
Alert Routing

Each alert output can be configured to write only certain message types. This allows critical data such as alert and smart policy messages to be routed to a central system such as a SIEM for triage, while less critical messages such as audit messages go to an archival store. By default an alert output delivers alert and smart_policy messages only; this can be customized by adding a message_types key to the alert output definition:

alert_output:
  outputs:
    # write all message types to standard out
    - type: stdout
      enabled: true
      message_types:
      - alert
      - smart_policy
      - audit
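A practical check when splitting message types across several outputs is that every type is still delivered somewhere: an output with no message_types key silently reverts to alert and smart_policy, and a typo in a type name routes nothing. The script below is an added example, not Capsule8 code; it holds a constructed config with the same shape as the YAML above (as a Python dict, so no YAML library is needed) and reports which enabled outputs receive each message type. The second output's type name, "file", is an assumption for illustration, and outputs are treated as disabled unless enabled is explicitly true.

```python
"""Report which Capsule8 message types each configured alert output receives.

Added example, not Capsule8's own code. The config is embedded as a dict with the
same structure as the alert_output YAML on this page; "file" as an output type is
an assumed name used only for illustration.
"""

# Per the page: an output without a message_types key delivers these two types.
DEFAULT_MESSAGE_TYPES = ("alert", "smart_policy")
# The message types named on this page.
KNOWN_MESSAGE_TYPES = ("alert", "smart_policy", "audit")

# Constructed config: a SIEM-bound stdout output using the defaults, an archival
# output (assumed type "file") taking audit only, and a disabled output.
EXAMPLE_CONFIG = {
    "alert_output": {
        "outputs": [
            {"type": "stdout", "enabled": True},
            {"type": "file", "enabled": True, "message_types": ["audit"]},
            {"type": "file", "enabled": False, "message_types": ["alert"]},
        ]
    }
}


def output_message_types(output):
    """Message types one output definition will write (defaults applied)."""
    return tuple(output.get("message_types", DEFAULT_MESSAGE_TYPES))


def route_table(config):
    """Map each message type to (index, type) of every enabled output receiving it."""
    table = {mt: [] for mt in KNOWN_MESSAGE_TYPES}
    outputs = config.get("alert_output", {}).get("outputs", [])
    for idx, out in enumerate(outputs):
        # Assumption of this script: missing "enabled" means the output is off.
        if not out.get("enabled", False):
            continue
        for mt in output_message_types(out):
            table.setdefault(mt, []).append((idx, out["type"]))
    return table


def unrouted_types(config):
    """Known message types that no enabled output delivers (they would be lost)."""
    return [mt for mt, dests in route_table(config).items() if not dests]


def unknown_types(config):
    """message_types entries not named on this page, e.g. typos like smart_polcy."""
    found = set()
    for out in config.get("alert_output", {}).get("outputs", []):
        for mt in output_message_types(out):
            if mt not in KNOWN_MESSAGE_TYPES:
                found.add(mt)
    return sorted(found)


if __name__ == "__main__":
    for mt, dests in route_table(EXAMPLE_CONFIG).items():
        print(f"{mt:13s} -> {dests or 'NOT DELIVERED'}")
    print("unrouted:", unrouted_types(EXAMPLE_CONFIG))
    print("unknown: ", unknown_types(EXAMPLE_CONFIG))
```

Run it against a real config (after loading the YAML into a dict) before deploying a routing change; a non-empty unrouted list means a message type has no destination, and a non-empty unknown list almost always means a misspelled type name.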