`scope.yml` is the sole library configuration file in AppScope. The contents of the now-eliminated `scope_protocol.yml` configuration file reside in the `protocol` section of `scope.yml`.

Below are the default contents of `scope.yml`:
#
# AppScope Runtime Configuration
#
# The AppScope library (`libscope.so`) starts with default configs that are
# mimicked here in this file; meaning, run with no config, or with the stock
# version of this config, and the results are the same.
#
# After loading defaults, the library looks for a config in the following
# places in the order shown. The first readable file found is used and the rest
# are ignored. Entries in the config file override the defaults.
#
# 1. $SCOPE_CONF_PATH
# 2. $SCOPE_HOME/conf/scope.yml
# 3. $SCOPE_HOME/scope.yml
# 4. /etc/scope/scope.yml
# 5. $HOME/conf/scope.yml
# 6. $HOME/scope.yml
# 7. ./conf/scope.yml
# 8. ./scope.yml
#
# Next, SCOPE_* environment variables are used to override corresponding
# entries in the configs. Details are provided below for each setting and
# the corresponding environment variable names.
#
# Finally, if the `cribl > enable` config is true at this point, either from
# the config file or the $SCOPE_CRIBL/$SCOPE_CRIBL_CLOUD environment variable,
# the library forces the following:
#
# - `metric > transport` is redirected to the `cribl` backend
# - `metric > enable` is set to true
# - `metric > format` is set to ndjson
# - `event > transport` is redirected to the `cribl` backend
# - `event > enable` is set to true
# - `event > watch[]` with `name: http` is disabled
# - `libscope > log > level` is set to warning
# - `libscope > configevent` is set to true
#
# Use the `scope extract` command to get a copy of the default `scope.yml`.
#
# Use the command below to get a stripped down version of this config.
#
# egrep -v '^ *#.*$' scope.yml | sed '/^$/d' >scope-minimal.yml
#
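# Settings for metrics
#
metric:

  # Enable the metrics backend
  #   Type:     boolean
  #   Values:   true, false
  #   Default:  true
  #   Override: $SCOPE_METRIC_ENABLE
  #
  enable: true

  # Settings for the format of metric data
  format:

    # Metric format type
    #   Type:     string
    #   Values:   statsd, ndjson
    #   Default:  statsd
    #   Override: $SCOPE_METRIC_FORMAT
    #
    # When the `cribl` backend is enabled, this is forced to ndjson.
    #
    type: statsd

    # Prefix for statsd metrics; ignored if type isn't statsd
    #   Type:     string
    #   Values:   (any string)
    #   Default:  (none)
    #   Override: $SCOPE_STATSD_PREFIX
    #
    statsdprefix:

    # Maximum length of formatted statsd metrics; ignored unless type is statsd
    #   Type:     integer
    #   Values:   (greater than zero)
    #   Default:  512
    #   Override: $SCOPE_STATSD_MAXLEN
    #
    statsdmaxlen: 512

    # Metric verbosity level
    #   Type:     integer
    #   Values:   0-9
    #   Default:  4
    #   Override: $SCOPE_METRIC_VERBOSITY
    #
    # This setting controls two different aspects of the metrics generated by
    # the library: tag cardinality and aggregation. Lower values reduce the
    # verbosity of metric data produced, while higher values increase it.
    #
    # Metrics have at a minimum name, value, and type properties. Optional tags
    # can be added to provide additional detail on the measurement. The library
    # adds expanded Statsd tags depending on the value of this setting as
    # described below. These affect the cardinality of the metrics data.
    #
    #   0   none
    #   1   adds data and unit
    #   2   adds class and proto
    #   3   adds op
    #   4   adds pid, host, proc, and http_status
    #   5   adds domain and file
    #   6   adds localip, remoteip, localp, port, and remotep
    #   7   adds fd and args
    #   8   adds duration, numops, req_per_sec, req, resp, and protocol
    #
    # The library counts various events and generates metrics for them
    # periodically. The verbosity config disables this metric aggregation for
    # groups of events. When disabled, events that would normally have been
    # summarized in an aggregate metric are instead sent as individual metrics
    # with a count of 1 and additional details from the event added, e.g.,
    # operation, filename, process, error code, etc.
    #
    #   0-4 full metric aggregation
    #   5   disable error metric aggregation
    #   6   disable filesystem open/close and DNS metric aggregation
    #   7   disable filesystem stat and network connect metric aggregation
    #   8   disable filesystem seek metric aggregation
    #   9   disable filesystem read/write and network send/recv metric
    #       aggregation
    #
    verbosity: 4

  # The `metric > watch[*]` array contains objects that enable different
  # categories of metrics. Their type property specifies the category.
  # Comment out an array entry to disable the category. If you comment
  # out `metric > watch` entirely, the default metric watch list will be
  # used which has all categories enabled.
  #
  watch:

    # The statsd category creates metrics from statsd network traffic that is
    # sent from or received by the scoped process. This includes extended
    # statsd, where dimensions will be included in the metrics produced.
    # See the STATSD protocol detector for more info about how
    # network traffic is determined to contain statsd metric data.
    #
    # Set $SCOPE_METRIC_STATSD to true or false to enable or disable this
    # category.
    #
    - type: statsd

  # Backend connection for metrics
  #
  # When the `cribl` backend is enabled, these settings are ignored and metrics
  # are instead sent to the `cribl` backend.
  #
  transport:

    # Set $SCOPE_METRIC_DEST to override the type, host, port, and path configs
    # below. The environment variable should be set to a URL.
    #
    #   file:///tmp/output.log   send to a file; note the triple slash
    #   file://stdout            send to standard out
    #   file://stderr            send to standard error
    #   udp://host:port          send to a network server (UDP protocol)
    #   tcp://host:port          send to a network server (TCP protocol)
    #   unix://@abstractname     send to a unix domain server w/abstract addr
    #   unix:///var/run/mysock   send to a unix domain server w/filesystem addr
    #   edge                     send to cribl edge (over unix domain)
    #
    # Note: tls:// is not an option here. For TLS/SSL, use tcp://host:port and
    # set the $SCOPE_METRIC_TLS_* variables.

    # Connection type
    #   Type:     string
    #   Values:   udp, tcp, unix, file, and edge
    #   Default:  udp
    #   Override: the protocol token in the $SCOPE_METRIC_DEST URL
    #
    type: udp

    # Connection host/address
    #   Type:     string
    #   Values:   (hostname or IP address)
    #   Default:  127.0.0.1
    #   Override: the host token in the $SCOPE_METRIC_DEST URL
    #
    host: 127.0.0.1

    # Connection port
    #   Type:     integer or string
    #   Values:   IP port number or service name
    #   Default:  8125
    #   Override: the port token in the $SCOPE_METRIC_DEST URL
    #
    # The default 8125 is for normal statsd services.
    #
    port: 8125

    # File path / unix domain socket path
    #   Type:     string
    #   Values:   (directory path, or socket path)
    #   Default:  (none)
    #   Override: the path token in the $SCOPE_METRIC_DEST URL
    #
    # Applies when connection type is file or unix.
    #
    #path: ''

    # File buffering
    #   Type:     string
    #   Values:   line, full
    #   Default:  line
    #
    # Only applies when connection type is file.
    #
    # Set this to line if there's a chance that multiple scoped processes will
    # be writing to the same file. This prevents interleaving of lines and
    # scrambling of the log file. Setting this to full may improve performance
    # in single-writer scenarios.
    #
    #buffer: line

    # TLS connection settings
    tls:

      # Enable TLS for the metrics backend
      #   Type:     boolean
      #   Values:   true, false
      #   Default:  false
      #   Override: $SCOPE_METRIC_TLS_ENABLE
      #
      # Only applies when the connection type is tcp.
      #
      enable: false

      # Validate the TLS server certificate
      #   Type:     boolean
      #   Values:   true, false
      #   Default:  true
      #   Override: $SCOPE_METRIC_TLS_VALIDATE_SERVER
      #
      # When set to false, this works like the `curl -k` option: the server
      # certificate is not checked, so the peer's identity is unverified.
      # When set to true, the connection will fail if the server certificate
      # cannot be validated.
      #
      # NOTE(review): the stock value here is true; confirm it matches the
      # library's built-in default before relying on a config that omits it.
      #
      # Only applies if the connection type is tcp and TLS is enabled.
      #
      validateserver: true

      # CA Certificate Path
      #   Type:     string
      #   Values:   (file path)
      #   Default:  (none)
      #   Override: $SCOPE_METRIC_TLS_CA_CERT_PATH
      #
      # Leave this blank when validateserver is set to true and the local
      # OS-provided trusted CA certificates are used to validate the server's
      # certificate. To use a PEM certificate file instead, specify its
      # full path; useful with self-signed certificates.
      #
      # Only applies if the connection type is tcp and TLS is enabled.
      #
      cacertpath: ''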
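# Settings for events
#
event:

  # Enable the events backend
  #   Type:     boolean
  #   Values:   true, false
  #   Default:  true
  #   Override: $SCOPE_EVENT_ENABLE
  #
  enable: true

  # Tags can be applied to events as with metrics. Settings are in
  # the top-level `tags` section. See the notes there for details.

  # Settings for the format of event data
  format:

    # Event format type
    #   Type:     string
    #   Values:   ndjson
    #   Default:  ndjson
    #   Override: $SCOPE_EVENT_FORMAT
    #
    type: ndjson

    # Event rate limiter
    #   Type:     integer
    #   Values:   0+
    #   Default:  10000
    #   Override: $SCOPE_EVENT_MAXEPS
    #
    # Set this to 0 to disable the limiter.
    #
    maxeventpersec: 10000

    # Enable enhanced filesystem event data
    #   Type:     boolean
    #   Values:   true, false
    #   Default:  true
    #   Override: $SCOPE_ENHANCE_FS
    #
    # When set to true, `event > watch[*] > type=fs` is enabled. We add uid,
    # gid, and mode to open events.
    #
    enhancefs: true

  # The `event > watch[*]` array contains objects that enable different
  # categories of events. Their type property specifies the category.
  # The rest of the properties are filters, so only matching events are
  # generated. Comment out an array entry to disable the category. If you
  # comment out `event > watch` entirely, the default event watch list
  # will be used which has all but metric enabled.
  #
  # NOTE(review): the stock filters below match everything (`.*`), so file
  # writes, console output and HTTP headers are forwarded as written. Narrow
  # the regular expressions if that data may hold credentials or personal
  # data.
  #
  watch:

    # The file category includes writes to files. It's intended primarily for
    # monitoring log files but is capable of generating events for writes to
    # any file. The name and value properties are regular expressions applied
    # to the filename and written data, respectively. Events will be generated
    # when both match.
    #
    # Set $SCOPE_EVENT_LOGFILE to true or false to enable or disable this
    # category. The regular expressions can be set with
    # $SCOPE_EVENT_LOGFILE_NAME and $SCOPE_EVENT_LOGFILE_VALUE.
    #
    - type: file
      name: (\/logs?\/)|(\.log$)|(\.log[.\d])
      value: .*

    # The console category includes writes to standard out and error and is
    # intended for monitoring console output, especially in containerized
    # environments where logging to files isn't commonly done. The name and
    # value properties are regular expressions applied to the filename and
    # written data, respectively. Events will be generated when both match.
    #
    # Set $SCOPE_EVENT_CONSOLE to true or false to enable or disable this
    # category. The regular expressions can be set with
    # $SCOPE_EVENT_CONSOLE_NAME and $SCOPE_EVENT_CONSOLE_VALUE.
    #
    - type: console
      name: (stdout)|(stderr)
      value: .*

    # The net category includes network operations like listen, connect, close,
    # send, recv, etc. The name, field, and value properties are regular
    # expressions applied to the corresponding event properties. Events will be
    # generated when all match.
    #
    # Set $SCOPE_EVENT_NET to true or false to enable or disable this
    # category. The regular expressions can be set with
    # $SCOPE_EVENT_NET_NAME, $SCOPE_EVENT_NET_FIELD, and $SCOPE_EVENT_NET_VALUE.
    #
    - type: net
      name: .*
      field: .*
      value: .*

    # The fs category includes filesystem operations like open, close, stat,
    # read, write, etc. The name, field, and value properties are regular
    # expressions applied to the corresponding event properties. Events will be
    # generated when all match.
    #
    # Set $SCOPE_EVENT_FS to true or false to enable or disable this
    # category. The regular expressions can be set with
    # $SCOPE_EVENT_FS_NAME, $SCOPE_EVENT_FS_FIELD, and $SCOPE_EVENT_FS_VALUE.
    #
    - type: fs
      name: .*
      field: .*
      value: .*

    # The dns category includes DNS request and response events. The name,
    # field, and value properties are regular expressions applied to the
    # corresponding event properties. Events will be generated when all match.
    #
    # Set $SCOPE_EVENT_DNS to true or false to enable or disable this
    # category. The regular expressions can be set with
    # $SCOPE_EVENT_DNS_NAME, $SCOPE_EVENT_DNS_FIELD, and $SCOPE_EVENT_DNS_VALUE.
    #
    - type: dns
      name: .*
      field: .*
      value: .*

    # The http category includes HTTP request and response events. It currently
    # only supports HTTP/1.x, not HTTP/2. The name, field, value, and headers
    # properties are regular expressions applied to the corresponding event
    # properties. Events will be generated when all match.
    #
    # Set $SCOPE_EVENT_HTTP to true or false to enable or disable this
    # category. The regular expressions can be set with $SCOPE_EVENT_HTTP_NAME,
    # $SCOPE_EVENT_HTTP_FIELD, $SCOPE_EVENT_HTTP_VALUE, and
    # $SCOPE_EVENT_HTTP_HEADER.
    #
    # When the `cribl` backend is enabled, this is disabled.
    #
    - type: http
      name: .*
      field: .*
      value: .*
      headers: .*  # yes, this should be singular but it's not.

    # The metric category is very seldom used. It includes events for
    # operations that are included in the metric aggregation described earlier
    # in `metric > verbosity`. It essentially enables events the same way
    # that setting verbosity to 9 generates raw metrics. This is only ever used
    # as a last resort when tracking down a problem and should rarely, if ever,
    # be enabled. Fraught with peril!
    #
    # The name, field, and value properties are all regular expressions. Only
    # matching events will be generated.
    #
    # Warning: Enabling this may interfere with proper metric aggregation.
    #
    # Set $SCOPE_EVENT_METRIC to true or false to enable or disable this
    # category. The regular expressions can be set with
    # $SCOPE_EVENT_METRIC_NAME, $SCOPE_EVENT_METRIC_FIELD, and
    # $SCOPE_EVENT_METRIC_VALUE.
    #
    #- type: metric
    #  name: .*
    #  field: .*
    #  value: .*

  # Backend connection for events
  #
  # When the `cribl` backend is enabled, these settings are ignored and events
  # are instead sent to the `cribl` backend.
  #
  transport:

    # Set $SCOPE_EVENT_DEST to override the type, host, port, and path configs
    # below. The environment variable should be set to a URL.
    #
    #   file:///tmp/output.log   send to a file; note the triple slash
    #   file://stdout            send to standard out
    #   file://stderr            send to standard error
    #   udp://host:port          send to a network server (UDP protocol)
    #   tcp://host:port          send to a network server (TCP protocol)
    #   unix://@abstractname     send to a unix domain server w/abstract addr
    #   unix:///var/run/mysock   send to a unix domain server w/filesystem addr
    #   edge                     send to cribl edge (over unix domain)
    #
    # Note: tls:// is not an option here. For TLS/SSL, use tcp://host:port and
    # set the $SCOPE_EVENT_TLS_* variables.

    # Connection type
    #   Type:     string
    #   Values:   udp, tcp, unix, file, and edge
    #   Default:  tcp
    #   Override: the protocol token in the $SCOPE_EVENT_DEST URL
    #
    type: tcp

    # Connection host/address
    #   Type:     string
    #   Values:   (hostname or IP address)
    #   Default:  127.0.0.1
    #   Override: the host token in the $SCOPE_EVENT_DEST URL
    #
    host: 127.0.0.1

    # Connection port
    #   Type:     integer or string
    #   Values:   IP port number or service name
    #   Default:  9109
    #   Override: the port token in the $SCOPE_EVENT_DEST URL
    #
    port: 9109

    # File path / unix domain socket path
    #   Type:     string
    #   Values:   (directory path, or socket path)
    #   Default:  (none)
    #   Override: the path token in the $SCOPE_EVENT_DEST URL
    #
    # Applies when connection type is file or unix.
    #
    #path: ''

    # File buffering
    #   Type:     string
    #   Values:   line, full
    #   Default:  line
    #
    # Only applies when connection type is file.
    #
    # Set this to line if there's a chance that multiple scoped processes will
    # be writing to the same file. This prevents interleaving of lines and
    # scrambling of the log file. Setting this to full may improve performance
    # in single-writer scenarios.
    #
    #buffer: line

    # TLS connection settings
    tls:

      # Enable TLS for the events backend
      #   Type:     boolean
      #   Values:   true, false
      #   Default:  false
      #   Override: $SCOPE_EVENT_TLS_ENABLE
      #
      # Only applies when the connection type is tcp.
      #
      # With TLS disabled, tcp traffic is sent unencrypted; enable it when the
      # destination host is not the local machine.
      #
      enable: false

      # Validate the TLS server certificate
      #   Type:     boolean
      #   Values:   true, false
      #   Default:  true
      #   Override: $SCOPE_EVENT_TLS_VALIDATE_SERVER
      #
      # When set to false, this works like the `curl -k` option: the server
      # certificate is not checked, so the peer's identity is unverified.
      # When set to true, the connection will fail if the server certificate
      # cannot be validated.
      #
      # NOTE(review): the stock value here is true; confirm it matches the
      # library's built-in default before relying on a config that omits it.
      #
      # Only applies if the connection type is tcp and TLS is enabled.
      #
      validateserver: true

      # CA Certificate Path
      #   Type:     string
      #   Values:   (file path)
      #   Default:  (none)
      #   Override: $SCOPE_EVENT_TLS_CA_CERT_PATH
      #
      # Leave this blank when validateserver is set to true and the local
      # OS-provided trusted CA certificates are used to validate the server's
      # certificate. To use a PEM certificate file instead, specify its
      # full path; useful with self-signed certificates.
      #
      # Only applies if the connection type is tcp and TLS is enabled.
      #
      cacertpath: ''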
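# Settings for payloads
#
payload:

  # Enable payload capture
  #   Type:     boolean
  #   Values:   true, false
  #   Default:  false
  #   Override: $SCOPE_PAYLOAD_ENABLE
  #
  # This can produce large amounts of data from I/O-intensive programs and
  # should be considered carefully before being enabled.
  #
  # See `protocol` for a way to enable this for specific protocols instead of
  # all traffic.
  #
  enable: false

  # Directory for payload files
  #   Type:     string
  #   Values:   (directory path)
  #   Default:  /tmp
  #   Override: $SCOPE_PAYLOAD_DIR
  #
  # Consider using a performant filesystem to reduce I/O performance impacts.
  #
  # NOTE(review): payload files hold captured application traffic. /tmp is
  # typically shared by all local users; when enabling capture, prefer a
  # directory readable only by the account that needs the payloads.
  #
  dir: '/tmp'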
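# Setting up the library
#
libscope:

  # Enable the config-event message on the event or `cribl` backend
  #   Type:     boolean
  #   Values:   true, false
  #   Default:  true
  #   Override: $SCOPE_CONFIG_EVENT
  #
  # The config-event message is the first one sent on the connection and
  # contains details identifying the scoped program and the runtime configs.
  # It's more commonly referred to as the process-start message.
  #
  configevent: true

  # Metric summary interval
  #   Type:     integer
  #   Values:   1+ seconds
  #   Default:  10
  #   Override: $SCOPE_SUMMARY_PERIOD
  #
  # See also `metric > verbosity`.
  #
  summaryperiod: 10

  # Command directory
  #   Type:     string
  #   Values:   (directory path)
  #   Default:  /tmp
  #   Override: $SCOPE_CMD_DIR
  #
  # The library looks here periodically (see `libscope > summaryperiod`) for a
  # file named scope.{pid} matching the current process. If found, it's loaded
  # and deleted. The file should contain environment variables, one per line.
  #
  #     SCOPE_METRIC_VERBOSITY=9
  #     SCOPE_EVENT_HTTP=false
  #
  # The given variables are applied to the running config just like startup.
  #
  # NOTE(review): a file placed in this directory changes the running config
  # of a scoped process, and /tmp is typically writable by every local user.
  # Whether the library checks the file's owner is not stated here; prefer a
  # directory writable only by the account that runs the scoped process.
  #
  commanddir: '/tmp'

  # Logging settings for the library
  #
  log:

    # Set logging verbosity
    #   Type:     string
    #   Values:   debug, info, warning, error, or none
    #   Default:  warning
    #   Override: $SCOPE_LOG_LEVEL
    #
    # When the `cribl` backend is enabled, this is forced to warning.
    #
    level: warning

    # Backend connection for logs
    #
    transport:

      # Set $SCOPE_LOG_DEST to override the type, host, port, and path configs
      # below. The environment variable should be set to a URL.
      #
      #   file:///tmp/output.log   send to a file; note the triple slash
      #   file://stdout            send to standard out
      #   file://stderr            send to standard error
      #   udp://host:port          send to a network server (UDP protocol)
      #   tcp://host:port          send to a network server (TCP protocol)
      #   unix://@abstractname     send to a unix domain server w/abstract addr
      #   unix:///var/run/mysock   send to a unix domain server w/filesystem
      #                            addr
      #   edge                     send to cribl edge (over unix domain)
      #
      # Note: tls:// is not an option here. For TLS/SSL, use tcp://host:port
      # and set the $SCOPE_LOG_TLS_* variables.

      # Connection type
      #   Type:     string
      #   Values:   udp, tcp, unix, file, and edge
      #   Default:  file
      #   Override: the protocol token in the $SCOPE_LOG_DEST URL
      #
      type: file

      # Connection host/address
      #   Type:     string
      #   Values:   (hostname or IP address)
      #   Default:  (none)
      #   Override: the host token in the $SCOPE_LOG_DEST URL
      #
      #host:

      # Connection port
      #   Type:     integer or string
      #   Values:   IP port number or service name
      #   Default:  (none)
      #   Override: the port token in the $SCOPE_LOG_DEST URL
      #
      #port:

      # File path / unix domain socket path
      #   Type:     string
      #   Values:   (directory path, or socket path)
      #   Default:  '/tmp/scope.log'
      #   Override: the path token in the $SCOPE_LOG_DEST URL
      #
      # Applies when connection type is file or unix.
      #
      # NOTE(review): this is a fixed, predictable path in a directory that
      # is typically shared by all local users; consider a log directory
      # with restricted permissions.
      #
      path: '/tmp/scope.log'

      # File buffering
      #   Type:     string
      #   Values:   line, full
      #   Default:  line
      #
      # Only applies when connection type is file.
      #
      # Set this to line if there's a chance that multiple scoped processes
      # will be writing to the same file. This prevents interleaving of lines
      # and scrambling of the log file. Setting this to full may improve
      # performance in single-writer scenarios.
      #
      buffer: line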
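# Settings for the `cribl` backend
#
cribl:

  # Enable the `cribl` backend
  #   Type:     boolean
  #   Values:   true, false
  #   Default:  true
  #   Override: $SCOPE_CRIBL_ENABLE
  #
  enable: true

  # Authentication token
  #   Type:     string
  #   Values:   (any)
  #   Default:  (none)
  #   Override: $SCOPE_CRIBL_AUTHTOKEN
  #
  # If set, the value is added as a top-level authToken property in the initial
  # config-event (header) sent to Cribl when the library connects.
  #
  # NOTE(review): a token set here is stored in plain text, so restrict read
  # access to this file. Because the token travels in the config-event, enable
  # TLS when the connection type is tcp.
  #
  #authtoken:

  # Backend connection for cribl
  #
  transport:

    # Set $SCOPE_CRIBL to override the type, host, port and socket path configs
    # below. The environment variable should be set to a URL.
    #
    #   tcp://host:port          send to a TCP server
    #   unix://@abstractname     send to a unix domain server w/abstract addr
    #   unix:///var/run/mysock   send to a unix domain server w/filesystem addr
    #   edge                     send to cribl edge (over unix domain)
    #
    # Note: tls:// is not an option here. For TLS/SSL, use tcp://host:port and
    # set the $SCOPE_CRIBL_TLS_* variables.
    #
    # Note: file:// is not supported here.
    #
    # Alternatively, set $SCOPE_CRIBL_CLOUD to the same URL and the library
    # sets $SCOPE_CRIBL_TLS_ENABLE=true, $SCOPE_CRIBL_TLS_VALIDATE_SERVER=true,
    # and $SCOPE_CRIBL_TLS_CA_CERT_PATH="" for you.

    # Connection type
    #   Type:     string
    #   Values:   tcp, unix, and edge
    #   Default:  edge
    #   Override: the protocol token in the $SCOPE_CRIBL or $SCOPE_CRIBL_CLOUD
    #             URL
    #
    type: edge

    # Connection host/address
    #   Type:     string
    #   Values:   (hostname or IP address)
    #   Default:  127.0.0.1
    #   Override: the host token in the $SCOPE_CRIBL or $SCOPE_CRIBL_CLOUD URL
    #
    # Only applies when the connection type is tcp.
    #
    host: 127.0.0.1

    # Connection port
    #   Type:     integer or string
    #   Values:   IP port number or service name
    #   Default:  10090
    #   Override: the port token in the $SCOPE_CRIBL or $SCOPE_CRIBL_CLOUD URL
    #
    # Defaults to 10090, which is the TCP port on the AppScope Source
    # in LogStream. If you are using the cloud version, 10090 is the TLS port
    # on the client-facing load balancer which is proxied to the cloud
    # instance's TCP:10090 port, without TLS.
    #
    # Use 10091 here if you need to connect to Cribl Cloud without TLS and
    # are not making any changes in the AppScope Source.
    #
    # Only applies when the connection type is tcp.
    #
    port: 10090

    # Unix domain socket path
    #   Type:     string
    #   Values:   socket path
    #   Default:  (none)
    #   Override: the socket_path token in the $SCOPE_CRIBL or
    #             $SCOPE_CRIBL_CLOUD URL
    #
    # Only applies when the connection type is unix.
    #
    #path: ''

    # TLS connection settings
    tls:

      # Enable TLS for the `cribl` backend
      #   Type:     boolean
      #   Values:   true, false
      #   Default:  false
      #   Override: $SCOPE_CRIBL_TLS_ENABLE or use $SCOPE_CRIBL_CLOUD
      #
      # Only applies when the connection type is tcp.
      #
      enable: false

      # Validate the TLS server certificate
      #   Type:     boolean
      #   Values:   true, false
      #   Default:  true
      #   Override: $SCOPE_CRIBL_TLS_VALIDATE_SERVER
      #
      # When set to false, this works like the `curl -k` option: the server
      # certificate is not checked, so the peer's identity is unverified.
      # When set to true, the connection will fail if the server certificate
      # cannot be validated.
      #
      # NOTE(review): the stock value here is true; confirm it matches the
      # library's built-in default before relying on a config that omits it.
      #
      # Only applies if the connection type is tcp and TLS is enabled.
      #
      validateserver: true

      # CA Certificate Path
      #   Type:     string
      #   Values:   (file path)
      #   Default:  (none)
      #   Override: $SCOPE_CRIBL_TLS_CA_CERT_PATH
      #
      # Leave this blank when validateserver is set to true and the local
      # OS-provided trusted CA certificates are used to validate the server's
      # certificate. To use a PEM certificate file instead, specify its
      # full path; useful with self-signed certificates.
      #
      # Only applies if the connection type is tcp and TLS is enabled.
      #
      cacertpath: ''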
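# Tags for events and metrics
#
tags:

  # `key: value` entries here become fields in generated events and metrics.
  #
  # Simple $EXAMPLE variables in the value will be replaced with the
  # corresponding environment variable values. The regex looks for dollar signs
  # followed by one or more alphanumeric or underscore characters. If the
  # corresponding environment variable is not set, the variable is left in the
  # value.
  #
  # Tags can also be added with environment variables prefixed with SCOPE_TAG_.
  # For example, SCOPE_TAG_service=eg is equivalent to the "service" example
  # below. The value of the environment variable may contain other variables
  # as described above too; e.g. SCOPE_TAG_user=\$USER.
  #
  # NOTE(review): an expanded value is attached to every event and metric
  # sent to the backend, so do not reference environment variables that hold
  # secrets.
  #
  #user: $USER
  #service: eg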
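# Protocol detection and handling
#
protocol:

  # Entries in this list define protocols that AppScope should detect in
  # network payloads and how to handle matches. The first packet seen on a
  # channel is checked against the regular expression in each entry in the
  # order they appear in this file. When one matches, later entries are
  # skipped.
  #
  # Entries have the following properties:
  #
  #   name     String protocol name used in protocol-detect events and payload
  #            headers sent to LogStream (required)
  #   regex    The regular expression to use (required)
  #   binary   Boolean indicating whether the regex should be applied to a
  #            hex-string version of the payload instead of the binary payload
  #            (default: false)
  #   len      The number of bytes to convert to hex when `binary` is true
  #            (default: 256)
  #   detect   Boolean indicating whether protocol-detect events should be
  #            generated (default: true)
  #   payload  Boolean indicating whether payload-processing should be enabled
  #            for matching streams (default: false)
  #
  # When payloads are enabled globally (`payload > enable`), the payload
  # options here are ignored.
  #
  # Warning: The `name` value is currently inserted into the JSON header for
  # payloads sent to LogStream so it cannot contain double quotes or
  # back-slashes without breaking the JSON. It needs to be kept fairly short
  # too so the header doesn't exceed the 1k limit. If this becomes a problem,
  # we'll consider adding logging and validation.
  #
  # Example for the plain-text Redis protocol using the default detect and
  # payload settings
  #
  #- name: Redis
  #  regex: "^[*]\\d+|^[+]\\w+|^[$]\\d+"

  # Example for the MongoDB protocol showing how to detect a binary protocol
  #
  #- name: Mongo
  #  regex: "^240100000000000000000000d407"
  #  binary: true
  #  len: 14

  # AppScope uses an internally defined protocol detector for HTTP like the
  # example below automatically when the LogStream backend is enabled.
  #
  # Uncomment this and adjust as needed to override the defaults or to enable
  # HTTP detection when not using LogStream.
  #
  #- name: HTTP
  #  regex: " HTTP\\/1\\.[0-2]|PRI \\* HTTP\\/2\\.0\r\n\r\nSM\r\n\r\n"
  #  detect: true
  #  payload: true

  # AppScope uses an internally defined protocol detector for STATSD like the
  # example below by default.
  #
  # Uncomment this and adjust as needed to override the defaults.
  #
  #- name: STATSD
  #  regex: "^([^:]+):([\\d.]+)\\|(c|g|ms|s|h)"

  # AppScope uses another internally defined protocol detector for TLS like the
  # example below by default.
  #
  # Uncomment this entry to override the regex details or to set detect to
  # false. The payload setting here is never used. AppScope never sends
  # encrypted payloads to disk and only sends payloads to LogStream during TLS
  # negotiation.
  #
  #- name: TLS
  #  regex: "^16030[0-3].{4}0[12]"
  #  binary: true
  #  len: 6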
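# Custom configs
#
custom:

  # Entries here represent overrides of the settings defined above for scoped
  # processes that match a set of filters. Each has a name and `filter` and
  # `config` entries as shown below.
  #
  #   name:
  #     filter:
  #       ...
  #     config:
  #       ...
  #
  # Entries under `filter` are used to match aspects of a scoped process. There
  # must be at least one of them and all of them must match for the filter to
  # succeed. The following filters are supported.
  #
  #   procname: string
  #
  #     Matches if the given string value matches the basename of the scoped
  #     process.
  #
  #   arg: string
  #
  #     Matches if the given string value appears as a substring anywhere in
  #     the scoped process's full command line including any options and
  #     arguments.
  #
  #   hostname: string
  #
  #     Matches if the given string value matches the hostname of the machine
  #     where the scoped process is running.
  #
  #   username: string
  #
  #     Matches if the given string value matches the username for the scoped
  #     process's UID.
  #
  #   env: string
  #
  #     The string value is the name of an environment variable alone (i.e.
  #     "FOO") or with a value (i.e. "FOO=bar"). The filter matches if the
  #     environment variable is set and, in the latter case, the value matches.
  #
  #   ancestor: string
  #
  #     Matches if given string matches the basename of the scoped process's
  #     parent, parent's parent, etc.
  #
  # The `config` section specifies the settings that should be overridden when
  # the filter matches. Entries under `config` use the same schema as the
  # top-level entries (without `custom`).
  #
  # Increase metric verbosity for processes owned by the "eg" user and running
  # on the "eg1" host.
  #
  #example:
  #  filter:
  #    username: eg
  #    hostname: eg1
  #  config:
  #    metric:
  #      format:
  #        verbosity: 7
  #    tags:
  #      service: eg

  # Enable the Cribl/Logstream destination for Nginx processes. Both this entry
  # and the `example` entry above would apply if both filters match so the
  # service tag here would override the one above.
  #
  #nginx:
  #  filter:
  #    procname: nginx
  #  config:
  #    tags:
  #      service: nginx
  #    cribl:
  #      enable: true
  #      transport:
  #        type: tcp
  #        host: in.my-instance.logstream.cribl.cloud
  #        port: 10090
  #        tls:
  #          enable: true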
# EOF