These docs are under active development and cover the v0.20 Kobicha security model.
On this page
§12.1

Configuration Keys

All configuration keys live under Machine\System\eventd\. eventd ignores unknown keys in this subtree. Invalid values are ignored and the compiled-in default is retained. eventd MUST emit a synthetic eventd.config_change event when a valid configuration change is applied.

§12.1.1 Required keys

These keys MUST exist for eventd to start. There are no compiled-in defaults.

Key Type Description
EventStorePath REG_SZ Directory path for event shard databases.
LogStorePath REG_SZ File path for the log store database.
MetricStorePath REG_SZ File path for the metric store database.
QuerySocketPath REG_SZ Unix socket path for query access.
LogSocketPath REG_SZ Unix socket path for log ingestion.
MetricSocketPath REG_SZ Unix socket path for metric ingestion.

§12.1.2 Event ingestion

Key Type Default Valid range Description
StorageShards REG_DWORD 0 0--256 Number of event shard databases. 0 = CPU count.
MaxBatchSize REG_DWORD 10000 100--100000 Maximum events per event writer transaction.
MaxBatchLatencyMs REG_DWORD 100 10--5000 Maximum ms before an event batch is committed.

§12.1.3 Log ingestion

Key Type Default Valid range Description
LogMaxBatchSize REG_DWORD 5000 100--100000 Maximum log records per transaction.
LogMaxBatchLatencyMs REG_DWORD 500 10--5000 Maximum ms before a log batch is committed.

§12.1.4 Adaptive indexing (events)

Key Type Default Valid range Description
AdaptiveIndexWindowHours REG_DWORD 24 1--168 Rolling window for query frequency measurement.
AdaptiveIndexCreateThreshold REG_DWORD 100 10--10000 Queries on a field required to trigger index creation.
AdaptiveIndexDropThreshold REG_DWORD 10 1--1000 Queries below which an index is removed from the desired set. MUST be less than create threshold.

§12.1.5 Adaptive rollups (metrics)

Key Type Default Valid range Description
AdaptiveRollupWindowHours REG_DWORD 48 1--168 Rolling window for rollup query frequency measurement.
AdaptiveRollupCreateThreshold REG_DWORD 50 10--10000 Queries required to trigger rollup computation.
AdaptiveRollupDropThreshold REG_DWORD 5 1--1000 Queries below which a rollup pair is removed. MUST be less than create threshold.

§12.1.6 Retention

Key Type Default Valid range Description
EventRetentionDays REG_DWORD 30 1--3650 Maximum age of events in days.
EventRetentionMaxBytes REG_QWORD 0 0--2^64-1 Maximum total size of event shard databases. 0 = no limit.
LogRetentionDays REG_DWORD 14 1--3650 Maximum age of log entries in days.
LogRetentionMaxBytes REG_QWORD 0 0--2^64-1 Maximum size of log store database. 0 = no limit.
MetricRetentionDays REG_DWORD 90 1--3650 Maximum age of metric samples in days.
MetricRetentionMaxBytes REG_QWORD 0 0--2^64-1 Maximum size of metric store database. 0 = no limit.
RetentionCheckIntervalMinutes REG_DWORD 60 1--1440 How often the retention process runs.

§12.1.7 Querying

Key Type Default Valid range Description
QueryTimeoutMs REG_DWORD 30000 1000--300000 Maximum query execution time in ms.

§12.1.8 Cross-type filtering

Key Type Default Valid range Description
CrossTypeWindowMs REG_DWORD 15000 1000--300000 Time window for cross-type event/log existence checks.

§12.1.9 Security subtree

SDs for read-path access control are stored under Machine\System\eventd\Security\:

Machine\System\eventd\Security\Events\*
Machine\System\eventd\Security\Events\<pattern>
Machine\System\eventd\Security\Logs\*
Machine\System\eventd\Security\Logs\<pattern>
Machine\System\eventd\Security\Metrics\*
Machine\System\eventd\Security\Metrics\<pattern>

See §9.1 for SD structure and default values.

§12.1.10 Runtime vs restart

Change Effect
Tuning parameters (batch sizes, latencies, retention, adaptive thresholds, query timeout, cross-type window) Applied immediately.
Socket paths Requires restart.
Store paths Requires restart.
StorageShards Requires restart.
Security SDs Applied on next query (SD cache invalidated by registry watch).