# logcorrelator configuration file
# Format: directive value [value...]
# Lines starting with # are comments
# Service configuration
service.name logcorrelator
service.language go
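# Input sources (at least 2 required)
# Any process that can write to these socket paths can submit events to the
# correlator, so keep the socket directory writable only by the intended log producers.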
# Format: input.unix_socket <name> <path> [format]
input.unix_socket apache_source /var/run/logcorrelator/apache.sock json
input.unix_socket network_source /var/run/logcorrelator/network.sock json
# File output
output.file.enabled true
output.file.path /var/log/logcorrelator/correlated.log
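# ClickHouse output
# The DSN embeds the database username and password in clear text: replace the
# sample user:pass, and keep this file readable only by the service account.
# NOTE(review): drop_on_overflow presumably discards events once max_buffer_size
# is reached; confirm, and monitor for loss if these logs feed detection or forensics.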
output.clickhouse.enabled false
output.clickhouse.dsn clickhouse://user:pass@localhost:9000/db
output.clickhouse.table correlated_logs_http_network
output.clickhouse.batch_size 500
output.clickhouse.flush_interval_ms 200
output.clickhouse.max_buffer_size 5000
output.clickhouse.drop_on_overflow true
output.clickhouse.async_insert true
output.clickhouse.timeout_ms 1000
# Stdout output (for debugging)
output.stdout.enabled false
# Correlation configuration
correlation.key src_ip,src_port
correlation.time_window.value 1
correlation.time_window.unit s
# Orphan policy
# apache_always_emit: always emit apache_source (A) events, even when no network_source (B) event matches
# network_emit: emit unmatched network_source (B) events on their own (usually false)
correlation.orphan_policy.apache_always_emit true
correlation.orphan_policy.network_emit false