Suricata

I added that for the manpage and help command (PR done) but with the config I'm not sure what we want to have. The log level setting in the config won't take affect at all unless I use at least "-v" but it will never log more then added with "-v[vv]", so adding "config" as log level in the setting won't change the logfile output unless I also use "-vvv". But if I use "perf" as log level in the config and use "-vvv" I don't see the Config ouput in the logfile but in the stdout from the terminal where I start suricata. Looks like it's not what you might expect as user. IMHO the config setting should always affect the log level of the logfile and be seperated from the "-v[vv]" argument for the stdout output. Suggestions?

How about if we take the approach of command line override - if it is specified on the command line - it should override the config setting - aka "-vvv" should result in max verbosity.

The PR was https://github.com/inliniac/suricata/pull/2877 but looks like we still need to define some parts. I'm a bit confused (see my post above as well) how we want those different settings (config and commandline) and levels to work.

Is this still relevant? Can I take this up?

It sounds like we have to define what make sense and what the behaviour should be, then make sure the code matches that.

I'd like to recommend that -v, or multiple -v's only increase the verbosity, but to fixed levels. But will never decrease the verbosity set in the configuration file. For example:

-v -> info
-vv -> perf
-vvv -> config
-vvvv -> debug

(hmm, of note, I think config should come before perf but thats another topic)

This should change the verbosity level for any enabled output, but will never decrease the verbosity level. For example, if I have the file output enabled with level set to config, -v or -vv will not reset it to info or perf. However, -vvvv will set it to debug.

So -v is not an increase of whatever the configured level is as suggested in a PR which can be confusing to document.

-h output:

    -v[vvvv]                             : be more verbose (use multiple times to increase verbosity)

And in the manual we could do something like:

.. option:: -v

   Increase the verbosity of the Suricata application output by
   increasing the log level.

   - -v: INFO
   - -vv: PERF
   - -vvv: CONFIG
   - -vvvv: DEBUG (if enabled)

   This option will not make the log level less verbose than
   configured in your suricata.yaml.

I agree. Think this is a large code change? If possible it would be nice to get this into 5.0, but if it is too intrusive we can push it back.