diff --git a/doc/userguide/configuration/suricata-yaml.rst b/doc/userguide/configuration/suricata-yaml.rst index bb24efa5f3..70a6effdfd 100644 --- a/doc/userguide/configuration/suricata-yaml.rst +++ b/doc/userguide/configuration/suricata-yaml.rst @@ -161,9 +161,6 @@ outputs section and storing them in outputs.yaml filename: fast.log append: yes - - unified2-alert: - enabled: yes - ... :: @@ -190,9 +187,6 @@ different YAML file. filename: fast.log append: yes - - unified2-alert: - enabled: yes - :: # suricata.yaml 
@@ -326,80 +320,6 @@ For more advanced configuration options, see :ref:`Eve JSON Output `. -.. _suricata_yaml_unified2: - -Alert output for use with Barnyard2 (unified2.alert) -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -.. note:: Unified2 output has been deprecated and will be removed by - December 2019. Please see the `deprecation policy`_ for more - information. - -This log format is a binary format compatible with the unified2 output -of another popular IDS format and is designed for use with Barnyard2 -or other tools that consume the unified2 log format. - -By default a file with the given filename and a timestamp (unix epoch -format) will be created until the file hits the configured size limit, -then a new file, with a new timestamp will be created. It is the job -of other tools, such as Barnyard2 to cleanup old unified2 files. - -If the `nostamp` option is set the log file will not have a timestamp -appended. The file will be re-opened on SIGHUP like other log files -allowing external log rotation tools to work as expected. However, if -the limit is reach the file will be deleted and re-opened. - -This output supports IPv6 and IPv4 events. - -:: - - - unified2-alert: - enabled: yes - - # The filename to log to in the default log directory. A - # timestamp in unix epoch time will be appended to the filename - # unless nostamp is set to yes. - filename: unified2.alert - - # File size limit. Can be specified in kb, mb, gb. Just a number - # is parsed as bytes. - #limit: 32mb - - # By default unified2 log files have the file creation time (in - # unix epoch format) appended to the filename. Set this to yes to - # disable this behavior. - #nostamp: no - - # Sensor ID field of unified2 alerts. - #sensor-id: 0 - - # Include payload of packets related to alerts. Defaults to true, set to - # false if payload is not required. 
- #payload: yes - - # HTTP X-Forwarded-For support by adding the unified2 extra header or - # overwriting the source or destination IP address (depending on flow - # direction) with the one reported in the X-Forwarded-For HTTP header. - # This is helpful when reviewing alerts for traffic that is being reverse - # or forward proxied. - xff: - enabled: no - # Two operation modes are available, "extra-data" and "overwrite". Note - # that in the "overwrite" mode, if the reported IP address in the HTTP - # X-Forwarded-For header is of a different version of the packet - # received, it will fall-back to "extra-data" mode. - mode: extra-data - # Two proxy deployments are supported, "reverse" and "forward". In - # a "reverse" deployment the IP address used is the last one, in a - # "forward" deployment the first IP address is used. - deployment: reverse - # Header name where the actual IP address will be reported, if more - # than one IP address is present, the last IP address will be the - # one taken into consideration. - header: X-Forwarded-For - -This alert output needs Barnyard2. - A line based log of HTTP requests (http.log) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/doc/userguide/output/log-rotation.rst b/doc/userguide/output/log-rotation.rst index e15e857e7a..d6f00932fc 100644 --- a/doc/userguide/output/log-rotation.rst +++ b/doc/userguide/output/log-rotation.rst @@ -43,5 +43,4 @@ log files is still the responsibility of external tools. These outputs include: - :ref:`Eve ` -- :ref:`Unified2 ` - :ref:`PCAP log `
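Review bot: Removing the `.. _suricata_yaml_unified2:` label in the `@@ -326,80 +320,6 @@` hunk of suricata-yaml.rst deletes a Sphinx reference target, and only one consumer of it is updated here (the log-rotation.rst hunk). Any other `:ref:` pointing at `suricata_yaml_unified2` that remains in doc/userguide will turn into a broken cross-reference and a build warning, so grep the tree for `suricata_yaml_unified2` before merging and fix or drop the remaining references in this same change.

Review bot: The removed section in the `@@ -326,80 +320,6 @@` hunk is the only place that told Barnyard2 users what to do, and the note it carried ("Unified2 output has been deprecated and will be removed by December 2019") is dropped with it, so a user upgrading will find no trace of the format in the guide. Add a short entry to the upgrade notes or changelog stating that the unified2-alert output has been removed and pointing at the Eve JSON output section that the context line just above the deletion already references ("For more advanced configuration options, see :ref:`Eve JSON Output `"), so the migration path is documented rather than implied.

Review bot: The `@@ -161,9 +161,6 @@` and `@@ -190,9 +187,6 @@` hunks strip the `- unified2-alert:` / `enabled: yes` block from both example listings, which keeps the two outputs.yaml examples consistent with each other; the log-rotation.rst hunk removing `- :ref:`Unified2 `` matches. These three are fine as long as the reference-target point above is handled in the same commit, since the section they refer to no longer exists once the third hunk lands.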