1. 资源限制

1.1 CPU 限制

• Unit: number of logical cores. Default: 1. Range: [1, 100000]
• Note: deepflow-agent uses cgroups to limit CPU usage. But please note that deepflow-agent running in K8s Pod cannot be limited by this value, please configure it through K8s Limit.
• max_cpus: 1

1.2 内存限制

• Unit: M bytes. Default: 768. Range: [128, 100000]
• Note: deepflow-agent uses cgroups to limit memory usage. But please note that deepflow-agent running in K8s Pod cannot be limited by this value, please configure it through K8s Limit.
• max_memory: 768

1.3 系统空闲内存限制

• Unit: %. Default: 0. Range: [0, 100]
• Note: The limit of the percentage of system free memory. When the free percentage is lower than 90% of this value, the agent will automatically restart.
• sys_free_memory_limit: 0

1.4 采集包速率

• Unit: Kpps. Default: 200. Range: [1, 1000000]
• max_collect_pps: 200

1.5 日志发送速率

• Unit: lines/hour. Default: 300. Range: [0, 10000]
• Note: deepflow-agent will send logs to deepflow-server, 0 means no limit.
• log_threshold: 300

1.6 日志打印等级

• Default: INFO. options: DEBUG, INFO, WARNING, ERROR
• log_level: INFO

1.7 日志文件大小

• Unit: M bytes. Default: 1000. Range: [10, 10000]
• log_file_size: 1000

1.8 线程数限制

• Default: 500. Range: [1, 1000]
• Note: Maximum number of threads that deepflow-agent is allowed to launch.
• thread_threshold: 500

1.9 进程数限制

• Default: 10. Range: [1, 100]
• Note: Maximum number of processes that deepflow-agent is allowed to launch.
• process_threshold: 10

2. 基础配置

2.1 采集网口

• Length: [0, 65535]
• Default:

  Localhost: lo
  Common NIC: eth.*|en[osipx].*
  QEMU VM NIC: tap.*
  Flannel: veth.*
  Calico: cali.*
  Cilium: lxc.*
  Kube-OVN: [0-9a-f]+_h$
  

• Note: Regular expression of NIC name for collecting traffic
• tap_interface_regex: ^(tap.*|cali.*|veth.*|eth.*|en[osipx].*|lxc.*|lo|[0-9a-f]+_h)$

2.2 流量过滤

• Length: [1, 512]
• Note: If not configured, all traffic will be collected. Please refer to BPF syntax: https://biot.com/capstats/bpf.html
• capture_bpf:

2.3 采集 NETNS

• Default: "", means no extra network namespace (default namespace only)
• Description: Traffic will be captured in regex matched namespaces besides the default namespace. NICs captured in extra namespaces are also filtered with tap_interface_regex.
• extra_netns_regex:

2.4 采集包长

• Unit: bytes. Default: 65535. Range: [128, 65535]
• Note: DPDK environment does not support this configuration.
• capture_packet_size: 65535

2.5 流量采集模式

• Default: 0, means local. Options: 0, 1 (virtual mirror), 2 (physical mirror, aka. analyzer mode)
• Note: Mirror mode is used when deepflow-agent cannot directly capture the traffic from the source. For example:
  • in the K8s macvlan environment, capture the Pod traffic through the Node NIC
  • in the Hyper-V environment, capture the VM traffic through the Hypervisor NIC
  • in the ESXi environment, capture traffic through VDS/VSS local SPAN
  • in the DPDK environment, capture traffic through DPDK ring buffer
  • Use Analyzer mode when deepflow-agent captures traffic through physical switch mirroring.
• tap_mode: 0

2.6 流量采集 API

• Default: 0, means adaptive. Options: 0, 2 (AF_PACKET V2), 3 (AF_PACKET V3)
• Description: Traffic capture API in Linux environment
• capture_socket_type: 0

2.7 解封装隧道类型

• Default: [1, 3], means VXLAN and IPIP. Options: 1 (VXLAN), 2 (GRE), 3 (IPIP)
• decap_type:
  • 1
  • 3

2.8 虚拟网卡 MAC 解析

• Default: 0
• Options:
  • 0: extracted from tap interface MAC address
  • 1: extracted from tap interface name
  • 2: extracted from the XML file of the virtual machine
• Note: How to extract the real MAC address of the virtual machine when the agent runs on the KVM host
• if_mac_source: 0

2.9 最大同步间隔

• Unit: second. Default: 60. Range: [10, 3600]
• Note: The interval at which deepflow-agent actively requests configuration and tag information from deepflow-server.
• sync_interval: 60

2.10 最长逃逸时间

• Unit: seconds. Default: 3600. Range: [600, 2592000]
• Note: The maximum time that the agent is allowed to work normally when it cannot connect to the server. After the timeout, the agent automatically enters the disabled state.
• max_escape_seconds: 3600

2.11 UDP 最大 MTU

• Unit: bytes, default value: 1500, value range [500, 10000]
• Note: Maximum MTU allowed when using UDP to transfer data.
• Attention: Public cloud service providers may modify the content of the tail of the UDP packet whose packet length is close to 1500 bytes. When using UDP transmission, it is recommended to set a slightly smaller value.
• mtu: 1500

2.12 裸 UDP 外层 VLAN

• Default: 0, means no VLAN tag. Range: [0, 4095]
• Note: When using Raw Socket to transmit UDP data, this value can be used to set the VLAN tag
• output_vlan: 0

2.13 是否请求 NAT IP

• Default: 0. Options: 0, 1
• Note: Used when deepflow-agent uses an external IP address to access deepflow-server. For example, when deepflow-server is behind a NAT gateway, or the host where deepflow-server is located has multiple node IP addresses and different deepflow-agents need to access different node IPs, you can set an additional NAT IP for each deepflow-server address, and modify this value to 1.
• nat_ip_enabled: 0

2.14 日志存储时长

• Unit: days. Default: 30. Range: [7, 365]
• log_retention: 300

2.15 控制器通信端口

• Default: 30035. Range: 1-65535
• Note: The control plane port used by deepflow-agent to access deepflow-server. The default port within the same K8s cluster is 20035, and the default port of deepflow-agent outside the cluster is 30035.
• proxy_controller_port: 30035

2.16 数据节点通信端口

• Default: 30033. Range: 1-65535
• Note: The data plane port used by deepflow-agent to access deepflow-server. The default port within the same K8s cluster is 20033, and the default port of deepflow-agent outside the cluster is 30033.
• analyzer_port: 30033

2.17 控制器 IP

• Note: When this value is set, deepflow-agent will use this IP to access the control plane port of deepflow-server, which is usually used when deepflow-server uses an external load balancer.
• proxy_controller_ip:

2.18 数据节点 IP

• Note: When this value is set, deepflow-agent will use this IP to access the data plane port of deepflow-server, which is usually used when deepflow-server uses an external load balancer.
• analyzer_ip:

3. 控制配置

3.1 数据套接字

• Default: TCP. Options: TCP, UDP, FILE
• Note: It can only be set to FILE in standalone mode, in which case l4_flow_log and l7_flow_log will be written to local files.
• collector_socket_type: TCP

3.2 HTTP 日志 X-Forwarded-For

• Default: X-Forwarded-For
• Note: It is used to extract the real client IP field in the HTTP header, such as X-Forwarded-For, etc. Leave it empty to disable this feature.
• http_log_proxy_client: X-Forwarded-For

3.3 HTTP 日志 X-Request-ID

• Default: X-Request-ID
• Note: It is used to extract the fields in the HTTP header that are used to uniquely identify the same request before and after the gateway, such as X-Request-ID, etc. This feature can be turned off by setting it to empty.
• http_log_x_request_id: X-Request-ID

3.4 应用调用日志 Trace-ID

• Default: traceparent, sw8
• Note: Used to extract the TraceID field in HTTP and RPC headers, supports filling in multiple values separated by commas. This feature can be turned off by setting it to empty.
• http_log_trace_id: traceparent, sw8

3.5 应用调用日志 Span-ID

• Default: traceparent, sw8
• Note: Used to extract the SpanID field in HTTP and RPC headers, supports filling in multiple values separated by commas. This feature can be turned off by setting it to empty.
• http_log_span_id: traceparent, sw8

3.6 应用日志解析包长

• Default: 1024. Range: [256, 8192]
• Note: The maximum data length used for application protocol identification, note that the effective value is less than or equal to the value of capture_packet_size.
• l7_log_packet_size: 1024

3.7 流日志采集器速率

• Default: 10000. Range: [100, 1000000]
• Note: The maximum number of rows of l4_flow_log sent per second, when the actual number of rows exceeds this value, sampling is triggered.
• l4_log_collect_nps_threshold: 10000

3.8 调用日志采集速率

• Default: 10000. Range: [100, 1000000]
• Note: The maximum number of rows of l7_flow_log sent per second, when the actual number of rows exceeds this value, sampling is triggered.
• l7_log_collect_nps_threshold: 10000

4. 管理配置

4.1 同步资源信息

• Default: 0, means disabled. Options: 0 (disabled), 1 (enabled).
• Note: When enabled, deepflow-agent will automatically synchronize virtual machine and network information on the KVM (or Host) to deepflow-server.
• platform_enabled: 0

4.2 日志发送

• Default: 1, means enabled. Options: 0 (disabled), 1 (enabled).
• Note: When enabled, deepflow-agent will send its own logs to deepflow-server.
• rsyslog_enabled: 1

4.3 时钟同步

• Default: 0, means enabled. Options: 0 (disabled), 1 (enabled).
• Note: Whether to synchronize the clock to the deepflow-server, this behavior will not change the time of the deepflow-agent running environment.
• ntp_enabled: 0

4.4 云平台资源信息下发

• Default: 0, which means all domains, or can be set to a list of lcuuid of a series of domains, you can get lcuuid through 'deepflow-ctl domain list'.
• Note: The list of MAC and IP addresses is used by deepflow-agent to inject tags into data. This configuration can reduce the number and frequency of MAC and IP addresses delivered by deepflow-server to deepflow-agent. When there is no cross-domain service request, deepflow-server can be configured to only deliver the information in the local domain to deepflow-agent.
• domains:
  • 0

4.5 容器集群内部 IP 下发

• Default: 0, which means all K8s cluster.
• Options: 0 (all K8s cluster), 1 (local K8s cluster).
• Note: The list of MAC and IP addresses is used by deepflow-agent to inject tags into data. This configuration can reduce the number and frequency of MAC and IP addresses delivered by deepflow-server to deepflow-agent. When the Pod IP is not used for direct communication between the K8s cluster and the outside world, deepflow-server can be configured to only deliver the information in the local K8s cluster to deepflow-agent.
• pod_cluster_internal_ip: 0

5. 控制开关

5.1 指标数据

• Default: 1. Options: 0 (disabled), 1 (enabled).
• Note: When disabled, deepflow-agent will not send metrics and logging data collected using eBPF and cBPF.
• collector_enabled: 1

5.2 非活跃端口指标数据

• Default: 1. Options: 0 (disabled), 1 (enabled).
• Note: When closed, deepflow-agent will not generate detailed metrics for each inactive port (ports that only receive data, not send data), and the data of all inactive ports will be aggregated into the metrics with a tag 'server_port = 0'.
• inactive_server_port_enabled: 1

5.3 非活跃 IP 指标数据

• Default: 1. Options: 0 (disabled), 1 (enabled).
• Note: When closed, deepflow-agent will not generate detailed metrics for each inactive IP address (IP addresses that only receive data, not send data), and the data of all inactive IP addresses will be aggregated into the metrics with a tag 'ip = 0'.
• inactive_ip_enabled: 1

5.4 网络性能指标数据

• Default: 1. Options: 0 (disabled), 1 (enabled).
• Note: When closed, deepflow-agent only collects some basic throughput metrics.
• l4_performance_enabled: 1

5.5 应用性能指标数据

• Default: 1. Options: 0 (disabled), 1 (enabled).
• Note: When closed, deepflow-agent will not collect RED (request/error/delay) metrics.
• l7_metrics_enabled: 1

5.6 秒粒度指标数据

• Default: 1. Options: 0 (disabled), 1 (enabled).
• vtap_flow_1s_enabled: 1

5.7 流日志开启网络位置

• Default: 0, which means all TAPs. Options: -1 (disabled), 0 (all TAPs).
• Note: The list of TAPs to collect l4_flow_log, you can also set a list of TAPs to be collected.
• l4_log_tap_types:
  • 0

5.8 调用日志开启网络位置

• Default: 0, which means all TAPs. Options: -1 (disabled), 0 (all TAPs).
• Note: The list of TAPs to collect l7_flow_log, you can also set a list of TAPs to be collected.
• l7_log_store_tap_types:
  • 0

5.9 流日志忽略观测点

• Default: [], stores everything.
• Note: Use the value of tap_side to control which l4_flow_log should be ignored for collection. This configuration also applies to tcp_sequence and pcap data in the Enterprise Edition.
• Supported values:
  • 0 (Rest)
  • 1 (Client)
  • 2 (Server)
  • 4 (Local)
  • 9 (ClientNode)
  • 10 (ServerNode)
  • 17 (ClientHypervisor)
  • 18 (ServerHypervisor)
  • 25 (ClientGatewayHypervisor)
  • 26 (ServerGatewayHypervisor)
  • 33 (ClientGateway)
  • 34 (ServerGateway)
  • 41 (ClientProcess)
  • 42 (ServerProcess)
  • 48 (App)
  • 49 (ClientApp)
  • 50 (ServerApp)
• l4_log_ignore_tap_sides: []

5.10 调用日志忽略观测点

• Default: [], stores everything.
• Note: Use the value of tap_side to control which l7_flow_log should be ignored for collection.
• Supported values: See l4_log_ignore_tap_sides.
• l7_log_ignore_tap_sides: []

5.11 数据集成服务

• Default: 1. Options: 0 (disabled), 1 (enabled).
• Note: Whether to enable receiving external data sources such as Prometheus, Telegraf, OpenTelemetry, and SkyWalking.
• external_agent_http_proxy_enabled: 1

5.12 数据集成端口

• Default: 38086. Options: [1, 65535].
• external_agent_http_proxy_port: 38086

5.13 Prometheus API 地址

• Note: Get target from Prometheus and synchronize to the deepflow-server.
• Example:
  • prometheus_http_api_addresses:
    • http://10.96.1.8:9090

6. 高级配置

static_config:

  #########
  # K8s apiserver #
  #########
  # K8s Namespace
  # Note: Used when deepflow-agent has only one k8s namespace query permission.
  kubernetes-namespace:

  # K8s api list limit
  # Default: 1000. Options: [10, 4294967296)
  # Note: Used when limit k8s api list entry size.
  kubernetes-api-list-limit: 1000

  # K8s api list interval
  # Default: 10m. Must be larger than or equal to 10m.
  # Note: Interval of listing resource when watcher idles
  kubernetes-api-list-interval: 10m

  # K8s api resources
  # Note: Specify kubernetes resources to watch.
  #    The schematics of entries in list is:
  #    {
  #        name: string
  #        group: string
  #        version: string
  #        disabled: bool
  #    }
  #
  #    Agent will watch the following resources by default:
  #    - namespaces
  #    - nodes
  #    - pods
  #    - replicationcontrollers
  #    - services
  #    - daemonsets
  #    - deployments
  #    - replicasets
  #    - statefulsets
  #    - ingresses
  #
  #    To disable a resource, add an entry to the list with `disabled: true`:
  #
  #        kubernetes-resources:
  #        - name: services
  #          disabled: true
  #
  #    To enable a resource, add an entry of this resource to the list. Be advised that
  #    this setting overrides the default of the same resource. For example, to enable
  #    `statefulsets` in both group `apps` (the default) and `apps.kruise.io` will require
  #    two entries:
  #
  #        kubernetes-resources:
  #        - name: statefulsets
  #          group: apps
  #        - name: statefulsets
  #          group: apps.kruise.io
  #          version: v1beta1
  #
  #    The old `ingress-flavour` setting is deprecated. Watching `routes` in openshift will
  #    use these settings:
  #
  #        kubernetes-resources:
  #        - name: ingresses
  #         disabled: true
  #         - name: routes

  kubernetes-resources: []

  # [Deprecated] Type of Ingress
  # Note: This config is deprecated. Use `kubernetes-resources` instead.
  ingress-flavour: kubernetes

  # Pod MAC/IP Address Query Method
  # Default: adaptive. Options: adaptive, active, passive.
  # Note: In active mode, deepflow-agent enters the netns of other Pods through
  #   setns syscall to query the MAC and IP addresses. In this mode, the setns
  #   operation requires the SYS_ADMIN permission. In passive mode deepflow-agent
  #   calculates the MAC and IP addresses used by Pods by capturing ARP/ND traffic.
  #   When set to adaptive, active mode will be used first.
  kubernetes-poller-type: adaptive

  ############
  # Debug Configuration #
  ############
  # Golang Profiler
  # Note: Only available for Trident (Golang version of Agent).
  profiler: false

  # Client Port for deepflow-agent-ctl
  # Default: 0, which means use a random client port number.
  # Note: Only available for Trident (Golang version of Agent).
  debug-listen-port: 0

  # StatsD Counters For Sniffer
  # Note: Only available for Trident (Golang version of Agent).
  enable-debug-stats: false

  #######
  # AF_PACKET #
  #######
  # AF_PACKET Blocks Switch
  # Note: When tap_mode != 2, you need to explicitly turn on this switch to
  #   configure 'afpacket-blocks'.
  afpacket-blocks-enabled: false

  # AF_PACKET Blocks
  # Default: 128, Range: [8, +oo)
  # Note: deepflow-agent will automatically calculate the number of blocks
  #   used by AF_PACKET according to max_memory, which can also be specified
  #   using this configuration item. The size of each block is fixed at 1MB.
  afpacket-blocks: 128

  #########
  # Analyzer Mode #
  #########
  # Mirror Traffic Dedup
  # Note: Whether to enable mirror traffic deduplication when tap_mode = 2.
  analyzer-dedup-disabled: false

  # Buffer block size used to store raw packet.
  # Larger value will reduce memory allocation for raw packet, but will also
  # delay memory free.
  # Default: 65536, Range: [65536: +oo)
  analyzer-raw-packet-block-size: 65536

  # Default TAP for Mirror Traffic
  # Default: 3, means Cloud Network
  # Options: 1-2,4-255 (IDC Network), 3 (Cloud Network)
  # Note: deepflow-agent will mark the TAP (Traffic Access Point) location
  #   according to the outer vlan tag in the mirrored traffic of the physical
  #   switch. When the vlan tag has no corresponding TAP value, or the vlan
  #   pcp does not match the 'mirror-traffic-pcp', it will assign the TAP value.
  #   This configuration item.
  default-tap-type: 3

  # Mirror Traffic PCP
  # Note: Calculate TAP value from vlan tag only if vlan pcp matches this value.
  mirror-traffic-pcp: 0

  # NFVGW Traffic
  # Note: Whether it is the mirrored traffic of NFVGW (cloud gateway).
  cloud-gateway-traffic: false

  ######
  # Sender #
  ######
  # RAW_UDP Sender Performance Optimization
  # Note: When sender uses RAW_UDP to send data, this feature can be enabled to
  #   improve performance. Linux Kernel >= 3.14 is required. Note that the data
  #   sent when this feature is enabled cannot be captured by tcpdump.
  enable-qos-bypass: false

  ##########
  # NPB/PCAP Policy #
  ##########
  # Fast Path Map Size
  # Note: When set to 0, deepflow-agent will automatically adjust the map size
  #   according to max_memory.
  fast-path-map-size: 0

  # Fast Path Disabled
  # Note: When set to true, deepflow-agent will not use fast path.
  fast-path-disabled: false

  # Forward Table Capacity
  # Default: 16384. Range: [16384, +oo)
  # Note: When this value is larger, the more memory usage may be
  forward-capacity: 16384

  # Fast Path Level
  # Default: 8. Range: [1, 16]
  # Note: When this value is larger, the memory overhead is smaller, but the
  #   performance of policy matching is worse.
  first-path-level: 8

  ########
  # Dispatcher #
  ########
  # TAP NICs when tap_mode != 0
  # Note: Deprecated and instead use tap_interface_regex
  src-interfaces:
  - dummy0
  - dummy1

  ##########
  # InMemory Queue #
  ##########
  # Queue Size of FlowGenerator Output
  # Default: 65536. Range: [65536, +oo)
  # Note: the length of the following queues:
  #   - 1-tagged-flow-to-quadruple-generator
  #   - 1-tagged-flow-to-app-protocol-logs
  #   - 0-{flow_type}-{port}-packet-to-tagged-flow, flow_type: sflow, netflow
  flow-queue-size: 65536

  # Queue Size of QuadrupleGenerator Output
  # Default: 262144. Range: [262144, +oo)
  # Note: the length of the following queues:
  #   - 2-flow-with-meter-to-second-collector
  #   - 2-flow-with-meter-to-minute-collector
  quadruple-queue-size: 262144

  # Queue Size of Collector Output
  # Default: 65536. Range: [65536, +oo)
  # Note: the length of the following queues:
  #   - 2-doc-to-collector-sender
  collector-sender-queue-size: 65536

  # Queue Count of Collector Output
  # Default: 1. Range: [1, +oo)
  # Note: The number of replicas for each output queue of the collector.
  collector-sender-queue-count: 1

  # Queue Size of tcp option address info sync queue size
  # Default: 65536. Range: [1, +oo)
  # Note: The number of replicas for each output queue of the collector.
  toa-sender-queue-size: 65536

  # Queue Size of FlowAggregator/SessionAggregator Output
  # Default: 65536. Range: [65536, +oo)
  # Note: the length of the following queues:
  #   - 3-flow-to-collector-sender
  #   - 3-protolog-to-collector-sender
  flow-sender-queue-size: 65536

  # Queue Count of FlowAggregator/SessionAggregator Output
  # Default: 1. Range: [1, +oo)
  # Note: The number of replicas for each output queue of the
  #   FlowAggregator/SessionAggregator.
  flow-sender-queue-count: 1

  # Queue Size for Analyzer Mode
  # Default: 131072. Range: [65536, +oo)
  # Note: the length of the following queues (only for tap_mode = 2):
  #   - 0.1-bytes-to-parse
  #   - 0.2-packet-to-flowgenerator
  #   - 0.3-packet-to-pipeline
  analyzer-queue-size: 131072

  ####
  # LRU #
  ####

  # Size of tcp option address info cache size
  # Default: 65536. Range: [1, +oo)
  toa-lru-cache-size: 65536

  #############
  # Time Window Tolerance #
  #############
  # Extra Tolerance for QuadrupleGenerator Receiving 1s-FlowLog
  # Format: ${number}${time_unit}
  # Example: 1s, 2m, 10h
  second-flow-extra-delay-second: 0s

  # Maximum Tolerable Packet Delay
  # Default: 1s
  # Format: $number$time_unit
  # Example: 1s, 2m, 10h
  # Note: The timestamp carried by the packet captured by AF_PACKET may be delayed
  #   from the current clock, especially in heavy traffic scenarios, which may be
  #   as high as nearly 10s.
  packet-delay: 1s

  # l7_flow_log Aggregate Window
  # Default: 120s. Range: [20s, 300s]
  # Format: $number$time_unit
  # Example: 1s, 2m, 10h
  l7-log-session-aggr-timeout: 120s

  #####
  # PCAP #
  #####
  pcap:
    # Queue Size to PCAP Generator
    # Default: 65536. Range: [65536, +oo)
    # Note: the length of the following queues:
    #   - 1-mini-meta-packet-to-pcap
    queue-size: 65536

    # Pcap buffer size for each flow
    # Default: 64K
    # Note: buffer flushes when one of the flows reach this limit
    flow-buffer-size: 65536

    # Total pcap buffer size
    # Default: 96K
    # Note: buffer flushes when total data size reach this limit
    #       cannot exceed sender buffer size 128K
    buffer-size: 98304

    # Flow flush interval
    # Default: 1m
    # Note: flushes a flow if its first packet were older then this interval
    flush-interval: 1m

  ##############
  # FlowMap (FlowGenerator) #
  ##############
  flow:
    # HashSlot Size of FlowMap
    # Default: 131072
    # Note: Since FlowAggregator is the first step in all processing, this value
    #   is also widely used in other hash tables such as QuadrupleGenerator,
    #   Collector, etc.
    flow-slots-size: 131072

    # Maximum Flow
    # Default: 1048576
    # Note: Maximum number of flows that can be stored in FlowMap, It will also affect the capacity of
    #   the RRT cache, Example: rrt-cache-capacity = flow-count-limit / 4. When rrt-cache-capacity is
    #   not enough, it will be unable to calculate the rrt of l7.
    flow-count-limit: 1048576

    # Queue Size of FlowAggregator (1s->1m)
    # Default: 65536. Range: [65536, +oo)
    # Note: the length of the following queues:
    #   - 2-second-flow-to-minute-aggrer
    flow-aggr-queue-size: 65535

    # Flush Interval of FlowMap Output Queue
    # Format: $number$time_unit
    # Example: 1s, 2m, 10h
    # Note: Flush interval of the queue connected to the collector.
    flush-interval: 1s

    # Ignore MAC when Generate Flow
    # Note: When the MAC addresses of the two-way traffic collected at the same
    #   location are asymmetrical, the traffic cannot be aggregated into a Flow.
    #   You can set this value at this time. Only valid for Cloud (not IDC) traffic.
    ignore-tor-mac: false

    # Ignore L2End when Generate Flow
    # Note: For Cloud traffic, only the MAC address corresponding to the side with
    #   L2End = true is matched when generating the flow. Set this value to true to
    #   force a double-sided MAC address match and only aggregate traffic with
    #   exactly equal MAC addresses.
    ignore-l2-end: false

    # Ignore VLAN when Generate Flow
    # Note: When the VLAN of the two-way traffic collected at the same location
    #   are asymmetrical, the traffic cannot be aggregated into a Flow. You can
    #   set this value at this time. Only valid for IDC (not Cloud) traffic.
    ignore-idc-vlan: false

    # Timeouts for TCP State Machine
    # Format: $number$time_unit
    # Example: 1s, 2m, 10h
    established-timeout: 300s
    closing-rst-timeout: 35s
    others-timeout: 5s
    opening-rst-timeout: 1s

    # Size of memory pool used in flow_map
    # Default: 65536
    # Note: This value is used to set max length of memory pool in FlowMap
    #   Memory pools are used for frequently create and destroy objects like
    #   FlowNode, FlowLog, etc.
    memory-pool-size: 65536

  # Max size of batched buffer
  # Default: 131072. Range: [1024, +oo)
  # Note: Only TaggedFlow allocation is affected at the moment.
  #   Structs will be allocated in batch to minimalize malloc calls.
  #   Total memory size of a batch will not exceed this limit.
  #   A number larger than 128K is not recommended because the default
  #   MMAP_THRESHOLD is 128K, allocating chunks larger than 128K will
  #   result in calling mmap and more page faults.
  batched-buffer-size-limit: 131072

  ##########
  # DPDK RecvEngine #
  ##########
  # Enable for DPDK RecvEngine
  # Note: The DPDK RecvEngine is only started when this configuration item is turned on.
  #   Note that you also need to set tap_mode to 1. Please refer to
  #   https://dpdk-docs.readthedocs.io/en/latest/prog_guide/multi_proc_support.html
  ovs-dpdk-enable: false

  # Dedicated Core for DPDK RecvEngine
  # Default: 0, means disabled. Range: [1, 63]
  # Note: Setting this value makes deepflow-agent use dedicated CPU cores to capture traffic.
  dpdk-pmd-core-id: 0

  # DPDK Ring Port
  # Note: Mirror port to capture DPDK traffic.
  dpdk-ring-port: "dpdkr0"

  ############
  # Libpcap RecvEngine #
  ############
  # Enable for Libpcap RecvEngine
  # Note: Supports running on Windows and Linux, Low performance when using multiple interfaces.
  #   Default to true in Windows, false in Linux.
  libpcap-enabled: false

  ################
  # sFlow / NetFlow / NetStream #
  ################
  # sFlow & NetFlow Server Ports
  xflow-collector:
    sflow-ports:
    - 6343
    netflow-ports:
    - 2055

  ####
  # NPB #
  ####
  # Server Port for NPB
  npb-port: 4789

  # Reserve Flags for VXLAN
  # Default: 0xff. Range: [0x00, 0xff], except 0x8.
  # Note: NPB uses the first byte of the VXLAN Flag to identify the sending traffic to
  #   prevent the traffic sent by NPB from being collected by deepflow-agent. To ensure
  #   that the VNI bit is set, the value configured here will be used after |= 0x8.
  vxlan-flags: 0xff

  ######
  # Tunnel #
  ######
  # Remove ERSPAN Header
  # Note: Whether to remove the ERSPAN header in mirrored traffic. It is applicable to
  #   the ERSPAN protocol used by physical switch traffic mirroring and the TEB
  #   (Transport Ethernet Bridging) protocol used by VMware remote mirroring.
  decap-erspan: false

  #####
  # gRPC #
  #####
  # gRPC Socket Buffer Size
  # Default: 5. Unit: MB
  grpc-buffer-size: 5

  ##############
  # TAP MAC Address Mapping #
  ##############
  # TAP MAC Mapping Script
  # Note: The MAC address mapping relationship of TAP NIC in complex environment can be
  #   constructed by writing a script. The following conditions must be met to use this
  #   script:
  #   1. if_mac_source = 2
  #   2. tap_mode = 0
  #   3. The name of the TAP NIC is the same as in the virtual machine XML file
  #   4. The format of the script output is as follows:
  # tap2d283dfe,11:22:33:44:55:66
  # tap2d283223,aa:bb:cc:dd:ee:ff
  tap-mac-script: ""

  ####
  # BPF #
  ####
  # BPF Filter
  # Note: It is found that there may be bugs in BPF traffic filtering under some
  #   versions of Linux Kernel. After this configuration is enabled, deepflow-agent
  #   will not use the filtering capabilities of BPF, and will filter by itself after
  #   capturing full traffic. Note that this may significantly increase the resource
  #   overhead of deepflow-agent.
  bpf-disabled: false

  ######
  # plugin #
  ######
  # wasm plugin need to load in agent
  wasm-plugins: []

  # so plugin need to load in agent
  # Note: so plugin use dlopen flag RTLD_LOCAL and RTLD_LAZY to open the so file, it mean that
  # the so must solve the link problem by itself
  so-plugins: []

  ########
  # L7 Protocol #
  ########
  # L7 perf rrt calculate timeout
  # Note: the timeout of l7 log info rrt calculate, when rrt exceed the value will act as timeout and will not
  #   calculate the sum and average and will not merge the request and response in session aggregate. the value
  #   must greater than session aggregate SLOT_TIME(const 10s) and less than 3600 on tcp or 300 on udp.
  rrt-tcp-timeout: 1800s
  rrt-udp-timeout: 150s

  # Maximum Fail Count
  # Note: deepflow-agent will mark the long live stream and application protocol for each
  #   <vpc, ip, protocol, port> tuple, when the traffic corresponding to a tuple fails
  #   to be identified for many times (for multiple packets, Socket Data, Function Data),
  #   the tuple will be marked as an unknown type to avoid deepflow-agent continuing to
  #   try (incurring significant computational overhead) until the duration exceeds
  #   l7-protocol-inference-ttl.
  l7-protocol-inference-max-fail-count: 5

  # TTL of Protocol Identification
  # Unit: second
  # Note: deepflow-agent will mark the application protocol for each
  #   <vpc, ip, protocol, port> tuple. In order to avoid misidentification caused by IP
  #   changes, the validity period after successfully identifying the protocol will be
  #   limited to this value.
  l7-protocol-inference-ttl: 60

  # List of Application Protocols
  # Note: Turning off some protocol identification can reduce deepflow-agent resource consumption.
  l7-protocol-enabled:
  - HTTP # for both HTTP and HTTP_TLS
  - HTTP2 # for HTTP2, HTTP2_TLS and gRPC
  - SofaRPC
  - FastCGI
  - Dubbo
  - MySQL
  - PostgreSQL
  - Oracle
  - Redis
  - MongoDB
  - Kafka
  - MQTT
  - DNS
  - Custom # custom protocol from plugin

  # Application Protocol Port Numbers
  # Default: 53 for DNS, 1-65535 for other Protocols.
  # Format: map<protocol-name, port-list>
  # Example: "HTTP": 80,1000-2000
  l7-protocol-ports:
    "HTTP": "1-65535"  for both HTTP and HTTP_TLS
    "HTTP2": "1-65535"  for HTTP2, HTTP2_TLS and gRPC
    "Custom": "1-65535"  plugins
    "SofaRPC": "1-65535"
    "FastCGI": "1-65535"
    "Dubbo": "1-65535"
    "MySQL": "1-65535"
    "PostgreSQL": "1-65535"
    "Oracle": "1-65535"
    "Redis": "1-65535"
    "MongoDB": "1-65535"
    "Kafka": "1-65535"
    "MQTT": "1-65535"
    "DNS": "53"

  ############
  # L4 Packet Sequence #
  ############
  # Block Size
  # Default: 256. Unit: Byte.
  # Note: When generating TCP header data, each flow uses one block to compress and
  #   store multiple TCP headers, and the block size can be set here.
  packet-sequence-block-size: 256

  # Queue Size of PacketSequence Output
  # Default: 65536. Range: [65536, +oo)
  # Note: the length of the following queues (to UniformCollectSender):
  #   - 1-packet-sequence-block-to-uniform-collect-sender
  packet-sequence-queue-size: 65536

  # Queue Count of PacketSequence Output
  # Default: 1. Range: [1, +oo)
  # Note: The number of replicas for each output queue of the PacketSequence.
  packet-sequence-queue-count: 1

  # Reported Header Fields
  # Default: 0, means to disable this feature.
  # Note: packet-sequence-flag determines which fields need to be reported, the default
  #   value is 0, which means the feature is disabled, and 255, which means all fields
  #   need to be reported all fields corresponding to each bit:
  #   | FLAG | SEQ | ACK | PAYLOAD_SIZE | WINDOW_SIZE | OPT_MSS | OPT_WS | OPT_SACK |
  #   8      7     6     5              4             3         2        1          0
  packet-sequence-flag: 0

  ########
  # Integration #
  ########
  # Compress Integration Data
  # Note: Whether to compress the integrated data received by deepflow-agent. Currently,
  #   only opentelemetry data is supported, and the compression ratio is about 5:1~10:1.
  #   Turning on this feature will result in higher CPU consumption of deepflow-agent.
  external-agent-http-proxy-compressed: false

  # Prometheus Extra Labels
  # Note: Support for getting extra labels from headers in http requests from remoteWrite.
  prometheus-extra-config:
    # Note: Prometheus Extra Labels Switch
    enabled: false
    # Note: Labels list. Labels in this list are sent. Label is a string matching the regular expression [a-zA-Z_][a-zA-Z0-9_]*
    labels:
      - label1
      - label2
    # Note: The size limit of the parsed key
    # Default: 1024. Unit: B. Range: [1024, 1048576]
    labels-limit: 1024
    # Note: The size limit of the parsed value
    # Default: 4096. Unit: B. Range: [4096, 4194304]
    values-limit: 4096

  ############
  # eBPF Configuration #
  ############
  ebpf:
    # eBPF Switch
    # Default: false
    disabled: false

    # Log file
    log-file: ""

    # Regex for Process Name
    # Note: The name of the process where each feature of ebpf uprobe takes effect,
    #   which is configured using regular expressions
    uprobe-process-name-regexs:

      # Note: Process name to enable Golang-specific symbol table parsing. The default
      #   value is "", which means that this feature is not enabled for any process.
      #   This feature acts on Golang processes that have trimmed the standard symbol
      #   table. For example, the management process of K8s generally belongs to this
      #   category. When this feature is enabled, for processes with Golang
      #   version >= 1.13 and < 1.18, when the standard symbol table is missing, the
      #   Golang-specific symbol table will be parsed to complete uprobe data collection.
      #   Note that enabling this feature may cause the eBPF initialization process to
      #   take ten minutes.
      golang-symbol: ""

      # Note: The name of the Golang process that enables HTTP2/HTTPS protocol data collection
      #   and auto-tracing. go auto-tracing also dependent go-tracing-timeout.
      #   The default value is "", which means it is disabled for all Golang processes.
      golang: ""

      # Note: The name of the process that uses the openssl library to enable HTTPS
      #   protocol data collection. The default is "", which means that it is disabled for
      #   all processes that use the openssl library.
      openssl: ""

    kprobe-blacklist:
      # TCP&UDP Port Blacklist, Priority higher than kprobe-whitelist.
      # Default: null, means no port
      # Format: x-y, z
      port-list:

    kprobe-whitelist:
      # TCP&UDP Port Whitelist, Priority lower than kprobe-blacklist.
      # Default: null, means no port
      # Format: x-y, z
      port-list:

    # eBPF work-thread number
    # Default: 1. Range: [1, Number of CPU logical cores on the host]
    # Note: The number of worker threads refers to how many threads participate in data processing in user-space.
    thread-num: 1

    # eBPF perf pages count
    # Default: 128. Range: [32, 8192]
    # Note: The number of page occupied by the shared memory of the kernel. The value is 2^n ( n range [5, 13] ). Used for perf data transfer.
    #   If the value is between 2^n and 2^(n+1), it will be automatically adjusted by the ebpf configurator to the minimum value (2^n).
    perf-pages-count: 128

    # eBPF dispatch ring size
    # Default: 65536. Range: [8192, 131072]
    # Note: The size of the ring cache queue, The value is 2^n ( n range [13, 17] ).
    #   If the value is between 2^n and 2^(n+1), it will be automatically adjusted by the ebpf configurator to the minimum value (2^n).
    ring-size: 65536

    # eBPF max socket entries
    # Default: 524288. Range: [100000, 2000000]
    # Note: Set the maximum value of hash table entries for socket tracking, depending on the number of concurrent requests in the actual scenario
    max-socket-entries: 524288

    # eBPF socket map max reclaim
    # Default: 520000. Range: [100000, 2000000]
    # Note: The maximum threshold for cleaning socket map table entries.
    socket-map-max-reclaim: 520000

    # eBPF max trace entries
    # Default: 524288. Range: [100000, 2000000]
    # Note: Set the maximum value of hash table entries for thread/coroutine tracking sessions.
    max-trace-entries: 524288

    # eBPF go trace timeout
    # Default: 120 second[s]. Range: [0, +]
    # Note: The expected maximum time interval between the server receiving the request and returning the response,
    #   If the value is 0, this feature is disabled. Tracing only considers the thread number.
    go-tracing-timeout: 120

    # eBPF IO event collect mode
    # Default: 1 . Range: [0, 1, 2]
    # Note:
    #   0: Indicates that no IO events are collected.
    #   1: Indicates that only IO events within the request life cycle are collected.
    #   2: Indicates that all IO events are collected.
    io-event-collect-mode: 1

    # eBPF IO event minimal duration
    # Default: 1ms. Range: [1ns, 1s]
    # Note: Only collect IO events with delay exceeding this threshold, the default value is 1ms.
    io-event-minimal-duration: 1ms

    # on-cpu profile configuration
    on-cpu-profile:
      # eBPF on-cpu Profile Switch
      # Default: false
      disabled: false

      # Sampling frequency
      # Default: 99
      frequency: 99

      # Whether to obtain the value of CPUID and decide whether to participate in aggregation.
      # Set to 1:
      #    Obtain the value of CPUID and will be included in the aggregation of stack trace data.
      # Set to 0:
      #    It will not be included in the aggregation. Any other value is considered invalid,
      #    the CPU value for stack trace data reporting is a special value (CPU_INVALID:0xfff)
      #    used to indicate that it is an invalid value.
      # Default: 0
      cpu: 0

      # Sampling process name
      # Default: ^deepflow-.*
      regex: ^deepflow-.*

      # The maximum limit space in the root directory of each Java process. deepflow-agent will
      # automatically create a `/deepflow/` directory to temporarily store the symbol files of the
      # Java process. The space occupied by the files written by deepflow-agent will not exceed this
      # configured value. All files are stored temporarily and are immediately cleared once the Java
      # symbol files are obtained.
      # Default: 10. Range: [2, 100]
      # Which means it falls within the interval of 2Mi to 100Mi. If the configuration value is outside
      # this range, the default value of 10(10Mi), will be used.
      java-symbol-file-max-space-limit: 10


      # When deepflow-agent finds that an unresolved function name appears in the function call stack
      # of a Java process, it will trigger the regeneration of the symbol file of the process.
      # Because Java utilizes the Just-In-Time (JIT) compilation mechanism, to obtain more symbols for
      # Java processes, the regeneration will be deferred for a period of time.
      # Default: 60s. Range: [5, 3600]s
      # The unit of measurement used is seconds.
      java-symbol-file-refresh-defer-interval: 60s

  ###################
  # Agent Running in Standalone Mode #
  ###################
  # Data File Size
  # Default: 200. Unit: MB.
  # Note: When deepflow-agent runs in standalone mode, it will not be controlled by
  #   deepflow-server, and the collected data will only be written to the local file.
  #   Currently supported data types for writing are l4_flow_log and l7_flow_log. Each
  #   type of data is written to a separate file. This configuration can be used to
  #   specify the maximum size of the data file, and rotate when it exceeds this size.
  #   A maximum of two files are kept for each type of data.
  standalone-data-file-size: 200

  # Directory of Data File
  # Note: Directory where data files are written to.
  standalone-data-file-dir: /var/log/deepflow-agent/

  # Log File Path
  # Note: Note that this configuration is only used in standalone mode.
  log-file: /var/log/deepflow-agent/deepflow-agent.log

  ##########
  # Proc Monitoring #
  ##########
  # whether to sync os socket and proc info
  # Default: false
  # Note: only make sense when agent type is one of CHOST_VM, CHOST_BM, K8S_VM, K8S_BM
  os-proc-sync-enabled: false

  # To sync tagged processed only
  # Default: false
  os-proc-sync-tagged-only: false

  # The proc fs mount path
  # Default: /proc
  os-proc-root: /proc

  # Socket scan and sync interval
  # Default: 10
  # Note: Note that the value unit is second.
  os-proc-socket-sync-interval: 10

  # Socket and Process uptime threshold
  # Default: 3
  # Note: Note that the value unit is second.
  os-proc-socket-min-lifetime: 3

  # The command execute and read the yaml from stdout
  # Default: []
  # Note: Execute the command every time when scan the process, expect get the process tag from stdout in yaml format,
  # the example yaml format as follow:
  #  - pid: 1
  #    tags:
  #    - key: xxx
  #      value: xxx
  #  - pid: 2
  #    tags:
  #    - key: xxx
  #      value: xxx
  os-app-tag-exec: ["cat", "/tmp/tag.yaml"]

  # The user who should execute the `os-app-tag-exec` command
  # Default: deepflow
  os-app-tag-exec-user: deepflow

  # the regular expression use for match process and replace the process name
  # Note: will traverse over the entire array, so the previous ones will be matched first.
  #   when match-type is parent_process_name, will recursive to match parent proc name, and rewrite-name field will ignore.
  #   rewrite-name can replace by regexp capture group and windows style environment variable, for example:
  #   `$1-py-script-%HOSTNAME%` will replace regexp capture group 1 and HOSTNAME env var.
  #   if proc not match any regexp will be accepted (essentially will auto append '- match-regex: .*' at the end).
  #
  # Example:
  #   os-proc-regex:
  #     - match-regex: python3 (.*)\.py
  #       match-type: cmdline
  #       action: accept
  #       rewrite-name: $1-py-script
  #     - match-regex: (?P<PROC_NAME>nginx)
  #       match-type: process_name
  #       rewrite-name: ${PROC_NAME}-%HOSTNAME%
  #     - match-regex: "nginx"
  #       match-type: parent_process_name
  #       action: accept
  #     - match-regex: .*sleep.*
  #       match-type: process_name
  #       action: drop
  #     - match-regex: .+  match after concatenating a tag key and value pair using colon, i.e., an regex `app:.+` can match all processes has a `app` tag
  #       match-type: tag
  #       action: accept
  os-proc-regex:

    # The regexp use for match the process
    # Default: .*
    - match-regex:

      # Regexp match field
      # Default: process_name
      # Note: Options: process_name, cmdline, parent_process_name.
      match-type:

      # Action when RegExp match
      # Default: accept
      # Note: Options: accept, drop.
      action:

      # The name will replace the process name or cmd use regexp replace
      # Default: ""
      # Note: null string will not replace.
      rewrite-name:

  ##########
  # Guard Interval #
  ##########
  # Time interval for the agent to detect its own state.
  # Default: 10s. Unit: s. Range: [1s, 3600s].
  # Note: The agent will detect:
  #   1. System free memory;
  #   2. Get the number of threads of the agent itself by reading the file information under the /proc directory;
  #   3. Size and number of log files generated by the agent.
  guard-interval: 10s

  ########
  # Memory trim #
  ########
  # Note:
  #   Using memory trimming can effectively reduce memory usage, but there may be performance loss
  memory-trim-disabled: false

  ##########
  # Check core file #
  ##########
  # Note:
  #   When the host has an invalid NFS file system or a docker is running, Sometime program hang when checking the
  #   core file, so the core file check provides a switch to prevent the process hang.
  #   Additional links:
  #     https://serverfault.com/questions/367438/ls-hangs-for-a-certain-directory
  #     https://unix.stackexchange.com/questions/495854/processes-hanging-when-trying-to-access-a-file
  check-core-file-disabled: false

  #########
  # CPU Affinity #
  #########
  # Note:
  #   CPU affinity is the tendency of a process to run on a given CPU for as long as possible without being migrated
  #   to other processors
  # Example:
  #   cpu-affinity: 1,3,5,7,9,11,13,15
  cpu-affinity:

  ################
  # Process scheduling priority #
  ################
  # Note:
  #   The smaller the value of process scheduling priority, the higher the priority of the process,
  #   and the larger the priority, the lower the priority
  #   Default: 0. Range: [-20, 19].
  # Example:
  #   process-scheduling-priority: -15
  process-scheduling-priority: 0

  ###########
  # External Signals #
  ###########
  # Note:
  #   When it is false, it supports the integration of java-async-profiler, golang-pprof and other profile data by instrumentation
  external-profile-integration-disabled: false

  # Note:
  #   When it is false, it supports the integration of OpenTelemetry, SkyWalking and other tracking data in accordance with the OTLP protocol
  external-trace-integration-disabled: false

  # Note:
  #   When it is false, it supports the integration of metrics data of Prometheus, InfluxDB and other protocols
  external-metric-integration-disabled: false

  ###########
  # NTP Configuration #
  ###########
  # Note:
  #   When the timestamp fallback exceeds this value, the agent will restart.
  # Default: 300s
  ntp-max-interval = 300s

  # Note:
  #   When the time difference exceeds this value, the timestamp will be corrected.
  # Default: 10s
  ntp-min-interval = 10s

  ########
  # FeatureFlag #
  ########
  # Note: Unreleased deepflow-agent features can be turned on by setting this switch.
  feature-flags: