mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
4ce3bf3cd2
Update the logging framework tests: since hooks operate by name, they cannot be anonymous. I'm also dropping the &optional attribute from the status field, since here know that the values are actually defined, and access to an optional status field should normally be guarded by the existence test operator. Also includes baseline update for plugins.hooks, which picks up the fact that the pred record field is now gone.
45 lines
1.2 KiB
Text
45 lines
1.2 KiB
Text
|
|
# @TEST-EXEC: zeek -b %INPUT
|
|
# @TEST-EXEC: btest-diff test.success.log
|
|
# @TEST-EXEC: btest-diff test.failure.log
|
|
|
|
module Test;
|
|
|
|
export {
|
|
# Create a new ID for our log stream
|
|
redef enum Log::ID += { LOG };
|
|
|
|
# Define a record with all the columns the log file can have.
|
|
# (I'm using a subset of fields from ssh for demonstration.)
|
|
type Log: record {
|
|
t: time;
|
|
id: conn_id; # Will be rolled out into individual columns.
|
|
status: string;
|
|
country: string &default="unknown";
|
|
} &log;
|
|
}
|
|
|
|
hook success(rec: Log, id: Log::ID, filter: Log::Filter)
|
|
{
|
|
if ( rec$status != "success" )
|
|
break;
|
|
}
|
|
|
|
hook fail(rec: Log, id: Log::ID, filter: Log::Filter)
|
|
{
|
|
if ( rec$status == "success" )
|
|
break;
|
|
}
|
|
|
|
event zeek_init()
|
|
{
|
|
Log::create_stream(Test::LOG, [$columns=Log]);
|
|
Log::remove_default_filter(Test::LOG);
|
|
Log::add_filter(Test::LOG, [$name="f1", $path="test.success", $policy=success]);
|
|
Log::add_filter(Test::LOG, [$name="f2", $path="test.failure", $policy=fail]);
|
|
|
|
local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
|
|
local r: Log = [$t=network_time(), $id=cid, $status="success"];
|
|
Log::write(Test::LOG, r);
|
|
Log::write(Test::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
|
|
}
|