Project

General

Profile

[Solved] Prelude-LML Registration

Added by Romain Duperré over 9 years ago

Hello,

This question is quite long, so here is a tldr.

[TLDR]
Prelude-LML (A) runs on server A.
Prelude-LML (B) and all other Prelude components run on server B.
Server A and B are not in the same network.

I want the alerts from server A to be handled by Prelude-Manager on server B, stored in DB on server B, correlated on server B.
[/TLDR]

I have 3 servers :

- Server A1 (very high load)
- Server A2 (high load)
- Server B (normal load)

On Server B there is Prelude, PreludeDB, Prelude Manager, Prelude Correlator, Prelude LML, Prewikka.
On Server A1 I want only Prelude-LML.
On Server A2 I want only Prelude-LML.

I want the problems detected on A1/A2 to be stored in the DB of B (and that the correlation occurs on B, based on alert from A1, A2, B).

I'm looking for help in order to doing so.
Things I found over the net deels with the "localhost only" use case, but not for this "real world" use case.
First, I want to achieve a working configuration between A2 and B.
Then I will reproduce this configuration with A1 and B.

I tried a lot of configurations to handle this but nothing worked.
In order :

1 Register Prelude-LML (A2) on Prelude-Manager(B) with prelude-admin.
-> This is not working because prelude-admin(B) is only listening on localhost.

2 Install Prelude-Manager on A2.
Register Prelude-LML (A2) on Prelude-Manager(A2).
Disable the Prelude-Manager(A2) DB plugin.
Enable the Prelude-Manager(A2) Relaying Plugin.
Set B1 as the parent-manager of A2.
-> This is not working because B does not listen to A2. (timeout occus on both side)

3 Install Prelude-Manager on A2.
Register Prelude-LML (A2) on Prelude-Manager(A2).
Disable the Prelude-Manager(A2) DB plugin.
Set A2 as a child-manager of B.
-> This is not working because A2 does not say anything to B.

n Some variations of the previous configurations.
-> No result.

The best configuration for me would be 1.
When I try, (based on https://www.prelude-siem.org/projects/prelude/wiki/InstallingAgentRegistration#Prelude-LML-Registration-example) I got this :

Output of A2 (ip 63.211.203.84) :

$ sudo prelude-admin register prelude-lml "idmef:w admin:r" 6.136.138.79
[sudo] password for lzromain:
You now need to start "prelude-admin" registration-server on 6.136.138.79:
example: "prelude-admin registration-server prelude-manager"
Enter the one-shot password provided on 6.136.138.79:
Confirm the one-shot password provided on 6.136.138.79:
Connecting to registration server (6.136.138.79:5553)...
could not connect to 6.136.138.79 port 5553: Connection timed out.

Output of B (ip 6.136.138.79) :

$ sudo prelude-admin registration-server prelude-manager
The "dcn0chox" password will be requested by "prelude-admin register"
in order to connect. Please remove the quotes before using it.
Generating 1024 bits Diffie-Hellman key for anonymous authentication...
Waiting for peers install request on 0.0.0.0:5553...
Waiting for peers install request on :::5553...

Output of B (other test) :

$ sudo prelude-admin registration-server prelude-manager --listen 63.211.203.84
The "xlysn600" password will be requested by "prelude-admin register"
in order to connect. Please remove the quotes before using it.
Generating 1024 bits Diffie-Hellman key for anonymous authentication...
Waiting for peers install request on 63.211.203.84:5553...
could not bind to '63.211.203.84': Cannot assign requested address.
could not find any address to listen on.

Can you tell me what can be wrong ?

Regards


Replies (2)

RE: Prelude-LML Registration - Added by Antoine LUONG over 9 years ago

Hello,

In your second try the --listen parameter is wrong: it should be the address of B, that is --listen 6.136.138.79.

Anyway it seems like a network/firewall issue. Could you try the following command on A2 to check if a connection can be created?

telnet <IP-manager> 5553

If not, it is possible to use a port different from the default (5553) both in register and registration-server commands.

Regards

RE: Prelude-LML Registration - Added by Romain Duperré over 9 years ago

Thanks Antoine.

You were right ; I needed to use --listen 6.136.138.79 and to reconfigure the firewall.
The problem is solved thanks to your answer.

End of the story :
I also had to modify the firewall to authorize connections on port 4690 in order to make prelude-lml (server A) communicates with prelude-manager (server B).
And I added one line in /etc/prelude-manager/prelude-manager.conf (server B):

# Multiple listen address are supported.
#
# listen = address:port
# listen = unix:/tmp/prelude-manager.socket
# listen = unix
#
listen = 127.0.0.1
listen = 6.136.138.79   <--- this one

Finally, I get something like (on server A):

# prelude-lml
 (process:xxxxx) INFO: Connecting to 6.136.138.79:4690 prelude Manager server.
 (process:xxxxx) INFO: TLS authentication succeed with Prelude Manager.

Now I can see the new prelude-lml in prewikka ;)

PS : sorry for the belated answer.

    (1-2/2)