Merge branch 'master' of github.com:/mmguero-dev/json-streaming-logs

ckreibich · ckreibich · commit af109f07fa56 · 2025-12-02T20:36:25.000-08:00
* 'master' of github.com:/mmguero-dev/json-streaming-logs:
  make enabled_logs filter a set of log streams, not strings
  Added new test for enabled_files
  add enabled_logs variable to control which logs get the json_streaming_ treatment
  add enabled_logs variable to control which logs get the json_streaming_ treatment
  add enabled_logs variable to control which logs get the json_streaming_ treatment
diff --git a/scripts/main.zeek b/scripts/main.zeek
@@ -27,6 +27,9 @@ export {
 	## JSON streaming logs.  This is set separately since these logs are ephemeral
 	## and meant to be immediately carried off to some other storage and search system.
 	const JSONStreaming::rotation_interval = 15mins &redef;
+
+	## Set of log streams to get the json_streaming_ treatment. If empty, do all logs.
+	const JSONStreaming::enabled_logs: set[Log::ID] = set() &redef;
 }
 
 type JsonStreamingExtension: record {
@@ -87,6 +90,10 @@ event zeek_init() &priority=-5
 
 	for ( stream in Log::active_streams )
 		{
+		# Skip this filter if it's not in the enabled set (unless enabled_logs is empty)
+		if ( |JSONStreaming::enabled_logs| > 0 && !(stream in JSONStreaming::enabled_logs) )
+		    next;
+
 		for ( filter_name in Log::get_filter_names(stream) )
 			{
 			# This is here because we're modifying the list of filters right now...
diff --git a/testing/tests/logs-filtered.zeek b/testing/tests/logs-filtered.zeek
@@ -0,0 +1,10 @@
+# @TEST-DOC: Verifies that Zeek by default writes both the usual logs and the (filtered) json-streaming ones.
+# @TEST-EXEC: zeek -r $TRACES/http.pcap $PACKAGE %INPUT
+# @TEST-EXEC: for f in conn files http packet_filter; do test -f $f.log; done
+# @TEST-EXEC: for f in files http; do test -f json_streaming_$f.log; done
+# @TEST-EXEC: for f in conn packet_filter; do ! test -f json_streaming_$f.log; done
+
+# Filter the list of files
+redef JSONStreaming::enabled_logs = set(HTTP::LOG, Files::LOG);
+# Turn off log rotation handling because it only kicks in for some of the files:
+redef JSONStreaming::enable_log_rotation = F;

Original file line number	Diff line number	Diff line change
`@@ -27,6 +27,9 @@ export {`
`27`	`27`	`## JSON streaming logs. This is set separately since these logs are ephemeral`
`28`	`28`	`## and meant to be immediately carried off to some other storage and search system.`
`29`	`29`	`const JSONStreaming::rotation_interval = 15mins &redef;`
	`30`	`+`
	`31`	`+ ## Set of log streams to get the json_streaming_ treatment. If empty, do all logs.`
	`32`	`+ const JSONStreaming::enabled_logs: set[Log::ID] = set() &redef;`
`30`	`33`	`}`
`31`	`34`
`32`	`35`	`type JsonStreamingExtension: record {`
`@@ -87,6 +90,10 @@ event zeek_init() &priority=-5`
`87`	`90`
`88`	`91`	`for ( stream in Log::active_streams )`
`89`	`92`	`{`
	`93`	`+ # Skip this filter if it's not in the enabled set (unless enabled_logs is empty)`
	`94`	`+ if ( \|JSONStreaming::enabled_logs\| > 0 && !(stream in JSONStreaming::enabled_logs) )`
	`95`	`+ next;`
	`96`	`+`
`90`	`97`	`for ( filter_name in Log::get_filter_names(stream) )`
`91`	`98`	`{`
`92`	`99`	`# This is here because we're modifying the list of filters right now...`