Add/improve documentation for pcre substring capture logging
Currently, if a user wants to log a matching string from a rule that uses `pcre`, there isn't much documentation to help them understand how can they do that.
Our documentation has:
And some `suricata-verify` tests could provide some examples:
And others in the eve-matadata-* dirs.
But we could have all that better documented.
(image offers context from ad hoc support offered in our IRC chat)
Updated by Jason Ish almost 2 years ago
More documentation here as well: https://blog.inliniac.net/2016/12/20/suricata-bits-ints-and-vars/