current suricata.yaml is missing rotate-interval "example"
I noticed that the current (4.1) docs describe the usage of eve-log rotation, "rotate-interval" (https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#output-eve-rotate).
But it's not included in the current suricata.yaml file (https://github.com/OISF/suricata/blob/master/suricata.yaml.in), perhaps it should?
Updated by Victor Julien almost 4 years ago
Not sure. For a long time we added all options to the default yaml, but we've started to change our mind a bit on that. The default yaml is huge and quite intimidating to new users. So perhaps the lesser used options should just be in the user guide.
Updated by Mikael Keri almost 4 years ago
I do agree that a too-big configuration file does tend to be a bit intimidating, but then again I also like to know all the options available, which sometimes can be a bit hard to get out of the docs.
Not saying that I'm missing anything from the docs =)
"All" the Elastic products ship with both a simple config file and then a full one with all the possible options, so one that will easily get you up and running and one that includes all the possible settings that you can use but requires a bit more work to understand. Could that be a way forward?
Updated by Jason Ish over 3 years ago
Andreas Herz wrote:
@Jason Ish do you have an idea for a template generator for that case?
As an alternative we could add links to the documentation into the config?
No ideas for a generator here. The idea is that the doc is complete, while the default config is the most common options. It means keeping 2 things in sync. Not ideal, and I don't think there is a trivial solution.