Capsule8 Docs

Exporting Alerts

The Capsule8 Platform was designed with flexibility in mind to make it easy for users to consume Capsule8 Alert data in a way that fits in naturally with their existing workflows. Please choose from one of the following ways to retrieve alerts:

Getting Alerts via a file

The file output type writes alerts to a file on the Capsule8 Sensor’s local file system. This output type is commonly used to integrate with existing log shippers that can read from a log file.

Configuration:

| Key | Required | Description |
| --- | --- | --- |
| type | yes | The output type. |
| enabled | yes | Enables/disables the output. |
| name | yes | The file name. |
| max_size | no | The max file size in MB that a log file can be before it is rotated. Defaults to 100. |
| max_backups | no | The max number of log files to retain. Defaults to not deleting any old log files. |

Example writing to two local files:

alert_output:
  outputs:
    # Write the full Alert to a local log file
    - type: file
      enabled: true
      name: /var/log/capsule8-alerts.json

    # Write a truncated Alert summary to a different local log file
    - type: file
      enabled: true
      template: "{{.UUID}} {{.StrategyName}} {{.ProcessInfo.Pid}} {{.ProcessInfo.Program.Path}}"
      name: /var/log/capsule8-alert-summaries.json

Getting Alerts via stdout

The stdout output type prints alerts to the Capsule8 Sensor’s standard output. This output type is commonly used to quickly test new policy settings in development as well as to easily integrate with existing log shippers in containerized environments.

Note that Alerts will be mixed in with anything else printed to stdout by the Capsule8 Sensor such as initialization information or logged errors.

Configuration:

| Key | Required | Description |
| --- | --- | --- |
| type | yes | The output type. |
| enabled | yes | Enables/disables the output. |

Example printing Alerts to stdout:

alert_output:
  outputs:
    - type: stdout
      enabled: true
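Because alerts share stdout with the sensor's other messages, a log shipper reading that stream has to tell the two apart. The Go program below is an added example, not Capsule8 code: it splits a captured stdout stream into decoded JSON alert objects and plain log lines. It assumes the sensor prints each alert as one JSON object per line; the sample stream and the field names in it are constructed for illustration.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// SplitSensorOutput separates alert lines (JSON objects) from everything
// else the sensor prints on stdout, such as startup messages or logged
// errors. Assumption: the sensor writes each alert as one JSON object per
// line, which is what a log shipper would rely on as well.
func SplitSensorOutput(r io.Reader) (alerts []map[string]interface{}, other []string, err error) {
	sc := bufio.NewScanner(r)
	sc.Buffer(make([]byte, 0, 64*1024), 4*1024*1024) // alert objects can be large
	for sc.Scan() {
		line := sc.Text()
		trimmed := strings.TrimSpace(line)
		if !strings.HasPrefix(trimmed, "{") {
			other = append(other, line)
			continue
		}
		var obj map[string]interface{}
		if json.Unmarshal([]byte(trimmed), &obj) != nil {
			// Starts like JSON but does not parse: keep it as log text rather than drop it.
			other = append(other, line)
			continue
		}
		alerts = append(alerts, obj)
	}
	return alerts, other, sc.Err()
}

// SampleStdout is a constructed stream, not a real sensor capture; the
// alert field names in it are illustrative only.
const SampleStdout = `sensor starting, loading policy
{"uuid":"0f1e2d3c","strategy_name":"sample-strategy","process_info":{"pid":4242}}
error: syslog output: dial tcp 127.0.0.1:514: connection refused
{"uuid":"a1b2c3d4","strategy_name":"another-strategy","process_info":{"pid":4343}}
{this line is not valid json`

func main() {
	alerts, other, err := SplitSensorOutput(strings.NewReader(SampleStdout))
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("alert %v strategy=%v\n", a["uuid"], a["strategy_name"])
	}
	for _, l := range other {
		fmt.Printf("sensor log: %s\n", l)
	}
}
```

A shipper built on this keeps the non-alert lines too, routed to an ordinary sensor log, so that output errors such as a refused syslog connection are not silently lost.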

Getting Alerts via syslog

The syslog output type sends alerts to a syslog server.

Configuration:

| Key | Required | Description |
| --- | --- | --- |
| type | yes | The output type. |
| enabled | yes | Enables/disables the output. |
| url | yes | The syslog server URL (local or remote). |

Example sending Alerts to a local syslog server:

alert_output:
  outputs:
    # This could also be a remote syslog server
    - type: syslog
      enabled: true
      url: tcp://127.0.0.1:514/capsule8-alerts

The syslog URL can also be set via an environment variable:

CAPSULE8_ALERT_SYSLOG_URL=tcp://syslog-server:514/capsule8alerts

Getting Alerts via a webhook

The webhook output type sends alerts to a webhook endpoint with an HTTP request. This output type is incredibly powerful when combined with Alert Templates because it allows users to create ad hoc integrations with a number of third-party services. Some common use cases are to ship Alert summaries to Slack, automatically create Jira tickets when high priority Alerts are seen, or even to send Alerts directly to a Splunk Cloud instance.

Configuration:

| Key | Required | Description |
| --- | --- | --- |
| type | yes | The output type. |
| enabled | yes | Enables/disables the output. |
| url | yes | The URL to send the request to. |
| headers | no | The headers to pass along with the request. Defaults to "Content-Type: application/json". |
| method | no | The HTTP method to use. Defaults to POST. |
| timeout | no | The timeout in seconds. Defaults to 30. |

Example:

alert_output:
  outputs:
    # Send Alerts to a local web server
    - type: webhook
      enabled: true
      url: http://localhost:8080/alerts

    # Send Alerts to an arbitrary service with all settings
    - type: webhook
      enabled: true
      url: https://api.example-company.com/capsule8-alerts
      template: "New Capsule8 Alert {{.UUID}}"
      timeout: 5
      method: PUT
      headers:
        "Content-Type": "text/plain"
        "X-COMPANY-AUTH": "123456"

    # Send Alerts to Slack using their webhook JSON format
    - type: webhook
      enabled: true
      url: https://hooks.slack.com/services/123ABC/ab914B12eeigVh2xZ
      template: '{"text": "🌶 New Capsule8 Alert {{.PolicyType}} {{.Description}}"}'
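Two things worth checking before wiring the webhook output to a third-party service: that a hand-written JSON template such as the Slack one above still yields valid JSON when an alert field contains a quote or backslash, and that the receiving end authenticates the sensor's requests. The Go program below is an added example, not Capsule8 code or a supported API. It assumes the sensor expands {{.Field}} placeholders with Go text/template semantics, uses an Alert struct carrying only the three fields the page's templates reference (the JSON key names uuid, policy_type and description are assumptions, not Capsule8's schema), and reuses the X-COMPANY-AUTH header and the 123456 placeholder secret from the example above.

```go
package main

import (
	"bytes"
	"crypto/subtle"
	"encoding/json"
	"io"
	"log"
	"net/http"
	"text/template"
)

// Alert is a constructed stand-in with only the fields the page's templates
// reference; the JSON key names are assumptions, not Capsule8's schema.
type Alert struct {
	UUID        string `json:"uuid"`
	PolicyType  string `json:"policy_type"`
	Description string `json:"description"`
}

// SlackTemplate is the Slack example from the page. Whatever .Description
// contains is pasted into the JSON string without escaping.
const SlackTemplate = `{"text": "🌶 New Capsule8 Alert {{.PolicyType}} {{.Description}}"}`

// RenderTemplate expands a template with Go's text/template (assumption:
// the sensor's {{.Field}} placeholders follow the same semantics).
func RenderTemplate(tmpl string, a Alert) (string, error) {
	t, err := template.New("alert").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, a); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// TemplateProducesJSON is the pre-deployment check: render the template for
// a sample alert and confirm the result still parses as JSON.
func TemplateProducesJSON(tmpl string, a Alert) bool {
	out, err := RenderTemplate(tmpl, a)
	return err == nil && json.Valid([]byte(out))
}

// SlackPayload builds the same message with encoding/json, which escapes
// quotes, backslashes and control characters in the description correctly.
func SlackPayload(a Alert) ([]byte, error) {
	return json.Marshal(map[string]string{
		"text": "🌶 New Capsule8 Alert " + a.PolicyType + " " + a.Description,
	})
}

// Receiver is a hypothetical endpoint for the "arbitrary service" webhook on
// the page: the sensor posts the full alert JSON (no template) with the
// X-COMPANY-AUTH header, and the receiver builds the Slack message itself.
type Receiver struct {
	Secret  string
	Forward func(payload []byte) error // e.g. POST to Slack; nil means drop
}

func (r *Receiver) ServeHTTP(w http.ResponseWriter, req *http.Request) {
	if req.Method != http.MethodPost && req.Method != http.MethodPut {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	// Constant-time compare so the secret cannot be guessed byte by byte.
	got := req.Header.Get("X-COMPANY-AUTH")
	if subtle.ConstantTimeCompare([]byte(got), []byte(r.Secret)) != 1 {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	body, err := io.ReadAll(io.LimitReader(req.Body, 1<<20)) // cap body at 1 MiB
	if err != nil {
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	var a Alert
	if err := json.Unmarshal(body, &a); err != nil || a.UUID == "" {
		http.Error(w, "body is not an alert", http.StatusBadRequest)
		return
	}
	payload, err := SlackPayload(a)
	if err != nil {
		http.Error(w, "encode error", http.StatusInternalServerError)
		return
	}
	if r.Forward != nil {
		if err := r.Forward(payload); err != nil {
			http.Error(w, "forward failed", http.StatusBadGateway)
			return
		}
	}
	w.WriteHeader(http.StatusAccepted)
}

func main() {
	// "123456" is the placeholder secret from the page's example, not a real value.
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", &Receiver{Secret: "123456"}))
}
```

If TemplateProducesJSON fails for a description containing a quote, the safer layout is the one Receiver shows: send the sensor's full Alert JSON (the default Content-Type, no template) to an endpoint you control, authenticate it with the shared header, and build the third-party payload there with a JSON encoder.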