
Backend Configuration

Backend configuration lives at config/backend.toml in the deployment directory.

# Listener settings for the REST API and the agent-facing gRPC endpoint.
[server]
# REST API bind address (default: 0.0.0.0:8080)
# 0.0.0.0 listens on every network interface. Bind to a specific address, or
# restrict access with a firewall, if the API should not be reachable from
# every attached network.
host = "0.0.0.0"
port = 8080
# gRPC bind address for agent connections (default: 0.0.0.0:50051)
# Also listens on all interfaces; limit reachability to the networks agents
# actually connect from.
grpc_host = "0.0.0.0"
grpc_port = 50051
# Environment: "development" or "production"
# production disables wildcard CORS and enables stricter security
# Keep "production" for anything other hosts can reach; "development"
# presumably leaves wildcard CORS enabled (inferred from the line above).
env = "production"
# Connection settings the backend uses to reach SurrealDB.
[database]
# SurrealDB connection URL
# ws:// is an unencrypted WebSocket, acceptable only for a loopback address
# like this one. For a database on another host use the TLS scheme wss://
# (TODO confirm the backend accepts it).
url = "ws://localhost:8000"
# NOTE(review): "root" is normally SurrealDB's top-level account; prefer a
# dedicated, narrowly scoped database user if the backend supports one.
username = "root"
# Placeholder: replace before first start. This file holds secrets in plain
# text, so keep it readable only by the service account.
password = "your-strong-password-here"
# Token signing and token lifetime settings.
[auth]
# JWT signing secret (minimum 32 characters — use a random string)
# Generate: openssl rand -hex 32
# (that command prints 64 hex characters, i.e. 32 random bytes)
# The value below is a placeholder and must be replaced. Anyone who learns the
# signing secret can presumably forge tokens, so keep it out of version
# control and restrict read access to this file.
jwt_secret = "change-me-to-a-random-32-char-string"
# Access token lifetime in minutes (default: 60)
# A shorter lifetime narrows the window in which a stolen access token works.
access_token_expiry_minutes = 60
# Refresh token lifetime in days (default: 7)
refresh_token_expiry_days = 7
# Outbound mail settings used for email alerts.
[smtp]
host = "smtp.yourprovider.com"
# 587 is the standard mail-submission port.
port = 587
username = "alerts@yourdomain.edu"
# Placeholder. Prefer a dedicated mailbox or app-specific password so that a
# leaked config file does not expose a personal account.
password = "your-smtp-password"
from_address = "alerts@yourdomain.edu"
from_name = "Bastion EDR"
# Keep enabled so the SMTP credentials are not sent in clear text.
# NOTE(review): the page does not say whether this means STARTTLS or implicit
# TLS — confirm it matches the chosen port.
use_tls = true

Once configured, create notification rules in the console under Notifications → Rules to send email alerts on specific threat severities or compliance events.

# Event forwarding to a Splunk HTTP Event Collector (HEC).
[siem.splunk]
enabled = true
# Use an https:// endpoint: the HEC token accompanies each request.
hec_url = "https://splunk.yourorg.com:8088/services/collector"
# Placeholder. Treat the HEC token as a secret; on the Splunk side, restrict
# it to the index named below.
hec_token = "your-splunk-hec-token"
index = "bastion"
# Event forwarding to Elasticsearch.
[siem.elasticsearch]
enabled = true
url = "https://elasticsearch.yourorg.com:9200"
index = "bastion-events"
# api_key = "your-api-key" # Optional
# NOTE(review): "elastic" is Elasticsearch's built-in superuser. Prefer the
# api_key option above, or a dedicated user allowed only to write to the
# index, so a leaked config file does not grant cluster-wide access.
username = "elastic"
# Placeholder: replace before enabling this integration.
password = "your-password"
# Event forwarding to Sentinel (presumably Microsoft Sentinel via a Log
# Analytics workspace — the page does not say).
[siem.sentinel]
enabled = true
workspace_id = "your-workspace-id"
# Placeholder. The workspace shared key is a secret: anyone holding it can
# presumably submit data to the workspace.
shared_key = "your-shared-key"
# NOTE(review): presumably the custom log type name events are stored under —
# confirm.
log_type = "BastionEDR"
# TLS settings for the backend's listeners.
[tls]
# Enable TLS on the REST API
# NOTE(review): the page does not state whether this also covers the gRPC
# agent listener — confirm before exposing the gRPC port.
enabled = true
cert_file = "/etc/bastion/certs/server.crt"
# Private key: keep it readable only by the service account.
key_file = "/etc/bastion/certs/server.key"
# Require client certificates from agents (mTLS)
# Both keys are commented out, so the built-in defaults apply (not shown on
# this page). With mTLS on, agents presumably must present a certificate
# issued by the CA at ca_path.
# require_client_cert = false
# ca_path = "/etc/bastion/certs/ca.crt"
# Request throttling.
[rate_limit]
# Requests per minute per IP (default: 1000)
# NOTE(review): behind a reverse proxy or NAT many clients can share one
# source IP; confirm which address the backend counts.
requests_per_minute = 1000
# Auth endpoint limit (stricter — default: 20)
# The lower limit slows password guessing against the auth endpoints.
auth_requests_per_minute = 20
# Optional: Redis for distributed rate limiting (multi-instance deployments)
# The example URL carries no credentials and no TLS. If Redis runs on another
# host, require authentication and use the rediss:// scheme (TODO confirm the
# backend supports it).
# redis_url = "redis://localhost:6379"
# License key storage.
[license]
# Directory for RSA license key pair storage
# Generated automatically on first run
# The directory will contain a private key: restrict it to the service
# account. It presumably has to be writable by the backend on first run,
# since the key pair is generated then.
key_dir = "/etc/bastion/keys/license"
# Log output settings.
[logging]
# Log level: trace, debug, info, warn, error (default: info)
# NOTE(review): trace and debug may log request details; check what is
# emitted before enabling them in production.
level = "info"
# Structured JSON logging (recommended for SIEM ingestion)
# Set to false here; per the line above, true is the recommended value when
# logs are ingested by a SIEM.
json = false

All config values can be overridden via environment variables with the prefix BASTION_:

# Starts bastion-backend with two settings overridden from the environment.
# Example values only: "my-secret" is shorter than the 32-character minimum
# stated for jwt_secret.
# NOTE(review): BASTION_AUTH_JWT_SECRET mirrors [auth] jwt_secret, but
# BASTION_DB_URL does not mirror the [database] table name — confirm the
# exact variable name before relying on it.
# Secrets typed inline can end up in shell history; in production, load them
# from a secrets manager or a service environment file with restricted
# permissions.
BASTION_AUTH_JWT_SECRET="my-secret" \
BASTION_DB_URL="ws://db:8000" \
bastion-backend