From ce270a8f6aa0d9d60a514f3a1b5f05a48fbbdfcc Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Thu, 25 Jan 2018 13:54:58 +0100 Subject: [PATCH] Add info about pcap log compression to user guide --- doc/userguide/configuration/suricata-yaml.rst | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/doc/userguide/configuration/suricata-yaml.rst b/doc/userguide/configuration/suricata-yaml.rst index 91a8b0f136..caa9ec3df2 100644 --- a/doc/userguide/configuration/suricata-yaml.rst +++ b/doc/userguide/configuration/suricata-yaml.rst @@ -457,6 +457,14 @@ If you would like to use Suricata with Sguil, do not forget to enable Remember that in the 'normal' mode, the file will be saved in default-log-dir or in the absolute path (if set). +The pcap files can be compressed before being written to disk by setting +the compression option to lz4. This option is incompatible with sguil +mode. Note: On Windows, this option increases disk I/O instead of +reducing it. When using lz4 compression, you can enable checksums using +the lz4-checksum option, and you can set the compression level lz4-level +to a value between 0 and 16, where higher levels result in higher +compression. + By default all packets are logged except: - TCP streams beyond stream.reassembly.depth -- 2.47.2
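Review bot: The new paragraph in suricata-yaml.rst names the options compression, lz4-checksum and lz4-level only in running prose, so a reader cannot tell where they sit in the pcap-log section or what they default to. Consider marking the option names as literals and adding a short YAML snippet, and state the value that leaves compression off. The text says lz4 is "incompatible with sguil mode" but not what happens when both are set (startup error, or compression silently ignored), which an operator needs to know. The range "between 0 and 16" does not say what level 0 means. The Windows note says disk I/O increases without giving a reason or a recommendation; one more clause there would help the reader decide whether to enable it on that platform.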