tls/conf: clarify usage of custom vs extended logs

Since enabling custom logging will replace the extended logging, thus possibly leading to certain fields disappearing from the logs, mention this aspect. Related to Bug #7333
5 months ago · 55b922ceed
parent 69fe5121a1
commit 55b922ceed
2 changed files with 2 additions and 0 deletions
--- a/doc/userguide/output/eve/eve-json-output.rst
+++ b/doc/userguide/output/eve/eve-json-output.rst
@ -273,6 +273,7 @@ The default is to log certificate subject and issuer. If ``extended`` is
 enabled, then the log gets more verbose.

 By using ``custom`` it is possible to select which TLS fields to log.
+**Note that this will disable ``extended`` logging.**

 ARP
 ~~~
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@ -272,6 +272,7 @@ outputs:
            # session id
            #session-resumption: no
            # custom controls which TLS fields that are included in eve-log
+            # WARNING: enabling custom disables extended logging.
            #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s, ja4, subjectaltname]
        - files:
            force-magic: no   # force logging magic on all logged files