From: Max Fillinger Date: Thu, 25 Jan 2018 12:54:58 +0000 (+0100) Subject: Add info about pcap log compression to user guide X-Git-Tag: suricata-4.1.0-rc1~107 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ce270a8f6aa0d9d60a514f3a1b5f05a48fbbdfcc;p=thirdparty%2Fsuricata.git Add info about pcap log compression to user guide --- diff --git a/doc/userguide/configuration/suricata-yaml.rst b/doc/userguide/configuration/suricata-yaml.rst index 91a8b0f136..caa9ec3df2 100644 --- a/doc/userguide/configuration/suricata-yaml.rst +++ b/doc/userguide/configuration/suricata-yaml.rst @@ -457,6 +457,14 @@ If you would like to use Suricata with Sguil, do not forget to enable Remember that in the 'normal' mode, the file will be saved in default-log-dir or in the absolute path (if set). +The pcap files can be compressed before being written to disk by setting +the compression option to lz4. This option is incompatible with sguil +mode. Note: On Windows, this option increases disk I/O instead of +reducing it. When using lz4 compression, you can enable checksums using +the lz4-checksum option, and you can set the compression level lz4-level +to a value between 0 and 16, where higher levels result in higher +compression. + By default all packets are logged except: - TCP streams beyond stream.reassembly.depth
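Review bot: The new paragraph in doc/userguide/configuration/suricata-yaml.rst introduces `compression`, `lz4-checksum` and `lz4-level` only in running prose, without their default values, the values `lz4-checksum` accepts, or what level 0 means in the "between 0 and 16" range. A short option list or a sample configuration fragment with each key, its allowed values and its default would let a reader set these without reading the source. "This option is incompatible with sguil mode" should also say what happens when both are configured (startup error, or compression silently ignored), since an operator relying on compressed captures needs to know which one wins. The Windows sentence ("this option increases disk I/O instead of reducing it") gives no reason and is easy to miss inline; consider moving it into its own note block and adding one clause on the cause. Finally, it would help to say what `lz4-checksum` protects (detecting corruption of the compressed pcap on read), because that is the reason someone keeping captures as evidence would turn it on.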