From: Jason Ish Date: Thu, 29 Aug 2024 14:51:24 +0000 (-0600) Subject: tls-log: deprecate X-Git-Tag: suricata-8.0.0-beta1~938 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5853fb922defd12be4fa1763bc24265ae6fdcd38;p=thirdparty%2Fsuricata.git tls-log: deprecate tls-log is now deprecated and will be removed in Suricata 9.0. Display a deprecation notice on use, and add notes to the user guide. Ticket: #6542 --- diff --git a/doc/userguide/configuration/suricata-yaml.rst b/doc/userguide/configuration/suricata-yaml.rst index 75cf05a7af..f5f3101aae 100644 --- a/doc/userguide/configuration/suricata-yaml.rst +++ b/doc/userguide/configuration/suricata-yaml.rst @@ -403,6 +403,9 @@ The format is documented in :ref:`Eve JSON Format `. TLS parameters and certificates logging (tls.log) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.. attention:: tls-log is deprecated in Suricata 8.0 and will be + removed in Suricata 9.0. + The TLS handshake parameters can be logged in a line based log as well. By default, the logfile is `tls.log` in the suricata log directory. See :ref:`Custom TLS logging ` for details diff --git a/doc/userguide/output/custom-tls-logging.rst b/doc/userguide/output/custom-tls-logging.rst index 682d320451..29474886c0 100644 --- a/doc/userguide/output/custom-tls-logging.rst +++ b/doc/userguide/output/custom-tls-logging.rst @@ -3,6 +3,9 @@ Custom tls logging =================== +.. attention:: tls-log is deprecated in Suricata 8.0 and will be + removed in Suricata 9.0. + In your Suricata.yaml, find the tls-log section and edit as follows: :: diff --git a/doc/userguide/upgrade.rst b/doc/userguide/upgrade.rst index 591ca986ea..885b8d95db 100644 --- a/doc/userguide/upgrade.rst +++ b/doc/userguide/upgrade.rst 
@@ -79,6 +79,7 @@ Removals Deprecations ~~~~~~~~~~~~ - The ``http-log`` output is now deprecated and will be removed in Suricata 9.0. +- The ``tls-log`` output is now deprecated and will be removed in Suricata 9.0. Upgrading 6.0 to 7.0 -------------------- diff --git a/src/log-tlslog.c b/src/log-tlslog.c index 12e235c21a..3b4db18049 100644 --- a/src/log-tlslog.c +++ b/src/log-tlslog.c @@ -201,6 +201,8 @@ static void LogTlsLogExitPrintStats(ThreadVars *tv, void *data) * */ static OutputInitResult LogTlsLogInitCtx(ConfNode *conf) { + SCLogWarning("The tls-log output has been deprecated and will be removed in Suricata 9.0."); + OutputInitResult result = { NULL, false }; LogFileCtx* file_ctx = LogFileNewCtx(); diff --git a/suricata.yaml.in b/suricata.yaml.in index a8a63ec357..5a61c8050f 100644 --- a/suricata.yaml.in +++ b/suricata.yaml.in @@ -352,19 +352,6 @@ outputs: # state-update: false # log packets triggering a TCP state update # spurious-retransmission: false # log spurious retransmission packets - # a line based log of TLS handshake parameters (no alerts) - - tls-log: - enabled: no # Log TLS connections. - filename: tls.log # File to store TLS logs. - append: yes - #extended: yes # Log extended information like fingerprint - #custom: yes # enabled the custom logging format (defined by customformat) - #customformat: "%{%D-%H:%M:%S}t.%z %a:%p -> %A:%P %v %n %d %D" - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - # output TLS transaction where the session is resumed using a - # session id - #session-resumption: no - # output module to store certificates chain to disk - tls-store: enabled: no
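Review bot: The attention directive added under the "TLS parameters and certificates logging (tls.log)" heading in doc/userguide/configuration/suricata-yaml.rst announces the deprecation but names no replacement. The context line just above the heading already references the Eve JSON Format page, so the note could add one sentence that points readers to the EVE `tls` event type as the supported way to log TLS handshakes.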
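Review bot: In doc/userguide/output/custom-tls-logging.rst, the unchanged line right after the new directive still reads "In your Suricata.yaml, find the tls-log section and edit as follows", yet this same patch deletes that section from suricata.yaml.in. A fresh 8.0 configuration will have no such section to find. Consider rewording that sentence to say the section must be added by hand for as long as the output exists.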
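Review bot: The new bullet in the Deprecations list of doc/userguide/upgrade.rst copies the wording of the ``http-log`` entry but leaves out a user-visible change made by this patch: the ``tls-log`` block is removed from the default suricata.yaml.in. Operators who regenerate their configuration from the shipped template will lose the output without being told. Suggest adding a clause saying the section is no longer in the default configuration and must be added manually if it is still needed before 9.0.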
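Review bot: In src/log-tlslog.c, the SCLogWarning added at the top of LogTlsLogInitCtx tells the operator that tls-log is going away but not what to switch to. Since this line is what will show up in suricata.log and in monitoring, it would help to extend the message with the migration target (the EVE tls output), so the warning is actionable without a trip to the user guide. The commit message says the notice is displayed "on use", so please also confirm that LogTlsLogInitCtx is only reached when the output is enabled. The visible lines do not show the caller.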