base/frameworks/analyzer/logging.zeek
- Analyzer::Logging
Logging analyzer violations into analyzer.log
- Namespace: Analyzer::Logging
- Imports:
Summary
Runtime Options
| Name | Description |
| --- | --- |
| Analyzer::Logging::failure_data_max_size | If a violation contains information about the data causing it, include at most this many bytes of it in the log. |
Types
| Name | Description |
| --- | --- |
| Analyzer::Logging::Info: record | The record type defining the columns to log in the analyzer logging stream. |
Redefinitions
| Name | Description |
| --- | --- |
| Log::ID: enum | Add the analyzer logging stream identifier. |
Events
| Name | Description |
| --- | --- |
| Analyzer::Logging::log_analyzer: event | An event that can be handled to access the Analyzer::Logging::Info record as it is sent on to the logging framework. |
Hooks
| Name | Description |
| --- | --- |
| Analyzer::Logging::log_policy: Log::PolicyHook | A default logging policy hook for the stream. |
Detailed Interface
Runtime Options
- Analyzer::Logging::failure_data_max_size
  If a violation contains information about the data causing it, include at most this many bytes of it in the log.
Types
- Analyzer::Logging::Info
  - Type: record
    The record type defining the columns to log in the analyzer logging stream.
  - Fields:
    - analyzer_kind: string &log
      The kind of analyzer involved. Currently "packet", "file" or "protocol".
    - analyzer_name: string &log
      The name of the analyzer as produced by Analyzer::name for the analyzer's tag.
    - proto: transport_proto &log &optional
      Transport protocol for the violation, if available.
    - failure_data: string &log &optional
      Data causing the failure or violation, if available. Truncated to Analyzer::Logging::failure_data_max_size.
    - packet_segment: string &optional &log (present if policy/frameworks/analyzer/packet-segment-logging.zeek is loaded)
      A chunk of the payload that most likely resulted in the analyzer violation.
Events
- Analyzer::Logging::log_analyzer
  - Type: event (rec: Analyzer::Logging::Info)
  An event that can be handled to access the Analyzer::Logging::Info record as it is sent on to the logging framework.
Hooks
- Analyzer::Logging::log_policy
  - Type: Log::PolicyHook
  A default logging policy hook for the stream.
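The following script is an added example, not part of the Zeek distribution, showing how the three interface pieces documented above fit together: it raises failure_data_max_size, uses the log_policy hook to suppress analyzer.log entries for analyzers an operator has chosen to ignore, and handles log_analyzer to raise a notice for protocol-analyzer violations. The module name, the notice type and the ignored_analyzers set (and its "DCE_RPC" entry) are constructed for the example.

```zeek
# Added example: tune and filter analyzer.log (not Zeek's own code).
@load base/frameworks/analyzer/logging
@load base/frameworks/notice

module AnalyzerLogTuning;

export {
    redef enum Notice::Type += {
        ## Raised when a protocol analyzer reports a violation.
        Protocol_Violation,
    };

    ## Analyzer names (as produced by Analyzer::name) whose violations
    ## should not be written to analyzer.log. Constructed example value.
    option ignored_analyzers: set[string] = set("DCE_RPC");
}

# Keep up to 128 bytes of the data that caused the violation (the
# default is smaller); failure_data is truncated to this size.
redef Analyzer::Logging::failure_data_max_size = 128;

# A log policy hook runs before each record is written; 'break'
# discards the record for this stream.
hook Analyzer::Logging::log_policy(rec: Analyzer::Logging::Info,
                                   id: Log::ID, filter: Log::Filter)
{
    if ( rec$analyzer_name in ignored_analyzers )
        break;
}

# The log_analyzer event sees every Info record on its way to the
# logging framework, including records the policy hook later drops.
event Analyzer::Logging::log_analyzer(rec: Analyzer::Logging::Info)
{
    # Only protocol analyzers are of interest here; "packet" and
    # "file" violations are left to analyzer.log alone.
    if ( rec$analyzer_kind != "protocol" )
        return;

    local msg = fmt("violation in protocol analyzer %s", rec$analyzer_name);

    # failure_data is &optional; check presence before reading it and
    # escape it so binary payload bytes do not corrupt notice.log.
    if ( rec?$failure_data )
        msg = fmt("%s (data: %s)", msg, escape_string(rec$failure_data));

    NOTICE([$note=Protocol_Violation, $msg=msg]);
}
```

Because log_analyzer fires regardless of the policy hook's decision, the ignored_analyzers filter affects analyzer.log only; extend the event handler with the same check if the notices should be suppressed as well.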