[Bro-Dev] &log attribute

Seth Hall seth at icir.org
Mon Mar 28 13:42:20 PDT 2011


On Mar 28, 2011, at 1:21 PM, Adam J. Slagell wrote:

> 
> On Mar 28, 2011, at 11:45 AM, Vern Paxson wrote:
> 
>>> The reason is that if I pass a record in for logging, chances are that
>>> I want something logged. If there's no explicit &log attribute
>> 
>> What about explicitly associating an &log with the entire record, rather
>> than with each of its fields?  (I'm not quite picturing the usage you have
>> in mind here, so this may or may not be appropriate.)
> 
> That was my suggestion that Seth didn't like.


I can give a little detail about why I didn't like it. :P

type Info: record {
	ts: time &log;
	id: conn_id &log;
};

Given the above type, I wouldn't want someone giving &log to the entire record because if later, someone else comes along with a script that extends that record to include some extra fields like this...

redef record Info += {
	did_something: bool &default=F &log;
	ready_to_log: bool &default=F;
};

...the whole record would be logged and &ready_to_log might be a variable that they included for tracking if the whole record is prepared to be logged.  This is a technique I use in a few scripts to let users decide which point they'd like to log at based on costs/benefits on early or late logging.  The author of the extension script wouldn't want the $ready_to_log attribute logged since it's really just an internal tracking variable.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
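
The deferred-logging pattern described in the message above, as an added example that is not part of the original post or of any Bro script. It assumes the current Zeek names for the logging framework (`zeek_init`, `Log::create_stream`, `Log::write`); the `Demo` module, the `log_early` option and `log_if_ready` are hypothetical.

```zeek
module Demo;

export {
	redef enum Log::ID += { LOG };

	type Info: record {
		ts: time    &log;
		id: conn_id &log;
	};

	# Hypothetical knob: T logs at establishment, F waits for teardown.
	const log_early = F &redef;
}

# Would normally live in a separate extension script.
redef record Demo::Info += {
	did_something: bool &default=F &log;  # becomes a log column
	ready_to_log:  bool &default=F;       # internal state: no &log, never written
};

redef record connection += {
	demo: Demo::Info &optional;
};

# Write the record only once the tracking field says it is complete.
function log_if_ready(c: connection)
	{
	if ( c?$demo && c$demo$ready_to_log )
		{
		Log::write(Demo::LOG, c$demo);
		delete c$demo;  # prevents a second write at teardown
		}
	}

event zeek_init()
	{
	Log::create_stream(Demo::LOG, [$columns=Info, $path="demo"]);
	}

event connection_established(c: connection)
	{
	c$demo = [$ts=network_time(), $id=c$id, $ready_to_log=log_early];
	log_if_ready(c);
	}

event connection_state_remove(c: connection)
	{
	if ( ! c?$demo )
		return;
	c$demo$did_something = T;  # stand-in for real analysis results
	c$demo$ready_to_log = T;
	log_if_ready(c);
	}
```

With per-field `&log`, the resulting log has the columns `ts`, `id.*` and `did_something`; `ready_to_log` stays out of the output even though it travels in the same record.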



