This collector enable to ingest multiple files by watching a directory. This collector can be configured to search for PCAP files or DNSTAP files. Make sure the PCAP is complete before moving the file to the directory so that file data is not truncated.
If you are in PCAP mode, the collector search for files with the .pcap extension.
If you are in DNSTap mode, the collector search for files with the .fstrm extension.
For config examples, take a look to the following links:
Options:
-
watch-dir(str)Specifies the directory where pcap files are monitored for ingestion.
-
watch-mode(str)Watch the directory pcap or dnstap file.
*.pcapextension or dnstap stream with*.fstrmextension are expected. -
pcap-dns-port(int)Expects a source or destination port number use for DNS communication.
-
delete-after:(boolean)Determines whether the pcap file should be deleted after ingestion.
-
chan-buffer-size(int)Specifies the maximum number of packets that can be buffered before discard additional packets. Set to zero to use the default global value.
Defaults:
- name: ingest
file-ingestor:
watch-dir: /tmp
watch-mode: pcap
pcap-dns-port: 53
delete-after: false
chan-buffer-size: 0