Qtap can be managed locally with a YAML config file. This guide explains how to create, deploy, and maintain a local configuration file for Qtap.
Configuration File Structure
The qpoint.yaml file consists of three main sections:
(Where processed data goes)
Here's the basic structure:
Copy version: 2
services:
event_stores:
# Event storage configuration
object_stores:
# Object storage configuration
stacks:
stack_1:
plugins:
# First plugin configuration
stack_2:
plugins:
# Second plugin configurations (optional)
tap:
# Global traffic capture settings Creating a Basic Configuration
Let's walk through creating a simple configuration file step by step.
Step 1: Set Version
Start by setting the configuration version:
Next, define where captured data will be stored:
Stdout S3 Endpoint
Copy services:
# For connection metadata (anonymized)
event_stores:
- id: console_stdout
- type: stdout
# For actual request/response content
object_stores:
- id: console_stdout
- type: stdout This configuration:
Outputs events (connection metadata) to the console for debugging
Outputs objects (request/response content) to the console for debugging
Copy services:
# For connection metadata (anonymized)
event_stores:
- id: console_stdout
type: stdout
# For actual request/response content
object_stores:
- id: minio
type: s3
endpoint: 127.0.0.1:9000
bucket: qpoint
region: us-east-1
access_url: http://localhost:9000/{{BUCKET}}/{{DIGEST}}
insecure: true
access_key:
type: env
value: S3_ACCESS_KEY
secret_key:
type: env
value: S3_SECRET_KEY This configuration:
Outputs events (connection metadata) to the console for debugging
Stores objects (request/response content) in a locally running MinIO S3-compatible store
Uses environment variables for S3 credentials (recommended for security)
Step 3: Set Up Processing Plugins
Define how captured data will be processed:
Copy stacks:
default_stack: # Stack Name
plugins:
- type: access_logs
config:
mode: details # Default action (summary|details|full)
format: console # (json|console)
rules:
- name: summary log example.com
expr: request.host == "example.com"
mode: summary
- name: details log on anything above 400
expr: response.status >= 400
mode: full This configuration:
Creates a stack named "default_stack"
The access logs plugin provides summary-level debug information with specific capture definitions for example.com, or full payload capture for traffic with a status code above 400
Finally, set up what traffic to capture and send to plugins:
Copy tap:
direction: egress
ignore_loopback: false
audit_include_dns: true
http:
stack: default_stack This configuration:
Captures all outgoing (egress) traffic
Includes loopback traffic
Includes DNS information in audit logs
Applies the default_stack to HTTP traffic for processing
Example
Putting it all together:
Copy version: 2
services:
event_stores:
- id: console_stdout
type: stdout
object_stores:
- id: console_stdout
type: stdout
stacks:
default_stack: # Stack Name
plugins:
- type: access_logs
config:
mode: details # Default action (summary|details|full)
format: console # (json|console)
rules:
- name: summary log example.com
expr: request.host == "example.com"
mode: summary
- name: details log on anything above 400
expr: response.status >= 400
mode: full
tap:
direction: egress
ignore_loopback: true
audit_include_dns: true
http:
stack: default_stack 