msys.dp_config.audit_series.messages

March 26, 2020

This configuration table limits the message rate.

The following sample excerpt is included in the dp_config.lua file.

msys.dp_config.audit_series.messages = {
  type = "cidr",
  interval = 900,
  buckets = 4,
  thresholds = {
    { check = true,
      key = "/32",
      startv = 0,
      endv = 3,
      threshold = 200,
      honor_whitelist = { "global" } },
    { check = true,
      key = "/24",
      startv = 0,
      endv = 3,
      threshold = 2000,
      honor_whitelist = { "global" } }
  },
  options = {
    persist = true
  }
};

The elements of this configuration table are as follows:

type

Legal values for this element are cidr and, as of version 3.4, cidr_ipv6.

interval

The time interval to examine, measured in seconds. A reasonable value might be 900.

buckets

A bucket is a window of time of the length defined by "interval". A reasonable value might be 4.

thresholds

Defines the different threshold maximums. thresholds is a nested table within this configuration option. The following list defines the attributes of the individual thresholds.

check

Whether or not to use this configuration item.

key

The CIDR mask length for the threshold (the leading forward slash is required).

startv

The starting bucket (0 is the current bucket) to query across.

endv

The ending bucket.

threshold

The threshold that triggers the associated action. In this case, a 421 code is issued along with the message "message rate limit exceeded".

honor_whitelist

A table listing any applicable whitelists set in the msys.dp_config.whitelist table.

options

This item is a table with the following possible keys:

serialize

Write audit series to log. The value may be true or false; false is the default.

When true, the log will be written to the directory defined by the serialize_dir option in the inbound_audit module. The default value for this option is /var/log/ecelerity/audit_series_persist.

replicate

Defaults to none, but can be set to cluster to send to all nodes, or to manager to send only to cluster manager nodes. This requires explicit configuration in the cluster stanza to operate correctly. For more information see Data Replication.

persist

When set to true, the audit series will be persisted. The persisted series will be reloaded when the engine restarts. The default value is false.
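
The following added example (not part of the original page and not Momentum's own code) models how the two sample thresholds combine over bucketed counts. It assumes messages are counted per network in interval-long buckets, that buckets startv through endv are summed, and that the action fires when the sum is greater than threshold; cidr_key, record and exceeded are hypothetical helpers and the traffic is constructed.

```lua
-- Simplified model (assumption), not Momentum's implementation.
local cfg = { interval = 900, buckets = 4, thresholds = {  -- sample excerpt values
  { check = true, key = "/32", startv = 0, endv = 3, threshold = 200 },
  { check = true, key = "/24", startv = 0, endv = 3, threshold = 2000 },
} }
local counts = {}  -- counts[network][bucket index] = messages seen

-- Reduce a dotted-quad IPv4 address to its network for a key such as "/24".
local function cidr_key(ip, key)
  local a, b, c, d = ip:match("^(%d+)%.(%d+)%.(%d+)%.(%d+)$")
  local n = ((tonumber(a) * 256 + tonumber(b)) * 256 + tonumber(c)) * 256 + tonumber(d)
  n = n - n % 2 ^ (32 - tonumber(key:sub(2)))
  return string.format("%d.%d.%d.%d%s", math.floor(n / 2 ^ 24),
    math.floor(n / 2 ^ 16) % 256, math.floor(n / 2 ^ 8) % 256, n % 256, key)
end

-- Count one message in the current bucket of every configured network size.
local function record(ip, now)
  local cur = math.floor(now / cfg.interval)
  for _, t in ipairs(cfg.thresholds) do
    local k = cidr_key(ip, t.key)
    counts[k] = counts[k] or {}
    counts[k][cur] = (counts[k][cur] or 0) + 1
    counts[k][cur - cfg.buckets] = nil  -- drop the bucket that aged out
  end
end

-- Sum buckets startv..endv (0 = current); return the first key over threshold.
local function exceeded(ip, now)
  local cur = math.floor(now / cfg.interval)
  for _, t in ipairs(cfg.thresholds) do
    local series, total = counts[cidr_key(ip, t.key)] or {}, 0
    for i = t.startv, t.endv do total = total + (series[cur - i] or 0) end
    if t.check and total > t.threshold then return t.key, total end
  end
end

-- Constructed traffic: 20 hosts in 192.0.2.0/24, one message per host every 20 s.
for round = 1, 150 do
  for host = 1, 20 do
    local ip, now = "192.0.2." .. host, round * 20
    record(ip, now)
    local key, total = exceeded(ip, now)
    if key then
      print(("%s exceeds %s at t=%ds: %d messages in window"):format(ip, key, now, total))
      return
    end
  end
end
```

In this run every host stays below the /32 threshold of 200, yet the /24 threshold trips once the block as a whole passes 2000 messages within the four buckets, which is the case the wider key exists to catch.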