<div dir="auto">Hi Henri,<div dir="auto"><br></div><div dir="auto">Great question. </div><div dir="auto">The logging framework is extremely flexible and allows for log stream columns to dynamically change during run time. This means at startup, the bro_init() event, Zeek may not know all the columns of all the logs. Here's a script I wrote for you which sort of answers your question. If you have more questions about it, just reach back out to the list.</div><div dir="auto"><br></div><div dir="auto">-AK</div><div dir="auto"><br></div><div dir="auto"><br></div><div dir="auto"><div dir="auto">function pfunk(rec: any): bool {</div><div dir="auto"> print type_name(rec);</div><div dir="auto"> return T;</div><div dir="auto">}</div><div dir="auto"><br></div><div dir="auto">event bro_init() {</div><div dir="auto"> for (id in Log::active_streams) {</div><div dir="auto"> for (fname in Log::get_filter_names(id)) {</div><div dir="auto"> local filter: Log::Filter;</div><div dir="auto"> filter = Log::get_filter(id, fname);</div><div dir="auto"> filter$pred = pfunk;</div><div dir="auto"> Log::add_filter(id, filter);</div><div dir="auto"> }</div><div dir="auto"> }</div><div dir="auto">}</div><div dir="auto"><br></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Oct 16, 2019, 13:48 Henri Dubois-Ferriere <<a href="mailto:henridf@gmail.com">henridf@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I'm trying to print the record type for each log stream at startup. 
Something like:<div><br></div><div> for ( id in Log::active_streams ) {<br> local stream = Log::active_streams[id];<br> print stream$path, stream$columns;<br></div><div>}<br><br></div><div>doesn't work because $columns is a record type, and gets stringified "<no value description>".</div><div><br></div><div>Is there a way to do this in zeek script?</div><div><br></div><div>Thanks,</div><div>Henri</div></div>
_______________________________________________<br>
Zeek mailing list<br>
<a href="mailto:zeek@zeek.org" target="_blank" rel="noreferrer">zeek@zeek.org</a><br>
<a href="http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek" rel="noreferrer noreferrer" target="_blank">http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek</a></blockquote></div>
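An added example, not part of the thread and not Zeek's own code: one way to list each active stream's columns at startup is to hand the stream's record type to the `record_fields()` built-in, which reports every field with its type name and whether it is logged. It assumes `record_fields()` accepts the type value stored in `$columns` and uses `zeek_init` (the thread's script uses the older `bro_init` name); the `-10` priority is an arbitrary choice so that streams created in other init handlers already exist.

```zeek
# Added example: print the column names and types of every active log
# stream once at startup. This is a snapshot taken when the handler runs.
event zeek_init() &priority=-10
	{
	for ( id in Log::active_streams )
		{
		local stream = Log::active_streams[id];

		# $path is optional on Log::Stream, so guard the access.
		local path = stream?$path ? stream$path : "<no path>";
		print fmt("%s (%s)", path, id);

		# Assumption: record_fields() resolves the record type held
		# in $columns, not only record values.
		local fields = record_fields(stream$columns);

		for ( fname in fields )
			{
			local f = fields[fname];

			# Only fields carrying &log are written as columns.
			if ( f$log )
				print fmt("    %s: %s", fname, f$type_name);
			}
		}
	}
```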