Skip to main content
Version: VAST v3.1


Threat Bus uses a configuration file that contains both global and plugin-specific settings. This section discusses the general layout of the file and options you can configure.

Config File

Threat Bus' configuration file is formatted in YAML and consists of two sections, logging and plugins. The following example explains the general structure.

console: true
console_verbosity: DEBUG
file: false
file_verbosity: DEBUG
filename: threatbus.log

host: ""
port: 47761
module_namespace: Tenzir

For a comprehensive list of available options, see the config.yaml.example file that is shipped together with Threat Bus.

Logging Configuration

Logging is configured globally. The main application forwards the logging settings to all installed plugins. Threat Bus supports colored console logs and file logging. File and console logging are independent.

Plugin Configuration

The plugins section contains all plugin specific configuration settings. The section differentiates backbones and apps, depending on the plugin type.

Plugin configuration is managed via the plugin name. For example, the plugin threatbus-zeek has the name zeek and is an app plugin. Thus it is configured in a section called zeek, below the apps section in the config.

The options that can be configured per plugin are defined by the plugin itself. Check the plugin documentation for details on the individual plugins.

Disabling of Installed Plugins

Threat Bus automatically becomes aware of all plugins that are installed on the same host system or virtual environment. However, plugins must have a non-empty section in the config.yaml to get loaded. You can "disable" any installed plugin simply by not putting it into the config file.