1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
|
.. _output-custom-tls-logging:
Custom tls logging
===================
.. attention:: tls-log is deprecated in Suricata 8.0 and will be
removed in Suricata 9.0.
In your Suricata.yaml, find the tls-log section and edit as follows:
::
- tls-log:
enabled: yes # Log TLS connections.
filename: tls.log # File to store TLS logs.
append: yes
custom: yes # enabled the custom logging format (defined by customformat)
customformat: "%{%D-%H:%M:%S}t.%z %a:%p -> %A:%P %v %n %d %D"
And in your tls.log file you would get the following, for example:
::
12/03/16-19:20:14.85859 10.10.10.4:58274 -> 192.0.78.24:443 VERSION='TLS 1.2' suricata.io NOTBEFORE='2016-10-27T20:36:00' NOTAFTER='2017-01-25T20:36:00'
The list of supported format strings is the following:
* %n - client SNI
* %v - TLS/SSL version
* %d - certificate date not before
* %D - certificate date not after
* %f - certificate fingerprint SHA1
* %s - certificate subject
* %i - certificate issuer dn
* %E - extended format
* %{strftime_format}t - timestamp of the TLS transaction in the selected strftime format. ie: 08/28/12-22:14:30
* %z - precision time in useconds. ie: 693856
* %a - client IP address
* %p - client port number
* %A - server IP address
* %P - server port number
Any non printable character will be represented by its byte value in hexadecimal format (\|XX\|, where XX is the hex code)
|
