Is there currently a way to add the `&log` attribute to exported units' fields (as zeek records' fields)?

TheChamnon · March 10, 2024, 4:02pm

Currently I get the following error:

error: logged record type does not have any &log attributes

Benjamin_Bannier · March 11, 2024, 9:48am

Yes, adding &log attributes is supported but currently not documented.^[1]

If you have a Spicy type

module foo;

public type X = unit {
    x: uint8;
    y: uint8;
    z: uint8;
};

you can create a Zeek record type which has all fields marked &log

module foo;

export {
	type X: record {
		x: count &optional &log;
		y: count &optional &log;
		z: count &optional &log;
	};
}

with the following export statement in an EVT file:

export foo::X &log;

or equivalent

export foo::X as foo::X &log;

To mark just individual record fields &log add the attribute to the exported field list in an EVT file, e.g., to create a Zeek record type

module foo;

export {
	type X: record {
		x: count &optional &log;
		y: count &optional;
		z: count &optional;
	};
}

either of these forms can be used:

export foo::X with { x &log, y, z };
export foo::X as foo::X with { x &log, y, z };

TheChamnon · March 11, 2024, 11:27am

Great, you’re the man!
It is worth noting that this feature does not exist in the current Zeek LTS version (6.0.3).

Topic		Replies	Views
Is it possible that exporting units is broken in Zeek 6.1.1? Spicy spicy	4	218	February 6, 2024
Problem adding a field from http.log to the xss.log Zeek	2	113	May 6, 2022
&log attribute Development development	20	193	May 6, 2022
Bitfield to boolean Spicy	1	285	December 2, 2022
Zeek json log files Zeek	4	635	May 10, 2023