TLS-store enabled but no certificate data collected in folder /var/log/suricata/certs

Hello to the Suricata community,

Running:

  • Suricata version 7.0.11 RELEASE
  • installed from packages on Oracle Linux 9.6 and Debian 13

Topic:

I would like to collect the certificate data via the tls-store feature. The suricata.yaml file has been configured as follows (extract):


- tls-log:
      enabled: yes       # Log TLS connections.
      filename: tls.log  # File to store TLS logs.

- tls-store:
      enabled: yes
      certs-log-dir: /var/log/suricata/certs # directory to store the certificates files

As a result, the certs folder has been created but no certificate data are being collected.

Steps done (on both OL9 and Debian 13):

I tried both the relative path “certs” and the full path for the name of the folder, and checked the permissions, which are as follows (extract):

$ ls -lh /var/log/suricata/
total 86M
drwxr-x---. 2 suricata suricata 4.0K Aug 27 18:04 certs
-rw-rw-r--. 1 suricata suricata  21M Aug 29 16:39 eve.json
...

Any suggestions, please?

Kind regards.

Hi everyone,
Just a quick add-on to this post: I read the following note in the Suricata 8 documentation:

tls-log is deprecated in Suricata 8.0 and will be removed in Suricata 9.0.

This section in the Suricata user guide states that tls-log is deprecated in version 8.0 and, although the same paragraph speaks a bit later about the configuration of tls-store, there is no mention of tls-store also being deprecated.
Does this imply that both tls.log and tls-store would be deprecated, or is it only tls.log?

Many thanks.