Routing Alerts
You can configure alert outputs to write only certain message types to their output. This lets you route critical data, such as alerts and smart policy messages, to a central system (for example a SIEM for triage), and less critical messages, such as audit messages, to an archival store. By default, alert outputs are set up to deliver `alert` and `smart_policy` messages, but this can be customized by adding a `message_types` key to the alert output definition.

Here's an example:
alert_output:
  outputs:
    # write all message types to standard out
    - type: stdout
      enabled: true
      template: 'Alert triggered: {{ .StrategyName}}'
      message_types:
        - alert
        - smart_policy
        - audit
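As an added illustration (not the tool's own code), the following Python model applies the routing rule described above: each enabled output receives only the message types it lists, and an output that omits `message_types` falls back to the default of `alert` and `smart_policy`, so audit messages are silently dropped unless listed. The config dict mirrors the YAML above; the second and third outputs, the message contents and the template rendering are constructed assumptions.

```python
import re

# Default message types delivered when an output omits `message_types`.
DEFAULT_MESSAGE_TYPES = ("alert", "smart_policy")

# Constructed config, the Python equivalent of the YAML above plus two more
# outputs: one that only receives audit messages and one that is disabled.
CONFIG = {
    "alert_output": {
        "outputs": [
            # no message_types -> defaults (alert, smart_policy); audit is dropped
            {"type": "stdout", "enabled": True,
             "template": "Alert triggered: {{ .StrategyName}}"},
            # audit-only output, e.g. the one you would point at an archive
            {"type": "stdout", "enabled": True,
             "template": "Audit: {{ .StrategyName}}",
             "message_types": ["audit"]},
            # disabled output receives nothing regardless of message_types
            {"type": "stdout", "enabled": False,
             "template": "{{ .StrategyName}}",
             "message_types": ["alert", "smart_policy", "audit"]},
        ]
    }
}

# Constructed sample messages; StrategyName values are made up.
MESSAGES = [
    {"type": "alert", "StrategyName": "privileged-container"},
    {"type": "smart_policy", "StrategyName": "anomalous-exec"},
    {"type": "audit", "StrategyName": "config-reload"},
]


def render(template, message):
    # Minimal stand-in for the Go-style template: {{ .Field }} -> message["Field"].
    return re.sub(r"\{\{\s*\.(\w+)\s*\}\}",
                  lambda m: str(message.get(m.group(1), "")), template)


def route(config, messages):
    """Return {output_index: [rendered lines]} for every enabled output."""
    delivered = {}
    for idx, out in enumerate(config["alert_output"]["outputs"]):
        if not out.get("enabled", False):
            continue
        accepted = set(out.get("message_types", DEFAULT_MESSAGE_TYPES))
        delivered[idx] = [render(out["template"], msg)
                          for msg in messages if msg["type"] in accepted]
    return delivered


if __name__ == "__main__":
    for idx, lines in route(CONFIG, MESSAGES).items():
        print(f"output {idx}: {lines}")
```

Running it shows the first output never sees the audit message, which is the behaviour to check for before relying on the defaults for a compliance archive.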