[Bro] Underscores in field names

Oliver Keyes ironholds at gmail.com
Tue Dec 29 06:21:51 PST 2015


From the guide to the various log files
(https://www.bro.org/sphinx/script-reference/log-files.html) and some
example files I've accumulated, it looks like nested fields are
represented in "flat" log files with period delimiters. So the orig_h
field within the id field becomes id.orig_h. Is this correct?

At the same time I'm seeing files with underscores instead of periods.
From what I can see on this mailing list and elsewhere, this is a
logging setting - people can switch out periods for underscores to
cover the situation where the software they read the logs /into/ does
not like periods.

My question: can I expect this to be consistent? In other words, for
files to either use periods or underscores, but not both at once?
