# collector configuration file
#
# Run collector with flag -conf and specify location of the configuration file.
#
# You can override all the values using environment variables with the format like
#   COLLECTOR__<ANYNAME>=<section>__<key>=<value>
# As an example you can set dataPath in [general] section as
#   COLLECTOR__DATAPATH=general__dataPath=C:\\some\\path\\data.db
# This parameter can be configured using -env-override, set it to empty string to disable this feature

[general]

# Please review license https://www.outcoldsolutions.com/docs/license-agreement/
# and accept license by changing the value to *true*
acceptLicense = false

# location for the database
# is used to store position of the files and internal state
dataPath = ./data/

# log level (trace, debug, info, warn, error, fatal)
logLevel = info

# http server gives access to two endpoints
# /healthz
# /metrics
httpServerBinding =

# telemetry report endpoint, set it to empty string to disable telemetry
telemetryEndpoint = https://license.outcold.solutions/telemetry/

# license check endpoint
licenseEndpoint = https://license.outcold.solutions/license/

# license server through proxy
licenseServerProxyUrl =

# authentication with basic authorization (user:password)
licenseServerProxyBasicAuth =

# license key
license =

# docker daemon hostname is used by default as hostname
# use this configuration to override
hostname =

# Default output for events, logs and metrics
# valid values: splunk and devnull
# Use devnull by default if you don't want to redirect data
defaultOutput = splunk

# Default buffer size for file input
fileInputBufferSize = 256b

# Maximum size of one line the file reader can read
fileInputLineMaxSize = 1mb

# Include custom fields to attach to every event, in example below every event sent to Splunk will hav
# indexed field my_environment=dev. Fields names should match to ^[a-z][_a-z0-9]*$
# Better way to configure that is to specify labels for Docker Hosts.
# ; fields.my_environment = dev

# Include EC2 Metadata (see list of possible fields https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html)
# Should be in format ec2Metadata.{desired_field_name} = {url path to read the value}
# ec2Metadata.ec2_instance_id = /latest/meta-data/instance-id
# ec2Metadata.ec2_instance_type = /latest/meta-data/instance-type

# subdomain for the annotations added to the pods, workloads, namespaces or containers, like splunk.collectord.io/..
annotationsSubdomain =

# configure global thruput per second for forwarded logs (metrics are not included)
# for example if you set `thruputPerSecond = 512Kb`, that will limit amount of logs forwarded
# from the single Collectord instance to 512Kb per second.
# You can configure thruput individually for the logs (including specific for container logs) below
thruputPerSecond =

# Configure events that are too old to be forwarded, for example 168h (7 days) - that will drop all events
# older than 7 days
tooOldEvents =

# Configure events that are too new to be forwarded, for example 1h - that will drop all events that are 1h in future
tooNewEvents =


[license.client]
# point to the license located on the HTTP web server, or a hosted by the Collectord running as license server
url =
# basic authentication for the HTTP server
basicAuth =
# if SSL, ignore the certificate verification
insecure = false
# CA Path for the Server certificate
capath =
# CA Name fot the Server certificate
caname =
# license server through proxy
proxyUrl =
# authentication with basic authorization (user:password)
proxyBasicAuth =


# forward internal collectord metrics
[input.collectord_metrics]

# disable collectord internal metrics
disabled = false

# override type
type = docker_prometheus

# how often to collect internal metrics
interval = 1m

# set output (splunk or devnull, default is [general]defaultOutput)
output =

# specify Splunk index
index =

# whitelist or blacklist the metrics
whitelist.1 = ^file_input_open$
whitelist.2 = ^file_input_read_bytes$
whitelist.3 = ^docker_handlers$
whitelist.4 = ^pipe$
whitelist.5 = ^pipelines_num$
whitelist.6 = ^splunk_post_bytes_sum.*$
whitelist.7 = ^splunk_post_events_count_sum.*$
whitelist.8 = ^splunk_post_failed_requests$
whitelist.9 = ^splunk_post_message_max_lag_seconds_bucket.*$
whitelist.10 = ^splunk_post_requests_seconds_sum.*$
whitelist.11 = ^splunk_post_retries_required_sum.*$


# connection to docker host
[general.docker]

# url for docker API, only unix socket is supported
url = unix:///rootfs/var/run/docker.sock

# path to docker root folder (can fallback to use folder structure to read docker metadata)
# used to discovery application logs and collecting mount stats (usage)
dockerRootFolder = /rootfs/var/lib/docker/

# Timeout for http responses to docker client. The streaming requests depend on this timeout.
timeout = 1m

# regex to find docker container cgroups (helps excluding other cgroups with matched ID)
containersCgroupFilter = ^/([^/\s]+/)*(((docker-|docker/|ecs/[a-f0-9\-]{36}/)[0-9a-f]{64}(\.scope)?)|(libpod-[0-9a-f]{64}(\.scope)?/container))$

# api version for internal calls
apiVersion = v1.21

# cgroup input
# sends stas for the host and cgroups (containers)
[input.system_stats]

# disable system level stats
disabled.host = false
disabled.cgroup = false

# cgroups fs location
pathCgroups = /rootfs/sys/fs/cgroup

# proc location
pathProc = /rootfs/proc

# how often to collect cgroup stats
statsInterval = 30s

# override type
type.host = docker_stats_v2_host
type.cgroup = docker_stats_v2_cgroup

# specify Splunk index
index.host =
index.cgroup =

# set output (splunk or devnull, default is [general]defaultOutput)
output.host =
output.cgroup =


# mount input (collects mount stats where docker runtime is stored)
[input.mount_stats]

# disable system level stats
disabled = false

# how often to collect mount stats
statsInterval = 30s

# override type
type = docker_mount_stats

# specify Splunk index
index =

# set output (splunk or devnull, default is [general]defaultOutput)
output =


# diskstats input (collects /proc/diskstats)
[input.disk_stats]

# disable system level stats
disabled = false

# how often to collect mount stats
statsInterval = 30s

# override type
type = docker_disk_stats

# specify Splunk index
index =

# set output (splunk or devnull, default is [general]defaultOutput)
output =


# proc input
[input.proc_stats]

# disable proc level stats
disabled = false

# proc location
pathProc = /rootfs/proc

# how often to collect proc stats
statsInterval = 60s

# override type
type = docker_proc_stats_v2

# specify Splunk index
index.host =
index.cgroup =

# proc filesystem includes by default system threads (there can be over 100 of them)
# these stats do not help with the observability
# excluding them can reduce the size of the index, performance of the searches and usage of the collector
includeSystemThreads = false

# set output (splunk or devnull, default is [general]defaultOutput)
output.host =
output.cgroup =


# network stats
[input.net_stats]

# disable net stats
disabled = false

# proc path location
pathProc = /rootfs/proc

# how often to collect net stats
statsInterval = 30s

# override type
type = docker_net_stats_v2

# specify Splunk index
index =

# set output (splunk or devnull, default is [general]defaultOutput)
output =


# network socket table
[input.net_socket_table]

# disable net stats
disabled = false

# proc path location
pathProc = /rootfs/proc

# how often to collect net stats
statsInterval = 30s

# override type
type = docker_net_socket_table

# specify Splunk index
index =

# set output (splunk or devnull, default is [general]defaultOutput)
output =

# group connections by tcp_state, localAddr, remoteAddr (if localPort is not the port it is listening on)
# that can significally reduces the amount of events
group = true


# Log files
[input.files]

# disable container logs monitoring
disabled = false

# root location of docker log files, expecting that this folder has a folder for each container,
# folder is the containerID
path = /rootfs/var/lib/docker/containers/

# (obsolete, ignored) glob matching pattern for log files
# glob = */*-json.log*

# files are read using polling schema, when reach the EOF how often to check if files got updated
pollingInterval = 250ms

# how often to look for the new files under logs path
walkingInterval = 5s

# include verbose fields in events (file offset)
verboseFields = false

# override type
type = docker_logs

# specify Splunk index
index =

# docker splits events when they are larger than 10-100k (depends on the docker version)
# we join them together by default and forward to Splunk as one event
joinPartialEvents = true

# In case if your containers report messages with terminal colors or other escape sequences
# you can enable strip for all the containers in one place.
# Better is to enable it only for required container with the label collectord.io/strip-terminal-escape-sequences=true
stripTerminalEscapeSequences = false
# Regexp used for stripping terminal colors, it does not stip all the escape sequences
# Read http://man7.org/linux/man-pages/man4/console_codes.4.html for more information
stripTerminalEscapeSequencesRegex = (\x1b\[\d{1,3}(;\d{1,3})*m)|(\x07)|(\x1b]\d+(\s\d)?;[^\x07]+\x07)|(.*\x1b\[K)

# sample output (-1 does not sample, 20 - only 20% of the logs should be forwarded)
samplingPercent = -1

# sampling key for hash based sampling (should be regexp with the named match pattern `key`)
samplingKey =

# set output (splunk or devnull, default is [general]defaultOutput)
output =

# configure default thruput per second for for each container log
# for example if you set `thruputPerSecond = 128Kb`, that will limit amount of logs forwarded
# from the single container to 128Kb per second.
thruputPerSecond =

# Configure events that are too old to be forwarded, for example 168h (7 days) - that will drop all events
# older than 7 days
tooOldEvents =

# Configure events that are too new to be forwarded, for example 1h - that will drop all events that are 1h in future
tooNewEvents =


# Application Logs
[input.app_logs]

# disable container logs monitoring
disabled = false

# root location of mounts (applies to hostPath mounts only), , if the hostPath differs inside container from the path on host
root = /rootfs

# how often to review list of available volumes
syncInterval = 5s

# glob matching pattern for log files
glob = *.log*

# files are read using polling schema, when reach the EOF how often to check if files got updated
pollingInterval = 250ms

# how often to look for the new files under logs path
walkingInterval = 5s

# include verbose fields in events (file offset)
verboseFields = false

# override type
type = docker_logs

# specify Splunk index
index =

# we split files using new line character, with this configuration you can specify what defines the new event
# after new line
eventPatternRegex = ^[^\s]
# Maximum interval of messages in pipeline
eventPatternMaxInterval = 100ms
# Maximum time to wait for the messages in pipeline
eventPatternMaxWait = 1s
# Maximum message size
eventPatternMaxSize = 100kb

# sample output (-1 does not sample, 20 - only 20% of the logs should be forwarded)
samplingPercent = -1

# sampling key for hash based sampling (should be regexp with the named match pattern `key`)
samplingKey =

# set output (splunk or devnull, default is [general]defaultOutput)
output =

# configure default thruput per second for for each container log
# for example if you set `thruputPerSecond = 128Kb`, that will limit amount of logs forwarded
# from the single container to 128Kb per second.
thruputPerSecond =

# Configure events that are too old to be forwarded, for example 168h (7 days) - that will drop all events
# older than 7 days
tooOldEvents =

# Configure events that are too new to be forwarded, for example 1h - that will drop all events that are 1h in future
tooNewEvents =

# Configure how long Collectord should keep the file descriptors open for files, that has not been forwarded yet
# When using PVC, and if pipeline is lagging behind, Collectord holding open fd for files, can cause long termination
# of pods, as kubelet cannot unmount the PVC volume from the system
maxHoldAfterClose = 1800s


# Input syslog(.\d+)? files
[input.files::syslog]

# disable host level logs
disabled = false

# root location of log files
path = /rootfs/var/log/

# regex matching pattern
match = ^(syslog|messages)(.\d+)?$

# limit search only on one level
recursive = false

# files are read using polling schema, when reach the EOF how often to check if files got updated
pollingInterval = 250ms

# how often o look for the new files under logs path
walkingInterval = 5s

# include verbose fields in events (file offset)
verboseFields = false

# override type
type = docker_host_logs

# specify Splunk index
index =

# field extraction
extraction = ^(?P<timestamp>[A-Za-z]+\s+\d+\s\d+:\d+:\d+)\s(?P<syslog_hostname>[^\s]+)\s(?P<syslog_component>[^:\[]+)(\[(?P<syslog_pid>\d+)\])?: (.+)$

# timestamp field
timestampField = timestamp

# format for timestamp
# the layout defines the format by showing how the reference time, defined to be `Mon Jan 2 15:04:05 -0700 MST 2006`
timestampFormat = Jan 2 15:04:05

# Adjust date, if month/day aren't set in format
timestampSetMonth = false
timestampSetDay = false

# timestamp location (if not defined by format)
timestampLocation = Local

# sample output (-1 does not sample, 20 - only 20% of the logs should be forwarded)
samplingPercent = -1

# sampling key for hash based sampling (should be regexp with the named match pattern `key`)
samplingKey =

# set output (splunk or devnull, default is [general]defaultOutput)
output =

# configure default thruput per second for for each container log
# for example if you set `thruputPerSecond = 128Kb`, that will limit amount of logs forwarded
# from the single container to 128Kb per second.
thruputPerSecond =

# Configure events that are too old to be forwarded, for example 168h (7 days) - that will drop all events
# older than 7 days
tooOldEvents =

# Configure events that are too new to be forwarded, for example 1h - that will drop all events that are 1h in future
tooNewEvents =


# Input all *.log(.\d+)? files
[input.files::logs]

# disable host level logs
disabled = false

# root location of log files
path = /rootfs/var/log/

# regex matching pattern
match = ^(([\w\-.]+\.log(.[\d\-]+)?)|(docker))$

# files are read using polling schema, when reach the EOF how often to check if files got updated
pollingInterval = 250ms

# how often o look for the new files under logs path
walkingInterval = 5s

# include verbose fields in events (file offset)
verboseFields = false

# override type
type = docker_host_logs

# specify Splunk index
index =

# field extraction
extraction =

# timestamp field
timestampField =

# format for timestamp
# the layout defines the format by showing how the reference time, defined to be `Mon Jan 2 15:04:05 -0700 MST 2006`
timestampFormat =

# timestamp location (if not defined by format)
timestampLocation =

# sample output (-1 does not sample, 20 - only 20% of the logs should be forwarded)
samplingPercent = -1

# sampling key (should be regexp with the named match pattern `key`)
samplingKey =

# set output (splunk or devnull, default is [general]defaultOutput)
output =

# configure default thruput per second for for each container log
# for example if you set `thruputPerSecond = 128Kb`, that will limit amount of logs forwarded
# from the single container to 128Kb per second.
thruputPerSecond =

# Configure events that are too old to be forwarded, for example 168h (7 days) - that will drop all events
# older than 7 days
tooOldEvents =

# Configure events that are too new to be forwarded, for example 1h - that will drop all events that are 1h in future
tooNewEvents =


[input.journald]

# disable host level logs
disabled = false

# root location of log files
path.persistent = /rootfs/var/log/journal/
path.volatile = /rootfs/run/log/journal/

# when reach end of journald, how often to pull
pollingInterval = 250ms

# override type
type = docker_host_logs

# specify Splunk index
index =

# sample output (-1 does not sample, 20 - only 20% of the logs should be forwarded)
samplingPercent = -1

# sampling key (should be regexp with the named match pattern `key`)
samplingKey =

# how often to reopen the journald to free old files
reopenInterval = 1h

# set output (splunk or devnull, default is [general]defaultOutput)
output =

# configure default thruput per second for for each container log
# for example if you set `thruputPerSecond = 128Kb`, that will limit amount of logs forwarded
# from the single container to 128Kb per second.
thruputPerSecond =

# Configure events that are too old to be forwarded, for example 168h (7 days) - that will drop all events
# older than 7 days
tooOldEvents =

# Configure events that are too new to be forwarded, for example 1h - that will drop all events that are 1h in future
tooNewEvents =

# Move Journald logs reader to a separate process, to prevent process from crashing in case of corrupted log files
spawnExternalProcess = false

# Docker input (events)
[input.docker_events]

# disable docker events
disabled = false

# (obsolete) interval to poll for new events in docker
# docker events are streamed in realtime, recreating connections every ~docker.timeout
# eventsPollingInterval = 5s

# override type
type = docker_events

# specify Splunk index
index =

# set output (splunk or devnull, default is [general]defaultOutput)
output =


[input.docker_api::containers]

# disable docker events
disabled = false

path = /containers/json
inspectPath = /containers//json
interval = 5m
query = all=1
apiVersion =

# override type
type = docker_objects

# specify Splunk index
index =

# set output (splunk or devnull, default is [general]defaultOutput)
output =


[input.docker_api::images]

# disable docker events
disabled = false

path = /images/json
inspectPath = /images//json
interval = 5m
query = all=0
apiVersion =

# override type
type = docker_objects

# specify Splunk index
index =

# set output (splunk or devnull, default is [general]defaultOutput)
output =

[input.docker_api::system]

# disable docker events
disabled = false

path = /system/df
listPath.Volumes = Volumes
interval = 5m
apiVersion =

# override type
type = docker_objects

# specify Splunk index
index =

# set output (splunk or devnull, default is [general]defaultOutput)
output =

# Splunk output
[output.splunk]

# Splunk HTTP Event Collector url
url =
# You can specify muiltiple splunk URls with
#
# urls.0 = https://server1:8088/services/collector/event/1.0
# urls.1 = https://server1:8088/services/collector/event/1.0
# urls.2 = https://server1:8088/services/collector/event/1.0
#
# Limitations:
# * The urls cannot have different path.

# Specify how URL should be picked up (in case if multiple is used)
# urlSelection = random|round-robin|random-with-round-robin
# where:
# * random - choose random url on first selection and after each failure (connection or HTTP status code >= 500)
# * round-robin - choose url starting from first one and bump on each failure (connection or HTTP status code >= 500)
# * random-with-round-robin - choose random url on first selection and after that in round-robin on each
#                             failure (connection or HTTP status code >= 500)
urlSelection = random-with-round-robin

# Splunk HTTP Event Collector Token
token =

# Allow invalid SSL server certificate
insecure = false

# Path to CA cerificate
caPath =

# CA Name to verify
caName =

# path for client certificate (if required)
clientCertPath =

# path for client key (if required)
clientKeyPath =

# Events are batched with the maximum size set by batchSize and staying in pipeline for not longer
# than set by frequency
frequency = 5s
batchSize = 768K
# limit by the number of events (0 value has no limit on the number of events)
events = 50

# Splunk through proxy
proxyUrl =

# authentication with basic authorization (user:password)
proxyBasicAuth =

# Splunk acknowledgement url (.../services/collector/ack)
ackUrl =
# You can specify muiltiple splunk URls for ackUrl
#
# ackUrls.0 = https://server1:8088/services/collector/ack
# ackUrls.1 = https://server1:8088/services/collector/ack
# ackUrls.2 = https://server1:8088/services/collector/ack
#
# Make sure that they in the same order as urls for url, to make sure that this Splunk instance will be
# able to acknowledge the payload.
#
# Limitations:
# * The urls cannot have different path.

# Enable index acknowledgment
ackEnabled = false

# Index acknowledgment timeout
ackTimeout = 3m

# Timeout specifies a time limit for requests made by collector.
# The timeout includes connection time, any
# redirects, and reading the response body.
timeout = 30s

# in case when pipeline can post to multiple indexes, we want to avoid posibility of blocking
# all pipelines, because just some events have incorrect index
dedicatedClientPerIndex = true

# (obsolete) in case if some indexes aren't used anymore, how often to destroy the dedicated client
# dedicatedClientCleanPeriod = 24h

# possible values: RedirectToDefault, Drop, Retry
incorrectIndexBehavior = RedirectToDefault

# gzip compression level (nocompression, default, 1...9)
compressionLevel = default

# number of dedicated splunk output threads (to increase throughput above 4k events per second)
threads = 2
# (BETA) Default algorithm between threads is roundrobin, but you can change it to weighted
threadsAlgorithm = weighted

# if you want to exclude some preindexed fields from events
# excludeFields.docker_container_ip = true

# By default if there are no indexes defined on the message, Collectord sends the event without the index, and
# Splunk HTTP Event Collector going to use the default index for the Token. You can change that, and tell Collectord
# to ignore all events that don't have index defined explicitly
; requireExplicitIndex = true

# You can define if you want to truncate messages that are larger than 1M in length (or define your own size, like 256K)
; maximumMessageLength = 1M

# For messages generated from logs, include unique `event_id` in the event
; includeEventID = false

# Dedicated queue size for the output, default is 1024, larger queue sizes will require more memory,
# but will allow to handle more events in case of network issues
queueSize = 1024

# How many digits after the decimal point to keep for timestamps (0-9)
# Defaults to 3 (milliseconds)
# Change to 6 for microseconds
# Change to 9 for nanoseconds
; timestampPrecision = 3

# Pipe to join events (container logs only)
[pipe.join]

# disable joining event
disabled = false

# Maximum interval of messages in pipeline
maxInterval = 100ms

# Maximum time to wait for the messages in pipeline
maxWait = 1s

# Maximum message size
maxSize = 100K

# Default pattern to indicate new message (should start not from space)
patternRegex = ^[^\s]


# (depricated, use container annotations for settings up join rules)
# Define special event join patterns for matched events
# Section consist of [pipe.join::<name>]
# [pipe.join::my_app]
## Set match pattern for the fields
#; matchRegex.docker_container_image = my_app
#; matchRegex.stream = stdout
## All events start from '[<digits>'
#; patternRegex = ^\[\d+

# You can configure global replace rules for the events, which can help to remove sensitive data
# from logs before they are sent to Splunk. Those rules will be applied to all pipelines for container logs, host logs,
# application logs and events.
# In the following example we replace password=TEST with password=********
; [pipe.replace::name]
; patternRegex = (password=)([^\s]+)
; replace = $1********

# Collectord reports if entropy is low
; [diagnostics::node-entropy]
; settings.path = /rootfs/proc/sys/kernel/random/entropy_avail
; settings.interval = 1h
; settings.threshold = 800

# Collectord can report if node reboot is required
[diagnostics::node-reboot-required]
settings.path = /rootfs/var/run/reboot-required*
settings.interval = 1h

# See https://www.kernel.org/doc/Documentation/admin-guide/hw-vuln/index.rst
# And https://www.kernel.org/doc/Documentation/ABI/testing/sysfs-devices-system-cpu
[diagnostics::cpu-vulnerabilities]
settings.path = /rootfs/sys/devices/system/cpu/vulnerabilities/*
settings.interval = 1h