Config File

scope.yml is the sole library configuration file in AppScope.

In Cribl Edge or Cribl Stream, you can use the AppScope Config Editor to create your own variants of scope.yml and save them in the AppScope Config Library.

The contents of the now-eliminated scope_protocol.yml configuration file reside in the protocol section of scope.yml.

scope.yml Config File

Below are the default contents of scope.yml:

#
# AppScope Runtime Configuration
#
# The AppScope library (`libscope.so`) starts with default configs that are
# mimicked here in this file; meaning, run with no config, or with the stock
# version of this config, and the results are the same.
#
# After loading defaults, the library looks for a config in the following
# places in the order shown. The first readable file found is used and the rest
# are ignored. Entries in the config file override the defaults.
#
#   1. $SCOPE_CONF_PATH
#   2. $SCOPE_HOME/conf/scope.yml
#   3. $SCOPE_HOME/scope.yml
#   4. /etc/scope/scope.yml
#   5. $HOME/conf/scope.yml
#   6. $HOME/scope.yml
#   7. ./conf/scope.yml
#   8. ./scope.yml
#
# Next, SCOPE_* environment variables are used to override corresponding
# entries in the configs. Details are provided below for each setting and
# the corresponding environment variable names.
#
# Finally, if the `cribl > enable` config is true at this point, either from
# the config file or the $SCOPE_CRIBL/$SCOPE_CRIBL_CLOUD environment variable,
# the library forces the following:
#
#   - `metric > transport` is redirected to the `cribl` backend
#   - `metric > enable` is set to true
#   - `metric > format` is set to ndjson
#   - `event > transport` is redirected to the `cribl` backend
#   - `event > enable` is set to true
#   - `libscope > log > level` is set to warn
#   - `libscope > configevent` is set to true
#
# Use the `scope extract` command to get a copy of the default `scope.yml`.
#
# Use the command below to get a stripped-down version of this config.
#
#   egrep -v '^ *#.*$' scope.yml | sed '/^$/d' >scope-minimal.yml
#

# Settings for metrics
#
metric:

  # Enable the metrics backend
  #   Type:     boolean
  #   Values:   true, false
  #   Default:  true
  #   Override: $SCOPE_METRIC_ENABLE
  #
  #
  enable: true

  # Settings for the format of metric data
  format:

    # Metric format type
    #   Type:     string
    #   Values:   statsd, ndjson
    #   Default:  statsd
    #   Override: $SCOPE_METRIC_FORMAT
    #
    # When the `cribl` backend is enabled, this is forced to ndjson.
    #
    type: statsd

    # Prefix for statsd metrics; ignored if type isn't statsd
    #   Type:     string
    #   Values:   (and string)
    #   Default:  (none)
    #   Override: $SCOPE_STATSD_PREFIX
    #
    statsdprefix:

    # Maximum length of formatted statsd metrics; ignored unless type is statsd
    #   Type:     integer
    #   Values:   (greater than zero)
    #   Default:  512
    #   Override: $SCOPE_STATSD_MAXLEN
    #
    statsdmaxlen: 512

    # Metric verbosity level
    #   Type:     integer
    #   Values:   0-9
    #   Default:  4
    #   Override: $SCOPE_METRIC_VERBOSITY
    #
    # This setting controls two different aspects of the metrics generated by
    # the library: tag cardinality and aggregation. Lower values reduce the
    # verbosity of metric data produced, while higher values increase it.
    #
    # Metrics have at a minimum name, value, and type properties. Optional tags
    # can be added to provide additional detail on the measurement. The library
    # adds expanded Statsd tags depending on the value of this setting as
    # described below. These affect the cardinality of the metrics data.
    #
    #   0  none
    #   1  adds data and unit
    #   2  adds class and proto
    #   3  adds op
    #   4  adds pid, host, proc, and http_status
    #   5  adds domain and file
    #   6  adds localip, remoteip, localp, port, and remotep
    #   7  adds fd and args
    #   8  adds duration, numops, req_per_sec, req, resp, and protocol
    #
    # The library counts various events and generates metrics for them
    # periodically. The verbosity config disables this metric aggregation for
    # groups of events. When disabled, events that would normally have been
    # summarized in an aggregate metric are instead sent as individual metrics
    # with a count of 1 and additional details from the event added, e.g.,
    # operation, filename, process, error code, etc.
    #
    #   0-4 full metric aggregation
    #   5   disable error metric aggregation
    #   6   disable filesystem open/close and DNS metric aggregation
    #   7   disable filesystem stat and network connect metric aggregation
    #   8   disable filesystem seek metric aggregation
    #   9   disable filesystem read/write and network send/recv metric aggregation
    #
    verbosity : 4

  # The `metric > watch[*]` array contains objects that enable different
  # categories of metrics. Their `type` property specifies the category.
  # Comment out an array entry to disable the category. If you comment
  # out `metric > watch` entirely, AppScope will use the default metric
  # watch list, which has all categories enabled.
  #
  watch:
    # The statsd category creates metrics from statsd network traffic that is
    # sent from or received by the scoped process. This includes extended
    # statsd, where dimensions will be included in the metrics produced.
    # See the STATSD protocol detector for more info about how
    # network traffic is determined to contain stastd metric data.
    #
    # Set $SCOPE_METRIC_STATSD to true or false to enable or disable this
    # category.
    #
    - type: statsd

    # Metric file system
    #   Type:     string
    #   Values:   fs
    #   Default:  fs
    #   Override: $SCOPE_METRIC_FS
    #
    - type: fs

    # Metric network
    #   Type:     string
    #   Values:   net
    #   Default:  net
    #   Override: $SCOPE_METRIC_NET
    #
    - type: net

    # Metric http
    #   Type:     string
    #   Values:   http
    #   Default:  http
    #   Override: $SCOPE_METRIC_HTTP
    #
    - type: http

    # Metric dns
    #   Type:     string
    #   Values:   dns
    #   Default:  dns
    #   Override: $SCOPE_METRIC_DNS
    #
    - type: dns

    # Metric process
    #   Type:     string
    #   Values:   process
    #   Default:  process
    #   Override: $SCOPE_METRIC_PROC
    #
    - type: process

  # Backend connection for metrics
  #
  # When the `cribl` backend is enabled, these settings are ignored and metrics
  # are instead sent to the `cribl` backend.
  #
  transport:

    # Set $SCOPE_METRIC_DEST to override the type, host, port, and path configs
    # below. The environment variable should be set to a URL.
    #
    #   file:///tmp/output.log  send to a file; note the triple slash
    #   file://stdout           send to standard out
    #   file://stderr           send to standard error
    #   udp://host:port         send to a network server (UDP protocol)
    #   tcp://host:port         send to a network server (TCP protocol)
    #   unix://@abstractname    send to a unix domain server w/abstract addr
    #   unix:///var/run/mysock  send to a unix domain server w/filesystem addr
    #   edge                    send to cribl edge (over unix domain)
    #
    # Note: tls:// is not an option here. For TLS/SSL, use tcp://host:port and
    # set the $SCOPE_METRIC_TLS_* variables.

    # Connection type
    #   Type:     string
    #   Values:   udp, tcp, unix, file, and edge
    #   Default:  udp
    #   Override: the protocol token in the $SCOPE_METRIC_DEST URL
    #
    type: udp

    # Connection host/address
    #   Type:     string
    #   Values:   (hostname or IP address)
    #   Default:  127.0.0.1
    #   Override: the host token in the $SCOPE_METRIC_DEST URL
    #
    host: 127.0.0.1

    # Connection port
    #   Type:     integer or string
    #   Values:   port number or service name
    #   Default:  8125
    #   Override: the port token in the $SCOPE_METRIC_DEST URL
    #
    # The default 8125 is for normal statsd services.
    #
    port: 8125

    # File path / unix domain socket path
    #   Type:     string
    #   Values:   (directory path, or socket path)
    #   Default:  (none)
    #   Override: the path token in the $SCOPE_METRIC_DEST URL
    #
    # Applies when connection type is file or unix.
    #
    #path: ''

    # File buffering
    #   Type:     string
    #   Values:   line, full
    #   Default:  line
    #
    # Only applies when connection type is file
    #
    # Set this to line if there's a chance that multiple scoped processes will
    # be writing to the same file. This prevents interleaving of lines and
    # scrambling of the log file. Setting this to full may improve performance
    # in single-writer scenarios.
    #
    #buffer: line

    # TLS connection settings
    tls:

      # Enable TLS for the metrics backend
      #   Type:     boolean
      #   Values:   true, false
      #   Default:  false
      #   Override: $SCOPE_METRIC_TLS_ENABLE
      #
      # Only applies when the connection type is tcp.
      #
      enable: false

      # Validate the TLS server certificate
      #   Type:     boolean
      #   Values:   true, false
      #   Default:  false
      #   Override: $SCOPE_METRIC_TLS_VALIDATE_SERVER
      #
      # Set to false, works like the `curl -k` option. When set to true, the
      # connection will fail if the server certificate cannot be validated.
      #
      # Only applies if the connection type is tcp and TLS is enabled.
      #
      validateserver: true

      # CA Certificate Path
      #   Type:     string
      #   Values:   (file path)
      #   Default:  (none)
      #   Override: $SCOPE_METRIC_TLS_CA_CERT_PATH
      #
      # Leave this blank when validateserver is set to true and the local
      # OS-provided trusted CA certificates are used to validate the server's
      # certificate. To use a PEM certificate file instead, specify its
      # full path; useful with self-signed certificates.
      #
      # Only applies if the connection type is tcp and TLS is enabled.
      #
      cacertpath: ''

# Settings for events
#
event:

  # Enable the events backend
  #   Type:     boolean
  #   Values:   true, false
  #   Default:  true
  #   Override: $SCOPE_EVENT_ENABLE
  #
  #
  enable: true

  # Settings for the format of event data
  format:

    # Metric format type
    #   Type:     string
    #   Values:   ndjson
    #   Default:  ndjson
    #   Override: $SCOPE_EVENT_FORMAT
    #
    type: ndjson

    # Event rate limiter
    #   Type:     integer
    #   Values:   0+
    #   Default:  10000
    #   Override: $SCOPE_EVENT_MAXEPS
    #
    # Set this to 0 to disable the limiter.
    #
    maxeventpersec: 10000

    # Enable enhanced filesystem event data
    #   Type:     boolean
    #   Values:   true, false
    #   Default:  true
    #   Override: $SCOPE_ENHANCE_FS
    #
    # When set to true, `event > watch[*] > type=fs` is enabled. We add uid,
    # gid, and mode to open events.
    #
    enhancefs: true

  # The `event > watch[*]` array contains objects that enable different
  # categories of events. Their `type` property specifies the category.
  # Comment out an array entry to disable the category. If you comment
  # out `event > watch` entirely, AppScope will use the default event
  # watch list, which has all categories except metric enabled.
  #
  watch:

    # The file category includes writes to files. It's intended primarily for
    # monitoring log files, but is capable of generating events from writes to any
    # file. The name and value properties are regular expressions applied to
    # the filename and written data, respectively. Events will be generated when
    # both match.
    #
    # Set $SCOPE_EVENT_LOGFILE to true or false to enable or disable this
    # category. The regular expressions can be set with
    # $SCOPE_EVENT_LOGFILE_NAME and $SCOPE_EVENT_LOGFILE_VALUE.
    #
    - type: file
      name: (\/logs?\/)|(\.log$)|(\.log[.\d]) # matches the filename
      value: .*                               # matches data read or written

    # The console category includes writes to standard out and error and is
    # intended for monitoring console output, especially in containerized
    # environments where logging to files isn't commonly done. The name and
    # value properties are regular expressions applied to the filename and
    # written data, respectively. Events will be generated when both match.
    #
    # Set $SCOPE_EVENT_CONSOLE to true or false to enable or disable this
    # category. The regular expressions can be set with
    # $SCOPE_EVENT_CONSOLE_NAME and $SCOPE_EVENT_CONSOLE_VALUE.
    #
    # Set $SCOPE_ALLOW_BINARY_CONSOLE to true or false to allow or disallow
    # emitting binary data for console events.
    #
    - type: console
      name: (stdout)|(stderr) # matches the output stream
      value: .*               # matches data written
      allowbinary: true

    # The net category includes open and close events on network connections.
    # The name, field, and value properties are regular expressions applied
    # to the corresponding event properties. Events will be generated when
    # all match.
    #
    # Set $SCOPE_EVENT_NET to true or false to enable or disable this
    # category. The regular expressions can be set with
    # $SCOPE_EVENT_NET_NAME, $SCOPE_EVENT_NET_FIELD, and $SCOPE_EVENT_NET_VALUE.
    #
    - type: net
      name: .*
      field: .*
      value: .*

    # The fs category includes filesystem operations like open, close,
    # and delete. The name, field, and value properties are regular
    # expressions applied to the corresponding event properties. Events
    # will be generated when all match.
    #
    # Set $SCOPE_EVENT_FS to true or false to enable or disable this
    # category. The regular expressions can be set with
    # $SCOPE_EVENT_FS_NAME, $SCOPE_EVENT_FS_FIELD, and $SCOPE_EVENT_FS_VALUE.
    #
    - type: fs
      name: .*
      field: .*
      value: .*

    # The dns category includes DNS request and response events. The name,
    # field, and value properties are regular expressions applied to the
    # corresponding event properties. Events will be generated when all
    # match.
    #
    # Set $SCOPE_EVENT_DNS to true or false to enable or disable this
    # category. The regular expressions can be set with
    # $SCOPE_EVENT_DNS_NAME, $SCOPE_EVENT_DNS_FIELD, and $SCOPE_EVENT_DNS_VALUE.
    #
    - type: dns
      name: .*
      field: .*
      value: .*

    # The http category includes HTTP request and response events. The name,
    # field, and value properties are regular expressions applied to the
    # corresponding event properties. Events will be generated when all match.
    #
    # The headers entry is a list of regular expressions that are applied to
    # the HTTP headers in request and response events. Matches are applied to
    # the whole header line, not just the name. Headers that match are included
    # in the generated events. Note that headers named `host`, `user-agent`,
    # `x-forwarded-for`, and `x-appscope` are included by default.
    #
    # Set $SCOPE_EVENT_HTTP to true or false to enable or disable this
    # category. The regular expressions can be set with $SCOPE_EVENT_HTTP_NAME,
    # $SCOPE_EVENT_HTTP_FIELD, $SCOPE_EVENT_HTTP_VALUE, and
    # $SCOPE_EVENT_HTTP_HEADER. Note that $SCOPE_EVENT_HTTP_HEADER only sets
    # a single entry in the `headers` array.
    #
    - type: http
      name: .*         # event name; http.req or http.resp
      field: .*        # matches field names; duration, http_status, etc
      value: .*        # matches field values
      headers:         # list of filters matched against header names
        #- (?i)Accept                # example of case-insensitive filter
        #- "x-content-type-.*: no.*" # example of required quotes

    # The metric category is very seldom used.
    # If turned on, AppScope sends non-aggregated metrics out the event channel.
    # By non-aggregated, we mean metrics with verbosity set to the maximum.
    # This is only ever used as a last resort when tracking down a problem.
    # Enable rarely, if ever. Fraught with peril!
    #
    # The name, field, and value properties are all regular expressions. Only
    # matching events will be generated.
    #
    # Warning: Enabling this may interfere with proper metric aggregation.
    #
    # Set $SCOPE_EVENT_METRIC to true or false to enable or disable this
    # category. The regular expressions can be set with
    # $SCOPE_EVENT_METRIC_NAME, $SCOPE_EVENT_METRIC_FIELD, and
    # $SCOPE_EVENT_METRIC_VALUE.
    #
    #- type: metric
    #  name: .*
    #  field: .*
    #  value: .*

  # Backend connection for events
  #
  # When the `cribl` backend is enabled, these settings are ignored and events
  # are instead sent to the `cribl` backend.
  #
  transport:

    # Set $SCOPE_EVENT_DEST to override the type, host, port, and path configs
    # below. The environment variable should be set to a URL.
    #
    #   file:///tmp/output.log  send to a file; note the triple slash
    #   file://stdout           send to standard out
    #   file://stderr           send to standard error
    #   udp://host:port         send to a network server (UDP protocol)
    #   tcp://host:port         send to a network server (TCP protocol)
    #   unix://@abstractname    send to a unix domain server w/abstract addr
    #   unix:///var/run/mysock  send to a unix domain server w/filesystem addr
    #   edge                    send to cribl edge (over unix domain)
    #
    # Note: tls:// is not an option here. For TLS/SSL, use tcp://host:port and
    # set the $SCOPE_EVENT_TLS_* variables.

    # Connection type
    #   Type:     string
    #   Values:   udp, tcp, unix, file, and edge
    #   Default:  tcp
    #   Override: the protocol token in the $SCOPE_EVENT_DEST URL
    #
    type: tcp

    # Connection host/address
    #   Type:     string
    #   Values:   (hostname or IP address)
    #   Default:  127.0.0.1
    #   Override: the host token in the $SCOPE_EVENT_DEST URL
    #
    host: 127.0.0.1

    # Connection port
    #   Type:     integer or string
    #   Values:   port number or service name
    #   Default:  9109
    #   Override: the port token in the $SCOPE_EVENT_DEST URL
    #
    port: 9109

    # File path / unix domain socket path
    #   Type:     string
    #   Values:   (directory path, or socket path)
    #   Default:  (none)
    #   Override: the path token in the $SCOPE_EVENT_DEST URL
    #
    # Applies when connection type is file or unix.
    #
    #path: ''

    # File buffering
    #   Type:     string
    #   Values:   line, full
    #   Default:  line
    #
    # Only applies when connection type is file.
    #
    # Set this to line if there's a chance that multiple scoped processes will
    # be writing to the same file. This prevents interleaving of lines and
    # scrambling of the log file. Setting this to full may improve performance
    # in single-writer scenarios.
    #
    #buffer: line

    # TLS connection settings
    tls:

      # Enable TLS for the events backend
      #   Type:     boolean
      #   Values:   true, false
      #   Default:  false
      #   Override: $SCOPE_EVENT_TLS_ENABLE
      #
      # Only applies when the connection type is tcp.
      #
      enable: false

      # Validate the TLS server certificate
      #   Type:     boolean
      #   Values:   true, false
      #   Default:  false
      #   Override: $SCOPE_EVENT_TLS_VALIDATE_SERVER
      #
      # Set to false, works like the `curl -k` option. When set to true, the
      # connection will fail if the server certificate cannot be validated.
      #
      # Only applies if the connection type is tcp and TLS is enabled.
      #
      validateserver: true

      # CA Certificate Path
      #   Type:     string
      #   Values:   (file path)
      #   Default:  (none)
      #   Override: $SCOPE_EVENT_TLS_CA_CERT_PATH
      #
      # Leave this blank when validateserver is set to true and the local
      # OS-provided trusted CA certificates are used to validate the server's
      # certificate. To use a PEM certificate file instead, specify its
      # full path; useful with self-signed certificates.
      #
      # Only applies if the connection type is tcp and TLS is enabled.
      #
      cacertpath: ''

# Settings for payloads
#
payload:

  # Enable payload capture
  #   Type:     boolean
  #   Values:   true, false
  #   Default:  false
  #   Override: $SCOPE_PAYLOAD_ENABLE
  #
  # This can produce large amounts of data from I/O-intensive programs and
  # should be considered carefully before being enabled.
  #
  # See `protocol` for a way to enable this for specific protocols instead of
  # all traffic.
  #
  enable: false

  # Directory for payload files
  #   Type:     string
  #   Values:   (directory path)
  #   Default:  /tmp
  #   Override: $SCOPE_PAYLOAD_DIR
  #
  # Consider using a performant filesystem to reduce I/O performance impacts.
  #
  dir: '/tmp'

# Setting up the library
#
libscope:

  # Enable the config-event message on the event or `cribl` backend
  #   Type:     boolean
  #   Values:   true, false
  #   Default:  true
  #   Override: $SCOPE_CONFIG_EVENT
  #
  # The config-event message is the first one set on the connection and
  # contains details identifying the scoped program and the runtime configs.
  # It's more commonly referred to as the process-start message.
  #
  configevent: true

  # Metric summary interval
  #   Type:     integer
  #   Values:   1+ seconds
  #   Default:  10
  #   Override: $SCOPE_SUMMARY_PERIOD
  #
  # See also `metric > verbosity`.
  #
  summaryperiod : 10

  # Command directory
  #   Type:     string
  #   Values:   (directory path)
  #   Default:  /tmp
  #   Override: $SCOPE_CMD_DIR
  #
  # The library looks here periodically (see `libscope > summaryperiod`) for a
  # file named scope.{pid} matching the current process. If found, it's loaded
  # and deleted. The file should contain environment variables, one per line.
  #
  #   SCOPE_METRIC_VERBOSITY=9
  #   SCOPE_EVENT_HTTP=false
  #
  # The given variables are applied to the running config just like startup.
  #
  commanddir : '/tmp'


  # Logging settings for the library
  #
  log:

    # Set logging verbosity
    #   Type:     string
    #   Values:   debug, info, warning, error, or none
    #   Default:  warning
    #   Override: $SCOPE_LOG_LEVEL
    #
    # When the `cribl` backend is enabled, this is forced to warning.
    #
    level: warning

    # Backend connection for logs
    #
    transport:

      # Set $SCOPE_LOG_DEST to override the type, host, port, and path configs
      # below. The environment variable should be set to a URL.
      #
      #   file:///tmp/output.log  send to a file; note the triple slash
      #   file://stdout           send to standard out
      #   file://stderr           send to standard error
      #   udp://host:port         send to a network server (UDP protocol)
      #   tcp://host:port         send to a network server (TCP protocol)
      #   unix://@abstractname    send to a unix domain server w/abstract addr
      #   unix:///var/run/mysock  send to a unix domain server w/filesystem addr
      #   edge                    send to cribl edge (over unix domain)
      #
      # Note: tls:// is not an option here. For TLS/SSL, use tcp://host:port and
      # set the $SCOPE_LOG_TLS_* variables.

      # Connection type
      #   Type:     string
      #   Values:   udp, tcp, unix, file, and edge
      #   Default:  file
      #   Override: the protocol token in the $SCOPE_LOG_DEST URL
      #
      type: file

      # Connection host/address
      #   Type:     string
      #   Values:   (hostname or IP address)
      #   Default:  (none)
      #   Override: the host token in the $SCOPE_LOG_DEST URL
      #
      #host:

      # Connection port
      #   Type:     integer or string
      #   Values:   port number or service name
      #   Default:  (none)
      #   Override: the port token in the $SCOPE_LOG_DEST URL
      #
      #port:

      # File path / unix domain socket path
      #   Type:     string
      #   Values:   (directory path, or socket path)
      #   Default:  '/tmp/scope.log'
      #   Override: the path token in the $SCOPE_LOG_DEST URL
      #
      # Applies when connection type is file or unix.
      #
      path: '/tmp/scope.log'

      # File buffering
      #   Type:     string
      #   Values:   line, full
      #   Default:  line
      #
      # Only applies when connection type is file.
      #
      # Set this to line if there's a chance that multiple scoped processes will
      # be writing to the same file. This prevents interleaving of lines and
      # scrambling of the log file. Setting this to full may improve performance
      # in single-writer scenarios.
      #
      buffer: line

# Settings for the `cribl` backend
#
cribl:

  # Enable the `cribl` backend
  #   Type:     boolean
  #   Values:   true, false
  #   Default:  true
  #   Override: $SCOPE_CRIBL_ENABLE
  #
  enable: true

  # Authentication token
  #   Type:     string
  #   Values:   (any)
  #   Default:  (none)
  #   Override: $SCOPE_CRIBL_AUTHTOKEN
  #
  # If set, the value is added as a top-level authToken property in the initial
  # config-event (header) sent to Cribl when the library connects.
  #
  #authtoken:

  # Backend connection for cribl
  #
  transport:

    # Set $SCOPE_CRIBL to override the type, host, port and socket path configs below.
    # The environment variable should be set to a URL.
    #
    #   tcp://host:port         send to a TCP server
    #   unix://@abstractname    send to a unix domain server w/abstract addr
    #   unix:///var/run/mysock  send to a unix domain server w/filesystem addr
    #   edge                    send to cribl edge (over unix domain)
    #
    # Note: tls:// is not an option here. For TLS/SSL, use tcp://host:port and
    # set the $SCOPE_CRIBL_TLS_* variables.
    #
    # Note: file:// is not supported here.
    #
    # Alternatively, set $SCOPE_CRIBL_CLOUD to the same URL and the library
    # sets $SCOPE_CRIBL_TLS_ENABLE=true, $SCOPE_CRIBL_TLS_VALIDATE_SERVER=true,
    # and $SCOPE_CRIBL_TLS_CA_CERT_PATH="" for you.

    # Connection type
    #   Type:     string
    #   Values:   tcp, unix, and edge
    #   Default:  edge
    #   Override: the protocol token in the $SCOPE_CRIBL or $SCOPE_CRIBL_CLOUD URL
    #
    type: edge

    # Connection host/address
    #   Type:     string
    #   Values:   (hostname or IP address)
    #   Default:  127.0.0.1
    #   Override: the host token in the $SCOPE_CRIBL or $SCOPE_CRIBL_CLOUD URL
    #
    # Only applies when the connection type is tcp.
    #
    host: 127.0.0.1

    # Connection port
    #   Type:     integer or string
    #   Values:   port number or service name
    #   Default:  10090
    #   Override: the port token in the $SCOPE_CRIBL or $SCOPE_CRIBL_CLOUD URL
    #
    # Defaults to 10090, which is the TCP port on the AppScope Source
    # in Cribl Stream or Cribl Edge. If you are using the cloud version,
    # 10090 is the TLS port on the client-facing load balancer which is
    # proxied to the cloud instance's TCP:10090 port, without TLS.
    #
    # Use 10091 here if you need to connect to Cribl.Cloud without TLS and
    # are not making any changes in the AppScope Source.
    #
    # Only applies when the connection type is tcp.
    #
    port: 10090

    # Unix domain socket path
    #   Type:     string
    #   Values:   socket path
    #   Default:  (none)
    #   Override: the socket_path token in the $SCOPE_CRIBL or $SCOPE_CRIBL_CLOUD URL
    #
    # Only applies when the connection type is unix.
    #
    #path: ''

    # TLS connection settings
    tls:

      # Enable TLS for the metrics backend
      #   Type:     boolean
      #   Values:   true, false
      #   Default:  false
      #   Override: $SCOPE_CRIBL_TLS_ENABLE or use $SCOPE_CRIBL_CLOUD
      #
      # Only applies when the connection type is tcp.
      #
      enable: false

      # Validate the TLS server certificate
      #   Type:     boolean
      #   Values:   true, false
      #   Default:  false
      #   Override: $SCOPE_CRIBL_TLS_VALIDATE_SERVER
      #
      # Set to false, works like the `curl -k` option. When set to true, the
      # connection will fail if the server certificate cannot be validated.
      #
      # Only applies if the connection type is tcp and TLS is enabled.
      #
      validateserver: true

      # CA Certificate Path
      #   Type:     string
      #   Values:   (file path)
      #   Default:  (none)
      #   Override: $SCOPE_CRIBL_TLS_CA_CERT_PATH
      #
      # Leave this blank when validateserver is set to true and the local
      # OS-provided trusted CA certificates are used to validate the server's
      # certificate. To use a PEM certificate file instead, specify its
      # full path; useful with self-signed certificates.
      #
      # Only applies if the connection type is tcp and TLS is enabled.
      #
      cacertpath: ''

# Tags for events and metrics
#
tags:
  # `key: value` entries here become fields in generated events and metrics.
  #
  # Simple $EXAMPLE variables in the value will be replaced with the
  # corresponding environment variable values. The regex looks for dollar signs
  # followed by one or more alphanumeric or underscore characters. If the
  # corresponding environment variable is not set, the variable is left in the
  # value.
  #
  # Tags can also be added with environment variables prefixed with SCOPE_TAG_.
  # For example, SCOPE_TAG_service=eg is equivalent to the "service" example
  # below. The value of the environment variable may contain other variables
  # as described above too; e.g., SCOPE_TAG_user=\$USER.
  #
  #user: $USER
  #service: eg

# Protocol detection and handling
#
protocol:
  # Entries in this list define protocols that AppScope should detect in network
  # payloads and how to handle matches. The first packet seen on a channel is
  # checked against the regular expression in each entry in the order they
  # appear in this file. When one matches, later entries are skipped.
  #
  # Entries have the following properties:
  #
  #   name     String protocol name used in protocol-detect events and payload
  #            headers sent to Cribl Stream or Cribl Edge (required)
  #   regex    The regular expression to use (required)
  #   binary   Boolean indicating whether the regex should be applied to a
  #            hex-string version of the payload instead of the binary payload
  #            (default: false)
  #   len      The number of bytes to convert to hex when `binary` is true
  #            (default: 256)
  #   detect   Boolean indicating whether protocol-detect events should be
  #            generated (default: true)
  #   payload  Boolean indicating whether payload-processing should be enabled
  #            for matching streams (default: false)
  #
  # When payloads are enabled globally (`payload > enable`), the payload
  # options here are ignored.
  #
  # Warning: The `name` value is currently inserted into the JSON header for
  # payloads sent to Cribl Stream or Cribl Edge, so it cannot contain double
  # quotes or backslashes without breaking the JSON. It needs to be kept fairly
  # short, too, so the header doesn't exceed the 1k limit. If this becomes a
  # problem, we'll consider adding logging and validation.
  #

  # Example for the plain-text Redis protocol using the default detect and
  # payload settings
  #
  #- name: Redis
  #  regex: "^[*]\\d+|^[+]\\w+|^[$]\\d+"

  # Example for the MongoDB protocol showing how to detect a binary protocol
  #
  #- name: Mongo
  #  regex: "^240100000000000000000000d407"
  #  binary: true
  #  len: 14

  # AppScope uses an internally defined protocol detector for HTTP like the
  # example below by default.
  #
  # Uncomment this and adjust as needed to override the defaults.
  #
  #- name: HTTP
  #  regex: "HTTP\\/1\\.[0-2]|PRI \\* HTTP\\/2\\.0\r\n\r\nSM\r\n\r\n"

  # AppScope uses an internally defined protocol detector for STATSD like the
  # example below by default.
  #
  # Uncomment this and adjust as needed to override the defaults.
  #
  #- name: STATSD
  #  regex: "^([^:]+):([\\d.]+)\\|(c|g|ms|s|h)"

  # AppScope uses another internally defined protocol detector for SSL/TLS like
  # the example below by default.
  #
  # Uncomment this entry to override the regex details or to set detect to
  # false. The payload setting here is never used. AppScope never sends
  # encrypted payloads to disk, to Cribl Stream, or to Cribl Edge.
  #
  #- name: TLS
  #  regex: "^(?:(?:16030[0-3].{4})|(?:8[0-9a-fA-F]{3}01))"
  #  binary: true
  #  len: 5

# Custom configs
#
custom:
  # Each custom entry has a name, a `filter` element, and a `config` element.
  # When a scoped process matches the filter(s), the setting defined
  # in the `config` element overrides previously-defined settings.
  #
  #   name:
  #     filter:
  #       ...
  #     config:
  #       ...
  #
  # Entries under `filter` are used to match aspects of a scoped process. There
  # must be at least one of them and all of them must match for the filter to
  # succeed. The following filters are supported.
  #
  #   procname: string
  #
  #     Matches if the given string value matches the basename of the scoped
  #     process.
  #
  #   arg: string
  #
  #     Matches if the given string value appears and a substring anywhere in
  #     the scoped process's full command line including an options and
  #     arguments.
  #
  #   hostname: string
  #
  #     Matches if the given string value matches the hostname of the machine
  #     where the scoped process is running.
  #
  #   username: string
  #
  #     Matches if the given string value matches the username for the scoped
  #     process's UID.
  #
  #   env: string
  #
  #     The string value is the name of an environment variable alone (i.e.
  #     "FOO") or with a value (i.e. "FOO=bar"). The filter matches if the
  #     environment variable is set and, in the later case, the value matches.
  #
  #   ancestor: string
  #
  #     Matches if given string matches the basename of the scoped process's
  #     parent, parent's parent, etc.
  #
  # The `config` section specifies the settings that should be overridden when
  # the filter matches. Entries under `config` use the same schema as the
  # top-level entries (without `custom`).
  #

  # Increase metric verbosity for processes owned by the "eg" user and running
  # on the "eg1" host.
  #
  #example:
  #  filter:
  #    username: eg
  #    hostname: eg1
  #  config:
  #    metric:
  #      format:
  #        verbosity: 7
  #    tags:
  #      service: eg

  # Enable the Cribl Stream destination for Nginx
  # processes. Both this entry and the `example` entry above would
  # apply if both filters match – so the service tag here would
  # override the one above. In this example, we use a Cribl.Cloud-managed
  # Cribl Stream instance.
  #
  #nginx:
  #  filter:
  #    procname: nginx
  #  config:
  #    tags:
  #      service: nginx
  #    cribl:
  #      enable: true
  #      transport:
  #        type: tcp
  #        host: in.my-instance.logstream.cribl.cloud
  #        port: 10090
  #        tls:
  #          enable: true

# EOF