The Capsule8 Platform was designed with flexibility in mind to make it easy for users to consume Capsule8 Alert data in a way that fits in naturally with their existing workflows.
All alert output types can be configured to limit the number of alerts they emit over a specific period of time. See Managing Sensor resource usage for more details.
Getting Alerts via a file
The file output type writes alerts to a file on the Capsule8 Sensor's local file system. This output type is commonly used to integrate with existing log shippers that can read from a log file.
Configuration:
| Key | Required | Description |
| --- | --- | --- |
| type | yes | The output type |
| enabled | yes | Enables/disables the output |
| name | yes | The file name |
| max_size | no | The max file size in MB that a log file can be before it is rotated. Default is 100. |
| max_backups | no | The max number of log files to retain. Default is to not delete any old log files. |
Example: Writing to two local files
alert_output:
  outputs:
  # Write the full Alert to a local log file
  - type: file
    enabled: true
    name: /var/log/capsule8-alerts.json
  # Write a truncated Alert summary to a different local log file
  - type: file
    enabled: true
    template: "{{.UUID}} {{.StrategyName}} {{.ProcessInfo.Tgid}} {{.ProcessInfo.Program.Path}}"
    name: /var/log/capsule8-alert-summaries.json
Getting Alerts via stdout
The stdout output type prints alerts to the Capsule8 Sensor's standard output. This output type is commonly used to quickly test new policy settings in development, as well as to easily integrate with existing log shippers in containerized environments.
Note: Alerts will be mixed in with anything else printed to stdout by the Capsule8 Sensor such as initialization information or logged errors.
Configuration:
| Key | Required | Description |
| --- | --- | --- |
| type | yes | The output type |
| enabled | yes | Enables/disables the output |
Example printing Alerts to stdout:
alert_output:
  outputs:
  - type: stdout
    enabled: true
Getting Alerts via syslog
The syslog output type sends alerts to a syslog server.
Configuration:
| Key | Required | Description |
| --- | --- | --- |
| type | yes | The output type |
| enabled | yes | Enables/disables the output |
| url | yes | The syslog server URL (local or remote) |
Example sending Alerts to a local syslog server:
alert_output:
  outputs:
  - type: syslog
    enabled: true
    # This could also be a remote syslog server
    url: tcp://127.0.0.1:514/capsule8-alerts
Configuring via environment variable
  CAPSULE8_ALERT_SYSLOG_URL=tcp://syslog-server:514/capsule8alerts
Getting Alerts via a webhook
The webhook output type sends alerts to a webhook endpoint with an HTTP request. This output type is incredibly powerful when combined with Alert Templates because it allows users to create ad hoc integrations with a number of third-party services. Some common use cases are shipping Alert summaries to Slack, automatically creating Jira tickets when high-priority Alerts are seen, or even sending Alerts directly to a Splunk Cloud instance.
Configuration:
| Key | Required | Description |
| --- | --- | --- |
| type | yes | The output type |
| enabled | yes | Enables/disables the output. |
| url | yes | The URL to send the request to. |
| headers | no | The headers to pass along with the request. Default is "Content-Type: application/json". |
| method | no | The HTTP method to use. Default is POST. |
| timeout | no | The timeout in seconds. Default is 30. |
Example:
alert_output:
  outputs:
  # Send Alerts to a local web server
  - type: webhook
    enabled: true
    url: http://localhost:8080/alerts
  # Send Alerts to an arbitrary service with all settings
  - type: webhook
    enabled: true
    url: https://api.example-company.com/capsule8-alerts
    template: "New Capsule8 Alert {{.UUID}}"
    timeout: 5
    method: PUT
    headers:
      "Content-Type": "text/plain"
      "X-COMPANY-AUTH": "123456"
  # Send Alerts to Slack using their webhook JSON format
  - type: webhook
    enabled: true
    url: https://hooks.slack.com/services/123ABC/ab914B12eeigVh2xZ
    template: '{"text": "🌶 New Capsule8 Alert {{.PolicyType}} {{.Description}}"}'
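The following Go program is an added example, not Capsule8's own code, showing the receiving side of the file-summary and webhook templates above: it expands the page's `{{.Field}}` templates against an alert, delivers the result with the method, headers and timeout from the "all settings" webhook, and runs a small receiver that checks the X-COMPANY-AUTH header before accepting the body. It assumes the templates are Go text/template syntax (which the `{{.UUID}}` form matches) and uses a constructed Alert struct containing only the fields the page's templates reference; the real Alert has many more fields, and the token "123456" is the placeholder value from the page's example.

```go
package main

import (
	"bytes"
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"text/template"
	"time"
)

// Alert is an assumed shape carrying only the fields used by the page's templates.
type Alert struct {
	UUID         string
	StrategyName string
	PolicyType   string
	Description  string
	ProcessInfo  ProcessInfo
}

type ProcessInfo struct {
	Tgid    int
	Program Program
}

type Program struct {
	Path string
}

// Templates copied from the page's file and Slack webhook examples.
const SummaryTemplate = "{{.UUID}} {{.StrategyName}} {{.ProcessInfo.Tgid}} {{.ProcessInfo.Program.Path}}"
const SlackTemplate = `{"text": "🌶 New Capsule8 Alert {{.PolicyType}} {{.Description}}"}`

// SampleAlert is constructed data for this example, not a real Capsule8 alert.
var SampleAlert = Alert{
	UUID:         "00000000-0000-4000-8000-000000000001",
	StrategyName: "example-strategy",
	PolicyType:   "example-policy",
	Description:  "example description",
	ProcessInfo:  ProcessInfo{Tgid: 4242, Program: Program{Path: "/usr/bin/example"}},
}

// RenderTemplate expands a text/template against an alert; no escaping is applied.
func RenderTemplate(tmpl string, a Alert) (string, error) {
	t, err := template.New("alert").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, a); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// IsValidJSON reports whether a rendered Slack payload is well-formed JSON.
func IsValidJSON(s string) bool { return json.Valid([]byte(s)) }

// Receiver is a minimal webhook endpoint that enforces method and shared-secret header.
type Receiver struct {
	AuthToken string
	Received  []string
}

func (r *Receiver) ServeHTTP(w http.ResponseWriter, req *http.Request) {
	if req.Method != http.MethodPost && req.Method != http.MethodPut {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	got := req.Header.Get("X-COMPANY-AUTH")
	// Constant-time compare so the token check does not leak via timing.
	if subtle.ConstantTimeCompare([]byte(got), []byte(r.AuthToken)) != 1 {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	body, err := io.ReadAll(io.LimitReader(req.Body, 1<<20)) // cap the body at 1 MiB
	if err != nil {
		http.Error(w, "bad body", http.StatusBadRequest)
		return
	}
	r.Received = append(r.Received, string(body))
	w.WriteHeader(http.StatusAccepted)
}

// Deliver sends one rendered alert with the configurable method, headers and timeout.
func Deliver(url, method string, headers map[string]string, body string, timeout time.Duration) (int, error) {
	req, err := http.NewRequest(method, url, strings.NewReader(body))
	if err != nil {
		return 0, err
	}
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	resp, err := (&http.Client{Timeout: timeout}).Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	rcv := &Receiver{AuthToken: "123456"}
	srv := httptest.NewServer(rcv)
	defer srv.Close()
	text, _ := RenderTemplate(SummaryTemplate, SampleAlert)
	headers := map[string]string{"Content-Type": "text/plain", "X-COMPANY-AUTH": "123456"}
	status, err := Deliver(srv.URL+"/capsule8-alerts", http.MethodPut, headers, text, 5*time.Second)
	fmt.Println(status, err, rcv.Received)
}
```

One caveat the Slack example exposes: with plain text/template, a Description containing a double quote is substituted verbatim into the JSON string and the payload becomes invalid JSON, which Slack will reject. Whether Capsule8's template engine provides an escaping function is not stated on this page, so treat any template that embeds alert fields inside JSON as something to test with hostile-looking field values before relying on it.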