The format is documented in :ref:`Eve JSON Format <eve-json-format>`.
-Log output for use with Barnyard (unified.log)
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-This log only supports IPv4. Its information will be stored in the
-default logging directory. This log is designed to be stored in a
-binary format on the hard disc, where it will be further processed by
-Barnyard. Barnyard can store the output in a database, so Suricata can
-work on other important tasks. Barnyard can add the files in the
-Mysql-database, send them to Sguil or several other output options.
-
-There is a size-limit to the log-file: If Suricata generates an alert,
-it stores this alert in a unified-file. Suricata keeps continuing
-doing that, until the file has reached its limit. Which in the default
-case is at 32 MB. At that point Suricata generates a new file and the
-process starts all over again. Barnyard keeps on processing these
-files. To prevent Suricata from filling up the hard disc, a size limit
-is enforced. When the limit is reached, the file will 'role-over',
-creating a new file. Barnyard removes old files. To every file,
-Suricata adds a time stamp, so it is easy to see which one came first
-and which one is the latter.
-
-::
+Alert output for use with Barnyard2 (unified2.alert)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- -Unified-log: #The log-name.
- enabled: no #This log is not enabled. Set 'yes' to enable.
- filename: unified.log #The name of the file in the default logging directory.
- limit: 32 #The file size limit in megabytes.
+This log format is a binary format compatible with the unified2 output
+of another popular IDS format and is designed for use with Barnyard2
+or other tools that consume the unified2 log format.
-This output option has been removed in Suricata 1.1rc1 (see ticket
-#353).
+By default a file with the given filename and a timestamp (unix epoch
+format) will be created until the file hits the configured size limit,
+then a new file, with a new timestamp will be created. It is the job
+of other tools, such as Barnyard2 to cleanup old unified2 files.
-Alert output for use with Barnyard (unified.alert)
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+If the `nostamp` option is set the log file will not have a timestamp
+appended. The file will be re-opened on SIGHUP like other log files
+allowing external log rotation tools to work as expected. However, if
+the limit is reach the file will be deleted and re-opened.
-This log only supports IPv4. Its information will be stored in the
-default logging directory. For further information read the above
-information about ( 2) unified.log)
+This output supports IPv6 and IPv4 events.
::
- -Unified-alert: #The log-name.
- enabled: no #This log is not enabled. Set 'yes' to enable.
- filename: unified.alert #The name of the file in the default logging directory.
- limit: 32 #The file size limit in megabytes.
-
-This output option has been removed in Suricata 1.1rc1 (see ticket #353).
-
-Alert output for use with Barnyard2 (unified2.alert)
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-This log also supports IPv6 in addition to IPv4. It's information will
-be stored in the default logging directory. For further information
-read the above information about 2. unified.log.
-
-::
+ - unified2-alert:
+ enabled: yes
- - unified2-alert: #The log-name.
- enabled: yes #This log is enabled. Set 'no' to disable.
- filename: unified2.alert #The name of the file in the default logging directory.
- limit: 32 #The file size limit in megabytes.
+ # The filename to log to in the default log directory. A
+ # timestamp in unix epoch time will be appended to the filename
+ # unless nostamp is set to yes.
+ filename: unified2.alert
+
+ # File size limit. Can be specified in kb, mb, gb. Just a number
+ # is parsed as bytes.
+ #limit: 32mb
+
+ # By default unified2 log files have the file creation time (in
+ # unix epoch format) appended to the filename. Set this to yes to
+ # disable this behaviour.
+ #nostamp: no
+
+ # Sensor ID field of unified2 alerts.
+ #sensor-id: 0
+
+ # Include payload of packets related to alerts. Defaults to true, set to
+ # false if payload is not required.
+ #payload: yes
+
+ # HTTP X-Forwarded-For support by adding the unified2 extra header or
+ # overwriting the source or destination IP address (depending on flow
+ # direction) with the one reported in the X-Forwarded-For HTTP header.
+ # This is helpful when reviewing alerts for traffic that is being reverse
+ # or forward proxied.
+ xff:
+ enabled: no
+ # Two operation modes are available, "extra-data" and "overwrite". Note
+ # that in the "overwrite" mode, if the reported IP address in the HTTP
+ # X-Forwarded-For header is of a different version of the packet
+ # received, it will fall-back to "extra-data" mode.
+ mode: extra-data
+ # Two proxy deployments are supported, "reverse" and "forward". In
+ # a "reverse" deployment the IP address used is the last one, in a
+ # "forward" deployment the first IP address is used.
+ deployment: reverse
+ # Header name where the actual IP address will be reported, if more
+ # than one IP address is present, the last IP address will be the
+ # one taken into consideration.
+ header: X-Forwarded-For
This alert output needs Barnyard2.
projects / thirdparty / suricata.git / commitdiff
