REQUIREMENTS
This facility requires that you have compiled with the --with-prelude option to include support for prelude. Of course you need the libprelude client library for this to work.
Note
The following configuration options can only be used. They should be placed in the [Misc] section of the configuration file, if you use them. The 'PreludeMapTo...' options do not affect in any way whether a message is reported by samhain to the prelude manager (for this there is 'PreludeSeverity' in the [Log] section); they only affect the 'Impact severity' shown on the prelude side.
- PreludeProfile=profile_name
  Specify the profile to use. The default is 'samhain'.
- PreludeMapToInfo=list of samhain severities
  The severities that should be mapped to impact severity 'info' for prelude. (default: none).
- PreludeMapToLow=list of samhain severities
  The severities that should be mapped to impact severity 'low' for prelude. (default: debug, info).
- PreludeMapToMedium=list of samhain severities
  The severities that should be mapped to impact severity 'medium' for prelude. (default: notice, warn, err).
- PreludeMapToHigh=list of samhain severities
  The severities that should be mapped to impact severity 'high' for prelude. (default: crit, alert).
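The following is an added illustration (not samhain's own code) of how the two settings interact: PreludeSeverity in [Log] decides whether a message reaches the prelude manager at all, and the PreludeMapTo... options in [Misc] only decide the impact severity it is shown with. It assumes the samhain severities are ordered ascending as listed in SEVERITIES, that PreludeSeverity reports messages at or above that level with 'none' disabling reporting, and that a severity listed under two PreludeMapTo options is a configuration error; the sample configuration is constructed.

```python
from configparser import ConfigParser

# samhain severities from lowest to highest (assumed ordering)
SEVERITIES = ["debug", "info", "notice", "warn", "err", "crit", "alert"]

# defaults for the PreludeMapTo... options as stated in the manual
DEFAULT_MAP = {
    "PreludeMapToInfo": [],
    "PreludeMapToLow": ["debug", "info"],
    "PreludeMapToMedium": ["notice", "warn", "err"],
    "PreludeMapToHigh": ["crit", "alert"],
}

# constructed sample samhainrc fragment
SAMPLE_RC = """
[Log]
PreludeSeverity=warn

[Misc]
PreludeProfile=samhain
PreludeMapToLow=debug, info, notice
PreludeMapToMedium=warn, err
"""

def parse_config(text):
    """Return (PreludeSeverity threshold, {samhain severity: impact severity})."""
    cp = ConfigParser()
    cp.read_string(text)
    # 'none' as the fallback is an assumption: nothing is reported unless set
    threshold = cp.get("Log", "PreludeSeverity", fallback="none")
    impact_of = {}
    for opt, default in DEFAULT_MAP.items():
        raw = cp.get("Misc", opt, fallback=None)
        levels = default if raw is None else [s.strip() for s in raw.split(",") if s.strip()]
        impact = opt[len("PreludeMapTo"):].lower()   # Info -> info, High -> high, ...
        for sev in levels:
            if sev not in SEVERITIES:
                raise ValueError(f"unknown samhain severity {sev!r} in {opt}")
            if sev in impact_of:   # assumed: listing a level twice is an error
                raise ValueError(f"{sev!r} mapped to both {impact_of[sev]} and {impact}")
            impact_of[sev] = impact
    return threshold, impact_of

def prelude_impact(severity, threshold, impact_of):
    """None if the message is not forwarded to prelude, else its impact severity."""
    if threshold == "none" or SEVERITIES.index(severity) < SEVERITIES.index(threshold):
        return None   # filtered by PreludeSeverity, regardless of the mapping
    return impact_of.get(severity)
```

Note that a severity below PreludeSeverity still has an entry in the mapping, so changing a PreludeMapTo option never makes a suppressed message appear in prelude.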
The following prelude-specific command-line options are accepted:
--prelude Prelude generic options are following. This option must be given before the following options are used.
--profile <arg> Profile to use for this analyzer
--heartbeat-interval <arg> Number of seconds between two heartbeats
--server-addr <arg> Address where this sensor should report to (addr:port)
--analyzer-name <arg> Name for this analyzer
Sensor name/profile
The default sensor name/profile is 'samhain'. However, version 2.0.6 of samhain still had 'Samhain'. For versions of samhain later than 2.0.6, there is the PreludeProfile= option described above.
In order to register samhain as a Prelude sensor, you need to run the prelude-admin command on both the sensor host and the manager host.

sensor # prelude-admin register samhain "idmef:w admin:r" <manager host> \
    --uid=prelude --gid=prelude
You now need to start "prelude-admin" registration-server on 127.0.0.1:
example: "prelude-admin registration-server prelude-manager"
Enter the one-shot password provided on 127.0.0.1:

manager # prelude-admin registration-server prelude-manager
The "76g4h8au" password will be requested by "prelude-admin register" in order to connect.
Please remove the quotes before using it.
Generating 1024 bits Diffie-Hellman key for anonymous authentication...
Waiting for peers install request on 0.0.0.0:5553...
Waiting for peers install request on :::5553...
You now have to type in the one-shot password generated on "manager" at the password prompt on "sensor", (twice, for confirmation). Then on "manager" you will be asked to approve the registration. Type 'y', and you are finished.
The configuration file for the samhain sensor is /etc/prelude/profile/samhain/config