[Solved] Prelude-LML Registration
Added by Romain Duperré over 9 years ago
Hello,
This question is quite long, so here is a tldr.
[TLDR]
Prelude-LML (A) runs on server A.
Prelude-LML (B) and all other Prelude components run on server B.
Server A and B are not in the same network.
I want the alerts from server A to be handled by Prelude-Manager on server B, stored in DB on server B, correlated on server B.
[/TLDR]
I have 3 servers:
- Server A1 (very high load)
- Server A2 (high load)
- Server B (normal load)
On Server B there is Prelude, PreludeDB, Prelude Manager, Prelude Correlator, Prelude LML, Prewikka.
On Server A1 I want only Prelude-LML.
On Server A2 I want only Prelude-LML.
I want the problems detected on A1/A2 to be stored in the DB of B (and that the correlation occurs on B, based on alert from A1, A2, B).
I'm looking for help in order to do so.
Things I found over the net deal with the "localhost only" use case, but not with this "real world" use case.
First, I want to achieve a working configuration between A2 and B.
Then I will reproduce this configuration with A1 and B.
I tried a lot of configurations to handle this but nothing worked.
In order:
1 Register Prelude-LML (A2) on Prelude-Manager(B) with prelude-admin.
-> This is not working because prelude-admin(B) is only listening on localhost.
2 Install Prelude-Manager on A2.
Register Prelude-LML (A2) on Prelude-Manager(A2).
Disable the Prelude-Manager(A2) DB plugin.
Enable the Prelude-Manager(A2) Relaying Plugin.
Set B1 as the parent-manager of A2.
-> This is not working because B does not listen to A2. (timeout occurs on both sides)
3 Install Prelude-Manager on A2.
Register Prelude-LML (A2) on Prelude-Manager(A2).
Disable the Prelude-Manager(A2) DB plugin.
Set A2 as a child-manager of B.
-> This is not working because A2 does not say anything to B.
n Some variations of the previous configurations.
-> No result.
The best configuration for me would be 1.
When I try (based on https://www.prelude-siem.org/projects/prelude/wiki/InstallingAgentRegistration#Prelude-LML-Registration-example), I got this:
Output of A2 (ip 63.211.203.84):
$ sudo prelude-admin register prelude-lml "idmef:w admin:r" 6.136.138.79
[sudo] password for lzromain:
You now need to start "prelude-admin" registration-server on 6.136.138.79:
example: "prelude-admin registration-server prelude-manager"
Enter the one-shot password provided on 6.136.138.79:
Confirm the one-shot password provided on 6.136.138.79:
Connecting to registration server (6.136.138.79:5553)...
could not connect to 6.136.138.79 port 5553: Connection timed out.
Output of B (ip 6.136.138.79):
$ sudo prelude-admin registration-server prelude-manager
The "dcn0chox" password will be requested by "prelude-admin register"
in order to connect. Please remove the quotes before using it.
Generating 1024 bits Diffie-Hellman key for anonymous authentication...
Waiting for peers install request on 0.0.0.0:5553...
Waiting for peers install request on :::5553...
Output of B (other test):
$ sudo prelude-admin registration-server prelude-manager --listen 63.211.203.84
The "xlysn600" password will be requested by "prelude-admin register"
in order to connect. Please remove the quotes before using it.
Generating 1024 bits Diffie-Hellman key for anonymous authentication...
Waiting for peers install request on 63.211.203.84:5553...
could not bind to '63.211.203.84': Cannot assign requested address.
could not find any address to listen on.
Can you tell me what can be wrong?
Regards
Replies (2)
RE: Prelude-LML Registration - Added by Antoine LUONG over 9 years ago
Hello,
In your second try the --listen parameter is wrong: it should be the address of B, that is --listen 6.136.138.79.
Anyway it seems like a network/firewall issue. Could you try the following command on A2 to check if a connection can be created?
telnet <IP-manager> 5553
If not, it is possible to use a port different from the default (5553) both in register and registration-server commands.
Regards
RE: Prelude-LML Registration - Added by Romain Duperré over 9 years ago
Thanks Antoine.
You were right; I needed to use --listen 6.136.138.79 and to reconfigure the firewall.
The problem is solved thanks to your answer.
End of the story:
I also had to modify the firewall to authorize connections on port 4690 in order to make prelude-lml (server A) communicate with prelude-manager (server B).
And I added one line in /etc/prelude-manager/prelude-manager.conf (server B):
# Multiple listen address are supported.
#
# listen = address:port
# listen = unix:/tmp/prelude-manager.socket
# listen = unix
# listen = 127.0.0.1
listen = 6.136.138.79 <--- this one
Finally, I get something like (on server A):
# prelude-lml
(process:xxxxx) INFO: Connecting to 6.136.138.79:4690 prelude Manager server.
(process:xxxxx) INFO: TLS authentication succeed with Prelude Manager.
Now I can see the new prelude-lml in prewikka
PS: sorry for the belated answer.
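The two failure modes in this thread (a manager whose only active listen value is 127.0.0.1, and a firewall blocking the registration port 5553 and the manager port 4690) can be checked before retrying a registration. The script below is an added example, not code from the thread or from the Prelude project; the sample configs are constructed from the thread, and the port check assumes an nc that supports -z (zero-I/O) and -w (timeout).

```shell
#!/bin/sh
# Constructed sample: the manager's default state, loopback only
# (a remote prelude-lml cannot connect to it).
CONF_LOOPBACK_ONLY='# Multiple listen address are supported.
#
# listen = address:port
# listen = unix:/tmp/prelude-manager.socket
# listen = unix
listen = 127.0.0.1'

# Constructed sample: the fixed state described at the end of the thread.
CONF_FIXED='# listen = 127.0.0.1
listen = 6.136.138.79'

# Print the active (uncommented) "listen =" values of a config, one per line,
# with surrounding whitespace stripped.
active_listen() {
  printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]]*listen[[:space:]]*=[[:space:]]*//p' \
    | sed 's/[[:space:]]*$//'
}

# Return 0 if at least one active listen value is reachable from another host,
# i.e. neither a unix socket nor a loopback address; 1 otherwise.
remote_reachable() {
  active_listen "$1" \
    | grep -v '^$' \
    | grep -Evq '^(unix|127\.|::1|localhost)'
}

# Probe the two TCP ports a remote prelude-lml needs on the manager host:
# 5553 for prelude-admin registration, 4690 for the manager itself.
# Assumes an nc with -z/-w (OpenBSD or GNU netcat); prints one line per port.
check_ports() {
  host="$1"
  for port in 5553 4690; do
    if nc -z -w 3 "$host" "$port" 2>/dev/null; then
      echo "$host:$port open"
    else
      echo "$host:$port closed or filtered (check firewall and listen=)"
    fi
  done
}

# Stand-alone run: report on both constructed configs.
for conf in "$CONF_LOOPBACK_ONLY" "$CONF_FIXED"; do
  if remote_reachable "$conf"; then echo "remote-capable: $(active_listen "$conf")"
  else echo "loopback/unix only: $(active_listen "$conf")"; fi
done
```

Run `check_ports <IP-manager>` from the agent host after the manager has been restarted with the new listen value; a closed 5553 means registration will time out exactly as in the first output above.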