Bro eliminating banner in log files

Hi. Is there a way to eliminate the descriptive record banner that is the first line of the log file?

You can do this per-log or globally.

Globally:
  redef LogAscii::include_meta=F;

Depending on what this is for, it may be beneficial to just output your log as JSON:
  redef LogAscii::use_json=T;

If you want to do either of these settings only in a single log, you can do this…

event bro_init()
  {
  Log::remove_default_filter(HTTP::LOG);
  local filt = Log::Filter($name="default",
                           $writer=Log::WRITER_ASCII,
                           $config=table(["include_meta"] = "F"));
  Log::add_filter(HTTP::LOG, filt);
  }

You should be able to configure any of the other global ascii log settings the same as I did in that example.

  .Seth

Tangentially but related: I just had a look at the code for ascii.bro. It seems that I can't have both JSON and "normal" text, is that correct?
("But why would you want to?" Because I want to have my cake and eat it too 🙂)

Mike

Sure you can! That use_json name is available for use in the $config table that I used in my filter configuration. 🙂

  .Seth
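
Added example, not part of the original thread: one way to get both formats for a single stream is to leave the default filter in place and attach a second filter that sets use_json in its $config table. The filter name "http-json" and the path "http_json" are assumptions chosen for illustration.

```bro
event bro_init()
  {
  # The default filter is left untouched, so the tab-separated
  # http.log (with its header lines) is still written.

  # Second filter on the same stream: same ASCII writer, but with
  # use_json switched on for this filter only.
  # $name and $path are illustrative values, not from the thread.
  local json_filt = Log::Filter($name="http-json",
                                $path="http_json",
                                $writer=Log::WRITER_ASCII,
                                $config=table(["use_json"] = "T"));
  Log::add_filter(HTTP::LOG, json_filt);
  }
```

Each filter needs its own $path; otherwise both would write to the same file. The JSON copy can feed a log pipeline while the tab-separated copy stays available for command-line review.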

Thank you.

The global setting did not appear to work, but the individual LOG
filter line did.