ja4sentinel/config.yml.example

# Sample configuration file for ja4sentinel
# Copy to config.yml and adjust as needed

core:
  # Network interface to capture traffic from
  # Use "any" to capture from all interfaces (recommended)
  # Or specify a specific interface (e.g., eth0, ens192, etc.)
  interface: eth0

  # TCP ports to monitor for TLS handshakes
  listen_ports:
    - 443
    - 8443

  # Optional BPF filter (leave empty for auto-generated filter based on listen_ports and local_ips)
  bpf_filter: ""

  # Local IP addresses to monitor (traffic destined to these IPs will be captured)
  # Leave empty for auto-detection (recommended) - excludes loopback addresses
  # Or specify manually: ["192.168.1.10", "10.0.0.5", "2001:db8::1"]
  local_ips: []

  # Source IP addresses or CIDR ranges to exclude from capture
  # Useful for filtering out internal traffic, health checks, or monitoring systems
  # Examples: ["10.0.0.0/8", "192.168.1.1", "172.16.0.0/12"]
  exclude_source_ips: []

  # Timeout in seconds for TLS handshake extraction (default: 30)
  flow_timeout_sec: 30

  # Buffer size for packet channel (default: 1000, increase for high-traffic environments)
  packet_buffer_size: 1000

  # Log level: debug, info, warn, error (default: info)
  # Can be overridden by JA4SENTINEL_LOG_LEVEL environment variable
  log_level: info

outputs:
  # Output to UNIX socket (for systemd/journald or other consumers)
  # Only JSON LogRecord data is sent - no diagnostic logs
  - type: unix_socket
    enabled: true
    params:
      socket_path: /var/run/logcorrelator/network.socket

  # Output to stdout (JSON lines)
  # Diagnostic logs (error, debug, warning) should go here
  # - type: stdout
  #   enabled: false
  #   params: {}

  # Output to file
  # Only JSON LogRecord data is sent - no diagnostic logs
  # - type: file
  #   enabled: false
  #   params:
  #     path: /var/log/ja4sentinel/ja4.log