Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
zeek/testing/btest/scripts/base/frameworks/logging/remove.zeek
Christian Kreibich 4ce3bf3cd2 Remove deprecated log filter predicates for 4.1 
Update the logging framework tests: since hooks operate
by name, they cannot be anonymous. I'm also dropping the &optional
attribute from the status field, since here know that the values are
actually defined, and access to an optional status field should
normally be guarded by the existence test operator.

Also includes baseline update for plugins.hooks, which picks up the
fact that the pred record field is now gone.
2021-01-27 10:52:40 -07:00

50 lines
1.4 KiB
Text
Raw Blame History

#
# @TEST-EXEC: zeek -b -B logging %INPUT
# @TEST-EXEC: btest-diff ssh.log
# @TEST-EXEC: btest-diff ssh.failure.log
# @TEST-EXEC: btest-diff .stdout
module SSH;
export {
# Create a new ID for our log stream
redef enum Log::ID += { LOG };
# Define a record with all the columns the log file can have.
# (I'm using a subset of fields from ssh-ext for demonstration.)
type Log: record {
t: time;
id: conn_id; # Will be rolled out into individual columns.
status: string;
country: string &default="unknown";
} &log;
}
hook fail_only(rec: Log, id: Log::ID, filter: Log::Filter)
{
if ( rec$status != "failure" )
break;
}
event zeek_init()
{
Log::create_stream(SSH::LOG, [$columns=Log]);
Log::add_filter(SSH::LOG, [$name="f1", $path="ssh.failure", $policy=fail_only]);
local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
# Log something.
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
print Log::get_filter_names(SSH::LOG);
Log::remove_filter(SSH::LOG, "f1");
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="BR"]);
Log::remove_filter(SSH::LOG, "default");
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
Log::remove_filter(SSH::LOG, "doesn-not-exist");
print Log::get_filter_names(SSH::LOG);
}
Reference in a new issue View git blame Copy permalink