[Solved] Prelude-Manager : Prelude Heartbeat and SMTP plugin
Added by Romain Duperré over 8 years ago
Hello,
How can I prevent the SMTP plugin from sending me "Prelude Heartbeat" emails?
I tried this in /etc/prelude-manager/prelude-manager.conf:

    [textmod=null]
    logfile = /dev/null

    [thresholding]
    path = heartbeat
    limit = 3600
    count = 1
    limit = 1
    hook = textmod[null]

    [idmef-criteria]
    rule = heartbeat.messageid != ""
    hook = textmod[null]
But I still receive tons of heartbeat emails.
This was not the case before...
I restarted the prelude-manager SMTP plugin after a long time and Prelude Heartbeat emails suddenly appeared.
Replies (4)
RE: Prelude-Manager : Prelude Heartbeat and SMTP plugin - Added by Song TRAN over 8 years ago
Hello,
Can you show us a mail containing Prelude Heartbeat? (obfuscate your sensitive information)
If you enable smtp-plugin, you will receive all IDMEF alerts (without heartbeats), that's why an IDMEF filter must be set. Here is an example:

    [idmef-criteria]
    rule = alert.classification.text == 'User login successful'
    rule = alert.assessment.impact.severity == medium
    hook = smtp[default]
Here, you will receive mails containing alerts with classification text = "User login successful" and severity = "medium".
Don't forget to restart prelude-manager.
RE: Prelude-Manager : Prelude Heartbeat and SMTP plugin - Added by Romain Duperré over 8 years ago
Thanks,
The mail body looks like this:

    version: <empty>
    heartbeat:
      messageid: b09345b4-4b4c-12e5-b47a
      analyzer(0):
        analyzerid: 2891201279537359
        name: prelude-manager
        manufacturer: http://www.prelude-ids.com
        model: Prelude Manager
        version: 1.0.1
        class: Concentrator
        ostype: Linux
        osversion: ...
        node:
          category: unknown (0)
          name: name1
          address(0):
            category: ipv4-addr (7)
            address: ip1
        process:
          name: prelude-manager
          pid: 24940
          path: /usr/sbin/prelude-manager
      analyzer(1):
        analyzerid: 772129246787006
        name: prelude-lml
        manufacturer: http://www.prelude-ids.com
        model: Prelude LML
        version: 1.0.0
        class: Log Analyzer
        ostype: Linux
        osversion: ...
        node:
          category: unknown (0)
          name: name2
        process:
          name: prelude-lml
          pid: 477
          path: /usr/bin/prelude-lml
      create_time: 24/08/2015 12:41:34.507148 +02:00
      analyzer_time: 24/08/2015 15:30:01.539766 +02:00
      heartbeat_interval: 600
      additional_data(0):
        type: string (0)
        meaning: Analyzer status
        data: running
      additional_data(1):
        type: string (0)
        meaning: Analyzer SHA1
        data: c81e8f49cfaff531abdf2d20844ezcd9f4597ba4
I already receive all alerts (there is no IDMEF filter on alert.*) and this is ok; I understand I can filter these ones.
But I receive the heartbeats too and this is a problem.
With the configuration I proposed, I tried to say "I don't want the heartbeat.* messages".
Based on your example, I set this filter:

    [idmef-criteria]
    rule = alert.assessment.impact.severity == medium
    hook = smtp[default]
I don't receive heartbeat messages anymore and this is great.
But what if I want to receive all alerts, not just those with a medium severity?
Regards,
RE: Prelude-Manager : Prelude Heartbeat and SMTP plugin - Added by Yoann VANDOORSELAERE over 8 years ago
Hello Romain,
If you only want to filter out heartbeat, then you can use :
[idmef-criteria]
rule = !heartbeat
hook = smtp[default]
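To see offline what the three filters quoted in this thread would hand to the smtp hook, here is an added example written for this page; it is a toy stand-in, not Prelude's own criteria engine (libprelude's idmef-criteria), and it assumes toy semantics: a bare path such as `!heartbeat` is a presence test, `==` and `!=` compare values as strings, a missing field never satisfies a comparison, and several `rule =` lines in one section must all match. The sample alert and heartbeat messages are constructed, with made-up values. Check the prelude-manager documentation before relying on any of those semantics in a real configuration.

```python
"""Toy evaluator for prelude-manager style [idmef-criteria] rule lines.

Added example for this thread; NOT Prelude's own criteria engine. Assumptions
(not taken from the page): bare path = presence test, ==/!= compare as
strings, missing field never matches a comparison, rule lines are ANDed.
"""
import re
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample messages (values made up), shaped like IDMEF alerts and
# the heartbeat body quoted in the thread.
SAMPLE_LOGIN_ALERT: Dict[str, Any] = {
    "alert": {
        "classification": {"text": "User login successful"},
        "assessment": {"impact": {"severity": "medium"}},
    }
}
SAMPLE_HIGH_ALERT: Dict[str, Any] = {
    "alert": {
        "classification": {"text": "Possible brute force"},
        "assessment": {"impact": {"severity": "high"}},
    }
}
SAMPLE_HEARTBEAT: Dict[str, Any] = {
    "heartbeat": {"messageid": "b09345b4-4b4c-12e5-b47a", "heartbeat_interval": 600}
}
SAMPLES = [
    ("login_alert", SAMPLE_LOGIN_ALERT),
    ("high_alert", SAMPLE_HIGH_ALERT),
    ("heartbeat", SAMPLE_HEARTBEAT),
]

# "!path", "path", "path == value", "path != value"
_RULE_RE = re.compile(r"^\s*(!?)\s*([\w.]+)\s*(?:(==|!=)\s*(.*?))?\s*$")


def lookup(msg: Dict[str, Any], path: str) -> Optional[Any]:
    """Walk a dotted IDMEF path such as alert.assessment.impact.severity."""
    node: Any = msg
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def rule_matches(rule: str, msg: Dict[str, Any]) -> bool:
    """Evaluate one rule line against one message (toy semantics)."""
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported rule syntax: {rule!r}")
    negate, path, op, raw = m.groups()
    value = lookup(msg, path)
    if op is None:              # "heartbeat" / "!heartbeat": is the branch present?
        result = value is not None
    elif value is None:         # field absent: no comparison can succeed
        result = False
    else:
        expected = raw.strip().strip("'\"")   # allow quoted values as in the thread
        result = (str(value) == expected) if op == "==" else (str(value) != expected)
    return (not result) if negate else result


def parse_criteria_section(text: str) -> Tuple[List[str], Optional[str]]:
    """Pull the rule lines and the hook out of an [idmef-criteria] snippet."""
    rules: List[str] = []
    hook: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("rule") and "=" in line:
            rules.append(line.split("=", 1)[1].strip())
        elif line.startswith("hook") and "=" in line:
            hook = line.split("=", 1)[1].strip()
    return rules, hook


def forwarded(rules: List[str], messages: List[Tuple[str, Dict[str, Any]]]) -> List[str]:
    """Names of the messages every rule accepts, i.e. what the hook would receive."""
    return [name for name, msg in messages if all(rule_matches(r, msg) for r in rules)]


if __name__ == "__main__":
    sections = {
        "original (heartbeat.messageid != \"\")": "rule = heartbeat.messageid != \"\"\nhook = textmod[null]",
        "severity == medium": "rule = alert.assessment.impact.severity == medium\nhook = smtp[default]",
        "!heartbeat": "rule = !heartbeat\nhook = smtp[default]",
    }
    for label, snippet in sections.items():
        rules, hook = parse_criteria_section(snippet)
        print(f"{label:40} -> {hook}: {forwarded(rules, SAMPLES)}")
```

Run stand-alone, the script shows that `!heartbeat` forwards both alerts and drops the heartbeat, the severity rule forwards only the medium alert, and the original `heartbeat.messageid != ""` rule selects the heartbeats themselves, which is why that section would not have stopped the mails on its own under these toy semantics.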
RE: Prelude-Manager : Prelude Heartbeat and SMTP plugin - Added by Romain Duperré over 8 years ago
Hello Yoann,
This is what I need.
Thanks for your time.