Debugging exercise not generating `analyzer.log` with zeek-8.1

[bbannier]

With at least zeek-8.1.0 unsupported options do not seem to trigger an protocol violation anymore. We use it in a debugging exercise and need to figure out another way to teach users what to look for.

EDIT

When loading policy/frameworks/analyzer/debug-logging.zeek this information is exposed in analyzer_debug.log, and we probably should update this section to teach about it.

[0xxon]

Moving to analyzer_debug.log seems like the best way forward at the moment - as it is the new version of analyzer.log.

zeek/zeek#5163 is related.

[bbannier]

This section likely needs an overhaul since the reason this is not exposed in analyzer.log anymore is that TFTP uses two connections, and the data connection with the failure never confirmed (also why only analyzer_debug.log has the info). All this is pretty specific to protocols like TFTP or FTP while for normal analyzers debugging with analyzer.log should be enough.

We should find a different example so that we can

• demonstrate analyzer.log, then
• do a potential deep dive on analyzer_debug.log
• close out with recommendation to at least forward analyzer.log to a SIEM