mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
1bd658da8f
This adds a "policy" hook into the logging framework's streams and
filters to replace the existing log filter predicates. The hook
signature is as follows:
hook(rec: any, id: Log::ID, filter: Log::Filter);
The logging manager invokes hooks on each log record. Hooks can veto
log records via a break, and modify them if necessary. Log filters
inherit the stream-level hook, but can override or remove the hook as
needed.
The distribution's existing log streams now come with pre-defined
hooks that users can add handlers to. Their name is standardized as
"log_policy" by convention, with additional suffixes when a module
provides multiple streams. The following adds a handler to the Conn
module's default log policy hook:
hook Conn::log_policy(rec: Conn::Info, id: Log::ID, filter: Log::Filter)
{
if ( some_veto_reason(rec) )
break;
}
By default, this handler will get invoked for any log filter
associated with the Conn::LOG stream.
The existing predicates are deprecated for removal in 4.1 but continue
to work.
62 lines
1.6 KiB
Text
62 lines
1.6 KiB
Text
##! Core script support for logging syslog messages. This script represents
|
|
##! one syslog message as one logged record.
|
|
|
|
@load ./consts
|
|
|
|
module Syslog;
|
|
|
|
export {
|
|
redef enum Log::ID += { LOG };
|
|
|
|
global log_policy: Log::PolicyHook;
|
|
|
|
## The record type which contains the fields of the syslog log.
|
|
type Info: record {
|
|
## Timestamp when the syslog message was seen.
|
|
ts: time &log;
|
|
## Unique ID for the connection.
|
|
uid: string &log;
|
|
## The connection's 4-tuple of endpoint addresses/ports.
|
|
id: conn_id &log;
|
|
## Protocol over which the message was seen.
|
|
proto: transport_proto &log;
|
|
## Syslog facility for the message.
|
|
facility: string &log;
|
|
## Syslog severity for the message.
|
|
severity: string &log;
|
|
## The plain text message.
|
|
message: string &log;
|
|
};
|
|
}
|
|
|
|
redef record connection += {
|
|
syslog: Info &optional;
|
|
};
|
|
|
|
const ports = { 514/udp };
|
|
redef likely_server_ports += { ports };
|
|
|
|
event zeek_init() &priority=5
|
|
{
|
|
Log::create_stream(Syslog::LOG, [$columns=Info, $path="syslog", $policy=log_policy]);
|
|
Analyzer::register_for_ports(Analyzer::ANALYZER_SYSLOG, ports);
|
|
}
|
|
|
|
event syslog_message(c: connection, facility: count, severity: count, msg: string) &priority=5
|
|
{
|
|
local info: Info;
|
|
info$ts=network_time();
|
|
info$uid=c$uid;
|
|
info$id=c$id;
|
|
info$proto=get_port_transport_proto(c$id$resp_p);
|
|
info$facility=facility_codes[facility];
|
|
info$severity=severity_codes[severity];
|
|
info$message=msg;
|
|
|
|
c$syslog = info;
|
|
}
|
|
|
|
event syslog_message(c: connection, facility: count, severity: count, msg: string) &priority=-5
|
|
{
|
|
Log::write(Syslog::LOG, c$syslog);
|
|
}
|