henridf
commented
4 years ago Thanks @philrz. Suricata uses this to identify content types (the magic stuff is also what the CLI utility file uses). (I'm not even sure if we actually exercise this in our alert-only config though... but at the very least suricata appears to initialize it via magic_load()).
The relevant snippet from the stock suricata.yaml is:
- files:
force-magic: no # force logging magic on all logged files
Fixes the issue that @alfred-landrum ran into here: https://github.com/brimsec/zq/pull/1331#issuecomment-697020087