Config File

scope.yml is the sole library configuration file in AppScope.

The contents of the now-eliminated scope_protocol.yml configuration file reside in the protocol section of scope.yml.

scope.yml Config File

Below are the default contents of scope.yml:

#
# AppScope Runtime Configuration
#
# The AppScope library (`libscope.so`) starts with default configs that are
# mimicked here in this file; meaning, run with no config, or with the stock
# version of this config, and the results are the same.
#
# After loading defaults, the library looks for a config in the following
# places in the order shown. The first readable file found is used and the rest
# are ignored. Entries in the config file override the defaults.
# 
#   1. $SCOPE_CONF_PATH
#   2. $SCOPE_HOME/conf/scope.yml
#   3. $SCOPE_HOME/scope.yml
#   4. /etc/scope/scope.yml
#   5. $HOME/conf/scope.yml
#   6. $HOME/scope.yml
#   7. ./conf/scope.yml
#   8. ./scope.yml
#
# Next, SCOPE_* environment variables are used to override corresponding
# entries in the configs. Details are provided below for each setting and
# the corresponding environment variable names.
#
# Finally, if the `cribl > enable` config is true at this point, either from
# the config file or the $SCOPE_CRIBL/$SCOPE_CRIBL_CLOUD environment variable,
# the library forces the following:
#
#   - `metric > transport` is redirected to the `cribl` backend
#   - `metric > enable` is set to true
#   - `metric > format` is set to ndjson
#   - `event > transport` is redirected to the `cribl` backend
#   - `event > enable` is set to true
#   - `event > watch[]` with `name: http` is disabled
#   - `libscope > log > level` is set to warn
#   - `libscope > configevent` is set to true
#
# Use the `scope extract` command to get a copy of the default `scope.yml`.
#
# Use the command below to get a stripped down version of this config.
#
#   egrep -v '^ *#.*$' scope.yml | sed '/^$/d' >scope-minimal.yml
# 

# Settings for metrics
#
metric:

  # Enable the metrics backend
  #   Type:     boolean
  #   Values:   true, false
  #   Default:  true
  #   Override: $SCOPE_METRIC_ENABLE
  #
  # When the `cribl` backend is enabled, this is forced to true.
  #
  enable: true

  # Settings for the format of metric data
  format:

    # Metric format type
    #   Type:     string
    #   Values:   statsd, ndjson
    #   Default:  statsd
    #   Override: $SCOPE_METRIC_FORMAT
    #
    # When the `cribl` backend is enabled, this is forced to ndjson.
    #
    type: statsd

    # Prefix for statsd metrics; ignored if type isn't statsd
    #   Type:     string
    #   Values:   (and string)
    #   Default:  (none)
    #   Override: $SCOPE_STATSD_PREFIX
    #
    statsdprefix:

    # Maximum length of formatted statsd metrics; ignored unless type is statsd
    #   Type:     integer
    #   Values:   (greater than zero)
    #   Default:  512
    #   Override: $SCOPE_STATSD_MAXLEN
    #
    statsdmaxlen: 512

    # Metric verbosity level
    #   Type:     integer
    #   Values:   0-9
    #   Default:  4
    #   Override: $SCOPE_METRIC_VERBOSITY
    #
    # This setting controls two different aspects of the metrics generated by
    # the library: tag cardinality and aggregation. Lower values reduce the
    # verbosity of metric data produced, while higher values increase it.
    #
    # Metrics have at a minimum name, value, and type properties. Optional tags
    # can be added to provide additional detail on the measurement. The library
    # adds expanded Statsd tags depending on the value of this setting as
    # described below. These affect the cardinality of the metrics data.
    #   
    #   0  none
    #   1  adds data and unit
    #   2  adds class and proto
    #   3  adds op
    #   4  adds pid, host, proc, and http_status
    #   5  adds domain and file
    #   6  adds localip, remoteip, localp, port, and remotep
    #   7  adds fd and args
    #   8  adds duration, numops, req_per_sec, req, resp, and protocol
    #
    # The library counts various events and generates metrics for them
    # periodically. The verbosity config disables this metric aggregation for
    # groups of events. When disabled, events that would normally have been
    # summarized in an aggregate metric are instead sent as individual metrics
    # with a count of 1 and additional details from the event added, e.g.,
    # operation, filename, process, error code, etc.
    #
    #   0-4 full metric aggregation
    #   5   disable error metric aggregation
    #   6   disable filesystem open/close and DNS metric aggregation
    #   7   disable filesystem stat and network connect metric aggregation
    #   8   disable filesystem seek metric aggregation
    #   9   disable filesystem read/write and network send/recv metric aggregation
    #
    verbosity : 4

  # Backend connection for metrics
  #
  # When the `cribl` backend is enabled, these settings are ignored and metrics
  # are instead sent to the `cribl` backend.
  #
  transport:

    # Set $SCOPE_METRIC_DEST to override the type, host, port, and path configs
    # below.  The environment variable should be set to a URL.
    #
    #   file:///tmp/output.log  send to a file; note the triple slash
    #   file://stdout           send to standard out
    #   file://stderr           send to standard error
    #   udp://host:port         send to a network server (UDP protocol)
    #   tcp://host:port         send to a network server (TCP protocol)
    #   unix://@abstractname    send to a unix domain server w/abstract addr
    #   unix:///var/run/mysock  send to a unix domain server w/filesystem addr
    #
    # Note: tls:// is not an option here. For TLS/SSL, use tcp://host:port and
    # set the $SCOPE_METRIC_TLS_* variables.

    # Connection type
    #   Type:     string
    #   Values:   udp, tcp, unix, and file
    #   Default:  udp
    #   Override: the protocol token in the $SCOPE_METRIC_DEST URL
    #
    type: udp

    # Connection host/address
    #   Type:     string
    #   Values:   (hostname or IP address)
    #   Default:  127.0.0.1
    #   Override: the host token in the $SCOPE_METRIC_DEST URL
    #
    host: 127.0.0.1

    # Connection port
    #   Type:     integer or string
    #   Values:   IP port number or service name
    #   Default:  8125
    #   Override: the port token in the $SCOPE_METRIC_DEST URL
    #
    # The default 8125 is for normal statsd services.
    #
    port: 8125

    # File path / unix domain socket path
    #   Type:     string
    #   Values:   (directory path, or socket path)
    #   Default:  (none)
    #   Override: the path token in the $SCOPE_METRIC_DEST URL
    #
    # Applies when connection type is file or unix.
    #
    #path:

    # File buffering
    #   Type:     string
    #   Values:   line, full
    #   Default:  line
    #
    # Only applies when connection type is file
    #
    # Set this to line if there's a chance that multiple scoped processes will
    # be writing to the same file. This prevents interleaving of lines and
    # scrambling of the log file. Setting this to full may improve performance
    # in single-writer scenarios.
    #
    #buffer: line

    # TLS connection settings
    tls:

      # Enable TLS for the metrics backend
      #   Type:     boolean
      #   Values:   true, false
      #   Default:  false
      #   Override: $SCOPE_METRIC_TLS_ENABLE
      #
      # Only applies when the connection type is tcp.
      #
      enable: false

      # Validate the TLS server certificate
      #   Type:     boolean
      #   Values:   true, false
      #   Default:  false
      #   Override: $SCOPE_METRIC_TLS_VALIDATE_SERVER
      #
      # Set to false, works like the `curl -k` option. When set to true, the
      # connection will fail if the server certificate cannot be validated.
      #
      # Only applies if the connection type is tcp and TLS is enabled.
      #
      validateserver: true

      # CA Certificate Path
      #   Type:     string
      #   Values:   (file path)
      #   Default:  (none)
      #   Override: $SCOPE_METRIC_TLS_CA_CERT_PATH
      #
      # Leave this blank when validateserver is set to true and the local
      # OS-provided trusted CA certificates are used to validate the server's
      # certificate. To use a PEM certificate file instead, specify its 
      # full path; useful with self-signed certificates.
      #
      # Only applies if the connection type is tcp and TLS is enabled.
      #
      cacertpath: ''

# Settings for events
#
event:

  # Enable the events backend
  #   Type:     boolean
  #   Values:   true, false
  #   Default:  true
  #   Override: $SCOPE_EVENT_ENABLE
  #
  # When the `cribl` backend is enabled, this is forced to true.
  #
  enable: true

  # Tags can be applied to events as with metrics. Settings are in
  # the `metric > tags` section. See the notes there for details.

  # Settings for the format of event data
  format:

    # Metric format type
    #   Type:     string
    #   Values:   ndjson
    #   Default:  ndjson
    #   Override: $SCOPE_EVENT_FORMAT
    #
    type: ndjson

    # Event rate limiter
    #   Type:     integer
    #   Values:   0+
    #   Default:  10000
    #   Override: $SCOPE_EVENT_MAXEPS
    #
    # Set this to 0 to disable the limiter.
    #
    maxeventpersec: 10000

    # Enable enhanced filesystem event data
    #   Type:     boolean
    #   Values:   true, false
    #   Default:  true
    #   Override: $SCOPE_ENHANCE_FS
    #
    # When set to true, `event > watch[*] > type=fs` is enabled. We add uid,
    # gid, and mode to open events.
    #
    enhancefs: true

  # The `event > watch[*]` array contains objects that enable different
  # categories of events. Their type property specifies the category. The
  # rest are filters, so only matching events are generated. Comment out an
  # array entry to disable the category.
  watch:

    # The file category includes writes to files. It's intended primarily for
    # monitoring log files but is capable of generating events to writes to any
    # file. The name and value properties are regular expressions applied to
    # the filename and written data, respectively. Events will be generated when
    # both match.
    #
    # Set $SCOPE_EVENT_LOGFILE to true or false to enable or disable this
    # category. The regular expressions can be set with
    # $SCOPE_EVENT_LOGFILE_NAME and $SCOPE_EVENT_LOGFILE_VALUE.
    #
    - type: file
      name: (\/logs?\/)|(\.log$)|(\.log[.\d])
      value: .*

    # The console category includes writes to standard out and error and is
    # intended for monitoring console output, especially in containerized
    # environments where logging to files isn't commonly done. The name and
    # value properties are regular expressions applied to the filename and
    # written data, respectively. Events will be generated when both match.
    #
    # Set $SCOPE_EVENT_CONSOLE to true or false to enable or disable this
    # category. The regular expressions can be set with
    # $SCOPE_EVENT_CONSOLE_NAME and $SCOPE_EVENT_CONSOLE_VALUE.
    #
    - type: console
      name: (stdout)|(stderr)
      value: .*

    # The net category includes network operations like listen, connect, close,
    # send, recv, etc. The name, field, and value properties are regular
    # expressions applied to the corresponding event properties. Events will be
    # generated when all match.
    #
    # Set $SCOPE_EVENT_NET to true or false to enable or disable this
    # category. The regular expressions can be set with
    # $SCOPE_EVENT_NET_NAME, $SCOPE_EVENT_NET_FIELD, and $SCOPE_EVENT_NET_VALUE.
    #
    - type: net
      name: .*
      field: .*
      value: .*

    # The fs category includes filesystem operations like open, close, stat,
    # read, write, etc. The name, field, and value properties are regular
    # expressions applied to the corresponding event properties. Events will be
    # generated when all match.
    #
    # Set $SCOPE_EVENT_FS to true or false to enable or disable this
    # category. The regular expressions can be set with
    # $SCOPE_EVENT_FS_NAME, $SCOPE_EVENT_FS_FIELD, and $SCOPE_EVENT_FS_VALUE.
    #
    - type: fs
      name: .*
      field: .*
      value: .*

    # The dns category includes DNS request and response events. The name, field,
    # and value properties are regular expressions applied to the corresponding
    # event properties. Events will be generated when all match.
    #
    # Set $SCOPE_EVENT_DNS to true or false to enable or disable this
    # category. The regular expressions can be set with
    # $SCOPE_EVENT_DNS_NAME, $SCOPE_EVENT_DNS_FIELD, and $SCOPE_EVENT_DNS_VALUE.
    #
    - type: dns
      name: .*
      field: .*
      value: .*

    # The http category includes HTTP request and response events. It currently
    # only supports HTTP/1.x, not HTTP/2. The name, field, value, and headers
    # properties are regular expressions applied to the corresponding event
    # properties. Events will be generated when all match.
    #
    # Set $SCOPE_EVENT_HTTP to true or false to enable or disable this
    # category. The regular expressions can be set with $SCOPE_EVENT_HTTP_NAME,
    # $SCOPE_EVENT_HTTP_FIELD, $SCOPE_EVENT_HTTP_VALUE, and
    # $SCOPE_EVENT_HTTP_HEADER.
    #
    # When the `cribl` backend is enabled, this is disabled.
    #
    - type: http
      name: .*
      field: .*
      value: .*
      headers: .*                 # yes, this should be singular but it's not.

    # The metric category is very seldom used. It includes events for
    # operations that are included in the metric aggregation described earlier
    # in `metric > verbosity`. It essentially enables events the same way
    # that setting verbosity to 9 generates raw metrics. This is only ever used
    # as a last resort when tracking down a problem and should rarely, if ever,
    # be enabled. Fraught with peril!
    #
    # The name, field, and value properties are all regular expressions. Only
    # matching events will be generated.
    #
    # Warning: Enabling this may interfere with proper metric aggregation.
    #
    # Set $SCOPE_EVENT_METRIC to true or false to enable or disable this
    # category. The regular expressions can be set with
    # $SCOPE_EVENT_METRIC_NAME, $SCOPE_EVENT_METRIC_FIELD, and
    # $SCOPE_EVENT_METRIC_VALUE.
    #
    #- type: metric
    #  name: .*
    #  field: .*
    #  value: .*

  # Backend connection for events
  #
  # When the `cribl` backend is enabled, these settings are ignored and events
  # are instead sent to the `cribl` backend.
  #
  transport:

    # Set $SCOPE_EVENT_DEST to override the type, host, port, and path configs
    # below.  The environment variable should be set to a URL.
    #
    #   file:///tmp/output.log  send to a file; note the triple slash
    #   file://stdout           send to standard out
    #   file://stderr           send to standard error
    #   udp://host:port         send to a network server (UDP protocol)
    #   tcp://host:port         send to a network server (TCP protocol)
    #   unix://@abstractname    send to a unix domain server w/abstract addr
    #   unix:///var/run/mysock  send to a unix domain server w/filesystem addr
    #
    # Note: tls:// is not an option here. For TLS/SSL, use tcp://host:port and
    # set the $SCOPE_EVENT_TLS_* variables.

    # Connection type
    #   Type:     string
    #   Values:   udp, tcp, unix, and file
    #   Default:  tcp
    #   Override: the protocol token in the $SCOPE_EVENT_DEST URL
    #
    type: tcp

    # Connection host/address
    #   Type:     string
    #   Values:   (hostname or IP address)
    #   Default:  127.0.0.1
    #   Override: the host token in the $SCOPE_EVENT_DEST URL
    #
    host: 127.0.0.1

    # Connection port
    #   Type:     integer or string
    #   Values:   IP port number or service name
    #   Default:  9109
    #   Override: the port token in the $SCOPE_EVENT_DEST URL
    #
    port: 9109

    # File path / unix domain socket path
    #   Type:     string
    #   Values:   (directory path, or socket path)
    #   Default:  (none)
    #   Override: the path token in the $SCOPE_EVENT_DEST URL
    #
    # Applies when connection type is file or unix.
    #
    #path:

    # File buffering
    #   Type:     string
    #   Values:   line, full
    #   Default:  line
    #
    # Only applies when connection type is file.
    #
    # Set this to line if there's a chance that multiple scoped processes will
    # be writing to the same file. This prevents interleaving of lines and
    # scrambling of the log file. Setting this to full may improve performance
    # in single-writer scenarios.
    #
    #buffer: line

    # TLS connection settings
    tls:

      # Enable TLS for the events backend
      #   Type:     boolean
      #   Values:   true, false
      #   Default:  false
      #   Override: $SCOPE_EVENT_TLS_ENABLE
      #
      # Only applies when the connection type is tcp.
      #
      enable: false

      # Validate the TLS server certificate
      #   Type:     boolean
      #   Values:   true, false
      #   Default:  false
      #   Override: $SCOPE_EVENT_TLS_VALIDATE_SERVER
      #
      # Set to false, works like the `curl -k` option. When set to true, the
      # connection will fail if the server certificate cannot be validated.
      #
      # Only applies if the connection type is tcp and TLS is enabled.
      #
      validateserver: true

      # CA Certificate Path
      #   Type:     string
      #   Values:   (file path)
      #   Default:  (none)
      #   Override: $SCOPE_EVENT_TLS_CA_CERT_PATH
      #
      # Leave this blank when validateserver is set to true and the local
      # OS-provided trusted CA certificates are used to validate the server's
      # certificate. To use a PEM certificate file instead, specify its 
      # full path; useful with self-signed certificates.
      #
      # Only applies if the connection type is tcp and TLS is enabled.
      #
      cacertpath: ''

# Settings for payloads
#
payload:

  # Enable payload capture
  #   Type:     boolean
  #   Values:   true, false
  #   Default:  false
  #   Override: $SCOPE_PAYLOAD_ENABLE
  #
  # This can produce large amounts of data from I/O-intensive programs and
  # should be considered carefully before being enabled.
  #
  # See `protocol` for a way to enable this for specific protocols instead of
  # all traffic.
  #
  enable: false

  # Directory for payload files
  #   Type:     string
  #   Values:   (directory path)
  #   Default:  /tmp
  #   Override: $SCOPE_PAYLOAD_DIR
  #
  # Consider using a performant filesystem to reduce I/O performance impacts.
  #
  dir: '/tmp'

# Setting the the library
#
libscope:

  # Enable the config-event message on the event or `cribl` backend
  #   Type:     boolean
  #   Values:   true, false
  #   Default:  true
  #   Override: $SCOPE_CONFIG_EVENT
  #
  # The connect-event message is the first one set on the connection and
  # contains details identifying the scoped program and the runtime configs.
  # It's  more commonly referred to as the process-start message.
  #
  configevent: true

  # Metric summary interval
  #   Type:     integer
  #   Values:   1+ seconds
  #   Default:  10
  #   Override: $SCOPE_SUMMARY_PERIOD
  #
  # See also `metric > verbosity`.
  #
  summaryperiod : 10

  # Command directory 
  #   Type:     string
  #   Values:   (directory path)
  #   Default:  /tmp
  #   Override: $SCOPE_CMD_DIR
  #
  # The library looks here periodically (see `libscope > summaryperiod`) for a
  # file named scope.{pid} matching the current process. If found, it's loaded
  # and deleted. The file should contain environment variables, one per line.
  #
  #   SCOPE_METRIC_VERBOSITY=9
  #   SCOPE_EVENT_HTTP=false
  #
  # The given variables are applied to the running config just like startup.
  #
  commanddir : '/tmp'


  # Logging settings for the library
  #
  log:

    # Set logging verbosity
    #   Type:     string
    #   Values:   debug, info, warning, error, or none
    #   Default:  warning
    #   Override: $SCOPE_LOG_LEVEL
    #
    # When the `cribl` backend is enabled, this is forced to warning.
    #
    level: warning

    # Backend connection for logs
    #
    transport:

      # Set $SCOPE_LOG_DEST to override the type, host, port, and path configs
      # below.  The environment variable should be set to a URL.
      #
      #   file:///tmp/output.log  send to a file; note the triple slash
      #   file://stdout           send to standard out
      #   file://stderr           send to standard error
      #   udp://host:port         send to a network server (UDP protocol)
      #   tcp://host:port         send to a network server (TCP protocol)
      #   unix://@abstractname    send to a unix domain server w/abstract addr
      #   unix:///var/run/mysock  send to a unix domain server w/filesystem addr
      #
      # Note: tls:// is not an option here. For TLS/SSL, use tcp://host:port and
      # set the $SCOPE_LOG_TLS_* variables.
  
      # Connection type
      #   Type:     string
      #   Values:   udp, tcp, unix, and file
      #   Default:  file
      #   Override: the protocol token in the $SCOPE_LOG_DEST URL
      #
      type: file

      # Connection host/address
      #   Type:     string
      #   Values:   (hostname or IP address)
      #   Default:  (none)
      #   Override: the host token in the $SCOPE_LOG_DEST URL
      #
      #host: 

      # Connection port
      #   Type:     integer or string
      #   Values:   IP port number or service name
      #   Default:  (none)
      #   Override: the port token in the $SCOPE_LOG_DEST URL
      #
      #port: 

      # File path / unix domain socket path
      #   Type:     string
      #   Values:   (directory path, or socket path)
      #   Default:  '/tmp/scope.log'
      #   Override: the path token in the $SCOPE_LOG_DEST URL
      #
      # Applies when connection type is file or unix.
      #
      path: '/tmp/scope.log'

      # File buffering
      #   Type:     string
      #   Values:   line, full
      #   Default:  line
      #
      # Only applies when connection type is file.
      #
      # Set this to line if there's a chance that multiple scoped processes will
      # be writing to the same file. This prevents interleaving of lines and
      # scrambling of the log file. Setting this to full may improve performance
      # in single-writer scenarios.
      #
      buffer: line

# Settings for the `cribl` backend
#
cribl:

  # Enable the `cribl` backend
  #   Type:     boolean
  #   Values:   true, false
  #   Default:  false
  #
  # This is set to true if $SCOPE_CRIBL or $SCOPE_CRIBL_CLOUD is set to a valid
  # transport URL.
  #
  enable: false

  # Authentication token
  #   Type:     string
  #   Values:   (any)
  #   Default:  (none)
  #   Override: $SCOPE_CRIBL_AUTHTOKEN
  #
  # If set, the value is added as a top-level authToken property in the initial
  # config-event (header) sent to Cribl when the library connects.
  #
  #authtoken:

  # Backend connection for cribl
  #
  transport:

    # Set $SCOPE_CRIBL to override the type, host, and port configs below. The
    # environment variable should be set to a URL.
    #
    #   tcp://host:port         send to a TCP server
    #
    # Note: tls:// is not an option here. For TLS/SSL, use tcp://host:port and
    # set the $SCOPE_CRIBL_TLS_* variables.
    #
    # Note: file:// is not supported here.
    #
    # Alternatively, set $SCOPE_CRIBL_CLOUD to the same URL and the library
    # sets $SCOPE_CRIBL_TLS_ENABLE=true, $SCOPE_CRIBL_TLS_VALIDATE_SERVER=true,
    # and $SCOPE_CRIBL_TLS_CA_CERT_PATH="" for you.

    # Connection type
    #   Type:     string
    #   Values:   tcp
    #   Default:  tcp
    #   Override: the protocol token in the $SCOPE_CRIBL or $SCOPE_CRIBL_CLOUD URL
    #
    type: tcp

    # Connection host/address
    #   Type:     string
    #   Values:   (hostname or IP address)
    #   Default:  127.0.0.1
    #   Override: the host token in the $SCOPE_CRIBL or $SCOPE_CRIBL_CLOUD URL
    #
    host: 127.0.0.1

    # Connection port
    #   Type:     integer or string
    #   Values:   IP port number or service name
    #   Default:  10090
    #   Override: the port token in the $SCOPE_CRIBL or $SCOPE_CRIBL_CLOUD URL
    #
    # Defaults to 10090, which is the TCP port on the AppScope Source
    # in LogStream. If you are using the cloud version, 10090 is the TLS port
    # on the client-facing load balancer which is proxied to the cloud instance's
    # TCP:10090 port, without TLS.
    #
    # Use 10091 here if you need to connect to Cribl Cloud without TLS and
    # are not making any changes in the AppScope Source.
    #
    port: 10090

    # TLS connection settings
    tls:

      # Enable TLS for the metrics backend
      #   Type:     boolean
      #   Values:   true, false
      #   Default:  false
      #   Override: $SCOPE_CRIBL_TLS_ENABLE or use $SCOPE_CRIBL_CLOUD
      #
      # Only applies when the connection type is tcp.
      #
      enable: false

      # Validate the TLS server certificate
      #   Type:     boolean
      #   Values:   true, false
      #   Default:  false
      #   Override: $SCOPE_CRIBL_TLS_VALIDATE_SERVER
      #
      # Set to false, works like the `curl -k` option. When set to true, the
      # connection will fail if the server certificate cannot be validated.
      #
      # Only applies if the connection type is tcp and TLS is enabled.
      #
      validateserver: true

      # CA Certificate Path
      #   Type:     string
      #   Values:   (file path)
      #   Default:  (none)
      #   Override: $SCOPE_CRIBL_TLS_CA_CERT_PATH
      #
      # Leave this blank when validateserver is set to true and the local
      # OS-provided trusted CA certificates are used to validate the server's
      # certificate. To use a PEM certificate file instead, specify its 
      # full path; useful with self-signed certificates.
      #
      # Only applies if the connection type is tcp and TLS is enabled.
      #
      cacertpath: ''

# Tags for events and metrics
#
tags:
  # `key: value` entries here become fields in generated events and metrics.
  #
  # Simple $EXAMPLE variables in the value will be replaced with the
  # corresponding environment variable values. The regex looks for dollar signs
  # followed by one or more alphanumeric or underscore characters. If the
  # corresponding environment variable is not set, the variable is left in the
  # value.
  #
  # Tags can also be added with environment variables prefixed with SCOPE_TAG_.
  # For example, SCOPE_TAG_service=eg is equivalent to the "service" example
  # below. The value of the environment variable may contain other variables
  # as described above too; i.e. SCOPE_TAG_user=\$USER.
  #
  #user: $USER
  #service: eg
  
# Protocol detection and handling
#
protocol:
  # Entries in this list define protocols that AppScope should detect in network
  # payloads and how to handle matches. The first packet seen on a channel is
  # checked against the regular expression in each entry in the order they
  # appear in this file. When one matches, later entries are skipped.
  #
  # Entries have the following properties:
  #
  #   name     String protocol name used in protocol-detect events and payload
  #            headers sent to LogStream (required)
  #   regex    The regular expression to use (required)
  #   binary   Boolean indicating whether the regex should be applied to a
  #            hex-string version of the payload instead of the binary payload
  #            (default: false)
  #   len      The number of bytes to convert to hex when `binary` is true
  #            (default: 256)
  #   detect   Boolean indicating whether protocol-detect events should be
  #            generated (default: true)
  #   payload  Boolean indicating whether payload-processing should be enabled
  #            for matching streams (default: false)
  #
  # When payloads are enabled globally (`payload > enable`), the payload
  # options here are ignored.
  #
  # Warning: The `name` value is currently inserted into the JSON header for
  # payloads sent to LogStream so it cannot contain double quotes or
  # back-slashes without breaking the JSON. It needs to be kept fairly short
  # too so the header doesn't exceed the 1k limit. If this becomes a problem,
  # we'll consider adding logging and validation.
  #

  # Example for the plain-text Redis protocol using the default detect and
  # payload settings
  #
  #- name: Redis
  #  regex: "^[*]\\d+|^[+]\\w+|^[$]\\d+"

  # Example for the MongoDB protocol showing how to detect a binary protocol
  #
  #- name: Mongo
  #  regex: "^240100000000000000000000d407"
  #  binary: true
  #  len: 14

  # AppScope uses an internally defined protocol detector for HTTP like the
  # example below automatically when the LogStream backend is enabled.
  #
  # Uncomment this and adjust as needed to override the defaults or to enable
  # HTTP detection when not using LogStream.
  #
  #- name: HTTP
  #  regex: " HTTP\\/1\\.[0-2]|PRI \\* HTTP\\/2\\.0\r\n\r\nSM\r\n\r\n"
  #  detect: true
  #  payload: true

  # AppScope uses another internally defined protocol detector for TLS like the
  # example below by default.
  #
  # Uncomment this entry to override the regex details or to set detect to
  # false.  The payload setting here is never used. AppScope never sends
  # encrypted payloads to disk and only sends payloads to LogSteam during TLS
  # negotiation.
  #
  #- name: TLS
  #  regex: "^16030[0-3].{4}0[12]"
  #  binary: true
  #  len: 6


# Custom configs
#
custom:
  # Entries here represent overrides of the settings defined above for scoped
  # processes that match a set of filters. Each has a name and `filter` and
  # `config` entries as shown below.
  #
  #   name:
  #     filter:
  #       ...
  #     config:
  #       ...
  #
  # Entries under `filter` are used to match aspects of a scoped process. There
  # must be at least one of them and all of them must match for the filter to
  # succeed. The following filters are supported.
  #
  #   procname: string
  #
  #     Matches if the given string value matches the basename of the scoped
  #     process.
  #
  #   arg: string
  #
  #     Matches if the given string value appears and a substring anywhere in
  #     the scoped process's full command line including an options and
  #     arguments.
  #
  #   hostname: string
  #
  #     Matches if the given string value matches the hostname of the machine
  #     where the scoped process is running.
  #     
  #   username: string
  #
  #     Matches if the given string value matches the username for the scoped
  #     process's UID.
  #     
  #   env: string
  #
  #     The string value is the name of an environment variable alone (i.e.
  #     "FOO") or with a value (i.e. "FOO=bar"). The filter matches if the
  #     environment variable is set and, in the later case, the value matches.
  #
  #   ancestor: string
  #
  #     Matches if given string matches the basename of the scoped process's
  #     partent, parent's parent, etc.
  #
  # The `config` section specifies the settings that should be overridden when
  # the filter matches. Entries under `config` use the same schema as the
  # top-level entries (without `custom`).
  #
  
  # Increase metric verbosity for processes owned by the "eg" user and running
  # on the "eg1" host.
  #
  #example:
  #  filter:
  #    username: eg
  #    hostname: eg1
  #  config:
  #    metric:
  #      format:
  #        verbosity: 7
  #    tags:
  #      service: eg

  # Enable the Cribl/Logstream destination for Nginx processes. Both this entry
  # and the `example` entry above would apply if both filters match so the
  # service tag here would override the one above.
  #
  #nginx:
  #  filter:
  #    procname: nginx
  #  config:
  #    tags:
  #      service: nginx
  #    cribl:
  #      enable: true
  #      transport:
  #        type: tcp
  #        host: in.my-instance.logstream.cribl.cloud
  #        port: 10090
  #        tls:
  #          enable: true

# EOF