[Oisf-users] Splitting config into multiple yaml files.

Andreas Moe andmoe at mnemonic.no
Tue Jun 24 08:08:24 UTC 2014

Hi, im trying to split my suricata yaml files into multiple files. Currently it is only split into two files: suricata_main.yaml and suricata_outputs_tweak.yaml The idea is to have a general configuration for suricata, and be able to further tweak the output of: unified2-alert, http-log, and file-store on individual sensors. In my main configuration I have the following configured in the outputs section:

  - fast
  - eve-log
  - tls-log
.... Etc (all configured as i would like as default)

In my suricata_outputs_tweak file I have then configured the following (these are NOT written or mentioned in the main configuration file):
- unified2
- http-log
- file-store

Then, my problem comes when I try to include this file.
outputs: !include suricata_outputs_tweak.yaml

With this I get:
Starting suricata: 24/6/2014 -- 09:43:24 - <Info> - Configuration node 'outputs' redefined.
24/6/2014 -- 09:43:24 - <Info> - Including configuration file suricata _outputs_tweak.yaml at parent node outputs.

It both includes it at the parent node outputs, but also gives me information that the outputs node has been redefined?? Ex: I set fast-log to enabled in main config, but if I am able to load my "tweaks" file that says nothing about fast-log, fast-log is not enabled...

Any suggestions? I can't really find much documentation about this other than a feature tracker: https://redmine.openinfosecfoundation.org/issues/1009
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20140624/047fdfa7/attachment.html>

More information about the Oisf-users mailing list