mirror of
https://github.com/zeek/zeek.git
synced 2025-10-09 01:58:20 +00:00
ded98cd373
This is based on commit 2731def9159247e6da8a3191783c89683363689c from the zeek-docs repo.
148 lines
5.4 KiB
ReStructuredText
148 lines
5.4 KiB
ReStructuredText
:tocdepth: 3
|
|
|
|
base/frameworks/analyzer/logging.zeek
|
|
=====================================
|
|
.. zeek:namespace:: Analyzer::Logging
|
|
|
|
Logging analyzer violations into analyzer.log
|
|
|
|
:Namespace: Analyzer::Logging
|
|
:Imports: :doc:`base/frameworks/analyzer/main.zeek </scripts/base/frameworks/analyzer/main.zeek>`, :doc:`base/frameworks/logging </scripts/base/frameworks/logging/index>`
|
|
|
|
Summary
|
|
~~~~~~~
|
|
Runtime Options
|
|
###############
|
|
=========================================================================================== ==============================================================
|
|
:zeek:id:`Analyzer::Logging::failure_data_max_size`: :zeek:type:`count` :zeek:attr:`&redef` If a violation contains information about the data causing it,
|
|
include at most this many bytes of it in the log.
|
|
=========================================================================================== ==============================================================
|
|
|
|
Types
|
|
#####
|
|
========================================================= ===========================================================================
|
|
:zeek:type:`Analyzer::Logging::Info`: :zeek:type:`record` The record type defining the columns to log in the analyzer logging stream.
|
|
========================================================= ===========================================================================
|
|
|
|
Redefinitions
|
|
#############
|
|
======================================= ===========================================
|
|
:zeek:type:`Log::ID`: :zeek:type:`enum` Add the analyzer logging stream identifier.
|
|
|
|
* :zeek:enum:`Analyzer::Logging::LOG`
|
|
======================================= ===========================================
|
|
|
|
Events
|
|
######
|
|
============================================================== ===============================================================================
|
|
:zeek:id:`Analyzer::Logging::log_analyzer`: :zeek:type:`event` An event that can be handled to access the :zeek:type:`Analyzer::Logging::Info`
|
|
record as it is sent on to the logging framework.
|
|
============================================================== ===============================================================================
|
|
|
|
Hooks
|
|
#####
|
|
====================================================================== =============================================
|
|
:zeek:id:`Analyzer::Logging::log_policy`: :zeek:type:`Log::PolicyHook` A default logging policy hook for the stream.
|
|
====================================================================== =============================================
|
|
|
|
|
|
Detailed Interface
|
|
~~~~~~~~~~~~~~~~~~
|
|
Runtime Options
|
|
###############
|
|
.. zeek:id:: Analyzer::Logging::failure_data_max_size
|
|
:source-code: base/frameworks/analyzer/logging.zeek 39 39
|
|
|
|
:Type: :zeek:type:`count`
|
|
:Attributes: :zeek:attr:`&redef`
|
|
:Default: ``40``
|
|
|
|
If a violation contains information about the data causing it,
|
|
include at most this many bytes of it in the log.
|
|
|
|
Types
|
|
#####
|
|
.. zeek:type:: Analyzer::Logging::Info
|
|
:source-code: base/frameworks/analyzer/logging.zeek 13 35
|
|
|
|
:Type: :zeek:type:`record`
|
|
|
|
|
|
.. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
|
|
|
|
Timestamp of the violation.
|
|
|
|
|
|
.. zeek:field:: analyzer_kind :zeek:type:`string` :zeek:attr:`&log`
|
|
|
|
The kind of analyzer involved. Currently "packet", "file"
|
|
or "protocol".
|
|
|
|
|
|
.. zeek:field:: analyzer_name :zeek:type:`string` :zeek:attr:`&log`
|
|
|
|
The name of the analyzer as produced by :zeek:see:`Analyzer::name`
|
|
for the analyzer's tag.
|
|
|
|
|
|
.. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
|
|
|
|
Connection UID if available.
|
|
|
|
|
|
.. zeek:field:: fuid :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
|
|
|
|
File UID if available.
|
|
|
|
|
|
.. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log` :zeek:attr:`&optional`
|
|
|
|
Connection identifier if available.
|
|
|
|
|
|
.. zeek:field:: proto :zeek:type:`transport_proto` :zeek:attr:`&log` :zeek:attr:`&optional`
|
|
|
|
Transport protocol for the violation, if available.
|
|
|
|
|
|
.. zeek:field:: failure_reason :zeek:type:`string` :zeek:attr:`&log`
|
|
|
|
Failure or violation reason, if available.
|
|
|
|
|
|
.. zeek:field:: failure_data :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
|
|
|
|
Data causing failure or violation if available. Truncated
|
|
to :zeek:see:`Analyzer::Logging::failure_data_max_size`.
|
|
|
|
|
|
.. zeek:field:: packet_segment :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
|
|
|
|
(present if :doc:`/scripts/policy/frameworks/analyzer/packet-segment-logging.zeek` is loaded)
|
|
|
|
A chunk of the payload that most likely resulted in the
|
|
analyzer violation.
|
|
|
|
|
|
The record type defining the columns to log in the analyzer logging stream.
|
|
|
|
Events
|
|
######
|
|
.. zeek:id:: Analyzer::Logging::log_analyzer
|
|
:source-code: base/frameworks/analyzer/logging.zeek 43 43
|
|
|
|
:Type: :zeek:type:`event` (rec: :zeek:type:`Analyzer::Logging::Info`)
|
|
|
|
An event that can be handled to access the :zeek:type:`Analyzer::Logging::Info`
|
|
record as it is sent on to the logging framework.
|
|
|
|
Hooks
|
|
#####
|
|
.. zeek:id:: Analyzer::Logging::log_policy
|
|
:source-code: policy/frameworks/analyzer/packet-segment-logging.zeek 38 50
|
|
|
|
:Type: :zeek:type:`Log::PolicyHook`
|
|
|
|
A default logging policy hook for the stream.
|
|
|
|
|