doc: document removal of unified2

And suggest an alternate tool, Meer if compatibility with Barnyard2 style databases is required. Redmine ticket: https://redmine.openinfosecfoundation.org/issues/3497
5 years ago · 7d44e80a50
parent e71f2b22fa
commit 7d44e80a50
4 changed files with 46 additions and 1 deletions
--- a/doc/userguide/Makefile.am
+++ b/doc/userguide/Makefile.am
@ -8,6 +8,7 @@ EXTRA_DIST = \
 	configuration \
 	file-extraction \
 	index.rst \
+	upgrade \
 	upgrade.rst \
 	initscripts.rst \
 	install.rst \
--- a/doc/userguide/output/eve/index.rst
+++ b/doc/userguide/output/eve/index.rst
@ -1,5 +1,7 @@
+.. _eve:
+
 EVE
-======
+===

 .. toctree::

--- a/doc/userguide/upgrade.rst
+++ b/doc/userguide/upgrade.rst
@ -52,6 +52,7 @@ Removals
 - Individual Eve (JSON) loggers have been removed. For example,
  ``stats-json``, ``dns-json``, etc. Use multiple Eve logger instances
  if this behavior is still required. See :ref:`multiple-eve-instances`.
+- Unified2 has been removed. See :ref:`unified2-removed`.

 Upgrading 4.1 to 5.0
 --------------------
--- a/doc/userguide/upgrade/unified2.rst
+++ b/doc/userguide/upgrade/unified2.rst
@ -0,0 +1,41 @@
+:orphan: Document not referenced in a toctree, so add this.
+
+.. _unified2-removed:
+
+Unified2 Output Removed
+-----------------------
+
+As of Suricata 6.0 the Unified2 output has been removed. The legacy
+Unified2 format lacks the flexibility found in the Eve format, and is
+considerably more difficult to integrate with other tools.  The
+current recommended output is :ref:`eve`.
+
+Packet (Payload) Logging
+------------------------
+
+By default, Eve does not log the packet or payload like Unified2
+does. This can be done with Eve by enabling the payload in Eve alert
+logs. This will log the payload in base64 format to be compatible with
+the JSON format of Eve logs.
+
+It is important to note that while Eve does have an option to log the
+packet, it is the payload option that provides the equivalent data to
+that of the Unified2 output.
+
+Migration Tools
+---------------
+
+Meer
+~~~~
+
+Meer is an Eve log processing tool that can process Eve logs and
+insert them into a database that is compatible with Barnyard2. This
+could could be used as a Barnyard2 replacement if your use of Unified2
+was to have Suricata events added this style of database for use with
+tools such as Snorby and BASE.
+
+More information on Meer can be found at its GitHub project page:
+`https://github.com/beave/meer <https://github.com/beave/meer>`_.
+
+.. note:: Please note that Meer is not supported or maintained by the
+          OISF or the Suricata development team.