dstore-dist-eventforwarder
Root Node Config
A sample dstore-dist-eventforwarder configuration is shown below:

```yaml
listen_addr: ":8332"
filter_tags:
  malware:
    - TagA
    - TagB
  contentfilter:
    - TagC
elasticsearch:
  index: event-forwarder
  add_date_to_index: true
  addr: http://elasticsearch:9200
  user: elastic
  password: changeme
```
The following YAML key-values are supported for configuration at the root node:
| Parameter | Type | Default | Description |
|---|---|---|---|
| elasticsearch | Elasticsearch | | Settings for the Elasticsearch output; see the Elasticsearch section below |
| filter_tags | Filter Tags | | Tag lists used to classify filtered events; see the Filter Tags section below |
| listen_addr | `ip:port` | | The address to listen on for protobuf messages, as an address:port string with an IPv4 or IPv6 address. IPv6 addresses must be placed in square brackets, like `[::1]`. Omit the address to listen on all local addresses |
| max_concurrent | integer | 16 | Number of concurrent senders |
| tlsconfig | TLS Config | | TLS configuration for the listener |
Filter Tags
The following YAML fields are supported for configuration of filter tags:
| Parameter | Type | Description |
|---|---|---|
| blocklist | List of string | A list of tags that indicate the event is filtered because the user added the domain to their personal blocklist |
| botnet | List of string | A list of tags that indicate the event is filtered for the purposes of preventing botnet command and control connections |
| contentfilter | List of string | A list of tags that indicate the event is filtered because the user asked for that category of content to be filtered |
| malware | List of string | A list of tags that indicate the event is filtered for the purposes of preventing malware |
| phishing | List of string | A list of tags that indicate the event is filtered for the purposes of preventing phishing |
Elasticsearch
The following YAML fields are supported for configuration:
| Parameter | Type | Description |
|---|---|---|
| add_date_to_index | boolean | If true, append the date to the index name when sending events, e.g. `indexname-2006-12-23` |
| addr | string | The URL of the Elasticsearch server |
| api_key | string | Alternative authentication method: an Elasticsearch API key used instead of user/password |
| cloud_id | string | Alternative authentication method: an Elastic Cloud ID used instead of user/password |
| index | string | Name of the Elasticsearch index to send events to |
| password | string | The password to authenticate to Elasticsearch |
| tlsconfig | TLS Config | TLS configuration for the connection to Elasticsearch. Leave out if not using TLS |
| user | string | The username to authenticate to Elasticsearch |