<div dir="ltr">I don't think that's the case? I use json and have the dot notation too. At least, that's what I get with my Corelight, Security Onion, and RockNSM installations. I don't think they are changing anything?<div><br></div><div>Sincerely,<br><div><br></div><div>Richard</div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Jun 12, 2019 at 12:03 PM Vlad Grigorescu <<a href="mailto:vlad@es.net">vlad@es.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr">Are you using JSON logs? I think JSON logs use an underscore because the dot notation conflicts with a JSON object.<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Jun 12, 2019 at 1:05 PM Justin Azoff <<a href="mailto:justin@corelight.com" target="_blank">justin@corelight.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Wed, Jun 12, 2019 at 2:30 AM David Decker <<a href="mailto:x.faith@gmail.com" target="_blank">x.faith@gmail.com</a>> wrote:<br>
><br>
> Zeek<br>
><br>
> Sorry cant find this, but when did id_resp_h become id.resp_h?<br>
> And well for the rest (renamed _ to . )<br>
> Looked through changelog.<br>
<br>
It has always been id.resp_h, you must have had this in your<br>
configuration at one point:<br>
<br>
redef Log::default_scope_sep = "_";<br>
<br>
<br>
-- <br>
Justin<br>
_______________________________________________<br>
Zeek mailing list<br>
<a href="mailto:zeek@zeek.org" target="_blank">zeek@zeek.org</a><br>
<a href="http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek" rel="noreferrer" target="_blank">http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek</a><br>
</blockquote></div></div>
_______________________________________________<br>
Zeek mailing list<br>
<a href="mailto:zeek@zeek.org" target="_blank">zeek@zeek.org</a><br>
<a href="http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek" rel="noreferrer" target="_blank">http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek</a></blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr">Richard Bejtlich<div>Principal Security Strategist, Corelight</div></div></div>