Prelude/prelude-manager

From SchnallIchNet

prelude-manager.conf

Config file of prelude-manager.

global options

listen = 127.0.0.1

This is OK if you have one manager per host.
If you want this manager to collect data from other hosts,
you will have to bind it to another address.

# user = prelude
# group = prelude

User and group are commented out!
That is OK for testing, but change it once everything is configured properly.

ipv6-only

Since I'm running IPv6, I will set 'ipv6-only' for gathered addresses.
This causes the manager to convert all addresses to IPv6 addresses;
a raw IPv4 address such as 192.168.0.1 is stored in IPv4-mapped form, i.e. ::ffff:192.168.0.1.

section [db]

I will not explain the database settings here.
They are well documented in the config file and nothing special!

section [XmlMod]

validate
format
logfile = /var/log/prelude-xml.log

Tells the XmlMod module to validate the XML,
format it human-readable,
and write it to the log file instead of stderr.

section [Debug]

logfile = /var/log/prelude.log

Turns on the debug log and writes it to a file, since I don't want that on stderr.

section [TextMod]

logfile = /var/log/prelude.log

Not sure what it does. Same description as for section [Debug],
but it has only one value to configure: the log file. I think I want that, so I'm configuring it! ;-)

section [smtp]

sender = prelude-manager@myhost.tld
recipients = admin@myhost.tld
smtp-server = localhost
subject = Prelude-Alert: $alert.classification.text
template = /etc/prelude-manager/email.template
dbtype = mysql
dbname = prelude
dbuser = prelude
dbpass = sUp3RsEcur3
dbhost = db-hostname

Copied /usr/share/doc/prelude-manager/smtp/template.example to /etc/prelude-manager/email.template.
The rest is self-explanatory, I think.
If the SMTP server is NOT running on localhost, give the appropriate IP/hostname.
The db* parameters are used by the smtp plugin to fetch a CorrelationAlert from the database.

section [prelude]

Here the main prelude options/config values are set!
I'll keep the default values, which come from the system OS.

Attention: Not all OSes allow overriding the OS settings. Prelude will display a WARNING if so!

Filtering plugins configuration

From here on, the base config is ready!
Configuring the filtering plugins now...
Nothing to configure here for now...

Final config-steps

prelude-admin add prelude-manager --uid 0 --gid 0

Generates a prelude admin user.
This may take a long time while the keys are generated.
Debian lenny already did that for me... no need to do it by hand!

/etc/init.d/prelude-manager start

Starts the manager daemon.

audisp (optional)

If you want to use audisp, first register the audisp sensor
in prelude, and then activate it in audisp.

audisp-prelude sensor

prelude-admin register auditd "idmef:w" localhost --uid 0 --gid 0

Then in another window, run

prelude-admin registration-server prelude-manager

This creates a one-time password to be used for the first command,
which will prompt you for one...

You should be ready to use the new plugin.
Now you will have to configure audisp itself, which is quite easy!

audisp activation

You will need to edit the file /etc/audisp/plugins.d/au-prelude.conf

active = no

Find the above line and change it to 'yes':

active = yes


If you are in an environment where you have many machines reporting to a
single prelude-manager, you will probably want your audit logs to include the
node information. Go into /etc/audit/auditd.conf change name_format to
something that makes sense to your environment. Look at the auditd.conf man
page. For this howto, just change it to "name_format = hostname".

The default configuration of the audit daemon is a best effort delivery of
events to the event dispatcher. If you want to make sure all events get
reviewed, change disp_qos to lossless. You should also probably set the
priority_boost to 4 or 5 to make sure auditd and its children get higher
priority in the scheduler.

It also might be a good idea to bump up the internal queue size of audispd.
This is done by editing /etc/audisp/audispd.conf. You want to change q_depth
to something like 512.

Then run

/etc/init.d/auditd restart
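Rehearsing the auditd/audispd edits above on copies of the config files, as an added example that is not part of the wiki page; the file paths and keys are those named in the howto, while the sample file contents and the helper names (set_kv, get_kv, apply_prelude_audit_settings, make_sample_tree) are constructed for this example:

```sh
#!/bin/sh
# Added example (not from the wiki page): apply the au-prelude/auditd/audispd
# settings from the howto to "key = value" config files under a chosen root,
# so the change can be rehearsed on copies before touching the live /etc.

# set_kv FILE KEY VALUE: rewrite an existing "KEY = ..." line, or append one.
set_kv() {
    if grep -Eq "^[[:space:]]*$2[[:space:]]*=" "$1"; then
        sed -E "s|^[[:space:]]*$2[[:space:]]*=.*|$2 = $3|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf '%s = %s\n' "$2" "$3" >> "$1"
    fi
}

# get_kv FILE KEY: print the current value of KEY (last occurrence wins).
get_kv() {
    sed -n -E "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*(.*)$|\1|p" "$1" | tail -n 1
}

# apply_prelude_audit_settings ROOT: the values recommended in the howto.
apply_prelude_audit_settings() {
    set_kv "$1/etc/audisp/plugins.d/au-prelude.conf" active yes
    set_kv "$1/etc/audit/auditd.conf" name_format hostname
    set_kv "$1/etc/audit/auditd.conf" disp_qos lossless
    set_kv "$1/etc/audit/auditd.conf" priority_boost 4
    set_kv "$1/etc/audisp/audispd.conf" q_depth 512
}

# make_sample_tree ROOT: constructed sample config files for a dry run.
make_sample_tree() {
    mkdir -p "$1/etc/audisp/plugins.d" "$1/etc/audit"
    printf '# constructed sample\nactive = no\n' > "$1/etc/audisp/plugins.d/au-prelude.conf"
    printf 'log_file = /var/log/audit/audit.log\nname_format = NONE\ndisp_qos = lossy\npriority_boost = 3\n' \
        > "$1/etc/audit/auditd.conf"
    printf 'q_depth = 80\n' > "$1/etc/audisp/audispd.conf"
}

# Dry run on a scratch directory; unchanged lines (e.g. log_file) are preserved.
demo_root=$(mktemp -d)
make_sample_tree "$demo_root"
apply_prelude_audit_settings "$demo_root"
grep -H -E '^(active|name_format|disp_qos|priority_boost|q_depth) =' \
    "$demo_root/etc/audisp/plugins.d/au-prelude.conf" \
    "$demo_root/etc/audit/auditd.conf" "$demo_root/etc/audisp/audispd.conf"
rm -rf "$demo_root"
```

Run it against the real tree only after the dry run looks right, then restart auditd as shown above.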