LogMan.io Warden configuration

LogMan.io Warden requires following dependencies:

  • Apache ZooKeeper
  • Apache Kafka
  • Elasticsearch
  • SeaCat Auth
  • LogMan.io Alerts
  • LogMan.io Library with the /EventLanes and /Lookups/ folders and a schema in the /Schemas folder

Example

This is the most basic configuration required for each instance of LogMan.io Warden:

[tenant]
name=default

[ip]
lookup=ipbad

[zookeeper]
servers=zookeeper-1:2181,zookeeper-2:2181,zookeeper-3:2181

[library]
providers=zk:///library

[kafka]
bootstrap_servers=kafka-1:9092,kafka-2:9092,kafka-3:9092

[elasticsearch]
url=http://es01:9200/

[auth]
public_keys_url=http://localhost:8081/openidconnect/public_keys

Tenant

Specify the tenant for which this LogMan.io Warden instance is deployed and runs detections.

[tenant]
name=mytenant

It is recommended to run one instance of LogMan.io Warden per tenant.

Detections

IP

Specify the lookup that lists the IP addresses that should be detected.

[ip]
lookup=ipbad

The key of the lookup MUST be of the ip type in the lookup declaration, which is stored in the /Lookups/ folder of the library.

---
define:
  type: lookup/ipaddress
  name: ipbad
  group: bad

keys:
  - name: sourceip
    type: ip  # The type of the key must be an IP
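The configuration example above and the lookup declaration in this section have to agree with each other: every required section must be present, the server lists must be well-formed, and the name in `[ip] lookup=` must match a `lookup/ipaddress` declaration whose key is of type `ip`. The following script is an added example, not part of the LogMan.io Warden project, that performs exactly those checks before an instance is started. It embeds the page's minimal configuration and the `ipbad` declaration as constructed inputs (the declaration is written as the dict a YAML loader would return, so the script runs without PyYAML); the function names, the `REQUIRED` table and the "one `ip`-typed key" rule it enforces are this example's own assumptions, not Warden's API.

```python
"""Sanity-check a LogMan.io Warden configuration against the lookup it references.

Added example, not code from the LogMan.io Warden project.
"""
import configparser
from urllib.parse import urlsplit

# Constructed input: the minimal Warden configuration shown on this page.
WARDEN_CONF = """
[tenant]
name=default

[ip]
lookup=ipbad

[zookeeper]
servers=zookeeper-1:2181,zookeeper-2:2181,zookeeper-3:2181

[library]
providers=zk:///library

[kafka]
bootstrap_servers=kafka-1:9092,kafka-2:9092,kafka-3:9092

[elasticsearch]
url=http://es01:9200/

[auth]
public_keys_url=http://localhost:8081/openidconnect/public_keys
"""

# Constructed input: the /Lookups/ declaration from this page, in the form a
# YAML loader would return (embedded as a dict so the script runs offline).
IPBAD_DECLARATION = {
    "define": {"type": "lookup/ipaddress", "name": "ipbad", "group": "bad"},
    "keys": [{"name": "sourceip", "type": "ip"}],
}

# Assumption of this example: the sections and options the page lists as the
# minimum configuration for every Warden instance.
REQUIRED = {
    "tenant": ["name"],
    "ip": ["lookup"],
    "zookeeper": ["servers"],
    "library": ["providers"],
    "kafka": ["bootstrap_servers"],
    "elasticsearch": ["url"],
    "auth": ["public_keys_url"],
}


def parse_config(text: str) -> configparser.ConfigParser:
    """Parse the INI text; interpolation is off so '%' in URLs is left alone."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def check_config(cp: configparser.ConfigParser) -> list[str]:
    """Return a list of problems found in the configuration (empty = passes)."""
    problems = []
    for section, keys in REQUIRED.items():
        if not cp.has_section(section):
            problems.append(f"missing section [{section}]")
            continue
        for key in keys:
            if not cp.get(section, key, fallback="").strip():
                problems.append(f"[{section}] {key} is empty or missing")
    # Every entry of a comma-separated server list must be host:port with a numeric port.
    for section, key in (("zookeeper", "servers"), ("kafka", "bootstrap_servers")):
        if not cp.has_option(section, key):
            continue
        for entry in cp.get(section, key).split(","):
            host, sep, port = entry.strip().rpartition(":")
            if not (host and sep and port.isdigit()):
                problems.append(f"[{section}] {key}: bad host:port entry {entry.strip()!r}")
    # A password combined with a plain http:// URL crosses the network unencrypted.
    if cp.has_section("elasticsearch"):
        url = cp.get("elasticsearch", "url", fallback="")
        if urlsplit(url).scheme == "http" and cp.get("elasticsearch", "password", fallback=""):
            problems.append("[elasticsearch] password is sent over plain http; use https")
    return problems


def check_lookup(cp: configparser.ConfigParser, declaration: dict) -> list[str]:
    """Cross-check [ip] lookup= against a lookup declaration from /Lookups/."""
    problems = []
    wanted = cp.get("ip", "lookup", fallback="")
    define = declaration.get("define") or {}
    if define.get("type") != "lookup/ipaddress":
        problems.append(f"declaration type {define.get('type')!r}, expected 'lookup/ipaddress'")
    if define.get("name") != wanted:
        problems.append(f"declaration name {define.get('name')!r} does not match [ip] lookup={wanted!r}")
    keys = declaration.get("keys") or []
    # Rule applied here: the lookup must declare a key, and each key must be of type ip.
    if not keys or any(k.get("type") != "ip" for k in keys):
        problems.append("lookup key(s) must be of type 'ip'")
    return problems


if __name__ == "__main__":
    conf = parse_config(WARDEN_CONF)
    for problem in check_config(conf) + check_lookup(conf, IPBAD_DECLARATION):
        print("PROBLEM:", problem)
    print("config check finished")
```

Run the script against a real deployment by reading the instance's configuration file into `parse_config` and loading the referenced declaration from the library with a YAML loader; both functions return an empty list when the page's example configuration and declaration are used together.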

Zookeeper

Specify the locations of the Zookeeper servers in the cluster:

[zookeeper]
servers=zookeeper-1:2181,zookeeper-2:2181,zookeeper-3:2181

Hint

For non-production deployments, the use of a single Zookeeper server is possible.

Library

Specify the path(s) to the Library to load declarations from:

[library]
providers=zk:///library

Hint

Since ECS.yaml schema in /Schemas is utilized by default, consider using the LogMan.io Common Library.

Kafka

Define the Kafka cluster's bootstrap servers:

[kafka]
bootstrap_servers=kafka-1:9092,kafka-2:9092,kafka-3:9092

Hint

For non-production deployments, the use of a single Kafka server is possible.

ElasticSearch

Specify the URL(s) of the Elasticsearch master nodes.

Elasticsearch is required for using lookups, e.g. in a !LOOKUP expression or as a lookup trigger.

[elasticsearch]
url=http://es01:9200
username=MYUSERNAME
password=MYPASSWORD

When username and password are set, the configuration file holds a credential: restrict its file permissions and use an https:// URL, otherwise the username and password are sent to Elasticsearch in clear text.