OISP Sensor can be configured via a TOML file. By default it looks for a config file in these locations, in order:
  1. ./config.toml (current directory)
  2. ~/.config/oisp/config.toml
  3. /etc/oisp/config.toml
Or specify a path explicitly:
oisp-sensor record --config /path/to/config.toml

Complete Example

# OISP Sensor Configuration

[sensor]
name = "my-sensor"  # Optional name for this instance

[capture]
ssl = true          # Capture SSL/TLS traffic
process = true      # Capture process events
file = true         # Capture file operations
network = true      # Capture network connections

# Process filtering (empty = all processes)
process_filter = ["python", "node", "claude"]
pid_filter = []     # Specific PIDs to monitor

[redaction]
mode = "safe"       # safe, full, minimal

[export.jsonl]
enabled = true
path = "/var/log/oisp/events.jsonl"
append = true
pretty = false      # Compact JSON for smaller files
flush_each = true   # Flush after each event

[export.websocket]
enabled = true
port = 7777

[export.otlp]
enabled = false
endpoint = "http://localhost:4317"
protocol = "grpc"   # grpc or http
service_name = "oisp-sensor"
batch_size = 100
flush_interval_ms = 5000

[export.kafka]
enabled = false
brokers = "localhost:9092"
topic = "oisp-events"
batch_size = 100
flush_interval_ms = 1000

[export.webhook]
enabled = false
url = "https://example.com/webhook"
batch_size = 10
flush_interval_ms = 5000
headers = { "Authorization" = "Bearer xxx" }  # Placeholder; this file then holds a secret, so restrict its permissions

[web]
enabled = true
host = "0.0.0.0"    # Use 127.0.0.1 to restrict to localhost
port = 7777

[correlation]
enabled = true
time_window_ms = 5000
max_trace_duration_ms = 300000  # 5 minutes
max_traces = 100

Section Reference

[sensor]

General sensor settings.
Key   Type    Default        Description
name  string  "oisp-sensor"  Instance name (for multi-sensor setups)

[capture]

Event capture configuration.
Key                 Type     Default  Description
ssl                 bool     true     Capture SSL/TLS traffic
process             bool     true     Capture process exec/exit
file                bool     true     Capture file operations
network             bool     true     Capture network connections
process_filter      array    []       Process names to monitor (empty = all)
pid_filter          array    []       Specific PIDs to monitor
ebpf_bytecode_path  string?  auto     Path to eBPF bytecode (Linux)
ssl_binary_paths    array    auto     Paths to libssl.so

[redaction]

Sensitive data handling.
Key   Type    Default  Description
mode  string  "safe"   Redaction mode: safe, full, minimal
See Redaction for details.

[export.jsonl]

JSONL file export.
Key             Type    Default   Description
enabled         bool    false     Enable JSONL export
path            string  required  Output file path
append          bool    true      Append to existing file
pretty          bool    false     Pretty-print JSON
flush_each      bool    true      Flush after each event
rotate_size_mb  int?    none      Rotate when file exceeds this size (MB)
rotate_count    int?    5         Number of rotated files to keep

[export.websocket]

WebSocket streaming (for Web UI).
Key      Type  Default  Description
enabled  bool  true     Enable WebSocket export
port     int   7777     WebSocket port

[export.otlp]

OpenTelemetry Protocol export.
Key                Type     Default        Description
enabled            bool     false          Enable OTLP export
endpoint           string   required       OTLP endpoint URL
protocol           string   "grpc"         Protocol: grpc, http
service_name       string   "oisp-sensor"  Service name for traces
batch_size         int      100            Events per batch
flush_interval_ms  int      5000           Max time between flushes (ms)
headers            map                     Custom headers
tls_cert_path      string?  none           TLS certificate path

[export.kafka]

Apache Kafka export.
Key                Type    Default        Description
enabled            bool    false          Enable Kafka export
brokers            string  required       Comma-separated broker list
topic              string  "oisp-events"  Kafka topic
batch_size         int     100            Events per batch
flush_interval_ms  int     1000           Max time between flushes (ms)
compression        string  "snappy"       Compression: none, gzip, snappy, lz4
acks               string  "all"          Acknowledgment level

[export.webhook]

HTTP webhook export.
Key                Type    Default   Description
enabled            bool    false     Enable webhook export
url                string  required  Webhook URL
method             string  "POST"    HTTP method
batch_size         int     10        Events per request
flush_interval_ms  int     5000      Max time between flushes (ms)
headers            map               Custom headers
timeout_ms         int     30000     Request timeout (ms)
retry_count        int     3         Retry attempts

[web]

Web UI configuration.
Key      Type    Default    Description
enabled  bool    true       Enable web UI
host     string  "0.0.0.0"  Bind address
port     int     7777       HTTP port
The default bind address accepts connections on every interface, so the UI and the event stream behind it are reachable from the network as soon as the sensor starts. Set host to "127.0.0.1" to keep it local.

[correlation]

Event correlation and trace building.
Key                    Type  Default  Description
enabled                bool  true     Enable trace building
time_window_ms         int   5000     Correlation time window (ms)
max_trace_duration_ms  int   300000   Max trace duration (ms)
max_traces             int   100      Max traces held in memory

Environment Variables

Configuration can be overridden with environment variables:
# General
OISP_CONFIG=/path/to/config.toml

# Capture
OISP_CAPTURE_SSL=true
OISP_CAPTURE_PROCESS=true

# Redaction
OISP_REDACTION_MODE=safe

# Exports
OISP_JSONL_PATH=/var/log/oisp/events.jsonl
OISP_OTLP_ENDPOINT=http://localhost:4317
OISP_KAFKA_BROKERS=localhost:9092

# Web
OISP_WEB_PORT=7777

# Logging
RUST_LOG=info
Environment variables take precedence over config file values.

CLI Override

CLI arguments override both config file and environment variables:
oisp-sensor record \
  --config /etc/oisp/config.toml \
  --port 8080 \
  --process python,node \
  --output /tmp/events.jsonl

Validation

Validate your configuration:
oisp-sensor config --validate /path/to/config.toml