[prelude-manager] Is there any way to write on a file only alerts coming from prelude-correlator?
Added by Marcus Smith over 4 years ago
I have a prelude infrastructure with a prelude-manager, a prelude-correlator and multiple sensors that send alerts to the manager. What I would like to achieve now is that once the prelude-correlator generates a CorrelationAlert, which is sent to the prelude-manager, the prelude-manager writes that alert into a file (which will then be sent to a different machine through syslog).
To do that I used the TextMod plugin as follows:
[TextMod]
#
# The Debug plugin allows to report alerts as text in a file,
# or to dump these alerts to /dev/stdout.
#
# The default behavior is to write output to /dev/stdout.
#
# logfile = /dev/stdout
logfile = /var/log/prelude.log
The problem I'm facing is that the prelude-manager is writing all the alerts to that file, both the alerts received from the sensors and the alerts received from the prelude-correlator, and I'm only interested in the alerts from the prelude-correlator. Is there a clean way to do that through the configuration files, or is the only option I have to do it manually from the python rules of the prelude-correlator?
Thank you in advance
RE: [prelude-manager] Is there any way to write on a file only alerts coming from prelude-correlator? - Added by Antoine LUONG about 4 years ago
You need to use the [idmef-criteria] section of the prelude-manager configuration, with a rule on the analyzer, e.g.:
[idmef-criteria]
rule = alert.analyzer(-1).model == 'Prelude Correlator'
hook = TextMod
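The rule above keys on `alert.analyzer(-1)`, i.e. the last analyzer in the IDMEF analyzer chain: a sensor alert carries only the sensor's own analyzer entry, while the correlator appends itself when it emits a CorrelationAlert. As an added example (not Prelude's own code and not part of this thread), here is a small Python evaluator that mimics that path and comparison semantics over constructed dict messages standing in for IDMEF alerts, so you can sanity-check what a criteria rule would select before wiring it to a hook. The analyzer model `ExampleSensor`, the names and the classification texts are placeholders.

```python
"""Added example (not Prelude's own code): a toy evaluator for prelude-manager
[idmef-criteria] style rules such as

    alert.analyzer(-1).model == 'Prelude Correlator'

over constructed dict messages that stand in for IDMEF alerts."""
import re

# Constructed sample messages.  A sensor alert carries a single analyzer entry;
# the correlator appends its own analyzer to the chain, so it comes last.
SENSOR_ALERT = {
    "alert": {
        "analyzer": [{"model": "ExampleSensor", "name": "sensor-1"}],  # placeholder
        "classification": {"text": "constructed sensor event"},
    }
}
CORRELATION_ALERT = {
    "alert": {
        "analyzer": [
            {"model": "ExampleSensor", "name": "sensor-1"},               # originating sensor
            {"model": "Prelude Correlator", "name": "prelude-correlator"},  # appended last
        ],
        "classification": {"text": "constructed correlation alert"},
    }
}

RULE = "alert.analyzer(-1).model == 'Prelude Correlator'"

# One path step: a name, optionally followed by a list index such as (0) or (-1).
_STEP = re.compile(r"^(\w+)(?:\((-?\d+)\))?$")
# A whole rule: path, operator, single-quoted literal.
_RULE = re.compile(r"^\s*([\w.()-]+)\s*(==|!=)\s*'([^']*)'\s*$")


def resolve_path(message, path):
    """Walk a dotted IDMEF-style path; name(i) indexes a list and negative
    indices count from the end.  Returns None when any step is missing."""
    node = message
    for step in path.split("."):
        m = _STEP.match(step)
        if not m:
            raise ValueError(f"bad path step: {step!r}")
        key, idx = m.group(1), m.group(2)
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
        if idx is not None:
            if not isinstance(node, list):
                return None
            i = int(idx)
            if i < -len(node) or i >= len(node):
                return None
            node = node[i]
    return node


def matches_rule(message, rule):
    """Evaluate a single "path == 'value'" or "path != 'value'" rule.
    Simplification of this toy: a missing field resolves to None, so it never
    satisfies == and always satisfies !=."""
    m = _RULE.match(rule)
    if not m:
        raise ValueError(f"unsupported rule: {rule!r}")
    path, op, expected = m.groups()
    actual = resolve_path(message, path)
    return actual == expected if op == "==" else actual != expected


def select_for_hook(messages, rule):
    """Return only the messages the rule would hand to the hook (e.g. TextMod)."""
    return [msg for msg in messages if matches_rule(msg, rule)]


if __name__ == "__main__":
    for msg in select_for_hook([SENSOR_ALERT, CORRELATION_ALERT], RULE):
        print("would be written by TextMod:", msg["alert"]["classification"]["text"])
```

Before relying on the rule in production, dump one real correlator alert and one sensor alert through TextMod and confirm which analyzer entry actually ends up last in your deployment; if something else sits between the correlator and this manager, the last entry may not be the correlator, and the rule would need to target the correct index or the analyzer's name instead of its model.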
RE: [prelude-manager] Is there any way to write on a file only alerts coming from prelude-correlator? - Added by Marcus Smith about 4 years ago
Thank you very much Antoine. It works!