This page describes configuration using Puppet. For installations that do not use Puppet, such as installation on a clean CentOS or RHEL installation using YUM, this page is not applicable. |
The squirro.yaml file, located at /etc/squirro.yaml is a configuration file for a Squirro server. See the section Puppet for how this file is used by Puppet and how to apply its changes. This page lists all the configuration options in this file.
| Option | Category | Description |
|---|---|---|
| squirro::storage::heap_size | Elasticsearch | Elasticsearch memory usage |
| squirro::storage::allow_es_api_access | Elasticsearch | Allow direct access to Elasticsearch |
| squirro::cluster::public_uri | General | Public hostname |
| squirro::cluster::log_level | Monitoring | Log verbosity |
| squirro::services::configuration::signup | Security | Disable user signup |
| os::ssh_trusted_ips | Security | IP restriction for SSH access |
| squirro::nginx::ssl_certificate | Security | Custom SSL certificate |
| squirro::nginx::ssl_key | Security | Custom SSL certificate |
squirro::cluster::public_uri
For a few functions, such as sending out alert emails, Squirro needs to know the address where it is reachable by users. For that we recommend that the Squirro server is registered in the DNS system. Once you know the URL on which Squirro can be reached, it can be set with the following configuration:
squirro::cluster::public_uri: https://demo.squirro.net |
squirro::services::configuration::signup
By default users can create their own account on a Squirro installation. That is only recommended initially, for setting up of the administration account. Afterwards, this should be disabled:
squirro::services::configuration::signup: false |
os::ssh_trusted_ips
SSH access to the server is not restricted initially. But especially when your Squirro installation is accessible from the Internet, SSH access should be limited to known IP addresses. This configuration option takes a list of IP addresses and IP network ranges, that are allowed SSH access.
os::ssh_trusted_ips:
- 192.168.0.10 # Single IP
- 192.168.0.0/24 # IP range |
squirro::nginx::ssl_certificate, squirro::nginx::ssl_key
Squirro comes with a self-signed SSL certificate that will cause your browser to display a security warning.
Provide your own SSL certificate using these parameters. The SSL certificate should match the server's public host name.
squirro::storage::heap_size
The memory usage of Elasticsearch is one of the deciding factors for Squirro cluster performance. If set too low, the performance and amount of documents that can be indexed is limited. If set too high, it will starve the server of RAM which affects stability and performance of all the other services.
The following table shows the recommended sizing:
| System RAM | Storage size setting |
|---|---|
| 4 GB | squirro::storage::heap_size: 1g |
| 8 GB | squirro::storage::heap_size: 2g |
| 16 GB | squirro::storage::heap_size: 6g |
| 32 GB | squirro::storage::heap_size: 16g |
| 64 GB+ | squirro::storage::heap_size: 31g |
Its important to never give Elasticsearch more than 31 GB of RAM, as otherwise it will slow down.
squirro::storage::allow_es_api_access
Elasticsearch can be exposed for direct access on port 9200. Use this setting to enable that access:
squirro::storage::allow_es_api_access: true |
Elasticsearch is then accessible on http://yourip:9200. The head plugin is a helpful debugging tool, which is accessible at http://yourip:9200/_plugin/head.
Enabling direct access to Elasticsearch is insecure and will bypass all ACL rules. This should only be done for debugging and within a trusted environment. |
squirro::cluster::log_level
By default Squirro only write messages at the WARN level to its log files. So warnings and errors are reported, while generic debugging output is omitted.
The log level can be changed to increase the verbosity or decrease it even more.
Possible log levels are:
Example:
squirro::cluster::log_level: DEBUG |