Runtime Settings

Create a configuration file first.

Configuration File

Add the following options to the configuration file:

yaml
run-time:
  log-level: simple      # Possible values: quiet, fatal, error, warn, info, debug
  health: true           # Enable health check endpoint (/health)
  cardinal: true         # Enable cardinal filters (skips known OS resources)
  stdout: stdout         # stdout destination (stdout, stderr, or file path)
  stderr: stderr         # stderr destination (stdout, stderr, or file path)

These options control the basic operational behavior of Jibril.

Log Levels

Available logging verbosity levels:

  • quiet - Suppress most output
  • fatal - Only fatal errors
  • error - Errors only
  • warn - Warnings and errors
  • info - Informational messages
  • debug - Detailed debugging information

Choosing a Log Level

Production environments:
Use info, warn, or error for normal operations

Silent operations:
Use quiet or fatal for minimal output

Health Check Endpoint

When health: true, Jibril exposes a health check endpoint:

bash
curl http://localhost:6060/health

Useful for:

  • Kubernetes liveness/readiness probes
  • Load balancer health checks
  • Service orchestration
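
A stopped agent means lost detection coverage, so the endpoint is also worth polling from a watchdog that tolerates a single slow answer but reports a sustained outage. The script below is an added example, not part of Jibril or its documentation; the function names, the PROBE override, and the assumption that any 2xx response means "healthy" are illustrative.

```shell
#!/bin/sh
# Added example: watchdog for the /health endpoint described above.
# Assumption: a 2xx answer means the agent is healthy (the page does not
# document the response body or status codes).

# jibril_probe URL
# Exit 0 only if URL answers with a 2xx status within 2 seconds.
jibril_probe() {
    curl --silent --fail --max-time 2 --output /dev/null "$1"
}

# jibril_watch URL THRESHOLD INTERVAL ROUNDS
# Probe URL up to ROUNDS times, INTERVAL seconds apart.
# Returns 1 as soon as THRESHOLD probes in a row have failed, otherwise 0.
# PROBE (hypothetical hook) replaces the probe function, e.g. for testing.
jibril_watch() {
    url=$1
    threshold=$2
    interval=$3
    rounds=$4
    fails=0
    i=0
    while [ "$i" -lt "$rounds" ]; do
        if "${PROBE:-jibril_probe}" "$url"; then
            fails=0                      # one good answer resets the streak
        else
            fails=$((fails + 1))
            if [ "$fails" -ge "$threshold" ]; then
                echo "jibril health: $fails consecutive failures at $url" >&2
                return 1
            fi
        fi
        i=$((i + 1))
        sleep "$interval"
    done
    return 0
}

# Example call (commented out so that sourcing this file has no side effects):
# jibril_watch http://localhost:6060/health 3 10 30 || logger -p daemon.crit "jibril agent unhealthy"
```

Run it from a cron job or systemd timer and route a non-zero exit status to your alerting.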

Cardinal Filters

Noise reduction for known system resources:

  • cardinal: true - Skips monitoring of well-known OS resources to reduce noise
  • cardinal: false - Monitor everything (may generate more events)

INFO

Cardinal filters work like the detection recipes' arbitraries, but globally. They will be customizable in the near future.

Should I enable or disable cardinal filters?

Disable cardinal filters when:

  • You need complete visibility into all system activity
  • Debugging detection rules
  • Investigating edge cases

Enable cardinal filters when:

  • Running in production
  • You want to reduce event volume
  • Focusing on application-level threats

Output Destinations

Control where stdout and stderr are directed:

yaml
run-time:
  stdout: stdout         # Options: stdout, stderr, or file path
  stderr: stderr         # Options: stdout, stderr, or file path

WARNING

These settings direct the standard output and standard error of the agent itself, not the events. For events, use the Printers configuration.

Examples

Default (standard output/error):

yaml
stdout: stdout
stderr: stderr

Both to stdout (for container logging):

yaml
stdout: stdout
stderr: stdout

To files:

yaml
stdout: /var/log/jibril-out.log
stderr: /var/log/jibril-err.log