<div dir="ltr"><div>To better understand the existing behavior, here's the commit that introduced this (specifically with regard to conn_id): <a href="https://github.com/bro/bro/commit/38a1aa5a346d10de32f9b40e0869cdb48a98974b">https://github.com/bro/bro/commit/38a1aa5a346d10de32f9b40e0869cdb48a98974b</a></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><pre>The &log keyword now operates as discussed:
- When associated with individual record fields, it defines them
as being logged.
- When associated with a complete record type, it defines all fields
to be logged.
- When associated with a record extension, it defines all added
fields to be logged.
Note that for nested record types, the inner fields must likewise
be declared with &log. Consequently, conn_id is now declared with
&log in bro.init.</pre></div></blockquote><div>I think the discussion this is referring to is here: <a href="http://mailman.icsi.berkeley.edu/pipermail/bro-dev/2011-March/001107.html">http://mailman.icsi.berkeley.edu/pipermail/bro-dev/2011-March/001107.html</a></div><div><br></div><div class="gmail_quote"><div dir="ltr">On Sat, Nov 3, 2018 at 7:34 PM Vern Paxson <<a href="mailto:vern@corelight.com">vern@corelight.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> (2) This makes me wonder about adding an operator to *remove* an<br>
attribute if present. For example, you could imagine wanting<br>
to now do something like:<br>
<br>
type my_conn_info: record {<br>
id: conn_id -&log;<br>
...<br>
};<br>
<br>
as a way of specifying "if conn_id's have a &log attribute,<br>
I don't want to inherit it".<br></blockquote><div><br></div><div>I've found myself wishing to remove an attribute recently, so this train of thought is relevant. I had imagined something slightly different, which was to maintain &log as it currently exists, but to also be able to explicitly set it to T or F, e.g.:</div><div><br></div><div>> id: conn_id &log=F;</div><div><br></div><div>That would allow me to also be able to use redefs to configure whether or not I want to log something:<br></div><div><br></div><div>> const log_conn = T &redef;</div><div>> ...<br></div><div>> id: conn_id &log=log_conn;</div><div><br></div><div>I think that if we add something like this for &log, it might make sense to add it for other keywords too.<br></div><div><br></div><div> --Vlad<br></div><div><br></div><div><br></div></div></div>
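<div>The existing &log behavior that the quoted commit message describes, written out as an added Bro script example (not code from this thread or from the Bro distribution). The module, stream, type and field names are assumptions made for illustration, and the filter at the end uses the logging framework's existing exclude option rather than either syntax proposed above.</div>

```bro
# Added example; Demo, Endpoint, Counters, Info and all field names are assumptions.
module Demo;

export {
	redef enum Log::ID += { LOG };

	# Case 1: &log on individual fields. Only 'host' becomes a column.
	type Endpoint: record {
		host: addr &log;
		note: string &optional;
	};

	# Case 2: &log on the complete record type marks every field.
	type Counters: record {
		pkts: count;
		bytes: count;
	} &log;

	type Info: record {
		ts: time &log;
		# Nested records: the outer &log selects the field, and the
		# inner type's own &log marks decide which sub-fields are written.
		id: conn_id &log;    # id.orig_h, id.orig_p, id.resp_h, id.resp_p
		ep: Endpoint &log;   # ep.host only
		c: Counters &log;    # c.pkts, c.bytes
		scratch: string &optional;   # no &log: never written
	};
}

# Case 3: &log on a record extension marks all added fields.
redef record Info += {
	sensor: string &optional;
	tag: string &optional;
} &log;

event bro_init()
	{
	Log::create_stream(Demo::LOG, [$columns=Info, $path="demo"]);

	# Dropping an inherited column today is done per filter, without
	# touching the attribute on the nested type.
	Log::remove_default_filter(Demo::LOG);
	Log::add_filter(Demo::LOG, [$name="no-ports",
	                            $exclude=set("id.orig_p", "id.resp_p")]);
	}
```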