- After reload allow to write log files or use syslog.
- Switch user and group to avoid running as root.
- To remove pid file its directory must be writable by suricata user.
- Avoid need to run autoconf by setting variables which will be
  modified by SUBST_CMD


Index: suricata.yaml.in
--- suricata.yaml.in.orig
+++ suricata.yaml.in
@@ -58,7 +58,7 @@ vars:
 # The default logging directory.  Any log or output file will be
 # placed here if it's not specified with a full path name. This can be
 # overridden with the -l command line parameter.
-default-log-dir: @e_logdir@
+default-log-dir: ${LOCALSTATEDIR}/log/suricata
 
 # Global stats configuration
 stats:
@@ -84,14 +84,16 @@ outputs:
   - fast:
       enabled: yes
       filename: fast.log
+      filemode: 664
       append: yes
       #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
 
   # Extensible Event Format (nicknamed EVE) event log in JSON format
   - eve-log:
-      enabled: @e_enable_evelog@
+      enabled: yes
       filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
       filename: eve.json
+      filemode: 664
       # Enable for multi-threaded eve.json output; output files are amended with
       # an identifier, e.g., eve.9.json
       #threaded: false
@@ -341,6 +343,7 @@ outputs:
   - http-log:
       enabled: no
       filename: http.log
+      filemode: 664
       append: yes
       #extended: yes     # enable this for extended logging information
       #custom: yes       # enable the custom logging format (defined by customformat)
@@ -351,6 +354,7 @@ outputs:
   - tls-log:
       enabled: no  # Log TLS connections.
       filename: tls.log # File to store TLS logs.
+      filemode: 664
       append: yes
       #extended: yes     # Log extended information like fingerprint
       #custom: yes       # enabled the custom logging format (defined by customformat)
@@ -398,6 +402,7 @@ outputs:
   - pcap-log:
       enabled: no
       filename: log.pcap
+      filemode: 664
 
       # File size limit.  Can be specified in kb, mb, gb.  Just a number
       # is parsed as bytes.
@@ -436,6 +441,7 @@ outputs:
   - alert-debug:
       enabled: no
       filename: alert-debug.log
+      filemode: 664
       append: yes
       #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
 
@@ -443,6 +449,7 @@ outputs:
   - stats:
       enabled: yes
       filename: stats.log
+      filemode: 664
       append: yes       # append to file (yes) or overwrite it (no)
       totals: yes       # stats for all threads merged together
       threads: no       # per thread stats
@@ -536,6 +543,7 @@ outputs:
       enabled: no
       type: file
       filename: tcp-data.log
+      filemode: 664
 
   # Log HTTP body data after normalization, de-chunking and unzipping.
   # Two types: file or dir.
@@ -549,6 +557,7 @@ outputs:
       enabled: no
       type: file
       filename: http-data.log
+      filemode: 664
 
   # Lua Output Support - execute lua script to generate alert and event
   # output.
@@ -1206,9 +1215,9 @@ datasets:
 ##
 
 # Run Suricata with a specific user-id and group-id:
-#run-as:
-#  user: suri
-#  group: suri
+run-as:
+  user: _suricata
+  group: _suricata
 
 security:
   # if true, prevents process creation from Suricata by calling
@@ -1219,13 +1228,11 @@ security:
     enabled: no
     directories:
       #write:
-      #  - @e_rundir@
       # /usr and /etc folders are added to read list to allow
       # file magic to be used.
       read:
         - /usr/
         - /etc/
-        - @e_sysconfdir@
 
   lua:
     # Allow Lua rules. Disabled by default.
@@ -1238,7 +1245,7 @@ security:
 # Default location of the pid file. The pid file is only used in
 # daemon mode (start Suricata with -D). If not running in daemon mode
 # the --pidfile command line option must be used to create a pid file.
-#pid-file: @e_rundir@suricata.pid
+pid-file: ${LOCALSTATEDIR}/run/suricata/suricata.pid
 
 # Daemon working directory
 # Suricata will change directory to this one if provided
@@ -1306,8 +1313,7 @@ unix-command:
   #filename: custom.socket
 
 # Magic file. The extension .mgc is added to the value here.
-#magic-file: /usr/share/file/magic
-@e_magic_file_comment@magic-file: @e_magic_file@
+#magic-file: ${LOCALBASE}/share/misc/magic
 
 # GeoIP2 database file. Specify path and filename of GeoIP2 database
 # if using rules with "geoip" rule option.
@@ -1345,8 +1351,8 @@ legacy:
 exception-policy: auto
 
 # IP Reputation
-#reputation-categories-file: @e_sysconfdir@iprep/categories.txt
-#default-reputation-path: @e_sysconfdir@iprep
+#reputation-categories-file: ${SYSCONFDIR}/suricata/iprep/categories.txt
+#default-reputation-path: ${SYSCONFDIR}/suricata/iprep
 #reputation-files:
 # - reputation.list
 
@@ -1828,7 +1834,7 @@ profiling:
     limit: 10
 
     # output to json
-    json: @e_enable_evelog@
+    json: true
 
   # per keyword profiling
   keywords:
@@ -2158,22 +2164,44 @@ napatech:
     #
     hashmode: hash5tuplesorted
 
+
+## Enable one or other of the two sections:
+
+
 ##
 ## Configure Suricata to load Suricata-Update managed rules.
 ##
-
-default-rule-path: @e_defaultruledir@
-
+default-rule-path: ${LOCALSTATEDIR}/suricata/rules
 rule-files:
   - suricata.rules
 
 ##
+## Configure Suricata to use basic bundled rules.
+##
+#default-rule-path: ${SYSCONFDIR}/suricata/rules
+#rule-files:
+#  - app-layer-events.rules
+#  - decoder-events.rules
+#  - dhcp-events.rules
+#  - dns-events.rules
+#  - files.rules
+#  - http-events.rules
+#  - ipsec-events.rules
+#  - kerberos-events.rules
+#  - nfs-events.rules
+#  - ntp-events.rules
+#  - smb-events.rules
+#  - smtp-events.rules
+#  - stream-events.rules
+#  - tls-events.rules
+
+##
 ## Auxiliary configuration files.
 ##
 
-classification-file: @e_sysconfdir@classification.config
-reference-config-file: @e_sysconfdir@reference.config
-# threshold-file: @e_sysconfdir@threshold.config
+classification-file: ${SYSCONFDIR}/suricata/classification.config
+reference-config-file: ${SYSCONFDIR}/suricata/reference.config
+# threshold-file: ${SYSCONFDIR}/suricata/threshold.config
 
 ##
 ## Include other configs
