From: Jason Ish
Date: Tue, 17 Jan 2017 06:33:17 +0000 (-0600)
Subject: doc: update unified2 section
X-Git-Tag: suricata-4.0.0-beta1~294
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=89ba5816dc303d54741bdfd0a3896c7c1ce50d91;p=thirdparty%2Fsuricata.git

doc: update unified2 section

Remove documentation on older unified formats that have been removed.
---
diff --git a/doc/userguide/configuration/suricata-yaml.rst b/doc/userguide/configuration/suricata-yaml.rst
index 8feee0f538..363114ef2e 100644
--- a/doc/userguide/configuration/suricata-yaml.rst
+++ b/doc/userguide/configuration/suricata-yaml.rst
@@ -359,66 +359,71 @@ For more advanced configuration options, see :ref:`Eve JSON Output `. -Log output for use with Barnyard (unified.log) -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -This log only supports IPv4. Its information will be stored in the -default logging directory. This log is designed to be stored in a -binary format on the hard disc, where it will be further processed by -Barnyard. Barnyard can store the output in a database, so Suricata can -work on other important tasks. Barnyard can add the files in the -Mysql-database, send them to Sguil or several other output options. - -There is a size-limit to the log-file: If Suricata generates an alert, -it stores this alert in a unified-file. Suricata keeps continuing -doing that, until the file has reached its limit. Which in the default -case is at 32 MB. At that point Suricata generates a new file and the -process starts all over again. Barnyard keeps on processing these -files. To prevent Suricata from filling up the hard disc, a size limit -is enforced. When the limit is reached, the file will 'role-over', -creating a new file. Barnyard removes old files. To every file, -Suricata adds a time stamp, so it is easy to see which one came first -and which one is the latter. - -:: +Alert output for use with Barnyard2 (unified2.alert) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Unified-log: #The log-name. - enabled: no #This log is not enabled. Set 'yes' to enable. - filename: unified.log #The name of the file in the default logging directory. - limit: 32 #The file size limit in megabytes. +This log format is a binary format compatible with the unified2 output +of another popular IDS format and is designed for use with Barnyard2 +or other tools that consume the unified2 log format. -This output option has been removed in Suricata 1.1rc1 (see ticket -#353). 
+By default a file with the given filename and a timestamp (unix epoch +format) will be created until the file hits the configured size limit, +then a new file, with a new timestamp will be created. It is the job +of other tools, such as Barnyard2 to cleanup old unified2 files. -Alert output for use with Barnyard (unified.alert) -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +If the `nostamp` option is set the log file will not have a timestamp +appended. The file will be re-opened on SIGHUP like other log files +allowing external log rotation tools to work as expected. However, if +the limit is reach the file will be deleted and re-opened. -This log only supports IPv4. Its information will be stored in the -default logging directory. For further information read the above -information about ( 2) unified.log) +This output supports IPv6 and IPv4 events. :: - -Unified-alert: #The log-name. - enabled: no #This log is not enabled. Set 'yes' to enable. - filename: unified.alert #The name of the file in the default logging directory. - limit: 32 #The file size limit in megabytes. - -This output option has been removed in Suricata 1.1rc1 (see ticket #353). - -Alert output for use with Barnyard2 (unified2.alert) -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -This log also supports IPv6 in addition to IPv4. It's information will -be stored in the default logging directory. For further information -read the above information about 2. unified.log. - -:: + - unified2-alert: + enabled: yes - - unified2-alert: #The log-name. - enabled: yes #This log is enabled. Set 'no' to disable. - filename: unified2.alert #The name of the file in the default logging directory. - limit: 32 #The file size limit in megabytes. + # The filename to log to in the default log directory. A + # timestamp in unix epoch time will be appended to the filename + # unless nostamp is set to yes. + filename: unified2.alert + + # File size limit. Can be specified in kb, mb, gb. 
Just a number + # is parsed as bytes. + #limit: 32mb + + # By default unified2 log files have the file creation time (in + # unix epoch format) appended to the filename. Set this to yes to + # disable this behaviour. + #nostamp: no + + # Sensor ID field of unified2 alerts. + #sensor-id: 0 + + # Include payload of packets related to alerts. Defaults to true, set to + # false if payload is not required. + #payload: yes + + # HTTP X-Forwarded-For support by adding the unified2 extra header or + # overwriting the source or destination IP address (depending on flow + # direction) with the one reported in the X-Forwarded-For HTTP header. + # This is helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: no + # Two operation modes are available, "extra-data" and "overwrite". Note + # that in the "overwrite" mode, if the reported IP address in the HTTP + # X-Forwarded-For header is of a different version of the packet + # received, it will fall-back to "extra-data" mode. + mode: extra-data + # Two proxy deployments are supported, "reverse" and "forward". In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. + deployment: reverse + # Header name where the actual IP address will be reported, if more + # than one IP address is present, the last IP address will be the + # one taken into consideration. + header: X-Forwarded-For This alert output needs Barnyard2.
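Review bot: the new `nostamp` paragraph has a typo, "if the limit is reach" should read "if the limit is reached", and that sentence deserves one more clause, because deleting and re-opening the file at the limit discards any alerts in it that Barnyard2 or the external rotation tool has not yet consumed; suggest "However, if the limit is reached the file will be deleted and re-opened, and any events not yet consumed are lost, so choose the limit with the rotation interval in mind." Two smaller points in the same region: "to cleanup old unified2 files" should be "to clean up", and the prose refers to "the configured size limit" while the only value shown is the commented-out `#limit: 32mb`; the removed text stated 32 MB as the default, so the new text should say what applies when `limit` is left unset.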