logcorrelator/config.example.yml

# logcorrelator configuration file
# Format: YAML

# Logging configuration
log:
  level: INFO  # DEBUG, INFO, WARN, ERROR

inputs:
  unix_sockets:
    - name: http
      source_type: A
      path: /var/run/logcorrelator/http.socket
      format: json
      socket_permissions: "0666"  # world read/write
    - name: network
      source_type: B
      path: /var/run/logcorrelator/network.socket
      format: json
      socket_permissions: "0666"

outputs:
  file:
    enabled: true
    path: /var/log/logcorrelator/correlated.log

  clickhouse:
    enabled: false
    dsn: clickhouse://user:pass@localhost:9000/db
    table: correlated_logs_http_network
    batch_size: 500
    flush_interval_ms: 200
    max_buffer_size: 5000
    drop_on_overflow: true
    async_insert: true
    timeout_ms: 1000

  stdout:
    enabled: false
    level: INFO  # DEBUG: all logs including orphans, INFO: only correlated, WARN: correlated only, ERROR: none

correlation:
  # Time window for correlation (A and B must be within this window)
  time_window:
    value: 1
    unit: s
  
  # Orphan policy: what to do when no match is found
  orphan_policy:
    apache_always_emit: true  # Always emit A events, even without B match
    network_emit: false       # Never emit B events alone
  
  # Matching mode: one_to_one or one_to_many (Keep-Alive)
  matching:
    mode: one_to_many
  
  # Buffer limits (max events in memory)
  buffers:
    max_http_items: 10000
    max_network_items: 20000
  
  # TTL for network events (source B)
  ttl:
    network_ttl_s: 30