[Oisf-users] Splitting config into multiple yaml files.

Jason Ish lists at unx.ca
Tue Jun 24 15:42:10 UTC 2014


On Tue, Jun 24, 2014 at 2:08 AM, Andreas Moe <andmoe at mnemonic.no> wrote:
> Hi, I'm trying to split my suricata yaml files into multiple files. Currently
> it is only split into two files: suricata_main.yaml and
> suricata_outputs_tweak.yaml. The idea is to have a general configuration for
> suricata, and be able to further tweak the output of: unified2-alert,
> http-log, and file-store on individual sensors. In my main configuration I
> have the following configured in the outputs section:
>
> outputs:
>   - fast
>   - eve-log
>   - tls-log
>
> …. Etc (all configured as I would like as default)
>
> In my suricata_outputs_tweak file I have then configured the following
> (these are NOT written or mentioned in the main configuration file):
>
> - unified2
> - http-log
> - file-store
>
> Then, my problem comes when I try to include this file.
>
> outputs: !include suricata_outputs_tweak.yaml

This second declaration of outputs overrides the previous one, they
are not merged together.  The closest you can probably get to what you
want is to include each tweaked output in its own file, something
like:

outputs:
  - fast:
      <inline-configuration>
  - unified2-alert: !include unified2.config

> With this I get:
>
> Starting suricata: 24/6/2014 -- 09:43:24 - <Info> - Configuration node
> 'outputs' redefined.
>
> 24/6/2014 -- 09:43:24 - <Info> - Including configuration file suricata
> _outputs_tweak.yaml at parent node outputs.
>
> It both includes it at the parent node outputs, but also gives me
> information that the outputs node has been redefined?? Ex: I set fast-log to
> enabled in main config, but if I am able to load my “tweaks” file that says
> nothing about fast-log, fast-log is not enabled…

The --dump-config option may be useful to you, it may have cleared up
what was going on.

This is another case where YAML's aliases, anchors and merge keys may
help, but they are not currently supported.

Hope that helps,
Jason
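A small check for the situation discussed in this thread, added here as an example and not part of the original post: it parses `--dump-config` output and reports which expected outputs were lost after the `!include` replaced the `outputs` node. The dump line format `outputs.<index>.<name>.enabled = <value>` and the sample dump are assumptions constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample of `suricata --dump-config` output (assumed format:
# dotted node path = value). It models the thread's scenario: the second
# `outputs:` declaration replaced the first, so fast/eve-log/tls-log are gone.
DUMP_AFTER_INCLUDE = """\
default-log-dir = /var/log/suricata/
outputs.0.unified2-alert.enabled = yes
outputs.0.unified2-alert.filename = unified2.alert
outputs.1.http-log.enabled = yes
outputs.1.http-log.filename = http.log
outputs.2.file-store.enabled = no
outputs.2.file-store.log-dir = files
"""

# Matches only the per-output `enabled` leaf, e.g. outputs.1.http-log.enabled = yes
OUTPUT_LINE = re.compile(r"^outputs\.(\d+)\.([\w-]+)\.enabled\s*=\s*(\S+)\s*$")


def output_states(dump_text: str) -> Dict[str, bool]:
    """Map each output name present in the dump to its enabled flag."""
    states: Dict[str, bool] = {}
    for line in dump_text.splitlines():
        m = OUTPUT_LINE.match(line.strip())
        if m:
            states[m.group(2)] = m.group(3).lower() in ("yes", "true")
    return states


def missing_or_disabled(dump_text: str, expected: List[str]) -> List[str]:
    """Return the expected outputs that are absent from, or disabled in, the dump.

    An output that the main file enabled but the include silently dropped
    shows up here, which is the symptom described in the thread.
    """
    states = output_states(dump_text)
    return sorted(name for name in expected if not states.get(name, False))


if __name__ == "__main__":
    wanted = ["fast", "eve-log", "tls-log", "unified2-alert", "http-log"]
    print("lost or disabled outputs:", missing_or_disabled(DUMP_AFTER_INCLUDE, wanted))
```

Feed it the real dump with `suricata -c suricata_main.yaml --dump-config` to confirm what the merged tree actually contains before trusting the log messages.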
