Collector configuration

For the Collector component, you need to create a configuration file named collector_config.yml. The table below describes the settings of the Collector component.

Collector component settings

Each parameter is listed with its description, whether it is mandatory, and its possible values. Nested parameters are indented under the parameter that contains them.

service-url
  Description: URL that the Collector component uses to connect to the MapApp component.
  Mandatory: Yes
  Possible values: A valid URL up to 256 characters in the following format: <protocol>://<domain name or IP address> or <protocol>://<domain name or IP address>:<port> (if a non-standard port is used).

log-poll-interval
  Description: Interval for fetching events from the log, in seconds.
  Mandatory: Yes
  Possible values: From 1 to 300.

log-level
  Description: Logging level for debugging.
  Mandatory: Yes
  Possible values:
    • DEBUG logs all events.
    • INFO logs only messages about component startup and errors.

max-batch-limit
  Description: Maximum number of events that can be sent in a batch. If there are more events, multiple batches are formed and sent separately.
  Mandatory: Yes
  Possible values: From 1 to 100,000.

ram-storage-limit
  Description: Maximum number of events that can be stored in RAM if the service is unavailable.
  Mandatory: Yes
  Possible values: From 1000 to 1,000,000.

filter-domain-list
  Description: List of domains for filtering events that are sent to MapApp.
  Mandatory: No
  Possible values: No value of its own; the nested parameters include and exclude hold the lists.

    include
      Description: List of domains for which events must be sent.
      Mandatory: No
      Possible values: List of domains.

    exclude
      Description: List of domains for which events must not be sent.
      Mandatory: No
      Possible values: List of domains.

filter-ip-ranges
  Description: List of IP addresses for filtering events that are sent to MapApp.
  Mandatory: No
  Possible values: No value of its own; the nested parameters include and exclude hold the lists.

    include
      Description: List of IP addresses for which events must be sent.
      Mandatory: No
      Possible values: List of IP addresses in CIDR format.

    exclude
      Description: List of IP addresses for which events must not be sent.
      Mandatory: No
      Possible values: List of IP addresses in CIDR format.

filter-accounts
  Description: List of conditions for filtering events that are sent to MapApp by user name.
  Mandatory: No
  Possible values: No value of its own; the nested parameters include and exclude hold the conditions.

    include
      Description: Conditions for user names for which events must be sent.
      Mandatory: No
      Possible values: The following conditions are possible:
        • starts-with means the user name starts with the specified string. No more than 256 characters.
        • ends-with means the user name ends with the specified string. No more than 256 characters.
        • A combination of starts-with and ends-with means the user name begins and ends with the specified strings.
        • exact means the user name exactly matches the specified string.

    exclude
      Description: Conditions for user names for which events must not be sent.
      Mandatory: No
      Possible values: The same conditions as for include.

event-codes
  Description: List of codes for event types that must be tracked.
  Mandatory: Yes
  Possible values: One or more of the following values: 4768, 4769, 4770, 4624.

dc
  Description: List of domain controllers that the Collector component must contact, and the connection settings for each of these.
  Mandatory: Yes
  Possible values: No value of its own. You must specify at least one domain controller and all its required connection settings (the nested parameters below).

    address
      Description: IP address or DNS name of the controller.
      Mandatory: Yes
      Possible values: IP address or DNS name.

    port
      Description: The port used by WinRM.
      Mandatory: Yes
      Possible values: From 1 to 65,535. We recommend specifying 5985 or 5986.

    timeout
      Description: The time after which the connection to the domain controller is terminated, in seconds.
      Mandatory: No
      Possible values: Integer greater than 0. By default, 60.

    timezone
      Description: Timezone in GMT format.
      Mandatory: Yes
      Possible values: From GMT-14 to GMT+12. Can be specified in the GMT±<hours> or GMT±<hours>:<minutes> format.

    trust-ca-cert
      Description: Path to the root certificate that was used to sign the server certificate.
      Mandatory: Yes
      Possible values: Path to the file.

    user-cert
      Description: Path to the Collector component certificate file.
      Mandatory: Yes
      Possible values: Path to the file.

    user-cert-key
      Description: Path to the key file that was used to sign the Collector certificate.
      Mandatory: Yes
      Possible values: Path to the file.
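As an added example (not part of this documentation or the product's own code), the Python below checks a parsed collector_config.yml against the rules in the table above: mandatory parameters, the numeric ranges, the allowed event codes, the service-url format, and each domain controller's mandatory settings, port range and timezone. It assumes the file has already been loaded into a dict (for instance with yaml.safe_load), that dc is a list of mappings, and the hostnames and paths in the sample are constructed.

```python
import re
from urllib.parse import urlparse

EVENT_CODES = {4768, 4769, 4770, 4624}                       # the only codes the table allows
INT_RANGES = {"log-poll-interval": (1, 300), "max-batch-limit": (1, 100_000),
              "ram-storage-limit": (1000, 1_000_000)}
TOP_MANDATORY = ("service-url", "log-poll-interval", "log-level", "max-batch-limit",
                 "ram-storage-limit", "event-codes", "dc")
DC_MANDATORY = ("address", "port", "timezone", "trust-ca-cert", "user-cert", "user-cert-key")
TZ_RE = re.compile(r"^GMT([+-])(\d{1,2})(?::([0-5]\d))?$")   # GMT±<hours>[:<minutes>]

def tz_ok(value):
    """True for GMT-14 .. GMT+12 written as GMT±<hours> or GMT±<hours>:<minutes>."""
    m = TZ_RE.match(str(value))
    limit = 14 if m and m.group(1) == "-" else 12
    return bool(m) and int(m.group(2)) + int(m.group(3) or 0) / 60 <= limit

def url_ok(value):
    """<protocol>://<host>[:<port>], nothing after the authority, at most 256 characters."""
    u = urlparse(str(value))
    return bool(u.scheme and u.hostname) and u.path in ("", "/") and len(str(value)) <= 256

def validate_collector_config(cfg):
    """Return the list of rule violations; an empty list means the config passes."""
    errors = [f"{k}: mandatory parameter missing" for k in TOP_MANDATORY if k not in cfg]
    if "service-url" in cfg and not url_ok(cfg["service-url"]):
        errors.append("service-url: expected <protocol>://<host>[:<port>], up to 256 characters")
    for key, (lo, hi) in INT_RANGES.items():
        if key in cfg and not (isinstance(cfg[key], int) and lo <= cfg[key] <= hi):
            errors.append(f"{key}: must be an integer from {lo} to {hi}")
    if "event-codes" in cfg and not (cfg["event-codes"] and set(cfg["event-codes"]) <= EVENT_CODES):
        errors.append(f"event-codes: one or more of {sorted(EVENT_CODES)}")
    dcs = cfg.get("dc") or []
    if "dc" in cfg and not dcs:
        errors.append("dc: at least one domain controller with its connection settings is required")
    for i, dc in enumerate(dcs):                             # every controller needs all its settings
        errors += [f"dc[{i}].{k}: mandatory setting missing" for k in DC_MANDATORY if k not in dc]
        if "port" in dc and not (isinstance(dc["port"], int) and 1 <= dc["port"] <= 65_535):
            errors.append(f"dc[{i}].port: must be from 1 to 65535 (5985 or 5986 recommended)")
        if "timezone" in dc and not tz_ok(dc["timezone"]):
            errors.append(f"dc[{i}].timezone: GMT-14..GMT+12 as GMT±<hours>[:<minutes>]")
    return errors

SAMPLE_CONFIG = {  # constructed sample, not from the original page; it satisfies every rule above
    "service-url": "https://mapapp.example.local:8443", "log-poll-interval": 30, "log-level": "INFO",
    "max-batch-limit": 5000, "ram-storage-limit": 100_000, "event-codes": [4768, 4769, 4624],
    "dc": [{"address": "dc01.example.local", "port": 5986, "timezone": "GMT+3",
            "trust-ca-cert": "/etc/collector/ca.pem", "user-cert": "/etc/collector/collector.pem",
            "user-cert-key": "/etc/collector/collector.key"}],
}
```

Running validate_collector_config on the loaded dict before starting the Collector surfaces every violation at once instead of the first one the component trips over.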
