[Prelude-manager] invalid section : "XmlMod"
Once the manager receives an IDMEF alert from a sensor/correlator, I would like to print it in a log file in XML format. To do so there is the XmlMod plugin, but when I uncomment it in prelude-manager.conf and run it, it says:
/usr/local/etc/prelude-manager/prelude-manager.conf:193: invalid section : "XmlMod".
/usr/local/etc/prelude-manager/prelude-manager.conf:213: invalid option "logfile" in "global" section.
/usr/local/etc/prelude-manager/prelude-manager.conf:214: invalid option "logfile" in "global" section.
Is this correct?
[XmlMod]
#
# The Xmlmod plugin allows to report alerts as IDMEF XML in a file,
# or to dump these alerts to /dev/stdout.
#
# The default behavior is to write output to /dev/stdout.
#
# Tells Xmlmod to disable output file buffering.
# This will prevent XML alerts to be truncated and thus make real-time
# parsing easier:
#
# disable-buffering
#
#
# Tells Xmlmod to check generated XML against IDMEF DTD:
# validate
#
# Tells Xmlmod to produce a pretty, human-readable xml output:
# format
#
logfile = /dev/stdout
logfile = /var/log/prelude-xml.log
Is there anything else needed to allow this plugin?
Another question I would like to ask is whether there is any way of writing a prelude-correlator Python rule that, once an IDMEF alert is generated, writes that alert in JSON format. I've seen that according to libidmef it is possible:
The print functions allow you to export IDMEF as:
- pretty print stdout
- JSON string
- Binary string defined by libPrelude
But I cannot find complete documentation of libPrelude, libidmef or preludecorrelator in order to develop some rules. I would be very grateful if anyone could refer me to good documentation.
I've checked the result of ./configure and it says:
*** Dumping configuration ***
- TCP wrapper support : no
- XML plugin support : no
- GeoIP support : no
- Database plugin support: yes
- Used libev : embedded
That's the reason for the invalid section. Furthermore, in /usr/local/lib/prelude-manager/reports I cannot find xmlmod.la or xmlmod.so.
Does anyone know what is needed?
I found out the reason. At the installation guide (https://www.prelude-siem.org/projects/prelude/wiki/InstallingPreludeManager) it says:
"If you'd like Prelude-Manager to be able to report incoming events using IDMEF XML, install the libxml2 library."
But I've already installed libxml2. You can install it with:
sudo apt-get install libxml2
But if you want to compile software from source based on libxml2 you need the development files:
sudo apt-get install libxml2-dev
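As an added troubleshooting check (not part of this thread), the shell snippet below automates the diagnosis above: it reads the "XML plugin support" line from a saved ./configure summary, looks for xmlmod.so/xmlmod.la in the reports directory, and tells you which step is missing. The configure summary format, the default reports directory and the pkg-config name libxml-2.0 are assumptions taken from the posts and from the usual libxml2 packaging.

```shell
#!/bin/sh
# Added example: check whether prelude-manager can load the XmlMod plugin.
# Assumes the "*** Dumping configuration ***" summary format quoted in the
# thread and the default plugin directory /usr/local/lib/prelude-manager/reports.

# Print "yes" or "no" for XML plugin support, reading the configure summary
# on stdin. Works whether the summary is one line per item or flattened.
xml_support_from_configure() {
    sed -n 's/.*XML plugin support[[:space:]]*:[[:space:]]*\([a-z]*\).*/\1/p' | head -n 1
}

# Return 0 if the built plugin is present in the reports directory.
xmlmod_installed() {
    dir="${1:-/usr/local/lib/prelude-manager/reports}"
    [ -f "$dir/xmlmod.so" ] || [ -f "$dir/xmlmod.la" ]
}

# Return 0 if libxml2 development files are visible to the build (assumption:
# the package registers itself with pkg-config as libxml-2.0).
libxml2_dev_present() {
    command -v pkg-config >/dev/null 2>&1 && pkg-config --exists libxml-2.0
}

# Overall verdict: $1 is the configure summary text, $2 the reports directory.
# Returns 0 when XmlMod is usable, 1 with a hint on what to fix otherwise.
diagnose_xmlmod() {
    summary="$1"; reports_dir="$2"
    support=$(printf '%s\n' "$summary" | xml_support_from_configure)
    if [ "$support" != "yes" ]; then
        if libxml2_dev_present; then
            echo "configure reported XML plugin support: ${support:-unknown}; libxml2 dev files are present, re-run ./configure"
        else
            echo "configure reported XML plugin support: ${support:-unknown}; install libxml2-dev (or libxml2-devel) and re-run ./configure"
        fi
        return 1
    fi
    if ! xmlmod_installed "$reports_dir"; then
        echo "xmlmod.so not found in $reports_dir; run make install or install the distribution's prelude-manager XML plugin package"
        return 1
    fi
    echo "XmlMod is available; the [XmlMod] section should now be accepted"
    return 0
}
```

Save the ./configure output to a file and call diagnose_xmlmod "$(cat configure.log)" /usr/local/lib/prelude-manager/reports to get the verdict.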
For those who have the same issue, I have succeeded in fixing this problem by installing the package "prelude-manager-xml-plugin" on CentOS 7/8 with the EPEL repository.