logging.zeek

Analyzer::Logging

Logging analyzer confirmations and violations into analyzer.log

Namespace: Analyzer::Logging
Imports: base/frameworks/analyzer/main.zeek, base/frameworks/config, base/frameworks/logging

Summary

Runtime Options

`Analyzer::Logging::enable`: `bool` `&redef`	Enable logging of analyzer violations and optionally confirmations when `Analyzer::Logging::include_confirmations` is set.
`Analyzer::Logging::failure_data_max_size`: `count` `&redef`	If a violation contains information about the data causing it, include at most this many bytes of it in the log.
`Analyzer::Logging::ignore_analyzers`: `set` `&redef`	Set of analyzers for which to not log confirmations or violations.
`Analyzer::Logging::include_confirmations`: `bool` `&redef`	Enable analyzer_confirmation.

Types

Analyzer::Logging::Info: record

The record type defining the columns to log in the analyzer logging stream.

Redefinitions

Log::ID: enum

Add the analyzer logging stream identifier.

Analyzer::Logging::LOG

Hooks

Analyzer::Logging::log_policy: Log::PolicyHook

A default logging policy hook for the stream.

Detailed Interface

Runtime Options

Analyzer::Logging::enable 

Type: bool
Attributes: &redef
Default: T

Enable logging of analyzer violations and optionally confirmations when Analyzer::Logging::include_confirmations is set.

Analyzer::Logging::failure_data_max_size 

Type: count
Attributes: &redef
Default: 40

If a violation contains information about the data causing it, include at most this many bytes of it in the log.

Analyzer::Logging::ignore_analyzers 

Type: set [AllAnalyzers::Tag]
Attributes: &redef
Default: {}

Set of analyzers for which to not log confirmations or violations.

Analyzer::Logging::include_confirmations 

Type: bool
Attributes: &redef
Default: F

Enable analyzer_confirmation. They are usually less interesting outside of development of analyzers or troubleshooting scenarios. Setting this option may also generated multiple log entries per connection, minimally one for each conn.log entry with a populated service field.

Types

Analyzer::Logging::Info 

Type

record

ts: time &log: Timestamp of confirmation or violation.
cause: string &log: What caused this log entry to be produced. This can currently be “violation” or “confirmation”.
analyzer_kind: string &log: The kind of analyzer involved. Currently “packet”, “file” or “protocol”.
analyzer_name: string &log: The name of the analyzer as produced by Analyzer::name for the analyzer’s tag.
uid: string &log &optional: Connection UID if available.
fuid: string &log &optional: File UID if available.
id: conn_id &log &optional: Connection identifier if available
failure_reason: string &log &optional: Failure or violation reason, if available.
failure_data: string &log &optional: Data causing failure or violation if available. Truncated to Analyzer::Logging::failure_data_max_size.

The record type defining the columns to log in the analyzer logging stream.

Hooks

Analyzer::Logging::log_policy 

Type: Log::PolicyHook

A default logging policy hook for the stream.