doc: update unified2 section

Remove documentation on older unified formats that have
been removed.
pull/2572/head
Jason Ish 9 years ago committed by Victor Julien
parent 82f6103149
commit 89ba5816dc

@ -359,66 +359,71 @@ For more advanced configuration options, see :ref:`Eve JSON Output <eve-json-out
The format is documented in :ref:`Eve JSON Format <eve-json-format>`.
Log output for use with Barnyard (unified.log)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This log only supports IPv4. Its information will be stored in the
default logging directory. This log is designed to be stored in a
binary format on the hard disc, where it will be further processed by
Barnyard. Barnyard can store the output in a database, so Suricata can
work on other important tasks. Barnyard can add the files in the
Mysql-database, send them to Sguil or several other output options.
There is a size-limit to the log-file: If Suricata generates an alert,
it stores this alert in a unified-file. Suricata keeps continuing
doing that, until the file has reached its limit. Which in the default
case is at 32 MB. At that point Suricata generates a new file and the
process starts all over again. Barnyard keeps on processing these
files. To prevent Suricata from filling up the hard disc, a size limit
is enforced. When the limit is reached, the file will 'role-over',
creating a new file. Barnyard removes old files. To every file,
Suricata adds a time stamp, so it is easy to see which one came first
and which one is the latter.
::
Alert output for use with Barnyard2 (unified2.alert)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-Unified-log: #The log-name.
enabled: no #This log is not enabled. Set 'yes' to enable.
filename: unified.log #The name of the file in the default logging directory.
limit: 32 #The file size limit in megabytes.
This log format is a binary format compatible with the unified2 output
of another popular IDS format and is designed for use with Barnyard2
or other tools that consume the unified2 log format.
This output option has been removed in Suricata 1.1rc1 (see ticket
#353).
By default a file with the given filename and a timestamp (unix epoch
format) will be created until the file hits the configured size limit,
then a new file, with a new timestamp will be created. It is the job
of other tools, such as Barnyard2 to cleanup old unified2 files.
Alert output for use with Barnyard (unified.alert)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If the `nostamp` option is set the log file will not have a timestamp
appended. The file will be re-opened on SIGHUP like other log files
allowing external log rotation tools to work as expected. However, if
the limit is reach the file will be deleted and re-opened.
This log only supports IPv4. Its information will be stored in the
default logging directory. For further information read the above
information about ( 2) unified.log)
This output supports IPv6 and IPv4 events.
::
-Unified-alert: #The log-name.
enabled: no #This log is not enabled. Set 'yes' to enable.
filename: unified.alert #The name of the file in the default logging directory.
limit: 32 #The file size limit in megabytes.
This output option has been removed in Suricata 1.1rc1 (see ticket #353).
Alert output for use with Barnyard2 (unified2.alert)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This log also supports IPv6 in addition to IPv4. It's information will
be stored in the default logging directory. For further information
read the above information about 2. unified.log.
::
- unified2-alert:
enabled: yes
- unified2-alert: #The log-name.
enabled: yes #This log is enabled. Set 'no' to disable.
filename: unified2.alert #The name of the file in the default logging directory.
limit: 32 #The file size limit in megabytes.
# The filename to log to in the default log directory. A
# timestamp in unix epoch time will be appended to the filename
# unless nostamp is set to yes.
filename: unified2.alert
# File size limit. Can be specified in kb, mb, gb. Just a number
# is parsed as bytes.
#limit: 32mb
# By default unified2 log files have the file creation time (in
# unix epoch format) appended to the filename. Set this to yes to
# disable this behaviour.
#nostamp: no
# Sensor ID field of unified2 alerts.
#sensor-id: 0
# Include payload of packets related to alerts. Defaults to true, set to
# false if payload is not required.
#payload: yes
# HTTP X-Forwarded-For support by adding the unified2 extra header or
# overwriting the source or destination IP address (depending on flow
# direction) with the one reported in the X-Forwarded-For HTTP header.
# This is helpful when reviewing alerts for traffic that is being reverse
# or forward proxied.
xff:
enabled: no
# Two operation modes are available, "extra-data" and "overwrite". Note
# that in the "overwrite" mode, if the reported IP address in the HTTP
# X-Forwarded-For header is of a different version of the packet
# received, it will fall-back to "extra-data" mode.
mode: extra-data
# Two proxy deployments are supported, "reverse" and "forward". In
# a "reverse" deployment the IP address used is the last one, in a
# "forward" deployment the first IP address is used.
deployment: reverse
# Header name where the actual IP address will be reported, if more
# than one IP address is present, the last IP address will be the
# one taken into consideration.
header: X-Forwarded-For
This alert output needs Barnyard2.
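Review bot: the added sentence "However, if the limit is reach the file will be deleted and re-opened" has a typo ("reach" should be "reached"), and the behaviour it describes deserves a clearer warning: with `nostamp` set, hitting `limit` deletes the current file instead of rotating to a new timestamped one, so any records Barnyard2 has not yet consumed are lost. Suggest wording it as "if the size limit is reached the file is truncated and re-opened, discarding unread records; use an external rotation tool that sends SIGHUP if you need to retain them". Minor: "compatible with the unified2 output of another popular IDS format" reads oddly; "of another popular IDS" is enough.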
