17.6.1. Update File-store v1 Configuration to V2ΒΆ
Given a file-store configuration like:
- file-store:
enabled: yes # set to yes to enable
log-dir: files # directory to store the files
force-magic: no # force logging magic on all stored files
force-hash: [md5] # force logging of md5 checksums
force-filestore: no # force storing of all files
stream-depth: 1mb # reassemble 1mb into a stream, set to no to disable
waldo: file.waldo # waldo file to store the file_id across runs
max-open-files: 0 # how many files to keep open (O means none)
write-meta: yes # write a .meta file if set to yes
include-pid: yes # include the pid in filenames if set to yes.
The following changes will need to be made to convert to a v2 style configuration:
- The
versionfield must be set to 2. - The
log-dirfield should be renamed todir. It is recommended to use a new directory instead of an existing v1 directory. - Remove the
waldooption. It is no longer used. - Remove the
write-metaoption. - Optionally set
write-fileinfoto enable writing of a metadata file along side the extracted file. Not that this option is disabled by default as afileinfoevent can be written to the Eve log file. - Remove the
include-pidoption. There is no equivalent to this option in file-store v2.
Example converted configuration:
- file-store:
version: 2
enabled: yes
dir: filestore
force-hash: [md5]
file-filestore: no
stream-depth: 1mb
max-open-files: 0
write-fileinfo: yes
Refer to the File Extraction section of the manual for information about the format of the file-store directory for file-store v2.