path: root/doc/userguide/file-extraction/config-update.rst
.. _filestore-update-v1-to-v2:

Update File-store v1 Configuration to V2
========================================

Given a file-store configuration like::

  - file-store:
      enabled: yes        # set to yes to enable
      log-dir: files      # directory to store the files
      force-magic: no     # force logging magic on all stored files
      force-hash: [md5]   # force logging of md5 checksums
      force-filestore: no # force storing of all files
      stream-depth: 1mb   # reassemble 1mb into a stream, set to no to disable
      waldo: file.waldo   # waldo file to store the file_id across runs
      max-open-files: 0   # how many files to keep open (0 means none)
      write-meta: yes     # write a .meta file if set to yes
      include-pid: yes    # include the pid in filenames if set to yes.

The following changes will need to be made to convert to a v2 style configuration:

* The ``version`` field must be set to 2.
* The ``log-dir`` field should be renamed to ``dir``. It is recommended to use a new directory instead of an existing v1 directory.
* Remove the ``waldo`` option. It is no longer used.
* Remove the ``write-meta`` option.
* Optionally set ``write-fileinfo`` to enable writing of a metadata file alongside the extracted file. Note that this option is disabled by default, as a ``fileinfo`` event can be written to the Eve log file instead.
* Remove the ``include-pid`` option. There is no equivalent to this option in file-store v2.
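The steps above carried out as a small conversion script (an added example, not code from the Suricata project): it parses the indented ``key: value # comment`` form shown on this page without a YAML library, applies each migration rule, and writes the v2 block back out. The directory name ``filestore`` and the sample v1 block are constructed inputs.

```python
# Added example (not Suricata project code): applies the migration steps
# above to a v1 file-store block in the indented text form shown on this page.
import warnings

REMOVED = ("waldo", "write-meta", "include-pid")  # no counterpart in v2

def parse_block(text: str) -> dict:
    """Turn 'key: value   # comment' lines into an insertion-ordered dict."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comment
        if not line or line.startswith("- file-store"):
            continue
        key, _, value = line.partition(":")
        opts[key.strip()] = value.strip()
    return opts

def convert_v1_to_v2(v1: dict, new_dir: str, write_fileinfo: bool = False) -> dict:
    """Return the v2 options, keeping the original option order."""
    if v1.get("version") == "2":
        raise ValueError("configuration is already file-store v2")
    if new_dir == v1.get("log-dir"):
        warnings.warn("v2 should use a new directory, not the v1 log-dir")
    v2 = {"version": "2"}
    for key, value in v1.items():
        if key in REMOVED:
            continue  # waldo, write-meta, include-pid are dropped
        if key == "log-dir":
            v2["dir"] = new_dir  # renamed, and pointed at a fresh directory
        else:
            v2[key] = value
    if write_fileinfo:
        v2["write-fileinfo"] = "yes"  # optional; disabled by default in v2
    return v2

def render_block(opts: dict) -> str:
    """Write the options back in the indented form used on this page."""
    return "\n".join(["- file-store:"] + [f"    {k}: {v}" for k, v in opts.items()])

# Constructed input: a v1 block like the one on this page (comments shortened).
V1_TEXT = """\
- file-store:
    enabled: yes        # set to yes to enable
    log-dir: files      # directory to store the files
    force-hash: [md5]
    force-filestore: no
    waldo: file.waldo
    write-meta: yes
    include-pid: yes
"""
```

Running ``render_block(convert_v1_to_v2(parse_block(V1_TEXT), "filestore", True))`` yields the v2 block with ``version: 2``, ``dir: filestore`` and ``write-fileinfo: yes``, and without the three removed options.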

Example converted configuration::

  - file-store:
      version: 2
      enabled: yes
      dir: filestore
      force-hash: [md5]
      force-filestore: no
      stream-depth: 1mb
      max-open-files: 0
      write-fileinfo: yes

Refer to the :ref:`File Extraction` section of the manual for information about the format of the file-store directory for file-store v2.