On Sat, Nov 03, 2018 at 21:58 +0000, Vlad Grigorescu wrote:
> In my mind, if the keyword is applied to a record, I would expect any new
> fields added to that record to also be logged.
I believe the reason for not doing that is that then one couldn't add
a field that's *not* being logged (because currently we don't have
remove-an-attribute support).
I like the "&log=T|F" syntax to control this more directly, as long as
"&log" remains being equivalent to "&log=T".
Generally we need to be very careful changing if we want to change any
current semantics here, as it will impact custom log files that people
create in their own scripts.
Robin
--
Robin Sommer * Corelight, Inc. * ro...@corelight.com * www.corelight.com
_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
