Collector Configuration
Review /opt/collectorforlinux/etc/001-general.conf
for the default configuration. To override any setting, use the
file /opt/collectorforlinux/etc/001-user.conf
# collector configuration file
#
# Run collector with flag -conf and specify location of the configuration file.
#
# You can override all the values using environment variables with the format like
#   COLLECTOR__<ANYNAME>=<section>__<key>=<value>
# As an example you can set dataPath in [general] section as
#   COLLECTOR__DATAPATH=general__dataPath=C:\\some\\path\\data.db
# This parameter can be configured using -env-override, set it to empty string to disable this feature
#
# Because the override applies to every value, it also reaches security-relevant
# keys such as [output.splunk] token and insecure. If environment overrides are
# not used, disable the feature so the effective configuration is the one on disk.

[general]

# (obsolete, use acceptLicense instead)
# acceptEULA = false

# Please review license https://www.outcoldsolutions.com/docs/license-agreement/
# and accept license by changing the value to *true*
acceptLicense = false

# location for the database
# is used to store position of the files and internal state
dataPath = ../var/collectord

# log level (trace, debug, info, warn, error, fatal)
logLevel = info

# http server gives access to two endpoints
# /healthz
# /metrics
# Empty by default. This file shows no authentication setting for these
# endpoints - NOTE(review): when setting a binding, prefer a loopback or
# otherwise access-restricted address and confirm against the product docs.
httpServerBinding =

# telemetry report endpoint, set it to empty string to disable telemetry
telemetryEndpoint = https://license.outcold.solutions/telemetry/

# license check endpoint
licenseEndpoint = https://license.outcold.solutions/license/

# license server through proxy
licenseServerProxyUrl =

# authentication with basic authorization (user:password)
# This is a credential: set it in /opt/collectorforlinux/etc/001-user.conf
# (readable only by the collector's account) or through an environment override.
licenseServerProxyBasicAuth =

# license key
# Treat as a secret; same handling as the credentials above.
license =

# docker daemon hostname is used by default as hostname
# use this configuration to override
hostname = ${HOSTNAME}

# Default output for events, logs and metrics
# valid values: splunk and devnull
# Use devnull by default if you don't want to redirect data
defaultOutput = splunk

# Default buffer size for file input
fileInputBufferSize = 256b

# Maximum size of one line the file reader can read
fileInputLineMaxSize = 1mb

# Include custom fields to attach to every event, in example below every event sent to Splunk will have
# indexed field my_environment=dev. Fields names should match to ^[a-z][_a-z0-9]*$
# Better way to configure that is to specify labels for Docker Hosts.
#
# fields.my_environment = dev
fields.linux_cluster = -

# Include EC2 Metadata (see list of possible fields https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html)
# Should be in format ec2Metadata.{desired_field_name} = {url path to read the value}
# ec2Metadata.ec2_instance_id = /latest/meta-data/instance-id
# ec2Metadata.ec2_instance_type = /latest/meta-data/instance-type

# subdomain for the annotations added to the pods, workloads, namespaces or containers, like splunk.collectord.io/..
annotationsSubdomain =

# Configure acknowledgement database.
# - force fsync on every write to Write-Ahead-Log
db.fsync = false
# - maximum size of the Write-Ahead-Log
db.compactAt = 1M

# configure global thruput per second for forwarded logs (metrics are not included)
# for example if you set `thruputPerSecond = 512Kb`, that will limit amount of logs forwarded
# from the single Collectord instance to 512Kb per second.
# You can configure thruput individually for the logs (including specific for container logs) below
thruputPerSecond =

# Configure events that are too old to be forwarded, for example 168h (7 days) - that will drop all events
# older than 7 days
tooOldEvents =

# Configure events that are too new to be forwarded, for example 1h - that will drop all events that are 1h in future
tooNewEvents =


# cgroup input
# sends stats for the host and cgroups (containers)
[input.system_stats]

# disable system level stats
disabled.host = false

# cgroups fs location
pathCgroups = /sys/fs/cgroup

# proc location
pathProc = /proc

# how often to collect cgroup stats
statsInterval = 30s

# override type
type.host = linux_stats_v2_host

# specify Splunk index
index.host =

# set output (splunk or devnull, default is [general]defaultOutput)
output.host =


# mount input (collects mount stats where docker runtime is stored)
[input.mount_stats]

# disable system level stats
disabled = false

# how often to collect mount stats
statsInterval = 30s

# override type
type = linux_mount_stats

# specify Splunk index
index =

# set output (splunk or devnull, default is [general]defaultOutput)
output =


# proc input
[input.proc_stats]

# disable proc level stats
disabled = false

# proc location
pathProc = /proc

# how often to collect proc stats
statsInterval = 60s

# override type
type = linux_proc_stats_v2

# specify Splunk index
# NOTE(review): this section uses `index.host` / `output.host` while its
# `disabled` and `type` keys carry no `.host` suffix - confirm which key
# names the collector reads for this input.
index.host =

# proc filesystem includes by default system threads (there can be over 100 of them)
# these stats do not help with the observability
# excluding them can reduce the size of the index, performance of the searches and usage of the collector
includeSystemThreads = false

# set output (splunk or devnull, default is [general]defaultOutput)
output.host =


# network stats
[input.net_stats]

# disable net stats
disabled = false

# proc path location
pathProc = /proc

# how often to collect net stats
statsInterval = 30s

# override type
type = linux_net_stats_v2

# specify Splunk index
index =

# set output (splunk or devnull, default is [general]defaultOutput)
output =


# network socket table
[input.net_socket_table]

# disable net stats
disabled = false

# proc path location
pathProc = /proc

# how often to collect net stats
statsInterval = 30s

# override type
type = linux_net_socket_table

# specify Splunk index
index =

# set output (splunk or devnull, default is [general]defaultOutput)
output =

# group connections by tcp_state, localAddr, remoteAddr (if localPort is not the port it is listening on)
# that can significantly reduce the amount of events
group = true


# Input syslog(.\d+)? files
[input.files::syslog]

# disable host level logs
disabled = false

# root location of log files
path = /var/log/

# regex matching pattern
# NOTE(review): the `.` before \d+ is unescaped, so it matches any single
# character rather than only a literal dot.
match = ^(syslog|messages)(.\d+)?$

# limit search only on one level
recursive = false

# files are read using polling schema, when reach the EOF how often to check if files got updated
pollingInterval = 250ms

# how often to look for the new files under logs path
walkingInterval = 5s

# include verbose fields in events (file offset)
verboseFields = false

# override type
type = linux_host_logs

# specify Splunk index
index =

# field extraction
extraction = ^(?P<timestamp>[A-Za-z]+\s+\d+\s\d+:\d+:\d+)\s(?P<syslog_hostname>[^\s]+)\s(?P<syslog_component>[^:\[]+)(\[(?P<syslog_pid>\d+)\])?: (.+)$

# timestamp field
timestampField = timestamp

# format for timestamp
# the layout defines the format by showing how the reference time, defined to be `Mon Jan 2 15:04:05 -0700 MST 2006`
timestampFormat = Jan 2 15:04:05

# Adjust date, if month/day aren't set in format
timestampSetMonth = false
timestampSetDay = false

# timestamp location (if not defined by format)
timestampLocation = Local

# sample output (-1 does not sample, 20 - only 20% of the logs should be forwarded)
samplingPercent = -1

# sampling key for hash based sampling (should be regexp with the named match pattern `key`)
samplingKey =

# set output (splunk or devnull, default is [general]defaultOutput)
output =

# configure default thruput per second for each container log
# for example if you set `thruputPerSecond = 128Kb`, that will limit amount of logs forwarded
# from the single container to 128Kb per second.
thruputPerSecond =

# Configure events that are too old to be forwarded, for example 168h (7 days) - that will drop all events
# older than 7 days
tooOldEvents =

# Configure events that are too new to be forwarded, for example 1h - that will drop all events that are 1h in future
tooNewEvents =


# Input all *.log(.\d+)? files
[input.files::logs]

# disable host level logs
disabled = false

# root location of log files
path = /var/log/

# regex matching pattern
# The pattern accepts any *.log file name under path, which includes
# authentication logs such as auth.log on hosts that write one; route these
# events to an index with suitable access control, or narrow the pattern.
# NOTE(review): the `.` before [\d\-]+ is unescaped and matches any character.
match = ^(([\w\-.]+\.log(.[\d\-]+)?)|(docker))$

# files are read using polling schema, when reach the EOF how often to check if files got updated
pollingInterval = 250ms

# how often to look for the new files under logs path
walkingInterval = 5s

# include verbose fields in events (file offset)
verboseFields = false

# override type
type = linux_host_logs

# specify Splunk index
index =

# field extraction
extraction =

# timestamp field
timestampField =

# format for timestamp
# the layout defines the format by showing how the reference time, defined to be `Mon Jan 2 15:04:05 -0700 MST 2006`
timestampFormat =

# timestamp location (if not defined by format)
timestampLocation =

# sample output (-1 does not sample, 20 - only 20% of the logs should be forwarded)
samplingPercent = -1

# sampling key (should be regexp with the named match pattern `key`)
samplingKey =

# set output (splunk or devnull, default is [general]defaultOutput)
output =

# configure default thruput per second for each container log
# for example if you set `thruputPerSecond = 128Kb`, that will limit amount of logs forwarded
# from the single container to 128Kb per second.
thruputPerSecond =

# Configure events that are too old to be forwarded, for example 168h (7 days) - that will drop all events
# older than 7 days
tooOldEvents =

# Configure events that are too new to be forwarded, for example 1h - that will drop all events that are 1h in future
tooNewEvents =


[input.journald]

# disable host level logs
disabled = false

# root location of log files
path.persistent = /var/log/journal/
path.volatile = /run/log/journal/

# when reach end of journald, how often to pull
pollingInterval = 250ms

# override type
type = linux_host_logs

# specify Splunk index
index =

# sample output (-1 does not sample, 20 - only 20% of the logs should be forwarded)
samplingPercent = -1

# sampling key (should be regexp with the named match pattern `key`)
samplingKey =

# how often to reopen the journald to free old files
reopenInterval = 1h

# set output (splunk or devnull, default is [general]defaultOutput)
output =

# configure default thruput per second for each container log
# for example if you set `thruputPerSecond = 128Kb`, that will limit amount of logs forwarded
# from the single container to 128Kb per second.
thruputPerSecond =

# Configure events that are too old to be forwarded, for example 168h (7 days) - that will drop all events
# older than 7 days
tooOldEvents =

# Configure events that are too new to be forwarded, for example 1h - that will drop all events that are 1h in future
tooNewEvents =


# Default configuration for join multi-lines
[pipe.join]

# Maximum interval of messages in pipeline
maxInterval = 100ms

# Maximum time to wait for the messages in pipeline
maxWait = 1s

# Maximum message size
maxSize = 100K


# Splunk output
[output.splunk]

# Splunk HTTP Event Collector url
url =

# You can specify multiple Splunk URLs with
#
# urls.0 = https://server1:8088/services/collector/event/1.0
# urls.1 = https://server1:8088/services/collector/event/1.0
# urls.2 = https://server1:8088/services/collector/event/1.0
#
# NOTE(review): all three example entries name server1; presumably each entry
# is meant to point at a different server.
#
# Limitations:
# * The urls cannot have different path.

# Specify how URL should be picked up (in case if multiple is used)
# urlSelection = random|round-robin|random-with-round-robin
# where:
# * random - choose random url on first selection and after each failure (connection or HTTP status code >= 500)
# * round-robin - choose url starting from first one and bump on each failure (connection or HTTP status code >= 500)
# * random-with-round-robin - choose random url on first selection and after that in round-robin on each
#   failure (connection or HTTP status code >= 500)
urlSelection = random-with-round-robin

# Splunk HTTP Event Collector Token
# This is a bearer credential for the HEC endpoint: set it in
# /opt/collectorforlinux/etc/001-user.conf (readable only by the collector's
# account) or through an environment override, not in a shared or
# version-controlled copy of this file.
token =

# Allow invalid SSL server certificate
# Keep this false. With true the collector accepts a certificate it cannot
# validate, so the token and the forwarded events can be intercepted by
# anyone on the network path. For a private CA, set caPath / caName instead.
insecure = false

# Path to CA certificate
caPath =

# CA Name to verify
caName =

# path for client certificate (if required)
clientCertPath =

# path for client key (if required)
# The key file should be readable only by the collector's account.
clientKeyPath =

# Events are batched with the maximum size set by batchSize and staying in pipeline for not longer
# than set by frequency
frequency = 5s
batchSize = 768K
# limit by the number of events (0 value has no limit on the number of events)
events = 50

# Splunk through proxy
proxyUrl =

# authentication with basic authorization (user:password)
# Basic credentials are only encoded, not encrypted - NOTE(review): confirm
# the connection to the proxy is itself protected. Store as for token above.
proxyBasicAuth =

# Splunk acknowledgement url (.../services/collector/ack)
ackUrl =

# You can specify multiple Splunk URLs for ackUrl
#
# ackUrls.0 = https://server1:8088/services/collector/ack
# ackUrls.1 = https://server1:8088/services/collector/ack
# ackUrls.2 = https://server1:8088/services/collector/ack
#
# Make sure that they are in the same order as urls for url, to make sure that this Splunk instance will be
# able to acknowledge the payload.
#
# Limitations:
# * The urls cannot have different path.

# Enable index acknowledgment
ackEnabled = false

# Index acknowledgment timeout
ackTimeout = 3m

# Timeout specifies a time limit for requests made by collector.
# The timeout includes connection time, any
# redirects, and reading the response body.
timeout = 30s

# in case when pipeline can post to multiple indexes, we want to avoid possibility of blocking
# all pipelines, because just some events have incorrect index
dedicatedClientPerIndex = true

# (obsolete) in case if some indexes aren't used anymore, how often to destroy the dedicated client
# dedicatedClientCleanPeriod = 24h

# possible values: RedirectToDefault, Drop, Retry
incorrectIndexBehavior = RedirectToDefault

# gzip compression level (nocompression, default, 1...9)
compressionLevel = default

# number of dedicated splunk output threads (to increase throughput above 4k events per second)
threads = 1