doc/pcap-log: Remove sguil documentation
Issue: 6347
jlucovsky authored and victorjulien committed Jan 17, 2024
1 parent 9101878 commit 58f882d
Showing 1 changed file with 6 additions and 19 deletions.
25 changes: 6 additions & 19 deletions doc/userguide/configuration/suricata-yaml.rst
Expand Up @@ -457,34 +457,22 @@ look at all packets whenever you want. In the normal mode a pcap file
is created in the default-log-dir. It can also be created elsewhere if
a absolute path is set in the yaml-file.

The file that is saved in example the default -log-dir
/var/log/suricata, can be be opened with every program which supports
The file that is saved in example the ``default-log-dir``
`/var/log/suricata`, can be be opened with every program which supports
the pcap file format. This can be Wireshark, TCPdump, Suricata, Snort
and many others.

The pcap-log option can be enabled and disabled.

There is a size limit for the pcap-log file that can be set. The
default limit is 32 MB. If the log-file reaches this limit, the file
will be rotated and a new one will be created. The pcap-log option
has an extra functionality for "Sguil":http://sguil.sourceforge.net/
that can be enabled in the 'mode' option. In the sguil mode the
"sguil_base_dir" indicates the base directory. In this base dir the
pcaps are created in a Sguil-specific directory structure that is
based on the day:

::

$sguil_base_dir/YYYY-MM-DD/$filename.<timestamp>

If you would like to use Suricata with Sguil, do not forget to enable
(and if necessary modify) the base dir in the suricata.yaml file.
will be rotated and a new one will be created.
Remember that in the 'normal' mode, the file will be saved in
default-log-dir or in the absolute path (if set).

The pcap files can be compressed before being written to disk by setting
the compression option to lz4. This option is incompatible with sguil
mode. Note: On Windows, this option increases disk I/O instead of
the compression option to lz4.
Note: On Windows, this option increases disk I/O instead of
reducing it. When using lz4 compression, you can enable checksums using
the lz4-checksum option, and you can set the compression level lz4-level
to a value between 0 and 16, where higher levels result in higher
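Review bot: the rewritten sentence `The file that is saved in example the ``default-log-dir``` / ``/var/log/suricata`, can be be opened with every program which supports` still carries the awkward "saved in example the" phrasing and the doubled "be", and it wraps the path in single backticks, which reStructuredText renders as the default interpreted-text role rather than an inline literal; since this line is being touched anyway, write ``/var/log/suricata`` to match ``default-log-dir`` and reword to something like "The file saved in the ``default-log-dir`` (for example ``/var/log/suricata``) can be opened with any program that supports". Further down, `Remember that in the 'normal' mode, the file will be saved in` / `default-log-dir or in the absolute path (if set).` was written as a contrast to the removed sguil mode; with that mode gone the 'normal' qualifier no longer explains anything, so either drop it or state what differs in multi mode, and mark default-log-dir with double backticks there as well for consistency with the line above.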
Expand Down Expand Up @@ -514,8 +502,7 @@ the alert.
# Limit in MB.
limit: 32

mode: sguil # "normal" (default) or sguil.
sguil_base_dir: /nsm_data/
mode: normal # "normal" or multi
conditional: alerts

Verbose Alerts Log (alert-debug.log)
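Review bot: the new comment on `mode: normal # "normal" or multi` drops the "(default)" marker that the replaced line carried and quotes only one of the two values; suggest `mode: normal # "normal" (default) or "multi"` so the example configuration still tells the reader which value applies when the key is omitted.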