# Configuring Native Node with the All-in-One Installer or Docker Image When deploying the self-hosted [Wallarm Native Node](https://docs.wallarm.com/5.x/installation/nginx-native-node-internals.md#native-node) using the all-in-one installer or the Docker image, you create the `.yaml` configuration file. In this file, you can specify node configiration, all the parameters for that are described in this document. To modify the settings after the node is running using the all-in-one installer: 1. Update the `/opt/wallarm/etc/wallarm/go-node.yaml` file. The initial configuration file is copied to this path during installation. 1. Restart the Wallarm service to apply changes: ``` sudo systemctl restart wallarm ``` If the node is deployed using a Docker image, it is recommended to update the configuration file on the host machine and restart the Docker container with the updated file. ## mode (required) The Wallarm node operation mode. It can be: * `connector-server` for [MuleSoft Mule Gateway](https://docs.wallarm.com/5.x/installation/connectors/mulesoft.md), [Cloudflare](https://docs.wallarm.com/5.x/installation/connectors/cloudflare.md), [Amazon CloudFront](https://docs.wallarm.com/5.x/installation/connectors/aws-lambda.md), [Broadcom Layer7 API Gateway](https://docs.wallarm.com/5.x/installation/connectors/layer7-api-gateway.md), [Fastly](https://docs.wallarm.com/5.x/installation/connectors/fastly.md), [IBM DataPower](https://docs.wallarm.com/5.x/installation/connectors/ibm-api-connect.md) connectors. * `tcp-capture` for [TCP traffic mirror analysis](https://docs.wallarm.com/5.x/installation/oob/tcp-traffic-mirror/deployment.md). * `envoy-external-filter` for [gRPC-based external processing filter](https://docs.wallarm.com/5.x/installation/connectors/istio.md) for APIs managed by Istio. **connector-server:** If you installed the Native Node for a Wallarm connector, the basic configuration looks as follows: ```yaml version: 4 mode: connector-server connector: address: ":5050" tls_cert: path/to/tls-cert.crt tls_key: path/to/tls-key.key blocking: true allowed_networks: - 0.0.0.0/0 allowed_hosts: - w.com - "*.test.com" mesh: discovery: dns name: native-node-mesh-discovery port: 9093 url_normalize: true external_health_check: enabled: true endpoint: /wallarm-external-health # per_connection_limits: # max_requests: 300 # max_received_bytes: 640_000 # max_duration: 1m proxy_headers: # Rule 1: Internal company proxies - trusted_networks: - 10.0.0.0/8 - 192.168.0.0/16 original_host: - X-Forwarded-Host real_ip: - X-Forwarded-For # Rule 2: External edge proxies (e.g., CDN, reverse proxy) - trusted_networks: - 203.0.113.0/24 original_host: - X-Real-Host real_ip: - X-Real-IP route_config: wallarm_application: 10 wallarm_mode: monitoring routes: - route: /example/api/v1 wallarm_mode: off - route: /example/extra_api wallarm_application: 2 - route: /example/testing wallarm_mode: off log: pretty: true level: debug log_file: stderr access_log: enabled: true verbose: true log_file: stderr ``` **tcp-capture:** If you installed the Native Node for TCP traffic mirror analysis, the basic configuration looks as follows: ```yaml version: 4 mode: tcp-capture goreplay: filter: extra_args: - -input-raw-engine - vxlan path: /opt/wallarm/usr/bin/gor parse_responses: true response_timeout: 5s url_normalize: true proxy_headers: # Rule 1: Internal company proxies - trusted_networks: - 10.0.0.0/8 - 192.168.0.0/16 original_host: - X-Forwarded-Host real_ip: - X-Forwarded-For # Rule 2: External edge proxies (e.g., CDN, reverse proxy) - trusted_networks: - 203.0.113.0/24 original_host: - X-Real-Host real_ip: - X-Real-IP route_config: wallarm_application: 10 wallarm_mode: monitoring routes: - route: /example/api/v1 wallarm_mode: off - route: /example/extra_api wallarm_application: 2 - route: /example/testing wallarm_mode: off log: pretty: true level: debug log_file: stderr access_log: enabled: true verbose: true log_file: stderr ``` **envoy-external-filter:** If you installed the Native Node as an Envoy external filter, the basic configuration looks as follows: ```yaml version: 4 mode: envoy-external-filter envoy_external_filter: address: ":5050" tls_cert: path/to/tls-cert.crt tls_key: path/to/tls-key.key proxy_headers: # Rule 1: Internal company proxies - trusted_networks: - 10.0.0.0/8 - 192.168.0.0/16 original_host: - X-Forwarded-Host real_ip: - X-Forwarded-For # Rule 2: External edge proxies (e.g., CDN, reverse proxy) - trusted_networks: - 203.0.113.0/24 original_host: - X-Real-Host real_ip: - X-Real-IP route_config: wallarm_application: 10 wallarm_mode: monitoring routes: - route: /example/api/v1 wallarm_mode: off - route: /example/extra_api wallarm_application: 2 - route: /example/testing wallarm_mode: off log: pretty: true level: debug log_file: stderr access_log: enabled: true verbose: true log_file: stderr ``` ## Connector-specific settings ### connector.address (required) Specifies the listening IP address and port separated by a colon (`:`). Ensure the port is not `80`, `8080`, `9000`, or `3313`, as these are used by other Wallarm processes. **IP address:Port:** ```yaml version: 4 connector: address: '192.158.1.38:5050' ``` **Specific port on all IPs:** ```yaml version: 4 connector: address: ':5050' ``` ### connector.tls_cert (recommended) Path to the TLS/SSL certificate (usually a `.crt` or `.pem` file) issued for the domain where the node is running. The certificate must be provided by a trusted Certificate Authority (CA) to ensure secure communication. ### connector.tls_key (recommended) Path to the private key corresponding to the TLS/SSL certificate (typically a `.key` file). ### connector.blocking Typically, you do not need to modify this parameter. Specific blocking behavior for malicious requests is controlled by the [`wallarm_mode`](#route_configwallarm_mode) parameter. This parameter enables the Native Node's general capability to block incoming requests, whether they are malicious, from denylisted IPs, or any other conditions that require blocking. Defalt: `true`. ### connector.allowed_networks A list of IP networks allowed to connect. Default: `0.0.0.0/0` (all IP networks are allowed). ### connector.allowed_hosts A list of allowed hostnames. Default: all hosts are allowed. This parameter supports wildcard matching: * `*` matches any sequence of non-separator characters * `?` matches any single non-separator character * `'[' [ '^' ] { character-range } ']'` ??? info "Wildcard matching syntax details" ``` // The pattern syntax is: // // pattern: // { term } // term: // '*' matches any sequence of non-Separator characters // '?' matches any single non-Separator character // '[' [ '^' ] { character-range } ']' // character class (must be non-empty) // c matches character c (c != '*', '?', '\\', '[') // '\\' c matches character c // // character-range: // c matches character c (c != '\\', '-', ']') // '\\' c matches character c // lo '-' hi matches character c for lo <= c <= hi // // Match requires pattern to match all of name, not just a substring. ``` For example: ```yaml version: 4 connector: allowed_hosts: - w.com - "*.test.com" ``` ### connector.mesh The mesh feature is used in `connector-server` mode for Wallarm nodes to ensure consistent traffic processing when multiple node replicas are deployed. It routes requests and their corresponding responses to the same node, even if initially handled by different replicas. This is critical when horizontally scaling, such as with auto-scaling or multiple replicas in ECS. !!! info "Kubernetes environments" In Kubernetes, use the [Helm chart for native Wallarm node deployment](https://docs.wallarm.com/5.x/installation/native-node/helm-chart.md). Mesh is automatically configured when auto-scaling or multiple replicas are detected, with no extra setup needed. To configure the mesh in ECS: 1. Set up service discovery (e.g., [AWS Cloud Map](https://docs.aws.amazon.com/cloud-map/latest/dg/what-is-cloud-map.html), [Google Cloud DNS](https://cloud.google.com/dns/), or similar services) to allow nodes in the mesh to dynamically find and communicate with each other. Without service discovery, the mesh will not function properly, as nodes will be unable to locate each other, leading to traffic routing issues. 1. Configure the Wallarm node to use the mesh by specifying the `connector.mesh` parameters in the configuration file as shown below: ```yaml version: 4 connector: mesh: discovery: dns name: native-node-mesh-discovery port: 9093 ``` #### discovery Defines how nodes in the mesh discover each other. Currently, only the `dns` value is allowed. Nodes discover each other using DNS. The DNS record must resolve to the IP addresses of all nodes participating in the mesh. #### name The DNS domain name used by nodes to resolve the IP addresses of other nodes in the mesh. This is typically set to a value that resolves to all the node instances in the ECS service. #### port Specifies the internal port used for communication between nodes in the mesh. This port is not exposed externally and is reserved for node-to-node traffic within the ECS cluster. ### connector.url_normalize Enables URL normalization before selecting route configurations and analyzing data with libproton. Default: `true`. ### connector.external_health_check Configures an additional external health check endpoint allowing external systems to verify the availability of the Wallarm Node. The endpoint is served on the same port as Node (parameter `connector.address`) and responds with HTTP 200 OK if the Node is running. Supported in: * Native Node 0.13.3 and higher 0.13.x versions * Native Node 0.14.1 and higher ```yaml version: 4 connector: external_health_check: enabled: true endpoint: /wallarm-external-health ``` #### enabled Turns the external health check endpoint on or off. If `true`, the endpoint becomes accessible at the specified endpoint, on the same port as Node. Default: `false`. #### endpoint Defines the URL path at which the external health check endpoint will be available. Must begin with a `/`. ### connector.per_connection_limits Defines limits for `keep-alive` connections. Once any of the specified limits is reached, the Node sends the `Connection: Close` HTTP header to the client, prompting it to close the current TCP session and establish a new one for subsequent requests. This mechanism helps with Level 4 load balancing by preventing clients from staying connected to a single Node instance after upscaling. By default, no limits are applied, which is the recommended configuration for most use cases. Supported in Native Node 0.13.4 and later 0.13.x versions. ```yaml version: 4 connector: per_connection_limits: max_requests: 300 max_received_bytes: 640_000 max_duration: 1m ``` #### max_requests Maximum number of requests a single connection can handle before being closed. #### max_received_bytes Maximum number of bytes that can be received through a connection. #### max_duration Maximum lifetime of a connection (e.g., `1m` for 1 minute). ## TCP mirror-specific settings ### goreplay.filter Specifies a network interface to capture traffic from. If no value is specified, it captures traffic from all network interfaces on the instance. The value should be the network interface and port separated by a colon (`:`), e.g.: **Interface:Port:** ```yaml version: 4 goreplay: filter: 'eth0:80' ``` To capture traffic from multiple interfaces and ports, use `goreplay.filter` along with `goreplay.extra_args`, e.g.: ```yaml version: 4 goreplay: filter: 'eth0:80' extra_args: - "-input-raw" - "eth0:8080" - "-input-raw" - "eth0:8081" - "-input-raw" - "eth1:80" ``` The `filter` sets GoReplay with the `-input-raw` argument, and `extra_args` allows for specifying additional `-input-raw` inputs. **All ports on interface:** ```yaml version: 4 goreplay: filter: 'eth0:' ``` **Specific port on all interfaces:** ```yaml version: 4 goreplay: filter: ':80' ``` **All interfaces and ports:** ```yaml version: 4 goreplay: filter: ':' ``` To check network interfaces available on the host, run: ``` ip addr show ``` ### goreplay.extra_args This parameter allows you to specify [extra arguments](https://github.com/buger/goreplay/blob/master/docs/Request-filtering.md) to be passed to GoReplay. * Typically, you will use it to define the types of mirrored traffic requiring analysis, such as VLAN, VXLAN. For example: **VLAN-wrapped mirrored traffic:** ```yaml version: 4 goreplay: extra_args: - -input-raw-vlan - -input-raw-vlan-vid # VID of your VLAN, e.g.: # - 42 ``` **VXLAN-wrapped mirrored traffic (common in AWS):** ```yaml version: 4 goreplay: extra_args: - -input-raw-engine - vxlan # Custom VXLAN UDP port, e.g.: # - -input-raw-vxlan-port # - 4789 # Specific VNI (by default, all VNIs are captured), e.g.: # - -input-raw-vxlan-vni # - 1 ``` If the mirrored traffic is not wrapped in additional protocols like VLAN or VXLAN, you can omit the `extra_args` configuration. Unencapsulated traffic is parsed by default. * You can extend `filter` with `extra_args` to capture additional interfaces and ports: ```yaml version: 4 goreplay: filter: 'eth0:80' extra_args: - "-input-raw" - "eth0:8080" - "-input-raw" - "eth0:8081" - "-input-raw" - "eth1:80" ``` The `filter` sets GoReplay with the `-input-raw` argument, and `extra_args` allows for specifying additional `-input-raw` inputs. ### goreplay.path The path to the GoReplay binary file. Typically, you do not need to modify this parameter. Default: `/opt/wallarm/usr/bin/gor`. ### goreplay.parse_responses Controls whether to parse mirrored responses. This enables Wallarm features that rely on response data, such as [vulnerability detection](https://docs.wallarm.com/5.x/about-wallarm/detecting-vulnerabilities.md) and [API discovery](https://docs.wallarm.com/5.x/api-discovery/overview.md). By default, `true`. Ensure response mirroring is configured in your environment to the target instance with the Wallarm node. In Node version 0.10.1 and earlier, this parameter is set as `middleware.parse_responses`. ### goreplay.response_timeout Specifies the maximum time to wait for a response. If a response is not received within this time, the Wallarm processes stop waiting the corresponding response. Default: `5s`. In Node version 0.10.1 and earlier, this parameter is set as `middleware.response_timeout`. ### goreplay.url_normalize Enables URL normalization before selecting route configurations and analyzing data with libproton. Default: `true`. In Node version 0.10.1 and earlier, this parameter is set as `middleware.url_normalize`. ## Envoy external filter-specific settings ### envoy_external_filter.address (required) Specifies the listening IP address and port separated by a colon (`:`). Ensure the port is not `80`, `8080`, `9000`, or `3313`, as these are used by other Wallarm processes. **IP address:Port:** ```yaml version: 4 envoy_external_filter: address: '192.158.1.38:5080' ``` **Specific port on all IPs:** ```yaml version: 4 envoy_external_filter: address: ':5080' ``` ### envoy_external_filter.tls_cert (required) Path to the TLS/SSL certificate (usually a `.crt` or `.pem` file) issued for the domain where the node is running. The certificate must be provided by a trusted Certificate Authority (CA) to ensure secure communication. ### envoy_external_filter.tls_key (required) Path to the private key corresponding to the TLS/SSL certificate (typically a `.key` file). ## Basic settings ### proxy_headers Configures how the Native Node extracts the original client IP and host when traffic passes through proxies or load balancers. * `trusted_networks`: trusted proxy IP ranges (CIDRs). Headers like `X-Forwarded-For` are only trusted if the request comes from these networks. If omitted, all networks are trusted (not recommended). * `original_host`: headers to use for the original `Host` value, if modified by a proxy. * `real_ip`: headers to use for extracting the real client IP address. You can define multiple rules for different proxy types or trust levels. !!! info "Rule evaluation order" Only the first matching rule is applied per request. Supported in Native Node 0.13.5 and later 0.13.x versions, and in 0.15.1 and later. Example: ```yaml version: 4 proxy_headers: # Rule 1: Internal company proxies - trusted_networks: - 10.0.0.0/8 - 192.168.0.0/16 original_host: - X-Forwarded-Host real_ip: - X-Forwarded-For # Rule 2: External edge proxies (e.g., CDN, reverse proxy) - trusted_networks: - 203.0.113.0/24 original_host: - X-Real-Host real_ip: - X-Real-IP ``` For Node 0.13.4 and earlier operating in [`tcp-capture`](https://docs.wallarm.com/5.x/installation/oob/tcp-traffic-mirror/deployment.md) mode, use the parameter `http_inspector.real_ip_header`. In later 0.13.x versions, the `proxy_headers` section replaces it. ### route_config Configuration section where you specify settings for specific routes. ### route_config.wallarm_application [Wallarm application ID](https://docs.wallarm.com/5.x/user-guides/settings/applications.md). This value can be overridden for specific routes. Default: `-1`. ### route_config.wallarm_mode General traffic [filtration mode](https://docs.wallarm.com/5.x/admin-en/configure-wallarm-mode.md): `block`, `safe_blocking`, `monitoring` or `off`. In OOB mode, traffic blocking is not supported. The mode can be [overridden for specific routes](#wallarm_mode). Default: `monitoring`. ### route_config.routes Sets route-specific Wallarm configuration. Includes Wallarm mode and application IDs. Example configuration: **connector-server:** ```yaml version: 4 route_config: wallarm_application: 10 wallarm_mode: monitoring routes: - host: example.com wallarm_application: 1 routes: - route: /app2 wallarm_application: 2 - host: api.example.com route: /api wallarm_application: 100 - route: /testing wallarm_mode: off ``` **tcp-capture:** ```yaml version: 4 route_config: wallarm_application: 10 wallarm_mode: monitoring routes: - host: example.com wallarm_application: 1 routes: - route: /app2 wallarm_application: 2 - host: api.example.com route: /api wallarm_application: 100 - route: /testing wallarm_mode: off ``` #### host Specifies the route host. This parameter supports wildcard matching similar to [`connector.allowed_hosts`](#connectorallowed_hosts). For example: **connector-server:** ```yaml version: 4 route_config: wallarm_application: 10 routes: - host: "*.host.com" ``` **tcp-capture:** ```yaml version: 4 route_config: wallarm_application: 10 routes: - host: "*.host.com" ``` #### routes.route or route Defines specific routes. Routes can be configured with NGINX-like prefixes: ```yaml - route: [ = | ~ | ~* | ^~ | ]/location # | | | | ^ prefix (lower priority than regexes) # | | | ^ prefix (higher priority than regexes) # | | ^re case insensitive # | ^re case sensitive # ^exact match ``` For example, to match only the exact route: ```yaml - route: =/api/login ``` To match routes with a regular expression: ```yaml - route: ~/user/[0-9]+/login.* ``` #### wallarm_application Sets the [Wallarm application ID](https://docs.wallarm.com/5.x/user-guides/settings/applications.md). Overrides the `route_config.wallarm_application` for specific endpoints. #### wallarm_mode Host-specific traffic [filtration mode](https://docs.wallarm.com/5.x/admin-en/configure-wallarm-mode.md): `block`, `safe_blocking`, `monitoring` or `off`. In OOB mode, traffic blocking is not supported. Default: `monitoring`. ### log.pretty Controls the error and access log format. Set to `true` for human-readable logs, or `false` for JSON logs. Default: `true`. ### log.level Log level, can be `debug`, `info`, `warn`, `error`, `fatal`. Default: `info`. ### log.log_file Specifies the destination for error log output. Options are `stdout`, `stderr`, or a path to a log file. Default: `stderr`. However, the node redirects `stderr` to the file `/opt/wallarm/var/log/wallarm/go-node.log`. ### log.access_log.enabled Controls whether to collect access logs. Default: `true`. ### log.access_log.verbose Controls whether to include detailed information about each request in the access log output. Default: `true`. ### log.access_log.log_file Specifies the destination for access log output. Options are `stdout`, `stderr`, or a path to a log file. Default: `stderr`. However, the node redirects `stderr` to the file `/opt/wallarm/var/log/wallarm/go-node.log`. If not set, the [`log.log_file`](#loglog_file) setting is used. ## Advanced settings **connector-server:** ```yaml version: 4 input_filters: inspect: - path: "^/api/v[0-9]+/.*" headers: Authorization: "^Bearer .+" bypass: - path: ".*\\.(png|jpg|css|js|svg)$" - headers: accept: "text/html" http_inspector: workers: auto libdetection_enabled: true api_firewall_enabled: true api_firewall_database: /opt/wallarm/var/lib/wallarm-api/2/wallarm_api.db wallarm_dir: /opt/wallarm/etc/wallarm shm_dir: /tmp wallarm_process_time_limit: 1s postanalytics_exporter: address: 127.0.0.1:3313 enabled: true log: proton_log_mask: info@* metrics: enabled: true listen_address: :9000 legacy_status: enabled: true listen_address: 127.0.0.1:10246 namespace: wallarm_gonode health_check: enabled: true listen_address: :8080 ``` **tcp-capture:** ```yaml version: 4 input_filters: inspect: - path: "^/api/v[0-9]+/.*" headers: Authorization: "^Bearer .+" bypass: - path: ".*\\.(png|jpg|css|js|svg)$" - headers: accept: "text/html" http_inspector: workers: auto libdetection_enabled: true api_firewall_enabled: true api_firewall_database: /opt/wallarm/var/lib/wallarm-api/2/wallarm_api.db wallarm_dir: /opt/wallarm/etc/wallarm shm_dir: /tmp wallarm_process_time_limit: 1s postanalytics_exporter: address: 127.0.0.1:3313 enabled: true log: proton_log_mask: info@* metrics: enabled: true listen_address: :9000 legacy_status: enabled: true listen_address: 127.0.0.1:10246 namespace: wallarm_gonode health_check: enabled: true listen_address: :8080 ``` ### input_filters Defines which incoming requests should be **inspected** or **bypassed** by the Native Node. This reduces CPU usage by ignoring irrelevant traffic such as static assets or health checks. By default, all requests are inspected. !!! warning "Requests skipped from inspection are not analyzed or sent to Wallarm Cloud" As a result, skipped requests do not appear in metrics, API Discovery, API sessions, vulnerability detection and so on. Wallarm features do not apply to them. **Compatibility** * Native Node 0.13.7 and higher 0.13.x versions * Native Node 0.16.0 and higher **Filtering logic** The filtering logic is based on 2 lists: * `inspect`: only requests matching at least one filter here are inspected. If omitted or empty, all requests are inspected, unless excluded by `bypass`. * `bypass`: requests matching any filter here are never inspected, even if they match `inspect`. **Filter format** Each filter is an object that can include: * `path` or `url`: regex for matching the request path (both are supported and equivalent). * `headers`: a map of header names to regex patterns for matching their values. All regular expressions must follow the [RE2 syntax](https://github.com/google/re2/wiki/Syntax). **Examples** **Allow requests by token, skip static content:** This configuration inspects only requests to versioned API endpoints (e.g. `/api/v1/...`) that include a `Bearer` token in the `Authorization` header. It bypasses requests for static files (images, scripts, styles) and browser-initiated HTML page loads. ```yaml input_filters: inspect: - path: "^/api/v[0-9]+/.*" headers: Authorization: "^Bearer .+" bypass: - path: ".*\\.(png|jpg|css|js|svg)$" - headers: accept: "text/html" ``` **Allow requests by domain, skip health checks:** This configuration inspects only requests with `Host: api.example.com`, skipping all others. Requests to the `/healthz` endpoint are always bypassed, even if they match the inspected host. ```yaml input_filters: inspect: - headers: host: "^api\\.example\\.com$" bypass: - path: "^/healthz$" ``` ### http_inspector.workers Wallarm worker number. Default: `auto`, which means the number of workers is set to the number of CPU cores. ### http_inspector.libdetection_enabled Whether to additionally validate the SQL Injection attacks using the [libdetection](https://docs.wallarm.com/5.x/about-wallarm/protecting-against-attacks.md#basic-set-of-detectors) library. Default: `true`. ### http_inspector.api_firewall_enabled Controls whether [API Specification Enforcement](https://docs.wallarm.com/5.x/api-specification-enforcement/overview.md) is enabled. Please note that activating this feature does not substitute for the required subscription and configuration through the Wallarm Console UI. Default: `true`. ### http_inspector.api_firewall_database Specifies the path to the database containing the API specifications you have uploaded for [API Specification Enforcement](https://docs.wallarm.com/5.x/api-specification-enforcement/overview.md). This database synchronizes with the Wallarm Cloud. Typically, you do not need to modify this parameter. Default: `/opt/wallarm/var/lib/wallarm-api/2/wallarm_api.db`. ### http_inspector.wallarm_dir Specifies the directory path for node configuration files. Typically, you do not need to modify this parameter. If you need assistance, please contact the [Wallarm support team](mailto:support@wallarm.com). Default: `/opt/wallarm/etc/wallarm`. ### http_inspector.shm_dir HTTP analyzer shared directory. Typically, you do not need to modify this parameter. Default: `/tmp`. ### http_inspector.wallarm_process_time_limit Defines the maximum time for processing a single HTTP request by the Wallarm Native Node. If the limit is exceeded, the request is marked as an [`overlimit_res`](https://docs.wallarm.com/5.x/attacks-vulns-list.md#resource-overlimit) attack and blocked. You can configure the limit in this parameter or [via the Wallarm Console](https://docs.wallarm.com/5.x/user-guides/rules/configure-overlimit-res-detection.md), which also controls whether to block such requests. Wallarm Console settings override local configurations. ### postanalytics_exporter.address Sets the address for the postanalytics service which handles statistical request analysis in Wallarm's request processing. Typically, you do not need to modify this parameter. Default: `127.0.0.1:3313`. In Node version 0.12.1 and earlier, this parameter is set as `tarantool_exporter.address`. ### postanalytics_exporter.enabled Controls whether the postanalytics service is enabled. This parameter must be set to `true` as the Wallarm node does not function without the postanalytics service. Default: `true`. In Node version 0.12.1 and earlier, this parameter is set as `tarantool_exporter.enabled`. ### log.proton_log_mask The mask for internal traffic logging. Typically, you do not need to modify this parameter. Default: `info@*`. ### metrics.enabled Controls whether [Prometheus metrics](https://docs.wallarm.com/5.x/admin-en/configure-statistics-service.md#usage) are enabled. This parameter must be set to `true` as the Wallarm node does not function properly without it. Default: `true`. ### metrics.listen_address Sets the address and port where Prometheus metrics will be exposed. To access these metrics, use the `/metrics` endpoint. Default: `:9000` (all network interfaces on the port 9000). ### metrics.legacy_status.enabled Controls whether the [`/wallarm-status`](https://docs.wallarm.com/5.x/admin-en/configure-statistics-service.md#usage) metrics service is enabled. This parameter must be set to `true` as the Wallarm node does not function properly without it. Default: `true`. ### metrics.legacy_status.listen_address Sets the address and port where `/wallarm-status` metrics in JSON format will be exposed. To access these metrics, use the `/wallarm-status` endpoint. Default: `127.0.0.1:10246`. ### metrics.namespace Defines the prefix for Prometheus metrics exposed by the `go-node` binary (the core processing service of the Native Node). Default: `wallarm_gonode`. All metrics emitted by `go-node` will use this prefix (e.g., `wallarm_gonode_requests_total`). Other components of the node, such as `wstore` and `wcli`, use their own fixed prefixes. Supported in Native Node 0.13.5 and later 0.13.x versions, and in 0.15.1 and later. ### health_check.enabled Controls whether health check endpoints are enabled. Default: `true`. ### health_check.listen_address Sets the address and port for the `/live` and `/ready` health check endpoints. Default: `:8080` (all network interfaces on the port 8080).