Configuration

Bearer agent configuration options

Configuring the Agent

The Bearer Agent offers three configuration methods. The preferred method is directly in your code, however you can also use environment variables or a configuration file.

Directly in your code

Node.js
Ruby
Node.js

The Bearer Agent allows you to update the configuration in your code using the following syntax after installing and requiring the @bearer/node-agent package:

Bearer.init({
"logLevel": "RESTRICTED",
"disabled": false,
"secretKey": "your secret key",
"ignored": ["domain.com", "example.com"],
"filtered": "header-to-filter",
"stripSensitiveData": true,
"stripSensitiveKeys": ["^authorization$"],
"stripSensitiveRegex: "we have to keep it secret$"
})
Ruby

The Bearer Agent allows you to update the configuration in your code using the following syntax:

Bearer.init_config do |config|
config.secret_key = "YOUR_BEARER_SECRET_KEY" # Required, string: Your Bearer private key
config.disabled = false # Optional, boolean: enable/disable Bearer tracking globally
config.ignored = [] # Optional, string[]: ignore requests to specific domains
config.log_level = :ALL # Optional, "ALL" | "RESTRICTED": defaults to "ALL" set the level of information you want the agent to gather
config.strip_sensitive_data = true # Optional, boolean: Remove sensitive data before sending it to bearer.sh
config.strip_sensitive_keys = [/^authorization$/i, /^client.id$/i, /^access.token$/i, /^client.secret$/i] # Optional, Regexp[]: list of keys to strip.
config.strip_sensitive_regex = %r{[a-zA-Z0-9.!#$%&’*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*} # Optional, Regexp: Regular expression used for value stripping.
end

Using environment variables

All agents, regardless programming language, can be configured with the following environment variables:

Environment variable name

Role

BEARER_SECRET_KEY

Your Bearer Secret Key (required)

BEARER_AGENT_DISABLED

When set, the Bearer agent is disabled (whatever the value is)

BEARER_AGENT_IGNORE

Comma separated list of domains you do not want to be monitored by the agent

BEARER_AGENT_LOG_LEVEL

Set the level of information you want the agent to gather. Valid values are ALL (to send full request and response) or RESTRICTED (to send only the path and query string).

BEARER_AGENT_STRIP_SENSITIVE_DATA

Remove sensitive data before sending it to bearer.sh (defaults to true)

BEARER_AGENT_STRIP_SENSITIVE_KEYS

Comma separated list of keys to strip (default /^authorization$/i, /^client.id$/i, /^access.token$/i, /^client.secret$/i)

BEARER_AGENT_STRIP_SENSITIVE_REGEX

Regular expression used for value stripping (default email pattern)

Using configuration files

Node.js
Ruby
Node.js

You can update your node-agent configuration by creating bearer.json configuration file at the same level as the package.json file.

If you want to save the configuration file in another directory, you must tell Bearer agent where to find it. You can do this by using the BEARER_AGENT_CONFIG_FILE environment variable, like this:

BEARER_AGENT_CONFIG_FILE=/absolute/path/to/bearer.json node index.js

Below you can find configuration options that we currently support:

{
"logLevel": "RESTRICTED",
"disabled": false,
"secretKey": "your secret key",
"ignored": ["domain.com", "example.com"],
"stripSensitiveData": true,
"stripSensitiveKeys": ["^authorization$"],
"stripSensitiveRegex: "we have to keep it secret$"
}
Ruby

You can update your node-agent configuration by creating earer.yml configuration file in root source of your project or in ./config directory. If you have a project running in /usr/projects/my_integrations_project bearer will try to find bearer.yml file using the following paths:

  • /usr/projects/my_integrations_project/bearer.yml

  • /usr/projects/my_integrations_project/config/bearer.yml

If you want to save the configuration file in another directory, you must tell Bearer agent where to find it. You can do this by using the BEARER_AGENT_CONFIG_FILE environment variable, like this:

BEARER_AGENT_CONFIG_FILE=/absolute/path/to/bearer.yml ruby index.rb

Below you can find configuration options we currently support:

---
secret_key: secret <!-- Required, string: Your Bearer private key -->
disabled: false <!-- Optional, boolean: enable/disable Bearer tracking globally -->
ignored: [] <!-- Optional, string[]: ignore requests to specific domains -->
log_level: ALL <!-- Optional, "ALL" | "RESTRICTED": defaults to "ALL" set the level of information you want the agent to gather -->
strip_sensitive_data: true <!-- Optional, boolean: Remove sensitive data before sending it to bearer.sh -->
strip_sensitive_keys: [/^authorization$/i, /^client.id$/i, /^access.token$/i, /^client.secret$/i] <!-- Optional, Regexp[]: list of keys to strip. -->
strip_sensitive_regex: %r{[a-zA-Z0-9.!#$%&’*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*} <!-- Optional, Regexp: Regular expression used for value stripping. -->

Communication with Bearer

The Bearer agent communicates with Bearer servers through HTTPS. Thus, the agent requires your firewall to allow outgoing connections to agent.bearer.sh with port 443 (HTTPS).

Logs are sent in batch, using asynchronous requests.

By default, the agent sends to Bearer the full payload of each HTTP request (including both the request and the response). By default and for your own security, the Authorization header is filtered and will not be shared with Bearer. But the agent proposes more options to reduce the amount of sensitive information sent to Bearer, including:

  • BEARER_AGENT_IGNORE to ignore some domains (e.g. ["example.com", "secure.app"]);

  • BEARER_AGENT_LOG_LEVEL to only log the path and query string of the requests.

What if Bearer is experiencing a downtime? The Bearer agent has been built with resiliency in mind. If, for any reason, Bearer servers are experiencing unexpected latency, this will not affect your application.

On the Bearer platform, logs are ingested batch by batch. On average, it takes up to 10 seconds for a log to be processed and displayed on your Bearer dashboard.