[Bro] Feature Request: Append

erik clark philosnef at gmail.com
Wed Oct 5 06:00:24 PDT 2016


I agree that appending in JSON format mode would be nice. We are moving to
JSON format away from TSV to save on tsidx bucket size in Splunk. While I
don't think we would see a major need for this, it would save analysts from
having to scrounge through multiple log files for the same type if somehow
the logs rotated out early because of a Bro restart.