Configuration

Threat Bus uses a configuration file that contains both global and plugin-specific settings. This section discusses the general layout of the file and options you can configure.

Config File

Threat Bus' configuration file is formatted in YAML and requires two sections, logging and plugins. The following example explains the general structure.

logging:
  console: true
  console_verbosity: DEBUG
  file: false
  file_verbosity: DEBUG
  filename: threatbus.log
plugins:
  backbones:
    inmem:
  apps:
    zeek:
      host: "127.0.0.1"
      port: 47761
      module_namespace: Tenzir

Logging Configuration

Logging is configured globally. The main application forwards the logging settings to all installed plugins. Logging is supported via colored console logs and via file. File and console logging can be configured independently.

Plugin Configuration

The plugins section contains all plugin-specific configuration settings. The section differentiates between backbones and apps, depending on the plugin type.

Plugin configuration is managed via the plugin name. For example, the plugin threatbus-zeek has the name zeek and is an app plugin. Thus it is configured in a section called zeek, below the apps section in the config.

The options that can be configured per plugin are defined by the plugin itself. Check the plugin documentation for details on the individual plugins.

Disabling of Installed Plugins

Threat Bus automatically becomes aware of all plugins that are installed on the same host system or virtual environment. However, plugins must have a non-empty section in the config.yaml to get loaded. You can "disable" any installed plugin simply by not putting it into the config file.
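The following pre-flight check is an added example, not part of Threat Bus itself. It applies the rules from the sections above to an already-parsed config (the mapping a YAML parser returns) and reports which installed plugins have a non-empty section, which have an empty one, which are left out, and which configured names match no installed plugin. The function name, the shape of the installed-plugin list, the sample values, and the treatment of a key without a value as "empty" are assumptions.

```python
# Added example: checks a parsed Threat Bus config against the rules on this page.
# Not the project's loader; "empty" handling is a literal reading of the page's rule.
REQUIRED_SECTIONS = ("logging", "plugins")
PLUGIN_TYPES = ("backbones", "apps")


def check_config(config, installed):
    """config: parsed YAML mapping; installed: {"backbones": [...], "apps": [...]}."""
    report = {"errors": [], "configured": [], "empty": [], "absent": [], "unknown": []}
    for name in REQUIRED_SECTIONS:
        if not isinstance(config.get(name), dict):
            report["errors"].append(f"missing required section: {name}")
    plugins = config.get("plugins")
    if not isinstance(plugins, dict):
        plugins = {}
    for ptype in PLUGIN_TYPES:
        section = plugins.get(ptype)
        if not isinstance(section, dict):
            section = {}
        known = installed.get(ptype, [])
        for name in known:
            label = f"{ptype}.{name}"
            if name not in section:
                report["absent"].append(label)      # left out: disabled
            elif section[name]:
                report["configured"].append(label)  # non-empty section
            else:
                report["empty"].append(label)       # key present, no settings
        # A section that matches no installed plugin is often a typo.
        report["unknown"] += [f"{ptype}.{n}" for n in section if n not in known]
    return report


# Constructed sample input (not from a real deployment).
SAMPLE_CONFIG = {
    "logging": {"console": True, "console_verbosity": "DEBUG", "file": False,
                "file_verbosity": "DEBUG", "filename": "threatbus.log"},
    "plugins": {
        "backbones": {"inmem": None},
        "apps": {
            "zeek": {"host": "127.0.0.1", "port": 47761, "module_namespace": "Tenzir"},
            "zeke": {"host": "127.0.0.1"},  # misspelled plugin name
        },
    },
}
SAMPLE_INSTALLED = {"backbones": ["inmem"], "apps": ["zeek", "misp"]}

if __name__ == "__main__":
    for key, values in check_config(SAMPLE_CONFIG, SAMPLE_INSTALLED).items():
        print(f"{key}: {values}")
```

Entries reported as empty or unknown are the ones to review by hand, since they are where the operator's intent and the config file are most likely to disagree.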