ppem-manager.yml

ppem-manager.yml — YAML configuration file for the manager

Overview #

The configuration file is located at /etc/ppem-manager.yml.

You can specify how the parameters are handled using the special use_storage_config parameter.

After making any changes to the configuration file, the manager service must be restarted:

systemctl restart ppem

The configuration file is organized into the following sections:

Configuring Parameter Handling #

The configuration file contains the special use_storage_config parameter.

If this parameter is set to true, values from the configuration storage override the ones from the configuration file.

Default value: false — the manager uses parameters from the configuration file.

Logging Parameters #

The log section allows configuring logging parameters for the manager.

For more information about configuring the audit event log and alert notifications, refer to the section called “Audit Event Log Parameters” and the section called “Alert and Notification Parameters”.

log:
  level: logging_level
  format: log_format
  options:
    csv_field_delimiter: delimiter_character
  file:
    path: absolute_path_to_log_file
    mode: log_file_access_mode

level (enum) #

The logging level.

Possible values:

  • debug

  • info

  • warn

  • error

Each logging level includes the previous one, for example, warn includes log messages of the info and debug levels.

format (enum, optional) #

The logging format.

Possible values:

  • json: The JSON format.

  • pretty: The prettified JSON format, such as the one the jq utility generates.

  • csv: The plaintext CSV format.

    You can specify the CSV delimiter using the options.csv_field_delimiter parameter.

Default value: json.

options.csv_field_delimiter (string, optional) #

The single-character string that represents the CSV delimiter to use.

This parameter is only applicable if the format parameter is set to csv.

Default value: , (comma character).

file (object, optional) #

The file for writing logs. The manager must have the privilege to write to this file. If the file does not exist, the manager creates it.

If this parameter is not specified, PPEM writes logs to stdout.

path (string, not empty) #

The absolute path to the log file, for example, /var/log/ppem.log.

mode (string, not empty) #

The numeric string that represents the file access mode, in a format similar to the one chmod uses, for example, 0644.

Repository Database Parameters #

The repo section allows configuring the repository database parameters.

Most of the parameters specify how to connect to the repository database, and the schema parameter specifies the name of the schema where to store the database objects.

repo:
  schema: schema_for_repository_objects
  url: connection_URL

  # Key/value connection string (alternative)
  host: host_name
  port: port
  name: database_name
  user: user_name
  password: user_password

  fallback_addresses: [list_of_fallback_host_addresses]
  target_session_attrs: target_session_attributes

  sslmode: secure_connection_mode
  sslrootcert: root_CA_certificate_file
  sslcert: public_certificate_file
  sslkey: private_key_file

  max_conns: maximum_number_of_connections
  max_conn_lifetime: active_connection_timeout
  max_conn_idle_time: idle_connection_timeout

  # Parameters of connections which relate to instance objects
  instance_objects_repo_pool:
    max_conns: maximum_number_of_connections
    max_conn_lifetime: active_connection_timeout
    max_conn_idle_time: idle_connection_timeout

schema (string) #

The name of the schema where to store the repository database objects.

For a new PPEM installation, you can simply specify the schema name. Changing the schema name for a running PPEM installation with multiple existing objects requires following a more complex procedure.

Default value: public.

url (string, optional) #

The connection URL for the repository database.

Example: postgres://ppem@dbms.example.org/ppem.

Default value: "" (empty string).

host (string, optional)
port (port number, optional)
name (string, optional)
user (string, optional)
password (string, optional) #

Keyword/value connection string parameters for the repository database.

If the connection URI is specified using the url parameter, it takes precedence over the keyword/value connection string.

Default value for port: 5432.

Default value for other parameters: "" (empty string).

fallback_addresses (list of strings, optional) #

The list of fallback addresses in the host:port format.

If a connection attempt that uses the connection strings above fails, other connection attempts are made using fallback addresses.

Example:

fallback_addresses:
  - prod.example.org:5432
  - dev.example.com:55432

Default value: [] (empty list).

target_session_attrs (string, optional) #

The target session attributes.

Default value: any.

sslmode (string, optional)
sslrootcert (string, optional)
sslcert (string, optional)
sslkey (string, optional) #

The SSL parameters of the database connection.

Default value for sslmode: prefer.

Default value for other parameters: "" (empty string).

max_conns (integer, optional)
max_conn_lifetime (time string, optional)
max_conn_idle_time (time string, optional) #

The parameters of the connection pooler that is used when connecting to the repository database:

  • max_conns: The maximum number of allowed connections.

    Default value: 4.

  • max_conn_lifetime: The active connection timeout.

    Active connections that exceed the timeout are closed.

    Default value: 1h.

  • max_conn_idle_time: The idle connection timeout.

    Idle connections that exceed the timeout are closed.

    Default value: 10m.

instance_objects_repo_pool (object, optional) #

The parameters of the connection pooler that is used when working with instance objects:

max_conns (integer, optional)
max_conn_lifetime (time string, optional)
max_conn_idle_time (time string, optional) #

  • max_conns: The maximum number of allowed connections.

    Default value: 4.

  • max_conn_lifetime: The active connection timeout.

    Active connections that exceed the timeout are closed.

    Default value: 1h.

  • max_conn_idle_time: The idle connection timeout.

    Idle connections that exceed the timeout are closed.

    Default value: 10m.

Integration Parameters #

The integrations section allows configuring PPEM integration with other Postgres Pro products and solutions.

integrations:
  askpostgres:
    enabled: true_or_false
    base_url: "https://ask.postgrespro.ru"
    source: "ppem"
    timeouts:
      base: non_streaming_HTTP_requests_timeout
      time_to_first_token: first_token_timeout
      idle: streaming_HTTP_requests_idle_timeout

askpostgres (object) #

Parameters of integration with Ask Postgres. For more information, refer to Chapter 65.

enabled (boolean) #

Specifies whether the AskPostgres chat integration is enabled.

If set to false, the chat icon is not displayed in the web application, and the remaining parameters are optional.

Default value: false — integration is disabled.

base_url (string) #

The base URL of the Ask Postgres service.

Do not change this parameter unless you are using a locally deployed Ask Postgres instance.

Default value: https://ask.postgrespro.ru/api/v1.

source (string) #

Important

This is a service parameter, do not change it.

The request source ID sent in the X-Source HTTP header to the Ask Postgres service.

Fixed value: ppem.

timeouts (object) #

The timeout parameters for requests to Ask Postgres:

base (time string) #

The timeout for non-streaming HTTP requests, such as creating a chat, retrieving messages, or canceling response generation.

Default value: 20s.

time_to_first_token (time string) #

The timeout for receiving the first token in the response stream. If the stream starts but no token is received within this time, the request fails with a timeout error.

Default value: 120s.

idle (time string) #

The idle timeout for the response stream, which resets whenever a new token is received. If no token is received within this time, the stream fails with a timeout error.

Default value: 60s.

HTTP Parameters #

The http section allows configuring HTTP server and client parameters, as well as multiple API-related parameters.

http:
  server:
    address: listen_network_address
    port: listen_network_port
    tls:
      cert_file: public_certificate_file
      key_file: private_key_file
    static_files_path: path_to_web_application_static_files
    timeout: HTTP_request_processing_timeout
    security:
      enabled: true_or_false
      csp_policy: content_security_policy_header
      cache_control: cache_control_header
      pragma: Pragma_header
      expires: expires_header
      frame_options: x_frame_options_header
      content_type_options: x_content_type_options_header
      permissions_policy: permissions_policy_header
      referrer_policy: referrer_policy_header
      strict_transport_security: strict_transport_security_header
      cross_origin_embedder_policy: cross_origin_embedder_policy_header
      cross_origin_opener_policy: cross_origin_opener_policy_header
      cross_origin_resource_policy: cross_origin_resource_policy_header
    cors:
      allowed_origins: [list_of_allowed_origins]
      allowed_methods: [list_of_allowed_HTTP_methods]
      allowed_headers: [list_of_allowed_HTTP_headers]
      exposed_headers: [list_of_exposed_HTTP_headers]
      allow_credentials: access_control_allow_credentials_header
      max_age: access_control_max_age_header
    real_ip_header_name: header_with_originating_IP_address

  client:
    timeouts:
      http: HTTP_request_timeout
      tls_handshake: TLS_handshake_timeout
      dialer: HTTP_dialer_timeout
      response_header: HTTP_response_header_wait_timeout
    insecure_skip_verify: skip_server_certificate_verification
    root_ca_files: [list_of_root_CA_certificate_files]

  pagination:
    max_page_size: maximum_objects_in_single_response
  api:
    disabled: {object_with_disabled_API_endpoints}

HTTP Server Parameters #

address (string, optional) #

The network address to listen on.

If you specify an empty string, the server listens on all network interfaces.

Default value: localhost.

port (port number, optional) #

The network port to listen on.

Default value: 8080.

tls (object) #

The TLS certificate parameters that are required to enable HTTPS on the server.

If you do not specify any certificate and key files (empty strings), the web application is only available via HTTP.

cert_file (string) #

The absolute path to the public certificate file.

Default value: "" (empty string).

key_file (string) #

The absolute path to the private key file.

Default value: "" (empty string).

static_files_path (string) #

The path to the static files of the PPEM web application.

Default value: "" (empty string).

timeout (time string, optional) #

The processing timeout for an HTTP request.

Default value: 60s.

security (object) #

Security parameters of the HTTP server. These parameters are mostly used to set the values of the security-related HTTP headers.

You must configure the cross-origin-*-policy parameters manually because PPEM does not provide default values for them.

enabled (boolean, optional) #

Specifies whether the processing of the security-related HTTP headers is enabled.

Default value: false — processing is disabled.

csp_policy (string, optional) #

The value of the Content-Security-Policy HTTP response header. Helps to prevent XSS, clickjacking, and other code injection attacks.

Default value depends on whether the HTTP server is configured to handle HTTPS:

  • HTTP mode: default-src 'none'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self'; connect-src 'self'; media-src 'self'; form-action 'self'; base-uri 'self'; frame-ancestors 'none'; frame-src https://postgrespro.com/; object-src 'none'.

  • HTTPS mode: default-src 'none'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self'; connect-src 'self'; media-src 'self'; form-action 'self'; base-uri 'self'; frame-ancestors 'none'; frame-src https://postgrespro.com/; object-src 'none'; upgrade-insecure-requests.

cache_control (string, optional) #

The value of the Cache-Control HTTP header. Controls caching in browsers. The default value helps to prevent caching of API responses that may contain sensitive or dynamic data.

Default value: no-store, no-cache, must-revalidate.

pragma (string, optional) #

The value of the Pragma HTTP header.

This header is deprecated and provides backward compatibility with HTTP/1.0 caches that do not support the Cache-Control HTTP header.

Default value: no-cache.

expires (string, optional) #

The value of the Expires HTTP response header.

This header provides backward compatibility with HTTP/1.0 caches that do not support the Cache-Control HTTP header.

Default value: 0.

frame_options (string, optional) #

The value of the X-Frame-Options HTTP response header. Helps to prevent clickjacking attacks.

Default value: "" (empty string).

content_type_options (string, optional) #

The value of the X-Content-Type-Options HTTP response header. Helps to prevent MIME type sniffing attacks.

Default value: "" (empty string).

permissions_policy (string, optional) #

The value of the Permissions-Policy HTTP response header. Controls which browser features and device APIs can be used. The default value denies access to the features which may disclose sensitive information, such as camera, microphone, and geolocation.

Default value: "accelerometer=(), autoplay=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()".

referrer_policy (string, optional) #

The value of the Referrer-Policy HTTP response header. Controls how much referrer information to include with requests.

Default value: strict-origin-when-cross-origin.

strict_transport_security (string, optional) #

The value of the Strict-Transport-Security HTTP response header. Forces browsers to use HTTPS connections only. Applicable only if the HTTP server is configured to handle HTTPS, otherwise ignored.

Default value:

  • HTTP mode: "" (empty string) — not applicable.

  • HTTPS mode: max-age=31536000; includeSubDomains.

cross_origin_embedder_policy (string) #

The value of the Cross-Origin-Embedder-Policy HTTP response header.

Default value: "" (empty string).

cross_origin_opener_policy (string) #

The value of the Cross-Origin-Opener-Policy HTTP response header.

Default value: "" (empty string).

cross_origin_resource_policy (string) #

The value of the Cross-Origin-Resource-Policy HTTP response header.

Default value: "" (empty string).

cors (object) #

CORS-related security parameters of the HTTP server.

Most of these parameters are related to the Access-Control-* headers. For convenience, such parameters are represented as a list of strings. Then, depending on the header format, these strings are processed as follows:

  • If a single value can be specified in the header, then each string from the list is sent in the dedicated header.

    Example:

    allowed_origins:
    - "example.com"               ->    Access-Control-Allow-Origin: example.com
    - "prod.example.org"          ->    Access-Control-Allow-Origin: prod.example.org
    
  • If multiple values can be specified in the header, then the strings from the list are concatenated, and the resulting string is sent in the header.

    Example:

    exposed_headers:               -> Access-Control-Expose-Headers: Content-Encoding, X-Forwarded-For
    - "Content-Encoding"
    - "X-Forwarded-For"
    
allowed_origins (list of strings) #

The values of the Access-Control-Allow-Origin HTTP response headers.

Default value: [] (empty list).

allowed_methods (list of strings) #

The values of the Access-Control-Allow-Methods HTTP response header.

Default value: [] (empty list).

allowed_headers (list of strings) #

The values of the Access-Control-Allow-Headers HTTP response header.

Default value: [] (empty list).

exposed_headers (list of strings) #

The values of the Access-Control-Expose-Headers HTTP response header.

Default value: [] (empty list).

allow_credentials (boolean) #

The value of the Access-Control-Allow-Credentials HTTP response header.

Default value: false.

max_age (integer) #

The value of the Access-Control-Max-Age HTTP response header.

Default value: 0.
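The security and cors parameters above describe how a configuration block turns into response headers: the CSP and HSTS defaults depend on whether TLS is configured, HSTS is ignored in HTTP mode, the cross-origin-* headers have no defaults, and CORS lists are either split into one header per entry or joined into a single header. The following Python is an added example that models those documented rules so an operator can see which headers a given block yields and which hardening headers are still unset; it is not PPEM's own code, and its treatment of an empty string as "header not sent" is an assumption of the example.

```python
from typing import Dict, List, Tuple

# Defaults quoted from the parameter descriptions above. X-Frame-Options,
# X-Content-Type-Options and the cross-origin-* headers have no defaults.
CSP_HTTP = (
    "default-src 'none'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; "
    "img-src 'self' data: blob:; font-src 'self'; connect-src 'self'; media-src 'self'; "
    "form-action 'self'; base-uri 'self'; frame-ancestors 'none'; "
    "frame-src https://postgrespro.com/; object-src 'none'"
)
CSP_HTTPS = CSP_HTTP + "; upgrade-insecure-requests"
HSTS_HTTPS = "max-age=31536000; includeSubDomains"

DEFAULTS = {
    "cache_control": "no-store, no-cache, must-revalidate",
    "pragma": "no-cache",
    "expires": "0",
    "frame_options": "",
    "content_type_options": "",
    "permissions_policy": "accelerometer=(), autoplay=(), camera=(), geolocation=(), "
                          "gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()",
    "referrer_policy": "strict-origin-when-cross-origin",
    "cross_origin_embedder_policy": "",
    "cross_origin_opener_policy": "",
    "cross_origin_resource_policy": "",
}

HEADER_NAMES = {
    "csp_policy": "Content-Security-Policy",
    "cache_control": "Cache-Control",
    "pragma": "Pragma",
    "expires": "Expires",
    "frame_options": "X-Frame-Options",
    "content_type_options": "X-Content-Type-Options",
    "permissions_policy": "Permissions-Policy",
    "referrer_policy": "Referrer-Policy",
    "strict_transport_security": "Strict-Transport-Security",
    "cross_origin_embedder_policy": "Cross-Origin-Embedder-Policy",
    "cross_origin_opener_policy": "Cross-Origin-Opener-Policy",
    "cross_origin_resource_policy": "Cross-Origin-Resource-Policy",
}

NO_DEFAULT = ("X-Frame-Options", "X-Content-Type-Options", "Cross-Origin-Embedder-Policy",
              "Cross-Origin-Opener-Policy", "Cross-Origin-Resource-Policy")


def security_headers(security: dict, https: bool) -> Dict[str, str]:
    """Headers the http.server.security block yields for a response.

    Nothing is sent when `enabled` is false; CSP and HSTS defaults depend on the
    TLS mode; HSTS is ignored in HTTP mode. An empty value means "not sent"
    (assumption of this example).
    """
    if not security.get("enabled", False):
        return {}
    values = dict(DEFAULTS)
    values["csp_policy"] = CSP_HTTPS if https else CSP_HTTP
    values["strict_transport_security"] = HSTS_HTTPS if https else ""
    for key, value in security.items():
        if key in HEADER_NAMES:
            values[key] = value
    if not https:
        values["strict_transport_security"] = ""  # "otherwise ignored"
    return {HEADER_NAMES[k]: v for k, v in values.items() if v}


def missing_hardening(headers: Dict[str, str]) -> List[str]:
    """Documented headers without a default that are still absent from a response."""
    return [name for name in NO_DEFAULT if name not in headers]


SINGLE_VALUE = {"allowed_origins": "Access-Control-Allow-Origin"}
MULTI_VALUE = {
    "allowed_methods": "Access-Control-Allow-Methods",
    "allowed_headers": "Access-Control-Allow-Headers",
    "exposed_headers": "Access-Control-Expose-Headers",
}


def cors_headers(cors: dict) -> List[Tuple[str, str]]:
    """Header lines for the cors block, following the two list-handling rules above."""
    lines: List[Tuple[str, str]] = []
    for key, name in SINGLE_VALUE.items():      # one header per list entry
        for value in cors.get(key, []):
            lines.append((name, value))
    for key, name in MULTI_VALUE.items():       # entries joined into one header
        values = cors.get(key, [])
        if values:
            lines.append((name, ", ".join(values)))
    if cors.get("allow_credentials", False):
        lines.append(("Access-Control-Allow-Credentials", "true"))
    if cors.get("max_age", 0):
        lines.append(("Access-Control-Max-Age", str(cors["max_age"])))
    return lines


if __name__ == "__main__":
    # Constructed sample: HTTPS deployment that also sets the two headers without defaults.
    cfg = {"enabled": True, "frame_options": "DENY", "content_type_options": "nosniff"}
    sent = security_headers(cfg, https=True)
    for name, value in sent.items():
        print(f"{name}: {value}")
    print("still unset:", missing_hardening(sent))
```

Running the script against a block with only `enabled: true` shows that X-Frame-Options, X-Content-Type-Options and the three cross-origin-* headers stay unset, which is the operational point of the note that PPEM provides no defaults for them.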

real_ip_header_name (string, optional) #

The name of the HTTP header which must be used for identifying the originating IP address of a client connecting to the HTTP server through a proxy server.

The X-Forwarded-For header is an example of such a header.

Default value: "" (empty string).

HTTP Client Parameters #

timeouts (object) #

Timeouts for the HTTP client.

http (time string) #

The HTTP request timeout.

Default value: 60s.

tls_handshake (time string) #

The TLS handshake timeout.

Default value: 2s.

dialer (time string) #

The dialer timeout when the client tries to reach the server. A connection attempt must succeed within this time interval.

Default value: 2s.

response_header (time string) #

The timeout of waiting for the HTTP response headers after sending an HTTP request to a server.

Default value: 20s.

insecure_skip_verify (boolean, optional) #

Important

Using this parameter poses a security risk.

It is recommended to use it exclusively for testing and debugging purposes, but not in the production environment.

Specifies whether the verification of a server TLS certificate is disabled.

Default value: false — the certificate is verified.

root_ca_files (list of strings, optional) #

The list of absolute paths to root CA certificates used to verify a server certificate.

Default value: [] (empty list) — the certificates from the operating system store are used.

HTTP API Server Parameters #

pagination.max_page_size (integer, optional) #

The maximum number of entries in a single API response (the page size).

Default value: 100.

api.disabled (object, optional) #

The object that contains the disabled HTTP REST API endpoints. If a client requests a disabled endpoint, the server sends an error response with the 503 Service Unavailable HTTP status code.

The object contains entries in the following format: api_endpoint: list_of_disabled_http_methods.

Example:

api:
  disabled:
    "/v1/endpoint": ["GET", "POST", "PUT", "DELETE", "PATCH"]
    "/v1/instances/{id}/endpoint": ["POST"]

Default value: {} (empty object) — all API endpoints are enabled.
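The example above shows path templates with a `{id}` segment and a per-path list of disabled methods. The following Python is an added example, not PPEM's own code, of the matching logic such a configuration implies: each template is compiled to a pattern in which a `{name}` segment matches exactly one non-empty path segment, and a request is answered with 503 only when both the path and the method match. Exact, whole-path matching is an assumption of the example.

```python
import re
from typing import Dict, List, Optional, Pattern


def compile_template(template: str) -> Pattern:
    """Turn "/v1/instances/{id}/endpoint" into a regex matching one segment per {name}."""
    parts = re.split(r"(\{[^}]+\})", template)
    body = "".join(r"[^/]+" if p.startswith("{") else re.escape(p) for p in parts)
    return re.compile("^" + body + "$")


class DisabledEndpoints:
    """The api.disabled object: path template -> list of disabled HTTP methods."""

    def __init__(self, disabled: Dict[str, List[str]]) -> None:
        self.rules = [(compile_template(path), {m.upper() for m in methods})
                      for path, methods in disabled.items()]

    def status_for(self, method: str, path: str) -> Optional[int]:
        """503 if the request hits a disabled endpoint, otherwise None (request proceeds)."""
        for pattern, methods in self.rules:
            if pattern.match(path) and method.upper() in methods:
                return 503
        return None


if __name__ == "__main__":
    # Constructed configuration mirroring the page's example.
    guard = DisabledEndpoints({
        "/v1/endpoint": ["GET", "POST", "PUT", "DELETE", "PATCH"],
        "/v1/instances/{id}/endpoint": ["POST"],
    })
    for method, path in [("POST", "/v1/instances/42/endpoint"),
                         ("GET", "/v1/instances/42/endpoint"),
                         ("GET", "/v1/endpoint")]:
        print(method, path, "->", guard.status_for(method, path) or "allowed")
```

The template matches a single segment only, so `/v1/instances//endpoint` or a path with extra segments does not match; when disabling an endpoint for defensive reasons, check that every path variant the client can actually send is covered.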

JWT Session Parameters #

The jwt section allows configuring user session parameters and parameters related to JSON Web Tokens.

jwt:
  secret: secret_for_signing_JWTs

  lifetime:
    access: access_token_lifetime
    refresh: refresh_token_lifetime

  max_sessions_per_user: maximum_sessions_per_user
  max_failed_login_attempts: maximum_failed_login_attempts_per_user

  password_policy:
    length_min: minimum_password_length
    length_max: maximum_password_length
    allowed_symbols: allowed_characters_in_password
    entropy_min: minimum_entropy_of_password
    history_depth: size_of_stored_password_history

secret (string) #

The secret that is used to sign an issued token.

Refresh tokens are used to issue access tokens. Access tokens are used to authenticate users in PPEM.

For more information about these tokens, refer to Section 7.5.

Default value: secret.

lifetime (object) #

The token lifetime values. A token older than the specified lifetime is considered expired and cannot be used. In that case, a new token must be issued.

access (time string) #

The lifetime of an access token.

Default value: 30m.

refresh (time string) #

The lifetime of a refresh token.

Default value: 24h.

max_sessions_per_user (integer) #

The maximum number of active sessions per user.

Default value: 10.

max_failed_login_attempts (integer) #

The maximum number of failed attempts to log in to the web application, after which the user is automatically blocked from logging in again.

Users blocked due to too many failed log-in attempts are not unblocked automatically, but can be unblocked manually.

Default value: 0.

password_policy (object) #

The password policy that is applied for all objects that require a password to be specified. The policy is in effect for the entire PPEM installation.

length_min (integer) #

The minimum password length.

Default value: 8.

length_max (integer) #

The maximum password length.

Default value: 64.

allowed_symbols (string) #

Allowed password characters.

This parameter can be used for compliance with the organization security policies, for example, to exclude ambiguous characters from passwords.

Example:

abcdEFGHI123456$%^

Default value: "" (empty string) — any character is permitted.

entropy_min (integer) #

The minimum entropy value for passwords, calculated as:

password_length × log2(size_of(allowed_symbols))

The entropy value serves as the measure of the password complexity and its cryptographic strength. It is recommended to maintain an entropy value of 50–70 or higher.

Example:

If allowed characters are abcdefghijklmnopqrstuvwxyz, and the password is helloaaa, then the entropy is:

8 × log2(26) = 37.6

Therefore, this password has low entropy value.

Default value: 0 — a password of any entropy can be used.

history_depth (integer) #

The number of previous passwords that PPEM stores.

If the hash of a new password of a user matches any of the stored previous password hashes, then PPEM rejects the new password, requiring it to differ from all previously used passwords.

This parameter can be used for compliance with the organization security policies, for example, to enforce users to rotate their passwords.

Default value: 0 — no previously used passwords are stored, and any new password is accepted.
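The password_policy parameters above (length_min, length_max, allowed_symbols, entropy_min and history_depth) together decide whether a candidate password is accepted. The following Python is an added example, not PPEM's own code, that applies all five rules to a password and reproduces the page's entropy calculation for helloaaa over the 26 lowercase letters. Two assumptions are the example's own: when allowed_symbols is empty the alphabet size is taken as the 95 printable ASCII characters, and SHA-256 stands in for whatever hash PPEM stores in the password history.

```python
import hashlib
import math
from typing import List

PRINTABLE_ASCII = 95  # assumption: alphabet size when allowed_symbols is "" (any character)


def password_entropy(password: str, allowed_symbols: str) -> float:
    """Entropy as the page defines it: password_length × log2(size_of(allowed_symbols))."""
    alphabet = len(set(allowed_symbols)) if allowed_symbols else PRINTABLE_ASCII
    return len(password) * math.log2(alphabet)


def password_hash(password: str) -> str:
    """Stand-in for the stored history hash (assumption: the page does not name the algorithm;
    a real store would use a salted, slow password hash rather than plain SHA-256)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class PasswordPolicy:
    """Checks a candidate password against the jwt.password_policy parameters."""

    def __init__(self, length_min: int = 8, length_max: int = 64, allowed_symbols: str = "",
                 entropy_min: int = 0, history_depth: int = 0) -> None:
        self.length_min = length_min
        self.length_max = length_max
        self.allowed_symbols = allowed_symbols
        self.entropy_min = entropy_min
        self.history_depth = history_depth

    def violations(self, password: str, previous_hashes: List[str]) -> List[str]:
        """Rules the password breaks; an empty list means it is accepted.

        previous_hashes is the user's stored history, oldest first; only the most
        recent history_depth entries are consulted, matching the page's description.
        """
        problems: List[str] = []
        if len(password) < self.length_min:
            problems.append(f"shorter than length_min={self.length_min}")
        if len(password) > self.length_max:
            problems.append(f"longer than length_max={self.length_max}")
        if self.allowed_symbols:
            disallowed = sorted(set(password) - set(self.allowed_symbols))
            if disallowed:
                problems.append("characters outside allowed_symbols: " + "".join(disallowed))
        if self.entropy_min:
            entropy = password_entropy(password, self.allowed_symbols)
            if entropy < self.entropy_min:
                problems.append(f"entropy {entropy:.1f} below entropy_min={self.entropy_min}")
        if self.history_depth and password_hash(password) in previous_hashes[-self.history_depth:]:
            problems.append(f"matches one of the last {self.history_depth} passwords")
        return problems


if __name__ == "__main__":
    lowercase = "abcdefghijklmnopqrstuvwxyz"
    print(f"entropy of helloaaa: {password_entropy('helloaaa', lowercase):.1f}")  # 37.6
    policy = PasswordPolicy(allowed_symbols=lowercase, entropy_min=50, history_depth=3)
    print(policy.violations("helloaaa", []))
    print(policy.violations("zzzzzzzzzzzz", [password_hash("zzzzzzzzzzzz")]))
```

Note that the formula credits every character with the full alphabet, so a repetitive password such as zzzzzzzzzzzz scores 56.4 with the lowercase alphabet; entropy_min bounds the search space a policy permits, not the quality of a specific choice, which is why the page pairs it with length, character-set and history rules.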

Encryption Parameters #

The repository can contain sensitive information.

The crypto section allows configuring an additional protection level for such secrets.

crypto:
  enabled: true_or_false
  key: encryption_key
  salt: salt_string

enabled (boolean) #

Specifies whether the encryption of secrets is enabled.

Default value: false — encryption is disabled.

key (string) #

The encryption key.

Default value: "" (empty string).

salt (string, optional) #

The salt string that is added to the key prior to hashing and storing it.

This string helps to defend against attacks that use precomputed hash tables for the most common passwords.

Default value: "" (empty string) — salt is not added to the key.

Backup Integration Parameters #

PPEM does not provide the backup and restore capabilities. Instead, it integrates with a backup and restore solution which is installed on the DBMS servers.

The backups section allows configuring integration with backup solutions.

backups:
  scheduler:
    interval: interval_between_data_synchronization
  commands:
    timeout: timeout_of_backup_and_restore_commands

scheduler.interval (time string) #

The data synchronization interval between the manager and agents.

Default value: 10s.

commands.timeout (time string) #

The timeout of backup and restore commands that are executed on a DBMS server by the agent.

Default value: 5h.

OIDC Integration Parameters #

PPEM supports different authentication flows: it can authenticate users either locally or via third-party services.

The oidc section allows configuring integration with an OpenID Connect provider.

PPEM is the relying party (RP) from the provider point of view.

For a configuration example of the Keycloak provider, refer to Section 7.6.

oidc:
  issuer: OpenID_provider_URL
  client_id: relying_party_ID
  client_secret: relying_party_secret
  callback_host: relying_party_host
  login_timeout: authentication_timeout
  scopes: [OpenID_scopes]

issuer (string, not empty) #

The URL of the OpenID Connect provider.

client_id (string, not empty) #

The client ID of the relying party (RP).

This ID must be issued by the OpenID provider during the configuration process on the provider side.

client_secret (string, not empty) #

The client secret of the relying party (RP).

This secret must be issued by the OpenID provider during the configuration process on the provider side.

callback_host (string, not empty) #

The address and port of the manager.

After successful authentication of a user, the OpenID provider redirects the user back to PPEM using the callback URL to finish the authentication flow.

The callback URL is as follows:

scheme://callback_host/auth/oidc/callback

The scheme can be http or https depending on whether HTTPS is enabled for the PPEM HTTP server.

login_timeout (time string) #

The user authentication timeout.

If the timeout occurs, reauthentication is required.

Default value: 10m.

scopes (list of strings) #

The list of OpenID Connect scopes.

The openid and email scopes are mandatory for successful integration of PPEM with the OpenID Connect provider.

Default value: [openid, profile, email].

LDAP Integration Parameters #

PPEM supports different authentication flows: it can authenticate users either locally or via third-party services.

The ldap section allows configuring integration with the OpenLDAP and Microsoft Active Directory directory services.

For more information about configuring such integration, refer to Chapter 28.

ldap:
  type: directory_service_type
  url: directory_service_network_address
  bind_username: directory_service_username
  bind_password: directory_service_user_password
  base_dn: directory_service_base_DN
  prefix_user_dn: DN_prefix_for_users
  prefix_group_dn: DN_prefix_for_user_groups
  user_class: user_object_class
  user_name_attr: user_login_attribute
  user_first_name_attr: user_first_name_attribute
  user_last_name_attr: user_last_name_attribute
  user_display_name_attr: user_display_name_attribute
  user_email_attr: user_email_attribute
  user_phone_attr: user_phone_attribute
  user_job_title_attr: user_job_title_attribute
  user_id_attr: user_ID_attribute
  group_class: group_object_class
  group_name_attr: group_name_attribute
  group_filter: custom_group_filter
  group_list_size_limit: maximum_number_of_groups_in_single_request
  group_members_attr: group_member_attribute
  group_membership_filter: custom_group_membership_filter
  user_membership_attr: user_group_membership_attribute
  user_sync_interval: manager_and_directory_service_synchronization_time
  ssl_cert_skip_verify: skip_server_certificate_verification
  ssl_root_ca: root_CA_certificate_file

type (enum, not empty) #

The type of the directory service.

Possible values:

  • openldap: OpenLDAP.

  • ms_active_directory: Microsoft Active Directory.

url (string, not empty) #

The network address of the directory service.

bind_username (string, not empty) #

The user name that is used by PPEM to connect to the directory service.

The value format depends on the directory service:

  • For OpenLDAP, a complete distinguished name (DN) is usually specified. For example, cn=admin,ou=users,dc=example,dc=com.

  • For Microsoft Active Directory, a value in the username@domain format is usually specified. For example, admin@example.com.

bind_password (string, not empty) #

The password that is used by PPEM to connect to the directory service.

base_dn (string, not empty) #

The base distinguished name of the directory service.

prefix_user_dn (string, optional) #

The distinguished name prefix for users.

If this parameter is specified, users are searched using the base_user_dn=prefix_user_dn,base_dn distinguished name.

Default value: "" (empty string) — search for users in the entire directory.

prefix_group_dn (string, optional) #

The distinguished name prefix for user groups.

If this parameter is specified, groups are searched using the base_group_dn=prefix_group_dn,base_dn distinguished name.

Default value: "" (empty string) — search for groups in the entire directory.

user_class (string, not empty) #

The name of the user object class.

Required for OpenLDAP, optional for Microsoft Active Directory.

Default value for Microsoft Active Directory: "" (empty string).

user_name_attr (string) #

The name of the user login attribute.

Default values:

  • For OpenLDAP: cn.

  • For Microsoft Active Directory: sAMAccountName.

user_first_name_attr (string, optional) #

The name of the user first name attribute.

Default value: givenName.

user_last_name_attr (string, optional) #

The name of the user last name attribute.

Default value: sn.

user_display_name_attr (string, optional) #

The name of the user display name attribute.

Default value: displayName.

user_email_attr (string, optional) #

The name of the user email address attribute.

Default value: mail.

user_phone_attr (string, optional) #

The name of the user phone number attribute.

Default value: telephoneNumber.

user_job_title_attr (string, optional) #

The name of the user job title attribute.

Default value: title.

user_id_attr (string, optional) #

The name of the attribute that is used as a unique user ID.

Default value for Microsoft Active Directory: sAMAccountName.

group_class (string, not empty) #

The name of the group object class.

Default value for Microsoft Active Directory: group.

group_name_attr (string) #

The name of the group name attribute.

Default value: cn.

group_filter (string, optional) #

The filter for searching user groups.

Example:

(&(objectClass=group)(cn=*PPEM*))

Default value: "" (empty string).

group_list_size_limit (integer, optional) #

The maximum number of user groups that can be received from the directory service in a single query.

Default value: 0 — the number is determined by the directory service.

group_members_attr (string, optional) #

Important

Specify this parameter only if the corresponding attribute exists in the directory service.

The name of the group member list attribute.

This parameter is mutually exclusive with the user_membership_attr parameter.

Default value: "" (empty string).

group_membership_filter (string, optional) #

The filter to search for the groups the specified user is a member of.

Wrap the distinguished name of the user in percent signs to use it in the filter.

Overrides the group_members_attr parameter.

Example:

(&(objectClass=group)(uniqueMember=%target_user_DN%))

Default value: "" (empty string).
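The prefix_user_dn and prefix_group_dn parameters above compose a search base from a prefix and base_dn, and group_membership_filter substitutes the user's distinguished name into a filter template at the %...% placeholder. The following Python is an added example, not PPEM's own code, of both steps; the RFC 4515 escaping of the substituted DN is a defensive addition of this example (a DN containing `*`, `(`, `)` or `\` would otherwise change the meaning of the filter), and the page makes no statement about how PPEM itself performs the substitution.

```python
import re


def search_base(prefix_dn: str, base_dn: str) -> str:
    """Search base as the page describes: prefix,base_dn, or the whole directory if no prefix."""
    return f"{prefix_dn},{base_dn}" if prefix_dn else base_dn


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in an LDAP search filter."""
    special = "*()\\\x00"
    return "".join(f"\\{ord(ch):02x}" if ch in special else ch for ch in value)


def render_membership_filter(template: str, user_dn: str) -> str:
    """Replace every %placeholder% in the template with the escaped user DN."""
    return re.sub(r"%[^%]+%", lambda _m: escape_filter_value(user_dn), template)


if __name__ == "__main__":
    # Constructed values mirroring the page's examples.
    base = "dc=example,dc=com"
    print(search_base("ou=groups", base))
    print(search_base("", base))
    template = "(&(objectClass=group)(uniqueMember=%target_user_DN%))"
    print(render_membership_filter(template, "cn=alice,ou=users,dc=example,dc=com"))
    print(render_membership_filter(template, "cn=a*b,ou=users,dc=example,dc=com"))
```

The second rendered filter shows the escaping at work: the asterisk in the DN becomes `\2a`, so the filter still matches one exact member value instead of turning into a wildcard.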

user_membership_attr (string, optional) #

Important

Specify this parameter only if the corresponding attribute exists in the directory service.

The name of the attribute that lists the distinguished names of all the groups the user belongs to.

This parameter is mutually exclusive with the group_members_attr parameter.

Default values:

  • For OpenLDAP: "" (empty string).

  • For Microsoft Active Directory: memberOf.

user_sync_interval (time string, optional) #

The interval in which PPEM synchronizes with the directory service.

Default value: 5m.

ssl_cert_skip_verify (boolean, optional) #

Important

Using this parameter poses a security risk.

It is recommended to use it exclusively for testing and debugging purposes, but not in the production environment.

Specifies whether the verification of a server TLS certificate is disabled.

Default value: false — the certificate is verified.

ssl_root_ca (string, optional) #

The absolute path to the root CA certificate used to verify a server certificate.

Default value: "" (empty string) — the certificates from the operating system store are used.

Package Manager Parameters #

The package_managers section allows configuring the parameters related to the package manager of the operating system of DBMS servers.

This allows keeping package repositories and packages up to date.

package_managers:
  scheduler:
    interval: synchronization_time_interval
    initial_delay: initial_delay_before_starting_scheduler
  commands:
    timeout: timeout_of_package_manager_related_commands
scheduler (object) #

The PPEM scheduler parameters.

interval (time string) #

The time interval at which repositories are synchronized.

Default value: 10m.

initial_delay (time string) #

The initial delay before starting the scheduler.

Default value: 1m.

commands.timeout (time string) #

The timeout of package manager-related commands that are executed on a DBMS server by the agent.

Default value: 1h.

Metrics Collector Parameters #

The metrics section allows configuring the metric collector parameters.

For more information about the metric collection process, and monitoring architecture, refer to Section 3.4.

metrics:
  enabled: true_or_false
  timeout: metrics_request_timeout
enabled (boolean) #

Specifies whether the metrics collection is enabled.

Default value: true — metrics are collected.

timeout (time string) #

The metrics request timeout.

Default value: the same value as the HTTP client timeout.

Alert and Notification Parameters #

The alerts section allows configuring alert and notification parameters.

For more information about alerts, refer to Chapter 48.

alerts:
  metrics:
    request_chunk_size: number_of_instance_IDs
  logs:
    request_chunk_size: number_of_instance_IDs
  cleanup_grace_period: alert_cleanup_interval_if_no_data_is_received
  scheduler:
    interval: interval_for_checking_new_alerts
    initial_delay: delay_for_starting_alert_scheduler
    timeout: timeout_for_updating_alert_trigger_rules
  delayed_data:
    is_enabled: true_or_false
    data_delay: default_data_arrival_delay_for_all_sources
    datasource_delays:
      metrics: delay_for_metrics_arrival
      logs: delay_for_log_arrival
    max_delay: maximum_allowed_data_arrival_delay
    is_adaptive_delay: true_or_false
  notifier:
    num_workers: number_of_concurrent_workers
    worker_batch_size: number_of_alerts_in_one_batch
    worker_interval: interval_for_checking_new_alerts
    backoff_base: exponential_backoff_calculation_duration
    max_retries: maximum_number_of_alert_attempts
    notification_timeout: alert_timeout
    janitor_interval: janitor_worker_polling_interval
    stale_processing_timeout: stale_alert_processing_timeout
  email:
    is_enabled: true_or_false
    pool_size: maximum_number_of_concurrent_connections
    smtp:
      host: SMTP_server_hostname_or_IP
      port: SMTP_server_port
      username: username_for_SMTP_server_authentication
      password: password_for_SMTP_server_authentication
      from: alert_sender_email
      timeout: SMTP_server_connection_timeout
      use_starttls: true_or_false
      use_ssl: true_or_false
      tls:
        insecure_skip_verify: true_or_false
        root_ca_path: root_CA_certificate_file
metrics.request_chunk_size (integer) #

The maximum number of instance IDs contained within a single request when processing metrics.

Default value: 100.

logs.request_chunk_size (integer) #

The maximum number of instance IDs contained within a single request when processing logs.

Default value: 100.

cleanup_grace_period (time string) #

The interval after which alerts are cleaned up if no data is received.

Default value: 6h.

scheduler (object) #

The parameters of the scheduler that updates alerts in the manager memory.

interval (time string) #

The interval for the scheduler to check for new alerts to process.

Default value: 50s.

initial_delay (time string) #

The delay before starting the scheduler for the first time after the start of PPEM.

Default value: 10s.

timeout (time string) #

The scheduler timeout for updating alert trigger rules.

Default value: 10m.

delayed_data (object) #

The parameters for managing delayed metrics and logs with unknown delay time.

is_enabled (boolean) #

Specifies whether the checking of delayed metrics and logs is enabled.

Default value: false — PPEM does not check delayed metrics and logs.

data_delay (time string) #

The default data delay for all data sources when specific delays are not configured.

Default value: 180s.

datasource_delays (object) #

The data delay for specific data sources. This parameter allows specifying different delays for metrics and logs as they may arrive at different rates.

metrics (time string, not empty) #

The delay for the metrics arrival. Metrics typically have more consistent collection intervals but may be delayed due to network or processing issues.

logs (time string, not empty) #

The delay for the logs arrival. Logs may arrive more frequently but with higher variability in timing due to log rotation and processing.

max_delay (time string) #

The maximum allowed delay, which prevents processing data that is too old. Data older than this value is ignored to prevent false alerts from stale data.

Default value: 600s (10 minutes).

is_adaptive_delay (boolean) #

Specifies whether the adaptive delay learning based on observed data arrival patterns is enabled.

When enabled, PPEM learns the actual delays from data timestamps and adjusts the lookback window dynamically.

Default value: true — the learning is enabled.

notifier (object) #

The parameters of the notifier that sends alerts.

num_workers (integer) #

The number of concurrent workers that will send alerts.

Default value: 5.

worker_batch_size (integer) #

The number of alerts processed by workers in one batch.

Default value: 20.

worker_interval (time string) #

The polling interval for workers to check for new alerts in the repository database.

Default value: 30s.

backoff_base (time string) #

The base duration for the exponential backoff calculation when resending a failed alert.

The delay before resending the alert is calculated as:

backoff_base × 2^number_of_retry_attempts

For example, with the default backoff_base of 10s each retry waits twice as long as the previous one.

Default value: 10s.

max_retries (integer) #

The maximum number of attempts to resend a failed alert.

Default value: 3.

notification_timeout (time string) #

The maximum amount of time for the notifier to wait for an alert to be sent before considering it failed.

Default value: 20s.

janitor_interval (time string) #

The polling interval for the janitor worker that cleans alerts stuck in the processing state.

Default value: 1m.

stale_processing_timeout (time string) #

The amount of time after which alerts stuck in the processing state are considered stale and must be reset by the janitor worker.

Default value: 10m.
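As an added worked example (not PPEM's own code), the following Python script turns the notifier defaults into a concrete retry timeline and checks them against the janitor settings. It assumes the time strings follow Go's duration syntax (10s, 1m, 1h30m), which the page's values are consistent with; whether the first resend uses exponent 0 or 1, and whether an alert stays in the processing state between retries, are not stated on the page and are explicit assumptions in the code.

```python
"""Retry timing for the alerts.notifier parameters (added example, not PPEM code).
Time strings are parsed as Go-style durations (10s, 1m, 1h30m), an assumption the
page's values are consistent with. backoff_delays() applies the page's formula
backoff_base * 2^n; worst_case_seconds() adds up how long one alert that fails
every attempt can occupy the notifier, and janitor_can_interrupt() compares that
with stale_processing_timeout under an explicitly stated assumption."""
import re

_UNIT_SECONDS = {"h": 3600.0, "m": 60.0, "s": 1.0, "ms": 0.001}
_TOKEN = re.compile(r"(\d+(?:\.\d+)?)(ms|h|m|s)")

# Defaults listed on the page for the alerts.notifier section.
DEFAULT_NOTIFIER = {
    "num_workers": 5, "worker_batch_size": 20, "worker_interval": "30s",
    "backoff_base": "10s", "max_retries": 3, "notification_timeout": "20s",
    "janitor_interval": "1m", "stale_processing_timeout": "10m",
}


def parse_duration(text):
    """'10s', '5m', '168h', '1h30m', '500ms' -> seconds. Raises ValueError on anything else."""
    text = str(text).strip()
    if not text:
        raise ValueError("empty duration")
    pos, total = 0, 0.0
    while pos < len(text):
        match = _TOKEN.match(text, pos)
        if match is None:
            raise ValueError(f"unrecognised duration: {text!r}")
        total += float(match.group(1)) * _UNIT_SECONDS[match.group(2)]
        pos = match.end()
    return total


def backoff_delays(backoff_base, max_retries, first_exponent=0):
    """Seconds to wait before each resend: backoff_base * 2^n, n counted from first_exponent.
    The page does not say whether the first resend uses n = 0 or n = 1 (assumption: 0)."""
    base = parse_duration(backoff_base)
    return [base * 2 ** (first_exponent + i) for i in range(int(max_retries))]


def worst_case_seconds(notifier, first_exponent=0):
    """Longest time one alert can spend in delivery when every attempt times out:
    1 + max_retries attempts of notification_timeout each, plus all backoff delays."""
    attempts = 1 + int(notifier["max_retries"])
    timeout = parse_duration(notifier["notification_timeout"])
    delays = backoff_delays(notifier["backoff_base"], notifier["max_retries"], first_exponent)
    return attempts * timeout + sum(delays)


def janitor_can_interrupt(notifier, first_exponent=0):
    """True when the worst case reaches stale_processing_timeout, i.e. the janitor could reset
    an alert that is still inside its retry budget and cause a duplicate send. Assumption: the
    alert is 'in the processing state' for the whole retry sequence; the page does not say."""
    stale = parse_duration(notifier["stale_processing_timeout"])
    return worst_case_seconds(notifier, first_exponent) >= stale


if __name__ == "__main__":
    tuned = dict(DEFAULT_NOTIFIER, max_retries=6, stale_processing_timeout="5m")
    for name, cfg in (("defaults", DEFAULT_NOTIFIER), ("tuned", tuned)):
        print(f"{name}: delays={backoff_delays(cfg['backoff_base'], cfg['max_retries'])} "
              f"worst_case={worst_case_seconds(cfg):.0f}s "
              f"janitor_can_interrupt={janitor_can_interrupt(cfg)}")
```

With the defaults the worst case is 150s (four attempts of 20s plus 10s, 20s and 40s of backoff), well under the 10m stale_processing_timeout. Raising max_retries without raising stale_processing_timeout is the case the last function catches: at six retries and a 5m stale timeout the same alert may still be mid-retry when the janitor resets it.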

email (object) #

The parameters for sending alerts via email.

is_enabled (boolean) #

Specifies whether the email notification channel is enabled.

If the email notification channel is disabled, then alerts are written to logs instead of being sent via email.

Default value: false — email notification channel is disabled.

pool_size (integer) #

The maximum number of concurrent connections to SMTP servers.

Default value: 10.

smtp (object) #

The parameters of the SMTP server used for sending alerts.

host (string) #

The hostname or IP address of the SMTP server.

Default value: localhost.

port (port number) #

The port number of the SMTP server.

Default value: 25.

username (string) #

The username for authenticating with the SMTP server.

Default value: "" (empty string).

password (string) #

The password for authenticating with the SMTP server.

Default value: "" (empty string).

from (string) #

The email address of the alert sender.

Default value: admin@localdomain.local.

timeout (time string) #

The SMTP server connection timeout.

Default value: 10s.

use_starttls (boolean) #

Specifies whether the STARTTLS extension is enabled.

If enabled, the STARTTLS command is issued after the connection is established in plaintext, upgrading it to TLS. The server greeting and the STARTTLS negotiation themselves are unencrypted, so prefer use_ssl where the server offers an implicit-TLS port.

Default value: false — STARTTLS is disabled.

use_ssl (boolean) #

Specifies whether TLS is enabled.

If enabled, the connection is encrypted with TLS from the first byte (implicit TLS, conventionally on port 465 rather than 25). If both use_starttls and use_ssl are false, the whole SMTP session, including the username and password, is sent in plaintext.

Default value: false — TLS is disabled.

tls (object) #

The TLS protocol parameters.

insecure_skip_verify (boolean) #

Important

Using this parameter poses a security risk.

Use it only for testing and debugging, never in production: with verification disabled, anyone who can intercept the connection can impersonate the SMTP server and capture the credentials and the alert contents.

Specifies whether the verification of a server TLS certificate is disabled.

Default value: false — the certificate is verified.

root_ca_path (string) #

The absolute path to the root CA certificate used to verify a server certificate.

Default value: "" (empty string) — the certificates from the operating system store are used.

Executor Parameters #

The executor section allows configuring the task executor parameters.

For more information about tasks, refer to Chapter 61.

executor:
  get_tasks_frequency: task_gathering_frequency
  get_tasks_timeout: task_gathering_timeout
  get_tasks_batch_size: task_gathering_batch_size
  processing_at_update_frequency: updating_processing_at_frequency
  stop_running_tasks_frequency: task_stopping_frequency
get_tasks_frequency (time string, not empty) #

The frequency at which scheduled tasks are gathered by the executor to be executed.

get_tasks_timeout (time string, not empty) #

The timeout of gathering scheduled tasks.

get_tasks_batch_size (integer, not empty) #

The number of tasks that can be gathered by the executor in a single request.

processing_at_update_frequency (time string, not empty) #

The frequency at which the processing_at parameter is updated for the active tasks.

stop_running_tasks_frequency (time string, not empty) #

The frequency at which the tasks are stopped.

OpenTelemetry (OTLP) Parameters #

The otlp section allows configuring parameters of the PPEM integration with the OpenTelemetry-compatible tracing tools.

otlp:
  traces:
    sampler_ratio: trace_sampling_ratio
    exporter:
      protocol: protocol_for_exporting_traces
      endpoint_url: collector_endpoint_URL_for_exporting_traces
      tls:
        insecure_skip_verify: skip_collector_certificate_verification
traces (object) #

The tracing parameters.

sampler_ratio (float, optional) #

The fraction of traces that are sampled.

Depending on the parameter value, traces are sampled as follows:

  • 0.0 < sampler_ratio < 1.0: The specified fraction of traces is sampled.

    For example, the 0.7 value means that 70% of traces are sampled.

  • sampler_ratio ≥ 1.0: All traces are sampled.

    Example value: 1.8.

  • sampler_ratio ≤ 0.0: No traces are sampled.

    Example value: -3.3.

Default value: 1.0 — all traces are sampled.
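As an added example that is not PPEM code, this Python snippet shows how a ratio in the ranges listed above is normally turned into a per-trace keep-or-drop decision. It models the trace-ID based rule of the OpenTelemetry SDK ratio samplers, where the decision is a pure function of the trace ID so that every service handling the same trace makes the same choice; which sampler PPEM uses internally is not stated on the page and is an assumption here.

```python
"""Trace-ID ratio sampling for otlp.traces.sampler_ratio (added example, not PPEM code).
The page defines the value as the share of traces kept, with anything >= 1.0 keeping
all traces and anything <= 0.0 keeping none. The keep/drop rule below is modelled on
the OpenTelemetry SDK TraceIDRatioBased samplers (assumed, not confirmed for PPEM)."""
import random

TRACE_ID_BITS = 128
_LOW64 = (1 << 64) - 1


def effective_ratio(ratio):
    """Clamp the configured value to [0.0, 1.0] as the page describes (1.8 -> 1.0, -3.3 -> 0.0)."""
    return min(1.0, max(0.0, float(ratio)))


def should_sample(ratio, trace_id):
    """Keep the trace if the low 64 bits of its ID, shifted into 63 bits, fall below ratio * 2^63.
    Using the ID rather than a random draw makes the decision identical on every hop of the trace."""
    bound = int(effective_ratio(ratio) * (1 << 63))
    x = (trace_id & _LOW64) >> 1
    return x < bound


def sampled_fraction(ratio, n=20000, seed=7):
    """Estimate the share of n random 128-bit trace IDs that would be kept (constructed input)."""
    rng = random.Random(seed)
    kept = sum(should_sample(ratio, rng.getrandbits(TRACE_ID_BITS)) for _ in range(n))
    return kept / n


if __name__ == "__main__":
    for ratio in (-3.3, 0.0, 0.1, 0.7, 1.0, 1.8):
        print(f"sampler_ratio={ratio:>5}: kept {sampled_fraction(ratio):.1%} of sample traces")
```

Because the comparison uses the trace ID, a sampler_ratio of 0.7 does not keep a random 70% of spans; it keeps all spans of roughly 70% of traces, which is what makes the exported traces complete rather than fragmentary.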

exporter (object) #

The exporter parameters.

protocol (enum, optional) #

The OpenTelemetry protocol to use for exporting traces.

Possible values:

Default value: "" (empty string) — trace exporting is disabled.

endpoint_url (string, not empty) #

The endpoint URL of the collector to be used by the exporter for sending traces.

The URL can contain a port number and path, but not a full or partial query string.

Examples:

  • For OTLP over HTTP: http://localhost:4318/v1/traces.

  • For OTLP over gRPC: http://localhost:4317.

tls.insecure_skip_verify (boolean, optional) #

Important

Using this parameter poses a security risk.

Use it only for testing and debugging, never in production: with verification disabled, anyone who can intercept the connection can impersonate the collector and read the exported traces.

Specifies whether the verification of a server TLS certificate is disabled.

Default value: false — the certificate is verified.

Audit Event Log Parameters #

The audit section allows configuring the audit event log parameters.

audit:
  enabled: true_or_false
  syslog:
    protocol: one_of_supported_transport_protocols
    address: address_of_Syslog_server
    port: port_of_Syslog_server
    facility: facility_of_Syslog_messages
    tag: tag_of_Syslog_messages
  log:
    path: path_to_log_file
    mode: access_mode_for_log_file
enabled (boolean) #

Specifies whether the audit event log is enabled.

If the log is enabled, PPEM adds the audit_events_housekeeping system housekeeping rule for the repository database.

By default, the auto-run schedule is not configured for this rule. Configure the schedule if necessary.

Default value: false — the log is disabled, PPEM does not log audit events.

syslog (object) #

The parameters for sending the audit event log to a syslog server.

If omitted and the audit.enabled parameter is set to true, audit events are logged but not sent to a syslog server.

protocol (enum) #

The transport protocol used for the delivery of syslog messages.

Possible values:

  • local or '' (empty string): The messages are transported within the originating server and not sent over a network.

  • tcp, tcp4, or tcp6: Use TCP as the transport.

    Specify tcp4 or tcp6 to explicitly use TCP over IPv4 or IPv6, respectively. Specify tcp to let PPEM choose the IP version.

  • udp, udp4, or udp6: Use UDP as the transport.

    Specify udp4 or udp6 to explicitly use UDP over IPv4 or IPv6, respectively. Specify udp to let PPEM choose the IP version.

  • ip, ip4, or ip6: Use IP as the transport.

    Specify ip4 or ip6 to explicitly use IPv4 or IPv6, respectively. Specify ip to let PPEM choose the IP version.

  • unix, unixgram, or unixpacket: Use a UNIX domain socket as the transport.

    The values above are the types of UNIX domain sockets that use different semantics:

    • The socket of the unix type uses SOCK_STREAM semantics.

    • The socket of the unixgram type uses SOCK_DGRAM semantics.

    • The socket of the unixpacket type uses SOCK_SEQPACKET semantics.

address (string) #

The network address of the syslog server, if required by the selected transport protocol.

port (port number) #

The port of the syslog server, if required by the selected transport protocol.

facility (enum) #

The facility of syslog messages.

Possible values:

  • kern: Kernel messages.

  • user: User-level messages.

  • mail: Mail system.

  • daemon: System daemons.

  • auth: Security/authorization messages.

  • syslog: Messages generated internally by syslogd.

  • lpr: Line printer subsystem.

  • news: Network news subsystem.

  • uucp: UUCP subsystem.

  • cron: Clock daemon.

  • authpriv: Security/authorization messages.

  • ftp: FTP daemon.

  • local0 to local7: Local use 0–7.

Default value: kern. If the syslog server routes messages by facility, auth or authpriv, the conventional facilities for security events, will place the audit events alongside the other authentication logs rather than with kernel output.

tag (string) #

The tag of syslog messages.

Default value: "" (empty string) — the ppem value is used as the tag.

log (object) #

The parameters for writing the audit event log to a plain text file.

If omitted and the audit.enabled parameter is set to true, audit events are logged but not sent to a plain text file.

path (string) #

The path to the plain text log file.

If the file does not exist, it is created automatically.

Example: /tmp/auth.log.

For a production deployment choose a directory that only the manager service account and administrators can write to, such as a dedicated directory under /var/log; /tmp is world-writable, so another local user could replace or truncate the file there.

mode (string) #

The file mode of the log file specified using the path parameter.

The parameter format is 0xxx, the same as for the chmod command.

Example: 0644.

Note that 0644 makes the log readable by every local account; audit events typically include user names and the objects acted on, so a mode such as 0640 that limits reading to the owner and group is the safer choice.
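The script below is an added example rather than anything shipped with PPEM. It reviews a loaded ppem-manager.yml for the settings this page marks as a security risk (ssl_cert_skip_verify in the directory service section, tls.insecure_skip_verify for SMTP and for the OTLP exporter) together with the plaintext SMTP, plaintext OTLP export, disabled audit log and audit file location and mode cases discussed in the sections above. Two constructed sample configurations, one weak and one corrected, are embedded so it runs offline; in them the directory service section is keyed ldap and the OTLP protocol value is http, both assumptions labelled in the code, and the review itself does not depend on either. A real file would be loaded with yaml.safe_load from PyYAML before being passed to review().

```python
"""Security review of a ppem-manager.yml (added example, not PPEM code).
Flags the settings the docs mark as a security risk (ssl_cert_skip_verify and
tls.insecure_skip_verify), SMTP without use_ssl/use_starttls, plaintext OTLP export
to a remote collector, a disabled audit log, and an audit log file in /tmp or with a
permissive mode. The skip-verify scan is key-based, so it works for any section name."""
from urllib.parse import urlparse

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
SKIP_VERIFY_KEYS = {"ssl_cert_skip_verify", "insecure_skip_verify"}
ROOT_CA_KEYS = {"ssl_root_ca", "root_ca_path"}


def get(cfg, dotted, default=None):
    """Value at a dotted path such as 'alerts.email.smtp.use_ssl', or default."""
    node = cfg
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def walk(node, prefix=""):
    """Yield (dotted_path, parent_dict, key, value) for every entry in the tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            path = f"{prefix}.{key}" if prefix else key
            yield path, node, key, value
            yield from walk(value, path)


def parse_mode(mode):
    """chmod-style '0640' -> 0o640; a YAML 1.1 loader may already have produced the int 416."""
    if isinstance(mode, int):
        return mode
    try:
        return int(str(mode), 8)
    except ValueError:
        return None


def review(cfg):
    """Return (severity, dotted_path, message) findings; an empty list means nothing flagged."""
    f = []
    for path, parent, key, value in walk(cfg):
        if key in SKIP_VERIFY_KEYS and value is True:
            f.append(("HIGH", path, "certificate verification is off: the server can be impersonated"))
            if any(parent.get(ca) for ca in ROOT_CA_KEYS):
                f.append(("LOW", path, "a root CA is configured beside this flag but is ignored"))
    email, smtp = get(cfg, "alerts.email") or {}, get(cfg, "alerts.email.smtp") or {}
    if email.get("is_enabled") is True:
        host = str(smtp.get("host", "localhost"))
        if host not in LOOPBACK and not (smtp.get("use_ssl") or smtp.get("use_starttls")):
            f.append(("HIGH", "alerts.email.smtp", f"SMTP to {host} without use_ssl or use_starttls: "
                      "credentials and alert text are sent in cleartext"))
    url = get(cfg, "otlp.traces.exporter.endpoint_url")
    if get(cfg, "otlp.traces.exporter.protocol") and url:
        parsed = urlparse(str(url))
        if parsed.scheme == "http" and parsed.hostname not in LOOPBACK:
            f.append(("MEDIUM", "otlp.traces.exporter.endpoint_url", "plaintext HTTP to a remote collector"))
    audit = get(cfg, "audit") or {}
    if audit.get("enabled") is not True:
        f.append(("MEDIUM", "audit.enabled", "audit event log is disabled; no audit trail"))
    else:
        log = audit.get("log") or {}
        if str(log.get("path", "")).startswith("/tmp/"):
            f.append(("MEDIUM", "audit.log.path", "audit log is in /tmp, a world-writable directory"))
        mode = parse_mode(log["mode"]) if "mode" in log else None
        if mode is not None and mode & 0o002:
            f.append(("HIGH", "audit.log.mode", f"{log['mode']}: audit log is world-writable"))
        elif mode is not None and mode & 0o004:
            f.append(("MEDIUM", "audit.log.mode", f"{log['mode']}: audit log is world-readable"))
        if str((audit.get("syslog") or {}).get("protocol", "")).startswith("udp"):
            f.append(("LOW", "audit.syslog.protocol", "UDP syslog is unauthenticated and lossy; prefer tcp"))
    return f


# Constructed samples. 'ldap' as the directory service section name and 'http' as the OTLP
# protocol value are assumptions; the review does not depend on either.
WEAK_CONFIG = {
    "ldap": {"ssl_cert_skip_verify": True, "ssl_root_ca": "/etc/ssl/certs/corp-root.pem"},
    "alerts": {"email": {"is_enabled": True, "smtp": {
        "host": "mail.example.internal", "port": 25, "username": "ppem", "password": "s3cret",
        "use_starttls": False, "use_ssl": False,
        "tls": {"insecure_skip_verify": True, "root_ca_path": ""}}}},
    "otlp": {"traces": {"exporter": {"protocol": "http",
        "endpoint_url": "http://otel.example.internal:4318/v1/traces"}}},
    "audit": {"enabled": True, "syslog": {"protocol": "udp", "address": "10.0.0.5", "port": 514},
              "log": {"path": "/tmp/auth.log", "mode": "0644"}},
}
HARDENED_CONFIG = {
    "ldap": {"ssl_cert_skip_verify": False, "ssl_root_ca": "/etc/ssl/certs/corp-root.pem"},
    "alerts": {"email": {"is_enabled": True, "smtp": {
        "host": "mail.example.internal", "port": 465, "username": "ppem", "password": "s3cret",
        "use_starttls": False, "use_ssl": True,
        "tls": {"insecure_skip_verify": False, "root_ca_path": "/etc/ssl/certs/corp-root.pem"}}}},
    "otlp": {"traces": {"exporter": {"protocol": "http",
        "endpoint_url": "https://otel.example.internal:4318/v1/traces"}}},
    "audit": {"enabled": True, "syslog": {"protocol": "tcp", "address": "10.0.0.5", "port": 514},
              "log": {"path": "/var/log/ppem/audit.log", "mode": "0640"}},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(review(cfg))} finding(s)")
        for severity, path, message in review(cfg):
            print(f"  [{severity}] {path}: {message}")
```

The weak sample reproduces the page's own illustrative values (0644 and /tmp/auth.log) and produces eight findings; the hardened sample produces none. Because the skip-verify scan matches on key names, the same review keeps working for a section whose name differs from the assumed ldap.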

Agent Connection Parameters #

The agents_connection section allows configuring the agent connection parameters.

agents_connection:
  read_timeout: timeout_for_receiving_data
  write_timeout: timeout_for_sending_data
  max_connections_per_second: connection_rate_limit
  log_pings: true_or_false
read_timeout (time string) #

The timeout for receiving data from agents.

Default value: 30s.

write_timeout (time string) #

The timeout for sending data to agents.

Default value: 2s.

max_connections_per_second (integer) #

The connection rate limit.

If the number of connections to agents per second exceeds this value, then any new connections are rejected with the 429 Too Many Requests HTTP status code.

Default value: 100.

log_pings (boolean, optional) #

Specifies whether debug logging of the manager-agent healthcheck pings is enabled.

Default value: false — ping logging is disabled.

Miscellaneous Time Interval and Timeout Parameters #

This section allows configuring miscellaneous time interval and timeout parameters.

collectors:
  agent_time_desync_allowance: maximum_allowed_time_skew

replication:
  worker:
    interval: interval_between_cluster_recalculation_cycles

operations:
  watcher_timeout: operation_state_checking_timeout

notifications:
  cleanup_age: retention_period_for_storing_read_notifications

commands:
  cleanup_age: retention_period_for_storing_completed_command_history
collectors.agent_time_desync_allowance (time string, optional) #

The maximum allowed time skew between the manager and agents.

If this limit is exceeded, a warning message is written to the PPEM logs.

Default value: 1m.

replication.worker.interval (time string, optional) #

The interval between the cluster recalculation cycles.

Default value: 5s.

operations.watcher_timeout (time string) #

The operation state checking timeout.

notifications.cleanup_age (time string, optional) #

The retention period for storing the read notifications.

After this period, the read notifications disappear from the notification area in the web application.

Default value: 168h (7 days).

commands.cleanup_age (time string, optional) #

The retention period for storing the completed command history.

After this period, the completed commands disappear from the notification area in the web application.

Default value: 720h (30 days).