# opensearch.env.example — OpenSearch connection, index-naming and node settings for Malcolm.
# NOTE(review): this appears to be consumed as a dotenv-style env file (one KEY=value per line,
# '#' full-line comments only) — confirm against the compose file. Keep values unquoted and
# do not append trailing comments to value lines, as they would become part of the value.
# Used in various services to define the connection to the OpenSearch document store.
# 'opensearch-local' indicates that Malcolm will maintain its own OpenSearch instance as its
# primary data store. Set to 'opensearch-remote' or 'elasticsearch-remote' if you're
# connecting to another cluster, in which case the other environment variables
# in this section must also be set with the connection parameters.
OPENSEARCH_PRIMARY=opensearch-local
# URL for connecting to OpenSearch instance. When using Malcolm's internal instance
# of OpenSearch (i.e., OPENSEARCH_PRIMARY is 'opensearch-local') this should be
# 'http://opensearch:9200', otherwise specify the primary remote instance URL
# in the format 'protocol://host:port'. For a remote instance prefer 'https://' so the
# credentials from the cURL config file below are not sent in the clear.
OPENSEARCH_URL=http://opensearch:9200
# Used when OPENSEARCH_PRIMARY is 'opensearch-remote' or 'elasticsearch-remote',
# the cURL-formatted config file contains login credentials for the primary
# OpenSearch instance. It can be generated for you by the ./scripts/auth_setup script.
# The notable parameters expected from this file would be user (with a "user:password"
# value) and "insecure" (if the certificate verification setting below is 'false').
# See cURL config file format at https://everything.curl.dev/cmdline/configfile.
# This file is bind mounted locally from .opensearch.primary.curlrc as
# /var/local/curlrc/.opensearch.primary.curlrc
# The file holds the password in plain text: keep it readable only by the account that
# runs Malcolm and keep it out of version control.
OPENSEARCH_CREDS_CONFIG_FILE=/var/local/curlrc/.opensearch.primary.curlrc
# Whether or not connections to the primary remote OpenSearch instance require full
# TLS certificate validation for the connection (this may fail if using self-signed
# certificates).
# 'false' skips validation entirely, so the credentials above could be presented to an
# endpoint impersonating the cluster; set to 'true' whenever the remote instance presents a
# certificate chaining to a CA the Malcolm host trusts. Unused for 'opensearch-local'.
OPENSEARCH_SSL_CERTIFICATE_VERIFICATION=false
# 'opensearch-remote' or 'elasticsearch-remote' indicate that Malcolm's Logstash instance
# should forward logs to a secondary remote OpenSearch instance in addition to the
# (local or remote) primary instance. Left empty (as here), presumably no secondary
# forwarding takes place.
OPENSEARCH_SECONDARY=
# URL for connecting to the secondary remote OpenSearch instance, specified
# in the format 'protocol://host:port'.
OPENSEARCH_SECONDARY_URL=
# Used when OPENSEARCH_SECONDARY is 'opensearch-remote' or 'elasticsearch-remote', the
# cURL-formatted config file contains login credentials for the secondary OpenSearch
# instance. The comments describing OPENSEARCH_CREDS_CONFIG_FILE above (format, generation
# by ./scripts/auth_setup, and file-permission handling) also apply here. This file is bind
# mounted locally from .opensearch.secondary.curlrc as /var/local/curlrc/.opensearch.secondary.curlrc
OPENSEARCH_SECONDARY_CREDS_CONFIG_FILE=/var/local/curlrc/.opensearch.secondary.curlrc
# Whether or not connections to the secondary remote OpenSearch instance require full
# TLS certificate validation for the connection (this may fail if using self-signed
# certificates). The same caveat as for OPENSEARCH_SSL_CERTIFICATE_VERIFICATION applies:
# prefer 'true' when the secondary presents a trusted certificate.
OPENSEARCH_SECONDARY_SSL_CERTIFICATE_VERIFICATION=false
# OpenSearch memory allowance and other Java options.
# -Xmx/-Xms size the JVM heap (keep them equal and sized for the host, leaving RAM for the
# OS page cache); -XX:-HeapDumpOnOutOfMemoryError avoids writing a heap dump (which would
# contain indexed data) on OOM; -Djava.security.egd=file:/dev/./urandom seeds SecureRandom
# from the non-blocking urandom pool; -Dlog4j.formatMsgNoLookups=true disables Log4j
# message lookups (the JNDI-lookup mitigation) and should be kept.
OPENSEARCH_JAVA_OPTS=-server -Xmx10g -Xms10g -Xss256k -XX:-HeapDumpOnOutOfMemoryError -Djava.security.egd=file:/dev/./urandom -Dlog4j.formatMsgNoLookups=true
# OpenSearch index patterns and timestamp fields
# Index pattern for network traffic logs written via Logstash (e.g., Zeek logs, Suricata alerts)
MALCOLM_NETWORK_INDEX_PATTERN=arkime_sessions3-*
# Default time field to use for network traffic logs in Logstash and Dashboards
MALCOLM_NETWORK_INDEX_TIME_FIELD=firstPacket
# Suffix used to create index to which network traffic logs are written
# (supports Ruby strftime strings in %{}; e.g.,
# hourly: %{%y%m%dh%H}, twice daily: %{%P%y%m%d}, daily: %{%y%m%d}, weekly: %{%yw%U}, monthly: %{%ym%m})
# The suffix is appended to the pattern's prefix, so it must stay consistent with
# MALCOLM_NETWORK_INDEX_PATTERN and ARKIME_NETWORK_INDEX_PATTERN below.
MALCOLM_NETWORK_INDEX_SUFFIX=%{%y%m%d}
# Index pattern for other logs written via Logstash (e.g., nginx, beats, fluent-bit, etc.)
MALCOLM_OTHER_INDEX_PATTERN=malcolm_beats_*
# Default time field to use for other logs in Logstash and Dashboards
MALCOLM_OTHER_INDEX_TIME_FIELD=@timestamp
# Suffix used to create index to which other logs are written (supports Ruby strftime strings in %{})
MALCOLM_OTHER_INDEX_SUFFIX=%{%y%m%d}
# Index pattern used specifically by Arkime (normally the same as MALCOLM_NETWORK_INDEX_PATTERN,
# i.e., arkime_sessions3-*)
ARKIME_NETWORK_INDEX_PATTERN=arkime_sessions3-*
# Default time field used for sessions in Arkime viewer
ARKIME_NETWORK_INDEX_TIME_FIELD=firstPacket
# Miscellaneous
# NOTE(review): the dotted keys below look like OpenSearch node settings passed through to the
# container as environment variables — confirm against the compose file.
# Log verbosity of the OpenSearch process
logger.level=WARN
# Lock the JVM heap in RAM so it is not swapped out; requires the memlock limit below
bootstrap.memory_lock=true
MAX_LOCKED_MEMORY=unlimited
# Single-node cluster; no peer discovery
discovery.type=single-node
# Disables the disk-usage watermarks that would otherwise throttle shard allocation (and
# eventually block writes) as the data volume fills; with this off, free space on the
# volume must be monitored by other means.
cluster.routing.allocation.disk.threshold_enabled=false
# Number of primary shards recovered concurrently per node after a restart
cluster.routing.allocation.node_initial_primaries_recoveries=8
# Maximum number of clauses in a boolean query, raised above the stock default for large filters
indices.query.bool.max_clause_count=4096
# Filesystem path registered as the allowed location for snapshot repositories
path.repo=/opt/opensearch/backup