Capsule8 Docs

Exporting Alerts

The Capsule8 Platform is designed so that Alert data can be consumed in whatever way fits your existing workflows. Outputs are configured as a YAML list, and more than one output can be enabled at the same time. Choose from the following output types to retrieve alerts:

Getting Alerts via a file

The file output type writes alerts to a file on the Capsule8 Sensor’s local file system. This output type is commonly used to integrate with existing log shippers that can read from a log file.

Configuration:

| Key | Required | Description |
| --- | --- | --- |
| type | yes | The output type. |
| enabled | yes | Enables/disables the output. |
| name | yes | Path of the file to write. |
| template | no | Alert Template used to format each alert (see the second example below); when omitted, the full Alert is written. |
| max_size | no | Maximum size in MB a log file may reach before it is rotated. Defaults to 100. |
| max_backups | no | Maximum number of rotated log files to retain. Defaults to keeping all old log files. |

Example writing to two local files:

# Write the full Alert to a local log file
- type: file
  enabled: true
  name: /var/log/capsule8-alerts.json

# Write a truncated, plain-text Alert summary to a different local log file
- type: file
  enabled: true
  template: "{{.UUID}} {{.StrategyName}} {{.ProcessInfo.Pid}} {{.ProcessInfo.Program.Path}}"
  name: /var/log/capsule8-alert-summaries.json
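A log shipper or a small script reading the file output has to cope with two things the configuration above implies: a record that is only half written when the reader gets to it, and the file shrinking when max_size triggers a rotation. The following reader is an added example, not Capsule8 code. It assumes the file output writes one JSON object per line (the page names the file .json and says the full Alert is written) and that the JSON keys mirror the template fields shown above (uuid, strategy_name, process_info.pid, process_info.program.path); those key names are an assumption, and the sample file contents are constructed.

```python
"""Read Capsule8 alerts from a file written by the `file` output.

Added example; this is not Capsule8 code. It assumes the file output writes
one JSON object per line and that the JSON keys mirror the template fields
shown on the page: uuid, strategy_name, process_info.pid,
process_info.program.path. Those key names are an assumption.
"""
import json
import os
import tempfile
from collections import Counter

# Constructed sample of file contents. One line is deliberately not JSON and
# the last record is cut off, as a reader would see it while the Sensor is
# still writing (or right before a max_size rotation).
SAMPLE_LOG = (
    b'{"uuid": "a1", "strategy_name": "Interactive Shell", '
    b'"process_info": {"pid": 4242, "program": {"path": "/bin/bash"}}}\n'
    b'{"uuid": "a2", "strategy_name": "Interactive Shell", '
    b'"process_info": {"pid": 4243, "program": {"path": "/bin/sh"}}}\n'
    b'this line is not an alert\n'
    b'{"uuid": "a3", "strategy_name": "Kernel Module Load", '
    b'"process_info": {"pid": 7, "program": {"path": "/sbin/insmod"}}}\n'
    b'{"uuid": "a4", "strategy_name": "Kern'
)
# The rest of the cut-off record, appended later by the "writer".
SAMPLE_TAIL = (b'el Module Load", "process_info": {"pid": 8, '
               b'"program": {"path": "/sbin/modprobe"}}}\n')


def read_alerts(data):
    """Split raw bytes into (alerts, rejected_lines, partial_tail).

    Only complete, newline-terminated lines are parsed; whatever follows the
    last newline is returned untouched so the caller can retry it later."""
    complete, sep, partial = data.rpartition(b"\n")
    if not sep:
        return [], [], data
    alerts, rejected = [], []
    for raw in complete.split(b"\n"):
        if not raw.strip():
            continue
        try:
            obj = json.loads(raw.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            rejected.append(raw)
            continue
        if isinstance(obj, dict) and "uuid" in obj:
            alerts.append(obj)
        else:
            rejected.append(raw)
    return alerts, rejected, partial


def consume(path, offset):
    """Read new records from `path` starting at byte `offset`.

    Returns (alerts, rejected, new_offset). new_offset stops before any
    partial trailing record. If the file is shorter than offset it was
    rotated by max_size, so reading restarts from the beginning."""
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)
        if f.tell() < offset:
            offset = 0
        f.seek(offset)
        chunk = f.read()
    alerts, rejected, partial = read_alerts(chunk)
    return alerts, rejected, offset + len(chunk) - len(partial)


def summary_line(alert):
    """Same fields as the template in the second file output above."""
    proc = alert.get("process_info") or {}
    prog = proc.get("program") or {}
    return "{} {} {} {}".format(alert.get("uuid", "-"), alert.get("strategy_name", "-"),
                                proc.get("pid", "-"), prog.get("path", "-"))


def count_by_strategy(alerts):
    """Alert counts per strategy, the kind of roll-up a shipper would emit."""
    return dict(Counter(a.get("strategy_name", "-") for a in alerts))


def demo():
    """Write the sample to a temp file, consume it, append the rest of the
    cut-off record, then consume again from the saved offset."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(SAMPLE_LOG)
        first, rejected, offset = consume(path, 0)
        with open(path, "ab") as f:
            f.write(SAMPLE_TAIL)
        second, _, offset = consume(path, offset)
    finally:
        os.unlink(path)
    return first, rejected, second, offset


if __name__ == "__main__":
    first, rejected, second, _ = demo()
    for a in first + second:
        print(summary_line(a))
    print(count_by_strategy(first + second), "rejected:", len(rejected))
```

The saved offset is the only state the reader needs between runs; because it never advances past a partial record, the cut-off line is parsed whole on the next pass instead of being dropped or split into two rejected fragments.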


Getting Alerts via stdout

The stdout output type prints alerts to the Capsule8 Sensor’s standard output. This output type is commonly used to quickly test new strategy settings in development as well as to easily integrate with existing log shippers in containerized environments.

Note that Alerts are mixed in with everything else the Capsule8 Sensor prints to stdout, such as initialization messages and logged errors, so a log shipper reading stdout needs a way to tell Alert lines apart from that other output.

Configuration:

| Key | Required | Description |
| --- | --- | --- |
| type | yes | The output type. |
| enabled | yes | Enables/disables the output. |

Example printing Alerts to stdout:

- type: stdout
  enabled: true

Getting Alerts via syslog

The syslog output type sends alerts to a syslog server, local or remote, addressed by URL. The example below uses tcp://, which carries Alerts unencrypted, so a remote syslog server should be reached over a trusted network or through a TLS tunnel rather than directly across the internet.

Configuration:

| Key | Required | Description |
| --- | --- | --- |
| type | yes | The output type. |
| enabled | yes | Enables/disables the output. |
| url | yes | The syslog server URL (local or remote), in the form shown in the example below. |

Example sending Alerts to a local syslog server:

# This could also be a remote syslog server
- type: syslog
  enabled: true
  url: tcp://127.0.0.1:514/capsule8-alerts

Getting Alerts via a webhook

The webhook output type sends each alert to an HTTP endpoint. Combined with Alert Templates, which control the request body, it lets you build ad hoc integrations with third-party services without extra glue: ship Alert summaries to Slack, open Jira tickets when high priority Alerts are seen, or send Alerts straight to a Splunk Cloud instance. The URL and any authentication headers are stored in the Sensor configuration, so protect that file like any other secret and use https URLs for any endpoint outside the host.

Configuration:

| Key | Required | Description |
| --- | --- | --- |
| type | yes | The output type. |
| enabled | yes | Enables/disables the output. |
| url | yes | The URL to send the request to. |
| template | no | Alert Template used as the request body; when omitted, the full Alert is sent as JSON. |
| headers | no | Headers to send with the request. Defaults to Content-Type: application/json. |
| method | no | The HTTP method to use. Defaults to POST. |
| timeout | no | Request timeout in seconds. Defaults to 30. |

Example:

# Send Alerts to a local web server
- type: webhook
  enabled: true
  url: http://localhost:8080/alerts

# Send Alerts to an arbitrary service with all settings
- type: webhook
  enabled: true
  url: https://api.example-company.com/capsule8-alerts
  template: "New Capsule8 Alert {{.UUID}}"
  timeout: 5
  method: PUT
  headers:
    "Content-Type": "text/plain"
    "X-COMPANY-AUTH": "123456"  # placeholder shared secret; the endpoint should check it on every request

# Send Alerts to Slack using their webhook JSON format. The body is built by
# substituting fields into a JSON string, so confirm that values such as
# Description cannot carry unescaped quotes or newlines before relying on it.
- type: webhook
  enabled: true
  url: https://hooks.slack.com/services/123ABC/ab914B12eeigVh2xZ
  template: '{"text": "🌶 New Capsule8 Alert {{.PolicyType}} {{.Description}}"}'
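The receiving side of the second example above is where the security work happens: the X-COMPANY-AUTH header is the only thing telling the endpoint that a request came from the Sensor configuration, so it must be checked on every request, and the body must be validated before anything acts on it. The receiver below is an added example, not Capsule8 code. It accepts the two request shapes shown on this page (the default application/json POST and the text/plain PUT with a custom header) and requires the header for both, which the first, header-less example above does not send; the header name and token value are the page's placeholders, the /alerts path and the uuid field name are assumptions, and the requests in the usage are constructed.

```python
"""Minimal receiver for the Capsule8 webhook output.

Added example, not Capsule8 code. Accepts the two request shapes shown on
the page: the default JSON body (Content-Type: application/json, POST) and
the templated text/plain PUT carrying X-COMPANY-AUTH. The header name and
token are the page's placeholders; the /alerts path and the "uuid" field
name are assumptions.
"""
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

EXPECTED_TOKEN = "123456"   # placeholder from the page; load from a secret store in practice
MAX_BODY = 1 << 20          # 1 MiB; refuse anything larger before reading it
ALERT_PATH = "/alerts"      # assumed path, matching the first webhook example


def handle_alert(method, headers, body, expected_token=EXPECTED_TOKEN):
    """Validate one webhook request.

    headers: dict with lowercase keys; body: bytes.
    Returns (status_code, alert) where alert is a dict on success, else None."""
    if method not in ("POST", "PUT"):
        return 405, None
    # Constant-time comparison so a wrong token cannot be guessed byte by
    # byte from response timing; a missing header compares as an empty string.
    supplied = headers.get("x-company-auth", "")
    if not hmac.compare_digest(supplied.encode("utf-8"), expected_token.encode("utf-8")):
        return 401, None
    if len(body) > MAX_BODY:
        return 413, None
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype == "application/json":
        # Default output: the full Alert as JSON. Parse it and insist on the
        # one field every downstream step keys on.
        try:
            alert = json.loads(body.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            return 400, None
        if not isinstance(alert, dict) or "uuid" not in alert:
            return 400, None
        return 200, alert
    if ctype == "text/plain":
        # Templated summary such as "New Capsule8 Alert <uuid>"; keep it as text.
        return 200, {"summary": body.decode("utf-8", "replace")}
    return 415, None


class AlertHandler(BaseHTTPRequestHandler):
    """Thin HTTP wrapper around handle_alert for running this stand-alone."""

    def _serve(self):
        if self.path != ALERT_PATH:
            self.send_response(404)
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", "0") or 0)
        if length > MAX_BODY:
            self.send_response(413)
            self.end_headers()
            return
        body = self.rfile.read(length)
        lowered = {k.lower(): v for k, v in self.headers.items()}
        status, alert = handle_alert(self.command, lowered, body)
        if alert is not None:
            print("alert:", alert.get("uuid") or alert.get("summary"))
        self.send_response(status)
        self.end_headers()

    do_POST = _serve
    do_PUT = _serve


if __name__ == "__main__":
    # Listens on the address used by the first webhook example above.
    HTTPServer(("127.0.0.1", 8080), AlertHandler).serve_forever()
```

Running this and pointing the first two webhook outputs above at it exercises both branches; a request with the wrong token gets a 401 before the body is ever parsed, and an unexpected content type gets 415 rather than being guessed at.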