Configuration
Each Seer Box Sentinel can be configured independently and paired to a specific traffic source. On a Linux system, the application's configuration can be saved permanently in a local file. The application collects settings from the following files, in order of precedence:
- A file saved locally in the user's home directory at /home/user/.config/seerbox_sentinel.toml or, alternatively, a file saved in a custom location specified using command-line options (see below);
- The global configuration file, located at /etc/seerbox_sentinel.toml.
In interactive, container-based and cloud environments, however, the application is typically configured using command-line parameters and environment variables. The following table lists all options available for configuring the software; detailed on-screen help text can be displayed at any time by calling the executable with the --help option.
Seer Box Sentinel Options
| Parameter | Environment Variable | Description |
|---|---|---|
| `--name` or `-n` | `SBX_NAME` | A custom name which will be used to identify the traffic source |
| `--description` | `SBX_DESCRIPTION` | A text which may be used to provide a longer description |
| `--config-file` or `-r` | `SBX_CONFIG_FILE` | Read the initial configuration from the file located at the specified path |
| `--enabled` | `SBX_ENABLED` | If set to `false`, incoming traffic will be ignored |
| `--cpus` or `-w` | `SBX_CPUS` | Sets the maximum number of CPU threads (defaults to all available system CPUs) |
| `--listen-port` or `-p` | `SBX_LISTEN_PORT` | Start listening for traffic data on this port |
| `--listen-address` or `-a` | `SBX_LISTEN_ADDRESS` | Start listening on the interface matching the input address (default: `0.0.0.0`) |
| `--protocol` or `-t` | `SBX_PROTOCOL` | The transport layer protocol for the listener service (default: `UDP`, possible values: `UDP`, `TCP`) |
| `--log-level` | `SBX_LOG_LEVEL` | Set the maximum allowed level for log messages (default: `info`, possible values: `error`, `warn`, `info`, `debug`) |
| `--accept-eula` | `SBX_ACCEPT_EULA` | Accept the End User License Agreement. Possible values: `yes`, `no` |
| `--health-system-port` | `SBX_HEALTH_SYSTEM_PORT` | Start the health system on this port |
| `--health-system-address` | `SBX_HEALTH_SYSTEM_ADDRESS` | Start the health system on the interface matching the input address (default: `0.0.0.0`) |
| `--input-format` or `-f` | `SBX_INPUT_FORMAT` | Select an input format for the traffic source (default: `ncsa_common_log`, possible values: `nginx_connector`, `oplon_adc_connector`, `apache_http_server_log`, `nginx_log`, `ha_proxy_log`, `ncsa_common_log`, `ncsa_extended_log`, `iis_w3c_log`, `custom_template`, `json_template`) |
| `--traffic-log-template` | `SBX_TRAFFIC_LOG_TEMPLATE` | Specify a log template to parse a custom traffic log format |
| `--traffic-timestamp-format` | `SBX_TRAFFIC_TIMESTAMP_FORMAT` | The timestamp (date + time) format used by the remote traffic source |
| `--traffic-date-format` | `SBX_TRAFFIC_DATE_FORMAT` | The date format used by the remote traffic source |
| `--traffic-time-format` | `SBX_TRAFFIC_TIME_FORMAT` | The time format used by the remote traffic source |
| `--traffic-timezone` | `SBX_TRAFFIC_TIMEZONE` | The local UTC offset of the remote traffic source, specified according to ISO 8601 (`±HH:MM`) |
| `--traffic-use-unix-timestamps` | `SBX_TRAFFIC_USE_UNIX_TIMESTAMPS` | Set to `true` if the remote traffic source logs timestamps as UNIX epoch values |
| `--traffic-true-client-header` | `SBX_TRAFFIC_TRUE_CLIENT_HEADER` | A custom header name which may optionally be specified to hold the original HTTP client addresses of requests coming from a proxy |
| `--detect-code-injection` | `SBX_DETECT_CODE_INJECTION` | Detect code injection attempts (default: `true`) |
| `--detect-command-injection` | `SBX_DETECT_COMMAND_INJECTION` | Detect command injection attempts (default: `true`) |
| `--detect-cross-site-scripting` | `SBX_DETECT_CROSS_SITE_SCRIPTING` | Detect cross-site scripting (XSS) attacks (default: `true`) |
| `--detect-sql-injection` | `SBX_DETECT_SQL_INJECTION` | Detect SQL injection attempts (default: `true`) |
| `--detect-jndi-injection` | `SBX_DETECT_JNDI_INJECTION` | Detect Log4j JNDI injection attempts (default: `true`) |
| `--detect-xml-external-entity` | `SBX_DETECT_XML_EXTERNAL_ENTITY` | Detect XML External Entity (XXE) attacks (default: `true`) |
| `--detect-drupal-probing` | `SBX_DETECT_DRUPAL_PROBING` | Detect Drupal probing attempts (default: `true`) |
| `--detect-path-traversal` | `SBX_DETECT_PATH_TRAVERSAL` | Detect path traversal attempts (default: `true`) |
| `--detect-wordpress-probing` | `SBX_DETECT_WORDPRESS_PROBING` | Detect WordPress probing attempts (default: `true`) |
| `--detect-fake-bots` | `SBX_DETECT_FAKE_BOTS` | Activate the detection of fake bots (default: `true`) |
| `--detect-malicious-scanners` | `SBX_DETECT_MALICIOUS_SCANNERS` | Activate the detection of malicious scanners (default: `true`) |
| `--detect-botnets` | `SBX_DETECT_BOTNETS` | Activate botnet detection (default: `true`) |
| `--detect-brute-force` | `SBX_DETECT_BRUTE_FORCE` | Detect brute force attack attempts (default: `true`) |
| `--engine-host` | `SBX_ENGINE_HOST` | Specify the Seer Box Engine connection host |
| `--engine-port` | `SBX_ENGINE_PORT` | Specify the Seer Box Engine connection port |
| `--engine-auth-key` | `SBX_ENGINE_AUTH_KEY` | The authentication token required to connect to a remote Seer Box Engine |
| `--traffic-collector-host` | `SBX_TRAFFIC_COLLECTOR_HOST` | The host string identifying a remote centralized traffic data collector |
| `--traffic-collector-port` | `SBX_TRAFFIC_COLLECTOR_PORT` | The service port of the remote data collector |
| `--traffic-collector-username` | `SBX_TRAFFIC_COLLECTOR_USERNAME` | Set a username to connect to the remote traffic data collector |
| `--traffic-collector-password` | `SBX_TRAFFIC_COLLECTOR_PASSWORD` | Set a password to connect to the remote traffic data collector |
| `--help` or `-h` | - | Display available command-line options |
| `--version` | - | Print the software version |
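As an added example (not part of the Seer Box software or its documentation), the following pre-flight check applies the file precedence and the allowed values from the table above to a set of `SBX_*` variables before a Sentinel is started, and flags credentials passed as command-line flags, which would otherwise be visible to any local user in process listings. The pairing of `custom_template` with `SBX_TRAFFIC_LOG_TEMPLATE` is inferred from the table, not stated by the vendor.

```python
import re

# Allowed values copied from the options table; keys are the SBX_* variables.
ALLOWED = {
    "SBX_PROTOCOL": {"UDP", "TCP"},
    "SBX_LOG_LEVEL": {"error", "warn", "info", "debug"},
    "SBX_ACCEPT_EULA": {"yes", "no"},
    "SBX_INPUT_FORMAT": {
        "nginx_connector", "oplon_adc_connector", "apache_http_server_log",
        "nginx_log", "ha_proxy_log", "ncsa_common_log", "ncsa_extended_log",
        "iis_w3c_log", "custom_template", "json_template",
    },
}
PORT_VARS = ("SBX_LISTEN_PORT", "SBX_HEALTH_SYSTEM_PORT", "SBX_ENGINE_PORT",
             "SBX_TRAFFIC_COLLECTOR_PORT")
# Options carrying credentials; passed as flags they appear in `ps` output.
SECRET_FLAGS = ("--engine-auth-key", "--traffic-collector-password")
GLOBAL_CONFIG = "/etc/seerbox_sentinel.toml"


def config_file_order(home_dir, custom_path=None):
    """Files the Sentinel reads, highest precedence first, per the text above."""
    user_file = custom_path or f"{home_dir}/.config/seerbox_sentinel.toml"
    return [user_file, GLOBAL_CONFIG]


def check_settings(env, argv=()):
    """Return a list of findings for SBX_* variables plus the CLI arguments."""
    findings = []
    for var, allowed in ALLOWED.items():
        if var in env and env[var] not in allowed:
            findings.append(f"{var}={env[var]!r} not in {sorted(allowed)}")
    for var in PORT_VARS:
        if var in env and not (env[var].isdigit() and 0 < int(env[var]) < 65536):
            findings.append(f"{var}={env[var]!r} is not a valid port number")
    tz = env.get("SBX_TRAFFIC_TIMEZONE")
    if tz is not None and not re.fullmatch(r"[+-]\d{2}:\d{2}", tz):
        findings.append(f"SBX_TRAFFIC_TIMEZONE={tz!r} is not an ISO 8601 offset (+HH:MM)")
    # Assumed from the table: a custom format needs a log template to parse it.
    if env.get("SBX_INPUT_FORMAT") == "custom_template" and not env.get("SBX_TRAFFIC_LOG_TEMPLATE"):
        findings.append("custom_template selected but SBX_TRAFFIC_LOG_TEMPLATE is empty")
    for arg in argv:
        flag = arg.split("=", 1)[0]          # handles both --flag=value and --flag value
        if flag in SECRET_FLAGS:
            findings.append(f"{flag} given on the command line; prefer the environment variable or a config file")
    return findings
```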