git.ipfire.org Git - thirdparty/suricata.git/commitdiff
tls/conf: clarify usage of custom vs extended logs 11980/head
author Juliana Fajardini <jufajardini@gmail.com>
Wed, 16 Oct 2024 23:30:11 +0000 (16:30 -0700)
committer Victor Julien <victor@inliniac.net>
Thu, 17 Oct 2024 04:35:40 +0000 (06:35 +0200)
Since enabling custom logging will replace the extended logging, thus
possibly leading to certain fields disappearing from the logs, mention
this aspect.

Related to Bug #7333

doc/userguide/output/eve/eve-json-output.rst
suricata.yaml.in

index c9c1d63e021ebf4ba9d2f96457b55e53f8865f4b..7fc40783c2f2e4a27d8614c46270c156665d7e5d 100644 (file)
@@ -273,6 +273,7 @@ The default is to log certificate subject and issuer. If ``extended`` is
 enabled, then the log gets more verbose.
 
 By using ``custom`` it is possible to select which TLS fields to log.
+**Note that this will disable ``extended`` logging.**
 
 ARP
 ~~~
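Review bot: the added line in the eve-json-output.rst hunk nests an inline literal inside strong emphasis ("**Note that this will disable ``extended`` logging.**"), and reStructuredText does not support nested inline markup, so the double backticks will appear as literal characters in the rendered bold text. A ".. note::" directive containing the sentence, with ``extended`` as an ordinary inline literal, renders cleanly. Naming the option instead of "this" ("Enabling ``custom`` disables ``extended`` logging") would also match the wording used in suricata.yaml.in.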
index 5f9eaf68393ebffe4c64edbb9f2c1d14737db0e6..f191bf60b9da602e521f528563da8d674909f706 100644 (file)
@@ -272,6 +272,7 @@ outputs:
             # session id
             #session-resumption: no
             # custom controls which TLS fields that are included in eve-log
+            # WARNING: enabling custom disables extended logging.
             #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s, ja4, subjectaltname]
         - files:
             force-magic: no   # force logging magic on all logged files
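Review bot: the WARNING comment added above the commented-out "custom:" line says extended logging is disabled but leaves out the consequence the commit message gives, that certain fields can disappear from the logs. Suggest stating that in the comment, along the lines of "# WARNING: enabling custom disables extended logging; fields not listed in custom may no longer be logged", so a reader who uncomments the line knows to list every field they still need. The same sentence would be worth adding to the documentation note so both places say the same thing.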