
Config Reference

The primary configuration file for RockNSM is found at /etc/rocknsm/config.yml.

This file defines key information that drives the Ansible deployment playbook, such as network interface setup, CPU core assignment, and much more. There are a lot of options to tune here, so take time to familiarize yourself with them.

A template of this file in its entirety can be found [here on GitHub], but for greater clarity let's break it down into its major sections:

Network Interface

As mentioned previously, ROCK takes the interface with an IP address / gateway and uses it as the management NIC. config.yml lists the remaining interfaces, which will be used to MONITOR traffic.

Let's run through a basic example:

[admin@rock ~]$ ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether ...
    inet brd scope global noprefixroute dynamic enp0s3
3: enp0s4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether ...

The demo box above has 2 NICs:
1. enp0s3 - is plugged in for install and deployment with an IP address from local DHCP. This will be used to manage the sensor
2. enp0s4 - will be unused (not connected) during install and deployment and will be listed as a rock_monif in the config file

The config file shows the other interface (enp0s4) listed as the MONITOR interface:

# interfaces that should be configured for sensor applications
rock_monifs:
    - enp0s4

Sensor Resource

# Set the hostname of the sensor:
rock_hostname: rocknsm_sensor_1

# Set the Fully Qualified Domain Name:
rock_fqdn: rocknsm_sensor_1.rocknsm.lan

# Set the number of CPUs assigned to Bro:
bro_cpu: 2

# Set the Elasticsearch cluster name:
es_cluster_name: rocknsm

# Set the Elasticsearch cluster node name:
es_node_name: localhost

# Set the value of Elasticsearch memory:
es_mem: 5

Installation Source

We've taken into consideration that your sensor won't always have internet access. Currently the default value is set to rock_online_install: True:

  # The primary installation variable defines the ROCK installation method:
  # ONLINE:   used if the system may reach out to the internet
  # OFFLINE:  used if the system may *NOT* reach out to the internet
  # A value of "False" will deploy using OFFLINE (local) repos.
  # A value of "True" will perform an install using ONLINE mirrors.

  rock_online_install: True


Does your sensor have access to upstream online repositories? If so, then make sure that this value is set to rock_online_install: True.


If you are in an offline environment, then set it to rock_online_install: False. Ansible will deploy using the locally cached files found in /srv/rocknsm.

Note: In our next release the default behavior will be changed to an offline install (reference Issue #376).

Data Retention

This section controls how long NSM data stay on the sensor:

# Set the interval in which Elasticsearch indexes are closed:
elastic_close_interval: 15

# Set the interval in which Elasticsearch indexes are deleted:
elastic_delete_interval: 60

# Set value for Kafka retention (in hours):
kafka_retention: 168

# Set value for Bro log retention (in days):
bro_log_retention: 0

# Set value for Bro statistics log retention (in days):
bro_stats_retention: 0

# Set how often logrotate will roll Suricata log (in days):
suricata_retention: 3

# Set value for FSF log retention (in days):
fsf_retention: 3

Component Options

This is a critical section that provides boolean options to choose what components of ROCK are installed and enabled during deployment.

# The following "with_" statements define what components of RockNSM are
# installed when running the deploy script:

with_stenographer: True
with_docket: True
with_bro: True
with_suricata: True
with_snort: True
with_suricata_update: True
with_logstash: True
with_elasticsearch: True
with_kibana: True
with_zookeeper: True
with_kafka: True
with_lighttpd: True
with_fsf: True

# The following "enable_" statements define what RockNSM component services
# are enabled (start automatically on system boot):

enable_stenographer: True
enable_docket: True
enable_bro: True
enable_suricata: True
enable_snort: True
enable_suricata_update: True
enable_logstash: True
enable_elasticsearch: True
enable_kibana: True
enable_zookeeper: True
enable_kafka: True
enable_lighttpd: True
enable_fsf: True

A good example of changing this section involves Stenographer. Collecting raw PCAP is resource and storage intensive. Your machine may not be able to handle that, and if you just want to focus on network logs, you would set both options in the config file to False so that Stenographer is neither installed nor enabled:

with_stenographer: False
enable_stenographer: False
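
The Network Interface and Component Options sections above both describe settings that are easy to get wrong by hand. The following Python check is an added example, not part of RockNSM or its documentation: it flags a management NIC that also appears in the monitor list and any enable_ option set without its matching with_ option. It assumes the monitor list key is rock_monifs; the function names, the small flat-YAML parser and the sample config are constructed for illustration.

```python
import re

# Constructed sample config (not from a real sensor); it contains two mistakes.
SAMPLE = """\
rock_monifs:
    - enp0s3
    - enp0s4
with_stenographer: False
enable_stenographer: True
with_bro: True
enable_bro: True
"""

def load_flat_config(text):
    """Parse the flat 'key: value' and '- item' subset of YAML shown on this page."""
    cfg, current_list = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        item = re.match(r"\s*-\s+(\S+)$", line)
        if item and current_list is not None:     # list entry under the last bare key
            cfg[current_list].append(item.group(1))
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if value:
            current_list = None
            cfg[key] = {"True": True, "False": False}.get(value, value)
        else:
            cfg[key], current_list = [], key      # "key:" alone starts a list
    return cfg

def check_config(cfg, mgmt_iface):
    """Return a list of problems; an empty list means both checks passed."""
    problems = []
    # The NIC that holds the IP address / gateway manages the sensor, so it must not monitor.
    if mgmt_iface in cfg.get("rock_monifs", []):
        problems.append(f"{mgmt_iface} is the management NIC but is listed in rock_monifs")
    # A service enabled at boot must also be installed (enable_X requires with_X).
    for key, value in cfg.items():
        if key.startswith("enable_") and value is True:
            component = key[len("enable_"):]
            if cfg.get(f"with_{component}") is not True:
                problems.append(f"enable_{component} is True but with_{component} is not")
    return problems

if __name__ == "__main__":
    for problem in check_config(load_flat_config(SAMPLE), mgmt_iface="enp0s3"):
        print("WARNING:", problem)
```

For a full /etc/rocknsm/config.yml, replace load_flat_config with a real YAML loader and pass in the interface that holds the sensor's IP address as mgmt_iface.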