Config File

appview.yml is the sole library configuration file in AppView.

In Cribl Edge or Cribl Stream, you can use the AppView Config Editor to create your own variants of appview.yml and save them in the AppView Config Library.

appview.yml Config File

Below are the default contents of appview.yml:

#
# AppView Runtime Configuration
#
# The AppView library (`libappview.so`) starts with default configs that are
# mimicked here in this file. This means that if you run AppView with the
# stock version of this config, you get the same results as if you run without
# any config.
#
# After loading defaults, the library looks for a config in the following
# places in the order shown. The first readable file found is used and the rest
# are ignored. Entries in the config file override the defaults.
#
#   1. $APPVIEW_CONF_PATH
#   2. $APPVIEW_HOME/conf/appview.yml
#   3. $APPVIEW_HOME/appview.yml
#   4. /etc/appview/appview.yml
#   5. $HOME/conf/appview.yml
#   6. $HOME/appview.yml
#   7. ./conf/appview.yml
#   8. ./appview.yml
#
# Next, APPVIEW_* environment variables are used to override corresponding
# entries in the configs. Details are provided below for each setting and
# the corresponding environment variable names.
#
# Finally, if the `cribl > enable` config is true at this point, either from
# the config file or the $APPVIEW_CRIBL/$APPVIEW_CRIBL_CLOUD environment variable,
# the library forces the following:
#
#   - `metric > transport` is superseded by the `cribl` transport
#   - `metric > enable` is set to true
#   - `metric > format` is set to ndjson
#   - `event > transport` is superseded by the `cribl` transport
#   - `event > enable` is set to true
#   - `libappview > log > level` is set to warning
#   - `libappview > configevent` is set to true
#
# Use the `appview extract` command to get a copy of the default `appview.yml`.
#
# Use the command below to get a stripped-down version of this config.
#
#   egrep -v '^ *#.*$' appview.yml | sed '/^$/d' >appview-minimal.yml
#
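
An added example, not part of appview.yml or AppView's own code: a Python model of the lookup order and the `cribl` overrides described in the header above, for checking which file a process will pick up and where its metrics and events end up. Skipping a location whose environment variable is unset, and modelling "superseded" by copying the `cribl` transport, are assumptions of this example; the sample environment and config are constructed.

```python
import copy
import os
import re

# Search order as listed in the header comment of appview.yml.
SEARCH_ORDER = (
    "$APPVIEW_CONF_PATH",
    "$APPVIEW_HOME/conf/appview.yml",
    "$APPVIEW_HOME/appview.yml",
    "/etc/appview/appview.yml",
    "$HOME/conf/appview.yml",
    "$HOME/appview.yml",
    "./conf/appview.yml",
    "./appview.yml",
)
VAR = re.compile(r"\$([A-Z_]+)")


def candidates(env):
    """Expand the search order for one process environment."""
    paths = []
    for template in SEARCH_ORDER:
        if any(not env.get(name) for name in VAR.findall(template)):
            continue  # assumption: an entry whose variable is unset is skipped
        paths.append(VAR.sub(lambda m: env[m.group(1)], template))
    return paths


def config_in_use(env, is_readable=None):
    """Return the first readable candidate, or None (library defaults only)."""
    is_readable = is_readable or (lambda p: os.access(p, os.R_OK))
    for path in candidates(env):
        if is_readable(path):
            return path
    return None


def cribl_enabled(cfg, env):
    """`cribl > enable` from the file, or $APPVIEW_CRIBL / $APPVIEW_CRIBL_CLOUD."""
    in_file = bool(cfg.get("cribl", {}).get("enable"))
    return in_file or bool(env.get("APPVIEW_CRIBL") or env.get("APPVIEW_CRIBL_CLOUD"))


def effective_config(cfg, env):
    """Apply the settings the header comment says are forced by `cribl`."""
    out = copy.deepcopy(cfg)
    if not cribl_enabled(out, env):
        return out
    cribl = out.setdefault("cribl", {})
    cribl["enable"] = True
    shared = cribl.get("transport", {})
    metric = out.setdefault("metric", {})
    metric["enable"] = True
    metric.setdefault("format", {})["type"] = "ndjson"
    metric["transport"] = shared  # superseded by the cribl transport
    event = out.setdefault("event", {})
    event["enable"] = True
    event["transport"] = shared   # superseded by the cribl transport
    lib = out.setdefault("libappview", {})
    lib.setdefault("log", {})["level"] = "warning"
    lib["configevent"] = True
    return out


# Constructed sample: a config that tries to keep metrics on local StatsD
# and events switched off, while leaving `cribl > enable` at true.
SAMPLE_ENV = {"APPVIEW_HOME": "/opt/appview", "HOME": "/home/svc"}
SAMPLE_CFG = {
    "metric": {"enable": False, "format": {"type": "statsd"},
               "transport": {"type": "udp", "host": "127.0.0.1", "port": 8125}},
    "event": {"enable": False,
              "transport": {"type": "tcp", "host": "127.0.0.1", "port": 9109}},
    "libappview": {"configevent": False, "log": {"level": "debug"}},
    "cribl": {"enable": True, "transport": {"type": "edge"}},
}

if __name__ == "__main__":
    readable = {"/home/svc/appview.yml", "./appview.yml"}  # constructed
    print("config in use:", config_in_use(SAMPLE_ENV, readable.__contains__))
    print("effective:", effective_config(SAMPLE_CFG, SAMPLE_ENV))
```
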

# Settings for the `metrics` feature
#
metric:

  # Enable the `metrics` feature
  #   Type:     boolean
  #   Values:   true, false
  #   Default:  true
  #   Override: $APPVIEW_METRIC_ENABLE
  #
  #
  enable: true

  # Settings for the format of metric data
  format:

    # Metric format type
    #   Type:     string
    #   Values:   statsd, ndjson
    #   Default:  statsd
    #   Override: $APPVIEW_METRIC_FORMAT
    #
    # When the `cribl` feature is enabled, this is forced to ndjson.
    #
    type: statsd

    # Prefix for StatsD metrics; ignored if type isn't statsd
    #   Type:     string
    #   Values:   (any string)
    #   Default:  (none)
    #   Override: $APPVIEW_STATSD_PREFIX
    #
    statsdprefix:

    # Maximum length of formatted StatsD metrics; ignored unless type is statsd
    #   Type:     integer
    #   Values:   (greater than zero)
    #   Default:  512
    #   Override: $APPVIEW_STATSD_MAXLEN
    #
    statsdmaxlen: 512

    # Metric verbosity level
    #   Type:     integer
    #   Values:   0-9
    #   Default:  4
    #   Override: $APPVIEW_METRIC_VERBOSITY
    #
    # This setting controls two different aspects of the metrics generated by
    # the library: tag cardinality and aggregation. Lower values reduce the
    # verbosity of metric data produced, while higher values increase it.
    #
    # Metrics have at a minimum name, value, and type properties. Optional tags
    # can be added to provide additional detail on the measurement. The library
    # adds expanded StatsD tags depending on the value of this setting as
    # described below. These affect the cardinality of the metrics data.
    #
    #   0  none
    #   1  adds data and unit
    #   2  adds class and proto
    #   3  adds op
    #   4  adds pid, host, proc, and http_status
    #   5  adds domain and file
    #   6  adds localip, remoteip, localp, port, and remotep
    #   7  adds fd and args
    #   8  adds duration, numops, req_per_sec, req, resp, and protocol
    #
    # The library counts various events and generates metrics for them
    # periodically. The verbosity config disables this metric aggregation for
    # groups of events. When disabled, events that would normally have been
    # summarized in an aggregate metric are instead sent as individual metrics
    # with a count of 1 and additional details from the event added, e.g.,
    # operation, filename, process, error code, etc.
    #
    #   0-4 full metric aggregation
    #   5   disable error metric aggregation
    #   6   disable filesystem open/close and DNS metric aggregation
    #   7   disable filesystem stat and network connect metric aggregation
    #   8   disable filesystem seek metric aggregation
    #   9   disable filesystem read/write and network send/recv metric aggregation
    #
    verbosity : 4

  # The `metric > watch[*]` array contains objects that enable different
  # categories of metrics. Their `type` property specifies the category.
  # Comment out an array entry to disable the category. If you comment
  # out `metric > watch` entirely, AppView will use the default metric
  # watch list, which enables all categories.
  #
  watch:
    # The statsd category creates metrics from StatsD network traffic that is
    # sent from or received by the viewed process. This includes extended
    # StatsD, where dimensions will be included in the metrics produced.
    # See the STATSD protocol detector for more info about how AppView
    # determines whether network traffic contains StatsD metric data.
    # Set $APPVIEW_METRIC_STATSD to true or false to enable or disable
    # this category.
    #
    - type: statsd

    # The filesystem category creates metrics from the viewed process' file reads,
    # writes, opens, closes, etc.
    #
    #   Type:     string
    #   Values:   fs
    #   Default:  fs
    #   Override: $APPVIEW_METRIC_FS
    #
    - type: fs

    # The network category creates metrics from the viewed process' network sends,
    # receives, socket opens, socket closes, etc.
    #
    #   Type:     string
    #   Values:   net
    #   Default:  net
    #   Override: $APPVIEW_METRIC_NET
    #
    - type: net

    # The HTTP category creates metrics from the viewed process' HTTP requests and
    # responses, including their timing, content length, etc.
    #   Type:     string
    #   Values:   http
    #   Default:  http
    #   Override: $APPVIEW_METRIC_HTTP
    #
    - type: http

    # The DNS category creates metrics from the viewed process' network DNS requests.
    #   Type:     string
    #   Values:   dns
    #   Default:  dns
    #   Override: $APPVIEW_METRIC_DNS
    #
    - type: dns

    # The process category creates metrics from the state of the viewed process,
    # e.g., number of open file descriptors, number of running threads,
    # memory usage, etc.
    #
    #   Type:     string
    #   Values:   process
    #   Default:  process
    #   Override: $APPVIEW_METRIC_PROC
    #
    - type: process

  # Settings for the `metrics` transport
  #
  # When the `cribl` feature is enabled, these settings are ignored,
  # and AppView sends metrics via the `cribl` transport rather than this one.
  #
  transport:

    # Set $APPVIEW_METRIC_DEST to override the type, host, port, and path configs
    # below. The environment variable should be set to a URL.
    #
    #   file:///tmp/output.log  send to a file; note the triple slash
    #   file://stdout           send to standard out
    #   file://stderr           send to standard error
    #   udp://host:port         send to a network server (UDP protocol)
    #   tcp://host:port         send to a network server (TCP protocol)
    #   unix://@abstractname    send to a unix domain server w/abstract addr
    #   unix:///var/run/mysock  send to a unix domain server w/filesystem addr
    #   edge                    send to cribl edge (over unix domain)
    #
    # Note: tls:// is not an option here. For TLS/SSL, use tcp://host:port and
    # set the $APPVIEW_METRIC_TLS_* variables.

    # Connection type
    #   Type:     string
    #   Values:   udp, tcp, unix, file, and edge
    #   Default:  udp
    #   Override: the protocol token in the $APPVIEW_METRIC_DEST URL
    #
    type: udp

    # Connection host/address
    #   Type:     string
    #   Values:   (hostname or IP address)
    #   Default:  127.0.0.1
    #   Override: the host token in the $APPVIEW_METRIC_DEST URL
    #
    host: 127.0.0.1

    # Connection port
    #   Type:     integer or string
    #   Values:   port number or service name
    #   Default:  8125
    #   Override: the port token in the $APPVIEW_METRIC_DEST URL
    #
    # The default 8125 is for normal StatsD services.
    #
    port: 8125

    # File path / UNIX domain socket path
    #   Type:     string
    #   Values:   (directory path, or socket path)
    #   Default:  (none)
    #   Override: the path token in the $APPVIEW_METRIC_DEST URL
    #
    # Applies when connection type is file or unix.
    #
    #path: ''

    # File buffering
    #   Type:     string
    #   Values:   line, full
    #   Default:  line
    #
    # Only applies when connection type is file.
    #
    # Set this to line if there's a chance that multiple viewed processes will
    # be writing to the same file. This prevents interleaving of lines and
    # scrambling of the log file. Setting this to full may improve performance
    # in single-writer scenarios.
    #
    #buffer: line

    # TLS connection settings
    tls:

      # Enable TLS for the `metrics` transport
      #   Type:     boolean
      #   Values:   true, false
      #   Default:  false
      #   Override: $APPVIEW_METRIC_TLS_ENABLE
      #
      # Only applies when the connection type is tcp.
      #
      enable: false

      # Validate the TLS server certificate
      #   Type:     boolean
      #   Values:   true, false
      #   Default:  false
      #   Override: $APPVIEW_METRIC_TLS_VALIDATE_SERVER
      #
      # Set to false, works like the `curl -k` option. When set to true, the
      # connection will fail if the server certificate cannot be validated.
      #
      # Only applies if the connection type is tcp and TLS is enabled.
      #
      validateserver: true

      # CA certification path
      #   Type:     string
      #   Values:   (file path)
      #   Default:  (none)
      #   Override: $APPVIEW_METRIC_TLS_CA_CERT_PATH
      #
      # Leave this blank when validateserver is set to true and the local
      # OS-provided trusted CA certificates are used to validate the server's
      # certificate. To use a PEM certificate file instead, specify its
      # full path; useful with self-signed certificates.
      #
      # Only applies if the connection type is tcp and TLS is enabled.
      #
      cacertpath: ''
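
An added example, not part of appview.yml or AppView's own code: a Python parser for the `$APPVIEW_*_DEST` URL forms listed above, plus a check of a transport against the TLS rules stated in the comments (TLS only applies to tcp; `validateserver: false` behaves like `curl -k`). The loopback list, the finding texts, the host names and the decision to flag non-loopback cleartext destinations are assumptions of this example.

```python
LOOPBACK = {"127.0.0.1", "::1", "[::1]", "localhost"}


def parse_dest(value):
    """Split an $APPVIEW_*_DEST value into type/host/port/path."""
    if value == "edge":
        return {"type": "edge"}
    scheme, sep, rest = value.partition("://")
    if not sep or not rest:
        raise ValueError(f"not a destination URL: {value!r}")
    if scheme == "tls":
        raise ValueError("tls:// is not accepted; use tcp:// and the *_TLS_* settings")
    if scheme == "file":
        # file://stdout and file://stderr name streams; a real path needs the
        # third slash (file:///tmp/output.log).
        if rest in ("stdout", "stderr") or rest.startswith("/"):
            return {"type": "file", "path": rest}
        raise ValueError(f"file path must be absolute (triple slash): {value!r}")
    if scheme == "unix":
        # Either an abstract address (@name) or a filesystem socket path.
        if rest.startswith("/") or (rest.startswith("@") and len(rest) > 1):
            return {"type": "unix", "path": rest}
        raise ValueError(f"expected unix://@name or unix:///path: {value!r}")
    if scheme in ("udp", "tcp"):
        host, colon, port = rest.rpartition(":")
        if not colon or not host or not port:
            raise ValueError(f"expected {scheme}://host:port: {value!r}")
        # The port may be a number or a service name.
        return {"type": scheme, "host": host,
                "port": int(port) if port.isdigit() else port}
    raise ValueError(f"unsupported scheme {scheme!r}")


def audit_transport(name, transport):
    """Return findings for one transport dict (type, host, port, tls)."""
    kind = transport.get("type")
    host = transport.get("host")
    tls = transport.get("tls") or {}
    remote = host not in LOOPBACK
    findings = []
    if tls.get("enable") and kind != "tcp":
        findings.append(f"{name}: tls.enable only applies to tcp (type is {kind})")
    if kind == "udp" and remote:
        findings.append(f"{name}: udp to {host} is cleartext; TLS needs tcp")
    if kind == "tcp" and not tls.get("enable") and remote:
        findings.append(f"{name}: tcp to {host} without TLS")
    if kind == "tcp" and tls.get("enable") and tls.get("validateserver") is not True:
        findings.append(f"{name}: server certificate is not validated (like curl -k)")
    return findings


def audit_dest(name, dest, tls):
    """Audit a *_DEST override together with the matching tls settings."""
    return audit_transport(name, dict(parse_dest(dest), tls=tls))


# The stock `metric > transport` block from the file above.
STOCK_METRIC = {"type": "udp", "host": "127.0.0.1", "port": 8125,
                "tls": {"enable": False, "validateserver": True, "cacertpath": ""}}

if __name__ == "__main__":
    print(audit_transport("metric", STOCK_METRIC))
    # Constructed host name for illustration.
    for tls in ({"enable": False}, {"enable": True, "validateserver": False}):
        print(audit_dest("event", "tcp://collector.example.internal:9109", tls))
```
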

# Settings for the `events` feature
#
event:

  # Enable the `events` feature
  #   Type:     boolean
  #   Values:   true, false
  #   Default:  true
  #   Override: $APPVIEW_EVENT_ENABLE
  #
  #
  enable: true

  # Settings for the format of event data
  format:

    # Event format type
    #   Type:     string
    #   Values:   ndjson
    #   Default:  ndjson
    #   Override: $APPVIEW_EVENT_FORMAT
    #
    type: ndjson

    # Event rate limiter
    #   Type:     integer
    #   Values:   0+
    #   Default:  10000
    #   Override: $APPVIEW_EVENT_MAXEPS
    #
    # Set this to 0 to disable the limiter.
    #
    maxeventpersec: 10000

    # Enable enhanced filesystem event data
    #   Type:     boolean
    #   Values:   true, false
    #   Default:  true
    #   Override: $APPVIEW_ENHANCE_FS
    #
    # When set to true, `event > watch[*] > type=fs` is enabled. We add uid,
    # gid, and mode to open events.
    #
    enhancefs: true

  # The `event > watch[*]` array contains objects that enable different
  # categories of events. Their `type` property specifies the category.
  # Comment out an array entry to disable the category. If you comment
  # out `event > watch` entirely, AppView will use the default event
  # watch list, which enables all categories except metric.
  #
  watch:

    # The file category includes writes to files. It's intended primarily for
    # monitoring log files, but is capable of generating events from writes to any
    # file. The name and value properties are regular expressions applied to
    # the filename and written data, respectively. Events will be generated when
    # both match.
    #
    # Set $APPVIEW_EVENT_LOGFILE to true or false to enable or disable this
    # category. The regular expressions can be set with
    # $APPVIEW_EVENT_LOGFILE_NAME and $APPVIEW_EVENT_LOGFILE_VALUE.
    #
    - type: file
      name: (\/logs?\/)|(\.log$)|(\.log[.\d]) # matches the filename
      value: .*                               # matches data read or written

    # The console category includes writes to standard out and error and is
    # intended for monitoring console output, especially in containerized
    # environments where logging to files isn't commonly done. The name and
    # value properties are regular expressions applied to the filename and
    # written data, respectively. Events will be generated when both match.
    #
    # Set $APPVIEW_EVENT_CONSOLE to true or false to enable or disable this
    # category. The regular expressions can be set with
    # $APPVIEW_EVENT_CONSOLE_NAME and $APPVIEW_EVENT_CONSOLE_VALUE.
    #
    # Set $APPVIEW_ALLOW_BINARY_CONSOLE to true or false to allow or disallow
    # emitting binary data for console events.
    #
    - type: console
      name: (stdout)|(stderr) # matches the output stream
      value: .*               # matches data written
      allowbinary: true

    # The net category includes open and close events on network connections.
    # The name, field, and value properties are regular expressions applied
    # to the corresponding event properties. Events will be generated when
    # all match.
    #
    # Set $APPVIEW_EVENT_NET to true or false to enable or disable this
    # category. The regular expressions can be set with
    # $APPVIEW_EVENT_NET_NAME, $APPVIEW_EVENT_NET_FIELD, and $APPVIEW_EVENT_NET_VALUE.
    #
    - type: net
      name: .*
      field: .*
      value: .*

    # The fs category includes filesystem operations like open, close,
    # and delete. The name, field, and value properties are regular
    # expressions applied to the corresponding event properties. Events
    # will be generated when all match.
    #
    # Set $APPVIEW_EVENT_FS to true or false to enable or disable this
    # category. The regular expressions can be set with
    # $APPVIEW_EVENT_FS_NAME, $APPVIEW_EVENT_FS_FIELD, and $APPVIEW_EVENT_FS_VALUE.
    #
    - type: fs
      name: .*
      field: .*
      value: .*

    # The dns category includes DNS request and response events. The name,
    # field, and value properties are regular expressions applied to the
    # corresponding event properties. Events will be generated when all
    # match.
    #
    # Set $APPVIEW_EVENT_DNS to true or false to enable or disable this
    # category. The regular expressions can be set with
    # $APPVIEW_EVENT_DNS_NAME, $APPVIEW_EVENT_DNS_FIELD, and $APPVIEW_EVENT_DNS_VALUE.
    #
    - type: dns
      name: .*
      field: .*
      value: .*

    # The http category includes HTTP request and response events. The name,
    # field, and value properties are regular expressions applied to the
    # corresponding event properties. Events will be generated when all match.
    #
    # The headers entry is a list of regular expressions that are applied to
    # the HTTP headers in request and response events. Matches are applied to
    # the whole header line, not just the name. Headers that match are included
    # in the generated events. Note that headers named `host`, `user-agent`,
    # `x-forwarded-for`, and `x-appview` are included by default.
    #
    # Set $APPVIEW_EVENT_HTTP to true or false to enable or disable this
    # category. The regular expressions can be set with $APPVIEW_EVENT_HTTP_NAME,
    # $APPVIEW_EVENT_HTTP_FIELD, $APPVIEW_EVENT_HTTP_VALUE, and
    # $APPVIEW_EVENT_HTTP_HEADER. Note that $APPVIEW_EVENT_HTTP_HEADER only sets
    # a single entry in the `headers` array.
    #
    - type: http
      name: .*         # event name; http.req or http.resp
      field: .*        # matches field names; duration, http_status, etc
      value: .*        # matches field values
      headers:         # list of filters matched against whole header lines
        #- (?i)Accept                # example of case-insensitive filter
        #- "x-content-type-.*: no.*" # example of required quotes

    # The metric category is very seldom used.
    # If turned on, AppView sends non-aggregated metrics out the event channel.
    # By non-aggregated, we mean metrics with verbosity set to the maximum.
    # This is only ever used as a last resort when tracking down a problem.
    # Enable rarely, if ever. Fraught with peril!
    #
    # The name, field, and value properties are all regular expressions. Only
    # matching events will be generated.
    #
    # Warning: Enabling this may interfere with proper metric aggregation.
    #
    # Set $APPVIEW_EVENT_METRIC to true or false to enable or disable this
    # category. The regular expressions can be set with
    # $APPVIEW_EVENT_METRIC_NAME, $APPVIEW_EVENT_METRIC_FIELD, and
    # $APPVIEW_EVENT_METRIC_VALUE.
    #
    #- type: metric
    #  name: .*
    #  field: .*
    #  value: .*

  # Settings for the `events` transport
  #
  # When the `cribl` feature is enabled, these settings are ignored,
  # and AppView sends events via the `cribl` transport rather than this one.
  #
  transport:

    # Set $APPVIEW_EVENT_DEST to override the type, host, port, and path configs
    # below. The environment variable should be set to a URL.
    #
    #   file:///tmp/output.log  send to a file; note the triple slash
    #   file://stdout           send to standard out
    #   file://stderr           send to standard error
    #   udp://host:port         send to a network server (UDP protocol)
    #   tcp://host:port         send to a network server (TCP protocol)
    #   unix://@abstractname    send to a unix domain server w/abstract addr
    #   unix:///var/run/mysock  send to a unix domain server w/filesystem addr
    #   edge                    send to cribl edge (over unix domain)
    #
    # Note: tls:// is not an option here. For TLS/SSL, use tcp://host:port and
    # set the $APPVIEW_EVENT_TLS_* variables.

    # Connection type
    #   Type:     string
    #   Values:   udp, tcp, unix, file, and edge
    #   Default:  tcp
    #   Override: the protocol token in the $APPVIEW_EVENT_DEST URL
    #
    type: tcp

    # Connection host/address
    #   Type:     string
    #   Values:   (hostname or IP address)
    #   Default:  127.0.0.1
    #   Override: the host token in the $APPVIEW_EVENT_DEST URL
    #
    host: 127.0.0.1

    # Connection port
    #   Type:     integer or string
    #   Values:   port number or service name
    #   Default:  9109
    #   Override: the port token in the $APPVIEW_EVENT_DEST URL
    #
    port: 9109

    # File path / UNIX domain socket path
    #   Type:     string
    #   Values:   (directory path, or socket path)
    #   Default:  (none)
    #   Override: the path token in the $APPVIEW_EVENT_DEST URL
    #
    # Applies when connection type is file or unix.
    #
    #path: ''

    # File buffering
    #   Type:     string
    #   Values:   line, full
    #   Default:  line
    #
    # Only applies when connection type is file.
    #
    # Set this to line if there's a chance that multiple viewed processes will
    # be writing to the same file. This prevents interleaving of lines and
    # scrambling of the log file. Setting this to full may improve performance
    # in single-writer scenarios.
    #
    #buffer: line

    # TLS connection settings
    tls:

      # Enable TLS for the `events` transport
      #   Type:     boolean
      #   Values:   true, false
      #   Default:  false
      #   Override: $APPVIEW_EVENT_TLS_ENABLE
      #
      # Only applies when the connection type is tcp.
      #
      enable: false

      # Validate the TLS server certificate
      #   Type:     boolean
      #   Values:   true, false
      #   Default:  false
      #   Override: $APPVIEW_EVENT_TLS_VALIDATE_SERVER
      #
      # Set to false, works like the `curl -k` option. When set to true, the
      # connection will fail if the server certificate cannot be validated.
      #
      # Only applies if the connection type is tcp and TLS is enabled.
      #
      validateserver: true

      # CA certification path
      #   Type:     string
      #   Values:   (file path)
      #   Default:  (none)
      #   Override: $APPVIEW_EVENT_TLS_CA_CERT_PATH
      #
      # Leave this blank when validateserver is set to true and the local
      # OS-provided trusted CA certificates are used to validate the server's
      # certificate. To use a PEM certificate file instead, specify its
      # full path; useful with self-signed certificates.
      #
      # Only applies if the connection type is tcp and TLS is enabled.
      #
      cacertpath: ''
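
An added example, not part of appview.yml or AppView's own code: a Python check of what the `event > watch` filters above would capture, using the stock `file` name pattern and the rule that `http` header filters match the whole header line. Python's `re` with unanchored search stands in for the library's regex engine, which is an assumption; the header lines and file names are constructed.

```python
import re

# The stock `file` watch entry and the header names included by default.
FILE_WATCH = {"name": r"(\/logs?\/)|(\.log$)|(\.log[.\d])", "value": r".*"}
DEFAULT_HEADERS = ("host", "user-agent", "x-forwarded-for", "x-appview")

# Constructed header lines that should not reach telemetry by accident.
SENSITIVE_SAMPLES = (
    "Authorization: Bearer CONSTRUCTED-TOKEN",
    "Cookie: session=CONSTRUCTED",
    "Set-Cookie: session=CONSTRUCTED; HttpOnly",
)

# Constructed request headers used in the demo below.
SAMPLE_REQUEST = [
    "Host: app.example.test",
    "Accept: text/html",
    "X-Trace: accepted",
    "Authorization: Bearer CONSTRUCTED-TOKEN",
    "x-content-type-options: nosniff",
]


def file_event_emitted(watch, filename, data):
    """An event is generated only when both name and value match."""
    return bool(re.search(watch["name"], filename)
                and re.search(watch["value"], data))


def captured_headers(header_lines, filters):
    """Headers kept in http events: the defaults plus any line a filter hits."""
    compiled = [re.compile(f) for f in filters]
    kept = []
    for line in header_lines:
        name = line.split(":", 1)[0].strip().lower()
        # Filters see the whole line, so a match in the value also counts.
        if name in DEFAULT_HEADERS or any(rx.search(line) for rx in compiled):
            kept.append(line)
    return kept


def filters_capturing_secrets(filters):
    """Filters that would include one of the sensitive sample lines."""
    return [f for f in filters
            if any(re.search(f, sample) for sample in SENSITIVE_SAMPLES)]


if __name__ == "__main__":
    for path in ("/var/log/syslog", "/opt/app/app.log.1", "/etc/app.login"):
        print(path, file_event_emitted(FILE_WATCH, path, "data"))
    filters = ["(?i)Accept", "x-content-type-.*: no.*"]
    print(captured_headers(SAMPLE_REQUEST, filters))
    print(filters_capturing_secrets(filters + [".*", "(?i)^cookie"]))
```

Running `filters_capturing_secrets` over a proposed `headers` list before deploying it shows whether a broad pattern would pull credential-bearing headers into events.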

# Settings for the `payloads` feature
#
payload:

  # Enable payload capture
  #   Type:     boolean
  #   Values:   true, false
  #   Default:  false
  #   Override: $APPVIEW_PAYLOAD_ENABLE
  #
  # This can produce large amounts of data from I/O-intensive programs and
  # should be considered carefully before being enabled.
  #
  # See `protocol` for a way to enable this for specific protocols instead of
  # all traffic.
  #
  enable: false

  # Directory for payload files
  #   Type:     string
  #   Values:   (directory path)
  #   Default:  /tmp
  #   Override: $APPVIEW_PAYLOAD_DIR
  #
  # Consider using a performant filesystem to reduce I/O performance impacts.
  #
  dir: '/tmp'

# Setting up the AppView library
#
libappview:

  # Enable the config-event message
  #   Type:     boolean
  #   Values:   true, false
  #   Default:  true
  #   Override: $APPVIEW_CONFIG_EVENT
  #
  # The config-event message is the first one sent on the connection and
  # contains details identifying the viewed program and the runtime configs.
  # It's more commonly referred to as the process-start message.
  #
  configevent: true

  # Metric summary interval
  #   Type:     integer
  #   Values:   1+ seconds
  #   Default:  10
  #   Override: $APPVIEW_SUMMARY_PERIOD
  #
  # See also `metric > verbosity`.
  #
  summaryperiod : 10

  # Command directory
  #   Type:     string
  #   Values:   (directory path)
  #   Default:  /tmp
  #   Override: $APPVIEW_CMD_DIR
  #
  # The library looks here periodically (see `libappview > summaryperiod`) for a
  # file named appview.{pid} matching the current process. If found, it's loaded
  # and deleted. The file should contain environment variables, one per line.
  #
  #   APPVIEW_METRIC_VERBOSITY=9
  #   APPVIEW_EVENT_HTTP=false
  #
  # The given variables are applied to the running config just like startup.
  # This entire mechanism is what the AppView docs call Dynamic Configuration.
  #
  commanddir : '/tmp'


  # Logging settings for the library
  #
  log:

    # Set logging verbosity
    #   Type:     string
    #   Values:   debug, info, warning, error, or none
    #   Default:  warning
    #   Override: $APPVIEW_LOG_LEVEL
    #
    # When the `cribl` feature is enabled, this is forced to warning.
    #
    level: warning

    # Connection settings for the `logs` transport
    #
    # The `logs` transport is independent of all other transports, because
    # AppView log data (which is in neither JSON nor StatsD format) should normally
    # be sent to a different destination than events or metrics.
    #
    transport:

      # Set $APPVIEW_LOG_DEST to override the type, host, port, and path configs
      # below. The environment variable should be set to a URL.
      #
      #   file:///tmp/output.log  send to a file; note the triple slash
      #   file://stdout           send to standard out
      #   file://stderr           send to standard error
      #   udp://host:port         send to a network server (UDP protocol)
      #   tcp://host:port         send to a network server (TCP protocol)
      #   unix://@abstractname    send to a unix domain server w/abstract addr
      #   unix:///var/run/mysock  send to a unix domain server w/filesystem addr
      #   edge                    send to cribl edge (over unix domain)
      #
      # Note: tls:// is not an option here. For TLS/SSL, use tcp://host:port and
      # set the $APPVIEW_LOG_TLS_* variables.

      # Connection type
      #   Type:     string
      #   Values:   udp, tcp, unix, file, and edge
      #   Default:  file
      #   Override: the protocol token in the $APPVIEW_LOG_DEST URL
      #
      type: file

      # Connection host/address
      #   Type:     string
      #   Values:   (hostname or IP address)
      #   Default:  (none)
      #   Override: the host token in the $APPVIEW_LOG_DEST URL
      #
      #host:

      # Connection port
      #   Type:     integer or string
      #   Values:   port number or service name
      #   Default:  (none)
      #   Override: the port token in the $APPVIEW_LOG_DEST URL
      #
      #port:

      # File path / UNIX domain socket path
      #   Type:     string
      #   Values:   (directory path, or socket path)
      #   Default:  '/tmp/appview.log'
      #   Override: the path token in the $APPVIEW_LOG_DEST URL
      #
      # Applies when connection type is file or unix.
      #
      path: '/tmp/appview.log'

      # File buffering
      #   Type:     string
      #   Values:   line, full
      #   Default:  line
      #
      # Only applies when connection type is file.
      #
      # Set this to line if there's a chance that multiple viewed processes will
      # be writing to the same file. This prevents interleaving of lines and
      # scrambling of the log file. Setting this to full may improve performance
      # in single-writer scenarios.
      #
      buffer: line

  # Settings for the `crash analysis` feature, which writes a snapshot to
  # the snapshot directory, which is /tmp/appview/<pid>/.
  # The snapshot consists of either a core dump, a backtrace (i.e., stack trace),
  # or both.
  # - If APPVIEW_SNAPSHOT_COREDUMP=true, AppView generates a core dump and writes
  # it to the snapshot directory as core_<timestamp>.
  # - If APPVIEW_SNAPSHOT_BACKTRACE=true, AppView generates a backtrace and writes
  # it to the snapshot directory as backtrace_<timestamp>.
  # - In either case, AppView writes two additional files to the snapshot directory,
  # namely info_<timestamp> and cfg_<timestamp>.
  #
  snapshot:

    # Enable core dump generation
    #   Type:     boolean
    #   Values:   true, false
    #   Default:  false
    #   Override: $APPVIEW_SNAPSHOT_COREDUMP
    #
    coredump: false

    # Enable backtrace generation
    #   Type:     boolean
    #   Values:   true, false
    #   Default:  false
    #   Override: $APPVIEW_SNAPSHOT_BACKTRACE
    #
    backtrace: false

# Settings for the `cribl` feature.
# When you enable this feature, AppView sends both events and metrics over the
# same transport and connection, in NDJSON format, with log level set to warning
# and configevent set to true, overriding previously-defined settings.
#
cribl:

  # Enable the `cribl` feature
  #   Type:     boolean
  #   Values:   true, false
  #   Default:  true
  #   Override: $APPVIEW_CRIBL_ENABLE
  #
  enable: true

  # Authentication token
  #   Type:     string
  #   Values:   (any)
  #   Default:  (none)
  #   Override: $APPVIEW_CRIBL_AUTHTOKEN
  #
  # If set, the value is added as a top-level authToken property in the initial
  # config-event (header) sent to Cribl when the library connects.
  #
  #authtoken:

  # Connection settings for the `cribl` transport
  #
  transport:

    # Set $APPVIEW_CRIBL to override the type, host, port and socket path configs below.
    # The environment variable should be set to a URL.
    #
    #   tcp://host:port         send to a TCP server
    #   unix://@abstractname    send to a unix domain server w/abstract addr
    #   unix:///var/run/mysock  send to a unix domain server w/filesystem addr
    #   edge                    send to cribl edge (over unix domain)
    #
    # Note: tls:// is not an option here. For TLS/SSL, use tcp://host:port and
    # set the $APPVIEW_CRIBL_TLS_* variables.
    #
    # Note: file:// is not supported here.
    #
    # Alternatively, set $APPVIEW_CRIBL_CLOUD to the same URL and the library
    # sets $APPVIEW_CRIBL_TLS_ENABLE=true, $APPVIEW_CRIBL_TLS_VALIDATE_SERVER=true,
    # and $APPVIEW_CRIBL_TLS_CA_CERT_PATH="" for you.

    # Connection type
    #   Type:     string
    #   Values:   tcp, unix, and edge
    #   Default:  edge
    #   Override: the protocol token in the $APPVIEW_CRIBL or $APPVIEW_CRIBL_CLOUD URL
    #
    type: edge

    # Connection host/address
    #   Type:     string
    #   Values:   (hostname or IP address)
    #   Default:  127.0.0.1
    #   Override: the host token in the $APPVIEW_CRIBL or $APPVIEW_CRIBL_CLOUD URL
    #
    # Only applies when the connection type is tcp.
    #
    host: 127.0.0.1

    # Connection port
    #   Type:     integer or string
    #   Values:   port number or service name
    #   Default:  10090
    #   Override: the port token in the $APPVIEW_CRIBL or $APPVIEW_CRIBL_CLOUD URL
    #
    # Defaults to 10090, which is the TCP port on the AppView Source
    # in Cribl Stream or Cribl Edge. If you are using the cloud version,
    # 10090 is the TLS port on the client-facing load balancer which is
    # proxied to the cloud instance's TCP:10090 port, without TLS.
    #
    # Use 10091 here if you need to connect to Cribl.Cloud without TLS and
    # are not making any changes in the AppView Source.
    #
    # Only applies when the connection type is tcp.
    #
    port: 10090

    # Unix domain socket path
    #   Type:     string
    #   Values:   socket path
    #   Default:  (none)
    #   Override: the socket_path token in the $APPVIEW_CRIBL or $APPVIEW_CRIBL_CLOUD URL
    #
    # Only applies when the connection type is unix.
    #
    #path: ''

    # TLS connection settings
    tls:

      # Enable TLS for the `cribl` transport
      #   Type:     boolean
      #   Values:   true, false
      #   Default:  false
      #   Override: $APPVIEW_CRIBL_TLS_ENABLE or use $APPVIEW_CRIBL_CLOUD
      #
      # Only applies when the connection type is tcp.
      #
      enable: false

      # Validate the TLS server certificate
      #   Type:     boolean
      #   Values:   true, false
      #   Default:  false
      #   Override: $APPVIEW_CRIBL_TLS_VALIDATE_SERVER
      #
      # Set to false, works like the `curl -k` option. When set to true, the
      # connection will fail if the server certificate cannot be validated.
      #
      # Only applies if the connection type is tcp and TLS is enabled.
      #
      validateserver: true

      # CA certification path
      #   Type:     string
      #   Values:   (file path)
      #   Default:  (none)
      #   Override: $APPVIEW_CRIBL_TLS_CA_CERT_PATH
      #
      # Leave this blank when validateserver is set to true and the local
      # OS-provided trusted CA certificates are used to validate the server's
      # certificate. To use a PEM certificate file instead, specify its
      # full path; useful with self-signed certificates.
      #
      # Only applies if the connection type is tcp and TLS is enabled.
      #
      cacertpath: ''

# Tags for events and metrics
#
tags:
  # `key: value` entries here become fields in generated events and metrics.
  #
  # Simple $EXAMPLE variables in the value will be replaced with the
  # corresponding environment variable values. The regex looks for dollar signs
  # followed by one or more alphanumeric or underscore characters. If the
  # corresponding environment variable is not set, the variable is left in the
  # value.
  #
  # Tags can also be added with environment variables prefixed with APPVIEW_TAG_.
  # For example, APPVIEW_TAG_service=eg is equivalent to the "service" example
  # below. The value of the environment variable may contain other variables
  # as described above too; e.g., APPVIEW_TAG_user=\$USER.
  #
  #user: $USER
  #service: eg

# Protocol detection and handling
#
protocol:
  # Entries in this list define protocols that AppView should detect in network
  # payloads and how to handle matches. The first packet seen on a channel is
  # checked against the regular expression in each entry in the order they
  # appear in this file. When one matches, later entries are skipped.
  #
  # Entries have the following properties:
  #
  #   name     String protocol name used in protocol-detect events and payload
  #            headers sent to Cribl Stream or Cribl Edge (required)
  #   regex    The regular expression to use (required)
  #   binary   Boolean indicating whether the regex should be applied to a
  #            hex-string version of the payload instead of the binary payload
  #            (default: false)
  #   len      The number of bytes to convert to hex when `binary` is true
  #            (default: 256)
  #   detect   Boolean indicating whether protocol-detect events should be
  #            generated (default: true)
  #   payload  Boolean indicating whether payload-processing should be enabled
  #            for matching streams (default: false)
  #
  # When payloads are enabled globally (`payload > enable`), the payload
  # options here are ignored.
  #
  # Warning: The `name` value is currently inserted into the JSON header for
  # payloads sent to Cribl Stream or Cribl Edge, so it cannot contain double
  # quotes or backslashes without breaking the JSON. It needs to be kept fairly
  # short, too, so the header doesn't exceed the 1k limit. If this becomes a
  # problem, we'll consider adding logging and validation.
  #

  # Example for the plain-text Redis protocol using the default detect and
  # payload settings
  #
  #- name: Redis
  #  regex: "^[*]\\d+|^[+]\\w+|^[$]\\d+"

  # Example for the MongoDB protocol showing how to detect a binary protocol
  #
  #- name: Mongo
  #  regex: "^240100000000000000000000d407"
  #  binary: true
  #  len: 14

  # AppView uses an internally defined protocol detector for HTTP like the
  # example below by default.
  #
  # Uncomment this and adjust as needed to override the defaults.
  #
  #- name: HTTP
  #  regex: "HTTP\\/1\\.[0-2]|PRI \\* HTTP\\/2\\.0\r\n\r\nSM\r\n\r\n"

  # By default, AppView uses an internally-defined protocol detector for
  # StatsD, similar to the example below.
  #
  # Uncomment this and adjust as needed to override the defaults.
  #
  #- name: STATSD
  #  regex: "^([^:]+):([\\d.]+)\\|(c|g|ms|s|h)"

  # AppView uses another internally defined protocol detector for SSL/TLS like
  # the example below by default.
  #
  # Uncomment this entry to override the regex details or to set detect to
  # false. The payload setting here is never used. AppView never sends
  # encrypted payloads to disk, to Cribl Stream, or to Cribl Edge.
  #
  #- name: TLS
  #  regex: "^(?:(?:16030[0-3].{4})|(?:8[0-9a-fA-F]{3}01))"
  #  binary: true
  #  len: 5

# Custom configs
# Use this area of the config file to specify settings to override,
# and what new settings to override them with, for processes that match
# criteria you define as filters.
#
custom:
  # Each custom entry has a name, a `filter` element, and a `config` element.
  # When a viewed process matches the filter(s), the settings defined
  # in the `config` element override previously-defined settings.
  #
  #   name:
  #     filter:
  #       ...
  #     config:
  #       ...
  #
  # Entries under `filter` are used to match aspects of a viewed process. There
  # must be at least one of them and all of them must match for the filter to
  # succeed. The following filters are supported.
  #
  #   procname: string
  #
  #     Matches if the given string value matches the basename of the viewed
  #     process.
  #
  #   arg: string
  #
  #     Matches if the given string value appears as a substring anywhere in
  #     the viewed process's full command line, including any options and
  #     arguments.
  #
  #   hostname: string
  #
  #     Matches if the given string value matches the hostname of the machine
  #     where the viewed process is running.
  #
  #   username: string
  #
  #     Matches if the given string value matches the username for the viewed
  #     process's UID.
  #
  #   env: string
  #
  #     The string value is the name of an environment variable alone (e.g.,
  #     "FOO") or with a value (e.g., "FOO=bar"). The filter matches if the
  #     environment variable is set and, in the latter case, the value matches.
  #
  #   ancestor: string
  #
  #     Matches if the given string matches the basename of the viewed
  #     process's parent, parent's parent, etc.
  #
  # The `config` section specifies the settings that should be overridden when
  # the filter matches. Entries under `config` use the same schema as the
  # top-level entries (without `custom`).
  #

  # Increase metric verbosity for processes owned by the "eg" user and running
  # on the "eg1" host.
  #
  #example:
  #  filter:
  #    username: eg
  #    hostname: eg1
  #  config:
  #    metric:
  #      format:
  #        verbosity: 7
  #    tags:
  #      service: eg

  # Enable the Cribl Stream destination for Nginx
  # processes. Both this entry and the `example` entry above would
  # apply if both filters match – so the service tag here would
  # override the one above. In this example, we use a Cribl.Cloud-managed
  # Cribl Stream instance.
  #
  #nginx:
  #  filter:
  #    procname: nginx
  #  config:
  #    tags:
  #      service: nginx
  #    cribl:
  #      enable: true
  #      transport:
  #        type: tcp
  #        host: in.main-default-<organization>.cribl.cloud
  #        port: 10090
  #        tls:
  #          enable: true

# EOF
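The `protocol` section's first-match rule, hex conversion for `binary` entries, and the `name` restrictions can be checked before a config is deployed. The following is an added example, not AppView code: Python's `re` stands in for the library's regex engine, lowercase hex is assumed for `binary` entries, and `lint_entry`, `detect` and `MAX_NAME_LEN` are hypothetical names.

```python
import re

# Constructed entries mirroring the commented examples in `protocol`.
ENTRIES = [
    {"name": "Redis", "regex": r"^[*]\d+|^[+]\w+|^[$]\d+"},
    {"name": "Mongo", "regex": "^240100000000000000000000d407",
     "binary": True, "len": 14},
    {"name": "HTTP",
     "regex": "HTTP\\/1\\.[0-2]|PRI \\* HTTP\\/2\\.0\r\n\r\nSM\r\n\r\n"},
    {"name": "TLS", "regex": "^(?:(?:16030[0-3].{4})|(?:8[0-9a-fA-F]{3}01))",
     "binary": True, "len": 5},
]
MAX_NAME_LEN = 64  # hypothetical budget; the page only says "fairly short"


def lint_entry(entry):
    """Return the problems found in one protocol entry (empty list if none)."""
    name, regex, problems = entry.get("name", ""), entry.get("regex", ""), []
    if not name or not regex:
        problems.append("name and regex are both required")
    if '"' in name or "\\" in name:
        problems.append("name contains a double quote or backslash")
    if len(name) > MAX_NAME_LEN:
        problems.append("name is long for the 1k payload header")
    try:
        re.compile(regex.encode())
    except re.error as exc:
        problems.append(f"regex does not compile: {exc}")
    return problems


def detect(entries, first_packet):
    """Return the name of the first entry whose regex matches, else None."""
    for entry in entries:
        subject = first_packet
        if entry.get("binary", False):
            # The regex sees lowercase hex of the first `len` bytes (default 256).
            subject = first_packet[:entry.get("len", 256)].hex().encode()
        if re.search(entry["regex"].encode(), subject):
            return entry["name"]  # later entries are skipped
    return None
```

Because matching stops at the first hit, a broad regex placed early in the list shadows every entry after it.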
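To see which `custom` entries would apply to a given process, and what TLS settings the resulting `cribl` transport ends up with, the filter rules can be modelled offline. This is an added example, not AppView code: it assumes exact string equality for `procname`, `hostname`, `username` and `ancestor`, a recursive merge of `config` over earlier settings, and hypothetical function and field names.

```python
import copy
import os.path

# Constructed sample data; the PROC field names are hypothetical.
BASE = {"cribl": {"transport": {"tls": {"validateserver": True}}}}
CUSTOM = {
    "example": {"filter": {"username": "eg", "hostname": "eg1"}, "config": {
        "metric": {"format": {"verbosity": 7}}, "tags": {"service": "eg"}}},
    "nginx": {"filter": {"procname": "nginx"}, "config": {
        "tags": {"service": "nginx"},
        "cribl": {"enable": True, "transport": {"tls": {"enable": True}}}}},
}
PROC = {"cmdline": ["/usr/sbin/nginx", "-g", "daemon off;"], "hostname": "eg1",
        "username": "eg", "env": {"LANG": "C"}, "ancestors": ["/sbin/init"]}


def filter_matches(flt, proc):
    """Every filter entry must match; an empty filter never matches."""
    def env_ok(v):  # "FOO" (set) or "FOO=bar" (set and equal)
        name, sep, want = v.partition("=")
        return name in proc["env"] and (not sep or proc["env"][name] == want)
    checks = {
        "procname": lambda v: v == os.path.basename(proc["cmdline"][0]),
        "arg": lambda v: v in " ".join(proc["cmdline"]),
        "hostname": lambda v: v == proc["hostname"],
        "username": lambda v: v == proc["username"],
        "env": env_ok,
        "ancestor": lambda v: v in map(os.path.basename, proc["ancestors"]),
    }
    return bool(flt) and all(checks[k](v) for k, v in flt.items())


def deep_merge(base, override):
    """Overlay `override` on `base` in place: maps merge, leaves replace."""
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(base.get(key), dict):
            deep_merge(base[key], value)
        else:
            base[key] = copy.deepcopy(value)


def effective_config(base, custom, proc):
    """Apply each matching custom entry in file order; return (names, config)."""
    cfg, applied = copy.deepcopy(base), []
    for name, entry in custom.items():
        if filter_matches(entry.get("filter", {}), proc):
            deep_merge(cfg, entry.get("config", {}))
            applied.append(name)
    return applied, cfg
```

The `nginx` entry sets only `tls > enable`, so under the merge assumed here `validateserver` is inherited from the base settings; an override that turns on TLS does not by itself turn on certificate validation.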