# logcorrelator configuration file
# Format: YAML

# Logging configuration
log:
  level: INFO  # DEBUG, INFO, WARN, ERROR

inputs:
  unix_sockets:
    - name: http
      source_type: A
      path: /var/run/logcorrelator/http.socket
      format: json
      socket_permissions: "0666"  # world read/write
    - name: network
      source_type: B
      path: /var/run/logcorrelator/network.socket
      format: json
      socket_permissions: "0666"

outputs:
  file:
    enabled: true
    path: /var/log/logcorrelator/correlated.log

  clickhouse:
    enabled: false
    dsn: clickhouse://user:pass@localhost:9000/db
    table: correlated_logs_http_network
    batch_size: 500
    flush_interval_ms: 200
    max_buffer_size: 5000
    drop_on_overflow: true
    async_insert: true
    timeout_ms: 1000

  stdout:
    enabled: false
    level: INFO  # DEBUG: all logs including orphans, INFO: only correlated, WARN: correlated only, ERROR: none

correlation:
  # Time window for correlation (A and B must be within this window)
  # Increased to 10s to support HTTP Keep-Alive scenarios
  time_window:
    value: 10
    unit: s

  # Orphan policy: what to do when no match is found
  orphan_policy:
    apache_always_emit: true  # Always emit A events, even without B match
    apache_emit_delay_ms: 500  # Wait 500ms before emitting as orphan (allows B to arrive)
    network_emit: false       # Never emit B events alone

  # Matching mode: one_to_one or one_to_many (Keep-Alive)
  matching:
    mode: one_to_many

  # Buffer limits (max events in memory)
  buffers:
    max_http_items: 10000
    max_network_items: 20000

  # TTL for network events (source B)
  # Increased to 120s to support long-lived HTTP Keep-Alive sessions
  ttl:
    network_ttl_s: 120