[Bro] Feature Request: Append
philosnef at gmail.com
Wed Oct 5 06:00:24 PDT 2016
I agree that appending in json format mode would be nice. We are moving to
json format away from tsv to save on tsidx bucket size in Splunk. While I
don't think we would see a major need for this, it would save analysts from
having to scrounge through multiple log files for the same type if somehow
the logs rotated out early because of a Bro restart.
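The situation the post describes, rotated fragments of one JSON log type that an analyst has to stitch back together, is illustrated by the following example. It is added here and is not code from the post or from the Bro project; the log lines are constructed (field names follow Bro's conn.log schema, all values are made up), and one line is deliberately cut short to mimic a file that was closed mid-write when the process stopped.

```python
import json
from typing import Dict, Iterable, List, Tuple

# Constructed sample: two rotated fragments of the same log type (conn), in the
# one-record-per-line JSON layout. The second fragment exists only because a
# restart rotated the log early. The last line of the first fragment is a
# constructed truncated record, the kind of damage a mid-write stop leaves.
CONN_BEFORE_RESTART = """\
{"ts":1475668800.10,"uid":"CdefA1","id.orig_h":"10.0.0.5","id.orig_p":51234,"id.resp_h":"10.0.0.9","id.resp_p":443,"proto":"tcp"}
{"ts":1475668801.25,"uid":"CdefA2","id.orig_h":"10.0.0.6","id.orig_p":51235,"id.resp_h":"10.0.0.9","id.resp_p":80,"proto":"tcp"}
{"ts":1475668802.00,"uid":"CdefA3","id.orig_h":"10.0.0.8"
"""
CONN_AFTER_RESTART = """\
{"ts":1475668800.90,"uid":"CdefB1","id.orig_h":"10.0.0.7","id.orig_p":51236,"id.resp_h":"10.0.0.9","id.resp_p":53,"proto":"udp"}
{"ts":1475668803.00,"uid":"CdefB2","id.orig_h":"10.0.0.5","id.orig_p":51237,"id.resp_h":"10.0.0.9","id.resp_p":443,"proto":"tcp"}
"""


def parse_json_log(text: str) -> Tuple[List[Dict], int]:
    """Parse one JSON-lines log fragment.

    Returns (records, skipped). A line that is not valid JSON or lacks the
    'ts' field is counted as skipped rather than aborting the whole file,
    since a truncated trailing line is exactly what an early rotation leaves.
    """
    records: List[Dict] = []
    skipped = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if not isinstance(rec, dict) or "ts" not in rec:
            skipped += 1
            continue
        records.append(rec)
    return records, skipped


def merge_json_logs(fragments: Iterable[str]) -> Tuple[List[Dict], int]:
    """Merge several fragments of the same log type into one timeline.

    Records are de-duplicated by 'uid' (a fragment may be fed twice, e.g. if
    a rotated file and its compressed copy both get picked up) and ordered by
    'ts'. Ordering matters because conn records are emitted at connection
    end, so a record in the post-restart file can carry an earlier start time
    than records in the pre-restart file.
    """
    seen = set()
    merged: List[Dict] = []
    skipped_total = 0
    for text in fragments:
        records, skipped = parse_json_log(text)
        skipped_total += skipped
        for rec in records:
            key = rec.get("uid") or json.dumps(rec, sort_keys=True)
            if key in seen:
                continue
            seen.add(key)
            merged.append(rec)
    merged.sort(key=lambda r: float(r["ts"]))
    return merged, skipped_total


if __name__ == "__main__":
    merged, skipped = merge_json_logs([CONN_BEFORE_RESTART, CONN_AFTER_RESTART])
    for rec in merged:
        print(json.dumps(rec, sort_keys=True))  # one consolidated JSON-lines file
    print(f"# {len(merged)} records merged, {skipped} damaged line(s) skipped")
```

The merged output is a single JSON-lines stream, which is the shape a Splunk input expects; the skipped count is worth surfacing in any such tooling because a non-zero value is the first sign that a rotation happened during a restart and that the tail of one fragment was lost.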