4. Logging & Alerting

This section introduces the Haka logging and alerting API.

4.1. Log

haka.log.fatal(module, fmt, ...)
haka.log.error(module, fmt, ...)
haka.log.warning(module, fmt, ...)
haka.log.info(module, fmt, ...)
haka.log.debug(module, fmt, ...)

Log a message in various levels.

haka.log(module, fmt, ...)

Alias to haka.log.info().

haka.log.setlevel(level)
haka.log.setlevel(module, level)

Set the logging level to display. It can be set globally and also manually for each module.

4.2. Alert

haka.alert{param1=value1, param2=value2[, ...]}

Raise an alert. All parameters are optional.

Parameters:
  • start_time – time
  • end_time – time
  • description – string
  • severity – one of 'low', 'medium' or 'high'
  • confidence'low', 'medium', 'high' or number
  • completion'failed' or 'successful'
  • method – a table
  • method.description – string
  • method.ref – table of strings
  • sources – a table of haka.alert.address(), haka.alert.service()...
  • targets – a table of haka.alert.address(), haka.alert.service()...
  • ref – a table of alert reference
Returns:

Return an alert reference.
Return type:

Opaque object that can be used in haka.alert.update().
haka.alert.address(object1, object2[, ...])
haka.alert.service(object1, object2[, ...])

Create an object to describe a source or a target.

Example:

haka.alert{
    start_time = pkt.raw.timestamp,
    description = "packet received",
    severity = 'medium',
    confidence = 'high',
    completion = 'failed',
    method = {
        description = "Packet sent on the network",
        ref = { "cve:2O13-XXX", "http://intranet/vulnid?id=115", "cwe:809" }
    },
    sources = { haka.alert.address(pkt.src, "evil.host.fqdn") },
    targets = { haka.alert.address(pkt.dst), haka.alert.service("tcp/22", "ssh") }
}
haka.alert.update(my_alert, {param1=value1, param2=value2, [...]} )

Update the alert my_alert. The parameters are the same for the alerts.

Parameters:
  • my_alert – an alert object previously defined
  • param1,param2,... – Same names/values of alert

Example:

local my_alert = haka.alert{ severity = 'low', sources = { haka.alert.address(pkt.src) } }
haka.alert.update(my_alert, { completion = 'failed' } )