9. Prelude

9. Prelude
Prev	Chapter 4. Configuration of logging facilities	Next

9. Prelude

	REQUIREMENTS
	This facility requires that you have compiled with the --with-prelude option to include support for prelude. Of course you need the libprelude client library for this to work.

	Note
	The following configuration options can only be used. They should be placed the [Misc] section of the configuration file, if you use them. The 'PreludeMapTo...' options do not affect in any way whether a message is reported by samhain to the prelude manager (for this there is 'PreludeSeverity' in the [Log] section); they only affect the 'Impact severity' shown on the prelude side.

PreludeProfile

PreludeProfile= profile_name

Specify the profile to use. The default is 'samhain'.

PreludeMapToInfo

PreludeMapToInfo= list of samhain severities

The severities that should be mapped to impact severity 'info' for prelude. (default: none).

PreludeMapToLow

PreludeMapToInfo= list of samhain severities

The severities that should be mapped to impact severity 'low' for prelude. (default: debug, info).

PreludeMapToMedium

PreludeMapToMedium= list of samhain severities

The severities that should be mapped to impact severity 'medium' for prelude. (default: notice, warn, err).

PreludeMapToHigh

PreludeMapToHigh= list of samhain severities

The severities that should be mapped to impact severity 'high' for prelude. (default: crit, alert).

9.1. Prelude-specific command-line options

The following prelude-specific command-line options are accepted:

--prelude Prelude generic options are following. This option must be given before the following options are used.
--profile <arg> Profile to use for this analyzer
--heartbeat-interval <arg> Number of seconds between two heartbeats
--server-addr <arg> Address where this sensor should report to (addr:port)
--analyzer-name <arg> Name for this analyzer

9.2. Registering to a Prelude manager

	Sensor name/profile
	The default sensor name/profile is 'samhain'. However, version 2.0.6 of samhain still had 'Samhain' For versions of samhain later than 2.0.6, there is an option PreludeProfile= `profile` (in the [Misc] section) to set a user-defined name/profile.

In order to register samhain as a Prelude sensor, you need to run on the sensor host and on the manager host the prelude-admin command.

	  sensor # prelude-admin register samhain "idmef:w admin:r" <manager host> \
	  --uid=prelude --gid=prelude

	  You now need to start "prelude-admin" registration-server on 127.0.0.1:
	  example: "prelude-admin registration-server prelude-manager"

	  Enter the one-shot password provided on 127.0.0.1:

	  manager # prelude-admin registration-server prelude-manager

	  The "76g4h8au" password will be requested by "prelude-admin register"
	  in order to connect. Please remove the quotes before using it.

	  Generating 1024 bits Diffie-Hellman key for anonymous authentication...
	  Waiting for peers install request on 0.0.0.0:5553...
	  Waiting for peers install request on :::5553...

You now have to type in the one-shot password generated on "manager" at the password prompt on "sensor", (twice, for confirmation). Then on "manager" you will be asked to approve the registration. Type 'y', and you are finished.

The configuration file for the samhain sensor is /etc/prelude/profile/samhain/config

Prev	Up	Next
8. Console	Home	10. Using samhain with nagios