<div dir="ltr"><div class="gmail_quote"><div dir="ltr">On Sat, Nov 3, 2018 at 9:14 PM Vern Paxson <<a href="mailto:vern@corelight.com">vern@corelight.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Thanks for the pointers & thoughts! A quick question, more in a bit:<br>
<br>
> To better understand the existing behavior, here's the commit that<br>
> introduced this (specifically with regards to conn_id):<br>
> <a href="https://github.com/bro/bro/commit/38a1aa5a346d10de32f9b40e0869cdb48a98974b" rel="noreferrer" target="_blank">https://github.com/bro/bro/commit/38a1aa5a346d10de32f9b40e0869cdb48a98974b</a><br>
> ...<br>
> > Note that for nested record types, the inner fields must likewise<br>
> > be declared with &log. Consequently, conn_id is now declared with<br>
> > &log in bro.init.<br>
<br>
Does your understanding of this accord with the current behavior when<br>
running on testing/btest/scripts/base/frameworks/logging/attr.bro ?<br>
The test suite result has it not logging Log$id, even though it's of<br>
type conn_id, which has &log. (For my new version, it does log it.)<br></blockquote><div><br></div><div>Hmm. I had to think about this for a bit, and I think it does agree with the commit message. It's rather subtle, but because the message talks about how the fields "must likewise be declared with &log," I can see how the expectation would be that *both* the conn_id declaration in init-bare and the usage in your record need to have the &log keyword to be logged. However, before reading that commit message, that was not my expectation for how Bro would behave.</div><div><br></div><div>I've been playing around with this a bit more, and I think that what's described in the commit message is not the current behavior. Specifically, the following seem to behave the same:</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>type conn_id: record {<br> orig_h: addr;<br> orig_p: port;<br> resp_h: addr;<br> resp_p: port;<br>} &log;<br></div></blockquote><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>type conn_id: record {<br> orig_h: addr &log;<br> orig_p: port &log;<br> resp_h: addr &log;<br> resp_p: port &log;<br>}; <br></div></blockquote><div><br></div><div>This example demonstrates that all fields are still logged: <a href="http://try.bro.org/#/trybro/saved/275829">http://try.bro.org/#/trybro/saved/275829</a></div><div><br></div></div><div class="gmail_quote">In my mind, if the keyword is applied to a record, I would expect any new fields added to that record to also be logged. However, if I use conn_id as defined in init-bare (with &log applied to the record), and I redef conn_id as follows, it will not log the new field:<br><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>
redef record conn_id += {</div><div> nolog: bool &optional;</div><div>};<br></div></blockquote></div><div class="gmail_quote"><br></div><div class="gmail_quote">I believe that applying &log to a record is just shorthand for applying it individually to all fields on that record, whenever you define or redef that record.</div><div class="gmail_quote"><br></div><div class="gmail_quote">Simply put, I think the current behavior is not correct, and that we should take this opportunity to determine what the behavior *should* be.</div><div class="gmail_quote"><br></div><div class="gmail_quote"> --Vlad<br></div></div>
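<div>Added example, not part of the original message or of the Bro test suite: a single script that puts the cases discussed in this thread side by side, so the resulting log header can be checked against a given Bro build. The module, type and field names (LogAttr, Whole, PerField, Info) are hypothetical; only the nolog field and the &log placements mirror the thread.</div>

```bro
module LogAttr;

export {
	redef enum Log::ID += { LOG };

	# Case 1: &log applied to the record as a whole.
	type Whole: record {
		a: count;
		b: count;
	} &log;

	# Case 2: &log applied to each field individually.
	type PerField: record {
		a: count &log;
		b: count &log;
	};

	# The logged record. "unmarked" uses a &log record type, but the
	# usage itself carries no &log (the Log$id case in the quoted question).
	type Info: record {
		whole:     Whole &log;
		per_field: PerField &log;
		unmarked:  Whole;
	};
}

# Case 3: a field added after the record-level &log was declared.
redef record Whole += {
	nolog: bool &optional;
};

event bro_init()
	{
	Log::create_stream(LogAttr::LOG, [$columns=Info, $path="logattr"]);

	local w = Whole($a=1, $b=2, $nolog=T);
	Log::write(LogAttr::LOG, [$whole=w,
	                          $per_field=PerField($a=3, $b=4),
	                          $unmarked=w]);
	}

# After running, inspect the "#fields" line of logattr.log.
# What the thread reports, to be confirmed on your build:
#   - whole.a, whole.b, per_field.a and per_field.b are columns;
#   - whole.nolog is missing, although Whole is declared &log;
#   - no unmarked.* columns appear, since the usage lacks &log.
```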