324b0042f8
- Install logcorrelator.yml.example to /etc/logcorrelator/ instead of /usr/share/logcorrelator/ - Change default socket permissions from 0660 to 0666 (world read/write) - Bump version to 1.1.2 - Remove CHANGELOG.md Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
64 lines
1.4 KiB
YAML
64 lines
1.4 KiB
YAML
# logcorrelator configuration file
|
|
# Format: YAML
|
|
|
|
# Logging configuration
|
|
log:
|
|
level: INFO # DEBUG, INFO, WARN, ERROR
|
|
|
|
inputs:
|
|
unix_sockets:
|
|
- name: http
|
|
source_type: A
|
|
path: /var/run/logcorrelator/http.socket
|
|
format: json
|
|
socket_permissions: "0666" # world read/write
|
|
- name: network
|
|
source_type: B
|
|
path: /var/run/logcorrelator/network.socket
|
|
format: json
|
|
socket_permissions: "0666"
|
|
|
|
outputs:
|
|
file:
|
|
enabled: true
|
|
path: /var/log/logcorrelator/correlated.log
|
|
|
|
clickhouse:
|
|
enabled: false
|
|
dsn: clickhouse://user:pass@localhost:9000/db
|
|
table: correlated_logs_http_network
|
|
batch_size: 500
|
|
flush_interval_ms: 200
|
|
max_buffer_size: 5000
|
|
drop_on_overflow: true
|
|
async_insert: true
|
|
timeout_ms: 1000
|
|
|
|
stdout:
|
|
enabled: false
|
|
|
|
correlation:
|
|
# Time window for correlation (A and B must be within this window)
|
|
time_window:
|
|
value: 1
|
|
unit: s
|
|
|
|
# Orphan policy: what to do when no match is found
|
|
orphan_policy:
|
|
apache_always_emit: true # Always emit A events, even without B match
|
|
network_emit: false # Never emit B events alone
|
|
|
|
# Matching mode: one_to_one or one_to_many (Keep-Alive)
|
|
matching:
|
|
mode: one_to_many
|
|
|
|
# Buffer limits (max events in memory)
|
|
buffers:
|
|
max_http_items: 10000
|
|
max_network_items: 20000
|
|
|
|
# TTL for network events (source B)
|
|
ttl:
|
|
network_ttl_s: 30
|
|
|