<div dir="ltr">On Mon, Nov 5, 2018 at 4:40 PM Robin Sommer <<a href="mailto:robin@corelight.com">robin@corelight.com</a>> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
<br>
On Sat, Nov 03, 2018 at 21:58 +0000, Vlad Grigorescu wrote:<br>
<br>
> In my mind, if the keyword is applied to a record, I would expect any new<br>
> fields added to that record to also be logged.<br>
<br>
I believe the reason for not doing that is that then one couldn't add<br>
a field that's *not* being logged (because currently we don't have<br>
remove-an-attribute support).<br></blockquote><div><br></div><div>Yeah, I think the reasoning makes sense, and that seemed to be the consensus from the discussion on bro-dev in 2011. My point is simply that with the current behavior, it's not clear (or, AFAICT, documented) that adding &log to a record is just a shorthand for adding &log to each attribute, and that it really has no meaning for the record as a whole.</div><div><br></div><div> --Vlad<br></div><div></div><div><br></div><div> </div></div></div>