Alert outputs can be configured to write only certain message types to their output. This allows for routing critical data like alerts and smart policy messages to a central system such as a SIEM for triage, and less critical messages such as audit to an archival store. By default alert outputs are set up to deliver alert and smart_policy messages, but this can be customized by adding a message_types key to the alert output definition:

alert_output:
  outputs:
    # write all message types to standard out
    - type: stdout
      enabled: true
      message_types:
        - alert
        - smart_policy
        - audit
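As an added illustration (not part of this documentation or the product's own code), the following Python simulation applies the routing rule described above to a constructed configuration: an output without a message_types key falls back to the documented default of alert and smart_policy, a disabled output receives nothing, and any message type that no enabled output lists is dropped. The siem and file output types, the enabled-defaults-to-false behaviour and the sample messages are assumptions made for the example.

```python
"""Simulate message_types routing for alert outputs.

Added example, not the product's code. Only "stdout", "alert",
"smart_policy", "audit" and the message_types key come from the
documentation; "siem", "file" and the sample messages are constructed.
"""
from collections import defaultdict

DEFAULT_MESSAGE_TYPES = ("alert", "smart_policy")  # documented default

# Constructed config mirroring the YAML structure of an alert_output block.
CONFIG = {
    "alert_output": {
        "outputs": [
            # no message_types key -> receives only the default types
            {"type": "siem", "enabled": True},
            # audit routed to an archival store
            {"type": "file", "enabled": True, "message_types": ["audit"]},
            # subscribed to everything, but disabled -> receives nothing
            {"type": "stdout", "enabled": False,
             "message_types": ["alert", "smart_policy", "audit"]},
        ]
    }
}

# Constructed sample messages; "metrics" is a type no output lists.
MESSAGES = [
    {"type": "alert", "id": 1},
    {"type": "smart_policy", "id": 2},
    {"type": "audit", "id": 3},
    {"type": "metrics", "id": 4},
]


def route(config, messages):
    """Return {output type: [message ids]} after the message_types filter."""
    delivered = defaultdict(list)
    for out in config["alert_output"]["outputs"]:
        if not out.get("enabled", False):  # assumption: missing = disabled
            continue
        accepted = set(out.get("message_types", DEFAULT_MESSAGE_TYPES))
        for msg in messages:
            if msg["type"] in accepted:
                delivered[out["type"]].append(msg["id"])
    return dict(delivered)


def undelivered(config, messages):
    """Message types that no enabled output accepts, i.e. silently dropped."""
    delivered_ids = {i for ids in route(config, messages).values() for i in ids}
    return sorted({m["type"] for m in messages if m["id"] not in delivered_ids})
```

Running undelivered against a real configuration is the check worth automating: a type missing from every enabled output's message_types list never reaches the SIEM or the archive.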