tls-log: deprecate

tls-log is now deprecated and will be removed in Suricata 9.0. Display a deprecation notice on use, and add notes to the user guide. Ticket: #6542
1 year ago · 5853fb922d
parent ab26323a96
commit 5853fb922d
5 changed files with 9 additions and 13 deletions
--- a/doc/userguide/configuration/suricata-yaml.rst
+++ b/doc/userguide/configuration/suricata-yaml.rst
@ -403,6 +403,9 @@ The format is documented in :ref:`Eve JSON Format <eve-json-format>`.
 TLS parameters and certificates logging (tls.log)
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+.. attention:: tls-log is deprecated in Suricata 8.0 and will be
+               removed in Suricata 9.0.
+
 The TLS handshake parameters can be logged in a line based log as well.
 By default, the logfile is `tls.log` in the suricata log directory.
 See :ref:`Custom TLS logging <output-custom-tls-logging>` for details
--- a/doc/userguide/output/custom-tls-logging.rst
+++ b/doc/userguide/output/custom-tls-logging.rst
@ -3,6 +3,9 @@
 Custom tls logging
 ===================

+.. attention:: tls-log is deprecated in Suricata 8.0 and will be
+               removed in Suricata 9.0.
+
 In your Suricata.yaml, find the tls-log section and edit as follows:

 ::
--- a/doc/userguide/upgrade.rst
+++ b/doc/userguide/upgrade.rst
@ -79,6 +79,7 @@ Removals
 Deprecations
 ~~~~~~~~~~~~
 - The ``http-log`` output is now deprecated and will be removed in Suricata 9.0.
+- The ``tls-log`` output is now deprecated and will be removed in Suricata 9.0.

 Upgrading 6.0 to 7.0
 --------------------
--- a/src/log-tlslog.c
+++ b/src/log-tlslog.c
@ -201,6 +201,8 @@ static void LogTlsLogExitPrintStats(ThreadVars *tv, void *data)
 * */
 static OutputInitResult LogTlsLogInitCtx(ConfNode *conf)
 {
+    SCLogWarning("The tls-log output has been deprecated and will be removed in Suricata 9.0.");
+
    OutputInitResult result = { NULL, false };
    LogFileCtx* file_ctx = LogFileNewCtx();

--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@ -352,19 +352,6 @@ outputs:
        #   state-update: false             # log packets triggering a TCP state update
        #   spurious-retransmission: false  # log spurious retransmission packets

-  # a line based log of TLS handshake parameters (no alerts)
-  - tls-log:
-      enabled: no  # Log TLS connections.
-      filename: tls.log # File to store TLS logs.
-      append: yes
-      #extended: yes     # Log extended information like fingerprint
-      #custom: yes       # enabled the custom logging format (defined by customformat)
-      #customformat: "%{%D-%H:%M:%S}t.%z %a:%p -> %A:%P %v %n %d %D"
-      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
-      # output TLS transaction where the session is resumed using a
-      # session id
-      #session-resumption: no
-
  # output module to store certificates chain to disk
  - tls-store:
      enabled: no