# Trace

#### Protocol Support

The OTLP input can operate in two modes:

* **gRPC** - Uses the OTLP/gRPC protocol (recommended for production). Implements the `opentelemetry.proto.collector.trace.v1.TraceService` interface with full OTLP compliance.
* **HTTP** 1.1 - Uses the OTLP/HTTP protocol with RESTful endpoints. Supports both Protocol Buffers and JSON content types.

{% hint style="info" %}
**Namespace Support**\
The OTLP input supports multiple isolated namespaces, allowing you to run separate instances of the trace collector with different configurations. To create additional namespaces, use the pattern `EF_INPUT_OTLP_<NAMESPACE>_` where `<NAMESPACE>` is your namespace identifier (e.g., `EF_INPUT_OTLP_INTERNAL_`, `EF_INPUT_OTLP_PARTNER_`).
{% endhint %}

* [Server Configuration](#server-configuration)
* [Authentication Configuration](#authentication-configuration)
  * [Basic Authentication](#basic-authentication)
  * [Bearer Token Authentication](#bearer-token-authentication)
  * [OIDC Authentication](#oidc-authentication)
* [gRPC Health Check Server](#grpc-health-check-server)
* [HTTP Server Details](#http-server-details)
* [Config Examples](#configuration-examples)

### Server Configuration&#x20;

#### `EF_INPUT_OTLP_TRACE_SERVER_ENABLE`

Enable or disable the OTLP trace server.

*Valid Values*: `true`, `false`

*Default*: `true`

#### `EF_INPUT_OTLP_TRACE_WORKERS`

Specifies the number of concurrent worker goroutines to process incoming trace data. Increasing the number of workers will allow the collector to better handle high-volume trace ingestion.

*Default:* `3`

#### `EF_INPUT_OTLP_TRACE_BUFFER`

The size of the internal channel buffer that holds trace records before they are processed. A larger buffer can help handle traffic bursts but will consume more memory.

*Default:* `128`

#### `EF_INPUT_OTLP_TRACE_SERVER_TYPE`

Specifies the protocol type for the trace server.

When `EF_INPUT_OTLP_TRACE_SERVER_TYPE=http`, the following endpoint is available: ***POST /v1/traces** - Submit trace data*

The HTTP server accepts trace data in two formats:

* `Content-Type: application/x-protobuf` - Binary Protocol Buffers format
* `Content-Type: application/json` - JSON format

Valid Values: `grpc`, `http`

*Default* `grpc`

#### `EF_INPUT_OTLP_TRACE_SERVER_ADDR_HOST`

The IP address to bind the trace server to. Use `0.0.0.0` to listen on all network interfaces, or specify a specific IP address.

*Default*: `0.0.0.0`

#### `EF_INPUT_OTLP_TRACE_SERVER_ADDR_PORT`

The port number for the trace server to listen on. Standard OTLP ports are 4317 for gRPC and 4318 for HTTP.

*Default*: `4317`

#### `EF_INPUT_OTLP_TRACE_SERVER_TLS_ENABLE`

Enable or disable TLS encryption for the trace server.

*Valid Values*: `true`, `false`

*Default*: `false`

#### `EF_INPUT_OTLP_TRACE_SERVER_TLS_CERT_FILE`

The path to the TLS certificate file for the trace server.

#### `EF_INPUT_OTLP_TRACE_SERVER_TLS_KEY_FILE`

The path to the TLS private key file for the trace server.

#### `EF_INPUT_OTLP_TRACE_SERVER_TLS_VERIFICATION_TYPE`

The client certificate verification mode for TLS connections.

Valid Values

* `NoClientCert` (or `0`) - No client certificate required
* `RequestClientCert` (or `1`) - Request client certificate but don't verify
* `RequireAnyClientCert` (or `2`) - Require client certificate but don't verify CA
* `VerifyClientCertIfGiven` (or `3`) - Verify client certificate if provided
* `RequireAndVerifyClientCert` (or `4`) - Require and verify client certificate

*Default*: `NoClientCert`

### Authentication Configuration

The OTLP input supports multiple authentication mechanisms: none, basic, bearer token, and OIDC.

#### `EF_INPUT_OTLP_TRACE_SERVER_AUTH_TYPE`

Specifies the authentication mechanism to use for the trace server.

*Valid Values:* `none`, `basic`, `bearer`, `oidc`

*Default*: `none`

### Basic Authentication

#### `EF_INPUT_OTLP_TRACE_SERVER_AUTH_BASIC_USERNAME`

The username for HTTP Basic Authentication. Required when `EF_INPUT_OTLP_TRACE_SERVER_AUTH_TYPE=basic`.

Clients must include the Authorization header: `Authorization: Basic <base64-encoded-credentials>`

#### `EF_INPUT_OTLP_TRACE_SERVER_AUTH_BASIC_PASSWORD`

The password for HTTP Basic Authentication. Required when `EF_INPUT_OTLP_TRACE_SERVER_AUTH_TYPE=basic`. This value is redacted in logs.

### Bearer Token Authentication

#### `EF_INPUT_OTLP_TRACE_SERVER_AUTH_BEARER_TOKEN`

The static bearer token for authentication. Required when `EF_INPUT_OTLP_TRACE_SERVER_AUTH_TYPE=bearer` (unless using `AUTH_BEARER_TOKEN_FILE`). This value is redacted in logs.

Clients must include the Authorization header: `Authorization: Bearer <token>`

#### `EF_INPUT_OTLP_TRACE_SERVER_AUTH_BEARER_TOKEN_FILE`

Path to a file containing the bearer token. Required when `EF_INPUT_OTLP_TRACE_SERVER_AUTH_TYPE=bearer` (unless using `AUTH_BEARER_TOKEN`). This value is redacted in logs.

### OIDC Authentication

OpenID Connect (OIDC) authentication validates JWT tokens from an identity provider.

#### `EF_INPUT_OTLP_TRACE_SERVER_AUTH_OIDC_ISSUER_URL`

The OIDC issuer URL. Required when `EF_INPUT_OTLP_TRACE_SERVER_AUTH_TYPE=oidc`.

Clients must include the Authorization header with a valid JWT token: `Authorization: Bearer <jwt-token>`

#### `EF_INPUT_OTLP_TRACE_SERVER_AUTH_OIDC_AUDIENCE`

The expected audience claim in the JWT token. Required unless `EF_INPUT_OTLP_TRACE_SERVER_AUTH_OIDC_SKIP_AUDIENCE_CHECK=true`.

#### `EF_INPUT_OTLP_TRACE_SERVER_AUTH_OIDC_CLIENT_ID`

The OIDC client ID.

#### `EF_INPUT_OTLP_TRACE_SERVER_AUTH_OIDC_JWKS_URL`

The JWKS endpoint URL for validating JWT signatures. If not provided, the endpoint will be auto-discovered from the issuer URL.

#### `EF_INPUT_OTLP_TRACE_SERVER_AUTH_OIDC_SKIP_ISSUER_CHECK`

Skip validation of the issuer claim in JWT tokens.

*Valid Values*: `true`, `false`

*Default*: `false`

#### `EF_INPUT_OTLP_TRACE_SERVER_AUTH_OIDC_SKIP_AUDIENCE_CHECK`

Skip validation of the audience claim in JWT tokens.

*Valid Values*: `true`, `false`

*Default*: `false`

### gRPC Health Check Server

A separate health check server is provided for Kubernetes liveness and readiness probes. The health check server implements the gRPC Health Checking Protocol (`grpc.health.v1.Health`).

#### `EF_INPUT_OTLP_HEALTH_SERVER_ADDR_HOST`

The IP address to bind the health check server to.

*Default*: `0.0.0.0`

#### `EF_INPUT_OTLP_HEALTH_SERVER_ADDR_PORT`

The port number for the health check server to listen on.

*Default*: `9411`

#### `EF_INPUT_OTLP_HEALTH_SERVER_TLS_ENABLE`

Enable or disable TLS encryption for the health check server.

*Valid Values:* `true`, `false`

*Default*: `false`

#### `EF_INPUT_OTLP_HEALTH_SERVER_TLS_CERT_FILE`

The path to the TLS certificate file for the health check server.

#### `EF_INPUT_OTLP_HEALTH_SERVER_TLS_KEY_FILE`

The path to the TLS private key file for the health check server.

#### `EF_INPUT_OTLP_HEALTH_SERVER_TLS_VERIFICATION_TYPE`

The client certificate verification mode for the health check server.

*Valid Values*:

* `NoClientCert` (or `0`) - No client certificate required
* `RequestClientCert` (or `1`) - Request client certificate but don't verify
* `RequireAnyClientCert` (or `2`) - Require client certificate but don't verify CA
* `VerifyClientCertIfGiven` (or `3`) - Verify client certificate if provided
* `RequireAndVerifyClientCert` (or `4`) - Require and verify client certificate

*Default*: `NoClientCert`

### Configuration Examples

#### gRPC with TLS and OIDC

```yaml
EF_INPUT_OTLP_TRACE_SERVER_ENABLE: true
EF_INPUT_OTLP_TRACE_SERVER_TYPE: grpc
EF_INPUT_OTLP_TRACE_SERVER_ADDR_HOST: 0.0.0.0
EF_INPUT_OTLP_TRACE_SERVER_ADDR_PORTL: 4317
EF_INPUT_OTLP_TRACE_WORKERS: 5
EF_INPUT_OTLP_TRACE_BUFFER: 256

EF_INPUT_OTLP_TRACE_SERVER_TLS_ENABLE: true
EF_INPUT_OTLP_TRACE_SERVER_TLS_CERT_FILE: /etc/certs/server.crt
EF_INPUT_OTLP_TRACE_SERVER_TLS_KEY_FILE: /etc/certs/server.key

EF_INPUT_OTLP_TRACE_SERVER_AUTH_TYPE: oidc
EF_INPUT_OTLP_TRACE_SERVER_AUTH_OIDC_ISSUER_URL: https://auth.company.com
EF_INPUT_OTLP_TRACE_SERVER_AUTH_OIDC_AUDIENCE: trace-collector
EF_INPUT_OTLP_TRACE_SERVER_AUTH_OIDC_CLIENT_ID: otlp-collector

EF_INPUT_OTLP_HEALTH_SERVER_ADDR_HOST: 0.0.0.0
EF_INPUT_OTLP_HEALTH_SERVER_ADDR_PORT: 9411
```

#### HTTP Server with Basic Authentication

```yaml
EF_INPUT_OTLP_TRACE_SERVER_ENABLE: true
EF_INPUT_OTLP_TRACE_SERVER_TYPE: http
EF_INPUT_OTLP_TRACE_SERVER_ADDR_HOST: 0.0.0.0
EF_INPUT_OTLP_TRACE_SERVER_ADDR_PORT: 4318

EF_INPUT_OTLP_TRACE_SERVER_AUTH_TYPE: basic
EF_INPUT_OTLP_TRACE_SERVER_AUTH_BASIC_USERNAME: myuser
EF_INPUT_OTLP_TRACE_SERVER_AUTH_BASIC_PASSWORD: mysecretpassword
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.elastiflow.com/flowcoll/configuration/inputs/otel/trace.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.