From my understanding, it seems that Logs files can
only be created whenever connection_state_remove event handler is called.
Specifically for the conn.log, that is the event handler in which the log file entries are
written with Log::write(). You can look at where that's done in
For other logs, Log::write() may get called from other event handlers depending on what
the log file is supposed to convey. E.g. in base/protocols/http/main.bro, you'll see
that Log::write() can get called as soon as an HTTP response body is seen, it doesn't
wait for the connection_state_remove event, but it does use it as a fallback for writing
out incomplete request/response pairs.
I can only customize what to update here. If I
don't update it, log files are still created with default values. Is there any way
that I can control when to put values in memory into the log files?
In the case you are extending an existing logging stream, you can update your new logging
state (record fields marked with &log) in any event handler that you expect to occur
before the handlers that do Log::write().
In the case you are designing your own custom logging stream, you get full control over
which event handlers you want to update your logging state and which ones you want to
write to your log stream. For an example see: