suricata/doc/userguide/file-extraction/config-update.rst

.. _filestore-update-v1-to-v2:

Update File-store v1 Configuration to V2
========================================

Given a file-store configuration like::

  - file-store:
      enabled: yes        # set to yes to enable
      log-dir: files      # directory to store the files
      force-magic: no     # force logging magic on all stored files
      force-hash: [md5]   # force logging of md5 checksums
      force-filestore: no # force storing of all files
      stream-depth: 1mb   # reassemble 1mb into a stream, set to no to disable
      waldo: file.waldo   # waldo file to store the file_id across runs
      max-open-files: 0   # how many files to keep open (O means none)
      write-meta: yes     # write a .meta file if set to yes
      include-pid: yes    # include the pid in filenames if set to yes.

The following changes will need to be made to convert to a v2 style configuration:

* The ``version`` field must be set to 2.
* The ``log-dir`` field should be renamed to ``dir``. It is recommended to use a new directory instead of an existing v1 directory.
* Remove the ``waldo`` option. It is no longer used.
* Remove the ``write-meta`` option.
* Optionally set ``write-fileinfo`` to enable writing of a metadata file along side the extracted file. Not that this option is disabled by default as a ``fileinfo`` event can be written to the Eve log file.
* Remove the ``include-pid`` option. There is no equivalent to this option in file-store v2.

Example converted configuration::

  - file-store:
      version: 2
      enabled: yes
      dir: filestore
      force-hash: [md5]
      file-filestore: no
      stream-depth: 1mb
      max-open-files: 0
      write-fileinfo: yes

Refer to the :ref:`File Extraction` section of the manual for information about the format of the file-store directory for file-store v2.