Forwarder Management API

You can use the Google Security Operations Forwarder Management API to do the following programmatically:

  • Create and manage forwarders.
  • Create and manage collectors.
  • Get the file contents for a Google Security Operations forwarder's configuration.(.conf) and authentication (_auth.conf) files.

Forwarders are composed of one or more collectors. Each collector's configuration specifies its ingestion mechanism (for example, File, Kafka, PCAP, Splunk, or Syslog) and log type.

Assuming hardware requirements are met, you can use many collectors on the same forwarder to ingest data from a variety of mechanisms and log types. For example, you can install a forwarder with two syslog collectors listening for PAN_FIREWALL and CISCO_ASA_FIREWALL data on separate ports, respectively.

The API lets you create forwarders and their collectors in your Google Security Operations instance. Once a forwarder is created, you can use the Generate Forwarder Files endpoint to get the file contents (as JSON payload) for a forwarder's configuration (.conf) and authentication (_auth.conf) files. These contents can then be written to their respective .conf files for deployment with the Google Security Operations Forwarder service on a Windows or Linux system.

For Python samples that use the Forwarder Management API, see the GitHub repository.

Create a forwarder and its collector(s)

A forwarder must be created before any of its collectors can be created.

To create a forwarder and its collector(s):

  1. Create a forwarder.
  2. Create a collector for the forwarder.
  3. (Optional) Repeat Step 2 to add more collectors.

How to authenticate with the Google Security Operations API

This Google Security Operations API uses the OAuth 2.0 protocol for authentication and authorization. Your application can complete these tasks using either of the following implementations:

  • Using the Google API Client Library for your computer language.

  • Directly interfacing with the OAuth 2.0 system using HTTP.

See the reference documentation for the Google Authentication library in Python.

Google Authentication libraries are a subset of the Google API client libraries. See other language implementations.

Getting API authentication credentials

Your Google Security Operations representative will provide you with a Google Developer Service Account Credential to enable the API client to communicate with the API.

You also must provide the Auth Scope when initializing your API client. OAuth 2.0 uses a scope to limit an application's access to an account. When an application requests a scope, the access token issued to the application is limited to the scope granted.

Use the following scope to initialize your Google API client:

https://www.googleapis.com/auth/chronicle-backstory

Python example

The following Python example demonstrates how to use the OAuth2 credentials and HTTP client using google.oauth2 and googleapiclient.

# Imports required for the sample - Google Auth and API Client Library Imports.
# Get these packages from https://pypi.org/project/google-api-python-client/ or run $ pip
# install google-api-python-client from your terminal
from google.auth.transport import requests
from google.oauth2 import service_account

SCOPES = ['https://www.googleapis.com/auth/chronicle-backstory']

# The apikeys-demo.json file contains the customer's OAuth 2 credentials.
# SERVICE_ACCOUNT_FILE is the full path to the apikeys-demo.json file
# ToDo: Replace this with the full path to your OAuth2 credentials
SERVICE_ACCOUNT_FILE = '/customer-keys/apikeys-demo.json'

# Create a credential using Google Developer Service Account Credential and Google Security Operations API
# Scope.
credentials = service_account.Credentials.from_service_account_file(SERVICE_ACCOUNT_FILE, scopes=SCOPES)

# Build a requests Session Object to make authorized OAuth requests.
http_session = requests.AuthorizedSession(credentials)

# Your endpoint GET|POST|PATCH|etc. code will vary below

# Reference List example (for US region)
url = 'https://backstory.googleapis.com/v2/lists/COLDRIVER_SHA256'

# You might need another regional endpoint for your API call; see
# https://cloud.google.com/chronicle/docs/reference/ingestion-api#regional_endpoints

# requests GET example
response = http_session.request("GET", url)

# POST example uses json
body = {
  "foo": "bar"
}
response = http_session.request("POST", url, json=body)

# PATCH example uses params and json
params = {
  "foo": "bar"
}
response = http_session.request("PATCH", url, params=params, json=body)

# For more complete examples, see:
# https://github.com/chronicle/api-samples-python/

Chronicle API query limits

The Chronicle API enforces limits on the volume of requests that can be made by any one customer against the Google Security Operations platform. If you reach or exceed the query limit, the Chronicle API server returns HTTP 429 (RESOURCE_EXHAUSTED) to the caller. When developing applications for the Chronicle API, Google recommends that you enforce rate limits within your system to avoid resource exhaustion. These limits apply to all of the Chronicle APIs, including the Search, Forwarder Management, and Tooling APIs.

See the detailed list of the Chronicle API quotas.

The following limit for the Chronicle Forwarder Management API is being enforced and is measured in queries per second (QPS):

Chronicle API API Endpoint Limit
Forwarder Management Create Forwarder 1 QPS
Get Forwarder 1 QPS
List Forwarders 1 QPS
Update Forwarder 1 QPS
Delete Forwarder 1 QPS
Collector Management Create Collector 1 QPS
Get Collector 1 QPS
List Collectors 1 QPS
Update Collector 1 QPS
Delete Collector 1 QPS

Forwarder API reference

This section describes the endpoints for creating and managing forwarders. For endpoints for creating and managing collectors, see the Collector API reference.

Create Forwarder

Creates a new forwarder in the Google SecOps instance. The new forwarder will include any forwarder configuration values provided in the request body. Configuration values for collectors must be specified using Create Collector after using Create Forwarder.

For certain settings, configuration values that are missing or zero-valued in the request body are set to default values. For details about forwarder fields and values, see Forwarder configuration fields.

Request

POST https://backstory.googleapis.com/v2/forwarders

Request body
{
  "display_name": string,
  "config": {
    object (ForwarderConfig)
  }
}
Body parameters
Field Type Required Description
display_name string Required The name of the forwarder. This name is displayed in the Google SecOps interface.
config object Optional The configuration settings for this forwarder. See Forwarder configuration fields.
Request example

This example shows the required key:value pairs in a Create Forwarder request. If a field isn't specified in the request and has a default value, the default value is applied during forwarder creation. For details about default values, see Forwarder configuration fields.

POST https://backstory.googleapis.com/v2/forwarders
{
  "display_name": "chronicle_forwarder"
}

Response

If the request is successful, the response returns an HTTP status code of 200 (OK).

The response shows the configuration values applied during creation of the forwarder. Default configuration values are applied for certain settings during resource creation if those fields are missing or zero-valued in the request body. For details, see Forwarder configuration fields.

Response fields

In addition to the fields specified in the request and the fields for which default values are applied, the response includes the following generated and output-only fields.

Field Type Description
name string The resource ID of the forwarder. The format is "forwarders/forwarderID". For example:

forwarders/12ab3cd4-56ef-7ghi-j89k-1l23m4nopq56
state enum

Specifies the current state of the forwarder. Valid values are:

  • ACTIVE: The forwarder is allowed to upload data.
  • SUSPENDED: The forwarder is not allowed to upload data.

The default value is ACTIVE.

Response example

This is an example of the response returned for the request example above.

{
  "name": "forwarders/12ab3cd4-56ef-7abc-d89e-1f23a4bcde56",
  "displayName": "chronicle_forwarder",
  "config": {
    "uploadCompression": "false",
    "serverSettings": {
      "gracefulTimeout": 15,
      "drainTimeout": 10,
      "httpSettings": {
        "port": "8080",
        "host": "0.0.0.0",
        "readTimeout": "3",
        "readHeaderTimeout": "3",
        "writeTimeout": "3",
        "idleTimeout": "3"
        "routeSettings": {
          "availableStatusCode": "204",
          "readyStatusCode": "204",
          "unreadyStatusCode": "503"
        },
      },
    },
  },
  "state": "ACTIVE"
}

Get Forwarder

Returns a forwarder.

Request

GET https://backstory.googleapis.com/v2/forwarders/{forwarderID}

Request body

Don't include a request body.

Request example
GET https://backstory.googleapis.com/v2/forwarders/12ab3cd4-56ef-7abc-d89e-1f23a4bcde56
Response example
{
  "name": "forwarders/12ab3cd4-56ef-7abc-d89e-1f23a4bcde56",
  "displayName": "chronicle_forwarder",
  "config": {
    "uploadCompression": "false",
    "serverSettings": {
      "gracefulTimeout": 15,
      "drainTimeout": 10,
      "httpSettings": {
        "port": "8080",
        "host": "0.0.0.0",
        "readTimeout": "3",
        "readHeaderTimeout": "3",
        "writeTimeout": "3",
        "idleTimeout": "3"
        "routeSettings": {
          "availableStatusCode": "204",
          "readyStatusCode": "204",
          "unreadyStatusCode": "503"
        },
      },
    },
  },
  "state": "ACTIVE"
}

List Forwarders

Lists all of the forwarders for a Google SecOps instance.

Request

GET https://backstory.googleapis.com/v2/forwarders

Request example

GET https://backstory.googleapis.com/v2/forwarders

Response

Returns a list of forwarders.

Response example
{
  "forwarders": [
    {
      "name": "forwarders/12ab3cd4-56ef-7abc-d89e-1f23a4bcde56",
      "displayName": "chronicle_forwarder_1",
      "config": {
        "uploadCompression": "false",
        "serverSettings": {
          "gracefulTimeout": 15,
          ...
         },
      },
      "state": "ACTIVE"
    },
    {
      "name": "forwarders/12ab3cd4-56ef-7abc-d89e-1f23a4bcde57",
      "displayName": "chronicle_forwarder_2",
      "config": {
        "uploadCompression": "false",
        "serverSettings": {
          "gracefulTimeout": 15,
       ...
       },
      },
      "state": "ACTIVE"
    }
  ]
}

Update Forwarder

You can update a forwarder by using the updateMask URL query parameter to specify the fields to update.

For example, to update the display name, you would use the updateMask query parameter as follows in the patch request:

?updateMask=displayName

The request body should only contain the fields that you wish to update (in their exact locations).

Request

PATCH https://backstory.googleapis.com/v2/forwarders/{forwarderID}?updateMask=<field_1,field_2>
Request body
{
  "display_name": string,
  "config": {
    object (ForwarderConfig)
  },
}
Body parameters
Field Type Required Description
display_name string Required The name of the forwarder. This name is displayed in the Google SecOps interface.
config object Optional The configuration settings for this forwarder. See Forwarder configuration fields.
Request example

This is an example of an Update Forwarder request where the request specifies new values for displayName and adds a Metadata label.

PATCH https://backstory.googleapis.com/v2/forwarders/12ab3cd4-56ef-7abc-d89e-1f23a4bcde56?updateMask=displayName,config.metadata.labels
{
  "display_name": "UpdatedForwarder",
  "config": {
    "metadata": {
      "labels": [
        {
          "key": "office",
          "value": "corporate",
        }
      ]
    }
  }
}
Response example

This is an example of the response returned for the request example above.

{
  "name": "forwarders/{forwarderUUID}",
  "displayName": "UpdatedForwarder",
  "config": {
    "uploadCompression": "false",
    "metadata": {
      "labels": [
        {
          "key": "office",
          "value": "corporate"
        }
      ]
    }
  },
  "state": "ACTIVE"
}

Delete Forwarder

Deletes a forwarder.

Request

DELETE https://backstory.googleapis.com/v2/forwarders/{forwarderID}
Request body

Don't include a request body.

Request example
DELETE https://backstory.googleapis.com/v2/forwarders/12ab3cd4-56ef-7abc-d89e-1f23a4bcde56
Response example

If the operation is successful, Delete Forwarder returns an empty response with an HTTP status code 200 (OK).

{}

Generate Forwarder Files

Generates and returns the contents of the forwarder's configuration (.conf) and authentication (_auth.conf) files.

Request

GET https://backstory.googleapis.com/v2/forwarders/{forwarderID}:generateForwarderFiles
Request body

Don't include a request body.

Request example
GET https://backstory.googleapis.com/v2/forwarders/12ab3cd4-56ef-7abc-d89e-1f23a4bcde56:generateForwarderFiles
Response example

If the operation is successful, it returns an HTTP status code 200 (OK). It also returns the contents of a forwarder configuration file, including the configuration data for the forwarder's collectors, as well as the contents of the authentication (_auth.conf) file that is used by the forwarder to authenticate with the Google SecOps instance.

Forwarder configuration fields

The following table lists the forwarder configuration settings that you can specify using Create Forwarder and Update Forwarder. If you don't specify a value for a setting when you use Create Forwarder, the setting's default value (shown below) is applied.

The following fields can be provided in the config object of the request body.

Field Type Required Description
upload_compression bool Optional If true, batches of data are compressed before upload.

The default is false.
metadata.asset_namespace string Optional The namespace for identifying logs from this forwarder.

Note: This is a global setting that applies to the forwarder and the forwarder's collectors, unless it is overridden at the collector level. For more information, see Configure namespaces.
metadata.labels list Optional A list of arbitrary key:value pairs that can be specified in the forwarder configuration.

Note: This is a global setting that applies to the forwarder and the forwarder's collectors, unless it is overridden at the collector level.
metadata.labels.key string Optional The key for a field in the metadata labels list.
metadata.labels.value string Optional The value for a field in the metadata labels list.
regex_filters.description string Optional Describes what is being filtered and why.
regex_filters.regexp string Optional The regular expression used to match against each incoming line.
regex_filters.behavior enum Optional

Specifies the state of the server functionality. Valid values are:

  • ALLOW: This state allows the filtered line to be uploaded.
  • BLOCK: This state prevents the filtered line from being uploaded.
server_settings object Optional Settings that configure the forwarder's built-in HTTP server, which can be used to configure load balancing and high availability options for syslog collection on Linux.
server_settings.state enum Optional

Specifies the state of the server functionality. Valid values are:

  • ACTIVE: In this state, server settings are applied as specified.
  • SUSPENDED In this state, server settings are not applied.
server_settings.graceful_timeout integer Optional The number of seconds after which the forwarder returns a bad readiness/health check and still accepts new connections. This is also the time to wait between receiving a signal to stop and actually beginning the shutdown of the server itself. This allows the load balancer time to remove the forwarder from the pool.

The default value is 15.
server_settings.drain_timeout integer Optional The number of seconds after which the forwarder waits for active connections to successfully close on their own before being closed by the server.

The default value is 10.
server_settings.http_settings.port integer Optional The port number that the HTTP server listens on for health checks from the load balancer. Must be between 1024-65535.

The default is 8080.
server_settings.http_settings.host string Optional The IP address, or hostname that can be resolved to IP addresses, that the server should listen to.

The default value is 0.0.0.0 (the local system).
server_settings.http_settings.read_timeout integer Optional The maximum number of seconds allowed to read entire requests, which includes the header and the body.

The default value is 3.
server_settings.http_settings.read_header_timeout integer Optional The maximum number of seconds allowed to read request headers.

The default value is 3.
server_settings.http_settings.write_timeout integer Optional The maximum number of seconds allowed to send a response.

The default value is 3.
server_settings.http_settings.idle_timeout integer Optional The maximum number of seconds to wait for the next request when idle connections are enabled.

The default is 3.
server_settings.http_settings.route_settings.available_status_code integer Optional The status code returned when a liveness check is received and the forwarder is available.

The default is 204.
server_settings.http_settings.route_settings.ready_status_code integer Optional The status code returned when the forwarder is ready to accept traffic.

The default is 204.
server_settings.http_settings.route_settings.unready_status_code integer Optional The status code returned when the forwarder is not ready to accept traffic.

The default is 503.

Collector API reference

This section describes the endpoints for working with collectors.

When creating and updating collectors, note that each collector configuration can specify ingestion settings for one, but not more than one, of the following:

  • Log file data
  • Kafka topics
  • Packet data (pcap)
  • Splunk data
  • Syslog data

For endpoints for working with forwarders, see the Forwarder API reference.

Create Collector

Creates a new collector in the Google SecOps account. Configuration values for collectors must be specified using Create Collector after using Create Forwarder.

For certain settings, configuration values that are missing or zero-valued in the request body are set to default values. For details about collector configuration fields and values, see Collector configuration fields.

Request

POST https://backstory.googleapis.com/v2/forwarders/{forwarderID}/collectors
Request body
{
  "display_name": string,
  "config": {
    object (CollectorConfig)
  }
  "state": enum
}
Body parameters
Field Type Required Description
display_name string Required The name of the collector. This name is displayed in the Google SecOps interface.
config object Required The configuration settings for this collector. See Collector configuration fields.
state enum Optional

Specifies the current state of the collector. Valid values are:

  • ACTIVE: The collector is allowed to accept data.
  • SUSPENDED: The collector is not allowed to accept data.
Request example

This example shows the required key:value pairs in a Create Collector request. For any fields that aren't provided, default values are applied during collector creation.

In this example, the collector type is file, so the collector configuration includes file_settings to indicate the collector type and its settings. If the collector type is syslog, then the collector configuration includes syslog_settings. For more information, see Collector configuration fields.

POST https://backstory.googleapis.com/v2/forwarders/12ab3cd4-56ef-7abc-d89e-1f23a4bcde56/collectors
{
  "display_name": "abc_collector",
  "config" {
    "log_type": "CS_EDR"
    "file_settings": {
      "file_path": "/opt/chronicle/edr/output/sample.txt",
    }
  }
}

Response

If the request is successful, the response returns an HTTP status code of 200 (OK).

The response shows the configuration values applied during creation of the collector. Default configuration values are applied for certain settings during resource creation if those fields are missing or zero-valued in the request body. For details, see Collector configuration fields.

Response fields

In addition to the fields specified in the request and the fields for which default values are applied, the response includes the following fields:

Field Type Description
name string The resource ID of the collector. The format is "forwarders/{forwarderID}/collectors/{collectorID}". For example:

forwarders/12ab3cd4-56ef-7abc-d89e-1f23a4bcde56/collectors/98ab7cd6-54ef-3abc-d21e-1f23a4bcde56
Response example

This is an example of the response returned for the request example above.

{
  "name": "forwarders/12ab3cd4-56ef-7ghi-j89k-1l23m4nopq56/collectors/
     98ab7cd6-54ef-3abc-d21e-1f23a4bcde56",
  "displayName": "abc_collector",
  "config": {
    "logType": "tomcat",
    "maxSecondsPerBatch": "10",
    "maxBytesPerBatch": "1048576"
  }
}

Get Collector

Returns a collector.

Request

GET https://backstory.googleapis.com/v2/forwarders/{forwarderID}/collectors/{collectorID}
Request body

Don't include a request body.

Request example
GET
https://backstory.googleapis.com/v2/forwarders/12ab3cd4-56ef-7abc-d89e-1f23a4bcde56/collectors/98ab7cd6-54ef-3abc-d21e-1f23a4bcde56
Response example
{
  "name": "?",
  "displayName": "abc_collector",
  "config": {
    "logType": "tomcat",
    "maxSecondsPerBatch": "10",
    "maxBytesPerBatch": "1048576"
  }
}

List Collectors

Lists the existing collectors for the specified forwarder.

Request

GET https://backstory.googleapis.com/v2/forwarders/{forwarderID}/collectors
Request example
GET https://backstory.googleapis.com/v2/forwarders/12ab3cd4-56ef-7abc-d89e-1f23a4bcde56/collectors

Response

Returns multiple collectors.

Response example
{
  "collectors": [
    {
      "name": "?",
      "displayName": "abc_collector_1",
      "config": {
        "logType": "tomcat",
        "maxSecondsPerBatch": "10",
        "maxBytesPerBatch": "1048576"
      }
    },
    {
      "name": "?",
      "displayName": "abc_collector_2",
      "config": {
        "logType": "tomcat",
        "maxSecondsPerBatch": "10",
        "maxBytesPerBatch": "1048576"
      }
    }
  ]
}

Update Collector

When updating a collector with the API, you can choose to overwrite the entire collector configuration or to overwrite only specific fields of the collector configuration. It is usually best to overwrite specific fields, so you avoid accidentally overwriting all of your data. To overwrite specific fields, supply a FieldMask to your update request.

To supply a FieldMask to update the display name for a collector, supply the updateMask URL query parameter in the patch request. For example:

?updateMask=displayName

The request body should only contain the fields that you wish to update (in their exact locations).

Request

PATCH https://backstory.googleapis.com/v2/forwarders/{forwarderID}/collectors/{collectorID}?updateMask=<field_1,field_2>
Request body
{
  "display_name": string,
  "config": {
    object (CollectorConfig)
  },
}
Body parameters
Field Type Required Description
displayName string Required The name of the collector. This name is displayed in the Google SecOps interface.
config object Optional The configuration settings for this forwarder. See Collector configuration fields.
Request example

This is an example of an Update Collector request where the request specifies new values for displayName, logType, assetNamespace, and protocol.

PATCH https://backstory.googleapis.com/v2/forwarders/12ab3cd4-56ef-7abc-d89e-1f23a4bcde56/collectors/98ab7cd6-54ef-3abc-d21e-1f23a4bcde56?updateMask=displayName,config.logType,config.metadata.assetNamespace,config.syslogSettings.protocol
{
  "display_name": "UpdatedCollector"
  "config": {
    "metadata": {
      "asset_namespace": "COLLECTOR",
      },
      "log_type": "CISCO_ASA_FIREWALL",
      "syslog_settings": {
        "protocol": "TCP",
      }
    }
  }
Response example

This is an example of the response returned for the request example above.

{
  "name": "forwarders/12ab3cd4-56ef-7abc-d89e-1f23a4bcde56/collectors/98ab7cd6-54ef-3abc-d21e-1f23a4bcde56",
  "displayName": "UpdatedCollector",
  "config": {
    "logType": "CISCO_ASA_FIREWALL",
    "metadata": {
      "assetNamespace": "COLLECTOR"
    },
    "maxSecondsPerBatch": 10,
    "maxBytesPerBatch": "1048576",
    "syslogSettings": {
      "protocol": "TCP",
      "address": "0.0.0.0",
      "port": 10514,
    }
  },
  "state": "ACTIVE"
}

Delete Collector

Deletes a collector.

Request

DELETE https://backstory.googleapis.com/v2/forwarders/{forwarderID}/collectors/{collectorID}
Request body

Don't include a request body.

Request example
DELETE https://backstory.googleapis.com/v2/forwarders/12ab3cd4-56ef-7abc-d89e-1f23a4bcde56/collectors/98ab7cd6-54ef-3abc-d21e-1f23a4bcde56
Response example

If the operation is successful, Delete Collector returns an empty response with an HTTP status code 200 (OK).

{}

Collector configuration fields

The following fields can be provided in the config object of the request body.

Field Type Required Description
log_type string Required A supported log type (one that can be ingested by Google SecOps). For a list of supported log types for which Google SecOps has a parser, see the the Ingestion Label column on the Supported default parsers page. To get a complete list of supported log types, use the logtypes endpoint.
metadata.asset_namespace object Optional The namespace for identifying logs from this collector.

Note: This is a global setting that applies to the forwarder and the forwarder's collectors, unless it is overridden at the collector level. For more information, see Configure namespaces.
metadata.labels list Optional A list of arbitrary key:value pairs that can be specified in the collector configuration.

Note: This is a global setting that applies to the forwarder and the forwarder's collectors, unless it is overridden at the collector level.
metadata.labels.key string Optional The key for a field in the metadata labels list.
metadata.labels.value string Optional The value for a field in the metadata labels list.
regex_filters.description string Optional Describes what is being filtered and why.
regex_filters.regexp string Optional The regular expression used to match against each incoming line.
regex_filters.behavior enum Optional

Specifies the state of the server functionality. Valid values are:

  • ALLOW: This state allows the filtered line to be uploaded.
  • BLOCK: This state prevents the filtered line from being uploaded.
disk_buffer.state enum Optional

Specifies the disk buffering state for the collector. Valid values are:

  • ACTIVE: Buffering is enabled.
  • SUSPENDED: Buffering is disabled.
disk_buffer.directory_path string Optional The directory path for files written.
disk_buffer.max_file_buffer_bytes integer Optional The maximum buffered file size.
max_seconds_per_batch integer Optional The number of seconds between batches.

The default is 10.
max_bytes_per_batch integer Optional The number of bytes queued before forwarder batch upload.

The default is 1048576.
<collector_type>_settings.<fields> Required Specifies a collector type and its settings. Every collector must specify one collector type and its fields. For example, to use the file collector type, the file_settings.file_path field must be added to the configuration and given a value. For example:

"file_settings": {
  "file_path": "/opt/chronicle/edr/output/sample.txt",
}


The collector types and their fields are listed in the subsequent rows of this table. The available collector types are:
  • file
  • kafka
  • pcap
  • splunk
  • syslog
file_settings.file_path string Optional The path of the file to monitor.
kafka_settings.authentication.username string Optional The username of an identity used for authentication.
kafka_settings.authentication.password string Optional The password of the account identified by the username.
kafka_settings.topic string Optional The Kafka topic from which to ingest data. For details, see Collect data from Kafka topics.
kafka_settings.group_id string Optional A group ID.
kafka_settings.timeout integer Optional The maximum number of seconds a dial will wait for a connect to complete.

The default is 60.
kafka_settings.brokers string Optional A repeated string listing Kafka brokers. For example:

"broker-1:9092", "broker-2:9093"

Note: All values are replaced during an update operation. Therefore, to update a list of brokers to add a new broker, specify all existing brokers and the new broker.
kafka_settings.tls_settings.certificate string Optional The path and certificate filename. For example:

/path/to/cert.pem
kafka_settings.tls_settings.certificate_key string Optional The path and certificate key filename. For example:

/path/to/cert.key
kafka_settings.tls_settings.minimum_tls_version string Optional The minimum TLS version.
kafka_settings.tls_settings.insecure_skip_verify bool Optional If true, enables SSL certification verification.

The default is false.
pcap_settings.network_interface string Optional The interface to listen to for PCAP data.
pcap_settings.bpf string Optional The Berkeley Packet Filter (BPF) for pcap.
splunk_settings.authentication.username string Optional The username of an identity used for authentication.
splunk_settings.authentication.password string Optional The password of the account identified by the username.
splunk_settings.host string Optional The host or IP address for the Splunk REST API.
splunk_settings.port integer Optional The port for the Splunk REST API.
splunk_settings.minimum_window_size integer Optional The minimum time range in seconds for a given Splunk search. For details, see Collect Splunk data.

The default is 10.
splunk_settings.maximum_window_size integer Optional The maximum time range in seconds for a given Splunk search. For details, see Collect Splunk data.

The default is 30.
splunk_settings.query_string string Optional The query used to filter records within Splunk.

For example: search index=* sourcetype=dns
splunk_settings.query_mode string Optional The query mode for Splunk.

For example: realtime
splunk_settings.cert_ignored bool Optional If true, the certificate is ignored.
syslog_settings.protocol enum Optional

Specifies the protocol the collector will use to listen for syslog data. Valid values are:

  • TCP
  • UDP
syslog_settings.address string Optional The target IP address or hostname where the collector resides and listens for syslog data.
syslog_settings.port integer Optional The target port where the collector resides and listens for syslog data.
syslog_settings.buffer_size integer Optional The size in bytes of the TCP socket's buffer.

The default for TCP is 65536.
The default for UDP is 8192.
syslog_settings.connecton_timeout integer Optional The number of seconds of inactivity after which the TCP connection is dropped.

The default is 60.
syslog_settings.tls_settings.certificate string Optional The path and certificate filename. For example:

/path/to/cert.pem
syslog_settings.tls_settings.certificate_key string Optional The path and certificate key filename. For example:

/path/to/cert.key
syslog_settings.tls_settings.minimum_tls_version string Optional The minimum TLS version.
syslog_settings.tls_settings.insecure_skip_verify bool Optional If true, enables SSL certification verification.

The default is false.