Environment Variables Reference
This file documents all supported .env entries for the Frafos monitoring stack. Place your .env file in the same directory as your docker-compose.yml or manifest files to configure your deployment.
Example .env File
# --- Generic ---
# NODE_ENV=production # Specifies the current environment for the application. Affects configuration, logging, and feature toggles throughout the app. Defaults to 'production'. | required | enum: [dev, test, production]
# MOKI_DEBUG=false # Enable verbose debug logging and additional diagnostic output for Moki. Useful for troubleshooting and development. | DEPRECATED | required
# ADDR=:: # IP address or hostname for the Express.js server to bind to. Must be a valid IPv4 or IPv6 address. | required
# SERVER_PORT=5000 # Port number for the server to listen on. | required | min: 0 (exclusive), max: 65535
# PORT= # Port number for the server to listen on, used for compatibility. Will be deprecated in future versions and will be replaced by SERVER_PORT. Still has the higher priority for the server port. | DEPRECATED | optional | min: 0 (exclusive), max: 65535
# PUBLIC_URL= # Publicly accessible URL of the application. Used for generating links and references. Must be a valid URL. | optional
# STATIC_DOC_FILES_PATH=/moki/documentations # Filesystem path to static documentation files served by the application. Used for hosting and accessing documentation. | required
# GUI_TLS_CERT_PATH= # The absolute filesystem path to the TLS/SSL certificate file used to secure the web interface (GUI) with HTTPS. The file must exist, have a valid '.pem' or '.crt' extension, and contain a valid certificate. | optional
# GUI_TLS_KEY_PATH= # The absolute filesystem path to the private key file corresponding to the TLS/SSL certificate for the web interface (GUI). The file must exist, have a valid '.pem', '.crt', or '.key' extension, and contain a valid private key. | optional
# TLS_MIN_VERSION=TLSv1.3 # Minimum TLS version accepted by the GUI HTTPS server. Allowed values: 'TLSv1.3', 'TLSv1.2', 'TLSv1.1', 'TLSv1'. | required | enum: [, TLSv1.3, TLSv1.2, TLSv1.1, TLSv1]
# TLS_MAX_VERSION= # Maximum TLS version accepted by the GUI HTTPS server. Allowed values: 'TLSv1.3', 'TLSv1.2', 'TLSv1.1', 'TLSv1'. | optional | enum: [, TLSv1.3, TLSv1.2, TLSv1.1, TLSv1]
# TLS_CIPHERS= # List of OpenSSL cipher names used by the GUI HTTPS server. Example: ['ECDHE-ECDSA-AES256-GCM-SHA384', '...']. | optional
# LOG_PATH=/var/log/moki # Filesystem path where application log files are stored. Used for tracking server and application events. | required
# MAX_LOGS=10000 # Maximum number of log entries to read when fetching logs. Helps limit memory usage when dealing with large log files. | required | min: 1
# LOG_LEVEL=info # Logging level for application output. Controls verbosity: trace (most detailed), debug, info, warn, error, fatal (least detailed). | required | enum: [trace, debug, info, warn, error, fatal]
# LOG_FILESIZE=100m # Maximum log file size before rotation (e.g., '1k', '10m', '100g'). Log will rotate when either interval or file size is reached, whichever comes first. | required
# LOG_INTERVAL=daily # Log rotation interval: 'daily', 'hourly', or a positive number (milliseconds). Log will rotate when either interval or file size is reached, whichever comes first. | required
# LOG_RETAIN_NUMBER=30 # Number of rotated log files to retain. Older log files beyond this number will be deleted. | required | min: 1
# BROWSER_URL=http://chrome:9222/ # URL of the browser endpoint used for remote browser automation or debugging. Must be a valid URL. | required
# PDF_RENDER_URL= # URL that headless Chrome uses to render report pages for PDF generation. Set to your docker-compose service name. | optional
# PYTHON_PATH=python3 # Filesystem path or command to the Python executable used for running Python scripts or integrations. | required
# EVENT_GENERATOR_PATH=event-generator-cli # Filesystem path or command to the event generator CLI tool. Used for generating events in the application. | required
# WEB_PUSH_VAPID_PUB=BDMDdcui_F0YkNqSG6y-OJdm_rCluBUXm7g8Bz02BShFoi4knfKPRX-YiILV6l0mi1BwHBif6r-RhfMNYgLeFd0 # Public VAPID key used for authenticating web push notifications sent to clients. Must be a valid VAPID public key string, typically generated for your push service. | required
# WEB_PUSH_VAPID_PRV=m_zagbTESoDoxQVFg00EbbHLPt0zLI28f9FoXzU3Uj0 # Private VAPID key used for signing web push notifications sent to clients. Must be a valid VAPID private key string, kept secret and paired with the public key. | required
# START_PERIODIC_JOBS_ON_BOOT=true # Enable periodic job scheduling on boot | required
# DOCS_PROXY_URL= # URL of the external documentation service to proxy requests to. If set, documentation is hosted externally and `STATIC_DOC_FILES_PATH` is ignored. | optional
# REMOTE_SYSLOG_ENABLED=false # Enable remote syslog transport for forwarding server logs to a remote syslog server. Requires a full server restart to take effect. | required
# REMOTE_SYSLOG_HOST= # Hostname or IP address of the remote syslog server. Required when REMOTE_SYSLOG_ENABLED is true. | optional
# REMOTE_SYSLOG_PORT=514 # Port number of the remote syslog server. Defaults to 514. | required | min: 0 (exclusive), max: 65535
# REMOTE_SYSLOG_PROTOCOL=udp # Transport protocol for syslog: 'udp' or 'tcp'. Defaults to 'udp'. | required | enum: [udp, tcp]
# --- Auth ---
# JWT_required=false # Require JWT authentication for SIP user access. If true, users must provide a valid JWT token to authenticate. | required
# BYPASS_AUTH=false # If true, the login page is displayed for user authentication; if false, users are redirected directly to the dashboard without authentication. | DEPRECATED | required
# CCM= # IP address or hostname of the CCM server used for SIP communications. Must be a valid IPv4, IPv6, or hostname. | optional
# SBC_AUTH_TOKEN= # SBC API authentication token for Monitor configuration. Generate via SBC web interface or API token endpoint. | optional
# CCM_AUTH_TOKEN= # CCM API authentication token for Monitor configuration to resolve 401 Unauthorized errors. Generate via CCM web interface or tokens.php endpoint. | optional
# --- Elasticsearch ---
# ES= # URL of the Elasticsearch server to override the value from database. Must be a valid URL. Used for connecting to the Elasticsearch instance. | optional
# ES_USERNAME= # Username for authenticating with the Elasticsearch server. Required if ES_PASSWORD is provided. | optional
# ES_PASSWORD= # Password for authenticating with the Elasticsearch server. Required if ES_USERNAME is provided. | optional
# ES_TLS_CA= # Elasticsearch CA certificate used by clients to verify TLS connections. Can be a file path or PEM content. | optional
# ES_RECOVERY_CONFIRMATION_COUNT=3 # Number of confirmations required to complete the recovery process in Elasticsearch operations. Controls how many successful confirmations are needed before recovery is considered complete. | required
# --- Vector ---
# VECTOR_RUNNER=local # Specify your desired runner | required | enum: [podman, docker, local]
# VECTOR_ES_ENDPOINT= # Override Elasticsearch URL from value config.ES with credentials if needed, e.g. http://elastic:password@localhost:9200 | optional
# VECTOR_SYSLOG_ENABLED= # Enable syslog | optional
# VECTOR_SYSLOG_PORT=514 # Vector SYSLOG port used for communication | optional | min: 0 (exclusive), max: 65535
# VECTOR_SYSLOG_TLS_ENABLED= # Force using GUI TLS key and cert | optional
# VECTOR_SYSLOG_TRANSPORT_PROTOCOL= # Vector SYSLOG transport layer protocol | optional | enum: [tcp, udp]
# VECTOR_SYSLOG_CRT_FILE= # Path to the certificate file used for SSL/TLS for syslog source | optional
# VECTOR_SYSLOG_KEY_FILE= # Path to the certificate-key file used for SSL/TLS for syslog source | optional
# VECTOR_SOCKET_PORT=5044 # Vector TCP port used for communication | optional | min: 0 (exclusive), max: 65535
# VECTOR_SOCKET_TLS_PORT=5045 # Vector TCP port used for TLS communication | optional | min: 0 (exclusive), max: 65535
# VECTOR_SOCKET_ADDR=:: # Vector host address used for communication | required
# INPUT_TLS_ONLY= # Enable TLS for Vector | optional
# VECTOR_LOG= # The vector log. Default will be handled by vector start script | optional | enum: [trace, debug, info, warn, error, off]
# VECTOR_API_ADDRESS=[::]:8686 # Vector API address. Only used for the health check. It should be in `IP:PORT` format; IPv4 and IPv6 are supported. | required
# VECTOR_RECOVERY_CONFIRMATION_COUNT=3 # Number of confirmations required for recovery | required
# EVENT_TLS_CACERT= # Path to the CA file used for SSL/TLS | optional
# EVENT_TLS_CERT= # Path to the certificate file used for SSL/TLS | optional
# EVENT_TLS_KEY= # Path to the certificate-key file used for SSL/TLS | optional
# EVENT_TLS_KEY_PASS= # Passphrase for certificate key | optional
# TLS_CERT_VERIFY_LEVEL=false # Peer certificate verification level | required
# VECTOR_WATCH_CONFIG=true # When this option is enabled, vector will restart on any config change | required
# VECTOR_GRACEFUL_SHUTDOWN_LIMIT_SECS=60 # Set the duration in seconds to wait for graceful shutdown after SIGINT or SIGTERM is received. After the duration has passed, Vector will force shutdown. Default is 60. | required
# VECTOR_SYSLOG_FILE_SINK_ENABLED=false # Enable syslog file sink | required
# VECTOR_TIMEZONE= # Timezone for Vector. Default is machine timezone | optional
# --- AA ---
# ADVANCED_ALERTS= # Enable advanced alerts for enhanced monitoring and notification features | optional
# ADVANCED_ALERTS_URL= # The endpoint URL used for advanced alerts when ADVANCED_ALERTS is enabled. Must be a valid URL. | optional
# AA_RECOVERY_CONFIRMATION_COUNT=3 # Number of confirmations required to complete the recovery process. Controls how many successful confirmations are needed before recovery is considered complete. | required | min: 1, max: 100
# --- Redis ---
# REDIS_ENDPOINT= # Redis endpoint, e.g. redis://redis:6379/0 | optional
# REDIS_RECOVERY_CONFIRMATION_COUNT=3 # Number of confirmations required for recovery | required
# --- S3 ---
# UPLOAD_API_S3_FORCE_PATH_STYLE=false # Force path-style access for S3 buckets in the upload API. Useful for S3-compatible services or custom endpoints. | required
# AWS_REGION=auto # AWS region for S3 storage operations. Used to select the correct S3 endpoint. | required
# AWS_ENDPOINT_URL_S3= # Custom endpoint URL for S3 storage. Must be a valid URL. Used for S3-compatible services or local testing. | optional
# AWS_ACCESS_KEY_ID= # AWS Access Key ID for authenticating S3 storage operations. | optional
# AWS_SECRET_ACCESS_KEY= # AWS Secret Access Key for authenticating S3 storage operations. | optional
# --- Upload API ---
# UPLOAD_API_PORT=3042 # Port number for the upload API server to listen on. | required | min: 0 (exclusive), max: 65535
# UPLOAD_API_TLS_KEY_PATH= # Filesystem path to the TLS key file used for HTTPS connections in the upload API. | optional
# UPLOAD_API_USE_SAME_TLS_AS_EVENTS=false # Use the same TLS certificate and key for the Upload API as the ones used for event input. When this option is enabled, the fields for Upload API TLS certificate and key will be ignored. | required
# UPLOAD_API_TLS_CERT_PATH= # Filesystem path to the TLS certificate file used for HTTPS connections in the upload API. | optional
# UPLOAD_API_TLS_CA_PATH= # Filesystem path to the TLS CA certificate file for validating client certificates in mutual TLS setups. | optional
# UPLOAD_API_MUTUAL_AUTH=false # Enable mutual TLS authentication for the upload API. If true, both client and server must present valid certificates. | required
# UPLOAD_API_RSYNC_PORT=873 # Port number for the rsync server used by the upload API for file synchronization. | required | min: 0 (exclusive), max: 65535
# UPLOAD_API_RSYNC_USER=sbcsync # Username for authenticating with the rsync server in the upload API. | required
# UPLOAD_API_RSYNC_PASSWORD=ZJaqCW6zwznD # Password for authenticating with the rsync server in the upload API. | required
# UPLOAD_API_STORAGE_TYPE=file # Type of storage backend used by the upload API. | required | enum: [s3, file, null]
# STORAGE_LOCATION=/data/abc-monitor/upload-storage # Filesystem path or S3 bucket name where uploaded files are stored. | required
# DECAP_PATH=decap # Path to the decap binary | required
# FS_EVENTS_PATH=fs-events # Path to the fs-events binary | required
# --- Client ---
# ALLOWED_HOSTS=localhost,127.0.0.1,::1 # List of hostnames or IP addresses allowed for the UI to connect to the server and used in SSL certificate validation. | optional
# UI_PORT=3000 # Port number for the user interface (UI) to listen on. | required | min: 0 (exclusive), max: 65535
# --- Channel ---
# DEFAULT_CHANNEL_ID= # Unique identifier for the notification channel. Used to reference and manage the channel in the system. Must be alphanumeric with dashes/underscores only. | optional | min: 5, pattern: /^[a-zA-Z0-9_-]+$/
# DEFAULT_CHANNEL_TYPE= # Type of the notification channel. | optional | enum: [email, snmp, api, matrix]
# DEFAULT_CHANNEL_NAME= # Human-readable name for the channel. Used for display and identification purposes. Must not have leading or trailing spaces. | optional | min: 5
# DEFAULT_CHANNEL_PARAMS= # JSON string containing channel-specific configuration parameters; each key maps to a parameter object with a 'type' and 'value'. | optional
Ports
- SERVER_PORT: 5000
- PORT: DEPRECATED
- REMOTE_SYSLOG_PORT: 514
- VECTOR_SYSLOG_PORT: 514
- VECTOR_SOCKET_PORT: 5044
- VECTOR_SOCKET_TLS_PORT: 5045
- UPLOAD_API_PORT: 3042
- UPLOAD_API_RSYNC_PORT: 873
- UI_PORT: 3000
Variable Definitions
- Generic
- Auth
- Elasticsearch
- Vector
- AA
- Redis
- S3
- Upload API
- Client
- Channel
Generic environment variables used for core application configuration, debugging, server address, ports, URLs, and paths. These variables control the main behavior and entry points of the monitoring stack.
| Variable | Type | Default Value | Restrictions | Description |
|---|---|---|---|---|
| NODE_ENV | enum [dev, test, production] | production | enum: [dev, test, production] | Specifies the current environment for the application. Affects configuration, logging, and feature toggles throughout the app. Defaults to 'production'. |
| MOKI_DEBUG | [DEPRECATED] boolean | false | - | Enable verbose debug logging and additional diagnostic output for Moki. Useful for troubleshooting and development. |
| ADDR | string | :: | - | IP address or hostname for the Express.js server to bind to. Must be a valid IPv4 or IPv6 address. |
| SERVER_PORT | number | 5000 | min: 0 (exclusive), max: 65535 | Port number for the server to listen on. |
| PORT | [DEPRECATED] number | - | min: 0 (exclusive), max: 65535 | Port number for the server to listen on, used for compatibility. Will be deprecated in future versions and will be replaced by SERVER_PORT. Still has the higher priority for the server port. |
| PUBLIC_URL | string | - | - | Publicly accessible URL of the application. Used for generating links and references. Must be a valid URL. |
| STATIC_DOC_FILES_PATH | string | /moki/documentations | - | Filesystem path to static documentation files served by the application. Used for hosting and accessing documentation. |
| GUI_TLS_CERT_PATH | string | - | - | The absolute filesystem path to the TLS/SSL certificate file used to secure the web interface (GUI) with HTTPS. The file must exist, have a valid '.pem' or '.crt' extension, and contain a valid certificate. |
| GUI_TLS_KEY_PATH | string | - | - | The absolute filesystem path to the private key file corresponding to the TLS/SSL certificate for the web interface (GUI). The file must exist, have a valid '.pem', '.crt', or '.key' extension, and contain a valid private key. |
| TLS_MIN_VERSION | enum [, TLSv1.3, TLSv1.2, TLSv1.1, TLSv1] | TLSv1.3 | enum: [, TLSv1.3, TLSv1.2, TLSv1.1, TLSv1] | Minimum TLS version accepted by the GUI HTTPS server. Allowed values: 'TLSv1.3', 'TLSv1.2', 'TLSv1.1', 'TLSv1'. |
| TLS_MAX_VERSION | enum [, TLSv1.3, TLSv1.2, TLSv1.1, TLSv1] | - | enum: [, TLSv1.3, TLSv1.2, TLSv1.1, TLSv1] | Maximum TLS version accepted by the GUI HTTPS server. Allowed values: 'TLSv1.3', 'TLSv1.2', 'TLSv1.1', 'TLSv1'. |
| TLS_CIPHERS | array | - | - | List of OpenSSL cipher names used by the GUI HTTPS server. Example: ['ECDHE-ECDSA-AES256-GCM-SHA384', '...']. |
| LOG_PATH | string | /var/log/moki | - | Filesystem path where application log files are stored. Used for tracking server and application events. |
| MAX_LOGS | number | 10000 | min: 1 | Maximum number of log entries to read when fetching logs. Helps limit memory usage when dealing with large log files. |
| LOG_LEVEL | enum [trace, debug, info, warn, error, fatal] | info | enum: [trace, debug, info, warn, error, fatal] | Logging level for application output. Controls verbosity: trace (most detailed), debug, info, warn, error, fatal (least detailed). |
| LOG_FILESIZE | string | 100m | - | Maximum log file size before rotation (e.g., '1k', '10m', '100g'). Log will rotate when either interval or file size is reached, whichever comes first. |
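| LOG_INTERVAL | string \| number | daily | - | Log rotation interval: 'daily', 'hourly', or a positive number (milliseconds). Log will rotate when either interval or file size is reached, whichever comes first. |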
| LOG_RETAIN_NUMBER | number | 30 | min: 1 | Number of rotated log files to retain. Older log files beyond this number will be deleted. |
| BROWSER_URL | string | http://chrome:9222/ | - | URL of the browser endpoint used for remote browser automation or debugging. Must be a valid URL. |
| PDF_RENDER_URL | string | - | - | URL that headless Chrome uses to render report pages for PDF generation. Set to your docker-compose service name. |
| PYTHON_PATH | string | python3 | - | Filesystem path or command to the Python executable used for running Python scripts or integrations. |
| EVENT_GENERATOR_PATH | string | event-generator-cli | - | Filesystem path or command to the event generator CLI tool. Used for generating events in the application. |
| WEB_PUSH_VAPID_PUB | string | BDMDdcui_F0YkNqSG6y-OJdm_rCluBUXm7g8Bz02BShFoi4knfKPRX-YiILV6l0mi1BwHBif6r-RhfMNYgLeFd0 | - | Public VAPID key used for authenticating web push notifications sent to clients. Must be a valid VAPID public key string, typically generated for your push service. |
| WEB_PUSH_VAPID_PRV | string | m_zagbTESoDoxQVFg00EbbHLPt0zLI28f9FoXzU3Uj0 | - | Private VAPID key used for signing web push notifications sent to clients. Must be a valid VAPID private key string, kept secret and paired with the public key. |
| START_PERIODIC_JOBS_ON_BOOT | boolean | true | - | Enable periodic job scheduling on boot |
| DOCS_PROXY_URL | string | - | - | URL of the external documentation service to proxy requests to. If set, documentation is hosted externally and STATIC_DOC_FILES_PATH is ignored. |
| REMOTE_SYSLOG_ENABLED | boolean | false | - | Enable remote syslog transport for forwarding server logs to a remote syslog server. Requires a full server restart to take effect. |
| REMOTE_SYSLOG_HOST | string | - | - | Hostname or IP address of the remote syslog server. Required when REMOTE_SYSLOG_ENABLED is true. |
| REMOTE_SYSLOG_PORT | number | 514 | min: 0 (exclusive), max: 65535 | Port number of the remote syslog server. Defaults to 514. |
| REMOTE_SYSLOG_PROTOCOL | enum [udp, tcp] | udp | enum: [udp, tcp] | Transport protocol for syslog: 'udp' or 'tcp'. Defaults to 'udp'. |
Authentication-related variables. Configure JWT requirements, login bypass, and CCM server integration for secure access and user management.
| Variable | Type | Default Value | Restrictions | Description |
|---|---|---|---|---|
| JWT_required | boolean | false | - | Require JWT authentication for SIP user access. If true, users must provide a valid JWT token to authenticate. |
| BYPASS_AUTH | [DEPRECATED] boolean | false | - | If true, the login page is displayed for user authentication; if false, users are redirected directly to the dashboard without authentication. |
| CCM | string | - | - | IP address or hostname of the CCM server used for SIP communications. Must be a valid IPv4, IPv6, or hostname. |
| SBC_AUTH_TOKEN | string | - | - | SBC API authentication token for Monitor configuration. Generate via SBC web interface or API token endpoint. |
| CCM_AUTH_TOKEN | string | - | - | CCM API authentication token for Monitor configuration to resolve 401 Unauthorized errors. Generate via CCM web interface or tokens.php endpoint. |
Elasticsearch configuration. Set connection details, credentials, and recovery options for the main data store powering search and analytics.
| Variable | Type | Default Value | Restrictions | Description |
|---|---|---|---|---|
| ES | string | - | - | URL of the Elasticsearch server to override the value from database. Must be a valid URL. Used for connecting to the Elasticsearch instance. |
| ES_USERNAME | string | - | - | Username for authenticating with the Elasticsearch server. Required if ES_PASSWORD is provided. |
| ES_PASSWORD | string | - | - | Password for authenticating with the Elasticsearch server. Required if ES_USERNAME is provided. |
| ES_TLS_CA | string | - | - | Elasticsearch CA certificate used by clients to verify TLS connections. Can be a file path or PEM content. |
| ES_RECOVERY_CONFIRMATION_COUNT | number | 3 | - | Number of confirmations required to complete the recovery process in Elasticsearch operations. Controls how many successful confirmations are needed before recovery is considered complete. |
Vector database configuration. Define connection settings, credentials, and recovery options for vector-based data storage and retrieval.
| Variable | Type | Default Value | Restrictions | Description |
|---|---|---|---|---|
| VECTOR_RUNNER | enum [podman, docker, local] | local | enum: [podman, docker, local] | Specify your desired runner |
| VECTOR_ES_ENDPOINT | string | - | - | Override Elasticsearch URL from value config.ES with credentials if needed, e.g. http://elastic:password@localhost:9200 |
| VECTOR_SYSLOG_ENABLED | boolean | - | - | Enable syslog |
| VECTOR_SYSLOG_PORT | number | 514 | min: 0 (exclusive), max: 65535 | Vector SYSLOG port used for communication |
| VECTOR_SYSLOG_TLS_ENABLED | boolean | - | - | Force using GUI TLS key and cert |
| VECTOR_SYSLOG_TRANSPORT_PROTOCOL | enum [tcp, udp] | - | enum: [tcp, udp] | Vector SYSLOG transport layer protocol |
| VECTOR_SYSLOG_CRT_FILE | string | - | - | Path to the certificate file used for SSL/TLS for syslog source |
| VECTOR_SYSLOG_KEY_FILE | string | - | - | Path to the certificate-key file used for SSL/TLS for syslog source |
| VECTOR_SOCKET_PORT | number | 5044 | min: 0 (exclusive), max: 65535 | Vector TCP port used for communication |
| VECTOR_SOCKET_TLS_PORT | number | 5045 | min: 0 (exclusive), max: 65535 | Vector TCP port used for TLS communication |
| VECTOR_SOCKET_ADDR | string | :: | - | Vector host address used for communication |
| INPUT_TLS_ONLY | boolean | - | - | Enable TLS for Vector |
| VECTOR_LOG | enum [trace, debug, info, warn, error, off] | - | enum: [trace, debug, info, warn, error, off] | The vector log. Default will be handled by vector start script |
| VECTOR_API_ADDRESS | string | [::]:8686 | - | Vector API address. Only used for the health check. It should be in IP:PORT format; IPv4 and IPv6 are supported. |
| VECTOR_RECOVERY_CONFIRMATION_COUNT | number | 3 | - | Number of confirmations required for recovery |
| EVENT_TLS_CACERT | string | - | - | Path to the CA file used for SSL/TLS |
| EVENT_TLS_CERT | string | - | - | Path to the certificate file used for SSL/TLS |
| EVENT_TLS_KEY | string | - | - | Path to the certificate-key file used for SSL/TLS |
| EVENT_TLS_KEY_PASS | string | - | - | Passphrase for certificate key |
| TLS_CERT_VERIFY_LEVEL | boolean | false | - | Peer certificate verification level |
| VECTOR_WATCH_CONFIG | boolean | true | - | When this option is enabled, vector will restart on any config change |
| VECTOR_GRACEFUL_SHUTDOWN_LIMIT_SECS | number | 60 | - | Set the duration in seconds to wait for graceful shutdown after SIGINT or SIGTERM is received. After the duration has passed, Vector will force shutdown. Default is 60. |
| VECTOR_SYSLOG_FILE_SINK_ENABLED | boolean | false | - | Enable syslog file sink |
| VECTOR_TIMEZONE | string | - | - | Timezone for Vector. Default is machine timezone |
Analytics and Alerts (AA) configuration. Enable advanced alerting, set endpoints, and control confirmation requirements for alert workflows.
| Variable | Type | Default Value | Restrictions | Description |
|---|---|---|---|---|
| ADVANCED_ALERTS | boolean | - | - | Enable advanced alerts for enhanced monitoring and notification features |
| ADVANCED_ALERTS_URL | string | - | - | The endpoint URL used for advanced alerts when ADVANCED_ALERTS is enabled. Must be a valid URL. |
| AA_RECOVERY_CONFIRMATION_COUNT | number | 3 | min: 1, max: 100 | Number of confirmations required to complete the recovery process. Controls how many successful confirmations are needed before recovery is considered complete. |
Redis environment.
| Variable | Type | Default Value | Restrictions | Description |
|---|---|---|---|---|
| REDIS_ENDPOINT | string | - | - | Redis endpoint, e.g. redis://redis:6379/0 |
| REDIS_RECOVERY_CONFIRMATION_COUNT | number | 3 | - | Number of confirmations required for recovery |
S3 storage configuration. Manage region, endpoint, and credentials for file storage and backup.
| Variable | Type | Default Value | Restrictions | Description |
|---|---|---|---|---|
| UPLOAD_API_S3_FORCE_PATH_STYLE | boolean | false | - | Force path-style access for S3 buckets in the upload API. Useful for S3-compatible services or custom endpoints. |
| AWS_REGION | string | auto | - | AWS region for S3 storage operations. Used to select the correct S3 endpoint. |
| AWS_ENDPOINT_URL_S3 | string | - | - | Custom endpoint URL for S3 storage. Must be a valid URL. Used for S3-compatible services or local testing. |
| AWS_ACCESS_KEY_ID | string | - | - | AWS Access Key ID for authenticating S3 storage operations. |
| AWS_SECRET_ACCESS_KEY | string | - | - | AWS Secret Access Key for authenticating S3 storage operations. |
Manage upload API, TLS, rsync, storage type.
| Variable | Type | Default Value | Restrictions | Description |
|---|---|---|---|---|
| UPLOAD_API_PORT | number | 3042 | min: 0 (exclusive), max: 65535 | Port number for the upload API server to listen on. |
| UPLOAD_API_TLS_KEY_PATH | string | - | - | Filesystem path to the TLS key file used for HTTPS connections in the upload API. |
| UPLOAD_API_USE_SAME_TLS_AS_EVENTS | boolean | false | - | Use the same TLS certificate and key for the Upload API as the ones used for event input. When this option is enabled, the fields for Upload API TLS certificate and key will be ignored. |
| UPLOAD_API_TLS_CERT_PATH | string | - | - | Filesystem path to the TLS certificate file used for HTTPS connections in the upload API. |
| UPLOAD_API_TLS_CA_PATH | string | - | - | Filesystem path to the TLS CA certificate file for validating client certificates in mutual TLS setups. |
| UPLOAD_API_MUTUAL_AUTH | boolean | false | - | Enable mutual TLS authentication for the upload API. If true, both client and server must present valid certificates. |
| UPLOAD_API_RSYNC_PORT | number | 873 | min: 0 (exclusive), max: 65535 | Port number for the rsync server used by the upload API for file synchronization. |
| UPLOAD_API_RSYNC_USER | string | sbcsync | - | Username for authenticating with the rsync server in the upload API. |
| UPLOAD_API_RSYNC_PASSWORD | string | ZJaqCW6zwznD | - | Password for authenticating with the rsync server in the upload API. |
| UPLOAD_API_STORAGE_TYPE | enum [s3, file, null] | file | enum: [s3, file, null] | Type of storage backend used by the upload API. |
| STORAGE_LOCATION | string | /data/abc-monitor/upload-storage | - | Filesystem path or S3 bucket name where uploaded files are stored. |
| DECAP_PATH | string | decap | - | Path to the decap binary |
| FS_EVENTS_PATH | string | fs-events | - | Path to the fs-events binary |
Client-side configuration. Specify allowed hosts and frontend settings for application access and security.
| Variable | Type | Default Value | Restrictions | Description |
|---|---|---|---|---|
| ALLOWED_HOSTS | array | localhost,127.0.0.1,::1 | - | List of hostnames or IP addresses allowed for the UI to connect to the server and used in SSL certificate validation. |
| UI_PORT | number | 3000 | min: 0 (exclusive), max: 65535 | Port number for the user interface (UI) to listen on. |
Channel creation configuration. Define the unique ID, type (e.g., email, sms, webhook), human-readable name, and any custom parameters for the channel setup.
| Variable | Type | Default Value | Restrictions | Description |
|---|---|---|---|---|
| DEFAULT_CHANNEL_ID | string | - | min: 5, pattern: /^[a-zA-Z0-9_-]+$/ | Unique identifier for the notification channel. Used to reference and manage the channel in the system. Must be alphanumeric with dashes/underscores only. |
| DEFAULT_CHANNEL_TYPE | enum [email, snmp, api, matrix] | - | enum: [email, snmp, api, matrix] | Type of the notification channel. |
| DEFAULT_CHANNEL_NAME | string | - | min: 5 | Human-readable name for the channel. Used for display and identification purposes. Must not have leading or trailing spaces. |
| DEFAULT_CHANNEL_PARAMS | object | - | - | JSON string containing channel-specific configuration parameters; each key maps to a parameter object with a 'type' and 'value'. |
Usage Notes
- Add or override variables as needed for your deployment.
- For sensitive values, consider using Docker secrets or Kubernetes secrets.
- Not all variables are required for every service; check your compose/manifest for usage.
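A pre-deployment check of a .env file against what the tables above state (printed secret defaults, deprecated variables, TLS version floor, cross-field requirements), as an added example that is not part of the Frafos code base. The function names `parseDotEnv` and `auditEnv`, the rule names, and the sample file are assumptions of this example; it also assumes the .env file is the only override source being examined.

```javascript
// Added example, not project code: check the key/value pairs of a .env file
// against statements made in the reference tables on this page.

// Defaults this reference prints for secret-bearing variables.
const PUBLISHED_SECRET_DEFAULTS = {
  WEB_PUSH_VAPID_PRV: 'm_zagbTESoDoxQVFg00EbbHLPt0zLI28f9FoXzU3Uj0',
  UPLOAD_API_RSYNC_PASSWORD: 'ZJaqCW6zwznD',
};
// Variables the tables mark [DEPRECATED].
const DEPRECATED_KEYS = ['MOKI_DEBUG', 'PORT', 'BYPASS_AUTH'];
// URL-valued variables that can carry user:password@ credentials.
const CREDENTIAL_URL_KEYS = ['ES', 'VECTOR_ES_ENDPOINT'];

// Minimal KEY=VALUE parser: full-line comments and blank lines are skipped,
// one pair of surrounding quotes is removed. Inline comments are not handled.
function parseDotEnv(text) {
  const env = {};
  for (const line of text.split(/\r?\n/)) {
    const m = /^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$/.exec(line);
    if (m) env[m[1]] = m[2].replace(/^(['"])(.*)\1$/, '$2');
  }
  return env;
}

// Returns a list of { key, rule } findings; rule names are this example's own.
function auditEnv(env) {
  const findings = [];
  const add = (key, rule) => findings.push({ key, rule });

  // Secrets not overridden here, or explicitly set to the printed default.
  // Assumption: no other adapter (SQLite, process env) supplies the value.
  for (const [key, published] of Object.entries(PUBLISHED_SECRET_DEFAULTS)) {
    if (!env[key] || env[key] === published) add(key, 'published-default');
  }
  // Deprecated variables still being set.
  for (const key of DEPRECATED_KEYS) {
    if (key in env) add(key, 'deprecated');
  }
  // TLS 1.0 and 1.1 are deprecated (RFC 8996); flag them as floor or ceiling.
  for (const key of ['TLS_MIN_VERSION', 'TLS_MAX_VERSION']) {
    if (['TLSv1', 'TLSv1.1'].includes(env[key])) add(key, 'legacy-tls');
  }
  // Passwords embedded in a URL that is not https travel in cleartext.
  for (const key of CREDENTIAL_URL_KEYS) {
    if (!env[key]) continue;
    let url;
    try { url = new URL(env[key]); } catch { add(key, 'invalid-url'); continue; }
    if (url.password && url.protocol !== 'https:') add(key, 'cleartext-credentials');
  }
  // Cross-field requirements stated in the descriptions.
  if (Boolean(env.ES_USERNAME) !== Boolean(env.ES_PASSWORD)) {
    add(env.ES_USERNAME ? 'ES_PASSWORD' : 'ES_USERNAME', 'missing-pair');
  }
  if (env.REMOTE_SYSLOG_ENABLED === 'true' && !env.REMOTE_SYSLOG_HOST) {
    add('REMOTE_SYSLOG_HOST', 'required-when-enabled');
  }
  return findings;
}

// Constructed sample .env (not a real deployment).
const SAMPLE_ENV = [
  '# --- constructed sample ---',
  'NODE_ENV=production',
  'TLS_MIN_VERSION=TLSv1.1',
  'BYPASS_AUTH=false',
  'ES_USERNAME=elastic',
  'VECTOR_ES_ENDPOINT="http://elastic:example-pw@es:9200"',
  'UPLOAD_API_RSYNC_PASSWORD=ZJaqCW6zwznD',
  'REMOTE_SYSLOG_ENABLED=true',
].join('\n');

for (const f of auditEnv(parseDotEnv(SAMPLE_ENV))) {
  console.log(`${f.rule.padEnd(22)} ${f.key}`);
}
```

Run it in CI against the file that will actually be mounted; an empty result means none of these documented pitfalls is present in that file.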
Config Adapters
Under the hood, configuration can come from several different sources. Each source is handled by a Config Adapter:
| Priority | Adapter | Definition | How it works | Source | Overrides |
|---|---|---|---|---|---|
| 1 | Default settings adapter | Provides baseline configuration | Loads values from defaults.json | defaults.json file | None (lowest priority) |
| 2 | Sqlite settings adapter | Project-level stored settings | Reads key/value pairs from SQLite table | SQLite DB | Defaults |
| 3 | dotEnv adapter for .env | Environment file overrides | Parses .env and merges variables | .env file | Defaults, Sqlite |
| 4 | dotEnv adapter for .env.{NODE_ENV} | Environment-specific overrides | Parses .env.dev, .env.production, etc. | .env.{NODE_ENV} file | All lower priorities (1–3) |
| 5 | systemEnv adapter | System-level overrides | Reads from actual OS environment variables | Process environment | All lower priorities (1–4) |
Adapter Priority
Adapters are evaluated in order, from lowest to highest priority.
- Lower-priority adapters (smaller numbers) provide defaults or fallbacks.
- Higher-priority adapters (larger numbers) can override values from lower-priority ones.
- The highest-priority adapter always wins if multiple adapters define the same key.
- After all adapters are applied in sequence, the final result is validated against the Zod schema rules.
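The priority order above, worked through on constructed layers, as an added example that is not the project's implementation. The adapter keys (`defaults`, `sqlite`, `dotenv`, `dotenvNodeEnv`, `systemEnv`), the function names and the hand-written validator standing in for the Zod schema are assumptions; the restrictions themselves are copied from the tables on this page.

```javascript
// Added example, not the project's implementation: resolve configuration
// layers in the priority order of the Config Adapters table, then validate.
// Layer contents are constructed sample data.

// Adapter names in ascending priority (1 = lowest ... 5 = highest).
const ADAPTER_ORDER = ['defaults', 'sqlite', 'dotenv', 'dotenvNodeEnv', 'systemEnv'];

// Restrictions copied from the reference tables; a hand-written stand-in for
// the Zod schema the page mentions.
const RULES = {
  NODE_ENV: { enum: ['dev', 'test', 'production'] },
  LOG_LEVEL: { enum: ['trace', 'debug', 'info', 'warn', 'error', 'fatal'] },
  SERVER_PORT: { minExclusive: 0, max: 65535 },
  PORT: { minExclusive: 0, max: 65535 },
  AA_RECOVERY_CONFIRMATION_COUNT: { min: 1, max: 100 },
};

// Apply layers lowest priority first so later adapters overwrite earlier
// ones; remember which adapter supplied each effective value.
function resolveConfig(layers) {
  const values = {};
  const source = {};
  for (const name of ADAPTER_ORDER) {
    for (const [key, value] of Object.entries(layers[name] || {})) {
      if (value === undefined) continue;
      values[key] = value;
      source[key] = name;
    }
  }
  return { values, source };
}

// Validate only the merged result, as the page describes: a bad value in a
// low-priority layer does not matter if a higher layer replaces it.
function validateConfig(values) {
  const errors = [];
  for (const [key, rule] of Object.entries(RULES)) {
    if (!(key in values)) continue;
    const raw = values[key];
    if (rule.enum) {
      if (!rule.enum.includes(String(raw))) errors.push(`${key}: '${raw}' is not an allowed value`);
      continue;
    }
    const n = Number(raw); // .env and process env deliver strings
    if (!Number.isFinite(n)) errors.push(`${key}: '${raw}' is not a number`);
    else if (rule.minExclusive !== undefined && n <= rule.minExclusive) errors.push(`${key}: must be > ${rule.minExclusive}`);
    else if (rule.min !== undefined && n < rule.min) errors.push(`${key}: must be >= ${rule.min}`);
    else if (rule.max !== undefined && n > rule.max) errors.push(`${key}: must be <= ${rule.max}`);
  }
  return errors;
}

// The deprecated PORT still takes priority over SERVER_PORT when both are set.
function effectiveServerPort(values) {
  return Number(values.PORT !== undefined ? values.PORT : values.SERVER_PORT);
}

// Constructed layers: one object per adapter.
const SAMPLE_LAYERS = {
  defaults: { NODE_ENV: 'production', SERVER_PORT: 5000, LOG_LEVEL: 'info', AA_RECOVERY_CONFIRMATION_COUNT: 3 },
  sqlite: { LOG_LEVEL: 'debug', SERVER_PORT: 70000 },       // invalid, but overridden below
  dotenv: { SERVER_PORT: '8443', LOG_LEVEL: 'warn' },
  dotenvNodeEnv: { AA_RECOVERY_CONFIRMATION_COUNT: '500' }, // out of range, survives the merge
  systemEnv: { SERVER_PORT: '9000' },
};

function demo() {
  const { values, source } = resolveConfig(SAMPLE_LAYERS);
  return { values, source, errors: validateConfig(values), port: effectiveServerPort(values) };
}

console.log(demo());
```

The `source` map is the part worth keeping in a real deployment: it shows at a glance whether a secret injected through the process environment actually replaced the value in `.env` or in SQLite.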