[Bro-Dev] attributes & named types

Robin Sommer robin at corelight.com
Mon Nov 5 08:40:14 PST 2018



On Sat, Nov 03, 2018 at 21:58 +0000, Vlad Grigorescu wrote:

> In my mind, if the keyword is applied to a record, I would expect any new
> fields added to that record to also be logged.

I believe the reason for not doing that is that then one couldn't add
a field that's *not* being logged (because currently we don't have
remove-an-attribute support).

I like the "&log=T|F" syntax to control this more directly, as long as
"&log" remains equivalent to "&log=T".

Generally we need to be very careful if we want to change any
current semantics here, as it will impact custom log files that people
create in their own scripts.

Robin

-- 
Robin Sommer * Corelight, Inc. * robin at corelight.com * www.corelight.com

