Optimization #2687

open

current suricata.yaml is missing rotate-interval "example"

Added by Mikael Keri over 5 years ago. Updated almost 5 years ago.

Status: New
Priority: Low
Target version:
Effort:
Difficulty:
Label:

Description

I noticed that the current (4.1) docs describe the usage of eve-log rotation, "rotate-interval" (https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#output-eve-rotate)

But it's not included in the current suricata.yaml file (https://github.com/OISF/suricata/blob/master/suricata.yaml.in); perhaps it should be?

#1

Updated by Victor Julien over 5 years ago

Not sure. For a long time we added all options to the default yaml, but we've started to change our mind a bit on that. The default yaml is huge and quite intimidating to new users. So perhaps the lesser used options should just be in the user guide.

#2

Updated by Mikael Keri over 5 years ago

I do agree that a too-big configuration file does tend to be a bit intimidating, but then again I also like to know all the options available, which can sometimes be a bit hard to get out of the docs.
Not saying that I'm missing anything from the docs =)

"All" the Elastic products ship with both a simple config file and then a full one with all the possible options, so one that will easily get you up and running and one that includes all the possible settings that you can use but requires a bit more work to understand. Could that be a way forward?

#3

Updated by Victor Julien over 5 years ago

I think it could, yes. The only concern is that I don't want to maintain multiple versions. So we'd have to use some kind of template or generator so that we can maintain a single master file.

#4

Updated by Andreas Herz almost 5 years ago

  • Tracker changed from Bug to Optimization
  • Assignee set to Community Ticket
  • Target version set to TBD
  • Affected Versions deleted (4.1)

#5

Updated by Andreas Herz almost 5 years ago

@Jason Ish do you have an idea for a template generator for that case?

As an alternative we could add links to the documentation into the config?

#6

Updated by Jason Ish almost 5 years ago

Andreas Herz wrote:

@Jason Ish do you have an idea for a template generator for that case?

As an alternative we could add links to the documentation into the config?

No ideas for a generator here. The idea is that the doc is complete, while the default config is the most common options. It means keeping 2 things in sync. Not ideal, and I don't think there is a trivial solution.
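The following is an added example, not code from the Suricata project or from anyone in this thread. It sketches the "single master file" idea discussed in #3 and #5: one annotated master template from which both a minimal suricata.yaml (common options only) and a full one (every option) are generated, so only one file has to be maintained. The `#@advanced` / `#@end-advanced` markers are an assumption invented for this example, not a Suricata feature. The embedded master fragment is constructed; it shows the common eve-log keys plus the `rotate-interval` option the description says is missing, written as a commented example the way suricata.yaml presents optional settings (values follow the eve-rotate documentation linked above, but check them against the docs for your version).

```python
"""Added example: generate a minimal and a full suricata.yaml from one
annotated master file (hypothetical scheme, not part of Suricata)."""

# Marker convention assumed by this example: lines between these two
# comments are "lesser used" options. The full config keeps them (markers
# stripped); the minimal config drops them.
ADVANCED_BEGIN = "#@advanced"
ADVANCED_END = "#@end-advanced"

# Constructed master fragment for demonstration. The eve-log keys are the
# usual ones from suricata.yaml; the rotate-interval lines are the example
# the issue asks for, kept commented out so the default behaviour is unchanged.
MASTER_TEMPLATE = """\
outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      #@advanced
      # Rotate the EVE log on a fixed interval. The filename may contain
      # strftime() conversions so each rotated file gets a unique name.
      # filename: eve-%Y-%m-%d-%H:%M.json
      # rotate-interval: day
      #@end-advanced
"""


def render(master: str, full: bool) -> str:
    """Return the full (full=True) or minimal (full=False) config text.

    Marker lines never reach the output. Unbalanced or nested markers raise,
    so a broken master file fails the build instead of silently producing a
    config with options missing.
    """
    out = []
    in_advanced = False
    for lineno, line in enumerate(master.splitlines(), 1):
        marker = line.strip()
        if marker == ADVANCED_BEGIN:
            if in_advanced:
                raise ValueError(f"line {lineno}: nested {ADVANCED_BEGIN}")
            in_advanced = True
            continue
        if marker == ADVANCED_END:
            if not in_advanced:
                raise ValueError(f"line {lineno}: {ADVANCED_END} without begin")
            in_advanced = False
            continue
        if in_advanced and not full:
            continue  # minimal config: skip lesser used options
        out.append(line)
    if in_advanced:
        raise ValueError("unterminated advanced block at end of master file")
    return "\n".join(out) + "\n"


def render_both(master: str = MASTER_TEMPLATE) -> dict:
    """Convenience wrapper: both outputs keyed by their intended filename."""
    return {
        "suricata.yaml": render(master, full=False),
        "suricata-full.yaml": render(master, full=True),
    }


if __name__ == "__main__":
    for name, text in render_both().items():
        print(f"# ---- {name} ----")
        print(text)
```

Because the generator only removes whole lines, the YAML indentation of everything it keeps is untouched, so the minimal output is always a strict subset of the full one and the two cannot drift apart the way two hand-maintained files can.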
