Prelude/prelude-lml
From SchnallIchNet
initializing lml
This is an optional prelude-sensor that gets its information from various log files.
prelude-admin register prelude-lml "idmef:w admin:r" localhost --uid 0 --gid 0
activate the sensor
this may take some time to generate the keys
perhaps do something like find . -name '*.so' in a second window to give the kernel some activity for generating random data
prelude-admin registration-server prelude-manager
as done before, run this in an extra window
get the one-time password it prints and paste it into the first window,
where you have been prompted for a password!
config-file: prelude-lml.conf
[prelude]
server-addr = 127.0.0.1
tell the sensor the address of the server.
now you will have to configure some files to monitor...
[format=syslog]
time-format = "%b %d %H:%M:%S"
prefix-regex = "^(?P<timestamp>.{15}) (?P<hostname>\S+) (?:(?P<process>\S+?)(?:\[(?P<pid>[0-9]+)\])?: )?"
file = /var/log/messages
file = /var/log/auth.log
tell the sensor the timestamp format of the log, e.g. syslog
create a prefix-regex with named subpatterns (timestamp, hostname, process, pid) that splits off the line prefix
and define the files that have that format and that you want to monitor...
read the comments in the config file AND the pcrepattern(3) manpage for details about PCRE subpatterns
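To check what the prefix-regex and time-format from the config above actually extract before pointing the sensor at real files, here is a small added example (not part of prelude-lml, written for this page) that applies them to a few constructed syslog lines, including a kernel message without a pid and a "-- MARK --" line without any process:

```python
import re
import time

# Values taken from the prelude-lml.conf snippet above: the syslog prefix
# regex (Python's re understands the same (?P<name>...) named groups as PCRE)
# and the matching time-format string.
PREFIX_REGEX = re.compile(
    r"^(?P<timestamp>.{15}) (?P<hostname>\S+) "
    r"(?:(?P<process>\S+?)(?:\[(?P<pid>[0-9]+)\])?: )?"
)
TIME_FORMAT = "%b %d %H:%M:%S"


def parse_syslog_prefix(line):
    """Split one syslog line into the prefix fields (timestamp, hostname,
    process, pid) and the remaining message text.
    Returns None when the line does not match the prefix at all."""
    m = PREFIX_REGEX.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    # Check that the timestamp really has the configured time-format;
    # a mismatch (e.g. an ISO-8601 timestamp) means time-format must change.
    try:
        fields["struct_time"] = time.strptime(fields["timestamp"], TIME_FORMAT)
    except ValueError:
        fields["struct_time"] = None
    # pid arrives as a string; stays None when the process had no [pid]
    fields["pid"] = int(fields["pid"]) if fields["pid"] is not None else None
    fields["message"] = line[m.end():]
    return fields


# Constructed sample lines (not real log data): a daemon with a pid,
# the kernel without a pid, and a syslog "-- MARK --" line with no process.
SAMPLE_LINES = [
    "Mar  3 09:14:22 host1 sshd[1234]: Failed password for invalid user admin from 10.0.0.5 port 4422 ssh2",
    "Mar  3 09:14:23 host1 kernel: device eth0 entered promiscuous mode",
    "Mar  3 09:14:24 host1 -- MARK --",
]


def parse_samples():
    return [parse_syslog_prefix(line) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for f in parse_samples():
        print(f["hostname"], f["process"], f["pid"], repr(f["message"]))
```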