On Wed, Jul 01, 2020 at 14:03 -0700, Jon Siwek wrote:
> What if an open() rarely or never happens again for a given log? Ah, right, forgot about that case. So yeah, agree, the shadow files are useful for this and to retain whatever information we need. > * Changed: running through a function of same-name, but it happened to > get changed between restart is probably still going to be closer to > what user expects than running it through the default post-processor > which is completely different ? I was thinking not the default post-processor, but whatever is configured for the log file we are just opening (if we did it at open() time). But yeah, won't work when the cleanup happens already before the new open. Robin -- Robin Sommer * Corelight, Inc. * ro...@corelight.com * www.corelight.com _______________________________________________ Zeek-Dev mailing list Zeek-Dev@zeek.org http://mailman.icsi.berkeley.edu/mailman/listinfo/zeek-dev
