=c$uid, $id=c$id];
+		c$dnp3 = Info($ts=network_time(), $uid=c$uid, $id=c$id);
 		Conn::register_removal_hook(c, finalize_dnp3);
 		}
@ -62,7 +62,7 @@ event dnp3_application_response_header(c: connection, is_orig: bool, application
 	{
 	if ( ! c?$dnp3 )
 		{
-		c$dnp3 = [$ts=network_time(), $uid=c$uid, $id=c$id];
+		c$dnp3 = Info($ts=network_time(), $uid=c$uid, $id=c$id);
 		Conn::register_removal_hook(c, finalize_dnp3);
 		}
--- a/scripts/base/protocols/dns/main.zeek
+++ b/scripts/base/protocols/dns/main.zeek
@ -164,7 +164,7 @@ redef likely_server_ports += { ports };
 event zeek_init() &priority=5
 	{
-	Log::create_stream(DNS::LOG, [$columns=Info, $ev=log_dns, $path="dns", $policy=log_policy]);
+	Log::create_stream(DNS::LOG, Log::Stream($columns=Info, $ev=log_dns, $path="dns", $policy=log_policy));
 	Analyzer::register_for_ports(Analyzer::ANALYZER_DNS, ports);
 	}
--- a/scripts/base/protocols/ftp/files.zeek
+++ b/scripts/base/protocols/ftp/files.zeek
@ -43,8 +43,8 @@ function describe_file(f: fa_file): string
 event zeek_init() &priority=5
 	{
 	Files::register_protocol(Analyzer::ANALYZER_FTP_DATA,
-	                         [$get_file_handle = FTP::get_file_handle,
+	                         Files::ProtoRegistration($get_file_handle = FTP::get_file_handle,
-	                          $describe        = FTP::describe_file]);
+	                                                  $describe        = FTP::describe_file));
 	}
 event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
--- a/scripts/base/protocols/ftp/main.zeek
+++ b/scripts/base/protocols/ftp/main.zeek
@ -88,7 +88,7 @@ redef likely_server_ports += { ports };
 event zeek_init() &priority=5
 	{
-	Log::create_stream(FTP::LOG, [$columns=Info, $ev=log_ftp, $path="ftp", $policy=log_policy]);
+	Log::create_stream(FTP::LOG, Log::Stream($columns=Info, $ev=log_ftp, $path="ftp", $policy=log_policy));
 	Analyzer::register_for_ports(Analyzer::ANALYZER_FTP, ports);
 	}
@ -307,8 +307,8 @@ event ftp_request(c: connection, command: string, arg: string) &priority=5
 		if ( data$valid )
 			{
-			add_expected_data_channel(c$ftp, [$passive=F, $orig_h=id$resp_h,
+			add_expected_data_channel(c$ftp, ExpectedDataChannel($passive=F, $orig_h=id$resp_h,
-			                                  $resp_h=data$h, $resp_p=data$p]);
+			                                                     $resp_h=data$h, $resp_p=data$p));
 			}
 		else
 			{
@ -403,8 +403,8 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior
 			if ( code == 229 && data$h == [::] )
 				data$h = c$id$resp_h;
-			add_expected_data_channel(c$ftp, [$passive=T, $orig_h=c$id$orig_h,
+			add_expected_data_channel(c$ftp, ExpectedDataChannel($passive=T, $orig_h=c$id$orig_h,
-			                          $resp_h=data$h, $resp_p=data$p]);
+			                                                     $resp_h=data$h, $resp_p=data$p));
 			}
 		else
 			{
--- a/scripts/base/protocols/ftp/utils-commands.zeek
+++ b/scripts/base/protocols/ftp/utils-commands.zeek
@ -80,7 +80,7 @@ export {
 function add_pending_cmd(pc: PendingCmds, seq: count, cmd: string, arg: string): CmdArg
 	{
-	local ca = [$cmd = cmd, $arg = arg, $seq=seq, $ts=network_time()];
+	local ca = CmdArg($cmd = cmd, $arg = arg, $seq=seq, $ts=network_time());
 	pc[ca$seq] = ca;
 	return ca;
--- a/scripts/base/protocols/http/files.zeek
+++ b/scripts/base/protocols/http/files.zeek
@ -51,6 +51,6 @@ function describe_file(f: fa_file): string
 event zeek_init() &priority=5
 	{
 	Files::register_protocol(Analyzer::ANALYZER_HTTP,
-	                         [$get_file_handle = HTTP::get_file_handle,
+	                         Files::ProtoRegistration($get_file_handle = HTTP::get_file_handle,
-	                          $describe        = HTTP::describe_file]);
+	                                                  $describe        = HTTP::describe_file));
 	}
--- a/scripts/base/protocols/http/main.zeek
+++ b/scripts/base/protocols/http/main.zeek
@ -156,7 +156,7 @@ redef likely_server_ports += { ports };
 # Initialize the HTTP logging stream and ports.
 event zeek_init() &priority=5
 	{
-	Log::create_stream(HTTP::LOG, [$columns=Info, $ev=log_http, $path="http", $policy=log_policy]);
+	Log::create_stream(HTTP::LOG, Log::Stream($columns=Info, $ev=log_http, $path="http", $policy=log_policy));
 	Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, ports);
 	}
@ -299,7 +299,7 @@ event http_reply(c: connection, version: string, code: count, reason: string) &p
 		# "tunnel".
 		local tid = copy(c$id);
 		tid$orig_p = 0/tcp;
-		Tunnel::register([$cid=tid, $tunnel_type=Tunnel::HTTP]);
+		Tunnel::register(Tunnel::EncapsulatingConn($cid=tid, $tunnel_type=Tunnel::HTTP));
 		}
 	}
--- a/scripts/base/protocols/irc/files.zeek
+++ b/scripts/base/protocols/irc/files.zeek
@ -26,7 +26,7 @@ function get_file_handle(c: connection, is_orig: bool): string
 event zeek_init() &priority=5
 	{
 	Files::register_protocol(Analyzer::ANALYZER_IRC_DATA,
-	                         [$get_file_handle = IRC::get_file_handle]);
+	                         Files::ProtoRegistration($get_file_handle = IRC::get_file_handle));
 	}
 event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
--- a/scripts/base/protocols/irc/main.zeek
+++ b/scripts/base/protocols/irc/main.zeek
@ -45,7 +45,7 @@ redef likely_server_ports += { ports };
 event zeek_init() &priority=5
 	{
-	Log::create_stream(IRC::LOG, [$columns=Info, $ev=irc_log, $path="irc", $policy=log_policy]);
+	Log::create_stream(IRC::LOG, Log::Stream($columns=Info, $ev=irc_log, $path="irc", $policy=log_policy));
 	Analyzer::register_for_ports(Analyzer::ANALYZER_IRC, ports);
 	}
--- a/scripts/base/protocols/krb/files.zeek
+++ b/scripts/base/protocols/krb/files.zeek
@ -64,12 +64,12 @@ function describe_file(f: fa_file): string
 event zeek_init() &priority=5
 	{
 	Files::register_protocol(Analyzer::ANALYZER_KRB_TCP,
-	                         [$get_file_handle = KRB::get_file_handle,
+	                         Files::ProtoRegistration($get_file_handle = KRB::get_file_handle,
-	                          $describe        = KRB::describe_file]);
+	                                                  $describe        = KRB::describe_file));
 	Files::register_protocol(Analyzer::ANALYZER_KRB,
-	                         [$get_file_handle = KRB::get_file_handle,
+	                         Files::ProtoRegistration($get_file_handle = KRB::get_file_handle,
-	                          $describe        = KRB::describe_file]);
+	                                                  $describe        = KRB::describe_file));
 	}
 event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
--- a/scripts/base/protocols/krb/main.zeek
+++ b/scripts/base/protocols/krb/main.zeek
@ -83,7 +83,7 @@ event zeek_init() &priority=5
 	{
 	Analyzer::register_for_ports(Analyzer::ANALYZER_KRB, udp_ports);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_KRB_TCP, tcp_ports);
-	Log::create_stream(KRB::LOG, [$columns=Info, $ev=log_krb, $path="kerberos", $policy=log_policy]);
+	Log::create_stream(KRB::LOG, Log::Stream($columns=Info, $ev=log_krb, $path="kerberos", $policy=log_policy));
 	}
 function set_session(c: connection): bool
--- a/scripts/base/protocols/ldap/main.zeek
+++ b/scripts/base/protocols/ldap/main.zeek
@ -144,8 +144,8 @@ event zeek_init() &priority=5 {
  Analyzer::register_for_ports(Analyzer::ANALYZER_LDAP_TCP, LDAP::ports_tcp);
  Analyzer::register_for_ports(Analyzer::ANALYZER_LDAP_UDP, LDAP::ports_udp);
-  Log::create_stream(LDAP::LDAP_LOG, [$columns=MessageInfo, $ev=log_ldap, $path="ldap", $policy=log_policy]);
+  Log::create_stream(LDAP::LDAP_LOG, Log::Stream($columns=MessageInfo, $ev=log_ldap, $path="ldap", $policy=log_policy));
-  Log::create_stream(LDAP::LDAP_SEARCH_LOG, [$columns=SearchInfo, $ev=log_ldap_search, $path="ldap_search", $policy=log_policy_search]);
+  Log::create_stream(LDAP::LDAP_SEARCH_LOG, Log::Stream($columns=SearchInfo, $ev=log_ldap_search, $path="ldap_search", $policy=log_policy_search));
 }
 #############################################################################
@ -163,17 +163,17 @@ function set_session(c: connection, message_id: int, opcode: LDAP::ProtocolOpcod
    c$ldap$searches = table();
  if ((opcode in OPCODES_SEARCH) && (message_id !in c$ldap$searches)) {
-    c$ldap$searches[message_id] = [$ts=network_time(),
+    c$ldap$searches[message_id] = SearchInfo($ts=network_time(),
-                                   $uid=c$uid,
+                                             $uid=c$uid,
-                                   $id=c$id,
+                                             $id=c$id,
-                                   $message_id=message_id,
+                                             $message_id=message_id,
-                                   $result_count=0];
+                                             $result_count=0);
  } else if ((opcode !in OPCODES_SEARCH) && (message_id !in c$ldap$messages)) {
-    c$ldap$messages[message_id] = [$ts=network_time(),
+    c$ldap$messages[message_id] = MessageInfo($ts=network_time(),
-                                   $uid=c$uid,
+                                              $uid=c$uid,
-                                   $id=c$id,
+                                              $id=c$id,
-                                   $message_id=message_id];
+                                              $message_id=message_id);
  }
 }
--- a/scripts/base/protocols/modbus/main.zeek
+++ b/scripts/base/protocols/modbus/main.zeek
@ -42,7 +42,7 @@ redef likely_server_ports += { ports };
 event zeek_init() &priority=5
 	{
-	Log::create_stream(Modbus::LOG, [$columns=Info, $ev=log_modbus, $path="modbus", $policy=log_policy]);
+	Log::create_stream(Modbus::LOG, Log::Stream($columns=Info, $ev=log_modbus, $path="modbus", $policy=log_policy));
 	Analyzer::register_for_ports(Analyzer::ANALYZER_MODBUS, ports);
 	}
@ -69,7 +69,7 @@ event modbus_message(c: connection, headers: ModbusHeaders, is_orig: bool) &prio
 	{
 	if ( ! c?$modbus )
 		{
-		c$modbus = [$ts=network_time(), $uid=c$uid, $id=c$id];
+		c$modbus = Info($ts=network_time(), $uid=c$uid, $id=c$id);
 		}
 	c$modbus$ts   = network_time();
--- a/scripts/base/protocols/mqtt/main.zeek
+++ b/scripts/base/protocols/mqtt/main.zeek
@ -150,9 +150,9 @@ redef likely_server_ports += { ports };
 event zeek_init() &priority=5
 	{
-	Log::create_stream(MQTT::CONNECT_LOG, [$columns=ConnectInfo, $ev=log_mqtt, $path="mqtt_connect", $policy=log_policy_connect]);
+	Log::create_stream(MQTT::CONNECT_LOG, Log::Stream($columns=ConnectInfo, $ev=log_mqtt, $path="mqtt_connect", $policy=log_policy_connect));
-	Log::create_stream(MQTT::SUBSCRIBE_LOG, [$columns=SubscribeInfo, $path="mqtt_subscribe", $policy=log_policy_subscribe]);
+	Log::create_stream(MQTT::SUBSCRIBE_LOG, Log::Stream($columns=SubscribeInfo, $path="mqtt_subscribe", $policy=log_policy_subscribe));
-	Log::create_stream(MQTT::PUBLISH_LOG, [$columns=PublishInfo, $path="mqtt_publish", $policy=log_policy_publish]);
+	Log::create_stream(MQTT::PUBLISH_LOG, Log::Stream($columns=PublishInfo, $path="mqtt_publish", $policy=log_policy_publish));
 	Analyzer::register_for_ports(Analyzer::ANALYZER_MQTT, ports);
 	}
--- a/scripts/base/protocols/mysql/main.zeek
+++ b/scripts/base/protocols/mysql/main.zeek
@ -45,7 +45,7 @@ const ports = { 1434/tcp, 3306/tcp };
 event zeek_init() &priority=5
 	{
-	Log::create_stream(mysql::LOG, [$columns=Info, $ev=log_mysql, $path="mysql", $policy=log_policy]);
+	Log::create_stream(mysql::LOG, Log::Stream($columns=Info, $ev=log_mysql, $path="mysql", $policy=log_policy));
 	Analyzer::register_for_ports(Analyzer::ANALYZER_MYSQL, ports);
 	}
--- a/scripts/base/protocols/ntlm/main.zeek
+++ b/scripts/base/protocols/ntlm/main.zeek
@ -49,7 +49,7 @@ redef record connection += {
 event zeek_init() &priority=5
 	{
-	Log::create_stream(NTLM::LOG, [$columns=Info, $path="ntlm", $policy=log_policy]);
+	Log::create_stream(NTLM::LOG, Log::Stream($columns=Info, $path="ntlm", $policy=log_policy));
 	}
 function set_session(c: connection)
--- a/scripts/base/protocols/ntp/main.zeek
+++ b/scripts/base/protocols/ntp/main.zeek
@ -61,7 +61,7 @@ redef likely_server_ports += { ports };
 event zeek_init() &priority=5
 	{
 	Analyzer::register_for_ports(Analyzer::ANALYZER_NTP, ports);
-	Log::create_stream(NTP::LOG, [$columns = Info, $ev = log_ntp, $path="ntp", $policy=log_policy]);
+	Log::create_stream(NTP::LOG, Log::Stream($columns = Info, $ev = log_ntp, $path="ntp", $policy=log_policy));
 	}
 event ntp_message(c: connection, is_orig: bool, msg: NTP::Message) &priority=5
--- a/scripts/base/protocols/postgresql/main.zeek
+++ b/scripts/base/protocols/postgresql/main.zeek
@ -75,7 +75,7 @@ redef likely_server_ports += { ports };
 event zeek_init() {
 	Analyzer::register_for_ports(Analyzer::ANALYZER_POSTGRESQL, ports);
-	Log::create_stream(PostgreSQL::LOG, [$columns=Info, $ev=log_postgresql, $path="postgresql"]);
+	Log::create_stream(PostgreSQL::LOG, Log::Stream($columns=Info, $ev=log_postgresql, $path="postgresql"));
 }
 hook set_session(c: connection) {
--- a/scripts/base/protocols/quic/main.zeek
+++ b/scripts/base/protocols/quic/main.zeek
@ -236,6 +236,6 @@ hook finalize_quic(c: connection)
 event zeek_init()
 	{
-	Log::create_stream(LOG, [$columns=Info, $ev=log_quic, $path="quic", $policy=log_policy]);
+	Log::create_stream(LOG, Log::Stream($columns=Info, $ev=log_quic, $path="quic", $policy=log_policy));
 	Analyzer::register_for_ports(Analyzer::ANALYZER_QUIC, quic_ports);
 	}
--- a/scripts/base/protocols/radius/main.zeek
+++ b/scripts/base/protocols/radius/main.zeek
@ -65,7 +65,7 @@ redef likely_server_ports += { ports };
 event zeek_init() &priority=5
 	{
-	Log::create_stream(RADIUS::LOG, [$columns=Info, $ev=log_radius, $path="radius", $policy=log_policy]);
+	Log::create_stream(RADIUS::LOG, Log::Stream($columns=Info, $ev=log_radius, $path="radius", $policy=log_policy));
 	Analyzer::register_for_ports(Analyzer::ANALYZER_RADIUS, ports);
 	}
--- a/scripts/base/protocols/rdp/main.zeek
+++ b/scripts/base/protocols/rdp/main.zeek
@ -98,7 +98,7 @@ redef likely_server_ports += { rdp_ports, rdpeudp_ports };
 event zeek_init() &priority=5
 	{
-	Log::create_stream(RDP::LOG, [$columns=RDP::Info, $ev=log_rdp, $path="rdp", $policy=log_policy]);
+	Log::create_stream(RDP::LOG, Log::Stream($columns=RDP::Info, $ev=log_rdp, $path="rdp", $policy=log_policy));
 	Analyzer::register_for_ports(Analyzer::ANALYZER_RDP, rdp_ports);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_RDPEUDP, rdpeudp_ports);
 	}
@ -155,7 +155,7 @@ function set_session(c: connection)
 	{
 	if ( ! c?$rdp )
 		{
-		c$rdp = [$ts=network_time(),$id=c$id,$uid=c$uid];
+		c$rdp = Info($ts=network_time(),$id=c$id,$uid=c$uid);
 		Conn::register_removal_hook(c, finalize_rdp);
 		# The RDP session is scheduled to be logged from
 		# the time it is first initiated.
--- a/scripts/base/protocols/redis/main.zeek
+++ b/scripts/base/protocols/redis/main.zeek
@ -96,8 +96,8 @@ redef likely_server_ports += {ports};
 event zeek_init() &priority=5
 	{
-	Log::create_stream(Redis::LOG, [$columns=Info, $path="redis",
+	Log::create_stream(Redis::LOG, Log::Stream($columns=Info, $path="redis",
-	    $policy=log_policy]);
+	    $policy=log_policy));
 	Analyzer::register_for_ports(Analyzer::ANALYZER_REDIS, ports);
 	}
--- a/scripts/base/protocols/rfb/main.zeek
+++ b/scripts/base/protocols/rfb/main.zeek
@ -85,7 +85,7 @@ redef record connection += {
 event zeek_init() &priority=5
 	{
-	Log::create_stream(RFB::LOG, [$columns=Info, $ev=log_rfb, $path="rfb", $policy=log_policy]);
+	Log::create_stream(RFB::LOG, Log::Stream($columns=Info, $ev=log_rfb, $path="rfb", $policy=log_policy));
 	}
 function write_log(c:connection)
--- a/scripts/base/protocols/sip/main.zeek
+++ b/scripts/base/protocols/sip/main.zeek
@ -106,7 +106,7 @@ redef likely_server_ports += { ports };
 event zeek_init() &priority=5
 	{
-	Log::create_stream(SIP::LOG, [$columns=Info, $ev=log_sip, $path="sip", $policy=log_policy]);
+	Log::create_stream(SIP::LOG, Log::Stream($columns=Info, $ev=log_sip, $path="sip", $policy=log_policy));
 	Analyzer::register_for_ports(Analyzer::ANALYZER_SIP, ports);
 	}
--- a/scripts/base/protocols/smb/consts.zeek
+++ b/scripts/base/protocols/smb/consts.zeek
@ -7,8 +7,8 @@ export {
 	};
 	const statuses: table[count] of StatusCode = {
-		[0x00000000] = [$id="SUCCESS", $desc="The operation completed successfully."],
+		[0x00000000] = StatusCode($id="SUCCESS", $desc="The operation completed successfully."),
-	} &redef &default=function(i: count):StatusCode { local unknown=fmt("unknown-%d", i); return [$id=unknown, $desc=unknown]; };
+	} &redef &default=function(i: count):StatusCode { local unknown=fmt("unknown-%d", i); return StatusCode($id=unknown, $desc=unknown); };
 	## Heuristic detection of named pipes when the pipe
 	## mapping isn't seen. This variable is defined in
--- a/scripts/base/protocols/smb/files.zeek
+++ b/scripts/base/protocols/smb/files.zeek
@ -50,8 +50,8 @@ function describe_file(f: fa_file): string
 event zeek_init() &priority=5
 	{
 	Files::register_protocol(Analyzer::ANALYZER_SMB,
-	                         [$get_file_handle = SMB::get_file_handle,
+	                         Files::ProtoRegistration($get_file_handle = SMB::get_file_handle,
-	                          $describe        = SMB::describe_file]);
+	                                                  $describe        = SMB::describe_file ));
 	}
 event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
--- a/scripts/base/protocols/smb/main.zeek
+++ b/scripts/base/protocols/smb/main.zeek
@ -186,8 +186,8 @@ redef likely_server_ports += { ports };
 event zeek_init() &priority=5
 	{
-	Log::create_stream(SMB::FILES_LOG, [$columns=SMB::FileInfo, $path="smb_files", $policy=log_policy_files]);
+	Log::create_stream(SMB::FILES_LOG, Log::Stream($columns=SMB::FileInfo, $path="smb_files", $policy=log_policy_files));
-	Log::create_stream(SMB::MAPPING_LOG, [$columns=SMB::TreeInfo, $path="smb_mapping", $policy=log_policy_mapping]);
+	Log::create_stream(SMB::MAPPING_LOG, Log::Stream($columns=SMB::TreeInfo, $path="smb_mapping", $policy=log_policy_mapping));
 	Analyzer::register_for_ports(Analyzer::ANALYZER_SMB, ports);
 	}
--- a/scripts/base/protocols/smtp/files.zeek
+++ b/scripts/base/protocols/smtp/files.zeek
@ -41,8 +41,8 @@ function describe_file(f: fa_file): string
 event zeek_init() &priority=5
 	{
 	Files::register_protocol(Analyzer::ANALYZER_SMTP,
-	                         [$get_file_handle = SMTP::get_file_handle,
+	                         Files::ProtoRegistration($get_file_handle = SMTP::get_file_handle,
-	                          $describe        = SMTP::describe_file]);
+	                                                  $describe        = SMTP::describe_file));
 	}
 event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
--- a/scripts/base/protocols/smtp/main.zeek
+++ b/scripts/base/protocols/smtp/main.zeek
@ -120,7 +120,7 @@ redef likely_server_ports += { ports };
 event zeek_init() &priority=5
 	{
-	Log::create_stream(SMTP::LOG, [$columns=SMTP::Info, $ev=log_smtp, $path="smtp", $policy=log_policy]);
+	Log::create_stream(SMTP::LOG, Log::Stream($columns=SMTP::Info, $ev=log_smtp, $path="smtp", $policy=log_policy));
 	Analyzer::register_for_ports(Analyzer::ANALYZER_SMTP, ports);
 	}
--- a/scripts/base/protocols/snmp/main.zeek
+++ b/scripts/base/protocols/snmp/main.zeek
@ -73,7 +73,7 @@ redef likely_server_ports += { ports };
 event zeek_init() &priority=5
 	{
 	Analyzer::register_for_ports(Analyzer::ANALYZER_SNMP, ports);
-	Log::create_stream(SNMP::LOG, [$columns=SNMP::Info, $ev=log_snmp, $path="snmp", $policy=log_policy]);
+	Log::create_stream(SNMP::LOG, Log::Stream($columns=SNMP::Info, $ev=log_snmp, $path="snmp", $policy=log_policy));
 	}
 function init_state(c: connection, h: SNMP::Header): Info
--- a/scripts/base/protocols/socks/main.zeek
+++ b/scripts/base/protocols/socks/main.zeek
@ -55,7 +55,7 @@ redef likely_server_ports += { ports };
 event zeek_init() &priority=5
 	{
-	Log::create_stream(SOCKS::LOG, [$columns=Info, $ev=log_socks, $path="socks", $policy=log_policy]);
+	Log::create_stream(SOCKS::LOG, Log::Stream($columns=Info, $ev=log_socks, $path="socks", $policy=log_policy));
 	Analyzer::register_for_ports(Analyzer::ANALYZER_SOCKS, ports);
 	}
@ -67,7 +67,7 @@ function set_session(c: connection, version: count)
 	{
 	if ( ! c?$socks )
 		{
-		c$socks = [$ts=network_time(), $id=c$id, $uid=c$uid, $version=version];
+		c$socks = Info($ts=network_time(), $id=c$id, $uid=c$uid, $version=version);
 		Conn::register_removal_hook(c, finalize_socks);
 		}
 	}
@ -85,7 +85,7 @@ event socks_request(c: connection, version: count, request_type: count,
 	# proxied connection.  We treat this as a singular "tunnel".
 	local cid = copy(c$id);
 	cid$orig_p = 0/tcp;
-	Tunnel::register([$cid=cid, $tunnel_type=Tunnel::SOCKS]);
+	Tunnel::register(Tunnel::EncapsulatingConn($cid=cid, $tunnel_type=Tunnel::SOCKS));
 	}
 event socks_reply(c: connection, version: count, reply: count, sa: SOCKS::Address, p: port) &priority=5
--- a/scripts/base/protocols/ssh/main.zeek
+++ b/scripts/base/protocols/ssh/main.zeek
@ -139,7 +139,7 @@ redef likely_server_ports += { ports };
 event zeek_init() &priority=5
 	{
 	Analyzer::register_for_ports(Analyzer::ANALYZER_SSH, ports);
-	Log::create_stream(SSH::LOG, [$columns=Info, $ev=log_ssh, $path="ssh", $policy=log_policy]);
+	Log::create_stream(SSH::LOG, Log::Stream($columns=Info, $ev=log_ssh, $path="ssh", $policy=log_policy));
 	}
 function set_session(c: connection)
--- a/scripts/base/protocols/ssl/files.zeek
+++ b/scripts/base/protocols/ssl/files.zeek
@ -97,13 +97,12 @@ function describe_file(f: fa_file): string
 event zeek_init() &priority=5
 	{
 	Files::register_protocol(Analyzer::ANALYZER_SSL,
-	                         [$get_file_handle = SSL::get_file_handle,
+	                         Files::ProtoRegistration($get_file_handle = SSL::get_file_handle,
-	                          $describe        = SSL::describe_file]);
+	                                                  $describe        = SSL::describe_file));
 	Files::register_protocol(Analyzer::ANALYZER_DTLS,
-	                         [$get_file_handle = SSL::get_file_handle,
+	                         Files::ProtoRegistration($get_file_handle = SSL::get_file_handle,
-	                          $describe        = SSL::describe_file]);
+	                                                  $describe        = SSL::describe_file));
 	local ssl_filter = Log::get_filter(SSL::LOG, "default");
 	if ( ssl_filter$name != "<not found>" )
--- a/scripts/base/protocols/ssl/main.zeek
+++ b/scripts/base/protocols/ssl/main.zeek
@ -196,7 +196,7 @@ redef likely_server_ports += { ssl_ports, dtls_ports };
 # Priority needs to be higher than priority of zeek_init in ssl/files.zeek
 event zeek_init() &priority=6
 	{
-	Log::create_stream(SSL::LOG, [$columns=Info, $ev=log_ssl, $path="ssl", $policy=log_policy]);
+	Log::create_stream(SSL::LOG, Log::Stream($columns=Info, $ev=log_ssl, $path="ssl", $policy=log_policy));
 	Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, ssl_ports);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_DTLS, dtls_ports);
 	}
@ -205,7 +205,7 @@ function set_session(c: connection)
 	{
 	if ( ! c?$ssl )
 		{
-		c$ssl = [$ts=network_time(), $uid=c$uid, $id=c$id];
+		c$ssl = Info($ts=network_time(), $uid=c$uid, $id=c$id);
 		Conn::register_removal_hook(c, finalize_ssl);
 		}
 	}
--- a/scripts/base/protocols/syslog/main.zeek
+++ b/scripts/base/protocols/syslog/main.zeek
@ -38,7 +38,7 @@ redef likely_server_ports += { ports };
 event zeek_init() &priority=5
 	{
-	Log::create_stream(Syslog::LOG, [$columns=Info, $path="syslog", $policy=log_policy]);
+	Log::create_stream(Syslog::LOG, Log::Stream($columns=Info, $path="syslog", $policy=log_policy));
 	Analyzer::register_for_ports(Analyzer::ANALYZER_SYSLOG, ports);
 	}
--- a/scripts/base/protocols/websocket/main.zeek
+++ b/scripts/base/protocols/websocket/main.zeek
@ -228,5 +228,5 @@ event websocket_established(c: connection, aid: count) &priority=-5
 event zeek_init()
 	{
-	Log::create_stream(LOG, [$columns=Info, $ev=log_websocket, $path="websocket", $policy=log_policy]);
+	Log::create_stream(LOG, Log::Stream($columns=Info, $ev=log_websocket, $path="websocket", $policy=log_policy));
 	}
--- a/scripts/base/utils/active-http.zeek
+++ b/scripts/base/utils/active-http.zeek
@ -98,7 +98,7 @@ function request(req: Request): ActiveHTTP::Response
 	local cmd = request2curl(req, bodyfile, headersfile);
 	local stdin_data = req?$client_data ? req$client_data : "";
-	return when [req, resp, cmd, stdin_data, bodyfile, headersfile] ( local result = Exec::run([$cmd=cmd, $stdin=stdin_data, $read_files=set(bodyfile, headersfile)]) )
+	return when [req, resp, cmd, stdin_data, bodyfile, headersfile] ( local result = Exec::run(Exec::Command($cmd=cmd, $stdin=stdin_data, $read_files=set(bodyfile, headersfile))) )
 		{
 		# If there is no response line then nothing else will work either.
 		if ( ! (result?$files && headersfile in result$files) )
--- a/scripts/base/utils/dir.zeek
+++ b/scripts/base/utils/dir.zeek
@ -28,7 +28,7 @@ event Dir::monitor_ev(dir: string, last_files: set[string],
                      callback: function(fname: string),
                      poll_interval: interval)
 	{
-	when [dir, last_files, callback, poll_interval] ( local result = Exec::run([$cmd=fmt("ls -1 %s/", safe_shell_quote(dir))]) )
+	when [dir, last_files, callback, poll_interval] ( local result = Exec::run(Exec::Command($cmd=fmt("ls -1 %s/", safe_shell_quote(dir)))) )
 		{
 		if ( result$exit_code != 0 )
 			{
--- a/scripts/base/utils/exec.zeek
+++ b/scripts/base/utils/exec.zeek
@ -142,12 +142,12 @@ event InputRaw::process_finished(name: string, source:string, exit_code:count, s
 		delete pending_commands[name];
 	else
 		for ( read_file in pending_files[name] )
-			Input::add_event([$source=fmt("%s", read_file),
+			Input::add_event(Input::EventDescription($source=fmt("%s", read_file),
-			                  $name=fmt("%s_%s", name, read_file),
+			                                         $name=fmt("%s_%s", name, read_file),
-			                  $reader=Input::READER_RAW,
+			                                         $reader=Input::READER_RAW,
-			                  $want_record=F,
+			                                         $want_record=F,
-			                  $fields=FileLine,
+			                                         $fields=FileLine,
-			                  $ev=Exec::file_line]);
+			                                         $ev=Exec::file_line));
 	}
 function run(cmd: Command): Result
@ -169,14 +169,14 @@ function run(cmd: Command): Result
 		["stdin"]       = cmd$stdin,
 		["read_stderr"] = "1",
 	};
-	Input::add_event([$name=cmd$uid,
+	Input::add_event(Input::EventDescription($name=cmd$uid,
-	                  $source=fmt("%s |", cmd$cmd),
+	                                         $source=fmt("%s |", cmd$cmd),
-	                  $reader=Input::READER_RAW,
+	                                         $reader=Input::READER_RAW,
-	                  $mode=Input::STREAM,
+	                                         $mode=Input::STREAM,
-	                  $fields=Exec::OneLine,
+	                                         $fields=Exec::OneLine,
-	                  $ev=Exec::line,
+	                                         $ev=Exec::line,
-	                  $want_record=F,
+	                                         $want_record=F,
-	                  $config=config_strings]);
+	                                         $config=config_strings));
 	return when [cmd] ( cmd$uid !in pending_commands )
 		{
--- a/scripts/base/utils/patterns.zeek
+++ b/scripts/base/utils/patterns.zeek
@ -61,7 +61,7 @@ function match_pattern(s: string, p: pattern): PatternMatchResult
 	if ( |a| == 1 )
 		# no match
-		return [$matched = F, $str = "", $off = 0];
+		return PatternMatchResult($matched = F, $str = "", $off = 0);
 	else
-		return [$matched = T, $str = a[1], $off = |a[0]| + 1];
+		return PatternMatchResult($matched = T, $str = a[1], $off = |a[0]| + 1);
 	}
--- a/scripts/policy/frameworks/analyzer/debug-logging.zeek
+++ b/scripts/policy/frameworks/analyzer/debug-logging.zeek
@ -69,8 +69,8 @@ export {
 event zeek_init() &priority=5
 	{
-	Log::create_stream(LOG, [$columns=Info, $path="analyzer_debug", $policy=log_policy,
+	Log::create_stream(LOG, Log::Stream($columns=Info, $path="analyzer_debug", $policy=log_policy,
-	                         $event_groups=set("Analyzer::DebugLogging")]);
+	                                    $event_groups=set("Analyzer::DebugLogging")));
 	local enable_handler = function(id: string, new_value: bool): bool {
 	if ( new_value )
--- a/scripts/policy/frameworks/analyzer/deprecated-dpd-log.zeek
+++ b/scripts/policy/frameworks/analyzer/deprecated-dpd-log.zeek
@ -33,7 +33,7 @@ redef record connection += {
 event zeek_init() &priority=5
 	{
-	Log::create_stream(DPD::LOG, [$columns=Info, $path="dpd", $policy=log_policy]);
+	Log::create_stream(DPD::LOG, Log::Stream($columns=Info, $path="dpd", $policy=log_policy));
 	}
 # before the same event in dpd.zeek
--- a/scripts/policy/frameworks/analyzer/detect-protocols.zeek
+++ b/scripts/policy/frameworks/analyzer/detect-protocols.zeek
@ -93,7 +93,7 @@ function get_protocol(c: connection, a: AllAnalyzers::Tag) : protocol
 			str = |str| > 0 ? fmt("%s/%s", str, p) : p;
 		}
-	return [$a=Analyzer::name(a), $sub=str];
+	return protocol($a=Analyzer::name(a), $sub=str);
 	}
 function fmt_protocol(p: protocol) : string
@ -115,9 +115,9 @@ function do_notice(c: connection, a: AllAnalyzers::Tag, d: dir)
 	local p = get_protocol(c, a);
 	local s = fmt_protocol(p);
-	NOTICE([$note=Protocol_Found,
+	NOTICE(Notice::Info($note=Protocol_Found,
 		$msg=fmt("%s %s on port %s", id_string(c$id), s, c$id$resp_p),
-		$sub=s, $conn=c]);
+		$sub=s, $conn=c));
 	# We report multiple Server_Found's per host if we find a new
 	# sub-protocol.
@ -130,10 +130,10 @@ function do_notice(c: connection, a: AllAnalyzers::Tag, d: dir)
 	if ( (! known || newsub) && a !in suppress_servers )
 		{
-		NOTICE([$note=Server_Found,
+		NOTICE(Notice::Info($note=Server_Found,
 			$msg=fmt("%s: %s server on port %s%s", c$id$resp_h, s,
 				c$id$resp_p, (known ? " (update)" : "")),
-			$p=c$id$resp_p, $sub=s, $conn=c, $src=c$id$resp_h]);
+			$p=c$id$resp_p, $sub=s, $conn=c, $src=c$id$resp_h));
 		if ( ! known )
 			servers[c$id$resp_h, c$id$resp_p, p$a] = set();
--- a/scripts/policy/frameworks/intel/seen/conn-established.zeek
+++ b/scripts/policy/frameworks/intel/seen/conn-established.zeek
@ -6,7 +6,7 @@ event connection_established(c: connection)
 	if ( c$orig$state == TCP_ESTABLISHED &&
 	     c$resp$state == TCP_ESTABLISHED )
 		{
-		Intel::seen([$host=c$id$orig_h, $conn=c, $where=Conn::IN_ORIG]);
+		Intel::seen(Intel::Seen($host=c$id$orig_h, $conn=c, $where=Conn::IN_ORIG));
-		Intel::seen([$host=c$id$resp_h, $conn=c, $where=Conn::IN_RESP]);
+		Intel::seen(Intel::Seen($host=c$id$resp_h, $conn=c, $where=Conn::IN_RESP));
 		}
 	}
--- a/scripts/policy/frameworks/intel/seen/dns.zeek
+++ b/scripts/policy/frameworks/intel/seen/dns.zeek
@ -3,8 +3,8 @@
 event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) &group="Intel::DOMAIN"
 	{
-	Intel::seen([$indicator=query,
+	Intel::seen(Intel::Seen($indicator=query,
-	             $indicator_type=Intel::DOMAIN,
+	                        $indicator_type=Intel::DOMAIN,
-	             $conn=c,
+	                        $conn=c,
-	             $where=DNS::IN_REQUEST]);
+	                        $where=DNS::IN_REQUEST));
 	}
--- a/scripts/policy/frameworks/intel/seen/file-names.zeek
+++ b/scripts/policy/frameworks/intel/seen/file-names.zeek
@ -10,10 +10,10 @@ event file_new(f: fa_file) &group="Intel::FILE_NAME"
 		return;
 	if ( f?$info && f$info?$filename )
-		Intel::seen([$indicator=f$info$filename,
+		Intel::seen(Intel::Seen($indicator=f$info$filename,
-		             $indicator_type=Intel::FILE_NAME,
+		                        $indicator_type=Intel::FILE_NAME,
-		             $f=f,
+		                        $f=f,
-		             $where=Files::IN_NAME]);
+		                        $where=Files::IN_NAME));
 	}
 event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=-5 &group="Intel::FILE_NAME"
@ -23,8 +23,8 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
        return;
 	if ( f?$info && f$info?$filename )
-		Intel::seen([$indicator=f$info$filename,
+		Intel::seen(Intel::Seen($indicator=f$info$filename,
-		             $indicator_type=Intel::FILE_NAME,
+		                        $indicator_type=Intel::FILE_NAME,
-		             $f=f,
+		                        $f=f,
-		             $where=Files::IN_NAME]);
+		                        $where=Files::IN_NAME));
 	}
--- a/scripts/policy/frameworks/intel/seen/http-headers.zeek
+++ b/scripts/policy/frameworks/intel/seen/http-headers.zeek
@ -13,10 +13,10 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &gr
 		# Remove the occasional port value that shows up here.
 		local host = gsub(value, /:[[:digit:]]+$/, "");
 		if ( is_valid_ip(host) )
-			Intel::seen([$host=to_addr(host),
+			Intel::seen(Intel::Seen($host=to_addr(host),
-				     $indicator_type=Intel::ADDR,
+			                        $indicator_type=Intel::ADDR,
-				     $conn=c,
+			                        $conn=c,
-				     $where=HTTP::IN_HOST_HEADER]);
+			                        $where=HTTP::IN_HOST_HEADER));
 		break;
 		case "X-FORWARDED-FOR":
@ -25,10 +25,10 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &gr
 			local addrs = extract_ip_addresses(value);
 			for ( i in addrs )
 				{
-				Intel::seen([$host=to_addr(addrs[i]),
+				Intel::seen(Intel::Seen($host=to_addr(addrs[i]),
-				             $indicator_type=Intel::ADDR,
+				                        $indicator_type=Intel::ADDR,
-				             $conn=c,
+				                        $conn=c,
-				             $where=HTTP::IN_X_FORWARDED_FOR_HEADER]);
+				                        $where=HTTP::IN_X_FORWARDED_FOR_HEADER));
 				}
 			}
 		break;
@ -38,36 +38,36 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &gr
 event http_header(c: connection, is_orig: bool, name: string, value: string) &group="Intel::DOMAIN"
 	{
 	if ( ! is_orig || name != "HOST" )
-	    return;
+		return;
 	# Remove the occasional port value that shows up here.
 	local host = gsub(value, /:[[:digit:]]+$/, "");
 	if ( ! is_valid_ip(host) )
-		Intel::seen([$indicator=host,
+		Intel::seen(Intel::Seen($indicator=host,
-			     $indicator_type=Intel::DOMAIN,
+		                        $indicator_type=Intel::DOMAIN,
-			     $conn=c,
+		                        $conn=c,
-			     $where=HTTP::IN_HOST_HEADER]);
+		                        $where=HTTP::IN_HOST_HEADER));
 	}
 event http_header(c: connection, is_orig: bool, name: string, value: string) &group="Intel::URL"
 	{
 	if ( ! is_orig || name != "REFERER" )
-	    return;
+		return;
-	Intel::seen([$indicator=sub(value, /^.*:\/\//, ""),
+	Intel::seen(Intel::Seen($indicator=sub(value, /^.*:\/\//, ""),
-	             $indicator_type=Intel::URL,
+	                        $indicator_type=Intel::URL,
-	             $conn=c,
+	                        $conn=c,
-	             $where=HTTP::IN_REFERRER_HEADER]);
+	                        $where=HTTP::IN_REFERRER_HEADER));
 	}
 event http_header(c: connection, is_orig: bool, name: string, value: string) &group="Intel::SOFTWARE"
 	{
 	if ( ! is_orig || name != "USER-AGENT" )
-	    return;
+		return;
-	Intel::seen([$indicator=value,
+	Intel::seen(Intel::Seen($indicator=value,
-	             $indicator_type=Intel::SOFTWARE,
+	                        $indicator_type=Intel::SOFTWARE,
-	             $conn=c,
+	                        $conn=c,
-	             $where=HTTP::IN_USER_AGENT_HEADER]);
+	                        $where=HTTP::IN_USER_AGENT_HEADER));
 	}
--- a/scripts/policy/frameworks/intel/seen/http-url.zeek
+++ b/scripts/policy/frameworks/intel/seen/http-url.zeek
@ -5,8 +5,8 @@
 event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) &group="Intel::URL"
 	{
 	if ( is_orig && c?$http )
-		Intel::seen([$indicator=HTTP::build_url(c$http),
+		Intel::seen(Intel::Seen($indicator=HTTP::build_url(c$http),
-		             $indicator_type=Intel::URL,
+		                        $indicator_type=Intel::URL,
-		             $conn=c,
+		                        $conn=c,
-		             $where=HTTP::IN_URL]);
+		                        $where=HTTP::IN_URL));
 	}
--- a/scripts/policy/frameworks/intel/seen/smb-filenames.zeek
+++ b/scripts/policy/frameworks/intel/seen/smb-filenames.zeek
@ -14,10 +14,10 @@ event file_new(f: fa_file) &group="Intel::FILE_NAME"
            {
            local split_fname = split_string(c$smb_state$current_file$name, /\\/);
            local fname = split_fname[|split_fname|-1];
-            Intel::seen([$indicator=fname,
+            Intel::seen(Intel::Seen($indicator=fname,
-                        $indicator_type=Intel::FILE_NAME,
+                                    $indicator_type=Intel::FILE_NAME,
-                        $f=f,
+                                    $f=f,
-                        $where=SMB::IN_FILE_NAME]);
+                                    $where=SMB::IN_FILE_NAME));
            }
        }
    }
--- a/scripts/policy/frameworks/intel/seen/smtp-url-extraction.zeek
+++ b/scripts/policy/frameworks/intel/seen/smtp-url-extraction.zeek
@ -13,10 +13,10 @@ event intel_mime_data(f: fa_file, data: string) &group="Intel::URL"
 		local urls = find_all_urls_without_scheme(data);
 		for ( url in urls )
 			{
-			Intel::seen([$indicator=url,
+			Intel::seen(Intel::Seen($indicator=url,
-			             $indicator_type=Intel::URL,
+			                        $indicator_type=Intel::URL,
-			             $conn=c,
+			                        $conn=c,
-			             $where=SMTP::IN_MESSAGE]);
+			                        $where=SMTP::IN_MESSAGE));
 			}
 		}
 	}
@ -24,5 +24,5 @@ event intel_mime_data(f: fa_file, data: string) &group="Intel::URL"
 event file_new(f: fa_file) &group="Intel::URL"
 	{
 	if ( f$source == "SMTP" )
-		Files::add_analyzer(f, Files::ANALYZER_DATA_EVENT, [$stream_event=intel_mime_data]);
+		Files::add_analyzer(f, Files::ANALYZER_DATA_EVENT, Files::AnalyzerArgs($stream_event=intel_mime_data));
 	}
--- a/scripts/policy/frameworks/intel/seen/smtp.zeek
+++ b/scripts/policy/frameworks/intel/seen/smtp.zeek
@ -12,16 +12,16 @@ event mime_end_entity(c: connection) &group="Intel::ADDR"
 			local path = c$smtp$path;
 			for ( i in path )
 				{
-				Intel::seen([$host=path[i],
+				Intel::seen(Intel::Seen($host=path[i],
-				             $conn=c,
+				                        $conn=c,
-				             $where=SMTP::IN_RECEIVED_HEADER]);
+				                        $where=SMTP::IN_RECEIVED_HEADER));
 				}
 			}
 		if ( c$smtp?$x_originating_ip )
-			Intel::seen([$host=c$smtp$x_originating_ip,
+			Intel::seen(Intel::Seen($host=c$smtp$x_originating_ip,
-			             $conn=c,
+			                        $conn=c,
-			             $where=SMTP::IN_X_ORIGINATING_IP_HEADER]);
+			                        $where=SMTP::IN_X_ORIGINATING_IP_HEADER));
 		}
 	}
@ -30,10 +30,10 @@ event mime_end_entity(c: connection) &group="Intel::SOFTWARE"
 	if ( c?$smtp )
 		{
 		if ( c$smtp?$user_agent )
-			Intel::seen([$indicator=c$smtp$user_agent,
+			Intel::seen(Intel::Seen($indicator=c$smtp$user_agent,
-			             $indicator_type=Intel::SOFTWARE,
+			                        $indicator_type=Intel::SOFTWARE,
-			             $conn=c,
+			                        $conn=c,
-			             $where=SMTP::IN_HEADER]);
+			                        $where=SMTP::IN_HEADER));
 		}
 	}
@ -43,20 +43,20 @@ event mime_end_entity(c: connection) &group="Intel::EMAIL"
 		{
 		if ( c$smtp?$mailfrom )
 			{
-			Intel::seen([$indicator=c$smtp$mailfrom,
+			Intel::seen(Intel::Seen($indicator=c$smtp$mailfrom,
-			             $indicator_type=Intel::EMAIL,
+			                        $indicator_type=Intel::EMAIL,
-			             $conn=c,
+			                        $conn=c,
-			             $where=SMTP::IN_MAIL_FROM]);
+			                        $where=SMTP::IN_MAIL_FROM ));
 			}
 		if ( c$smtp?$rcptto )
 			{
 			for ( rcptto_addr in c$smtp$rcptto )
 				{
-				Intel::seen([$indicator=rcptto_addr,
+				Intel::seen(Intel::Seen($indicator=rcptto_addr,
-				             $indicator_type=Intel::EMAIL,
+				                        $indicator_type=Intel::EMAIL,
-				             $conn=c,
+				                        $conn=c,
-				             $where=SMTP::IN_RCPT_TO]);
+				                        $where=SMTP::IN_RCPT_TO));
 				}
 			}
@ -64,10 +64,10 @@ event mime_end_entity(c: connection) &group="Intel::EMAIL"
 			{
 			for ( from_addr in extract_email_addrs_set(c$smtp$from) )
 				{
-				Intel::seen([$indicator=from_addr,
+				Intel::seen(Intel::Seen($indicator=from_addr,
-				             $indicator_type=Intel::EMAIL,
+				                        $indicator_type=Intel::EMAIL,
-				             $conn=c,
+				                        $conn=c,
-				             $where=SMTP::IN_FROM]);
+				                        $where=SMTP::IN_FROM));
 				}
 			}
@ -75,10 +75,10 @@ event mime_end_entity(c: connection) &group="Intel::EMAIL"
 			{
 			for ( email_to_addr in c$smtp$to )
 				{
-				Intel::seen([$indicator=extract_first_email_addr(email_to_addr),
+				Intel::seen(Intel::Seen($indicator=extract_first_email_addr(email_to_addr),
-				             $indicator_type=Intel::EMAIL,
+				                        $indicator_type=Intel::EMAIL,
-				             $conn=c,
+				                        $conn=c,
-				             $where=SMTP::IN_TO]);
+				                        $where=SMTP::IN_TO));
 				}
 			}
@ -86,19 +86,19 @@ event mime_end_entity(c: connection) &group="Intel::EMAIL"
 			{
 			for ( cc_addr in c$smtp$cc )
 				{
-				Intel::seen([$indicator=cc_addr,
+				Intel::seen(Intel::Seen($indicator=cc_addr,
-				             $indicator_type=Intel::EMAIL,
+				                        $indicator_type=Intel::EMAIL,
-				             $conn=c,
+				                        $conn=c,
-				             $where=SMTP::IN_CC]);
+				                        $where=SMTP::IN_CC));
 				}
 			}
 		if ( c$smtp?$reply_to )
 			{
-			Intel::seen([$indicator=c$smtp$reply_to,
+			Intel::seen(Intel::Seen($indicator=c$smtp$reply_to,
-			             $indicator_type=Intel::EMAIL,
+			                        $indicator_type=Intel::EMAIL,
-			             $conn=c,
+			                        $conn=c,
-			             $where=SMTP::IN_REPLY_TO]);
+			                        $where=SMTP::IN_REPLY_TO));
 			}
 		}
 	}
--- a/scripts/policy/frameworks/intel/seen/ssl.zeek
+++ b/scripts/policy/frameworks/intel/seen/ssl.zeek
@ -5,10 +5,10 @@
 event ssl_extension_server_name(c: connection, is_orig: bool, names: string_vec) &group="Intel::DOMAIN"
 	{
 	if ( is_orig && c?$ssl && c$ssl?$server_name )
-		Intel::seen([$indicator=c$ssl$server_name,
+		Intel::seen(Intel::Seen($indicator=c$ssl$server_name,
-		             $indicator_type=Intel::DOMAIN,
+		                        $indicator_type=Intel::DOMAIN,
-		             $conn=c,
+		                        $conn=c,
-		             $where=SSL::IN_SERVER_NAME]);
+		                        $where=SSL::IN_SERVER_NAME));
 	}
 event ssl_established(c: connection) &group="Intel::DOMAIN"
@ -18,9 +18,9 @@ event ssl_established(c: connection) &group="Intel::DOMAIN"
 		return;
 	if ( c$ssl$cert_chain[0]$x509?$certificate && c$ssl$cert_chain[0]$x509$certificate?$cn )
-		Intel::seen([$indicator=c$ssl$cert_chain[0]$x509$certificate$cn,
+		Intel::seen(Intel::Seen($indicator=c$ssl$cert_chain[0]$x509$certificate$cn,
 			$indicator_type=Intel::DOMAIN,
 			$fuid=c$ssl$cert_chain[0]$fuid,
 			$conn=c,
-			$where=X509::IN_CERT]);
+			$where=X509::IN_CERT));
 	}
--- a/scripts/policy/frameworks/intel/seen/x509.zeek
+++ b/scripts/policy/frameworks/intel/seen/x509.zeek
@ -5,8 +5,8 @@
 module Intel;
 export {
-        ## Enables the extraction of subject alternate names from the X509 SAN DNS field
+	## Enables the extraction of subject alternate names from the X509 SAN DNS field
-        option enable_x509_ext_subject_alternative_name = T;
+	option enable_x509_ext_subject_alternative_name = T;
 }
 event x509_ext_subject_alternative_name(f: fa_file, ext: X509::SubjectAlternativeName) &group="Intel::DOMAIN"
@ -14,10 +14,10 @@ event x509_ext_subject_alternative_name(f: fa_file, ext: X509::SubjectAlternativ
 	if ( enable_x509_ext_subject_alternative_name && ext?$dns )
 		{
 		for ( i in ext$dns )
-			Intel::seen([$indicator=ext$dns[i],
+			Intel::seen(Intel::Seen($indicator=ext$dns[i],
 				$indicator_type=Intel::DOMAIN,
 				$f=f,
-				$where=X509::IN_CERT]);
+				$where=X509::IN_CERT));
 		}
 	}
@ -27,10 +27,10 @@ event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certifi
 		{
 		local email = sub(cert$subject, /^.*emailAddress=/, "");
 		email = sub(email, /,.*$/, "");
-		Intel::seen([$indicator=email,
+		Intel::seen(Intel::Seen($indicator=email,
-			     $indicator_type=Intel::EMAIL,
+		                        $indicator_type=Intel::EMAIL,
-			     $f=f,
+		                        $f=f,
-			     $where=X509::IN_CERT]);
+		                        $where=X509::IN_CERT));
 		}
 	}
@ -38,10 +38,10 @@ event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certifi
 	{
 	if ( f$info?$sha1 ) # if the file_hash event was raised before the x509 event...
 		{
-		Intel::seen([$indicator=f$info$sha1,
+		Intel::seen(Intel::Seen($indicator=f$info$sha1,
-		             $indicator_type=Intel::CERT_HASH,
+		                        $indicator_type=Intel::CERT_HASH,
-		             $f=f,
+		                        $f=f,
-		             $where=X509::IN_CERT]);
+		                        $where=X509::IN_CERT));
 		}
 	}
@ -50,8 +50,8 @@ event file_hash(f: fa_file, kind: string, hash: string) &group="Intel::CERT_HASH
 	if ( ! f?$info || ! f$info?$x509 || kind != "sha1" )
 		return;
-	Intel::seen([$indicator=hash,
+	Intel::seen(Intel::Seen($indicator=hash,
-	             $indicator_type=Intel::CERT_HASH,
+	                        $indicator_type=Intel::CERT_HASH,
-	             $f=f,
+	                        $f=f,
-	             $where=X509::IN_CERT]);
+	                        $where=X509::IN_CERT));
 	}
--- a/scripts/policy/frameworks/management/log.zeek
+++ b/scripts/policy/frameworks/management/log.zeek
@ -88,8 +88,8 @@ function debug(message: string)
 		return;
 	local node = Supervisor::node();
-	Log::write(LOG, [$ts=network_time(), $node=node$name, $level=l2s[DEBUG],
+	Log::write(LOG, Info($ts=network_time(), $node=node$name, $level=l2s[DEBUG],
-			 $role=r2s[Management::role], $message=message]);
+	                     $role=r2s[Management::role], $message=message));
 	}
 function info(message: string)
@ -98,8 +98,8 @@ function info(message: string)
 		return;
 	local node = Supervisor::node();
-	Log::write(LOG, [$ts=network_time(), $node=node$name, $level=l2s[INFO],
+	Log::write(LOG, Info($ts=network_time(), $node=node$name, $level=l2s[INFO],
-			 $role=r2s[Management::role], $message=message]);
+	                     $role=r2s[Management::role], $message=message));
 	}
 function warning(message: string)
@ -108,8 +108,8 @@ function warning(message: string)
 		return;
 	local node = Supervisor::node();
-	Log::write(LOG, [$ts=network_time(), $node=node$name, $level=l2s[WARNING],
+	Log::write(LOG, Info($ts=network_time(), $node=node$name, $level=l2s[WARNING],
-			 $role=r2s[Management::role], $message=message]);
+	                     $role=r2s[Management::role], $message=message));
 	}
 function error(message: string)
@ -118,8 +118,8 @@ function error(message: string)
 		return;
 	local node = Supervisor::node();
-	Log::write(LOG, [$ts=network_time(), $node=node$name, $level=l2s[ERROR],
+	Log::write(LOG, Info($ts=network_time(), $node=node$name, $level=l2s[ERROR],
-			 $role=r2s[Management::role], $message=message]);
+	                     $role=r2s[Management::role], $message=message));
 	}
 # Bump priority to ensure the log stream exists when other zeek_init handlers use it.
--- a/scripts/policy/frameworks/management/supervisor/main.zeek
+++ b/scripts/policy/frameworks/management/supervisor/main.zeek
@ -29,8 +29,8 @@ global g_outputs: table[string] of NodeOutputStreams;
 function make_node_output_streams(node: string): NodeOutputStreams
 	{
-	local stdout = Queue::init([$max_len = Management::Supervisor::output_max_lines]);
+	local stdout = Queue::init(Queue::Settings($max_len = Management::Supervisor::output_max_lines));
-	local stderr = Queue::init([$max_len = Management::Supervisor::output_max_lines]);
+	local stderr = Queue::init(Queue::Settings($max_len = Management::Supervisor::output_max_lines));
 	local res = NodeOutputStreams($stdout=stdout, $stderr=stderr);
 	local status = Supervisor::status(node);
--- a/scripts/policy/frameworks/netcontrol/catch-and-release.zeek
+++ b/scripts/policy/frameworks/netcontrol/catch-and-release.zeek
@ -168,7 +168,7 @@ global catch_release_recently_notified: set[addr] &create_expire=30secs;
 event zeek_init() &priority=5
 	{
-	Log::create_stream(NetControl::CATCH_RELEASE, [$columns=CatchReleaseInfo, $ev=log_netcontrol_catch_release, $path="netcontrol_catch_release", $policy=log_policy_catch_release]);
+	Log::create_stream(NetControl::CATCH_RELEASE, Log::Stream($columns=CatchReleaseInfo, $ev=log_netcontrol_catch_release, $path="netcontrol_catch_release", $policy=log_policy_catch_release));
 	}
 function get_watch_interval(current_interval: count): interval
--- a/scripts/policy/frameworks/packet-filter/shunt.zeek
+++ b/scripts/policy/frameworks/packet-filter/shunt.zeek
@ -78,9 +78,9 @@ function shunt_filters()
 event zeek_init() &priority=5
 	{
-	register_filter_plugin([
+	register_filter_plugin(FilterPlugin(
 		$func()={ return shunt_filters(); }
-		]);
+		));
 	}
 function current_shunted_conns(): set[conn_id]
@ -97,8 +97,8 @@ function reached_max_shunts(): bool
 	{
 	if ( |shunted_conns| + |shunted_host_pairs| > max_bpf_shunts )
 		{
-		NOTICE([$note=No_More_Conn_Shunts_Available,
+		NOTICE(Notice::Info($note=No_More_Conn_Shunts_Available,
-		        $msg=fmt("%d BPF shunts are in place and no more will be added until space clears.", max_bpf_shunts)]);
+		                    $msg=fmt("%d BPF shunts are in place and no more will be added until space clears.", max_bpf_shunts)));
 		return T;
 		}
 	else
@ -145,10 +145,10 @@ function shunt_conn(id: conn_id): bool
 	{
 	if ( is_v6_addr(id$orig_h) )
 		{
-		NOTICE([$note=Cannot_BPF_Shunt_Conn,
+		NOTICE(Notice::Info($note=Cannot_BPF_Shunt_Conn,
-		        $msg="IPv6 connections can't be shunted with BPF due to limitations in BPF",
+		                    $msg="IPv6 connections can't be shunted with BPF due to limitations in BPF",
-		        $sub="ipv6_conn",
+		                    $sub="ipv6_conn",
-		        $id=id, $identifier=cat(id)]);
+		                    $id=id, $identifier=cat(id)));
 		return F;
 		}
--- a/scripts/policy/frameworks/software/version-changes.zeek
+++ b/scripts/policy/frameworks/software/version-changes.zeek
@ -30,8 +30,8 @@ event Software::version_change(old: Software::Info, new: Software::Info)
 	local msg = fmt("%.6f %s '%s' version changed from %s to %s",
 	                network_time(), old$software_type, old$name,
 	                software_fmt_version(old$version),
-                	software_fmt_version(new$version));
+	                software_fmt_version(new$version));
-	NOTICE([$note=Software_Version_Change, $src=new$host,
+	NOTICE(Notice::Info($note=Software_Version_Change, $src=new$host,
-	        $msg=msg, $sub=software_fmt(new)]);
+	                    $msg=msg, $sub=software_fmt(new)));
 	}
--- a/Show more
+++ b/Show more