Alert outputs can be configured to write only certain message types to their output. This allows critical data such as alerts and smart policy messages to be routed to a central system such as a SIEM for triage, while less critical messages such as audit go to an archival store. By default, alert outputs are set up to deliver smart_policy messages only; this can be customized by adding a message_types key to the alert output definition:
    alert_output:
      outputs:
        # write all message types to standard out
        - type: stdout
          enabled: true
          message_types:
            - alert
            - smart_policy
            - audit
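The routing semantics above (each output carries its own message_types filter, and an output without one receives only smart_policy) are easy to get wrong in a multi-output configuration, so this added example simulates the routing and flags gaps. It is illustrative code written for this page, not the product's own implementation: the configuration is a constructed Python dict with the same shape the YAML loads into, the message records and their message_type field are constructed, the treatment of a missing enabled key as disabled is an assumption, and the split into a "SIEM" and an "archive" output is hypothetical.

```python
# Added example: simulate which configured outputs receive which message types.
# Not the product's own code; schema assumptions are noted inline.

DEFAULT_MESSAGE_TYPES = ("smart_policy",)          # documented default when message_types is omitted
KNOWN_MESSAGE_TYPES = {"alert", "smart_policy", "audit"}  # the three types named on this page

# Constructed configuration (same structure the YAML would load into).
# All outputs use the documented "stdout" type; the SIEM/archive roles are hypothetical.
CONFIG = {
    "alert_output": {
        "outputs": [
            {"type": "stdout", "enabled": True, "message_types": ["alert", "smart_policy"]},  # hypothetical SIEM feed
            {"type": "stdout", "enabled": True, "message_types": ["audit"]},                  # hypothetical archive
            {"type": "stdout", "enabled": True},                                              # no message_types: default
            {"type": "stdout", "enabled": False, "message_types": ["alert"]},                 # disabled output
        ]
    }
}

# Constructed sample messages; the message_type field name is an assumption.
SAMPLE_MESSAGES = [
    {"message_type": "alert", "summary": "suspicious process spawned"},
    {"message_type": "smart_policy", "summary": "policy rule matched"},
    {"message_type": "audit", "summary": "sensor started"},
    {"message_type": "audit", "summary": "config reloaded"},
]


def validate_outputs(config):
    """Return (index, type, effective message_types) for each enabled output.

    Raises ValueError on an unknown message type so a typo such as "alerts"
    fails loudly instead of silently dropping a whole class of data.
    """
    effective = []
    for idx, out in enumerate(config["alert_output"]["outputs"]):
        types = out.get("message_types", list(DEFAULT_MESSAGE_TYPES))
        unknown = set(types) - KNOWN_MESSAGE_TYPES
        if unknown:
            raise ValueError(f"output {idx}: unknown message_types {sorted(unknown)}")
        if out.get("enabled", False):  # assumption: missing 'enabled' means disabled
            effective.append((idx, out["type"], set(types)))
    return effective


def route(config, messages):
    """Map each message to the outputs that will deliver it.

    Returns (delivered, unrouted): delivered maps output index -> list of
    messages; unrouted lists messages no enabled output accepted.
    """
    outputs = validate_outputs(config)
    delivered = {idx: [] for idx, _, _ in outputs}
    unrouted = []
    for msg in messages:
        hit = False
        for idx, _, types in outputs:
            if msg["message_type"] in types:
                delivered[idx].append(msg)
                hit = True
        if not hit:
            unrouted.append(msg)
    return delivered, unrouted


def coverage_gaps(config):
    """Known message types that no enabled output delivers.

    With only the default filter this returns {"alert", "audit"}, which is
    the case a defender most wants to catch before alerts go missing.
    """
    covered = set()
    for _, _, types in validate_outputs(config):
        covered |= types
    return KNOWN_MESSAGE_TYPES - covered


if __name__ == "__main__":
    delivered, unrouted = route(CONFIG, SAMPLE_MESSAGES)
    for idx, msgs in delivered.items():
        print(f"output {idx}: {[m['message_type'] for m in msgs]}")
    print("unrouted:", [m["message_type"] for m in unrouted])
    print("coverage gaps:", coverage_gaps(CONFIG))
```

Run the check against the real configuration before deploying it: an empty set from coverage_gaps means every message type has at least one enabled destination, while a non-empty result names the types that would be dropped.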