# Please don't modify this file as your changes might be overwritten with
# the next update.
#
# You can modify 'local.d/elastic.conf' to add and merge
# parameters defined inside this section
#
# You can modify 'override.d/elastic.conf' to strictly override all
# parameters defined inside this section
#
# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories
# for details
#
# Module documentation can be found at https://rspamd.com/doc/modules/elastic.html
# Defaults for the elastic module. Per the header above, put site changes in
# local.d/elastic.conf (merged) or override.d/elastic.conf (strict override);
# the .include lines at the end of this section wire those files in.
elastic {
enabled = false;
# Endpoint and credentials. If you set user/password, do it in local.d or
# override.d and keep that file readable only by the rspamd user: the values
# are stored in plaintext.
# server = "localhost:9200";
# user = "";
# password = "";
# false means plain HTTP: credentials (if configured) and the exported log
# data are unencrypted in transit. Enable when the server is not local.
use_https = false;
periodic_interval = 5.0;
timeout = 5.0;
# Keep false. Setting true disables TLS certificate verification, which
# removes the protection HTTPS gives against a spoofed server; fix the CA
# chain instead of turning this on.
no_ssl_verify = false;
use_gzip = true;
use_keepalive = true;
version = {
autodetect_enabled = true;
autodetect_max_fail = 30; # presumably the number of failed detection attempts tolerated — confirm in module docs
# override works only if autodetect is disabled
override = {
name = "opensearch";
version = "2.17";
}
};
limits = {
max_rows = 500; # max logs in one bulk req to elastic and first reason to flush buffer to elastic
max_interval = 60; # seconds, if first log in buffer older than interval - flush buffer
max_fail = 10;
};
index_template = {
managed = true;
name = "rspamd";
priority = 0;
pattern = "%Y.%m.%d"; # presumably a strftime-style date suffix for the index name — confirm in module docs
shards_count = 3;
replicas_count = 1;
refresh_interval = 5; # seconds
# These caps bound how much untrusted header content from a single message is
# indexed; raising them increases storage per message.
dynamic_keyword_ignore_above = 256;
headers_count_ignore_above = 5; # record only N first same named headers, add "ignored above..." if reached, set 0 to disable limit
headers_text_ignore_above = 2048; # strip specific header value and add "..." to the end; set 0 to disable limit
symbols_nested = false;
empty_value = "unknown"; # empty numbers, ips and ipnets are not customizable, they will always be 0, :: and ::/128 respectively
};
index_policy = {
enabled = true;
managed = true;
name = "rspamd"; # if you want to use a custom lifecycle policy, change name and set managed = false
hot = {
index_priority = 100;
};
warm = {
enabled = true;
after = "2d";
index_priority = 50;
migrate = true; # only supported with elastic distro, has no effect elsewhere
read_only = true;
change_replicas = false;
replicas_count = 1;
shrink = false;
shards_count = 1;
max_gb_per_shard = 0; # zero - disabled by default, if enabled - shards_count is ignored
force_merge = false;
segments_count = 1;
};
cold = {
enabled = true;
after = "14d";
index_priority = 0;
migrate = true; # only supported with elastic distro, has no effect elsewhere
read_only = true;
change_replicas = false;
replicas_count = 1;
};
# Retention: indices are removed after this age. Choose it to match your
# log-retention requirements.
delete = {
enabled = true;
after = "30d";
};
};
# Message headers exported to the index. Header values are sender-controlled
# input; the *_ignore_above limits above bound what is stored per header.
collect_headers = [
"From";
"To";
"Subject";
"Date";
"User-Agent";
];
# extra headers to collect, e.g.:
# "Precedence";
# "List-Id";
extra_collect_headers = [];
geoip = {
enabled = true;
managed = true;
pipeline_name = "rspamd-geoip";
};
# Include order by priority: local.d (priority=1) is merged into these
# defaults, override.d (priority=10) replaces matching keys outright.
.include(try=true,priority=5) "${DBDIR}/dynamic/elastic.conf"
.include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/elastic.conf"
.include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/elastic.conf"
}