[Zeek] Field renaming

David Decker x.faith at gmail.com
Wed Jun 12 12:44:54 PDT 2019


We had an older TA which had the id_resp; that's why I was wondering if it
changed, because all I see anymore is the id.resp

On Wed, Jun 12, 2019, 12:36 PM Richard Bejtlich <richard at corelight.com>
wrote:

> I don't think that's the case? I use json and have the dot notation too.
> At least, that's what I get with my Corelight, Security Onion, and RockNSM
> installations. I don't think they are changing anything?
>
> Sincerely,
>
> Richard
>
> On Wed, Jun 12, 2019 at 12:03 PM Vlad Grigorescu <vlad at es.net> wrote:
>
>> Are you using JSON logs? I think JSON logs use an underscore because the
>> dot notation conflicts with a JSON object.
>>
>> On Wed, Jun 12, 2019 at 1:05 PM Justin Azoff <justin at corelight.com>
>> wrote:
>>
>>> On Wed, Jun 12, 2019 at 2:30 AM David Decker <x.faith at gmail.com> wrote:
>>> >
>>> > Zeek
>>> >
>>> > Sorry, can't find this, but when did id_resp_h become id.resp_h?
>>> > And well for the rest (renamed _ to . )
>>> > Looked through changelog.
>>>
>>> It has always been id.resp_h, you must have had this in your
>>> configuration at one point:
>>>
>>>     redef Log::default_scope_sep = "_";
>>>
>>>
>>> --
>>> Justin
>>> _______________________________________________
>>> Zeek mailing list
>>> zeek at zeek.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>>>
>
>
>
> --
> Richard Bejtlich
> Principal Security Strategist, Corelight
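Added example (not part of the thread, and not Zeek project code): when a log pipeline receives JSON from sensors with and without the `redef Log::default_scope_sep = "_";` setting quoted above, field names can be normalized back to dot notation before detections run. The names SCOPED_FIELDS, rename_map, detect_scope_sep, normalize and responders are hypothetical, and the sample log lines are constructed.

```python
import json

# Assumption: only the conn_id members below are scoped fields in your logs;
# extend SCOPED_FIELDS for any other nested records your sensors write.
SCOPED_FIELDS = {"id": ("orig_h", "orig_p", "resp_h", "resp_p")}


def rename_map(sep):
    """Map names written with scope separator `sep` to the dotted form."""
    return {f"{rec}{sep}{member}": f"{rec}.{member}"
            for rec, members in SCOPED_FIELDS.items() for member in members}


def detect_scope_sep(entry, candidates=("_",)):
    """Return the separator an entry was written with, or None if unknown."""
    for sep in (".",) + tuple(candidates):
        if any(name in entry for name in rename_map(sep)):
            return sep
    return None


def normalize(entry):
    """Return a copy of `entry` with scoped field names in dot notation."""
    sep = detect_scope_sep(entry)
    if sep in (None, "."):
        return dict(entry)
    mapping = rename_map(sep)
    out = {}
    for name, value in entry.items():
        # Only exact known names are renamed, so orig_bytes, conn_state and
        # the underscore inside resp_h are left alone. A blanket
        # replace("_", ".") would produce id.resp.h instead.
        out[mapping.get(name, name)] = value
    return out


# Constructed sample lines: the first uses the default separator, the second
# comes from a sensor with Log::default_scope_sep set to "_".
SAMPLE = [
    '{"ts": 1560368694.0, "uid": "CExample1", "id.orig_h": "192.0.2.10", "id.resp_h": "198.51.100.5", "id.resp_p": 443, "conn_state": "SF"}',
    '{"ts": 1560368695.0, "uid": "CExample2", "id_orig_h": "192.0.2.11", "id_resp_h": "198.51.100.5", "id_resp_p": 443, "orig_bytes": 120}',
]


def responders(lines):
    """Collect id.resp_h from a mixed stream after normalization."""
    return [normalize(json.loads(line))["id.resp_h"] for line in lines]
```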

