[Zeek] Field renaming

Richard Bejtlich richard at corelight.com
Wed Jun 12 12:27:26 PDT 2019


I don't think that's the case? I use JSON and have the dot notation too. At
least, that's what I get with my Corelight, Security Onion, and RockNSM
installations. I don't think they are changing anything?

Sincerely,

Richard

On Wed, Jun 12, 2019 at 12:03 PM Vlad Grigorescu <vlad at es.net> wrote:

> Are you using JSON logs? I think JSON logs use an underscore because the
> dot notation conflicts with a JSON object.
>
> On Wed, Jun 12, 2019 at 1:05 PM Justin Azoff <justin at corelight.com> wrote:
>
>> On Wed, Jun 12, 2019 at 2:30 AM David Decker <x.faith at gmail.com> wrote:
>> >
>> > Zeek
>> >
>> > Sorry, can't find this, but when did id_resp_h become id.resp_h?
>> > And well for the rest (renamed _ to . )
>> > Looked through changelog.
>>
>> It has always been id.resp_h, you must have had this in your
>> configuration at one point:
>>
>>     redef Log::default_scope_sep = "_";
>>
>>
>> --
>> Justin
>> _______________________________________________
>> Zeek mailing list
>> zeek at zeek.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>>



-- 
Richard Bejtlich
Principal Security Strategist, Corelight
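
For pipelines that ingest Zeek JSON logs from sensors with different `Log::default_scope_sep` settings, the following added example (not code from this thread or from the Zeek project) detects which separator a record uses and renames the `id_*` connection fields to the dotted form. The sample log lines are constructed, and the function names are assumptions of this example.

```python
import json

# Leaf fields of Zeek's conn_id record, logged under the name "id".
CONN_ID_LEAVES = ("orig_h", "orig_p", "resp_h", "resp_p")

# Constructed sample conn.log entries (not from the thread): one as written
# with the default separator, one as written with default_scope_sep = "_".
DOT_LINE = ('{"uid":"CExample1","id.orig_h":"192.0.2.10","id.orig_p":49152,'
            '"id.resp_h":"198.51.100.5","id.resp_p":443,'
            '"conn_state":"SF","orig_bytes":517}')
UNDERSCORE_LINE = DOT_LINE.replace("id.", "id_")


def detect_scope_sep(rec):
    """Return the separator used for the id record in this entry, or None."""
    for sep in (".", "_"):
        if all(f"id{sep}{leaf}" in rec for leaf in CONN_ID_LEAVES):
            return sep
    return None


def normalize(rec):
    """Return a copy of rec with id_<leaf> keys renamed to id.<leaf>.

    Only the known conn_id leaves are rewritten, so fields whose own names
    contain underscores (conn_state, orig_bytes, ...) are left untouched.
    """
    renames = {f"id_{leaf}": f"id.{leaf}" for leaf in CONN_ID_LEAVES}
    out = {}
    for key, value in rec.items():
        new_key = renames.get(key, key)
        if new_key in out:
            # Both spellings in one record means mixed or merged sources.
            raise ValueError(f"both spellings of {new_key} present")
        out[new_key] = value
    return out


if __name__ == "__main__":
    for line in (DOT_LINE, UNDERSCORE_LINE):
        rec = json.loads(line)
        print(repr(detect_scope_sep(rec)), normalize(rec)["id.resp_h"])
```

A blanket replacement of `_` with `.` would also rewrite names such as `conn_state`, which is why the rename is limited to the known `id` leaves.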