base/frameworks/analyzer/logging.zeek
- Analyzer::Logging
Logging analyzer confirmations and violations into analyzer.log
- Namespace
Analyzer::Logging
- Imports
base/frameworks/analyzer/main.zeek, base/frameworks/config, base/frameworks/logging
Summary
Runtime Options
- Analyzer::Logging::enable
  Enable logging of analyzer violations and optionally confirmations when Analyzer::Logging::include_confirmations is set.
- Analyzer::Logging::failure_data_max_size
  If a violation contains information about the data causing it, include at most this many bytes of it in the log.
- Analyzer::Logging::ignore_analyzers
  Set of analyzers for which to not log confirmations or violations.
- Analyzer::Logging::include_confirmations
  Enable logging of analyzer confirmations.
- Analyzer::Logging::include_disabling
  Enable tracking of analyzers getting disabled.
Types
- Analyzer::Logging::Info
  The record type defining the columns to log in the analyzer logging stream.
Redefinitions
- Add the analyzer logging stream identifier.
Hooks
- Analyzer::Logging::log_policy
  A default logging policy hook for the stream.
Detailed Interface
Runtime Options
- Analyzer::Logging::enable
  Enable logging of analyzer violations and optionally confirmations when Analyzer::Logging::include_confirmations is set.
- Analyzer::Logging::failure_data_max_size
  If a violation contains information about the data causing it, include at most this many bytes of it in the log.
- Analyzer::Logging::ignore_analyzers
  Default: {}
  Set of analyzers for which to not log confirmations or violations.
- Analyzer::Logging::include_confirmations
  Enable logging of analyzer confirmations. Confirmations are usually only interesting while developing an analyzer or troubleshooting. Setting this option may also generate multiple log entries per connection, at minimum one for each conn.log entry with a populated service field.
- Analyzer::Logging::include_disabling
  Enable tracking of analyzers getting disabled. This is mostly interesting when troubleshooting analyzers in dynamic protocol detection (DPD) scenarios. Setting this option may also generate multiple log entries per connection.
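The following is an added example and not part of the Zeek distribution: a local.zeek fragment that sets the runtime options documented above for a debugging session. The page does not show the shipped defaults, so every value below is a deliberate choice for this scenario; the member type of ignore_analyzers (an analyzer tag) and the choice of ANALYZER_SSL as the analyzer to silence are assumptions for illustration.

```zeek
# Added example (not Zeek's own code): tuning analyzer.log from local.zeek.
@load base/frameworks/analyzer/logging

# Without this nothing is written to analyzer.log at all.
redef Analyzer::Logging::enable = T;

# Also log "confirmation" rows. Expect at least one row per connection
# that ends up with a populated service field in conn.log, so this is
# for analyzer development or troubleshooting, not routine operation.
redef Analyzer::Logging::include_confirmations = T;

# Log analyzers being disabled, e.g. when dynamic protocol detection
# (DPD) tries an analyzer that then fails on the traffic.
redef Analyzer::Logging::include_disabling = T;

# Keep more of the offending bytes in failure_data. They land in the log
# verbatim, so weigh the extra context against what you ship downstream.
redef Analyzer::Logging::failure_data_max_size = 128;

# Silence analyzers whose confirmations/violations are already triaged.
# Assumption: the set holds analyzer tags; SSL is an illustrative choice.
redef Analyzer::Logging::ignore_analyzers += { Analyzer::ANALYZER_SSL };
```

Because the module imports base/frameworks/config, the same options can also be changed at runtime through the config framework instead of a redef; the redef form above takes effect at parse time and is the simplest to reason about when comparing two runs over the same pcap.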
Types
- Analyzer::Logging::Info
  Type: record
  - ts: time &log
    Timestamp of confirmation or violation.
  - cause: string &log
    What caused this log entry to be produced. This can currently be “violation” or “confirmation”.
  - analyzer_kind: string &log
    The kind of analyzer involved. Currently “packet”, “file” or “protocol”.
  - analyzer_name: string &log
    The name of the analyzer as produced by Analyzer::name for the analyzer’s tag.
  - uid: string &log &optional
    Connection UID if available.
  - fuid: string &log &optional
    File UID if available.
  - id: conn_id &log &optional
    Connection identifier if available.
  - failure_reason: string &log &optional
    Failure or violation reason, if available.
  - failure_data: string &log &optional
    Data causing failure or violation if available. Truncated to Analyzer::Logging::failure_data_max_size.
  The record type defining the columns to log in the analyzer logging stream.
Hooks
- Analyzer::Logging::log_policy
  A default logging policy hook for the stream.
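As an added example, not code from Zeek itself, the hook below filters analyzer.log using the Info fields documented above: it keeps "violation" rows, drops "confirmation" rows for every analyzer except the ones currently being debugged, and drops violations whose failure_reason matches a pattern already triaged as harmless. The module name AnalyzerLogFilter, the option names keep_confirmations and benign_reasons, the analyzer names HTTP and SSL, and the placeholder pattern are all hypothetical choices made for this example.

```zeek
# Added example (not Zeek's own code): a policy hook on analyzer.log.
@load base/frameworks/analyzer/logging

module AnalyzerLogFilter;

export {
	# Analyzer names (as they appear in analyzer_name) whose
	# confirmations we still want to see. Hypothetical choice.
	option keep_confirmations: set[string] = { "HTTP", "SSL" };

	# Violation reasons already triaged as benign; placeholder pattern.
	option benign_reasons: pattern = /hypothetical-benign-marker/;
}

hook Analyzer::Logging::log_policy(rec: Analyzer::Logging::Info, id: Log::ID, filter: Log::Filter)
	{
	# Confirmations are only interesting for analyzers under debugging.
	if ( rec$cause == "confirmation" && rec$analyzer_name !in keep_confirmations )
		break;

	# failure_reason is &optional, so check presence before matching on it.
	if ( rec$cause == "violation" && rec?$failure_reason && benign_reasons in rec$failure_reason )
		break;
	}
```

A `break` in a log policy hook suppresses the write for that record only; the analyzer_confirmation and analyzer_violation events still fire, so other scripts that react to them are unaffected. This is the right place for per-row suppression, whereas Analyzer::Logging::ignore_analyzers silences an analyzer wholesale.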