[Bro] host field

Seth Hall seth at icir.org
Tue Oct 4 19:46:18 PDT 2016


> On Oct 4, 2016, at 12:32 PM, Michael Shirk <shirkdog.bsd at gmail.com> wrote:
> 
> Seth, in 2.5 is this the way to make elastic happy, so you can rename 'id.orig_h' natively to whatever you want in Bro (minus the dots)?

The way to make Elasticsearch happy is probably this...
	redef Log::default_scope_sep = "_";

It changes all of the periods in field names to anything you want (underscore in this case).

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
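
Added example, not part of the original message or of Bro itself: JSON logs written before the redef above still carry dotted names such as `id.orig_h`. This sketch applies the same separator to the field names only (values such as IP addresses keep their dots) and rejects records where two names would collide. The sample lines, the `uid` values and the function names `rename_fields` and `convert_lines` are constructed for illustration.

```python
import json

SCOPE_SEP = "_"  # same separator as the redef in the message above

# Constructed sample: conn.log-style JSON lines written with the default "." separator.
SAMPLE = [
    '{"ts":1475635578.1,"uid":"CExample1","id.orig_h":"192.168.1.10",'
    '"id.orig_p":49152,"id.resp_h":"10.0.0.5","id.resp_p":443}',
    # Collision: both names become "id_orig_h" after renaming.
    '{"ts":1475635579.2,"uid":"CExample2","id.orig_h":"192.168.1.11","id_orig_h":"dup"}',
    # Truncated line, as left behind by an interrupted write.
    '{"ts":1475635580.3,"uid":"CExample3"',
]

def rename_fields(record, sep=SCOPE_SEP):
    """Return a copy of one flat log record with '.' in field names replaced by sep."""
    out = {}
    for name, value in record.items():
        new_name = name.replace(".", sep)
        if new_name in out:
            # Silently overwriting would lose data, so refuse the record instead.
            raise ValueError("field %r collides after renaming to %r" % (name, new_name))
        out[new_name] = value  # values are copied untouched
    return out

def convert_lines(lines, sep=SCOPE_SEP):
    """Convert JSON lines; return (converted records, [(line number, reason), ...])."""
    converted, rejected = [], []
    for lineno, line in enumerate(lines, 1):
        try:
            record = json.loads(line)
            if not isinstance(record, dict):
                raise ValueError("not a JSON object")
            converted.append(rename_fields(record, sep))
        except ValueError as err:  # json.JSONDecodeError is a ValueError subclass
            rejected.append((lineno, str(err)))
    return converted, rejected

if __name__ == "__main__":
    ok, bad = convert_lines(SAMPLE)
    for rec in ok:
        print(json.dumps(rec))
    for lineno, reason in bad:
        print("line %d rejected: %s" % (lineno, reason))
```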