Configuration

Each Seer Box Sentinel can be configured independently to be paired with a specific traffic source. On a Linux system, the application's configuration can be saved permanently in a local file. The application collects settings from the following files, in order of precedence:

  • A file saved in the user's home directory, at /home/user/.config/seerbox_sentinel.toml, or, alternatively, a file saved in a custom location specified using command-line options (see below);
  • The global configuration file, located at /etc/seerbox_sentinel.toml.

In interactive, container-based and cloud environments, however, the application will typically be configured using command-line parameters and environment variables. The following table lists all options available for the software's configuration; a detailed on-screen help text can be displayed at any moment by calling the executable with the --help option.

Seer Box Sentinel Options

| Parameter | Environment Variable | Description |
|---|---|---|
| --name or -n | SBX_NAME | A custom name which will be used to identify the traffic source |
| --description | SBX_DESCRIPTION | A text which may be used to provide a longer description |
| --config-file or -r | SBX_CONFIG_FILE | Read the initial configuration from the file located at the specified path |
| --enabled | SBX_ENABLED | If set to false, incoming traffic will be ignored |
| --cpus or -w | SBX_CPUS | Sets the maximum number of CPU threads (defaults to all available system CPUs) |
| --listen-port or -p | SBX_LISTEN_PORT | Start listening for traffic data on this port |
| --listen-address or -a | SBX_LISTEN_ADDRESS | Start listening on the interface matching the input address (default: 0.0.0.0) |
| --protocol or -t | SBX_PROTOCOL | The transport layer protocol for the listener service (default: UDP, possible values: UDP, TCP) |
| --log-level | SBX_LOG_LEVEL | Set the maximum allowed level for log messages (default: info, possible values: error, warn, info, debug) |
| --accept-eula | SBX_ACCEPT_EULA | Accept the End User License Agreement. Possible values: yes, no |
| --health-system-port | SBX_HEALTH_SYSTEM_PORT | Start the health system on this port |
| --health-system-address | SBX_HEALTH_SYSTEM_ADDRESS | Start the health system on the interface matching the input address (default: 0.0.0.0) |
| --input-format or -f | SBX_INPUT_FORMAT | Select an input format for the traffic source (default: ncsa_common_log, possible values: nginx_connector, oplon_adc_connector, apache_http_server_log, nginx_log, ha_proxy_log, ncsa_common_log, ncsa_extended_log, iis_w3c_log, custom_template, json_template) |
| --traffic-log-template | SBX_TRAFFIC_LOG_TEMPLATE | Specify a log template to parse a custom traffic log format |
| --traffic-timestamp-format | SBX_TRAFFIC_TIMESTAMP_FORMAT | The timestamp (date + time) format used by the remote traffic source |
| --traffic-date-format | SBX_TRAFFIC_DATE_FORMAT | The date format used by the remote traffic source |
| --traffic-time-format | SBX_TRAFFIC_TIME_FORMAT | The time format used by the remote traffic source |
| --traffic-timezone | SBX_TRAFFIC_TIMEZONE | The local UTC offset of the remote traffic source, specified according to ISO 8601 (±HH:MM) |
| --traffic-use-unix-timestamps | SBX_TRAFFIC_USE_UNIX_TIMESTAMPS | Set to true if the remote traffic source logs timestamps as UNIX epoch values |
| --traffic-true-client-header | SBX_TRAFFIC_TRUE_CLIENT_HEADER | A custom header name which may optionally be specified to hold the original HTTP client addresses of requests coming from a proxy |
| --detect-code-injection | SBX_DETECT_CODE_INJECTION | Detect code injection attempts (default: true) |
| --detect-command-injection | SBX_DETECT_COMMAND_INJECTION | Detect command injection attempts (default: true) |
| --detect-cross-site-scripting | SBX_DETECT_CROSS_SITE_SCRIPTING | Detect cross-site scripting (XSS) attacks (default: true) |
| --detect-sql-injection | SBX_DETECT_SQL_INJECTION | Detect SQL injection attempts (default: true) |
| --detect-jndi-injection | SBX_DETECT_JNDI_INJECTION | Detect Log4j JNDI injection attempts (default: true) |
| --detect-xml-external-entity | SBX_DETECT_XML_EXTERNAL_ENTITY | Detect XML External Entity (XXE) attacks (default: true) |
| --detect-drupal-probing | SBX_DETECT_DRUPAL_PROBING | Detect Drupal probing attempts (default: true) |
| --detect-path-traversal | SBX_DETECT_PATH_TRAVERSAL | Detect path traversal attempts (default: true) |
| --detect-wordpress-probing | SBX_DETECT_WORDPRESS_PROBING | Detect WordPress probing attempts (default: true) |
| --detect-fake-bots | SBX_DETECT_FAKE_BOTS | Activate the detection of fake bots (default: true) |
| --detect-malicious-scanners | SBX_DETECT_MALICIOUS_SCANNERS | Activate the detection of malicious scanners (default: true) |
| --detect-botnets | SBX_DETECT_BOTNETS | Activate botnet detection (default: true) |
| --detect-brute-force | SBX_DETECT_BRUTE_FORCE | Detect brute force attack attempts (default: true) |
| --engine-host | SBX_ENGINE_HOST | Specify the Seer Box Engine connection host |
| --engine-port | SBX_ENGINE_PORT | Specify the Seer Box Engine connection port |
| --engine-auth-key | SBX_ENGINE_AUTH_KEY | The authentication token required to connect to a remote Seer Box Engine |
| --traffic-collector-host | SBX_TRAFFIC_COLLECTOR_HOST | The host string identifying a remote centralized traffic data collector |
| --traffic-collector-port | SBX_TRAFFIC_COLLECTOR_PORT | The service port of the remote data collector |
| --traffic-collector-username | SBX_TRAFFIC_COLLECTOR_USERNAME | Set a username to connect to the remote traffic data collector |
| --traffic-collector-password | SBX_TRAFFIC_COLLECTOR_PASSWORD | Set a password to connect to the remote traffic data collector |
| --help or -h | - | Display available command-line options |
| --version | - | Print the software version |
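In container and cloud deployments the settings above usually arrive as SBX_* environment variables from a manifest, where a typo is easy to make and only surfaces when the sentinel starts. The following pre-flight script is an added example and is not part of Seer Box Sentinel: it checks the exported SBX_* variables against the allowed values and formats documented in the table (ports, protocol, log level, EULA flag, input format, ±HH:MM timezone offset) and returns the number of problems found, so a launch can be gated on it. Only values listed in the table are used; the executable name `seerbox_sentinel` in the usage comment is an assumption.

```sh
#!/bin/sh
# Pre-flight validation of Seer Box Sentinel settings passed as SBX_* environment
# variables (added example; not part of the product). Accepted values are taken
# from the documented option table; unset variables keep the product defaults
# and are skipped.

# Return 0 when $1 equals one of the space-separated words in $2.
in_list() {
  for _w in $2; do
    [ "$1" = "$_w" ] && return 0
  done
  return 1
}

# TCP/UDP port: an integer in 1..65535.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# UTC offset in the ISO 8601 ±HH:MM form that --traffic-timezone expects.
valid_tz_offset() {
  case "$1" in
    [+-][01][0-9]:[0-5][0-9]|[+-]2[0-3]:[0-5][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Record one problem: print it to stderr and bump the counter.
fail() {
  echo "config error: $1" >&2
  _errors=$((_errors + 1))
}

# Check every SBX_* variable that is set. Returns the number of problems found
# (0 means the environment is consistent with the option table).
check_sentinel_env() {
  _errors=0
  for _v in SBX_LISTEN_PORT SBX_HEALTH_SYSTEM_PORT SBX_ENGINE_PORT SBX_TRAFFIC_COLLECTOR_PORT; do
    eval "_val=\${$_v:-}"
    [ -z "$_val" ] || valid_port "$_val" || fail "$_v='$_val' is not a port in 1..65535"
  done
  [ -z "${SBX_PROTOCOL:-}" ] || in_list "$SBX_PROTOCOL" "UDP TCP" \
    || fail "SBX_PROTOCOL='$SBX_PROTOCOL' (allowed: UDP, TCP)"
  [ -z "${SBX_LOG_LEVEL:-}" ] || in_list "$SBX_LOG_LEVEL" "error warn info debug" \
    || fail "SBX_LOG_LEVEL='$SBX_LOG_LEVEL' (allowed: error, warn, info, debug)"
  [ -z "${SBX_ACCEPT_EULA:-}" ] || in_list "$SBX_ACCEPT_EULA" "yes no" \
    || fail "SBX_ACCEPT_EULA='$SBX_ACCEPT_EULA' (allowed: yes, no)"
  [ -z "${SBX_INPUT_FORMAT:-}" ] || in_list "$SBX_INPUT_FORMAT" \
    "nginx_connector oplon_adc_connector apache_http_server_log nginx_log ha_proxy_log ncsa_common_log ncsa_extended_log iis_w3c_log custom_template json_template" \
    || fail "SBX_INPUT_FORMAT='$SBX_INPUT_FORMAT' is not a documented input format"
  [ -z "${SBX_TRAFFIC_TIMEZONE:-}" ] || valid_tz_offset "$SBX_TRAFFIC_TIMEZONE" \
    || fail "SBX_TRAFFIC_TIMEZONE='$SBX_TRAFFIC_TIMEZONE' must be an ISO 8601 offset (±HH:MM)"
  return "$_errors"
}

# Usage (executable name assumed): export the SBX_* variables, then gate the launch.
# check_sentinel_env && exec seerbox_sentinel --accept-eula yes
```

Note that SBX_ENGINE_AUTH_KEY and SBX_TRAFFIC_COLLECTOR_PASSWORD are deliberately not echoed by the checks: secrets belong in the user or global configuration file with restrictive permissions, or in an injected environment, rather than on the command line, where other local users can read them from the process list.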