Project

General

Profile

[PRELUDE_LML] How to export all entries from log file?

Added by Sebastian K over 1 year ago

Hello,

I'm trying to monitor all entries written into /var/log/messages, but no messages written in there show up in Prewikka.
The generated messages look like this:
Mar 19 10:12:59 iProc kern.notice root: System test message

The configuration file of prelude-lml looks like this (minus all comments):

include = /etc/prelude/default/idmef-client.conf

[prelude]
server-addr = 192.168.0.10

[format=syslog]
time-format = "%b %d %H:%M:%S" 
file = /var/log/messages

[Pcre]
ruleset=/etc/prelude-lml/ruleset/pcre.rules

What am I doing wrong?

Thanks in advance.

Best regards,


Replies (7)

RE: [PRELUDE_LML] How to export all entries from log file? - Added by Antoine LUONG over 1 year ago

Hello,

If you want specific logs (not handled by the predefined LML rules) to be converted into alerts and shown in Prewikka, you need to create your own LML rules.

See the documentation.

Regards

RE: [PRELUDE_LML] How to export all entries from log file? - Added by Sebastian K about 1 year ago

Hello,

thank you for the quick reply. I modified the single.rules file by adding the following piece of code as first rule:

#LOG:Mar 19 10:12:59 iProc kern.notice root: System test message
regex=iProc kern.notice root: System (\S+) message; \
 classification.text=Message manually added; \
 id=555; \
 analyzer(0).name=logd; \
 analyzer(0).class=Log analyzer; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=tested alarms; \
 source(0).node.address(0).address=192.168.0.1; \
 last;

After that I restarted prelude-lml. Unfortunately, after generating the message via logger -s "System test message", no alarm is shown in Prewikka.

Thanks again!

RE: [PRELUDE_LML] How to export all entries from log file? - Added by Sebastian K about 1 year ago

UPDATE: Prewikka showed me the alarm now, but between generating the log entry and displaying it, 3 or 4 hours have passed. Is this supposed to work this way? I would like to check the alarms immediately.

Regards,

RE: [PRELUDE_LML] How to export all entries from log file? - Added by Antoine LUONG about 1 year ago

What time period did you choose in Prewikka? What is your current timezone?

Regards

RE: [PRELUDE_LML] How to export all entries from log file? - Added by Sebastian K about 1 year ago

I used the default of 1 hour. I followed your hint with the timezones. Actually, the server machine uses CET while the sensor machine has a EDT timebase. Could this be the problem of the delay? Furthermore, do you know the approximate time it takes Prewikka to update its events?

RE: [PRELUDE_LML] How to export all entries from log file? - Added by Antoine LUONG about 1 year ago

Make sure also to set the appropriate timezone in the user preferences (ADMIN > Preferences > My account), the alerts should be seen immediately.

Regards

RE: [PRELUDE_LML] How to export all entries from log file? - Added by Sebastian K about 1 year ago

I finally got it to work. I'm reporting what I found, so maybe somebody else can save time. The fix took some time because the sensor machine is an embedded system which lacks things like /etc/localtime.

There were 2 issues that prevented Prewikka from showing the alerts.

1.) The time format wasn't the same on both machines. One of the machines used the US-time format while the other used the German formatting. I changed this by adding the line LC_TIME="en_US.UTF-8" to /etc/default/locale.

2.) Next I had to adjust the timezones. The server got the right timezone from the internet. On the embedded device I had to export the TZ-Variable. It seems to replace /etc/localtime on embedded Linux devices. Command Line on embedded device: export TZ=UTC-1. Also, I tried to use CET as timebase, but it didn't work for some reason. It may be a better solution to use just UTC.

Antoine LUONG wrote:

Make sure also to set the appropriate timezone in the user preferences (ADMIN > Preferences > My account), the alerts should be seen immediately.

Regards

I'm not really sure which user preferences you mean. Could you elaborate on this please?

Thank you for the support!

Regards,

    (1-7/7)