diff --git a/doc/userguide/Makefile.am b/doc/userguide/Makefile.am index 724ec78acc..159e6d4545 100644 --- a/doc/userguide/Makefile.am +++ b/doc/userguide/Makefile.am @@ -8,6 +8,7 @@ EXTRA_DIST = \ configuration \ file-extraction \ index.rst \ + upgrade \ upgrade.rst \ initscripts.rst \ install.rst \ diff --git a/doc/userguide/output/eve/index.rst b/doc/userguide/output/eve/index.rst index bb56991c2a..1d593bbed4 100644 --- a/doc/userguide/output/eve/index.rst +++ b/doc/userguide/output/eve/index.rst @@ -1,5 +1,7 @@ +.. _eve: + EVE -====== +=== .. toctree:: diff --git a/doc/userguide/upgrade.rst b/doc/userguide/upgrade.rst index e9b274bad8..e4eedb051d 100644 --- a/doc/userguide/upgrade.rst +++ b/doc/userguide/upgrade.rst @@ -52,6 +52,7 @@ Removals - Individual Eve (JSON) loggers have been removed. For example, ``stats-json``, ``dns-json``, etc. Use multiple Eve logger instances if this behavior is still required. See :ref:`multiple-eve-instances`. +- Unified2 has been removed. See :ref:`unified2-removed`. Upgrading 4.1 to 5.0 -------------------- diff --git a/doc/userguide/upgrade/unified2.rst b/doc/userguide/upgrade/unified2.rst new file mode 100644 index 0000000000..351aca5d8b --- /dev/null +++ b/doc/userguide/upgrade/unified2.rst 
@@ -0,0 +1,41 @@ +:orphan: Document not referenced in a toctree, so add this. + +.. _unified2-removed: + +Unified2 Output Removed +----------------------- + +As of Suricata 6.0 the Unified2 output has been removed. The legacy +Unified2 format lacks the flexibility found in the Eve format, and is +considerably more difficult to integrate with other tools. The +current recommended output is :ref:`eve`. + +Packet (Payload) Logging +------------------------ + +By default, Eve does not log the packet or payload like Unified2 +does. This can be done with Eve by enabling the payload in Eve alert +logs. This will log the payload in base64 format to be compatible with +the JSON format of Eve logs. + +It is important to note that while Eve does have an option to log the +packet, it is the payload option that provides the equivalent data to +that of the Unified2 output. + +Migration Tools +--------------- + +Meer +~~~~ + +Meer is an Eve log processing tool that can process Eve logs and +insert them into a database that is compatible with Barnyard2. This +could could be used as a Barnyard2 replacement if your use of Unified2 +was to have Suricata events added this style of database for use with +tools such as Snorby and BASE. + +More information on Meer can be found at its GitHub project page: +`https://github.com/beave/meer `_. + +.. note:: Please note that Meer is not supported or maintained by the + OISF or the Suricata development team.
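Review bot: The bullet added in the upgrade.rst hunk does not say which release removed Unified2, while the next heading in the shown context is "Upgrading 4.1 to 5.0" and the new unified2.rst page says "As of Suricata 6.0"; confirm the Removals list this line lands in is the 5.0 to 6.0 upgrade section, and consider making the bullet self-describing, e.g. "Unified2 output has been removed in 6.0. See :ref:`unified2-removed`.", so the version is clear to a reader skimming the list.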
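Review bot: The Meer paragraph in the new unified2.rst has two wording defects, "could could be used" doubles the verb and "added this style of database" is missing "to" ("added to this style of database"). In the same file, the link markup as shown, `` `https://github.com/beave/meer `_ ``, carries a space before the closing backtick and no explicit `<target>`, so check that it renders as a hyperlink rather than as literal text, and the explanatory sentence after `:orphan:` sits in the field body; an RST comment (`.. ` line) above the field keeps the metadata field clean. The "Packet (Payload) Logging" section tells the reader to enable "the payload in Eve alert logs" without naming the option, so a pointer to the Eve alert output configuration (the `payload` setting of the `alert` output type, and the separate `packet` setting the text contrasts it with) would make the migration actionable; it is also worth stating there that base64 payload logging writes packet content into the log stream, which affects log volume and the handling requirements for those files. Finally, "Please note" inside a `.. note::` directive is redundant and can be dropped.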