diff --git a/scripts/base/frameworks/control/main.bro b/scripts/base/frameworks/control/main.bro index 22422eb51d..f82a157036 100644 --- a/scripts/base/frameworks/control/main.bro +++ b/scripts/base/frameworks/control/main.bro @@ -49,8 +49,6 @@ export { ## Variable IDs that are to be ignored by the update process. const ignore_ids: set[string] = { - # FIXME: Bro crashes if it tries to send this ID. - "Log::rotation_control", }; ## Event for requesting the value of an ID (a variable). diff --git a/scripts/base/frameworks/logging/main.bro b/scripts/base/frameworks/logging/main.bro index 2e9b1040ca..64548af848 100644 --- a/scripts/base/frameworks/logging/main.bro +++ b/scripts/base/frameworks/logging/main.bro @@ -32,8 +32,10 @@ export { ## to derive a name. ## ## id: The log stream. - ## path: A suggested path value, which may be either the filter's ``path`` - ## if defined or a fall-back generated internally. + ## path: A suggested path value, which may be either the filter's + ## ``path`` if defined, else a previous result from the function. + ## If no ``path`` is defined for the filter, then the first call + ## to the function will contain an empty string. ## rec: An instance of the streams's ``columns`` type with its ## fields set to the values to logged. ## @@ -65,20 +67,6 @@ export { ## table are initialized by each writer type. const default_rotation_postprocessors: table[Writer] of function(info: RotationInfo) : bool &redef; - ## Type for controlling file rotation. - type RotationControl: record { - ## Rotation interval. - interv: interval &default=default_rotation_interval; - ## Callback function to trigger for rotated files. If not set, the default - ## comes out of default_rotation_postprocessors. - postprocessor: function(info: RotationInfo) : bool &optional; - }; - - ## Specifies rotation parameters per ``(id, path)`` tuple. - ## If a pair is not found in this table, default values defined in - ## ``RotationControl`` are used. - const rotation_control: table[Writer, string] of RotationControl &default=[] &redef; - ## Filter customizing logging. type Filter: record { ## Descriptive name to reference this filter. @@ -114,8 +102,10 @@ export { ## connection ... ## ## id: The log stream. - ## path: A suggested path value, which may be either the filter's ``path`` - ## if defined or a fall-back generated internally. + ## path: A suggested path value, which may be either the filter's + ## ``path`` if defined, else a previous result from the function. + ## If no ``path`` is defined for the filter, then the first call + ## to the function will contain an empty string. ## rec: An instance of the streams's ``columns`` type with its ## fields set to the values to logged. ## @@ -136,10 +126,12 @@ export { ## If true, entries are passed on to remote peers. log_remote: bool &default=enable_remote_logging; - ## If set, the rotation control value is automatically added to - ## :bro:id:`Log::rotation_control` for the filter's (writer, path) - ## when adding the filter to a stream via :bro:id:`Log::add_filter` - rotation: RotationControl &optional; + ## Rotation interval. + interv: interval &default=default_rotation_interval; + + ## Callback function to trigger for rotated files. If not set, + ## the default comes out of default_rotation_postprocessors. + postprocessor: function(info: RotationInfo) : bool &optional; }; ## Sentinel value for indicating that a filter was not found when looked up. @@ -182,10 +174,9 @@ function default_path_func(id: ID, path: string, rec: any) : string local parts = split1(id_str, /::/); if ( |parts| == 2 ) { - # TODO: the core shouldn't be suggesting paths anymore. Only - # statically defined paths should be sent into here. This - # is only to cope with the core generated paths. - if ( to_lower(parts[2]) != path ) + # The suggested path value is a previous result of this function + # or a filter path explicitly set by the user, so continue using it + if ( path != "" ) return path; # Example: Notice::LOG -> "notice" diff --git a/scripts/base/frameworks/notice/main.bro b/scripts/base/frameworks/notice/main.bro index b095e92cbf..92e0e0bea1 100644 --- a/scripts/base/frameworks/notice/main.bro +++ b/scripts/base/frameworks/notice/main.bro @@ -215,18 +215,6 @@ function log_mailing_postprocessor(info: Log::RotationInfo): bool return T; } -# This extra export section here is just because this redefinition should -# be documented as part of the "public API" of this script, but the redef -# needs to occur after the postprocessor function implementation. -export { - ## By default, an ASCII version of the the alarm log is emailed daily to any - ## configured :bro:id:`Notice::mail_dest` if not operating on trace files. - redef Log::rotation_control += { - [Log::WRITER_ASCII, "alarm-mail"] = - [$interv=24hrs, $postprocessor=log_mailing_postprocessor] - }; -} - event bro_init() &priority=5 { Log::create_stream(Notice::LOG, [$columns=Info, $ev=log_notice]); @@ -237,9 +225,9 @@ event bro_init() &priority=5 # Make sure that this alarm log is also output as text so that it can # be packaged up and emailed later. if ( ! reading_traces() && mail_dest != "" ) - Log::add_filter(Notice::ALARM_LOG, [$name="alarm-mail", - $path="alarm-mail", - $writer=Log::WRITER_ASCII]); + Log::add_filter(Notice::ALARM_LOG, + [$name="alarm-mail", $path="alarm-mail", $writer=Log::WRITER_ASCII, + $interv=24hrs, $postprocessor=log_mailing_postprocessor]); } # TODO: fix this. diff --git a/src/LogMgr.cc b/src/LogMgr.cc index ecf7a43cb6..0a5638f074 100644 --- a/src/LogMgr.cc +++ b/src/LogMgr.cc @@ -36,6 +36,8 @@ struct LogMgr::Filter { EnumVal* writer; bool local; bool remote; + double interval; + Func* postprocessor; int num_fields; LogField** fields; @@ -52,7 +54,9 @@ struct LogMgr::WriterInfo { EnumVal* type; double open_time; Timer* rotation_timer; - LogWriter *writer; + double interval; + Func* postprocessor; + LogWriter* writer; }; struct LogMgr::Stream { @@ -382,17 +386,6 @@ bool LogVal::Write(SerializationFormat* fmt) const LogMgr::Filter::~Filter() { - // If there's a rotation control table entry associated with this - // filter's (writer, path), remove it - TableVal* rc = BifConst::Log::rotation_control->AsTableVal(); - - ListVal* index = new ListVal(TYPE_ANY); - index->Append(writer->Ref()); - index->Append(path_val->Ref()); - - Unref(rc->Delete(index)); - Unref(index); - for ( int i = 0; i < num_fields; ++i ) delete fields[i]; @@ -743,6 +736,8 @@ bool LogMgr::AddFilter(EnumVal* id, RecordVal* fval) Val* path_func = fval->LookupWithDefault(rtype->FieldOffset("path_func")); Val* log_local = fval->LookupWithDefault(rtype->FieldOffset("log_local")); Val* log_remote = fval->LookupWithDefault(rtype->FieldOffset("log_remote")); + Val* interv = fval->LookupWithDefault(rtype->FieldOffset("interv")); + Val* postprocessor = fval->LookupWithDefault(rtype->FieldOffset("postprocessor")); Filter* filter = new Filter; filter->name = name->AsString()->CheckString(); @@ -752,12 +747,16 @@ bool LogMgr::AddFilter(EnumVal* id, RecordVal* fval) filter->writer = writer->Ref()->AsEnumVal(); filter->local = log_local->AsBool(); filter->remote = log_remote->AsBool(); + filter->interval = interv->AsInterval(); + filter->postprocessor = postprocessor ? postprocessor->AsFunc() : 0; Unref(name); Unref(pred); Unref(path_func); Unref(log_local); Unref(log_remote); + Unref(interv); + Unref(postprocessor); // Build the list of fields that the filter wants included, including // potentially rolling out fields. @@ -783,40 +782,14 @@ bool LogMgr::AddFilter(EnumVal* id, RecordVal* fval) else { - // If no path is given, use the Stream ID as the default but - // strip the namespace. - const char* s = stream->name.c_str(); - const char* e = s + strlen(s); - - const char* t = strstr(s, "::"); - if ( t ) - s = t + 2; - - string path(s, e); - std::transform(path.begin(), path.end(), path.begin(), ::tolower); - - filter->path = path; - filter->path_val = new StringVal(path.c_str()); + // If no path is given, it's derived based upon the value returned by + // the first call to the filter's path_func (during first write) + filter->path_val = 0; } // Remove any filter with the same name we might already have. RemoveFilter(id, filter->name); - // Install the rotation support, if given - Val* rot_val = fval->Lookup(rtype->FieldOffset("rotation")); - if ( rot_val ) - { - TableVal* rc = BifConst::Log::rotation_control->AsTableVal(); - - ListVal* index = new ListVal(TYPE_ANY); - index->Append(filter->writer->Ref()); - index->Append(filter->path_val->Ref()); - - rc->Assign(index, rot_val->Ref()); - - Unref(index); - } - // Add the new one. stream->filters.push_back(filter); @@ -927,7 +900,12 @@ bool LogMgr::Write(EnumVal* id, RecordVal* columns) { val_list vl(3); vl.append(id->Ref()); - vl.append(filter->path_val->Ref()); + Val* path_arg; + if ( filter->path_val ) + path_arg = filter->path_val; + else + path_arg = new StringVal(""); + vl.append(path_arg->Ref()); vl.append(columns->Ref()); Val* v = filter->path_func->Call(&vl); @@ -938,6 +916,13 @@ bool LogMgr::Write(EnumVal* id, RecordVal* columns) return false; } + if ( ! filter->path_val ) + { + Unref(path_arg); + filter->path = v->AsString()->CheckString(); + filter->path_val = v->Ref(); + } + path = v->AsString()->CheckString(); Unref(v); @@ -1264,6 +1249,24 @@ LogWriter* LogMgr::CreateWriter(EnumVal* id, EnumVal* writer, string path, winfo->writer = writer_obj; winfo->open_time = network_time; winfo->rotation_timer = 0; + winfo->interval = 0; + winfo->postprocessor = 0; + + // search for a corresponding filter for the writer/path pair and use its + // rotation settings + list::const_iterator it; + for ( it = stream->filters.begin(); it != stream->filters.end(); ++it ) + { + Filter* f = *it; + if ( f->writer->AsEnum() == writer->AsEnum() && + f->path == winfo->writer->Path() ) + { + winfo->interval = f->interval; + winfo->postprocessor = f->postprocessor; + break; + } + } + InstallRotationTimer(winfo); stream->writers.insert( @@ -1441,22 +1444,6 @@ void RotationTimer::Dispatch(double t, int is_expire) } } -RecordVal* LogMgr::LookupRotationControl(EnumVal* writer, string path) - { - TableVal* rc = BifConst::Log::rotation_control->AsTableVal(); - - ListVal* index = new ListVal(TYPE_ANY); - index->Append(writer->Ref()); - index->Append(new StringVal(path.c_str())); - - Val* r = rc->Lookup(index); - assert(r); - - Unref(index); - - return r->AsRecordVal(); - } - void LogMgr::InstallRotationTimer(WriterInfo* winfo) { if ( terminating ) @@ -1468,13 +1455,7 @@ void LogMgr::InstallRotationTimer(WriterInfo* winfo) winfo->rotation_timer = 0; } - RecordVal* rc = - LookupRotationControl(winfo->type, winfo->writer->Path()); - - assert(rc); - - int idx = rc->Type()->AsRecordType()->FieldOffset("interv"); - double rotation_interval = rc->LookupWithDefault(idx)->AsInterval(); + double rotation_interval = winfo->interval; if ( rotation_interval ) { @@ -1535,11 +1516,6 @@ bool LogMgr::FinishedRotation(LogWriter* writer, string new_name, string old_nam if ( ! winfo ) return true; - RecordVal* rc = - LookupRotationControl(winfo->type, winfo->writer->Path()); - - assert(rc); - // Create the RotationInfo record. RecordVal* info = new RecordVal(BifType::Record::Log::RotationInfo); info->Assign(0, winfo->type->Ref()); @@ -1549,15 +1525,12 @@ bool LogMgr::FinishedRotation(LogWriter* writer, string new_name, string old_nam info->Assign(4, new Val(close, TYPE_TIME)); info->Assign(5, new Val(terminating, TYPE_BOOL)); - int idx = rc->Type()->AsRecordType()->FieldOffset("postprocessor"); - assert(idx >= 0); - - Val* func = rc->Lookup(idx); + Func* func = winfo->postprocessor; if ( ! func ) { ID* id = global_scope()->Lookup("Log::__default_rotation_postprocessor"); assert(id); - func = id->ID_Val(); + func = id->ID_Val()->AsFunc(); } assert(func); @@ -1565,7 +1538,10 @@ bool LogMgr::FinishedRotation(LogWriter* writer, string new_name, string old_nam // Call the postprocessor function. val_list vl(1); vl.append(info); - Val* v = func->AsFunc()->Call(&vl); + ODesc d; + func->Describe(&d); + fprintf(stderr, "%s\n", d.Description()); + Val* v = func->Call(&vl); int result = v->AsBool(); Unref(v); return result; diff --git a/src/LogMgr.h b/src/LogMgr.h index 033a6ba3fd..10530960cb 100644 --- a/src/LogMgr.h +++ b/src/LogMgr.h @@ -129,7 +129,6 @@ private: void RemoveDisabledWriters(Stream* stream); void InstallRotationTimer(WriterInfo* winfo); void Rotate(WriterInfo* info); - RecordVal* LookupRotationControl(EnumVal* writer, string path); Filter* FindFilter(EnumVal* id, StringVal* filter); WriterInfo* FindWriter(LogWriter* writer); diff --git a/src/logging.bif b/src/logging.bif index 0e48633d5a..501eb899d9 100644 --- a/src/logging.bif +++ b/src/logging.bif @@ -10,9 +10,6 @@ module Log; type Filter: record; type Stream: record; type RotationInfo: record; -type RotationControl: record; - -const Log::rotation_control: RotationControl; function Log::__create_stream%(id: Log::ID, stream: Log::Stream%) : bool %{ diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.filter-remove-rotation/out b/testing/btest/Baseline/scripts.base.frameworks.logging.filter-remove-rotation/out deleted file mode 100644 index f07e999e38..0000000000 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.filter-remove-rotation/out +++ /dev/null @@ -1,10 +0,0 @@ -{ -[WRITER_ASCII, test2] = [interv=30.0 mins, postprocessor=Test::custom_rotate -{ -print custom rotate, Test::info; -return (T); -}] -} -{ - -} diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.rotate-in-filter/out b/testing/btest/Baseline/scripts.base.frameworks.logging.rotate-in-filter/out deleted file mode 100644 index 18bd12d88f..0000000000 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.rotate-in-filter/out +++ /dev/null @@ -1,83 +0,0 @@ -1st test.2011-03-07-03-00-05.log test 11-03-07_03.00.05 11-03-07_04.00.05 0 -1st test.2011-03-07-04-00-05.log test 11-03-07_04.00.05 11-03-07_05.00.05 0 -1st test.2011-03-07-05-00-05.log test 11-03-07_05.00.05 11-03-07_06.00.05 0 -1st test.2011-03-07-06-00-05.log test 11-03-07_06.00.05 11-03-07_07.00.05 0 -1st test.2011-03-07-07-00-05.log test 11-03-07_07.00.05 11-03-07_08.00.05 0 -1st test.2011-03-07-08-00-05.log test 11-03-07_08.00.05 11-03-07_09.00.05 0 -1st test.2011-03-07-09-00-05.log test 11-03-07_09.00.05 11-03-07_10.00.05 0 -1st test.2011-03-07-10-00-05.log test 11-03-07_10.00.05 11-03-07_11.00.05 0 -1st test.2011-03-07-11-00-05.log test 11-03-07_11.00.05 11-03-07_12.00.05 0 -1st test.2011-03-07-12-00-05.log test 11-03-07_12.00.05 11-03-07_12.59.55 1 -custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_03.00.05.log, path=test2, open=1299466805.0, close=1299470395.0, terminating=F] -custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_03.59.55.log, path=test2, open=1299470395.0, close=1299470405.0, terminating=F] -custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_04.00.05.log, path=test2, open=1299470405.0, close=1299473995.0, terminating=F] -custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_04.59.55.log, path=test2, open=1299473995.0, close=1299474005.0, terminating=F] -custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_05.00.05.log, path=test2, open=1299474005.0, close=1299477595.0, terminating=F] -custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_05.59.55.log, path=test2, open=1299477595.0, close=1299477605.0, terminating=F] -custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_06.00.05.log, path=test2, open=1299477605.0, close=1299481195.0, terminating=F] -custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_06.59.55.log, path=test2, open=1299481195.0, close=1299481205.0, terminating=F] -custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_07.00.05.log, path=test2, open=1299481205.0, close=1299484795.0, terminating=F] -custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_07.59.55.log, path=test2, open=1299484795.0, close=1299484805.0, terminating=F] -custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_08.00.05.log, path=test2, open=1299484805.0, close=1299488395.0, terminating=F] -custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_08.59.55.log, path=test2, open=1299488395.0, close=1299488405.0, terminating=F] -custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_09.00.05.log, path=test2, open=1299488405.0, close=1299491995.0, terminating=F] -custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_09.59.55.log, path=test2, open=1299491995.0, close=1299492005.0, terminating=F] -custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_10.00.05.log, path=test2, open=1299492005.0, close=1299495595.0, terminating=F] -custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_10.59.55.log, path=test2, open=1299495595.0, close=1299495605.0, terminating=F] -custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_11.00.05.log, path=test2, open=1299495605.0, close=1299499195.0, terminating=F] -custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_11.59.55.log, path=test2, open=1299499195.0, close=1299499205.0, terminating=F] -custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_12.00.05.log, path=test2, open=1299499205.0, close=1299502795.0, terminating=F] -custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_12.59.55.log, path=test2, open=1299502795.0, close=1299502795.0, terminating=T] -# t id.orig_h id.orig_p id.resp_h id.resp_p -1299466805.000000 10.0.0.1 20 10.0.0.2 1024 -1299470395.000000 10.0.0.2 20 10.0.0.3 0 -1299470405.000000 10.0.0.1 20 10.0.0.2 1025 -1299473995.000000 10.0.0.2 20 10.0.0.3 1 -1299474005.000000 10.0.0.1 20 10.0.0.2 1026 -1299477595.000000 10.0.0.2 20 10.0.0.3 2 -1299477605.000000 10.0.0.1 20 10.0.0.2 1027 -1299481195.000000 10.0.0.2 20 10.0.0.3 3 -1299481205.000000 10.0.0.1 20 10.0.0.2 1028 -1299484795.000000 10.0.0.2 20 10.0.0.3 4 -1299484805.000000 10.0.0.1 20 10.0.0.2 1029 -1299488395.000000 10.0.0.2 20 10.0.0.3 5 -1299488405.000000 10.0.0.1 20 10.0.0.2 1030 -1299491995.000000 10.0.0.2 20 10.0.0.3 6 -1299492005.000000 10.0.0.1 20 10.0.0.2 1031 -1299495595.000000 10.0.0.2 20 10.0.0.3 7 -1299495605.000000 10.0.0.1 20 10.0.0.2 1032 -1299499195.000000 10.0.0.2 20 10.0.0.3 8 -1299499205.000000 10.0.0.1 20 10.0.0.2 1033 -1299502795.000000 10.0.0.2 20 10.0.0.3 9 -> test.2011-03-07-03-00-05.log -> test.2011-03-07-04-00-05.log -> test.2011-03-07-05-00-05.log -> test.2011-03-07-06-00-05.log -> test.2011-03-07-07-00-05.log -> test.2011-03-07-08-00-05.log -> test.2011-03-07-09-00-05.log -> test.2011-03-07-10-00-05.log -> test.2011-03-07-11-00-05.log -> test.2011-03-07-12-00-05.log -> test.log -> test2-11-03-07_03.00.05.log -> test2-11-03-07_03.59.55.log -> test2-11-03-07_04.00.05.log -> test2-11-03-07_04.59.55.log -> test2-11-03-07_05.00.05.log -> test2-11-03-07_05.59.55.log -> test2-11-03-07_06.00.05.log -> test2-11-03-07_06.59.55.log -> test2-11-03-07_07.00.05.log -> test2-11-03-07_07.59.55.log -> test2-11-03-07_08.00.05.log -> test2-11-03-07_08.59.55.log -> test2-11-03-07_09.00.05.log -> test2-11-03-07_09.59.55.log -> test2-11-03-07_10.00.05.log -> test2-11-03-07_10.59.55.log -> test2-11-03-07_11.00.05.log -> test2-11-03-07_11.59.55.log -> test2-11-03-07_12.00.05.log -> test2-11-03-07_12.59.55.log -> test2.log diff --git a/testing/btest/scripts/base/frameworks/logging/filter-remove-rotation.bro b/testing/btest/scripts/base/frameworks/logging/filter-remove-rotation.bro deleted file mode 100644 index bb89116084..0000000000 --- a/testing/btest/scripts/base/frameworks/logging/filter-remove-rotation.bro +++ /dev/null @@ -1,30 +0,0 @@ -# @TEST-EXEC: bro -b %INPUT >out -# @TEST-EXEC: btest-diff out - -module Test; - -export { - redef enum Log::ID += { Test }; - - type Info: record { - t: time; - id: conn_id; - } &log; -} - -function custom_rotate(info: Log::RotationInfo) : bool -{ - print "custom rotate", info; - return T; -} - -event bro_init() -{ - Log::create_stream(Test, [$columns=Info]); - Log::add_filter(Test, [$name="2nd", $path="test2", - $rotation=[$interv=30mins, $postprocessor=custom_rotate]]); - print Log::rotation_control; - Log::remove_filter(Test, "2nd"); - # The RotationControl should be removed now - print Log::rotation_control; -} diff --git a/testing/btest/scripts/base/frameworks/logging/rotate-custom.bro b/testing/btest/scripts/base/frameworks/logging/rotate-custom.bro index 55cc4d532e..b89701c72d 100644 --- a/testing/btest/scripts/base/frameworks/logging/rotate-custom.bro +++ b/testing/btest/scripts/base/frameworks/logging/rotate-custom.bro @@ -26,15 +26,10 @@ function custom_rotate(info: Log::RotationInfo) : bool return T; } -redef Log::rotation_control += { - [Log::WRITER_ASCII, "test2"] = [$interv=30mins, $postprocessor=custom_rotate] -}; - event bro_init() { Log::create_stream(Test::LOG, [$columns=Log]); - Log::add_filter(Test::LOG, [$name="2nd", $path="test2"]); - + Log::add_filter(Test::LOG, [$name="2nd", $path="test2", $interv=30mins, $postprocessor=custom_rotate]); } event new_connection(c: connection) diff --git a/testing/btest/scripts/base/frameworks/logging/rotate-in-filter.bro b/testing/btest/scripts/base/frameworks/logging/rotate-in-filter.bro deleted file mode 100644 index e1a27d0b0e..0000000000 --- a/testing/btest/scripts/base/frameworks/logging/rotate-in-filter.bro +++ /dev/null @@ -1,39 +0,0 @@ -# -# @TEST-EXEC: bro -b -r %DIR/rotation.trace %INPUT 2>&1 | egrep "test|test2" | sort >out -# @TEST-EXEC: for i in `ls test*.log | sort`; do printf '> %s\n' $i; cat $i; done | sort | uniq >>out -# @TEST-EXEC: btest-diff out - -module Test; - -export { - # Create a new ID for our log stream - redef enum Log::ID += { Test }; - - # Define a record with all the columns the log file can have. - # (I'm using a subset of fields from ssh-ext for demonstration.) - type Log: record { - t: time; - id: conn_id; # Will be rolled out into individual columns. - } &log; -} - -redef Log::default_rotation_interval = 1hr; -redef Log::default_rotation_postprocessor_cmd = "echo 1st"; - -function custom_rotate(info: Log::RotationInfo) : bool -{ - print "custom rotate", info; - return T; -} - -event bro_init() -{ - Log::create_stream(Test, [$columns=Log]); - Log::add_filter(Test, [$name="2nd", $path="test2", - $rotation=[$interv=30mins, $postprocessor=custom_rotate]]); -} - -event new_connection(c: connection) - { - Log::write(Test, [$t=network_time(), $id=c$id]); - }