tls/conf: clarify usage of custom vs extended logs

Since enabling custom logging will replace the extended logging, thus possibly leading to certain fields disappearing from the logs, mention this aspect. Related to Bug OISF#7333
jufajardini · Oct 17, 2024 · 55a7aff · 55a7aff
1 parent a02ae8d
commit 55a7aff
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 0 deletions.
diff --git a/doc/userguide/output/eve/eve-json-output.rst b/doc/userguide/output/eve/eve-json-output.rst
@@ -273,6 +273,7 @@ The default is to log certificate subject and issuer. If ``extended`` is
 enabled, then the log gets more verbose.
 
 By using ``custom`` it is possible to select which TLS fields to log.
+**Note that this will disable ``extended`` logging.**
 
 ARP
 ~~~

diff --git a/suricata.yaml.in b/suricata.yaml.in
@@ -272,6 +272,7 @@ outputs:
             # session id
             #session-resumption: no
             # custom controls which TLS fields that are included in eve-log
+            # WARNING: enabling custom disables extended logging.
             #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s, ja4, subjectaltname]
         - files:
             force-magic: no   # force logging magic on all logged files