Server Settings

LogZilla documentation for Server Settings

LogZilla uses a modern YAML-based configuration system that provides advanced settings not available through the web interface. These backend settings control core system behavior, performance parameters, and security features.

Warning: Changing these settings may cause system instability or data loss. Exercise extreme caution and test changes in a non-production environment first.

Modern Configuration System

LogZilla stores configuration in YAML files located in /etc/logzilla/settings/. Each file corresponds to a specific configuration group (e.g., smtp.yaml, ldap.yaml, generic.yaml).

Configuration Management

Use the logzilla settings command to manage configuration:

```bash
# List all available settings
logzilla settings list

# List settings for a specific group
logzilla settings list ldap

# Update a setting value
logzilla settings update SETTING_NAME=new_value

# Update multiple settings at once
logzilla settings update SMTP_SERVER=mail.company.com SMTP_PORT=587

# Manage multiple instances (e.g., secondary LDAP server)
logzilla settings update --id 1 LDAP_ENABLED=true
```

Direct File Editing

Advanced users with root access can edit YAML files directly:

```bash
# Navigate to settings directory
cd /etc/logzilla/settings/

# Edit a configuration file
vim smtp.yaml
```

Applying Changes

After making configuration changes, apply them using one of these methods:

Method 1: Automatic Application (Recommended)

The logzilla settings update command automatically applies changes to compatible modules.

Method 2: Manual Reload (After Direct Edits)

If editing YAML files directly, notify the system of changes:

```bash
# Reload a specific configuration group
logzilla settings reload smtp
logzilla settings reload ldap
```

Method 3: Container Restart (When Required)

Some settings require container restarts to take effect:

```bash
# Restart specific containers
docker restart lz_gunicorn_1 lz_celeryworker_1 lz_celerybeat_1

# Or restart all LogZilla services
logzilla restart
```

Note: API and Celery containers typically require restart for changes to take effect, while core processing modules support live reloading for most settings.

Configuration Files and Settings

The following sections organize settings by their configuration files in /etc/logzilla/settings/:

Generic Settings (generic.yaml)

| Setting | Description | Default | Range |
|---|---|---|---|
| SEARCH_DEFAULT_LIMIT | Default max results limit for search queries | 1000 | Integer |
| FREE_DISK_SPACE_SOFT_LIMIT_GB | Warning threshold for free disk space | 10 | Integer (GB) |
| FREE_DISK_SPACE_HARD_LIMIT_GB | Critical threshold for free disk space | 2 | Integer (GB) |
| EXTERNAL_BASE_URL | External URL of the LogZilla instance | null | Valid URL |
| TIME_ZONE | Server timezone | UTC | Timezone string |
| RBAC_ENABLED | Enable Role Based Access Control | true | true, false |
| TASKS_ENABLED | Enable Tasks feature | true | true, false |
| AIR_GAPPED | Disable external service communication | false | true, false |
| PRUNE_DOCKER_IMAGES | Remove old Docker images during upgrades | true | true, false |
| SHOW_ADVANCED_SETTINGS | Show advanced settings in UI | false | true, false |

Search Settings (sphinx.yaml)

| Setting | Description | Default | Range |
|---|---|---|---|
| SPHINX_MIN_WORD_LENGTH | Minimum word length to index | - | Integer |
| SPHINX_MIN_PREFIX_LENGTH | Minimum prefix length to index | - | Integer |
| SPHINX_MIN_INFIX_LENGTH | Minimum infix length to index | - | Integer |
| SPHINX_MAX_DOCUMENTS_PER_INDEX | Max documents per index | - | Integer |
| SPHINX_MAX_INDEXING_TIME | Max indexing time per chunk (seconds) | - | Integer |
| SPHINX_MIN_INDEX_LEN | Min events per indexing batch | - | Integer |
| SPHINX_REINDEX_PROC_MAX | Max concurrent indexing processes | - | Integer |
| SPHINX_MERGING_PROC_MAX | Max concurrent merging processes | - | Integer |
| SPHINX_REINDEX_DELAY | Delay between reindexing (seconds) | - | Integer |
| SPHINX_MAX_MATCHES | Maximum matches per query | - | Integer |
| SPHINX_MYSQL_PORT | Sphinx MySQL port (0 to disable) | - | Integer |
| SPHINX_HTTP_PORT | Sphinx HTTP port (0 to disable) | - | Integer |
| SPHINX_REALTIME_MODE | Enable realtime mode (experimental) | - | true, false |

Trigger Settings (triggers.yaml)

| Setting | Description | Default | Range |
|---|---|---|---|
| TRIGGERS_ENABLED | Enable or disable triggers | true | true, false |
| SEND_MAIL_PERIOD | Email resend interval (seconds) | 60 | Integer |
| SEND_WEBHOOK_PERIOD | Webhook resend interval (seconds, 0=always) | 0 | Integer |
| EXEC_SCRIPT_PERIOD | Script rerun interval (seconds) | 60 | Integer |

SMTP Settings (smtp.yaml)

| Setting | Description | Default | Range |
|---|---|---|---|
| MAIL_SENDER | Email address used as sender | logzilla@localhost | Email address |
| SMTP_SERVER | SMTP server address | localhost | Hostname/IP |
| SMTP_PORT | SMTP server port | 25 | Integer |
| SMTP_AUTH_REQUIRED | Enable SMTP authentication | false | true, false |
| SMTP_USER | SMTP username for authentication | (empty) | String |
| SMTP_PASS | SMTP password for authentication | (empty) | String |
| SMTP_CRYPT | Encryption method | NONE | TLS, SSL, NONE |
| SMTP_TIMEOUT | Connection timeout (seconds) | 30 | Integer |

Syslog Settings (syslogng.yaml)

| Setting | Description | Default | Range |
|---|---|---|---|
| SYSLOG_BSD_TCP_PORT | TCP port for BSD syslog (0 to disable) | 514 | Integer |
| SYSLOG_BSD_UDP_PORT | UDP port for BSD syslog (0 to disable) | 514 | Integer |
| SYSLOG_RFC5424_PORT | Port for RFC5424 syslog (0 to disable) | 601 | Integer |
| SYSLOG_JSON_PORT | Port for JSON syslog (0 to disable) | 515 | Integer |
| SYSLOG_RAW_PORT | Port for RAW TCP events (0 to disable) | 516 | Integer |
| SYSLOG_RAW_UDP_PORT | Port for RAW UDP events (0 to disable) | 516 | Integer |
| SYSLOG_VMWARE_PORT | TCP port for VMware events (0 to disable) | 1514 | Integer |
| SYSLOG_VMWARE_UDP_PORT | UDP port for VMware events (0 to disable) | 1514 | Integer |
| SYSLOG_TLS_PORT | Port for TLS syslog (0 to disable) | 6514 | Integer |
| SYSLOG_TLS_CERT_FILE | Path to TLS certificate file | /etc/logzilla/nginx/server.crt | File path |
| SYSLOG_TLS_KEY_FILE | Path to TLS key file | /etc/logzilla/nginx/server.key | File path |
| SYSLOG_MAX_CONNECTIONS | Maximum concurrent TCP connections | 500 | Integer |
| SYSLOG_FLOW_CONTROL | Enable flow control | true | true, false |
| SYSLOG_DISK_BUFFER | Enable disk buffer | false | true, false |
| SYSLOG_BUFFER_RELIABLE | Enable reliable disk buffer | false | true, false |
| SYSLOG_MEMORY_BUFFER_SIZE_MB | Memory buffer size (MB) | 4 | Integer |
| SYSLOG_MEMORY_BUFFER_LENGTH | Memory buffer length (messages) | 50000 | Integer |
| SYSLOG_DISK_BUFFER_SIZE_MB | Disk buffer size (MB) | 1 | Integer |
| SYSLOG_DESTINATION_WORKERS | Number of destination workers | 2 | Integer |
| SYSLOG_DESTINATION_BATCH_LINES | Lines per batch | 10000 | Integer |
| SYSLOG_DESTINATION_BATCH_TIMEOUT | Batch timeout (milliseconds) | 500 | Integer |
| SYSLOG_DEBUG | Enable debug logging (TSV format) | false | true, false |
| SYSLOG_DEBUG_JSON | Enable debug logging (JSON format) | false | true, false |
| PCI_COMPLIANT_LOGS | Enable PCI compliant logging | false | true, false |
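The generic, SMTP and syslog tables above contain the settings with the most direct security impact (RBAC, SMTP credentials and encryption, TLS syslog input, debug logging). The following read-only audit script is an added example, not part of LogZilla; it assumes each file under the settings directory is a flat YAML mapping of `SETTING: value` lines (the page does not show the file layout) and that an absent key takes the documented default. Nested YAML and inline comments are not handled. Point it at a copy of the directory to rehearse without touching production.

```sh
#!/bin/sh
# Added example; not part of LogZilla. Read-only audit of the security-relevant
# settings in generic.yaml, smtp.yaml and syslogng.yaml.
# Assumptions (the page does not show the file layout): each file is a flat
# YAML mapping of `SETTING: value` lines, and a key that is absent takes the
# documented default. Nested YAML and inline comments are not handled.

# Print the value of KEY from FILE, or DEFAULT when FILE or KEY is missing.
lz_setting() {  # lz_setting FILE KEY DEFAULT
    v=""
    [ -f "$1" ] && v=$(sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1)
    v=${v%\"}; v=${v#\"}; v=${v%\'}; v=${v#\'}   # strip optional quotes
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# Accept the booleans as the tables spell them ("true" and "True").
lz_is_true() { case "$1" in [Tt][Rr][Uu][Ee]) return 0 ;; *) return 1 ;; esac; }

# Audit DIR (default: the live settings directory). Prints one finding per
# line and returns the number of findings, so 0 means nothing to report.
lz_audit_settings() {
    dir="${1:-/etc/logzilla/settings}"
    gen="$dir/generic.yaml"; smtp="$dir/smtp.yaml"; sys="$dir/syslogng.yaml"
    findings=0

    # Role based access control switched off.
    if ! lz_is_true "$(lz_setting "$gen" RBAC_ENABLED true)"; then
        echo "generic: RBAC_ENABLED=false - role based access control is disabled"
        findings=$((findings + 1))
    fi

    # SMTP credentials configured but the session is unencrypted.
    if lz_is_true "$(lz_setting "$smtp" SMTP_AUTH_REQUIRED false)" \
       && [ "$(lz_setting "$smtp" SMTP_CRYPT NONE)" = NONE ]; then
        echo "smtp: SMTP_AUTH_REQUIRED=true with SMTP_CRYPT=NONE - SMTP_USER/SMTP_PASS sent over an unencrypted connection"
        findings=$((findings + 1))
    fi

    # TLS syslog input: either disabled, or enabled with unreadable key material.
    if [ "$(lz_setting "$sys" SYSLOG_TLS_PORT 6514)" = 0 ]; then
        echo "syslogng: SYSLOG_TLS_PORT=0 - TLS syslog input is disabled"
        findings=$((findings + 1))
    else
        for f in "$(lz_setting "$sys" SYSLOG_TLS_CERT_FILE /etc/logzilla/nginx/server.crt)" \
                 "$(lz_setting "$sys" SYSLOG_TLS_KEY_FILE /etc/logzilla/nginx/server.key)"; do
            if [ ! -r "$f" ]; then
                echo "syslogng: TLS file not readable: $f"
                findings=$((findings + 1))
            fi
        done
    fi

    # Debug event logging left on outside troubleshooting.
    for k in SYSLOG_DEBUG SYSLOG_DEBUG_JSON; do
        if lz_is_true "$(lz_setting "$sys" "$k" false)"; then
            echo "syslogng: $k=true - debug event logging is enabled"
            findings=$((findings + 1))
        fi
    done

    # Informational only (not counted): which non-TLS inputs are listening.
    open=""
    for k in SYSLOG_BSD_TCP_PORT:514 SYSLOG_BSD_UDP_PORT:514 SYSLOG_RFC5424_PORT:601 \
             SYSLOG_JSON_PORT:515 SYSLOG_RAW_PORT:516 SYSLOG_RAW_UDP_PORT:516 \
             SYSLOG_VMWARE_PORT:1514 SYSLOG_VMWARE_UDP_PORT:1514; do
        p=$(lz_setting "$sys" "${k%%:*}" "${k#*:}")
        [ "$p" = 0 ] || open="$open ${k%%:*}=$p"
    done
    [ -z "$open" ] || echo "info: non-TLS syslog inputs listening:$open"

    return "$findings"
}

# Usage: sh lz_audit.sh [/path/to/settings-copy]
if [ $# -gt 0 ]; then lz_audit_settings "$1"; fi
```

Because the exit status is the finding count, the script slots into a cron job or CI check as-is: a non-zero status means a weak setting was found, and the lines on stdout say which one and in which file.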

SNMP Trap Settings (snmptrapd.yaml)

| Setting | Description | Default | Range |
|---|---|---|---|
| SNMPTRAPD_ENABLED | Enable SNMP trap daemon module | False | True, False |
| SNMPTRAPD_FORMAT | Message field format (see snmptrapd(8)) | See below | - |
| SNMPTRAPD_PROGRAM | Program field value for SNMP trap events | SNMPTrap | - |
| SNMPTRAPD_FACILITY | Facility field value for SNMP trap events | LOCAL0 | - |
| SNMPTRAPD_SEVERITY | Severity field value for SNMP trap events | INFO | - |
| SNMPTRAPD_PORT | SNMP trap daemon port | 162 | - |

Additional Configuration Files

Other important configuration files include:

  • storage.yaml: Event storage, deduplication, and archiving settings
  • parser.yaml: Message parsing engine configuration
  • logger.yaml: Logging levels for different components
  • forwarder.yaml: Event forwarding to external systems
  • sec.yaml: Simple Event Correlator (SEC) integration
  • front.yaml: Nginx frontend proxy configuration (HTTP/HTTPS ports)
  • ldap.yaml: LDAP/Active Directory integration (supports multiple instances)
  • ai.yaml: AI/ML feature settings
  • httpreceiver.yaml: HTTP event receiver configuration
  • influxdb.yaml: InfluxDB integration settings
  • django_login.yaml: Django authentication settings
  • license.yaml: License configuration
  • secrets.yaml: Sensitive configuration data

Configuration Management Best Practices

Multi-Instance Configuration

LogZilla supports multiple instances of certain configurations. For example, to configure a secondary LDAP server:

```bash
# Configure primary LDAP server
logzilla settings update LDAP_ENABLED=true LDAP_SERVER=ldap1.company.com

# Configure secondary LDAP server
logzilla settings update --id 1 LDAP_ENABLED=true LDAP_SERVER=ldap2.company.com
```

This creates ldap.yaml and ldap__1.yaml files respectively.

Configuration Validation

The logzilla settings command validates all changes against predefined schemas before saving, preventing invalid configurations:

```bash
# This will fail with validation error if port is invalid
logzilla settings update SMTP_PORT=invalid_port
```

Backup and Recovery

Before making significant configuration changes, backup the settings directory:

```bash
# Create backup
cp -r /etc/logzilla/settings /etc/logzilla/settings.backup.$(date +%Y%m%d)

# Restore from backup if needed
cp -r /etc/logzilla/settings.backup.20241201 /etc/logzilla/settings
logzilla settings reload generic  # Reload as needed
```
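The three steps above (back up, update with validation, restore on failure) fit naturally into one wrapper. The script below is an added example, not LogZilla's own tooling: it copies the settings directory, runs `logzilla settings update`, and puts the copy back if the update is rejected. It assumes, which the page does not state, that `logzilla settings update` exits non-zero when validation fails; it only accepts `KEY=value` arguments (the `--id` option for secondary instances is not handled), and the environment variables `LZ_SETTINGS_DIR` and `LZ_BIN` are hypothetical knobs for rehearsing against a copy.

```sh
#!/bin/sh
# Added example; not LogZilla's own tooling. Wraps `logzilla settings update`
# in a backup -> apply -> roll-back-on-failure cycle so a rejected change never
# leaves the settings directory half-edited.
# Assumption not stated on the page: `logzilla settings update` exits non-zero
# when schema validation rejects a value. Only KEY=value arguments are accepted
# (the --id option for secondary instances is not handled here).

# Resolved on every call so a rehearsal can point at a copy through the
# (hypothetical) LZ_SETTINGS_DIR / LZ_BIN variables without touching the
# live directory.
lz_settings_dir() { printf '%s\n' "${LZ_SETTINGS_DIR:-/etc/logzilla/settings}"; }
lz_bin()          { printf '%s\n' "${LZ_BIN:-logzilla}"; }

# Accept only UPPER_CASE_NAME=value arguments; anything else is refused before
# the settings directory is touched.
lz_check_args() {
    for kv in "$@"; do
        case "$kv" in
            [A-Z]*=*) key=${kv%%=*}
                      case "$key" in *[!A-Z0-9_]*) return 1 ;; esac ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Copy the live settings directory to a uniquely named sibling and print its
# path (the cp -r step from the Backup and Recovery section, made collision-safe).
lz_backup_settings() {
    dir=$(lz_settings_dir)
    dest=$(mktemp -d "$dir.backup.$(date +%Y%m%d).XXXXXX") || return 1
    cp -r "$dir"/. "$dest" || return 1
    printf '%s\n' "$dest"
}

# Replace the live settings directory with a backup made by lz_backup_settings.
lz_restore_settings() {
    dir=$(lz_settings_dir)
    [ -d "$1" ] || { echo "no such backup: $1" >&2; return 1; }
    rm -rf "$dir" && cp -r "$1" "$dir"
}

# Back up, apply, and roll back automatically when the update is rejected.
# Returns 0 on success, 1 on a rejected update, 2 on bad arguments.
lz_safe_update() {
    [ $# -gt 0 ] || { echo "usage: lz_safe_update KEY=value [KEY=value ...]" >&2; return 2; }
    lz_check_args "$@" || { echo "refusing malformed argument list" >&2; return 2; }
    backup=$(lz_backup_settings) || { echo "backup failed" >&2; return 1; }
    if "$(lz_bin)" settings update "$@"; then
        echo "applied: $*; rollback copy kept at $backup"
    else
        echo "update rejected; restoring $backup" >&2
        lz_restore_settings "$backup"
        return 1
    fi
}

# Run directly as: sh lz_safe_update.sh SMTP_SERVER=mail.company.com SMTP_PORT=587
if [ $# -gt 0 ]; then lz_safe_update "$@"; fi
```

The rollback copy is kept after a successful update as well, so a change that validated but misbehaves in practice can still be reverted with `lz_restore_settings` followed by the `logzilla settings reload` or container restart the affected group needs.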

Important Notes

Live Reloading vs Container Restart

Live Reloading: Core processing modules (parser, storage, query) support live reloading for most settings through the pub/sub mechanism.

Container Restart Required: API and Celery containers require restart for changes to take effect:

  • SMTP settings
  • LDAP configuration
  • Database connections
  • Security settings

SMTP Configuration

SMTP settings control outgoing email functionality for alerts and notifications. After changing SMTP settings, restart the API containers:

```bash
docker restart lz_gunicorn_1 lz_celeryworker_1
```

Configuration File Access

To view the current settings in any configuration file:

```bash
# View all settings in a specific file
logzilla settings list generic
logzilla settings list smtp

# View the raw YAML file
cat /etc/logzilla/settings/generic.yaml
```

SNMP Trap Format Default

The default SNMPTRAPD_FORMAT setting is:

```text
Enterprise OID: %N, Trap Type: %W, Trap Sub-Type: %q,
Uptime: %T, Description: %W,
PDU Attribute/Value Pair Array: %v
```

Legacy Configuration Command

Deprecated: Do not use the logzilla config command. It lacks support for multi-instance configurations and schema validation; use logzilla settings instead.
