All Prelude agents share a common set of options provided by the Prelude framework. You can set these options system wide, or in the Prelude-specific configuration file a client provides.
Any option defined system wide can be overridden in the client's own Prelude configuration file: the system wide values are templates that a client falls back on when its own Prelude configuration file does not define them.
Once the Prelude library is installed, you can tune system wide options using the following configuration files (replace $PREFIX with your installation prefix, usually /usr or /usr/local):
- $PREFIX/etc/prelude/default/client.conf
- $PREFIX/etc/prelude/default/global.conf
- $PREFIX/etc/prelude/default/idmef-client.conf
$PREFIX/etc/prelude/default/global.conf is the common configuration file used by all Prelude programs (sensors, prelude-manager). It provides a system wide template for the common IDMEF attributes used by sensors.
The heartbeat-interval option defines how often a Prelude client should send a heartbeat (the default is 600 seconds).
You can define IDMEF attributes to be carried by the events emitted by programs using the framework. All of these settings are optional, but setting them helps you keep track of where an event is coming from, especially in a distributed environment with a high number of sensors.
- analyzer-name: Name for the analyzer (by default, this is set to the profile name used by the sensor).
- node-name: Name of the equipment (usually the name of the machine this sensor is running on).
- node-location: Location of the equipment (could be a city, or a country).
- node-category: The type of node the clients are running on (usually hosts).
You might also want to define one or several node-address sections, each containing the following options:
- address: The address of the equipment.
- netmask: Netmask for this address.
- vlan-name: Name of the Virtual LAN in which the address resides.
- vlan-num: Number of the Virtual LAN in which the address resides.
- category: Type of address represented (usually ipv4-addr or ipv6-addr).
In $PREFIX/etc/prelude/default/client.conf, you configure the connection string that clients which need to connect to a Prelude Manager will use. You can use the boolean operators '||' (OR) and '&&' (AND) to set up a redundant configuration.
Whatever you specify here, events sent through the Prelude framework are saved locally if the remote Manager goes down; the client then periodically attempts to reconnect and flushes the saved events.
Here are a few configuration examples:
server-addr = x.x.x.x
Connect and send events to x.x.x.x.
server-addr = x.x.x.x && y.y.y.y
Connect and send events to both x.x.x.x and y.y.y.y.
server-addr = x.x.x.x || y.y.y.y
Connect and send events to x.x.x.x, or fall back to y.y.y.y if x.x.x.x fails.
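The following added example (not part of libprelude or this documentation) ties the two files together: it parses a constructed global.conf with the node-address sections listed above, checks that each address's category matches the address family it actually carries, and turns a client.conf server-addr expression into a failover plan. It assumes an INI-style layout with one [node-address] section per address, and that '&&' binds tighter than '||' (so "a && b || c" means "both a and b, otherwise c"); that precedence is an assumption, not something the documentation states.

```python
"""Hypothetical checker for Prelude global.conf / client.conf values."""
import ipaddress

# Constructed samples; the second node-address deliberately mislabels an IPv6 address.
GLOBAL_CONF = """
analyzer-name = ids-edge-01
node-name = sensor01.example.org
node-location = Paris DC
node-category = hosts

[node-address]
address = 192.0.2.10
netmask = 255.255.255.0
category = ipv4-addr

[node-address]
address = 2001:db8::10
category = ipv4-addr
"""
CLIENT_CONF = "server-addr = 192.0.2.1 && 192.0.2.2 || 198.51.100.1\n"


def parse_conf(text):
    """Return (top-level options, list of node-address dicts); other sections are ignored."""
    options, addresses, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {}
            if line[1:-1].strip() == "node-address":
                addresses.append(current)
            continue
        key, _, value = line.partition("=")
        (options if current is None else current)[key.strip()] = value.strip()
    return options, addresses


def check_node_address(entry):
    """Return a message if 'category' disagrees with the family of 'address', else None."""
    family = "ipv%d-addr" % ipaddress.ip_address(entry["address"]).version
    cat = entry.get("category", family)
    return None if cat == family else "category %s but address is %s" % (cat, family)


def connection_plan(expr):
    """'a && b || c' -> [['a', 'b'], ['c']]: alternatives in fallback order (assumed precedence)."""
    return [[h.strip() for h in alt.split("&&")] for alt in expr.split("||")]


def pick_targets(plan, reachable):
    """First alternative whose managers are all reachable, or None if every one fails."""
    for group in plan:
        if all(h in reachable for h in group):
            return group
    return None
```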
$PREFIX/etc/prelude/default/idmef-client.conf includes both $PREFIX/etc/prelude/default/global.conf and $PREFIX/etc/prelude/default/client.conf.
It is often used as the template by clients that need to connect to a prelude-manager.
You probably should not modify this file directly (use global.conf and client.conf).