[Bro] Format of log file

Robin Sommer robin at icir.org
Mon Jul 30 11:32:28 PDT 2007


On Mon, Jul 30, 2007 at 13:34 -0400, Jean-Philippe Luiggi wrote:

>   If you agree with the fact to use tagging as the rules of choice, we may 
>   make a jump on this and develop it for the other files?

I generally agree though there are two issues to consider:

- tagging is not equally well suited for all logs; something like
http.log is pretty free-form and harder to force into the
tagging-style.

- it breaks backwards-compatibility, which is a large thing because
people have scripts to parse the stuff already.

So my hunch is to stay with what we have for now (i.e., tagged for
notice/alarm, non-tagged for the rest). But I'm not claiming that
this is ideal ...

Robin

-- 
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org 
LBNL/ICSI    * Fax   +1 (510) 666-2956 *   www.icir.org


