Task #8549: http: consider making extended the default

Added by Jason Ish 4 days ago. Updated 16 minutes ago.

Status: Feedback
Priority: Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Currently extended is enabled in the default configuration file, but this is not the default if that field is commented out. We should consider removing this option and just log in extended mode all the time.

When not in extended mode (default mode), the following are logged:

  • hostname
  • http_port — only if port is present in Host/URL
  • url
  • http_user_agent
  • xff — from X-Forwarded-For
  • http_content_type
  • content_range {raw, start, end, size}

Extended adds:

  • http_refer
  • http_method
  • protocol
  • status — numeric status, if valid
  • status_string — if status is non-numeric
  • redirect — from Location
  • length — response message length

Arguably, some of these extended fields make sense in basic cases, such as method, protocol, and status.

At the same time, it would make sense to hoist the "Server" header into the server field. It's complementary to the user agent that is already hoisted.
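To make the difference between the two modes concrete, the following is an added example (not Suricata code and not part of this issue): it reads EVE http records, reports whether each one was produced in extended mode by checking for the extended-only fields listed above, and hoists a Server header into a top-level server field the way the issue proposes. The sample EVE lines are constructed for the example, and the response_headers array of {name, value} entries is an assumption about the record layout rather than something this issue describes.

```python
"""Classify Suricata EVE http records by logging mode and hoist the Server header.

Added example; not part of Suricata or of this issue. Field names follow the
issue's lists; the response_headers layout is assumed.
"""
import json

# Fields present in a basic (non-extended) http record, per the issue.
BASIC_FIELDS = {
    "hostname", "http_port", "url", "http_user_agent", "xff",
    "http_content_type", "content_range",
}
# Fields that only appear once extended mode is enabled, per the issue.
EXTENDED_FIELDS = {
    "http_refer", "http_method", "protocol", "status",
    "status_string", "redirect", "length",
}

# Constructed sample EVE lines, not real Suricata output. The first record
# shows what a detection rule keyed on http_method or status would miss when
# extended is off: those keys are simply absent.
SAMPLE_EVE = r'''
{"event_type":"http","http":{"hostname":"example.com","url":"/","http_user_agent":"curl/8.0","http_content_type":"text/html"}}
{"event_type":"http","http":{"hostname":"example.com","http_port":8080,"url":"/login","http_method":"POST","protocol":"HTTP/1.1","status":302,"redirect":"/home","length":0,"response_headers":[{"name":"Server","value":"nginx/1.24.0"},{"name":"Location","value":"/home"}]}}
{"event_type":"http","http":{"hostname":"example.com","url":"/x","http_method":"GET","protocol":"HTTP/1.0","status_string":"abc","length":12,"response_headers":[{"name":"server","value":"Apache"}]}}
{"event_type":"alert","alert":{"signature_id":1}}
'''


def is_extended(http: dict) -> bool:
    """True when the record carries any extended-only field."""
    return bool(EXTENDED_FIELDS & http.keys())


def missing_extended(http: dict) -> set:
    """Extended fields a consumer might expect but which this record lacks."""
    return EXTENDED_FIELDS - http.keys()


def hoist_server(http: dict) -> dict:
    """Return a copy with 'server' hoisted from response_headers.

    Header names are matched case-insensitively; the first Server header wins.
    This mirrors the proposal to treat Server like the already hoisted user agent.
    """
    out = dict(http)
    for hdr in http.get("response_headers", []):
        if str(hdr.get("name", "")).lower() == "server":
            out["server"] = hdr.get("value")
            break
    return out


def process(eve_text: str) -> list:
    """Parse EVE JSON lines and summarise each http record."""
    results = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "http":
            continue  # only http records carry these fields
        http = hoist_server(rec["http"])
        results.append({
            "url": http.get("url"),
            "extended": is_extended(http),
            "server": http.get("server"),
            # status is numeric when valid, otherwise status_string is set
            "status": http.get("status", http.get("status_string")),
            "missing": sorted(missing_extended(http)),
        })
    return results


if __name__ == "__main__":
    for summary in process(SAMPLE_EVE):
        print(json.dumps(summary))
```

Running the block against the constructed input flags the first record as basic mode with every extended field missing, which is the silent failure mode for any rule or dashboard that assumes http_method or status is always present; the other two records show the numeric status versus status_string split and the hoisted server value.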


Related issues (1 open, 0 closed)

Related to Suricata - Feature #8516: http: include server header in default eve record as a field (Triaged, assigned to OISF Dev)