The unified2 output plugin is a replacement for the unified output plugin. It has the same performance characteristics, but a slightly different logging format. See section 2.6.7 on unified logging for more information.
Unified2 can work in one of three modes, packet logging, alert logging, or true unified logging. Packet logging includes a capture of the entire packet and is specified with log_unified2. Likewise, alert logging will only log events and is specified with alert_unified2. To include both logging styles in a single, unified file, simply specify unified2.
When MPLS support is turned on, MPLS labels can be included in unified2 events. Use option mpls_event_types to enable this. If option mpls_event_types is not used, then MPLS labels will be not be included in unified2 events.
|
Note:
By default, unified 2 files have the file creation time (in Unix Epoch format) appended to each file when it is created.
|