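# Prelude Manager configuration file.
#
# Comment syntax is '#' on a line of its own. Every option is written as
# 'key = value'; options without a value (e.g. ipv6-only) are bare keys.
#
# Sections are important, and things will not work correctly if they are not
# un-commented. For example, you need to un-comment [db] if you want the
# database plugin to be loaded.
#
# This file holds credentials in clear text once [db] is enabled (see 'pass'
# below). Keep it readable only by the account prelude-manager runs as.
#

include = @LIBPRELUDE_CONFIG_PREFIX@/default/global.conf


# Address the prelude-manager server listens on.
# If the value is unix, or unix:/path/to/unix/socket, a UNIX domain
# socket is used.
#
# Multiple listen addresses are supported.
#
# Binding to a non-loopback address exposes the manager to the network;
# if you do so, restrict access with a host firewall. When using a UNIX
# socket, prefer a path in a directory owned by the prelude user rather
# than a world-writable one such as /tmp.
#
# listen = address:port
# listen = unix:/tmp/prelude-manager.socket
# listen = unix

listen = 127.0.0.1


# Sets the user/group ID as which prelude-manager will run.
# In order to use this option, prelude-manager must be run initially as root.
#
# Dropping privileges is recommended so that a compromised manager does
# not keep running as root.
#
# user = prelude
# group = prelude


# Number of bits of the prime used in the Diffie-Hellman key exchange.
# Note that the bits value should be one of 768, 1024, 2048, 3072 or 4096.
# The default is 1024.
#
# 768- and 1024-bit groups are considered too weak by current guidance;
# prefer 2048 or larger unless you must interoperate with an old agent
# that cannot handle a bigger group.
#
# dh-prime-length = 1024


# How often to regenerate the parameters used in the Diffie-Hellman key
# exchange. These should be discarded and regenerated once a day, once a
# week or once a month, depending on the security requirements.
#
# Generation is a CPU-intensive operation. The value is in hours;
# 0 disables regeneration entirely. The default is 24 hours.
#
# dh-parameters-regenerate = 24


# If you want this Manager to retrieve messages from another
# Manager (useful if the other Manager is inside a DMZ):
#
# child-managers = x.x.x.x
#
# This means the messages should be gathered from x.x.x.x.
#


# If you want a given reporting plugin to be protected against
# possible failure, use the failover option. Failover will prevent
# the data sent to the reporting plugin from being lost in case it fails.
#
# You might use this option multiple times for different plugins.
#
# failover = name_of_plugin


#
# Events normalization parameters
#
# Un-comment the following section in case you want to define any parameters:
#
# [normalize]
#
# For each incoming event, Prelude-Manager will run a number of
# normalization routines: sanitize address, service information, etc.
#
# When the normalizer sees an incoming IPv4-mapped IPv6 address, the
# default behavior is to map it back to raw IPv4. For example,
# ::ffff:192.168.0.1 will be mapped back to 192.168.0.1
#
# If you do not want IPv4-mapped IPv6 addresses converted, un-comment the
# following option:
#
# keep-ipv4-mapped-ipv6
#
# Alternatively, if you wish for any input IPv4 address to be converted to
# IPv6, un-comment the following option:
#
# ipv6-only


####################################
# Here start plugins configuration #
####################################

# [relaying]
#
# If you want the messages caught by this manager to be relayed.
# You can use boolean AND and OR to make the rule.
#
# parent-managers = x.x.x.x || y.y.y.y && z.z.z.z
#
# This means the emission should occur on x.x.x.x or, if it fails,
# on y.y.y.y and z.z.z.z (if one of the two hosts in the AND fails,
# the emission will be considered as failed, involving saving the
# message locally).


# [db]

# The type of database: mysql, pgsql or sqlite3.
# type = mysql

# Only if you use sqlite3.
# file = /your/path/to/your/db/idmef-db.sql

# Host the database is listening on.
# host = localhost

# Port the database is listening on.
# port = 3306

# Name of the database.
# name = prelude

# Username to be used to connect to the database.
# user = prelude

# Password used to connect to the database.
# The password is stored in clear text: restrict this file's permissions
# (e.g. mode 0600, owned by the prelude-manager user) and use a database
# account limited to the prelude database.
# pass = xxxxxx


# [XmlMod]
#
# The XmlMod plugin reports alerts as IDMEF XML to a file,
# or dumps these alerts to stderr.
#
# The default behavior is to write output to stderr.
#
# Alerts written to a file may contain addresses and payloads from the
# monitored systems; protect the log file accordingly.
#
# Tell XmlMod to disable output file buffering.
# This prevents XML alerts from being truncated and thus makes real-time
# parsing easier:
#
# disable-buffering
#
#
# Tell XmlMod to check generated XML against the IDMEF DTD:
# validate
#
# Tell XmlMod to produce a pretty, human-readable XML output:
# format
#
# logfile = stderr
# logfile = /var/log/prelude-xml.log


# [Debug]
#
# The Debug plugin reports alerts as text to a file,
# or dumps these alerts to stderr.
#
# The default behavior is to write output to stderr.
#
# logfile = stderr
# logfile = /var/log/prelude.log
#
# You can specify the name of the IDMEF object to print (you might select multiple
# objects). If no object is provided, 'Debug' will print out the entire message.
#
# object = alert.classification.text, alert.source(0).node.address(0).address


# [TextMod]
#
# The TextMod plugin reports alerts as text to a file,
# or dumps these alerts to stderr.
#
# The default behavior is to write output to stderr.
#
# logfile = stderr
# logfile = /var/log/prelude.log


####################################
# Filtering plugins configuration  #
####################################

# The idmef-criteria filtering plugin allows you to filter events based on specific IDMEF-Criteria.
#
# [idmef-criteria]
# rule = alert.classification.text == 'User login successful'
# hook = relaying[default]
#
# Will forward any events that match the defined criteria to the default instance of the relaying
# reporting plugin. The rule argument might also be a filename containing the rules. Example:
#
# rule = /path/to/rule.file


# The thresholding filtering plugin allows you to suppress events based on their value.
#
# [thresholding]
# path = alert.classification.text, alert.source.node.address.address
# limit = 1
# seconds = 3600
# hook = relaying[default]
#
# Will forward one event with the unique alert.classification.text, alert.source.node.address.address
# value combination to the 'default' instance of the 'relaying' reporting plugin. Further events with
# the same value will be suppressed for 3600 seconds.
#
#
# [thresholding]
# path = alert.classification.text, alert.source.node.address.address
# threshold = 1
# seconds = 3600
# hook = relaying[default]
#
# Will forward no more than one event per 3600 seconds with the unique alert.classification.text,
# alert.source.node.address.address value combination to the 'default' instance of the 'relaying'
# reporting plugin. Further events with the same value will be suppressed until the threshold
# expires.


####################################
# Prelude generic configuration    #
####################################

# [prelude]
#
# This is the global prelude section, where you can define Prelude-related
# options. The options that matter for Prelude-Manager are, most specifically, in
# the context of relaying, the connection options:
#
# The following settings instruct the operating system when to consider
# a connection dead in case sent data is left unacknowledged.
#
# These options are operating-system specific, and might not work on
# certain platforms. In case you modify these settings on an unsupported
# system, a warning message will be issued when the agent starts.
#
# Under Linux, the default system-wide configuration is:
# tcp-keepalive-time = 7200
# tcp-keepalive-probes = 9
# tcp-keepalive-intvl = 75
#
# tcp-keepalive-time represents the number of seconds the connection needs
# to be idle before TCP begins sending out keep-alive probes.
#
# tcp-keepalive-probes represents the number of unacknowledged probes to
# send before considering the connection dead.
#
# tcp-keepalive-intvl represents the interval, in seconds, between subsequent
# keep-alive probes.
#
# The average time to notice a dead connection can be calculated using:
# tcp-keepalive-time + (tcp-keepalive-probes * tcp-keepalive-intvl)
#
# Here is an example configuration:
# tcp-keepalive-time = 60
# tcp-keepalive-probes = 3
# tcp-keepalive-intvl = 10
#
# Using the above settings, a dead connection will be detected within 90 seconds.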