On Mon, Nov 5, 2018 at 4:40 PM Robin Sommer <ro...@corelight.com> wrote:
> > > On Sat, Nov 03, 2018 at 21:58 +0000, Vlad Grigorescu wrote: > > > In my mind, if the keyword is applied to a record, I would expect any new > > fields added to that record to also be logged. > > I believe the reason for not doing that is that then one couldn't add > a field that's *not* being logged (because currently we don't have > remove-an-attribute support). > Yeah, I think the reasoning makes sense, and that seemed to be the consensus from the discussion on bro-dev in 2011. My point is simply that with the current behavior, it's not clear (or, AFAICT, documented) that adding &log to a record is just a shorthand for adding &log to each attribute, and that it really has no meaning for the record as a whole. --Vlad
_______________________________________________ bro-dev mailing list bro-dev@bro.org http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
