32 lines
974 B
Plaintext
32 lines
974 B
Plaintext
# This tests the intersection of log filters with a custom extension
|
|
# function that also use $include/$exclude: the extension function
|
|
# overrides those restrictions.
|
|
#
|
|
# @TEST-EXEC: zeek -b -r $TRACES/wikipedia.trace %INPUT
|
|
# @TEST-EXEC: btest-diff conn-inc.log
|
|
# @TEST-EXEC: btest-diff conn-exc.log
|
|
|
|
@load base/protocols/conn
|
|
|
|
type Extension: record {
|
|
write_ts: time &log;
|
|
stream: string &log;
|
|
system_name: string &log;
|
|
};
|
|
|
|
function add_extension(path: string): Extension
|
|
{
|
|
return Extension($write_ts = network_time(),
|
|
$stream = path,
|
|
$system_name = peer_description);
|
|
}
|
|
|
|
redef Log::default_ext_func = add_extension;
|
|
|
|
event zeek_init()
|
|
{
|
|
Log::remove_default_filter(Conn::LOG);
|
|
Log::add_filter(Conn::LOG, [$name="default-inc", $path="conn-inc", $include=set("ts", "uid", "id.orig_h", "id.resp_h")]);
|
|
Log::add_filter(Conn::LOG, [$name="default-exc", $path="conn-exc", $exclude=set("_write_ts")]);
|
|
}
|