doc: add pcap file logging variable details

author jason taylor <jtfas90@gmail.com>

Wed, 31 Jan 2024 14:51:58 +0000 (14:51 +0000)

committer Victor Julien <victor@inliniac.net>

Wed, 14 Feb 2024 06:04:21 +0000 (07:04 +0100)
author jason taylor <jtfas90@gmail.com>
Wed, 31 Jan 2024 14:51:58 +0000 (14:51 +0000)
committer Victor Julien <victor@inliniac.net>
Wed, 14 Feb 2024 06:04:21 +0000 (07:04 +0100)
diff --git a/doc/userguide/configuration/suricata-yaml.rst b/doc/userguide/configuration/suricata-yaml.rst

index c04573778b03d1e1252def25fa4a1dc82082ea55..920be735302df282fff650828b2e95a4b80a029e 100644 (file)
--- a/doc/userguide/configuration/suricata-yaml.rst
+++ b/doc/userguide/configuration/suricata-yaml.rst
@@ -505,6 +505,27 @@ the alert.
        mode: normal # "normal" or multi
        conditional: alerts
  
+In ``normal`` mode a pcap file "filename" is created in the default-log-dir or as
+specified by "dir". ``normal`` mode is generally not as performant as ``multi``
+mode.
+
+In multi mode, multiple pcap files are created (per thread) which performs
+better than ``normal`` mode.
+
+In multi mode the filename takes a few special variables:
+  - %n representing the thread number
+  - %i representing the thread id
+  - %t representing the timestamp (secs or secs.usecs based on 'ts-format')
+  
+  Example: filename: pcap.%n.%t
+
+.. note:: It is possible to use directories but the directories are not
+  created by Suricata. For example ``filename: pcaps/%n/log.%s`` will log into
+  the pre-existing ``pcaps`` directory and per thread sub directories.
+  
+.. note:: that the limit and max-files settings are enforced per thread. So the
+  size limit using 8 threads with 1000mb files and 2000 files is about 16TiB.
+
  Verbose Alerts Log (alert-debug.log)
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
author	jason taylor <jtfas90@gmail.com>
	Wed, 31 Jan 2024 14:51:58 +0000 (14:51 +0000)
committer	Victor Julien <victor@inliniac.net>
	Wed, 14 Feb 2024 06:04:21 +0000 (07:04 +0100)