# Prelude Manager configuration file.

#

# <IMPORTANT>

#

# Sections are importants, and things won't work correctly if they are

# not un-commented. For example you need to uncomment [db] if you want

# the database plugin to be loaded.

#

# </IMPORTANT>

include = /etc/prelude/default/global.conf

# Address where the prelude-manager server is listening on.

# if value is unix, or unix:/path/to/unix/socket, an UNIX domain socket

# will be used.

#

# Multiple listen address are supported.

#

# listen = address:port

listen = unix:/tmp/prelude-manager.socket

# listen = unix

#

listen = 127.0.0.1

# Sets the user/group ID as which prelude-manager will run.

# In order to use this option, prelude-manager must be run initially as

# root

#

user = root

group = root

#

# Scheduler settings for Prelude-Manager

#

# On systems with many concurrent sensors sending events to

# Prelude-Manager, Prelude-Manager might have an hard time keeping up

# with the demand for events reporting.

#

# The Prelude Manager scheduler allocate reporting time per sensor,

# allowing to define the maximum number of events processed for one

# sensor before processing others sensors events (in case a sensor is

# sending a continuous events burst, this prevent other sensors

# starvation).

#

# By default, for each sensor connected, a maximum of 100 events will

# be processed before processing others sensors events.

#

# Additionally, priority will be given to events depending on their

# priority. Assuming there is enough events of each priority, 50 high

# priority message will be processed, 30 medium, and 20 low (totalling

# the maximum of 100 described above).

#

# You might use the sched-priority option in order to change this

# setting:

#

# sched-priority = high:50 medium:30 low:20

#

#

# When the number of events waiting to be processed exceed the defined

# amount of reserved memory (default is 1 Megabyte), Prelude-Manager

# will start storing events on disk:

#

# sched-buffer-size = 1M

#

# Number of bits of the prime used in the Diffie Hellman key exchange.

# Note that the value should be one of 768, 1024, 2048, 3072 or 4096.

# The default is 1024.

#

# dh-prime-length = 1024

# How often to regenerate the parameters used in the Diffie Hellman key

# exchange. These should be discarded and regenerated once a day, once

# a week or once a month. Depending on the security requirements.

#

# Generation is a CPU intensive operation. The value is in hours,

# 0 disables regeneration entirely. The default is 24 hours.

#

# dh-parameters-regenerate = 24

# If you want this Manager to retrieve message from another Manager

# (useful if the other Manager is located within a DMZ):

#

# child-managers = x.x.x.x

#

# This mean the messages should be gathered from x.x.x.x

#

# If you want a given reporting plugin to be protected against possible

# failure, use the failover option. Failover will prevent data sent to

# the report plugin to be lost in case this one fail.

#

# You might use this option multiple time for different plugins.

#

# failover = name_of_plugin

#

# Events normalization parameters

#

# Un-comment the following section in case you want to define any

# normalization parameters:

#

# [normalize]

#

# For each incoming events, Prelude-Manager will run a number of

# normalization routine: sanitize address, services information, etc.

#

# When the normalizer see an incoming IPv4 mapped IPv6 address, the

# default behavior is to map it back to raw IPv4. For example,

# ::ffff:192.168.0.1 will be mapped back to 192.168.0.1

#

# If you do not want IPv4 mapped IPv6 addresses, un-comment the

# following option:

#

# keep-ipv4-mapped-ipv6

#

# Alternatively, if you wish for any input IPv4 addresses to be

# converted to IPv6, un-comment the following option:

#

# ipv6-only

####################################

# Here start plugins configuration #

####################################

# [relaying]

#

# If you want the message caught by this manager to be relayed.

# You can use boolean AND and OR to make the rule.

#

# parent-managers = x.x.x.x || y.y.y.y && z.z.z.z

#

# This mean the emission should occur on x.x.x.x or, if it fail, on

# y.y.y.y and z.z.z.z (if one of the two host in the AND fail, the

# emission will be considered as failed involving saving the message

# locally).

[db]

# The type of database: mysql, pgsql or sqlite3.

type = mysql

# Only if you use sqlite3.

# file = /your/path/to/your/db/idmef-db.sql

# Host the database is listening on.

host = localhost

# Port the database is listening on.

port = 3306

# Name of the database.

name = prelude

# Username to be used to connect the database.

user = root

# Password used to connect the database.

pass = @pple

# [XmlMod]

#

# The Xmlmod plugin allow to report alert as IDMEF XML in a file,

# or to dump theses alert to stderr.

#

# The default behavior is to write output to stderr.

#

# Tell Xmlmod to disable output file buffering.

# This will prevent XML alerts to be truncated and thus make real-time

# parsing easier:

#

# disable-buffering

#

#

# Tell Xmlmod to check generated XML against IDMEF DTD:

# validate

#

# Tell Xmlmod to produce a pretty, human readable xml output:

# format

#

# logfile = stderr

# logfile = /var/log/prelude-xml.log

# [Debug]

#

# The Debug plugin allow to report alert as text in a file,

# or to dump theses alert to stderr.

#

# The default behavior is to write output to stderr.

#

# logfile = stderr

# logfile = /var/log/prelude.log

#

# You can specify the name of the IDMEF object to print (you might

# select multiple objects). If no object are provided, 'Debug' will

# print out the entire message.

#

# object = alert.classification.text, alert.source(0).node.address(0).address

# [TextMod]

#

# The Debug plugin allow to report alert as text in a file,

# or to dump theses alert to stderr.

#

# The default behavior is to write output to stderr.

#

# logfile = stderr

# logfile = /var/log/prelude.log

####################################

# Filtering plugins configuration  #

####################################

# The idmef-criteria filtering plugin allow you to filter events based

# on specific IDMEF-Criteria.

#

# [idmef-criteria]

# rule = alert.classification.text == 'User login successful'

# hook = relaying[default]

#

# Will forward any events that match the defined criteria to the

# default instance of the relaying reporting plugin. The rule argument

# might also be a filename containing the rules. Example:

#

# rule = /path/to/rule.file

# The thresholding filtering plugin allow you to suppress events based

# on their value.

#

# [thresholding]

# path = alert.classification.text, alert.source.node.address.address

# limit = 3600

# count = 1

# hook = relaying[default]

#

# Will forward one event with the unique alert.classification.text,

# alert.source.node.address.address value combination to the 'default'

# instance of the 'relaying' reporting plugin. Further events with the

# same value will be suppressed for 3600 seconds.

#

#

# [thresholding]

# path = alert.classification.text, alert.source.node.address.address

# threshold = 3600

# count = 10

# hook = relaying[default]

#

# Will forward every tenth event per 3600 seconds with the unique

# alert.classification.text, alert.source.node.address.address value

# combination to the 'default' instance of the 'relaying' reporting

# plugin.

#

# Note that limit and threshold might be combined, allowing to setup a

# limit as soon as the first threshold is reached.

####################################

# Prelude generic configuration    #

####################################

# [prelude]

#

# This is the global prelude section, where you can define Prelude

# related options. Option of matter for Prelude-Manager, are, most

# specifically, in the context of relaying, the connection options:

#

# The following settings instruct the operating system when to consider

# a connection dead in case sent data is left unacknowledged.

#

# Theses option are operating system specific, and might not work on

# certain platform. In case you modify these settings on an unsupported

# system, a warning message will be issued when the agent starts.

#

# Under Linux, the default system wide configuration is:

# tcp-keepalive-time   = 7200

# tcp-keepalive-probes = 9

# tcp-keepalive-intvl  = 75

#

# tcp-keepalive-time represents the number of seconds the connection

# needs to be idle before TCP begins sending out keep-alive probes.

#

# tcp-keepalive-probes represent the number of not acknowledged probes

# to send before considering the connection dead.

#

# tcp-keepalive-intvl represents the interval between subsequent

# keepalive probes.

#

# The average time to notice a dead connection can be calculated using:

# tcp-keepalive-time + (tcp-keepalive-probes * tcp-keepalive-intvl)

#

# Here is an example configuration:

# tcp-keepalive-time   = 60

# tcp-keepalive-probes = 3

# tcp-keepalive-intvl  = 10

#

# Using the above settings, a dead connection will be detected within

# 90 seconds.