
[Prelude-manager] invalid section : "XmlMod"

Added by Steven Shawn 7 months ago

Hello,

Once the manager receives an IDMEF alert from a sensor/correlator I would like to print it to a log file in XML format. To do so there is the XmlMod plugin, but when I uncomment it in prelude-manager.conf and run it, it says:

/usr/local/etc/prelude-manager/prelude-manager.conf:193: invalid section : "XmlMod".
/usr/local/etc/prelude-manager/prelude-manager.conf:213: invalid option "logfile" in "global" section.
/usr/local/etc/prelude-manager/prelude-manager.conf:214: invalid option "logfile" in "global" section.

Is this correct?

[XmlMod]
#
# The Xmlmod plugin allows to report alerts as IDMEF XML in a file,
# or to dump these alerts to /dev/stdout.
#
# The default behavior is to write output to /dev/stdout.
#
# Tells Xmlmod to disable output file buffering.
# This will prevent XML alerts to be truncated and thus make real-time
# parsing easier:
#
# disable-buffering
#
#
# Tells Xmlmod to check generated XML against IDMEF DTD:
# validate
#
# Tells Xmlmod to produce a pretty, human-readable xml output:
# format
#
logfile = /dev/stdout
logfile = /var/log/prelude-xml.log

Is there anything else needed to allow this plugin?

Another question I would like to ask is whether there is any way of writing a prelude-correlator Python rule that, once an IDMEF is generated, writes that alert in JSON format. I've seen that according to libidmef it is possible:

https://github.com/Prelude-SIEM/libidmef

It says:

The print functions allow you to export IDMEF as :
- pretty print stdout
- JSON string
- Binary string defined by libPrelude

But I cannot find complete documentation of libPrelude, libidmef or preludecorrelator in order to develop some rules. I would be very grateful if anyone can refer me to good documentation.

Thank you

Steven


Replies (2)

RE: [Prelude-manager] invalid section : "XmlMod" - Added by Steven Shawn 7 months ago

I've checked the result of ./configure and it says:

*** Dumping configuration ***
    - TCP wrapper support    : no
    - XML plugin support     : no
    - GeoIP support          : no
    - Database plugin support: yes
    - Used libev             : embedded

That's the reason for the invalid section. Furthermore, in /usr/local/lib/prelude-manager/reports I cannot find xmlmod.la or xmlmod.so.

Does anyone know what is needed?

Thank you

RE: [Prelude-manager] invalid section : "XmlMod" - Added by Steven Shawn 7 months ago

I found out the reason. In the installation guide (https://www.prelude-siem.org/projects/prelude/wiki/InstallingPreludeManager) it says:

"If you'd like Prelude-Manager to be able to report incoming events using IDMEF XML, install the libxml2 library."

But I've already installed libxml2. You can install it with:

sudo apt-get install libxml2

But if you want to compile software from source based on libxml2 you need the development files:

sudo apt-get install libxml2-dev
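The diagnosis in this thread (XML plugin disabled at configure time because the libxml2 development files were missing, hence no xmlmod plugin installed and an "invalid section" error for [XmlMod]) can be turned into a repeatable check. The script below is an added example written for this page; it is not part of Prelude-Manager or of the thread. The sample configure summary is constructed from the output quoted above, the plugin directory is the one named in the thread, the pkg-config module name libxml-2.0 is what libxml2-dev registers, and the check_xmlmod.sh filename guard is an assumption about how the script is saved.

```shell
#!/bin/sh
# Added example (not from the thread or the Prelude project): checks whether
# prelude-manager can accept an [XmlMod] section, using the three facts the
# thread establishes: ./configure reported "XML plugin support : no", no
# xmlmod.so/.la was installed, and libxml2-dev was missing.

# Constructed sample of the ./configure summary, matching the thread's quote.
SAMPLE_CONFIGURE_OUTPUT='*** Dumping configuration ***
    - TCP wrapper support    : no
    - XML plugin support     : no
    - GeoIP support          : no
    - Database plugin support: yes
    - Used libev             : embedded'

# xml_plugin_enabled <configure-output>
# Prints "yes" or "no" from the "XML plugin support" line. Returns 1 when the
# line is absent so a changed configure summary is not silently read as "yes".
xml_plugin_enabled() {
    printf '%s\n' "$1" | awk -F': *' '
        /XML plugin support/ { gsub(/[[:space:]]/, "", $2); print $2; found = 1 }
        END { exit found ? 0 : 1 }'
}

# plugin_installed <plugin-dir>
# prelude-manager loads report plugins from its "reports" directory (the thread
# uses /usr/local/lib/prelude-manager/reports). Returns 0 if xmlmod.so or
# xmlmod.la is present, 1 otherwise.
plugin_installed() {
    dir=$1
    for f in xmlmod.so xmlmod.la; do
        [ -e "$dir/$f" ] && return 0
    done
    return 1
}

# libxml2_dev_present
# The runtime package (libxml2) is not enough for ./configure; the headers and
# pkg-config file come with libxml2-dev, which registers the libxml-2.0 module.
libxml2_dev_present() {
    command -v pkg-config >/dev/null 2>&1 && pkg-config --exists libxml-2.0
}

# diagnose <configure-output> <plugin-dir>
# Prints a one-line verdict and returns 0 only when XML reporting can work.
diagnose() {
    support=$(xml_plugin_enabled "$1") || {
        echo "configure summary has no 'XML plugin support' line"
        return 2
    }
    if [ "$support" != "yes" ]; then
        echo "XML plugin support was disabled at configure time: install libxml2-dev (pkg-config libxml-2.0) and re-run ./configure && make install"
        return 1
    fi
    if ! plugin_installed "$2"; then
        echo "xmlmod plugin not found in $2: run make install again"
        return 1
    fi
    echo "xmlmod is built and installed; the [XmlMod] section should be accepted"
    return 0
}

# When saved as check_xmlmod.sh and run directly, diagnose the real install
# (plugin directory may be passed as the first argument); the exit status is
# the verdict. Assumed filename; adjust the guard if you save it elsewhere.
if [ "${0##*/}" = "check_xmlmod.sh" ]; then
    diagnose "$SAMPLE_CONFIGURE_OUTPUT" "${1:-/usr/local/lib/prelude-manager/reports}"
    exit $?
fi
```

On a real system replace SAMPLE_CONFIGURE_OUTPUT with the actual summary (for example by running ./configure 2>&1 | tee configure.log and passing "$(cat configure.log)"); on the thread's sample the verdict is the first failure branch, matching what the poster found.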