Starter Configuration - Stdout Only

This is a simple configuration to get started with QTap without any external dependencies. Everything outputs to your console for immediate visibility.

Quick Start Configuration

Save this as qtap-starter.yaml:

version: 2

# Storage Configuration - Everything to console
services:
  # Event metadata goes to stdout
  event_stores:
    - type: stdout
  
  # Object data (headers) goes to stdout
  object_stores:
    - type: stdout

# Processing Stack - Simple HTTP capture
stacks:
  starter_stack:
    plugins:
      # HTTP Capture plugin - outputs to console
      - type: http_capture
        config:
          level: details  # Capture headers (use 'full' for bodies too)
          format: text    # Human-readable format (use 'json' for structured)

# Traffic Capture Settings
tap:
  direction: egress  # Capture outgoing traffic
  ignore_loopback: true  # Skip localhost traffic
  audit_include_dns: false  # Skip DNS queries for cleaner output
  http:
    stack: starter_stack

Running the Starter Config

Quick Test

# Install/Update QTap
curl -s https://get.qpoint.io/install | sudo sh

# Run with the config (runs in foreground by default)
sudo qtap --config=qtap-starter.yaml

Testing Your Configuration

Once QTap is running, test it with some HTTP requests on the same host:

# In another terminal, make test requests:

# Test 1: Simple GET request
curl https://httpbin.org/get

# Test 2: POST with headers
curl -X POST https://httpbin.org/post \
  -H "X-Test-Header: test-value" \
  -d "test=data"

You should see output in your QTap terminal showing the captured traffic.

Configuration Variations

Variation 1: Capture Everything (Including Bodies)

version: 2

services:
  event_stores:
    - type: stdout
  object_stores:
    - type: stdout

stacks:
  debug_stack:
    plugins:
      - type: http_capture
        config:
          level: full     # Capture everything including bodies
          format: json    # Structured output for parsing

tap:
  direction: all          # Capture both ingress and egress
  ignore_loopback: false  # Include localhost traffic
  audit_include_dns: true # Include DNS queries
  http:
    stack: debug_stack

Variation 2: With Filtering Rules

version: 2

services:
  event_stores:
    - type: stdout
  object_stores:
    - type: stdout

stacks:
  filtered_stack:
    plugins:
      - type: http_capture
        config:
          level: summary  # Default: just basic info
          format: text
          rules:
            # Capture headers for specific domains
            - name: "API calls"
              expr: http.req.host contains "api"
              level: details
            
            # Capture everything for errors
            - name: "Error debugging"
              expr: http.res.status >= 400
              level: full
            
            # Skip health checks entirely
            - name: "Ignore health"
              expr: http.req.path in ["/health", "/ping"]
              level: none

tap:
  direction: egress
  ignore_loopback: true
  audit_include_dns: false
  http:
    stack: filtered_stack

Variation 3: Using access_logs Plugin (Deprecated)

version: 2

services:
  event_stores:
    - type: stdout
  object_stores:
    - type: stdout

stacks:
  logging_stack:
    plugins:
      # Access logs plugin (deprecated)
      - type: access_logs
        config:
          mode: details      # Options: summary, details, full
          format: console    # Human-readable format
 
tap:
  direction: egress
  ignore_loopback: true
  audit_include_dns: false
  http:
    stack: logging_stack

Understanding the Output

With http_capture plugin (text format):

[HTTP] GET https://httpbin.org/get
Headers:
  User-Agent: curl/7.81.0
  Accept: */*
Status: 200 OK
Duration: 145ms

With http_capture plugin (json format):

{
  "timestamp": "2024-10-15T10:23:45Z",
  "http": {
    "method": "GET",
    "host": "httpbin.org",
    "path": "/get",
    "status": 200,
    "headers": {
      "user-agent": "curl/7.81.0"
    }
  },
  "direction": "egress"
}
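
An added example (not part of the QTap documentation or Qpoint's code): a small Python filter for the json format shown above that pulls events out of mixed console output and masks credential-bearing header values before the events are stored or shared, since the details and full levels put header values on the console. It assumes real events follow the sample's field names; the header list, the sample input and the function names are constructed for illustration.

```python
import json

# Header names treated as secrets (assumed list for this example; extend as needed).
SENSITIVE = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}

# Constructed console output: a log line, the page's sample event, one compact event.
SAMPLE = """qtap: starting (constructed log line, not real QTap output)
{
  "timestamp": "2024-10-15T10:23:45Z",
  "http": {"method": "GET", "host": "httpbin.org", "path": "/get", "status": 200,
           "headers": {"user-agent": "curl/7.81.0"}},
  "direction": "egress"
}
{"timestamp": "2024-10-15T10:23:46Z", "http": {"method": "POST", "host": "api.example.com", "path": "/login", "status": 401, "headers": {"Authorization": "Bearer constructed-token", "accept": "*/*"}}, "direction": "egress"}
"""

def iter_events(text):
    """Yield every JSON object in text that has an "http" key.

    Handles compact and pretty-printed objects and skips anything else,
    including the inner fragments of an event truncated mid-write.
    """
    decoder, pos = json.JSONDecoder(), 0
    while (start := text.find("{", pos)) != -1:
        try:
            obj, pos = decoder.raw_decode(text, start)
        except json.JSONDecodeError:
            pos = start + 1  # no complete object starts here; keep scanning
            continue
        if isinstance(obj.get("http"), dict):
            yield obj

def redact(event):
    """Return a copy of event with sensitive header values masked."""
    http = dict(event["http"])
    headers = http.get("headers") or {}
    http["headers"] = {k: "[REDACTED]" if k.lower() in SENSITIVE else v
                       for k, v in headers.items()}
    return {**event, "http": http}

def process(text):
    """Parse console output and return the redacted events as a list."""
    return [redact(e) for e in iter_events(text)]

if __name__ == "__main__":
    for event in process(SAMPLE):
        print(json.dumps(event))
```
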

With access_logs plugin:

2024-10-15T10:23:45Z [EGRESS] GET httpbin.org/get 200 145ms

Troubleshooting

No Output Appearing

  1. Check for errors:

    sudo qtap --config=qtap-starter.yaml --log-level=debug

Too Much Output

If you're seeing too much traffic, add filters:

tap:
  filters:
    groups:
      - kubernetes  # Ignore k8s system traffic
      - qpoint     # Ignore QTap itself
    custom:
      - exe: /usr/bin/prometheus
        strategy: exact

Wrong Traffic Direction

  • egress: Outgoing traffic from your system

  • ingress: Incoming traffic to your services

  • all: Both directions

For testing with curl, use egress. For monitoring a web server, use ingress.

Next Steps

Once you've confirmed QTap is working:

  1. Add filtering rules to focus on specific traffic

  2. Switch to JSON format for easier parsing

  3. Add S3 storage for long-term retention

  4. Deploy as a service using systemd

Minimal Test Config

The absolute minimum config to see if QTap works:

version: 2
services:
  event_stores:
    - type: stdout
  object_stores:
    - type: stdout
stacks:
  test:
    plugins:
      - type: access_logs
        config:
          mode: details
          format: console
tap:
  direction: egress
  ignore_loopback: true
  audit_include_dns: false
  http:
    stack: test

Save as test.yaml and run:

sudo qtap --config=test.yaml

Then, in another terminal on the same host:

curl https://example.com

You should immediately see the captured request in your QTap terminal.
