Suricata

In the default config, we have

unix-command:
  enabled: auto

At least on Linux, this leads to the suricata run directory being created as well as the socket being opened.

However, if this section is omitted from a yaml, the behavior is to disable the unix socket.

I believe omitting the setting from the yaml should act as if unix-command.enabled=auto was set.