From 55b922ceed868a4bf6c5d8e662b8c98876cc15d1 Mon Sep 17 00:00:00 2001
From: Juliana Fajardini
Date: Wed, 16 Oct 2024 16:30:11 -0700
Subject: [PATCH] tls/conf: clarify usage of custom vs extended logs

Since enabling custom logging will replace the extended logging, thus possibly leading to certain fields disappearing from the logs, mention this aspect.
Related to Bug #7333
---
 doc/userguide/output/eve/eve-json-output.rst | 1 +
 suricata.yaml.in | 1 +
 2 files changed, 2 insertions(+)
diff --git a/doc/userguide/output/eve/eve-json-output.rst b/doc/userguide/output/eve/eve-json-output.rst
index c9c1d63e02..7fc40783c2 100644
--- a/doc/userguide/output/eve/eve-json-output.rst
+++ b/doc/userguide/output/eve/eve-json-output.rst
@@ -273,6 +273,7 @@ The default is to log certificate subject and issuer. If ``extended`` is enabled, then the log gets more verbose. By using ``custom`` it is possible to select which TLS fields to log.
+**Note that this will disable ``extended`` logging.**
 ARP
 ~~~
diff --git a/suricata.yaml.in b/suricata.yaml.in
index 5f9eaf6839..f191bf60b9 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -272,6 +272,7 @@ outputs:
 # session id
 #session-resumption: no
 # custom controls which TLS fields that are included in eve-log
+ # WARNING: enabling custom disables extended logging.
 #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s, ja4, subjectaltname]
 - files:
 force-magic: no # force logging magic on all logged files
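Review bot: The new `# WARNING: enabling custom disables extended logging.` comment above `#custom:` in suricata.yaml.in names the side effect but not its consequence. Per the commit message, fields can disappear from the TLS records, which matters to anyone whose detections or hunts key on them. I would spell that out, e.g. `# WARNING: enabling custom replaces extended logging; only the fields listed here are logged.`, assuming that is the actual behaviour, which the hunk itself does not show. The .rst hunk words the same caveat as a "Note" while this one says "WARNING"; using one level in both places would keep the user guide and the sample config consistent. The enclosing `outputs:` block starts and ends outside the hunk.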