Config File

scope.yml is the sole library configuration file in AppScope.

The contents of the now-eliminated scope_protocol.yml configuration file reside in the protocol section of scope.yml.

scope.yml Config File

Below are the default contents of scope.yml:

#
# AppScope Runtime Configuration
#
# The AppScope library (`libscope.so`) starts with default configs that are
# mimicked here in this file; meaning, run with no config, or with the stock
# version of this config, and the results are the same.
#
# After loading defaults, the library looks for a config in the following
# places in the order shown. The first readable file found is used and the rest
# are ignored. Entries in the config file override the defaults.
# 
#   1. $SCOPE_CONF_PATH
#   2. $SCOPE_HOME/conf/scope.yml
#   3. $SCOPE_HOME/scope.yml
#   4. /etc/scope/scope.yml
#   5. $HOME/conf/scope.yml
#   6. $HOME/scope.yml
#   7. ./conf/scope.yml
#   8. ./scope.yml
#
# Next, SCOPE_* environment variables are used to override corresponding
# entries in the configs. Details are provided below for each setting and
# the corresponding environment variable names.
#
# Finally, if the `cribl > enable` config is true at this point, either from
# the config file or the $SCOPE_CRIBL/$SCOPE_CRIBL_CLOUD environment variable,
# the library forces the following:
#
#   - `metric > transport` is redirected to the `cribl` backend
#   - `metric > enable` is set to true
#   - `metric > format` is set to ndjson
#   - `event > transport` is redirected to the `cribl` backend
#   - `event > enable` is set to true
#   - `libscope > log > level` is set to warn
#   - `libscope > configevent` is set to true
#
# Use the `scope extract` command to get a copy of the default `scope.yml`.
#
# Use the command below to get a stripped-down version of this config.
#
#   egrep -v '^ *#.*$' scope.yml | sed '/^$/d' >scope-minimal.yml
# 

# Settings for metrics
#
metric:

  # Enable the metrics backend
  #   Type:     boolean
  #   Values:   true, false
  #   Default:  true
  #   Override: $SCOPE_METRIC_ENABLE
  #
  #
  enable: true

  # Settings for the format of metric data
  format:

    # Metric format type
    #   Type:     string
    #   Values:   statsd, ndjson
    #   Default:  statsd
    #   Override: $SCOPE_METRIC_FORMAT
    #
    # When the `cribl` backend is enabled, this is forced to ndjson.
    #
    type: statsd

    # Prefix for statsd metrics; ignored if type isn't statsd
    #   Type:     string
    #   Values:   (and string)
    #   Default:  (none)
    #   Override: $SCOPE_STATSD_PREFIX
    #
    statsdprefix:

    # Maximum length of formatted statsd metrics; ignored unless type is statsd
    #   Type:     integer
    #   Values:   (greater than zero)
    #   Default:  512
    #   Override: $SCOPE_STATSD_MAXLEN
    #
    statsdmaxlen: 512

    # Metric verbosity level
    #   Type:     integer
    #   Values:   0-9
    #   Default:  4
    #   Override: $SCOPE_METRIC_VERBOSITY
    #
    # This setting controls two different aspects of the metrics generated by
    # the library: tag cardinality and aggregation. Lower values reduce the
    # verbosity of metric data produced, while higher values increase it.
    #
    # Metrics have at a minimum name, value, and type properties. Optional tags
    # can be added to provide additional detail on the measurement. The library
    # adds expanded Statsd tags depending on the value of this setting as
    # described below. These affect the cardinality of the metrics data.
    #   
    #   0  none
    #   1  adds data and unit
    #   2  adds class and proto
    #   3  adds op
    #   4  adds pid, host, proc, and http_status
    #   5  adds domain and file
    #   6  adds localip, remoteip, localp, port, and remotep
    #   7  adds fd and args
    #   8  adds duration, numops, req_per_sec, req, resp, and protocol
    #
    # The library counts various events and generates metrics for them
    # periodically. The verbosity config disables this metric aggregation for
    # groups of events. When disabled, events that would normally have been
    # summarized in an aggregate metric are instead sent as individual metrics
    # with a count of 1 and additional details from the event added, e.g.,
    # operation, filename, process, error code, etc.
    #
    #   0-4 full metric aggregation
    #   5   disable error metric aggregation
    #   6   disable filesystem open/close and DNS metric aggregation
    #   7   disable filesystem stat and network connect metric aggregation
    #   8   disable filesystem seek metric aggregation
    #   9   disable filesystem read/write and network send/recv metric aggregation
    #
    verbosity : 4

  # The `metric > watch[*]` array contains objects that enable different
  # categories of metrics. Their `type` property specifies the category.
  # Comment out an array entry to disable the category. If you comment
  # out `metric > watch` entirely, AppScope will use the default metric
  # watch list, which has all categories enabled.
  #
  watch:
    # The statsd category creates metrics from statsd network traffic that is
    # sent from or received by the scoped process. This includes extended
    # statsd, where dimensions will be included in the metrics produced.
    # See the STATSD protocol detector for more info about how
    # network traffic is determined to contain stastd metric data.
    #
    # Set $SCOPE_METRIC_STATSD to true or false to enable or disable this
    # category.
    #
    - type: statsd

    # Metric file system
    #   Type:     string
    #   Values:   fs
    #   Default:  fs
    #   Override: $SCOPE_METRIC_FS
    #
    - type: fs

    # Metric network
    #   Type:     string
    #   Values:   net
    #   Default:  net
    #   Override: $SCOPE_METRIC_NET
    #
    - type: net

    # Metric http
    #   Type:     string
    #   Values:   http
    #   Default:  http
    #   Override: $SCOPE_METRIC_HTTP
    #
    - type: http
  
    # Metric dns
    #   Type:     string
    #   Values:   dns
    #   Default:  dns
    #   Override: $SCOPE_METRIC_DNS
    #
    - type: dns
  
    # Metric process
    #   Type:     string
    #   Values:   process
    #   Default:  process
    #   Override: $SCOPE_METRIC_PROC
    #
    - type: process

  # Backend connection for metrics
  #
  # When the `cribl` backend is enabled, these settings are ignored and metrics
  # are instead sent to the `cribl` backend.
  #
  transport:

    # Set $SCOPE_METRIC_DEST to override the type, host, port, and path configs
    # below. The environment variable should be set to a URL.
    #
    #   file:///tmp/output.log  send to a file; note the triple slash
    #   file://stdout           send to standard out
    #   file://stderr           send to standard error
    #   udp://host:port         send to a network server (UDP protocol)
    #   tcp://host:port         send to a network server (TCP protocol)
    #   unix://@abstractname    send to a unix domain server w/abstract addr
    #   unix:///var/run/mysock  send to a unix domain server w/filesystem addr
    #   edge                    send to cribl edge (over unix domain)
    #
    # Note: tls:// is not an option here. For TLS/SSL, use tcp://host:port and
    # set the $SCOPE_METRIC_TLS_* variables.

    # Connection type
    #   Type:     string
    #   Values:   udp, tcp, unix, file, and edge
    #   Default:  udp
    #   Override: the protocol token in the $SCOPE_METRIC_DEST URL
    #
    type: udp

    # Connection host/address
    #   Type:     string
    #   Values:   (hostname or IP address)
    #   Default:  127.0.0.1
    #   Override: the host token in the $SCOPE_METRIC_DEST URL
    #
    host: 127.0.0.1

    # Connection port
    #   Type:     integer or string
    #   Values:   port number or service name
    #   Default:  8125
    #   Override: the port token in the $SCOPE_METRIC_DEST URL
    #
    # The default 8125 is for normal statsd services.
    #
    port: 8125

    # File path / unix domain socket path
    #   Type:     string
    #   Values:   (directory path, or socket path)
    #   Default:  (none)
    #   Override: the path token in the $SCOPE_METRIC_DEST URL
    #
    # Applies when connection type is file or unix.
    #
    #path: ''

    # File buffering
    #   Type:     string
    #   Values:   line, full
    #   Default:  line
    #
    # Only applies when connection type is file
    #
    # Set this to line if there's a chance that multiple scoped processes will
    # be writing to the same file. This prevents interleaving of lines and
    # scrambling of the log file. Setting this to full may improve performance
    # in single-writer scenarios.
    #
    #buffer: line

    # TLS connection settings
    tls:

      # Enable TLS for the metrics backend
      #   Type:     boolean
      #   Values:   true, false
      #   Default:  false
      #   Override: $SCOPE_METRIC_TLS_ENABLE
      #
      # Only applies when the connection type is tcp.
      #
      enable: false

      # Validate the TLS server certificate
      #   Type:     boolean
      #   Values:   true, false
      #   Default:  false
      #   Override: $SCOPE_METRIC_TLS_VALIDATE_SERVER
      #
      # Set to false, works like the `curl -k` option. When set to true, the
      # connection will fail if the server certificate cannot be validated.
      #
      # Only applies if the connection type is tcp and TLS is enabled.
      #
      validateserver: true

      # CA Certificate Path
      #   Type:     string
      #   Values:   (file path)
      #   Default:  (none)
      #   Override: $SCOPE_METRIC_TLS_CA_CERT_PATH
      #
      # Leave this blank when validateserver is set to true and the local
      # OS-provided trusted CA certificates are used to validate the server's
      # certificate. To use a PEM certificate file instead, specify its 
      # full path; useful with self-signed certificates.
      #
      # Only applies if the connection type is tcp and TLS is enabled.
      #
      cacertpath: ''

# Settings for events
#
event:

  # Enable the events backend
  #   Type:     boolean
  #   Values:   true, false
  #   Default:  true
  #   Override: $SCOPE_EVENT_ENABLE
  #
  #
  enable: true

  # Settings for the format of event data
  format:

    # Metric format type
    #   Type:     string
    #   Values:   ndjson
    #   Default:  ndjson
    #   Override: $SCOPE_EVENT_FORMAT
    #
    type: ndjson

    # Event rate limiter
    #   Type:     integer
    #   Values:   0+
    #   Default:  10000
    #   Override: $SCOPE_EVENT_MAXEPS
    #
    # Set this to 0 to disable the limiter.
    #
    maxeventpersec: 10000

    # Enable enhanced filesystem event data
    #   Type:     boolean
    #   Values:   true, false
    #   Default:  true
    #   Override: $SCOPE_ENHANCE_FS
    #
    # When set to true, `event > watch[*] > type=fs` is enabled. We add uid,
    # gid, and mode to open events.
    #
    enhancefs: true

  # The `event > watch[*]` array contains objects that enable different
  # categories of events. Their `type` property specifies the category.
  # Comment out an array entry to disable the category. If you comment
  # out `event > watch` entirely, AppScope will use the default event
  # watch list, which has all categories except metric enabled.
  #
  watch:

    # The file category includes writes to files. It's intended primarily for
    # monitoring log files, but is capable of generating events from writes to any
    # file. The name and value properties are regular expressions applied to
    # the filename and written data, respectively. Events will be generated when
    # both match.
    #
    # Set $SCOPE_EVENT_LOGFILE to true or false to enable or disable this
    # category. The regular expressions can be set with
    # $SCOPE_EVENT_LOGFILE_NAME and $SCOPE_EVENT_LOGFILE_VALUE.
    #
    - type: file
      name: (\/logs?\/)|(\.log$)|(\.log[.\d])
      value: .*

    # The console category includes writes to standard out and error and is
    # intended for monitoring console output, especially in containerized
    # environments where logging to files isn't commonly done. The name and
    # value properties are regular expressions applied to the filename and
    # written data, respectively. Events will be generated when both match.
    #
    # Set $SCOPE_EVENT_CONSOLE to true or false to enable or disable this
    # category. The regular expressions can be set with
    # $SCOPE_EVENT_CONSOLE_NAME and $SCOPE_EVENT_CONSOLE_VALUE.
    #
    # Set $SCOPE_ALLOW_BINARY_CONSOLE to true or false to allow or disallow
    # emitting binary data for console events.
    #
    - type: console
      name: (stdout)|(stderr)
      value: .*
      allowbinary: true

    # The net category includes open and close events on network connections.
    # The name, field, and value properties are regular expressions applied
    # to the corresponding event properties. Events will be generated when
    # all match.
    #
    # Set $SCOPE_EVENT_NET to true or false to enable or disable this
    # category. The regular expressions can be set with
    # $SCOPE_EVENT_NET_NAME, $SCOPE_EVENT_NET_FIELD, and $SCOPE_EVENT_NET_VALUE.
    #
    - type: net
      name: .*
      field: .*
      value: .*

    # The fs category includes filesystem operations like open, close,
    # and delete. The name, field, and value properties are regular
    # expressions applied to the corresponding event properties. Events
    # will be generated when all match.
    #
    # Set $SCOPE_EVENT_FS to true or false to enable or disable this
    # category. The regular expressions can be set with
    # $SCOPE_EVENT_FS_NAME, $SCOPE_EVENT_FS_FIELD, and $SCOPE_EVENT_FS_VALUE.
    #
    - type: fs
      name: .*
      field: .*
      value: .*

    # The dns category includes DNS request and response events. The name,
    # field, and value properties are regular expressions applied to the
    # corresponding event properties. Events will be generated when all
    # match.
    #
    # Set $SCOPE_EVENT_DNS to true or false to enable or disable this
    # category. The regular expressions can be set with
    # $SCOPE_EVENT_DNS_NAME, $SCOPE_EVENT_DNS_FIELD, and $SCOPE_EVENT_DNS_VALUE.
    #
    - type: dns
      name: .*
      field: .*
      value: .*

    # The http category includes HTTP request and response events. The name,
    # field, and value properties are regular expressions applied to the
    # corresponding event properties. Events will be generated when all match.
    #
    # The headers entry is a list of regular expressions that are applied to
    # the HTTP headers in request and response events. Matches are applied to
    # the whole header line, not just the name. Headers that match are included
    # in the generated events. Note that headers named `host`, `user-agent`,
    # `x-forwarded-for`, and `x-appscope` are included by default.
    #
    # Set $SCOPE_EVENT_HTTP to true or false to enable or disable this
    # category. The regular expressions can be set with $SCOPE_EVENT_HTTP_NAME,
    # $SCOPE_EVENT_HTTP_FIELD, $SCOPE_EVENT_HTTP_VALUE, and
    # $SCOPE_EVENT_HTTP_HEADER. Note that $SCOPE_EVENT_HTTP_HEADER only sets
    # a single entry in the `headers` array.
    #
    - type: http
      name: .*
      field: .*
      value: .*
      headers: .*                 # yes, this should be singular but it's not.

    # The metric category is very seldom used.
    # If turned on, AppScope sends non-aggregated metrics out the event channel.
    # By non-aggregated, we mean metrics with verbosity set to the maximum.
    # This is only ever used as a last resort when tracking down a problem.
    # Enable rarely, if ever. Fraught with peril!
    #
    # The name, field, and value properties are all regular expressions. Only
    # matching events will be generated.
    #
    # Warning: Enabling this may interfere with proper metric aggregation.
    #
    # Set $SCOPE_EVENT_METRIC to true or false to enable or disable this
    # category. The regular expressions can be set with
    # $SCOPE_EVENT_METRIC_NAME, $SCOPE_EVENT_METRIC_FIELD, and
    # $SCOPE_EVENT_METRIC_VALUE.
    #
    #- type: metric
    #  name: .*
    #  field: .*
    #  value: .*

  # Backend connection for events
  #
  # When the `cribl` backend is enabled, these settings are ignored and events
  # are instead sent to the `cribl` backend.
  #
  transport:

    # Set $SCOPE_EVENT_DEST to override the type, host, port, and path configs
    # below. The environment variable should be set to a URL.
    #
    #   file:///tmp/output.log  send to a file; note the triple slash
    #   file://stdout           send to standard out
    #   file://stderr           send to standard error
    #   udp://host:port         send to a network server (UDP protocol)
    #   tcp://host:port         send to a network server (TCP protocol)
    #   unix://@abstractname    send to a unix domain server w/abstract addr
    #   unix:///var/run/mysock  send to a unix domain server w/filesystem addr
    #   edge                    send to cribl edge (over unix domain)
    #
    # Note: tls:// is not an option here. For TLS/SSL, use tcp://host:port and
    # set the $SCOPE_EVENT_TLS_* variables.

    # Connection type
    #   Type:     string
    #   Values:   udp, tcp, unix, file, and edge
    #   Default:  tcp
    #   Override: the protocol token in the $SCOPE_EVENT_DEST URL
    #
    type: tcp

    # Connection host/address
    #   Type:     string
    #   Values:   (hostname or IP address)
    #   Default:  127.0.0.1
    #   Override: the host token in the $SCOPE_EVENT_DEST URL
    #
    host: 127.0.0.1

    # Connection port
    #   Type:     integer or string
    #   Values:   port number or service name
    #   Default:  9109
    #   Override: the port token in the $SCOPE_EVENT_DEST URL
    #
    port: 9109

    # File path / unix domain socket path
    #   Type:     string
    #   Values:   (directory path, or socket path)
    #   Default:  (none)
    #   Override: the path token in the $SCOPE_EVENT_DEST URL
    #
    # Applies when connection type is file or unix.
    #
    #path: ''

    # File buffering
    #   Type:     string
    #   Values:   line, full
    #   Default:  line
    #
    # Only applies when connection type is file.
    #
    # Set this to line if there's a chance that multiple scoped processes will
    # be writing to the same file. This prevents interleaving of lines and
    # scrambling of the log file. Setting this to full may improve performance
    # in single-writer scenarios.
    #
    #buffer: line

    # TLS connection settings
    tls:

      # Enable TLS for the events backend
      #   Type:     boolean
      #   Values:   true, false
      #   Default:  false
      #   Override: $SCOPE_EVENT_TLS_ENABLE
      #
      # Only applies when the connection type is tcp.
      #
      enable: false

      # Validate the TLS server certificate
      #   Type:     boolean
      #   Values:   true, false
      #   Default:  false
      #   Override: $SCOPE_EVENT_TLS_VALIDATE_SERVER
      #
      # Set to false, works like the `curl -k` option. When set to true, the
      # connection will fail if the server certificate cannot be validated.
      #
      # Only applies if the connection type is tcp and TLS is enabled.
      #
      validateserver: true

      # CA Certificate Path
      #   Type:     string
      #   Values:   (file path)
      #   Default:  (none)
      #   Override: $SCOPE_EVENT_TLS_CA_CERT_PATH
      #
      # Leave this blank when validateserver is set to true and the local
      # OS-provided trusted CA certificates are used to validate the server's
      # certificate. To use a PEM certificate file instead, specify its 
      # full path; useful with self-signed certificates.
      #
      # Only applies if the connection type is tcp and TLS is enabled.
      #
      cacertpath: ''

# Settings for payloads
#
payload:

  # Enable payload capture
  #   Type:     boolean
  #   Values:   true, false
  #   Default:  false
  #   Override: $SCOPE_PAYLOAD_ENABLE
  #
  # This can produce large amounts of data from I/O-intensive programs and
  # should be considered carefully before being enabled.
  #
  # See `protocol` for a way to enable this for specific protocols instead of
  # all traffic.
  #
  enable: false

  # Directory for payload files
  #   Type:     string
  #   Values:   (directory path)
  #   Default:  /tmp
  #   Override: $SCOPE_PAYLOAD_DIR
  #
  # Consider using a performant filesystem to reduce I/O performance impacts.
  #
  dir: '/tmp'

# Setting up the library
#
libscope:

  # Enable the config-event message on the event or `cribl` backend
  #   Type:     boolean
  #   Values:   true, false
  #   Default:  true
  #   Override: $SCOPE_CONFIG_EVENT
  #
  # The config-event message is the first one set on the connection and
  # contains details identifying the scoped program and the runtime configs.
  # It's more commonly referred to as the process-start message.
  #
  configevent: true

  # Metric summary interval
  #   Type:     integer
  #   Values:   1+ seconds
  #   Default:  10
  #   Override: $SCOPE_SUMMARY_PERIOD
  #
  # See also `metric > verbosity`.
  #
  summaryperiod : 10

  # Command directory 
  #   Type:     string
  #   Values:   (directory path)
  #   Default:  /tmp
  #   Override: $SCOPE_CMD_DIR
  #
  # The library looks here periodically (see `libscope > summaryperiod`) for a
  # file named scope.{pid} matching the current process. If found, it's loaded
  # and deleted. The file should contain environment variables, one per line.
  #
  #   SCOPE_METRIC_VERBOSITY=9
  #   SCOPE_EVENT_HTTP=false
  #
  # The given variables are applied to the running config just like startup.
  #
  commanddir : '/tmp'


  # Logging settings for the library
  #
  log:

    # Set logging verbosity
    #   Type:     string
    #   Values:   debug, info, warning, error, or none
    #   Default:  warning
    #   Override: $SCOPE_LOG_LEVEL
    #
    # When the `cribl` backend is enabled, this is forced to warning.
    #
    level: warning

    # Backend connection for logs
    #
    transport:

      # Set $SCOPE_LOG_DEST to override the type, host, port, and path configs
      # below. The environment variable should be set to a URL.
      #
      #   file:///tmp/output.log  send to a file; note the triple slash
      #   file://stdout           send to standard out
      #   file://stderr           send to standard error
      #   udp://host:port         send to a network server (UDP protocol)
      #   tcp://host:port         send to a network server (TCP protocol)
      #   unix://@abstractname    send to a unix domain server w/abstract addr
      #   unix:///var/run/mysock  send to a unix domain server w/filesystem addr
      #   edge                    send to cribl edge (over unix domain)
      #
      # Note: tls:// is not an option here. For TLS/SSL, use tcp://host:port and
      # set the $SCOPE_LOG_TLS_* variables.
  
      # Connection type
      #   Type:     string
      #   Values:   udp, tcp, unix, file, and edge
      #   Default:  file
      #   Override: the protocol token in the $SCOPE_LOG_DEST URL
      #
      type: file

      # Connection host/address
      #   Type:     string
      #   Values:   (hostname or IP address)
      #   Default:  (none)
      #   Override: the host token in the $SCOPE_LOG_DEST URL
      #
      #host: 

      # Connection port
      #   Type:     integer or string
      #   Values:   port number or service name
      #   Default:  (none)
      #   Override: the port token in the $SCOPE_LOG_DEST URL
      #
      #port: 

      # File path / unix domain socket path
      #   Type:     string
      #   Values:   (directory path, or socket path)
      #   Default:  '/tmp/scope.log'
      #   Override: the path token in the $SCOPE_LOG_DEST URL
      #
      # Applies when connection type is file or unix.
      #
      path: '/tmp/scope.log'

      # File buffering
      #   Type:     string
      #   Values:   line, full
      #   Default:  line
      #
      # Only applies when connection type is file.
      #
      # Set this to line if there's a chance that multiple scoped processes will
      # be writing to the same file. This prevents interleaving of lines and
      # scrambling of the log file. Setting this to full may improve performance
      # in single-writer scenarios.
      #
      buffer: line

# Settings for the `cribl` backend
#
cribl:

  # Enable the `cribl` backend
  #   Type:     boolean
  #   Values:   true, false
  #   Default:  true
  #   Override: $SCOPE_CRIBL_ENABLE
  #
  enable: true

  # Authentication token
  #   Type:     string
  #   Values:   (any)
  #   Default:  (none)
  #   Override: $SCOPE_CRIBL_AUTHTOKEN
  #
  # If set, the value is added as a top-level authToken property in the initial
  # config-event (header) sent to Cribl when the library connects.
  #
  #authtoken:

  # Backend connection for cribl
  #
  transport:

    # Set $SCOPE_CRIBL to override the type, host, port and socket path configs below.
    # The environment variable should be set to a URL.
    #
    #   tcp://host:port         send to a TCP server
    #   unix://@abstractname    send to a unix domain server w/abstract addr
    #   unix:///var/run/mysock  send to a unix domain server w/filesystem addr
    #   edge                    send to cribl edge (over unix domain)
    #
    # Note: tls:// is not an option here. For TLS/SSL, use tcp://host:port and
    # set the $SCOPE_CRIBL_TLS_* variables.
    #
    # Note: file:// is not supported here.
    #
    # Alternatively, set $SCOPE_CRIBL_CLOUD to the same URL and the library
    # sets $SCOPE_CRIBL_TLS_ENABLE=true, $SCOPE_CRIBL_TLS_VALIDATE_SERVER=true,
    # and $SCOPE_CRIBL_TLS_CA_CERT_PATH="" for you.

    # Connection type
    #   Type:     string
    #   Values:   tcp, unix, and edge
    #   Default:  edge
    #   Override: the protocol token in the $SCOPE_CRIBL or $SCOPE_CRIBL_CLOUD URL
    #
    type: edge

    # Connection host/address
    #   Type:     string
    #   Values:   (hostname or IP address)
    #   Default:  127.0.0.1
    #   Override: the host token in the $SCOPE_CRIBL or $SCOPE_CRIBL_CLOUD URL
    #
    # Only applies when the connection type is tcp.
    #
    host: 127.0.0.1

    # Connection port
    #   Type:     integer or string
    #   Values:   port number or service name
    #   Default:  10090
    #   Override: the port token in the $SCOPE_CRIBL or $SCOPE_CRIBL_CLOUD URL
    #
    # Defaults to 10090, which is the TCP port on the AppScope Source
    # in Cribl Stream or Cribl Edge. If you are using the cloud version, 
    # 10090 is the TLS port on the client-facing load balancer which is 
    # proxied to the cloud instance's TCP:10090 port, without TLS.
    #
    # Use 10091 here if you need to connect to Cribl.Cloud without TLS and
    # are not making any changes in the AppScope Source.
    #
    # Only applies when the connection type is tcp.
    #
    port: 10090

    # Unix domain socket path
    #   Type:     string
    #   Values:   socket path
    #   Default:  (none)
    #   Override: the socket_path token in the $SCOPE_CRIBL or $SCOPE_CRIBL_CLOUD URL
    #
    # Only applies when the connection type is unix.
    #
    #path: ''

    # TLS connection settings
    tls:

      # Enable TLS for the metrics backend
      #   Type:     boolean
      #   Values:   true, false
      #   Default:  false
      #   Override: $SCOPE_CRIBL_TLS_ENABLE or use $SCOPE_CRIBL_CLOUD
      #
      # Only applies when the connection type is tcp.
      #
      enable: false

      # Validate the TLS server certificate
      #   Type:     boolean
      #   Values:   true, false
      #   Default:  false
      #   Override: $SCOPE_CRIBL_TLS_VALIDATE_SERVER
      #
      # Set to false, works like the `curl -k` option. When set to true, the
      # connection will fail if the server certificate cannot be validated.
      #
      # Only applies if the connection type is tcp and TLS is enabled.
      #
      validateserver: true

      # CA Certificate Path
      #   Type:     string
      #   Values:   (file path)
      #   Default:  (none)
      #   Override: $SCOPE_CRIBL_TLS_CA_CERT_PATH
      #
      # Leave this blank when validateserver is set to true and the local
      # OS-provided trusted CA certificates are used to validate the server's
      # certificate. To use a PEM certificate file instead, specify its 
      # full path; useful with self-signed certificates.
      #
      # Only applies if the connection type is tcp and TLS is enabled.
      #
      cacertpath: ''

# Tags for events and metrics
#
tags:
  # `key: value` entries here become fields in generated events and metrics.
  #
  # Simple $EXAMPLE variables in the value will be replaced with the
  # corresponding environment variable values. The regex looks for dollar signs
  # followed by one or more alphanumeric or underscore characters. If the
  # corresponding environment variable is not set, the variable is left in the
  # value.
  #
  # Tags can also be added with environment variables prefixed with SCOPE_TAG_.
  # For example, SCOPE_TAG_service=eg is equivalent to the "service" example
  # below. The value of the environment variable may contain other variables
  # as described above too; e.g., SCOPE_TAG_user=\$USER.
  #
  #user: $USER
  #service: eg
  
# Protocol detection and handling
#
protocol:
  # Entries in this list define protocols that AppScope should detect in network
  # payloads and how to handle matches. The first packet seen on a channel is
  # checked against the regular expression in each entry in the order they
  # appear in this file. When one matches, later entries are skipped.
  #
  # Entries have the following properties:
  #
  #   name     String protocol name used in protocol-detect events and payload
  #            headers sent to Cribl Stream or Cribl Edge (required)
  #   regex    The regular expression to use (required)
  #   binary   Boolean indicating whether the regex should be applied to a
  #            hex-string version of the payload instead of the binary payload
  #            (default: false)
  #   len      The number of bytes to convert to hex when `binary` is true
  #            (default: 256)
  #   detect   Boolean indicating whether protocol-detect events should be
  #            generated (default: true)
  #   payload  Boolean indicating whether payload-processing should be enabled
  #            for matching streams (default: false)
  #
  # When payloads are enabled globally (`payload > enable`), the payload
  # options here are ignored.
  #
  # Warning: The `name` value is currently inserted into the JSON header for
  # payloads sent to Cribl Stream or Cribl Edge, so it cannot contain double 
  # quotes or backslashes without breaking the JSON. It needs to be kept fairly 
  # short, too, so the header doesn't exceed the 1k limit. If this becomes a 
  # problem, we'll consider adding logging and validation.
  #

  # Example for the plain-text Redis protocol using the default detect and
  # payload settings
  #
  #- name: Redis
  #  regex: "^[*]\\d+|^[+]\\w+|^[$]\\d+"

  # Example for the MongoDB protocol showing how to detect a binary protocol
  #
  #- name: Mongo
  #  regex: "^240100000000000000000000d407"
  #  binary: true
  #  len: 14

  # AppScope uses an internally defined protocol detector for HTTP like the
  # example below by default.
  #
  # Uncomment this and adjust as needed to override the defaults.
  #
  #- name: HTTP
  #  regex: "HTTP\\/1\\.[0-2]|PRI \\* HTTP\\/2\\.0\r\n\r\nSM\r\n\r\n"

  # AppScope uses an internally defined protocol detector for STATSD like the
  # example below by default.
  #
  # Uncomment this and adjust as needed to override the defaults.
  #
  #- name: STATSD
  #  regex: "^([^:]+):([\\d.]+)\\|(c|g|ms|s|h)"

  # AppScope uses another internally defined protocol detector for SSL/TLS like
  # the example below by default.
  #
  # Uncomment this entry to override the regex details or to set detect to
  # false. The payload setting here is never used. AppScope never sends
  # encrypted payloads to disk, to Cribl Stream, or to Cribl Edge.
  #
  #- name: TLS
  #  regex: "^(?:(?:16030[0-3].{4})|(?:8[0-9a-fA-F]{3}01))"
  #  binary: true
  #  len: 5


# Custom configs
#
custom:
  # Each custom entry has a name, a `filter` element, and a `config` element.
  # When a scoped process matches the filter(s), the setting defined
  # in the `config` element overrides previously-defined settings.
  #
  #   name:
  #     filter:
  #       ...
  #     config:
  #       ...
  #
  # Entries under `filter` are used to match aspects of a scoped process. There
  # must be at least one of them and all of them must match for the filter to
  # succeed. The following filters are supported.
  #
  #   procname: string
  #
  #     Matches if the given string value matches the basename of the scoped
  #     process.
  #
  #   arg: string
  #
  #     Matches if the given string value appears and a substring anywhere in
  #     the scoped process's full command line including an options and
  #     arguments.
  #
  #   hostname: string
  #
  #     Matches if the given string value matches the hostname of the machine
  #     where the scoped process is running.
  #     
  #   username: string
  #
  #     Matches if the given string value matches the username for the scoped
  #     process's UID.
  #     
  #   env: string
  #
  #     The string value is the name of an environment variable alone (i.e.
  #     "FOO") or with a value (i.e. "FOO=bar"). The filter matches if the
  #     environment variable is set and, in the later case, the value matches.
  #
  #   ancestor: string
  #
  #     Matches if given string matches the basename of the scoped process's
  #     parent, parent's parent, etc.
  #
  # The `config` section specifies the settings that should be overridden when
  # the filter matches. Entries under `config` use the same schema as the
  # top-level entries (without `custom`).
  #
  
  # Increase metric verbosity for processes owned by the "eg" user and running
  # on the "eg1" host.
  #
  #example:
  #  filter:
  #    username: eg
  #    hostname: eg1
  #  config:
  #    metric:
  #      format:
  #        verbosity: 7
  #    tags:
  #      service: eg

  # Enable the Cribl Stream destination for Nginx
  # processes. Both this entry and the `example` entry above would
  # apply if both filters match – so the service tag here would
  # override the one above. In this example, we use a Cribl.Cloud-managed 
  # Cribl Stream instance.
  #
  #nginx:
  #  filter:
  #    procname: nginx
  #  config:
  #    tags:
  #      service: nginx
  #    cribl:
  #      enable: true
  #      transport:
  #        type: tcp
  #        host: in.my-instance.logstream.cribl.cloud
  #        port: 10090
  #        tls:
  #          enable: true

# EOF