Configuration Examples

Find an example below that matches your workload.

Default (Balanced)

Typical workload.

caches:
  rec-tasks: 32
  tasks: 64
  cmds: 32
  args: 32
  files: 32
  dirs: 16
  bases: 32
  task-file: 32
  file-task: 32
  task-ref: 32
  flows: 32
  task-flow: 32
  flow-task: 32
  flow-ref: 32

• Balanced for general use
• Handles moderate process count
• Suits containers and servers
• Default in standalone.yaml
• ️Heavy load: may need shorter cadence to prevent misses
• ️Small containers risk OOM

Small Devices

Low-resource systems.

caches:
  rec-tasks: 16
  tasks: 32
  cmds: 16
  args: 16
  files: 16
  dirs: 4
  bases: 8
  task-file: 256
  file-task: 256
  task-ref: 256
  flows: 64
  task-flow: 64
  flow-task: 64
  flow-ref: 64

• Minimal RAM for tiny containers
• Good for embedded/IoT/edge
• ️Raising cadence may cut misses (uses more CPU)
• ️Misses OK if other recipes cover gaps

Comprehensive Detection

Larger caches for more detection context.

caches:
  rec-tasks: 32
  tasks: 64
  cmds: 32
  args: 32
  files: 32
  dirs: 16
  bases: 32
  task-file: 512
  file-task: 512
  task-ref: 512
  flows: 128
  task-flow: 128
  flow-task: 128
  flow-ref: 128

• Higher RAM for large setups
• Supports longer cadence (lower CPU), less event loss
• Better event and flow correlation
• More context retention
• Fewer missed events
• For large, complex workloads

Heavy I/O

Max caches for busiest environments.

caches:
  rec-tasks: 64
  tasks: 128
  cmds: 64
  args: 64
  files: 64
  dirs: 32
  bases: 64
  task-file: 1024
  file-task: 1024
  task-ref: 1024
  flows: 256
  task-flow: 256
  flow-task: 256
  flow-ref: 256

• Heavy I/O may need custom tuning
• Larger task/file caches for more context
• Larger network caches for better tracking