
Configuration

Config Push Protocol

Each controller reports information about itself, and Watchdog uses that report to decide which department the controller belongs to and therefore which settings to push back to it. The report should include the fields guid, hostname, version, ip_addresses, mac_address, os and label.

watchdog_config

  1. Label Matching: This has the highest priority. If the controller's label field equals the label given for a department in mappings.conf, that department is selected immediately.
  2. Hostname Matching: If no label matches, the controller's hostname is compared with each department's host pattern. A wildcard (*) in the pattern allows partial matching.
  3. IP Address Matching: If neither label nor hostname matches, each of the controller's IP addresses is checked against the subnet range (address) given for a department.
  4. MAC Address Matching: If no IP address matches, the controller's MAC address is compared with the department's mac pattern, which may contain wildcards.
  5. Operating System (OS) Matching: As the last resort, the controller's OS is compared with the department's os value. With a wildcard (*) a partial match is accepted, so different versions of the same OS can be grouped together; without one the value must match exactly.

The matching process is not case-sensitive.

The process follows a first-match-wins strategy. As soon as a match is found, the department associated with that match is selected, and the remaining conditions are ignored.

Example Workflow of Matching

Here’s a simple example to illustrate how the matching process works:

  • Controller Information:
      ◦ Label: "hr"
      ◦ Hostname: "newyork-hr1"
      ◦ IP Addresses: ["123.11.219.5"]
      ◦ MAC Address: "23:ab:123:45:67:89"
      ◦ OS: "linux"

  • Matching Process:
      ◦ Label Matching: The system checks the label "hr". It finds that the HR department has a matching label, so it immediately selects the HR department.
      ◦ Hostname, IP, MAC, and OS: Since the label matched, the system does not proceed to check the other conditions (hostname, IP, MAC, or OS).

The HR department is selected based on the label match, even though other conditions might also match.

mappings.conf

This file defines one section per department and the conditions under which a controller is assigned to it: host (hostname pattern), label, os, address (IP range in CIDR notation) and mac (MAC address pattern). A department only needs the conditions it uses; the [Accounts] section below, for example, has no label.

# mappings.conf
# File to define groups for the browsermon controllers
# based on any criteria (guid, hostname, mac, version, ip, os, label)

[Staff]
host=austin-*
label=staff
os=windows

[HR]
host=newyork-*
os=linux
label=hr
address=123.11.219.0/24
mac=23:ab:123:*

[Accounts]
host=sunnyvale-*
os=linux

[CEO]
host=chicago-ceo*
label=ceo
os=windows
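The matching rules above, and the mappings.conf that drives them, as an added Python example (not BrowserMon's or Watchdog's own code). It parses the file with configparser, tries the criteria in the documented priority order and stops at the first department that matches. Two details the page leaves open are assumptions here: each criterion is tried against every department (in file order) before the next criterion is considered, and wildcard patterns follow shell-glob rules, so a pattern without * must match the whole value.

```python
"""Reference matcher for mappings.conf (added example; not BrowserMon's own code).

Assumptions beyond what the page states: criteria are tried in priority order
across all departments before moving to the next criterion, sections are tried
in file order, and wildcards follow shell-glob rules (fnmatch).
"""
import configparser
import fnmatch
import ipaddress
from typing import Optional

# Constructed copy of the mappings.conf shown above.
MAPPINGS_CONF = """\
[Staff]
host=austin-*
label=staff
os=windows

[HR]
host=newyork-*
os=linux
label=hr
address=123.11.219.0/24
mac=23:ab:123:*

[Accounts]
host=sunnyvale-*
os=linux

[CEO]
host=chicago-ceo*
label=ceo
os=windows
"""

# Priority order from the page: label, hostname, IP address, MAC address, OS.
PRIORITY = ("label", "host", "address", "mac", "os")


def load_mappings(text: str) -> dict:
    """Parse the INI file; '=' is the only delimiter so 'mac=23:ab:...' keeps its colons."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def glob_match(value: str, pattern: str) -> bool:
    """Case-insensitive glob; without a '*' the pattern must match the whole value."""
    return fnmatch.fnmatchcase(value.strip().lower(), pattern.strip().lower())


def in_subnet(addresses, cidr: str) -> bool:
    """True if any reported address lies inside the department's CIDR range."""
    try:
        net = ipaddress.ip_network(cidr.strip(), strict=False)
    except ValueError:
        return False
    for addr in addresses:
        try:
            if ipaddress.ip_address(addr.strip()) in net:
                return True
        except ValueError:
            continue  # skip malformed addresses rather than failing the whole match
    return False


def criterion_matches(key: str, dept: dict, info: dict) -> bool:
    """Evaluate one criterion of one department against the controller's report."""
    pattern = dept.get(key)
    if not pattern:
        return False  # department does not constrain this criterion
    if key == "label":
        return info.get("label", "").strip().lower() == pattern.strip().lower()
    if key == "host":
        return glob_match(info.get("hostname", ""), pattern)
    if key == "address":
        return in_subnet(info.get("ip_addresses", []), pattern)
    if key == "mac":
        return glob_match(info.get("mac_address", ""), pattern)
    if key == "os":
        return glob_match(info.get("os", ""), pattern)
    return False


def select_department(info: dict, mappings: dict) -> Optional[str]:
    """First-match-wins: exhaust one criterion over all departments before trying the next."""
    for key in PRIORITY:
        for name, dept in mappings.items():
            if criterion_matches(key, dept, info):
                return name
    return None


if __name__ == "__main__":
    mappings = load_mappings(MAPPINGS_CONF)
    # The controller from the worked example above: selected by label before anything else.
    controller = {"guid": "c1", "hostname": "newyork-hr1", "ip_addresses": ["123.11.219.5"],
                  "mac_address": "23:ab:123:45:67:89", "os": "linux", "label": "hr"}
    print(select_department(controller, mappings))
```

Because criteria are exhausted in priority order, a controller labelled "hr" on an "austin-*" host still lands in HR, and a controller reporting os "Windows 11" matches nothing because the Staff and CEO sections use os=windows without a wildcard.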

watchdog.conf

Watchdog relies on the watchdog.conf configuration file for essential settings. Here are the key configuration parameters:

[default]
mode=local
bmkey= 
authcode=
blacklist=None
logdir=logs
loglevel=INFO
maxBytes=5242880
backupCount=5
limit=True
rate=100/m
allowedhosts=['*']
[eti]
eti_index_ttl=90
[GunicornConfig]
watchdog_port=8900
certfile=./cert/cacert.crt
keyfile=./cert/private.key
sslconfig=/etc/watchdog/ssl-config.ini

Configuration Explanation

  • mode: Set to ‘local’ or ‘cloud’ depending on your deployment.
  • bmkey: The Base64-encoded license key.
  • authcode: The Base64-encoded authorization code.
  • blacklist: The blacklist configuration.
  • logdir: Path to the log directory.
  • loglevel: Desired log level. Set it to DEBUG when the program does not behave as intended, and return it to INFO afterwards.
  • maxBytes: Size in bytes at which a log file is rotated (default: 5242880).
  • backupCount: Number of rotated log copies to keep (default: 5).
  • limit: Enable (True) or disable (False) rate limiting of the API.
  • rate: The rate at which the API can be accessed, e.g. 100/m for 100 requests per minute.
  • allowedhosts: List of hosts allowed to access Watchdog. Leaving it empty, or using ['*'] as in the example above, allows every host; restrict it to known controller and operator hosts in production.
  • eti_index_ttl: Time-to-live (TTL) in days for the Elasticsearch threat index before it is deleted (default: 90).
  • watchdog_port: Port on which Watchdog listens (8900 in the example above).
  • certfile: Path to the SSL certificate file.
  • keyfile: Path to the SSL private key file.
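A pre-deployment check for watchdog.conf, added here as an example and not part of Watchdog: it parses the file as shipped above and flags the settings a reviewer would question (empty bmkey and authcode, allowedhosts=['*'], relative certificate paths, rate limiting switched off, DEBUG logging left on), then confirms that a hardened copy passes. The hardened values, Base64 strings included, are placeholders; reading allowedhosts as a Python-style list, and '*' or an empty list as "any host", follows the example file and the explanation above.

```python
"""Added example (not part of Watchdog): flag weak settings in watchdog.conf before deployment.

Assumptions: 'allowedhosts' is a Python-style list literal as shown on the page, and
a '*' entry (or an empty list) means every host is accepted.
"""
import ast
import base64
import binascii
import configparser
import os

# Constructed copy of the watchdog.conf shown above.
AS_SHIPPED = """\
[default]
mode=local
bmkey=
authcode=
blacklist=None
logdir=logs
loglevel=INFO
maxBytes=5242880
backupCount=5
limit=True
rate=100/m
allowedhosts=['*']
[eti]
eti_index_ttl=90
[GunicornConfig]
watchdog_port=8900
certfile=./cert/cacert.crt
keyfile=./cert/private.key
sslconfig=/etc/watchdog/ssl-config.ini
"""

# Same file with the findings resolved. All values are hypothetical placeholders.
HARDENED = """\
[default]
mode=local
bmkey=ZXhhbXBsZS1saWNlbnNl
authcode=ZXhhbXBsZS1hdXRo
blacklist=None
logdir=/var/log/watchdog
loglevel=INFO
maxBytes=5242880
backupCount=5
limit=True
rate=100/m
allowedhosts=['10.20.30.40', 'ops.example.internal']
[eti]
eti_index_ttl=90
[GunicornConfig]
watchdog_port=8900
certfile=/etc/watchdog/cert/cacert.crt
keyfile=/etc/watchdog/cert/private.key
sslconfig=/etc/watchdog/ssl-config.ini
"""


def load_conf(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return cp


def is_base64(value: str) -> bool:
    """Strict check: non-empty, alphabet-clean and correctly padded."""
    if not value:
        return False
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def audit_watchdog_conf(text: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    cp = load_conf(text)
    d, g = cp["default"], cp["GunicornConfig"]
    findings = []
    if d.get("mode", "").strip().lower() not in ("local", "cloud"):
        findings.append("mode must be 'local' or 'cloud'")
    for key in ("bmkey", "authcode"):
        if not is_base64(d.get(key, "").strip()):
            findings.append(f"{key} is empty or not valid Base64")
    try:
        hosts = ast.literal_eval(d.get("allowedhosts", "").strip() or "[]")
    except (ValueError, SyntaxError):
        hosts = None
    if not isinstance(hosts, list) or not hosts or "*" in hosts:
        findings.append("allowedhosts admits any host; list permitted hosts explicitly")
    if not d.getboolean("limit", fallback=False):
        findings.append("limit is off, so the API is not rate limited")
    if d.get("loglevel", "").strip().upper() == "DEBUG":
        findings.append("loglevel=DEBUG should not stay enabled in production")
    for key in ("certfile", "keyfile"):
        path = g.get(key, "").strip()
        if not path or not os.path.isabs(path):
            findings.append(f"{key} is empty or relative ({path!r}); use an absolute path")
    return findings


if __name__ == "__main__":
    for line in audit_watchdog_conf(AS_SHIPPED):
        print("-", line)
```

Relative certfile and keyfile paths resolve against whatever working directory Watchdog is started from, which is why the check insists on absolute paths; the key file should additionally be readable only by the service account.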

browsermon-watchdog.conf

This file defines the settings pushed to each department: browser, mode, schedule_window, logdir, logmode, rotation, kafka_mode, eti_mode, cache_ttl and cache_max_size. Each section is named after a department from mappings.conf.

[HR]
browser=firefox
mode=scheduled
schedule_window=1m
logdir=/opt/browsermon/logs
logmode=json
rotation=1h
kafka_mode=false
eti_mode=false
cache_ttl=30d
cache_max_size=1000

[Accounts]
browser=chrome
mode=scheduled
schedule_window=1m
logdir=/opt/browsermon/logs
logmode=csv
rotation=1h
kafka_mode=true
eti_mode=false
cache_ttl=30d
cache_max_size=1000

[CEO]
browser=firefox
mode=scheduled
schedule_window=1m
logdir=C:\\browsermon\\history
logmode=csv
rotation=1h
kafka_mode=true
eti_mode=false
cache_ttl=30d
cache_max_size=1000

Configuration Explanation

  • browser: Specifies the browser(s) to monitor, such as Firefox, Chrome, or Edge.
  • mode: Determines whether BrowserMon operates in scheduled mode (default) or real-time mode.
  • schedule_window: Sets the interval between each browser data collection iteration.
  • logdir: Defines the directory where browser history log files are stored.
  • logmode: Specifies the format of the history log files (CSV or JSON).
  • rotation: Sets the interval for rotating history log files.
  • kafka_mode: Enables (true) or disables (false) Kafka integration for centralized logging.
  • eti_mode: Enables (true) or disables (false) Eunomatix Threat Intel service.
  • cache_ttl: How long a URL stays in the cache before it is evicted (30d in the examples above).
  • cache_max_size: Upper bound on the number of URLs the cache can hold; a value of 100 means at most 100 URLs are cached.
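A validator for browsermon-watchdog.conf sections, added here as an example and not part of BrowserMon. It checks the value grammar the page shows (browser names, csv/json log mode, true/false flags, durations such as 1m, 1h and 30d, a positive cache_max_size) against the [HR] section above and against a constructed, deliberately broken section. The duration grammar (an integer followed by s, m, h or d) and the comma-separated browser list are assumptions.

```python
"""Added example (not part of BrowserMon): sanity-check browsermon-watchdog.conf before it is pushed.

Assumptions: durations are an integer followed by s, m, h or d; 'browser' may list
several browsers separated by commas; booleans are written true/false.
"""
import configparser
import re

DURATION_RE = re.compile(r"^(\d+)([smhd])$")
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
KNOWN_BROWSERS = {"firefox", "chrome", "edge"}
KNOWN_LOGMODES = {"csv", "json"}
DURATION_KEYS = ("schedule_window", "rotation", "cache_ttl")
BOOL_KEYS = ("kafka_mode", "eti_mode")

# Constructed copy of the [HR] section shown above plus a deliberately broken one.
SAMPLE_CONF = """\
[HR]
browser=firefox
mode=scheduled
schedule_window=1m
logdir=/opt/browsermon/logs
logmode=json
rotation=1h
kafka_mode=false
eti_mode=false
cache_ttl=30d
cache_max_size=1000

[Broken]
browser=firefox, safari
mode=scheduled
schedule_window=1m
logdir=
logmode=xml
rotation=1w
kafka_mode=yes
eti_mode=false
cache_ttl=30d
cache_max_size=0
"""


def parse_duration(value: str) -> int:
    """Convert '1m', '1h', '30d' into seconds; raise ValueError on anything else."""
    m = DURATION_RE.match(value.strip().lower())
    if not m:
        raise ValueError(f"bad duration {value!r}")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)]


def validate_department(section) -> list:
    """Return the problems found in one department section (empty list means clean)."""
    problems = []
    browsers = {b.strip().lower() for b in section.get("browser", "").split(",") if b.strip()}
    unknown = browsers - KNOWN_BROWSERS
    if not browsers or unknown:
        problems.append(f"browser: unknown or missing value(s) {sorted(unknown)}")
    if section.get("logmode", "").strip().lower() not in KNOWN_LOGMODES:
        problems.append("logmode must be csv or json")
    if not section.get("logdir", "").strip():
        problems.append("logdir is empty")
    for key in DURATION_KEYS:
        try:
            parse_duration(section.get(key, ""))
        except ValueError:
            problems.append(f"{key}: not a duration like 1m, 1h or 30d")
    for key in BOOL_KEYS:
        if section.get(key, "").strip().lower() not in ("true", "false"):
            problems.append(f"{key} must be true or false")
    try:
        if int(section.get("cache_max_size", "")) <= 0:
            raise ValueError
    except ValueError:
        problems.append("cache_max_size must be a positive integer")
    return problems


def validate_conf(text: str) -> dict:
    """Map each department name to its list of problems."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return {name: validate_department(cp[name]) for name in cp.sections()}


if __name__ == "__main__":
    for name, problems in validate_conf(SAMPLE_CONF).items():
        print(name, "OK" if not problems else problems)
```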