suricata.yaml: remove filestore v1 configuration

5 years ago · 6850dbc852
parent ca88e4d0e3
commit 6850dbc852
2 changed files with 38 additions and 6 deletions
--- a/doc/userguide/file-extraction/config-update.rst
+++ b/doc/userguide/file-extraction/config-update.rst
@ -0,0 +1,38 @@
+Update File-store v1 Configuration to V2
+========================================
+
+Given a file-store configuration like::
+
+  - file-store:
+      enabled: yes        # set to yes to enable
+      log-dir: files      # directory to store the files
+      force-magic: no     # force logging magic on all stored files
+      force-hash: [md5]   # force logging of md5 checksums
+      force-filestore: no # force storing of all files
+      stream-depth: 1mb   # reassemble 1mb into a stream, set to no to disable
+      waldo: file.waldo   # waldo file to store the file_id across runs
+      max-open-files: 0   # how many files to keep open (O means none)
+      write-meta: yes     # write a .meta file if set to yes
+      include-pid: yes    # include the pid in filenames if set to yes.
+
+the following changes will need to be made to convert to a V2 style configuration:
+
+* A ``version`` field must be set to 2.
+* The ``log-dir`` field should be renamed to ``dir``. It is recommended to use a new directory instead of an existing v1 directory.
+* Remove the ``waldo`` option. It is no longer used.
+* Remove the ``write-meta`` option. Optionally set ``write-fileinfo`` to enable writing of a metadata file along side the extracted file. Not that this option is disabled by default as a ``fileinfo`` event can be written to the Eve log file.
+* Remove the ``include-pid`` option. There is no equivalent to this option in file-store v2.
+
+Example converted configuration::
+
+  - file-store:
+      version: 2
+      enabled: yes
+      dir: filestore
+      force-hash: [md5]
+      file-filestore: no
+      stream-depth: 1mb
+      max-open-files: 0
+      write-fileinfo: yes
+
+Refer to the :ref:`File Extraction` section of the manual for information about the format of the file-store directory for file-store v2.
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@ -485,12 +485,6 @@ outputs:
        # one taken into consideration.
        header: X-Forwarded-For

-  # deprecated - file-store v1
-  - file-store:
-      enabled: no
-      # further options documented at:
-      # https://suricata.readthedocs.io/en/suricata-5.0.0/file-extraction/file-extraction.html#file-store-version-1
-
  # Log TCP data after stream normalization
  # Two types: file or dir:
  #     - file logs into a single logfile.