From db73a1254028778ea67ee17e41897226d17941ed Mon Sep 17 00:00:00 2001 From: Andreas Dolp Date: Tue, 31 May 2022 15:58:54 +0200 Subject: [PATCH] doc/tls: Add documentation for TLS logging --- doc/userguide/configuration/suricata-yaml.rst | 21 +++++++++++++++++++ doc/userguide/output/custom-tls-logging.rst | 2 ++ 2 files changed, 23 insertions(+) diff --git a/doc/userguide/configuration/suricata-yaml.rst b/doc/userguide/configuration/suricata-yaml.rst index 67299f47ecf5..70c1a1e03660 100644 --- a/doc/userguide/configuration/suricata-yaml.rst +++ b/doc/userguide/configuration/suricata-yaml.rst @@ -388,6 +388,27 @@ For more advanced configuration options, see :ref:`Eve JSON Output `. +TLS parameters and certificates logging (tls.log) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The TLS handshake parameters can be logged in a line based log as well. +By default, the logfile is `tls.log` in the suricata log directory. +See :ref:`Custom TLS logging ` for details +about the configuration and customization of the log format. + +Furthermore there is an output module to store TLS certificate files to +disk. This is similar to :ref:`File-store (File Extraction) +`, but for TLS certificates. + +Example: + +:: + + # output module to store certificates chain to disk + - tls-store: + enabled: yes + #certs-log-dir: certs # directory to store the certificates files + A line based log of HTTP requests (http.log) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/doc/userguide/output/custom-tls-logging.rst b/doc/userguide/output/custom-tls-logging.rst index 74cdb0f12755..18af79ce14c9 100644 --- a/doc/userguide/output/custom-tls-logging.rst +++ b/doc/userguide/output/custom-tls-logging.rst @@ -1,3 +1,5 @@ +.. _output-custom-tls-logging: + Custom tls logging ===================
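Review bot: In the new "TLS parameters and certificates logging (tls.log)" section of suricata-yaml.rst, the Example block shows only the tls-store output, although the heading and the first paragraph are about tls.log. Either add the corresponding tls-log stanza to the example or retitle the section so that it clearly covers both outputs. In the first paragraph, `tls.log` is written in single backticks, which reST renders with the default role rather than as a literal, so use double backticks, and capitalize "suricata log directory" as "Suricata". For tls-store, the commented-out "#certs-log-dir: certs" leaves the effective default unstated; say where the certificate files are written when the option is not set, since this module writes data taken from observed traffic to disk.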
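Review bot: In custom-tls-logging.rst, the new label ".. _output-custom-tls-logging:" sits above a title that reads "Custom tls logging", while the cross-reference added in suricata-yaml.rst uses the link text "Custom TLS logging"; consider capitalizing TLS in the title so both pages match. The first hunk also references "File-store (File Extraction)" through :ref:, and this patch adds no label for it, so confirm that target already exists, otherwise the docs build will report an undefined label.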