The documentation mentions the ability to split config files out into other files using either the ‘include’ key or a value beginning with ‘!include’. I’m trying to use the latter to separate items such as af-packet configs, address-groups, port-groups, etc. into separate files, for a cleaner config file; it’s also a little easier for me to manage with puppet (avoids a template with a massive number of variables). However, when I try to actually do this, it does not seem to pick up the file.
Example section in /etc/suricata/suricata.yaml:

```yaml
af-packet: "!include interfaces.yaml"
```

/etc/suricata/interfaces.yaml:

```yaml
- interface: enp0s3
  cluster-id: 99
  threads: auto
```
Attempting to run manually:

```
# /sbin/suricata -c /etc/suricata/suricata.yaml --af-packet
17/3/2023 -- 23:36:15 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - Invalid logging method: interface, ignoring
17/3/2023 -- 23:36:15 - <Notice> - This is Suricata version 6.0.9 RELEASE running in SYSTEM mode
17/3/2023 -- 23:36:15 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - No interface found in config for af-packet
```
Any idea what I’m doing wrong here? It also doesn’t seem to load other sections that I try to use ‘!include’ for, such as the address groups, etc.
I’m using the suricata rpm from the Rocky Linux 8 EPEL repo.
```
/sbin/suricata -V
This is Suricata version 6.0.9 RELEASE
```
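As an added example (not from the original post and not Suricata project code), a small lint that scans a suricata.yaml for include directives and flags the two things that stop a section from being picked up: a quoted `!include` value, which YAML parses as an ordinary string rather than as a tag, and a referenced file that does not exist. It assumes relative include paths resolve against the directory containing suricata.yaml; the sample config and the `check_includes` function are constructed for this illustration.

```python
import os
import re

# Tag form    -> key: !include file.yaml   (YAML tag, what an include needs)
# Quoted form -> key: "!include file.yaml" (YAML sees a plain string, no tag)
_VALUE_INCLUDE_RE = re.compile(
    r'^\s*(?P<key>[\w-]+)\s*:\s*(?P<quote>["\']?)!include\s+'
    r'(?P<path>[^"\']+?)(?P=quote)\s*$'
)
# Key form -> include: file.yaml
_KEY_INCLUDE_RE = re.compile(r'^\s*include\s*:\s*(?P<path>\S+)\s*$')

PROBLEM_QUOTED = "quoted: YAML parses this value as a plain string, not an !include tag"
PROBLEM_MISSING = "included file not found relative to the config directory"


def check_includes(config_text, config_dir, exists=os.path.isfile):
    """Return (key, path, problem) for every include directive in config_text.

    problem is None when the directive looks usable. `exists` is injectable so
    the check can run over constructed input without touching the disk.
    Assumption: relative include paths resolve against config_dir.
    """
    findings = []
    for line in config_text.splitlines():
        m = _VALUE_INCLUDE_RE.match(line)
        if m:
            key, path = m.group("key"), m.group("path").strip()
            if m.group("quote"):
                problem = PROBLEM_QUOTED
            elif not exists(os.path.join(config_dir, path)):
                problem = PROBLEM_MISSING
            else:
                problem = None
            findings.append((key, path, problem))
            continue
        m = _KEY_INCLUDE_RE.match(line)
        if m:
            path = m.group("path")
            ok = exists(os.path.join(config_dir, path))
            findings.append(("include", path, None if ok else PROBLEM_MISSING))
    return findings


# Constructed sample mirroring the post: one quoted value, one tag, one key form.
SAMPLE_CONFIG = """\
%YAML 1.1
---
include: vars.yaml
af-packet: "!include interfaces.yaml"
outputs: !include outputs.yaml
"""

if __name__ == "__main__":
    for key, path, problem in check_includes(SAMPLE_CONFIG, "/etc/suricata"):
        print(f"{key}: {path} -> {problem or 'ok'}")
```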