Bro/Zeek Logging Framework for Python

Table of Contents

• Dumpers
  • Predefined Dumpers
  • Abstract Base Dumpers
• Loaders
  • Predefined Loaders
  • Abstract Base Loaders
• Data Model
• Data Types
  • Bro/Zeek Types
  • Abstract Base Types
  • Internal Data
• Typing Annotations
  • Zeek Data Types
  • Bro Data Types
• Data Classes
  • Predefined Data Classes
  • Abstract Base Data Classes
• Exceptions & Warnings
• Internal Auxiliary Functions
• Enum Namespace
  • Module Contents
  • Namespaces
    • Broker Namespace
    • Cluster Namespace
    • DCE_RPC Namespace
    • HTTP Namespace
    • Input Namespace
    • Intel Namespace
    • JSON Namespace
    • Known Namespace
    • LoadBalancing Namespace
    • Log Namespace
    • MOUNT3 Namespace
    • MQTT Namespace
    • NFS3 Namespace
    • NetControl Namespace
    • Notice Namespace
    • OpenFlow Namespace
    • ProtocolDetector Namespace
    • Reporter Namespace
    • SMB Namespace
    • SOCKS Namespace
    • SSL Namespace
    • Signatures Namespace
    • Software Namespace
    • SumStats Namespace
    • Tunnel Namespace
    • Weird Namespace
    • ZeekygenExample Namespace
    • zeek Namespace

Module Contents

Bro/Zeek logging framework.

zlogging.write(data, filename, format, *args, **kwargs)

Write Bro/Zeek log file.

Parameters

• data (Iterable of Model) – Log records as an Iterable of Model per line.

• filename (PathLike[str]) – Log file name.

• format (str) – Log format.

• *args – See write_json() and write_ascii() for more information.

• args (Any) –

• kwargs (Any) –

Keyword Arguments

**kwargs – See write_json() and write_ascii() for more information.

Raises

WriterFormatError – If format is not supported.

Return type

None

zlogging.dump(data, file, format, *args, **kwargs)

Write Bro/Zeek log file.

Parameters

• data (Iterable of Model) – Log records as an Iterable of Model per line.

• format (str) – Log format.

• file (TextFile) – Log file object opened in text mode.

• *args – See dump_json() and dump_ascii() for more information.

• args (Any) –

• kwargs (Any) –

Keyword Arguments

**kwargs – See dump_json() and dump_ascii() for more information.

Raises

WriterFormatError – If format is not supported.

Return type

None

zlogging.dumps(data, format, *args, **kwargs)

Write Bro/Zeek log string.

Parameters

• data (Iterable of Model) – Log records as an Iterable of Model per line.

• format (str) – Log format.

• *args – See dumps_json() and dumps_ascii() for more information.

• args (Any) –

• kwargs (Any) –

Keyword Arguments

**kwargs – See dumps_json() and dumps_ascii() for more information.

Raises

WriterFormatError – If format is not supported.

Return type

str

zlogging.parse(filename, *args, **kwargs)

Parse Bro/Zeek log file.

Parameters

• filename (PathLike[str]) – Log file name.

• *args – See parse_json() and parse_ascii() for more information.

• **kwargs – See parse_json() and parse_ascii() for more information.

• args (Any) –

• kwargs (Any) –

Return type

Union[JSONInfo, ASCIIInfo]

Returns

The parsed JSON log data.

Raises

ParserError – If the format of the log file is unknown.

zlogging.load(file, *args, **kwargs)

Parse Bro/Zeek log file.

Parameters

• file (BinaryFile) – Log file object opened in binary mode.

• *args – See load_json() and load_ascii() for more information.

• **kwargs – See load_json() and load_ascii() for more information.

• args (Any) –

• kwargs (Any) –

Return type

Union[JSONInfo, ASCIIInfo]

Returns

The parsed JSON log data.

Raises

ParserError – If the format of the log file is unknown.

zlogging.loads(data, *args, **kwargs)

Parse Bro/Zeek log string.

Parameters

• data (AnyStr) – Log string as binary or encoded string.

• *args – See loads_json() and loads_ascii() for more information.

• **kwargs – See loads_json() and loads_ascii() for more information.

• args (Any) –

• kwargs (Any) –

Return type

Union[JSONInfo, ASCIIInfo]

Returns

The parsed JSON log data.

Raises

ParserError – If the format of the log file is unknown.

class zlogging.Model(*args, **kwargs)

Bases: object

Log data model.

Variables

• __fields__ (OrderedDict mapping str and BaseType) – Fields of the data model.

• __record_fields__ (OrderedDict mapping str and RecordType) – Fields of record data type in the data model.

• __empty_field__ (bytes) – Placeholder for empty field.

• __unset_field__ (bytes) – Placeholder for unset field.

• __set_separator__ (bytes) – Separator for set/vector fields.

Warns

BroDeprecationWarning – Use of bro_* type annotations.

Raises

• ModelValueError – In case of inconsistency between field data types, or values of unset_field, empty_field and set_separator.

• ModelTypeError – Wrong parameters when initialisation.

Note

Customise the Model.__post_init__ method in your subclassed data model to implement your own ideas.

Example

Define a custom log data model using the prefines Bro/Zeek data types, or subclasses of BaseType:

class MyLog(Model):
    field_one = StringType()
    field_two = SetType(element_type=PortType)

Or you may use type annotations as PEP 484 introduced when declaring data models. All available type hints can be found in zlogging.typing:

class MyLog(Model):
    field_one: zeek_string
    field_two: zeek_set[zeek_port]

However, when mixing annotations and direct assignments, annotations will take proceedings, i.e. the Model class shall process first annotations then assignments. Should there be any conflicts, ModelError will be raised.

See also

See expand_typing() for more information about processing the fields.

property fields

fields of the data model

Type

OrderedDict mapping str and BaseType

Return type

OrderedDict[str, BaseType]

property unset_field

placeholder for empty field

Type

bytes

Return type

bytes

property empty_field

placeholder for unset field

Type

bytes

Return type

bytes

property set_separator

separator for set/vector fields

Type

bytes

Return type

bytes

__post_init__()

Post-processing customisation.

Return type

None

__call__(format)

Serialise data model with given format.

Parameters

format (str) – Serialisation format.

Return type

Any

Returns

The serialised data.

Raises

ModelFormatError – If format is not supproted, i.e. Mode.to{format}() does not exist.

tojson()

Serialise data model as JSON log format.

Return type

OrderedDict[str, Any]

Returns

An OrderedDict mapping each field and serialised JSON serialisable data.

toascii()

Serialise data model as ASCII log format.

Return type

OrderedDict[str, str]

Returns

An OrderedDict mapping each field and serialised text data.

asdict(dict_factory=None)

Convert data model as a dictionary mapping field names to field values.

Parameters

dict_factory (Optional[Type[dict]]) – If given, dict_factory will be used instead of built-in dict.

Return type

Dict[str, Any]

Returns

A dictionary mapping field names to field values.

astuple(tuple_factory=None)

Convert data model as a tuple of field values.

Parameters

tuple_factory (Optional[Type[tuple]]) – If given, tuple_factory will be used instead of built-in namedtuple.

Return type

Tuple[Any, ..]

Returns

A tuple of field values.

zlogging.new_model(name, **fields)

Create a data model dynamically with the appropriate fields.

Parameters

• name (str) – data model name

• **fields – defined fields of the data model

• fields (Any) –

Returns

created data model

Return type

Model

Examples

Typically, we define a data model by subclassing the Model class, as following:

class MyLog(Model):
    field_one = StringType()
    field_two = SetType(element_type=PortType)

when defining dynamically with new_model(), the definition above can be rewrote to:

MyLog = new_model('MyLog', field_one=StringType(), field_two=SetType(element_type=PortType))

class zlogging.AddrType(empty_field=None, unset_field=None, set_separator=None, *args, **kwargs)

Bases: zlogging.types._SimpleType

Bro/Zeek addr data type.

Parameters

• empty_field (bytes or str, optional) – Placeholder for empty field.

• unset_field (bytes or str, optional) – Placeholder for unset field.

• set_separator (bytes or str, optional) – Separator for set/vector fields.

• *args – Variable length argument list.

• **kwargs – Arbitrary keyword arguments.

Variables

• empty_field (bytes) – Placeholder for empty field.

• unset_field (bytes) – Placeholder for unset field.

• set_separator (bytes) – Separator for set/vector fields.

property python_type

Corresponding Python type annotation.

Type

Any

Return type

Any

property zeek_type

Corresponding Zeek type name.

Type

str

Return type

str

parse(data)

Parse data from string.

Parameters

data (Union[AnyStr, IPAddress]) – raw data

Return type

Optional[IPAddress]

Returns

The parsed IP address. If data is unset, None will be returned.

tojson(data)

Serialize data as JSON log format.

Parameters

data (Optional[IPAddress]) – raw data

Returns

The JSON serialisable IP address string.

Return type

str

toascii(data)

Serialize data as ASCII log format.

Parameters

data (Optional[IPAddress]) – raw data

Returns

The ASCII representation of the IP address.

Return type

str

class zlogging.BoolType(empty_field=None, unset_field=None, set_separator=None, *args, **kwargs)

Bases: zlogging.types._SimpleType

Bro/Zeek bool data type.

Parameters

• empty_field (bytes or str, optional) – Placeholder for empty field.

• unset_field (bytes or str, optional) – Placeholder for unset field.

• set_separator (bytes or str, optional) – Separator for set/vector fields.

• *args – Variable length argument list.

• **kwargs – Arbitrary keyword arguments.

Variables

• empty_field (bytes) – Placeholder for empty field.

• unset_field (bytes) – Placeholder for unset field.

• set_separator (bytes) – Separator for set/vector fields.

property python_type

Corresponding Python type annotation.

Type

Any

Return type

Type[bool]

property zeek_type

Corresponding Zeek type name.

Type

str

Return type

Literal[“bool”]

parse(data)

Parse data from string.

Parameters

data (Union[AnyStr, bool]) – raw data

Return type

Optional[bool]

Returns

The parsed boolean data. If data is unset, None will be returned.

Raises

ZeekValueError – If data is NOT unset and NOT T (True) nor F (False) in Bro/Zeek script language.

tojson(data)

Serialize data as JSON log format.

Parameters

data (Optional[bool]) – raw data

Return type

Optional[bool]

Returns

The JSON serialisable boolean data.

toascii(data)

Serialize data as ASCII log format.

Parameters

data (Optional[bool]) – raw data

Returns

T if True, F if False.

Return type

str

class zlogging.CountType(empty_field=None, unset_field=None, set_separator=None, *args, **kwargs)

Bases: zlogging.types._SimpleType

Bro/Zeek count data type.

Parameters

• empty_field (bytes or str, optional) – Placeholder for empty field.

• unset_field (bytes or str, optional) – Placeholder for unset field.

• set_separator (bytes or str, optional) – Separator for set/vector fields.

• *args – Variable length argument list.

• **kwargs – Arbitrary keyword arguments.

Variables

• empty_field (bytes) – Placeholder for empty field.

• unset_field (bytes) – Placeholder for unset field.

• set_separator (bytes) – Separator for set/vector fields.

property python_type

Corresponding Python type annotation.

Type

Any

Return type

Type[uint64]

property zeek_type

Corresponding Zeek type name.

Type

str

Return type

Literal[“count”]

parse(data)

Parse data from string.

Parameters

data (Union[AnyStr, uint64]) – raw data

Return type

Optional[uint64]

Returns

The parsed numeral data. If data is unset, None will be returned.

tojson(data)

Serialize data as JSON log format.

Parameters

data (Optional[uint64]) – raw data

Returns

The JSON serialisable numeral data.

Return type

int

toascii(data)

Serialize data as ASCII log format.

Parameters

data (Optional[uint64]) – raw data

Returns

The ASCII representation of numeral data.

Return type

str

class zlogging.DoubleType(empty_field=None, unset_field=None, set_separator=None, *args, **kwargs)

Bases: zlogging.types._SimpleType

Bro/Zeek double data type.

Parameters

• empty_field (bytes or str, optional) – Placeholder for empty field.

• unset_field (bytes or str, optional) – Placeholder for unset field.

• set_separator (bytes or str, optional) – Separator for set/vector fields.

• *args – Variable length argument list.

• **kwargs – Arbitrary keyword arguments.

Variables

• empty_field (bytes) – Placeholder for empty field.

• unset_field (bytes) – Placeholder for unset field.

• set_separator (bytes) – Separator for set/vector fields.

property python_type

Corresponding Python type annotation.

Type

Any

Return type

Type[Decimal]

property zeek_type

Corresponding Zeek type name.

Type

str

Return type

Literal[“double”]

parse(data)

Parse data from string.

Parameters

data (Union[AnyStr, Decimal]) – raw data

Return type

Optional[Decimal]

Returns

The parsed numeral data. If data is unset, None will be returned.

tojson(data)

Serialize data as JSON log format.

Parameters

data (Optional[Decimal]) – raw data

Returns

The JSON serialisable numeral data.

Return type

float

toascii(data)

Serialize data as ASCII log format.

Parameters

data (Optional[Decimal]) – raw data

Returns

The ASCII representation of numeral data.

Return type

str

class zlogging.EnumType(empty_field=None, unset_field=None, set_separator=None, namespaces=None, bare=False, enum_hook=None, *args, **kwargs)

Bases: zlogging.types._SimpleType

Bro/Zeek enum data type.

Parameters

• empty_field (bytes or str, optional) – Placeholder for empty field.

• unset_field (bytes or str, optional) – Placeholder for unset field.

• set_separator (bytes or str, optional) – Separator for set/vector fields.

• namespaces (List[str], optional) – Namespaces to be loaded.

• bare (bool, optional) – If True, do not load zeek namespace by default.

• enum_hook (dict mapping of str and enum.Enum, optional) – Additional enum to be included in the namespace.

• *args – Variable length argument list.

• **kwargs – Arbitrary keyword arguments.

Variables

• empty_field (bytes) – Placeholder for empty field.

• unset_field (bytes) – Placeholder for unset field.

• set_separator (bytes) – Separator for set/vector fields.

• enum_namespaces (dict mapping str and enum.Enum) – Global namespace for enum data type.

property python_type

Corresponding Python type annotation.

Type

Any

Return type

Any

property zeek_type

Corresponding Zeek type name.

Type

str

Return type

str

parse(data)

Parse data from string.

Parameters

data (Union[AnyStr, Enum]) – raw data

Return type

Optional[Enum]

Returns

The parsed enum data. If data is unset, None will be returned.

Warns

ZeekValueWarning – If date is not defined in the enum namespace.

tojson(data)

Serialize data as JSON log format.

Parameters

data (Optional[Enum]) – raw data

Returns

The JSON serialisable enum data.

Return type

str

toascii(data)

Serialize data as ASCII log format.

Parameters

data (Optional[Enum]) – raw data

Returns

The ASCII representation of the enum data.

Return type

str

class zlogging.IntervalType(empty_field=None, unset_field=None, set_separator=None, *args, **kwargs)

Bases: zlogging.types._SimpleType

Bro/Zeek interval data type.

Parameters

• empty_field (bytes or str, optional) – Placeholder for empty field.

• unset_field (bytes or str, optional) – Placeholder for unset field.

• set_separator (bytes or str, optional) – Separator for set/vector fields.

• *args – Variable length argument list.

• **kwargs – Arbitrary keyword arguments.

Variables

• empty_field (bytes) – Placeholder for empty field.

• unset_field (bytes) – Placeholder for unset field.

• set_separator (bytes) – Separator for set/vector fields.

property python_type

Corresponding Python type annotation.

Type

Any

Return type

Type[TimeDeltaType]

property zeek_type

Corresponding Zeek type name.

Type

str

Return type

Literal[“interval”]

parse(data)

Parse data from string.

Parameters

data (Union[AnyStr, TimeDeltaType]) – raw data

Return type

Optional[TimeDeltaType]

Returns

The parsed numeral data. If data is unset, None will be returned.

tojson(data)

Serialize data as JSON log format.

Parameters

data (Optional[TimeDeltaType]) – raw data

Returns

The JSON serialisable numeral data.

Return type

int

toascii(data)

Serialize data as ASCII log format.

Parameters

data (Optional[TimeDeltaType]) – raw data

Returns

The ASCII representation of numeral data.

Return type

str

class zlogging.IntType(empty_field=None, unset_field=None, set_separator=None, *args, **kwargs)

Bases: zlogging.types._SimpleType

Bro/Zeek int data type.

Parameters

• empty_field (bytes or str, optional) – Placeholder for empty field.

• unset_field (bytes or str, optional) – Placeholder for unset field.

• set_separator (bytes or str, optional) – Separator for set/vector fields.

• *args – Variable length argument list.

• **kwargs – Arbitrary keyword arguments.

Variables

• empty_field (bytes) – Placeholder for empty field.

• unset_field (bytes) – Placeholder for unset field.

• set_separator (bytes) – Separator for set/vector fields.

property python_type

Corresponding Python type annotation.

Type

Any

Return type

Type[int64]

property zeek_type

Corresponding Zeek type name.

Type

str

Return type

Literal[“int”]

parse(data)

Parse data from string.

Parameters

data (Union[AnyStr, int64]) – raw data

Return type

Optional[int64]

Returns

The parsed numeral data. If data is unset, None will be returned.

tojson(data)

Serialize data as JSON log format.

Parameters

data (Optional[int64]) – raw data

Returns

The JSON serialisable numeral data.

Return type

int

toascii(data)

Serialize data as ASCII log format.

Parameters

data (Optional[int64]) – raw data

Returns

The ASCII representation of numeral data.

Return type

str

class zlogging.PortType(empty_field=None, unset_field=None, set_separator=None, *args, **kwargs)

Bases: zlogging.types._SimpleType

Bro/Zeek port data type.

Parameters

• empty_field (bytes or str, optional) – Placeholder for empty field.

• unset_field (bytes or str, optional) – Placeholder for unset field.

• set_separator (bytes or str, optional) – Separator for set/vector fields.

• *args – Variable length argument list.

• **kwargs – Arbitrary keyword arguments.

Variables

• empty_field (bytes) – Placeholder for empty field.

• unset_field (bytes) – Placeholder for unset field.

• set_separator (bytes) – Separator for set/vector fields.

property python_type

Corresponding Python type annotation.

Type

Any

Return type

Type[uint16]

property zeek_type

Corresponding Zeek type name.

Type

str

Return type

Literal[“port”]

parse(data)

Parse data from string.

Parameters

data (Union[AnyStr, uint16]) – raw data

Return type

Optional[uint16]

Returns

The parsed port number. If data is unset, None will be returned.

tojson(data)

Serialize data as JSON log format.

Parameters

data (Optional[uint16]) – raw data

Returns

The JSON serialisable port number string.

Return type

int

toascii(data)

Serialize data as ASCII log format.

Parameters

data (Optional[uint16]) – raw data

Returns

The ASCII representation of the port number.

Return type

str

class zlogging.RecordType(empty_field=None, unset_field=None, set_separator=None, *args, **element_mapping)

Bases: zlogging.types._VariadicType

Bro/Zeek record data type.

Parameters

• empty_field (bytes or str, optional) – Placeholder for empty field.

• unset_field (bytes or str, optional) – Placeholder for unset field.

• set_separator (bytes or str, optional) – Separator for set/vector fields.

• *args – Variable length argument list.

• **kwargs – element_mapping (dict mapping str and BaseType instance): Data type of container’s elements.

Variables

• empty_field (bytes) – Placeholder for empty field.

• unset_field (bytes) – Placeholder for unset field.

• set_separator (bytes) – Separator for set/vector fields.

• element_mapping (dict mapping str and BaseType instance) – Data type of container’s elements.

Raises

• ZeekTypeError – If element_mapping is not supplied.

• ZeekValueError – If element_mapping is not a valid Bro/Zeek data type; or in case of inconsistency from empty_field, unset_field and set_separator of each field.

Note

A valid element_mapping should be a simple or generic data type, i.e. a subclass of _SimpleType or _GenericType.

See also

See _aux_expand_typing() for more information about processing the fields.

property python_type

Corresponding Python type annotation.

Type

Any

Return type

Any

property zeek_type

Corresponding Zeek type name.

Type

str

Return type

Literal[“record”]

element_mapping: OrderedDict[str, Union[_SimpleType, _GenericType]]

class zlogging.SetType(empty_field=None, unset_field=None, set_separator=None, element_type=None, *args, **kwargs)

Bases: zlogging.types._GenericType, Generic[zlogging.types._S]

Bro/Zeek set data type.

Parameters

• empty_field (bytes or str, optional) – Placeholder for empty field.

• unset_field (bytes or str, optional) – Placeholder for unset field.

• set_separator (bytes or str, optional) – Separator for set/vector fields.

• element_type (BaseType instance) – Data type of container’s elements.

• *args – Variable length argument list.

• **kwargs – Arbitrary keyword arguments.

Variables

• empty_field (bytes) – Placeholder for empty field.

• unset_field (bytes) – Placeholder for unset field.

• set_separator (bytes) – Separator for set/vector fields.

• element_type (BaseType instance) – Data type of container’s elements.

Raises

• ZeekTypeError – If element_type is not supplied.

• ZeekValueError – If element_type is not a valid Bro/Zeek data type.

Example

As a generic data type, the class supports the typing proxy as introduced PEP 484:

>>> SetType[StringType]

which is the same at runtime as following:

>>> SetType(element_type=StringType())

Note

A valid element_type should be a simple data type, i.e. a subclass of _SimpleType.

property python_type

Corresponding Python type annotation.

Type

Any

Return type

Any

property zeek_type

Corresponding Zeek type name.

Type

str

Return type

str

parse(data)

Parse data from string.

Parameters

data (Union[AnyStr, Set[_S]]) – raw data

Return type

Optional[Set[_S]]

Returns

The parsed set data. If data is unset, None will be returned.

tojson(data)

Serialize data as JSON log format.

Parameters

data (Optional[Set[_S]]) – raw data

Returns

The JSON serialisable set data.

Return type

list

toascii(data)

Serialize data as ASCII log format.

Parameters

data (Optional[Set[_S]]) – raw data

Returns

The ASCII representation of the set data.

Return type

str

class zlogging.StringType(empty_field=None, unset_field=None, set_separator=None, *args, **kwargs)

Bases: zlogging.types._SimpleType

Bro/Zeek string data type.

Parameters

• empty_field (bytes or str, optional) – Placeholder for empty field.

• unset_field (bytes or str, optional) – Placeholder for unset field.

• set_separator (bytes or str, optional) – Separator for set/vector fields.

• *args – Variable length argument list.

• **kwargs – Arbitrary keyword arguments.

Variables

• empty_field (bytes) – Placeholder for empty field.

• unset_field (bytes) – Placeholder for unset field.

• set_separator (bytes) – Separator for set/vector fields.

property python_type

Corresponding Python type annotation.

Type

Any

Return type

Any

property zeek_type

Corresponding Zeek type name.

Type

str

Return type

Literal[“string”]

parse(data)

Parse data from string.

Parameters

data (Union[AnyStr, ByteString]) – raw data

Return type

Optional[bytes]

Returns

The parsed string data. If data is unset, None will be returned.

tojson(data)

Serialize data as JSON log format.

Parameters

data (Optional[ByteString]) – raw data

Returns

The JSON serialisable string data encoded in ASCII.

Return type

str

toascii(data)

Serialize data as ASCII log format.

Parameters

data (Optional[ByteString]) – raw data

Returns

The ASCII encoded string data.

Return type

str

class zlogging.SubnetType(empty_field=None, unset_field=None, set_separator=None, *args, **kwargs)

Bases: zlogging.types._SimpleType

Bro/Zeek subnet data type.

Parameters

• empty_field (bytes or str, optional) – Placeholder for empty field.

• unset_field (bytes or str, optional) – Placeholder for unset field.

• set_separator (bytes or str, optional) – Separator for set/vector fields.

• *args – Variable length argument list.

• **kwargs – Arbitrary keyword arguments.

Variables

• empty_field (bytes) – Placeholder for empty field.

• unset_field (bytes) – Placeholder for unset field.

• set_separator (bytes) – Separator for set/vector fields.

property python_type

Corresponding Python type annotation.

Type

Any

Return type

Any

property zeek_type

Corresponding Zeek type name.

Type

str

Return type

str

parse(data)

Parse data from string.

Parameters

data (Union[AnyStr, IPNetwork]) – raw data

Return type

Optional[IPNetwork]

Returns

The parsed IP network. If data is unset, None will be returned.

tojson(data)

Serialize data as JSON log format.

Parameters

data (Optional[IPNetwork]) – raw data

Returns

The JSON serialisable IP network string.

Return type

str

toascii(data)

Serialize data as ASCII log format.

Parameters

data (Optional[IPNetwork]) – raw data

Returns

The ASCII representation of the IP network.

Return type

str

class zlogging.TimeType(empty_field=None, unset_field=None, set_separator=None, *args, **kwargs)

Bases: zlogging.types._SimpleType

Bro/Zeek time data type.

Parameters

• empty_field (bytes or str, optional) – Placeholder for empty field.

• unset_field (bytes or str, optional) – Placeholder for unset field.

• set_separator (bytes or str, optional) – Separator for set/vector fields.

• *args – Variable length argument list.

• **kwargs – Arbitrary keyword arguments.

Variables

• empty_field (bytes) – Placeholder for empty field.

• unset_field (bytes) – Placeholder for unset field.

• set_separator (bytes) – Separator for set/vector fields.

property python_type

Corresponding Python type annotation.

Type

Any

Return type

Type[DateTimeType]

property zeek_type

Corresponding Zeek type name.

Type

str

Return type

Literal[“time”]

parse(data)

Parse data from string.

Parameters

data (Union[AnyStr, DateTimeType]) – raw data

Return type

Optional[DateTimeType]

Returns

The parsed numeral data. If data is unset, None will be returned.

tojson(data)

Serialize data as JSON log format.

Parameters

data (Optional[DateTimeType]) – raw data

Returns

The JSON serialisable numeral data.

Return type

float

toascii(data)

Serialize data as ASCII log format.

Parameters

data (Optional[DateTimeType]) – raw data

Returns

The ASCII representation of numeral data.

Return type

str

class zlogging.VectorType(empty_field=None, unset_field=None, set_separator=None, element_type=None, *args, **kwargs)

Bases: zlogging.types._GenericType, Generic[zlogging.types._S]

Bro/Zeek vector data type.

Parameters

• empty_field (bytes or str, optional) – Placeholder for empty field.

• unset_field (bytes or str, optional) – Placeholder for unset field.

• set_separator (bytes or str, optional) – Separator for set/vector fields.

• element_type (BaseType instance) – Data type of container’s elements.

• *args – Variable length argument list.

• **kwargs – Arbitrary keyword arguments.

Variables

• empty_field (bytes) – Placeholder for empty field.

• unset_field (bytes) – Placeholder for unset field.

• set_separator (bytes) – Separator for set/vector fields.

• element_type (BaseType instance) – Data type of container’s elements.

Raises

• ZeekTypeError – If element_type is not supplied.

• ZeekValueError – If element_type is not a valid Bro/Zeek data type.

Example

As a generic data type, the class supports the typing proxy as introduced PEP 484:

>>> VectorType[StringType]

which is the same at runtime as following:

>>> VectorType(element_type=StringType())

Note

A valid element_type should be a simple data type, i.e. a subclass of _SimpleType.

property python_type

Corresponding Python type annotation.

Type

Any

Return type

Any

property zeek_type

Corresponding Zeek type name.

Type

str

Return type

str

parse(data)

Parse data from string.

Parameters

data (Union[AnyStr, List[_S]]) – raw data

Return type

Optional[List[_S]]

Returns

The parsed list data. If data is unset, None will be returned.

tojson(data)

Serialize data as JSON log format.

Parameters

data (Optional[List[_S]]) – raw data

Returns

The JSON serialisable list data.

Return type

list

toascii(data)

Serialize data as ASCII log format.

Parameters

data (Optional[List[_S]]) – raw data

Returns

The ASCII representation of the list data.

Return type

str