# collector configuration file
#
# Run collector with flag -conf and specify location of the configuration file.
#
# You can override all the values using environment variables with the format like
#   COLLECTOR__<ANYNAME>=<section>__<key>=<value>
# As an example you can set dataPath in [general] section as
#   COLLECTOR__DATAPATH=general__dataPath=C:\\some\\path\\data.db
# This parameter can be configured using -env-override, set it to empty string to disable this feature

[general]

# Please review EULA https://www.outcoldsolutions.com/docs/license-agreement/
# and accept eula by uncommenting this code and changing value to *true*
; acceptEULA = false

# location for the database
# is used to store position of the files and internal state
; dataPath = ./data/

# log level (trace, debug, info, warn, error, fatal)
; logLevel = info

# http server gives access to two endpoints
# /healthz
# /metrics
; httpServerBinding = :8080

# telemetry report endpoint, set it to empty string to disable telemetry
; telemetryEndpoint = https://license.outcold.solutions/telemetry/

# license check endpoint
; licenseEndpoint = https://license.outcold.solutions/license/

# license server through proxy
; licenseServerProxyUrl =

# license
; license =

# docker daemon hostname is used by default as hostname
# use this configuration to override
; hostname =

# Include custom fields to attach to every event, in example below every event sent to Splunk will hav
# indexed field my_environment=dev. Fields names should match to ^[a-z][_a-z0-9]*$
# Better way to configure that is to specify labels for Docker Hosts.
# ; fields.my_environment = dev


# connection to docker host
[general.docker]

# url for docker API, only unix socket is supported
; url = unix:///var/run/docker.sock

# path to docker root folder (can fallback to use folder structure to read docker metadata)
; dockerRootFolder =

# In case if pod metadata was not retrievied. how often collector should retry to reload the pod metadata
; MetadataFetchRetry = 5s

# In case if event is recent, how long pipeline should wait for the metadata to be available in Kubernetes API
; MetadataFetchWait = 30s

# In case if collector does not see new events for specific container and with the last metadata refresh
# We have not found this container - fow how long we should keep this metadata in cache.
; MetadataTTL = 5m


# cgroup input
[input.system_stats]

# disable system level stats
; disabled = false

# cgroups fs location
; pathCgroups = /rootfs/sys/fs/cgroup

# proc location
; pathProc = /rootfs/proc

# how often to collect cgroup stats
; statsInterval = 30s

# override type
; type = docker_stats

# specify Splunk index
; index =


# proc input
[input.proc_stats]

# disable proc level stats
; disabled = false

# proc location
; pathProc = /rootfs/proc

# how often to collect proc stats
; statsInterval = 30s

# override type
; type = docker_proc_stats

# specify Splunk index
; index =


# Log files
[input.files]

# disable container logs monitoring
; disabled = false

# root location of docker files
; path = /var/lib/docker/containers/

# glob matching pattern for log files
; glob = */*-json.log*

# files are read using polling schema, when reach the EOF how often to check if files got updated
; pollingInterval = 250ms

# how often to look for the new files under logs path
; walkingInterval = 5s

# include verbose fields in events (file offset)
; verboseFields = false

# override type
; type = docker_logs

# specify Splunk index
; index =


# Input syslog(.\d+)? files
[input.files::syslog]

# disable host level logs
; disabled = false

# root location of docker files
path = /rootfs/var/log/

# regex matching pattern
match = ^(syslog|messages)(.\d+)?$

# limit search only on one level
recursive = false

# files are read using polling schema, when reach the EOF how often to check if files got updated
pollingInterval = 250ms

# how often o look for the new files under logs path
walkingInterval = 5s

# include verbose fields in events (file offset)
verboseFields = false

# override type
type = docker_host_logs

# specify Splunk index
; index =

# field extraction
extraction = ^(?P<timestamp>[A-Za-z]+\s+\d+\s\d+:\d+:\d+)\s(?P<syslog_hostname>[^\s]+)\s(?P<syslog_component>[^:\[]+)(\[(?P<syslog_pid>\d+)\])?: (.+)$

# timestamp field
timestampField = timestamp

# format for timestamp
# the layout defines the format by showing how the reference time, defined to be `Mon Jan 2 15:04:05 -0700 MST 2006`
timestampFormat = Jan 2 15:04:05

# Adjust date, if month/day aren't set in format
; timestampSetMonth = false
; timestampSetDay = false

# timestamp location (if not defined by format)
timestampLocation = Local


# Input all *.log(.\d+)? files
[input.files::logs]

# disable host level logs
; disabled = false

# root location of docker files
path = /rootfs/var/log/

# regex matching pattern
match = ^[\w]+\.log(.\d+)?$

# files are read using polling schema, when reach the EOF how often to check if files got updated
pollingInterval = 250ms

# how often o look for the new files under logs path
walkingInterval = 5s

# include verbose fields in events (file offset)
verboseFields = false

# override type
type = docker_host_logs

# specify Splunk index
; index =

# field extraction
; extraction =

# timestamp field
; timestampField =

# format for timestamp
# the layout defines the format by showing how the reference time, defined to be `Mon Jan 2 15:04:05 -0700 MST 2006`
; timestampFormat =

# timestamp location (if not defined by format)
; timestampLocation =


# Docker input (events)
[input.docker_events]

# disable docker events
; disabled = false

# interval to poll for new events in docker
; eventsPollingInterval = 5s

# override type
; type = docker_events

# specify Splunk index
; index =


# Splunk output
[output.splunk]

# Splunk HTTP Event Collector url
; url =

# Splunk HTTP Event Collector Token
; token =

# Allow invalid SSL server certificate
; insecure = false

# Path to CA cerificate
; caPath =

# CA Name to verify
; caName =

# Events are batched with the maximum size set by batchSize and staying in pipeline for not longer
# than set by frequency
; frequency = 5s
; batchSize = 768K

# Splunk through proxy
; proxyUrl =

# Splunk acknowledgement url (.../services/collector/ack)
; ackUrl =

# Enable index acknowledgment
; ackEnabled = false

# Index acknowledgment timeout
; ackTimeout = 3m


# Pipe to join events (container logs only)
[pipe.join]

# disable joining event
; disabled = false

# Maximum interval of messages in pipeline
; maxInterval = 100ms

# Maximum time to wait for the messages in pipeline
; maxWait = 1s

# Maximum message size
; maxSize = 100K

# Default pattern to indicate new message (should start not from space)
; patternRegex = ^[^\s]


# Define special event join patterns for matched events
# Section consist of [pipe.join::<name>]
# [pipe.join::my_app]
## Set match pattern for the fields
#; matchRegex.docker_container_image = my_app
#; matchRegex.docker_stream = stdout
## All events start from '[<digits>'
#; patternRegex = ^\[\d+