search
Ctrlk

Trace

The OTLP (OpenTelemetry Protocol) input enables the ingestion of trace data from any OTel compatible source

hashtag
Protocol Support

The OTLP input can operate in two modes:

  • gRPC - Uses the OTLP/gRPC protocol (recommended for production). Implements the opentelemetry.proto.collector.trace.v1.TraceService interface with full OTLP compliance.

  • HTTP 1.1 - Uses the OTLP/HTTP protocol with RESTful endpoints. Supports both Protocol Buffers and JSON content types.

circle-info

Namespace Support The OTLP input supports multiple isolated namespaces, allowing you to run separate instances of the trace collector with different configurations. To create additional namespaces, use the pattern EF_INPUT_OTLP_<NAMESPACE>_ where <NAMESPACE> is your namespace identifier (e.g., EF_INPUT_OTLP_INTERNAL_, EF_INPUT_OTLP_PARTNER_).

hashtag
Server Configuration

hashtag
EF_INPUT_OTLP_TRACE_SERVER_ENABLE

Enable or disable the OTLP trace server.

Valid Values: true, false

Default: true

hashtag
EF_INPUT_OTLP_TRACE_WORKERS

Specifies the number of concurrent worker goroutines to process incoming trace data. Increasing the number of workers will allow the collector to better handle high-volume trace ingestion.

Default: 3

hashtag
EF_INPUT_OTLP_TRACE_BUFFER

The size of the internal channel buffer that holds trace records before they are processed. A larger buffer can help handle traffic bursts but will consume more memory.

Default: 128

hashtag
EF_INPUT_OTLP_TRACE_SERVER_TYPE

Specifies the protocol type for the trace server.

When EF_INPUT_OTLP_TRACE_SERVER_TYPE=http, the following endpoint is available: POST /v1/traces - Submit trace data

The HTTP server accepts trace data in two formats:

  • Content-Type: application/x-protobuf - Binary Protocol Buffers format

  • Content-Type: application/json - JSON format

Valid Values: grpc, http

Default grpc

hashtag
EF_INPUT_OTLP_TRACE_SERVER_ADDR_HOST

The IP address to bind the trace server to. Use 0.0.0.0 to listen on all network interfaces, or specify a specific IP address.

Default: 0.0.0.0

hashtag
EF_INPUT_OTLP_TRACE_SERVER_ADDR_PORT

The port number for the trace server to listen on. Standard OTLP ports are 4317 for gRPC and 4318 for HTTP.

Default: 4317

hashtag
EF_INPUT_OTLP_TRACE_SERVER_TLS_ENABLE

Enable or disable TLS encryption for the trace server.

Valid Values: true, false

Default: false

hashtag
EF_INPUT_OTLP_TRACE_SERVER_TLS_CERT_FILE

The path to the TLS certificate file for the trace server.

hashtag
EF_INPUT_OTLP_TRACE_SERVER_TLS_KEY_FILE

The path to the TLS private key file for the trace server.

hashtag
EF_INPUT_OTLP_TRACE_SERVER_TLS_VERIFICATION_TYPE

The client certificate verification mode for TLS connections.

Valid Values

  • NoClientCert (or 0) - No client certificate required

  • RequestClientCert (or 1) - Request client certificate but don't verify

  • RequireAnyClientCert (or 2) - Require client certificate but don't verify CA

  • VerifyClientCertIfGiven (or 3) - Verify client certificate if provided

  • RequireAndVerifyClientCert (or 4) - Require and verify client certificate

Default: NoClientCert

hashtag
Authentication Configuration

The OTLP input supports multiple authentication mechanisms: none, basic, bearer token, and OIDC.

hashtag
EF_INPUT_OTLP_TRACE_SERVER_AUTH_TYPE

Specifies the authentication mechanism to use for the trace server.

Valid Values: none, basic, bearer, oidc

Default: none

hashtag
Basic Authentication

hashtag
EF_INPUT_OTLP_TRACE_SERVER_AUTH_BASIC_USERNAME

The username for HTTP Basic Authentication. Required when EF_INPUT_OTLP_TRACE_SERVER_AUTH_TYPE=basic.

Clients must include the Authorization header: Authorization: Basic <base64-encoded-credentials>

hashtag
EF_INPUT_OTLP_TRACE_SERVER_AUTH_BASIC_PASSWORD

The password for HTTP Basic Authentication. Required when EF_INPUT_OTLP_TRACE_SERVER_AUTH_TYPE=basic. This value is redacted in logs.

hashtag
Bearer Token Authentication

hashtag
EF_INPUT_OTLP_TRACE_SERVER_AUTH_BEARER_TOKEN

The static bearer token for authentication. Required when EF_INPUT_OTLP_TRACE_SERVER_AUTH_TYPE=bearer (unless using AUTH_BEARER_TOKEN_FILE). This value is redacted in logs.

Clients must include the Authorization header: Authorization: Bearer <token>

hashtag
EF_INPUT_OTLP_TRACE_SERVER_AUTH_BEARER_TOKEN_FILE

Path to a file containing the bearer token. Required when EF_INPUT_OTLP_TRACE_SERVER_AUTH_TYPE=bearer (unless using AUTH_BEARER_TOKEN). This value is redacted in logs.

hashtag
OIDC Authentication

OpenID Connect (OIDC) authentication validates JWT tokens from an identity provider.

hashtag
EF_INPUT_OTLP_TRACE_SERVER_AUTH_OIDC_ISSUER_URL

The OIDC issuer URL. Required when EF_INPUT_OTLP_TRACE_SERVER_AUTH_TYPE=oidc.

Clients must include the Authorization header with a valid JWT token: Authorization: Bearer <jwt-token>

hashtag
EF_INPUT_OTLP_TRACE_SERVER_AUTH_OIDC_AUDIENCE

The expected audience claim in the JWT token. Required unless EF_INPUT_OTLP_TRACE_SERVER_AUTH_OIDC_SKIP_AUDIENCE_CHECK=true.

hashtag
EF_INPUT_OTLP_TRACE_SERVER_AUTH_OIDC_CLIENT_ID

The OIDC client ID.

hashtag
EF_INPUT_OTLP_TRACE_SERVER_AUTH_OIDC_JWKS_URL

The JWKS endpoint URL for validating JWT signatures. If not provided, the endpoint will be auto-discovered from the issuer URL.

hashtag
EF_INPUT_OTLP_TRACE_SERVER_AUTH_OIDC_SKIP_ISSUER_CHECK

Skip validation of the issuer claim in JWT tokens.

Valid Values: true, false

Default: false

hashtag
EF_INPUT_OTLP_TRACE_SERVER_AUTH_OIDC_SKIP_AUDIENCE_CHECK

Skip validation of the audience claim in JWT tokens.

Valid Values: true, false

Default: false

hashtag
gRPC Health Check Server

A separate health check server is provided for Kubernetes liveness and readiness probes. The health check server implements the gRPC Health Checking Protocol (grpc.health.v1.Health).

hashtag
EF_INPUT_OTLP_HEALTH_SERVER_ADDR_HOST

The IP address to bind the health check server to.

Default: 0.0.0.0

hashtag
EF_INPUT_OTLP_HEALTH_SERVER_ADDR_PORT

The port number for the health check server to listen on.

Default: 9411

hashtag
EF_INPUT_OTLP_HEALTH_SERVER_TLS_ENABLE

Enable or disable TLS encryption for the health check server.

Valid Values: true, false

Default: false

hashtag
EF_INPUT_OTLP_HEALTH_SERVER_TLS_CERT_FILE

The path to the TLS certificate file for the health check server.

hashtag
EF_INPUT_OTLP_HEALTH_SERVER_TLS_KEY_FILE

The path to the TLS private key file for the health check server.

hashtag
EF_INPUT_OTLP_HEALTH_SERVER_TLS_VERIFICATION_TYPE

The client certificate verification mode for the health check server.

Valid Values:

  • NoClientCert (or 0) - No client certificate required

  • RequestClientCert (or 1) - Request client certificate but don't verify

  • RequireAnyClientCert (or 2) - Require client certificate but don't verify CA

  • VerifyClientCertIfGiven (or 3) - Verify client certificate if provided

  • RequireAndVerifyClientCert (or 4) - Require and verify client certificate

Default: NoClientCert

hashtag
Configuration Examples

hashtag
gRPC with TLS and OIDC

hashtag
HTTP Server with Basic Authentication

PreviousOTelNextFlow Processing

Last updated

Was this helpful?