From e7dc0d885bede2b58094c46ff886e4e6a3a95575 Mon Sep 17 00:00:00 2001 From: Jeff Lucovsky Date: Sat, 14 Feb 2026 10:03:29 -0500 Subject: [PATCH] doc/config: Update flushing description Update output flushing description to reflect EVE based approach in documentation and config template. Issue: 8286 --- doc/userguide/output/eve/eve-json-output.rst | 4 ++-- doc/userguide/partials/eve-log.yaml | 10 +++++----- suricata.yaml.in | 10 +++++----- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/doc/userguide/output/eve/eve-json-output.rst b/doc/userguide/output/eve/eve-json-output.rst index c9404f45ee..f25a496f6e 100644 --- a/doc/userguide/output/eve/eve-json-output.rst +++ b/doc/userguide/output/eve/eve-json-output.rst @@ -39,9 +39,9 @@ may be held in memory and written a short time later opening the possibility -- loss. Hence, a heartbeat mechanism is introduced to limit the amount of time buffered data may exist before being -flushed. Control is provided to instruct Suricata's detection threads to flush their EVE output. With default +flushed. A heartbeat thread periodically flushes all active EVE log files directly. With default values, there is no change in output buffering and flushing behavior. ``output-flush-interval`` controls -how often Suricata's detect threads will flush output in a heartbeat fashion. A value of ``0`` means +how often Suricata will flush EVE output in a heartbeat fashion. A value of ``0`` means "never"; non-zero values must be in ``[1-60]`` seconds. Flushing should be considered when ``outputs.buffer-size`` is greater than 0 to limit the amount and diff --git a/doc/userguide/partials/eve-log.yaml b/doc/userguide/partials/eve-log.yaml index 9c8e35f7c6..08e9237e0c 100644 --- a/doc/userguide/partials/eve-log.yaml +++ b/doc/userguide/partials/eve-log.yaml 
@@ -291,12 +291,12 @@ outputs: # spurious-retransmission: false # log spurious retransmission packets # heartbeat: - # The output-flush-interval value governs how often Suricata will instruct the - # detection threads to flush their EVE output. Specify the value in seconds [1-60] - # and Suricata will initiate EVE log output flushes at that interval. A value - # of 0 means no EVE log output flushes are initiated. When the EVE output + # The output-flush-interval value governs how often Suricata will flush + # EVE log file output. Specify the value in seconds [1-60] and Suricata will + # flush all active EVE log files at that interval. A value of 0 means + # no EVE log output flushes are performed. When the EVE output # buffer-size value is non-zero, some EVE output that was written may remain # buffered. The output-flush-interval governs how much buffered data exists. # - # The default value is: 0 (never instruct detection threads to flush output) + # The default value is: 0 (no periodic flushing) #output-flush-interval: 0 diff --git a/suricata.yaml.in b/suricata.yaml.in index a8be0ae68d..87a49fa13f 100644 --- a/suricata.yaml.in +++ b/suricata.yaml.in 
@@ -598,14 +598,14 @@ outputs: # - script1.lua heartbeat: - # The output-flush-interval value governs how often Suricata will instruct the - # detection threads to flush their EVE output. Specify the value in seconds [1-60] - # and Suricata will initiate EVE log output flushes at that interval. A value - # of 0 means no EVE log output flushes are initiated. When the EVE output + # The output-flush-interval value governs how often Suricata will flush + # EVE log file output. Specify the value in seconds [1-60] and Suricata will + # flush all active EVE log files at that interval. A value of 0 means + # no EVE log output flushes are performed. When the EVE output # buffer-size value is non-zero, some EVE output that was written may remain # buffered. The output-flush-interval governs how much buffered data exists. # - # The default value is: 0 (never instruct detection threads to flush output) + # The default value is: 0 (no periodic flushing) #output-flush-interval: 0 # Logging configuration. This is not about logging IDS alerts/events, but
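Review bot: The retained context sentence `The output-flush-interval governs how much buffered data exists.` in the heartbeat comment describes a quantity, but the setting is an interval in seconds, and the userguide text in this same commit says the heartbeat limits "the amount of time buffered data may exist". I would reword it to `# buffered. The output-flush-interval bounds how long that data stays buffered.` so the template and the guide agree. Since the default remains 0, the comment could also note that with a non-zero buffer-size and no periodic flushing, EVE records may reach log consumers late or be lost if the process stops abnormally. The guide mentions the possibility of loss; the template does not. The same comment text is carried in doc/userguide/partials/eve-log.yaml in this commit and would take the same rewording.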