Installing on OpenSuSE with packages
Prelude is back in the OpenSuSE repositories; this guide is for OpenSuSE Leap 42.2.
First of all, install the packages:
linux-5vrr:~ # zypper install prelude-manager-db-plugin prelude-lml prelude-lml-rules prelude-correlator prewikka libpreludedb-mysql prelude-tools preludedb-tools
Loading repository data...
Reading installed packages...
Resolving package dependencies...

The following 26 NEW packages are going to be installed:
  libmysqlclient18 libprelude23 libpreludecpp8 libpreludedb-mysql libpreludedb-plugins libpreludedb7 libpreludedbcpp2 mariadb mariadb-client mariadb-errormessages prelude-correlator prelude-lml prelude-lml-rules prelude-manager prelude-manager-db-plugin prewikka python-Babel python-Cheetah python-dateutil python-libprelude python-libpreludedb python-netaddr python-pytz python-setuptools prelude-tools preludedb-tools

26 new packages to install.
Overall download size: 18.3 MiB. Already cached: 0 B. After the operation, additional 140.2 MiB will be used.
Continue? [y/n/? shows all options] (y):
Prelude needs an SQL database; this tutorial uses MariaDB as an example.
Start the database:
linux-5vrr:~ # systemctl start mysql
Secure the installation (this sets the root password and removes the anonymous users and the test database):
linux-5vrr:~ # mysql_secure_installation
Create two databases, one for the IDMEF alerts and one for the web interface, plus a user that may access both. The example below uses "prelude" as both user name and password; pick a strong password instead (and two separate users if you want the manager and the web interface to have distinct credentials), and use the same values in the configuration files further down:
linux-5vrr:~ # mysql -u root
MariaDB [(none)]> CREATE DATABASE prelude;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> CREATE DATABASE prewikka;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> CREATE USER 'prelude'@'localhost' IDENTIFIED BY 'prelude';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON prelude.* TO 'prelude'@'localhost';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON prewikka.* TO 'prelude'@'localhost';
Query OK, 0 rows affected (0.00 sec)
Load the IDMEF schema into the prelude database (here -p prompts for the password and "prelude" is the database name; only the alert database needs a schema loaded at this point):
linux-5vrr:~ # mysql -u prelude -p prelude < /usr/share/libpreludedb/classic/mysql.sql
Configure the databases in the web interface configuration:
linux-5vrr:~ # vim /etc/prewikka/prewikka.conf
# Events DB
[idmef_database]
type: mysql
host: localhost
user: prelude
pass: prelude
name: prelude

# Prewikka DB
[database]
type: mysql
host: localhost
user: prelude
pass: prelude
name: prewikka
Configure the database in the prelude-manager configuration (for the IDMEF alerts):
linux-5vrr:~ # vim /etc/prelude-manager/prelude-manager.conf
[db]
type = mysql
host = localhost
name = prelude
user = prelude
pass = prelude
Both files now hold the database password in clear text, so keep them readable only by the accounts that run these services.
Now you have to initialize the communication between all Prelude modules (prelude-manager, prelude-lml and prelude-correlator) as explained in InstallingAgentRegistration. Here are the logs of a standard initialization.
Register Prelude Manager
Registration:
linux-5vrr:~ # prelude-admin add "prelude-manager" --uid 0 --gid 0
Start the service:
linux-5vrr:~ # systemctl start prelude-manager
Check the service:
linux-5vrr:~ # systemctl status prelude-manager
● prelude-manager.service - Prelude-Manager service
   Loaded: loaded (/usr/lib/systemd/system/prelude-manager.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2016-12-13 07:59:39 CET; 7s ago
  Process: 8039 ExecStart=/usr/bin/prelude-manager -d -P /run/prelude-manager/prelude-manager.pid (code=exited, status=0/SUCCESS)
 Main PID: 8042 (prelude-manager)
    Tasks: 2 (limit: 512)
   CGroup: /system.slice/prelude-manager.service
           └─8042 /usr/bin/prelude-manager -d -P /run/prelude-manager/prelude-manager.pid

Dec 13 07:59:39 linux-5vrr systemd[1]: Starting Prelude-Manager service...
Dec 13 07:59:39 linux-5vrr prelude-manager[8042]: INFO: server started (listening on 127.0.0.1 port 4690).
Dec 13 07:59:39 linux-5vrr systemd[1]: Started Prelude-Manager service.
Dec 13 07:59:39 linux-5vrr prelude-manager[8042]: INFO: Subscribing db[default] to active reporting plugins.
Dec 13 07:59:39 linux-5vrr prelude-manager[8042]: INFO: Subscribing Thresholding to filtering plugin with category hook 0.
Dec 13 07:59:39 linux-5vrr prelude-manager[8042]: INFO: Generating 1024 bits Diffie-Hellman key for TLS...
Two things to note in this output: the manager listens on 127.0.0.1 port 4690 only, which is what you want for this all-in-one setup (sensors on other hosts would need the listen address changed in prelude-manager.conf), and the unit is "disabled", so run systemctl enable prelude-manager if it should come up at boot.
Register Prelude Correlator
Registration, prelude-manager side (run this in a second terminal and leave it running while the agent registers; the one-shot password it prints is the only thing that authenticates the peer, so pass it along out of band and stop the registration server once the agent is registered):
linux-5vrr:~ # prelude-admin registration-server prelude-manager

The "h6cdm63i" password will be requested by "prelude-admin register"
in order to connect. Please remove the quotes before using it.

Generating 1024 bits Diffie-Hellman key for anonymous authentication...
Waiting for peers install request on 0.0.0.0:5553...
Waiting for peers install request on :::5553...
Connection from 127.0.0.1:54968...
Registration request for analyzerID="581192161139905" permission="idmef:rw".
Approve registration? [y/n]: y
127.0.0.1:54968 successfully registered.
Registration, prelude-correlator side. The permission string is what the manager will enforce for this analyzer: the correlator needs "idmef:rw" because it reads alerts from the manager and writes correlation alerts back, whereas a plain sensor such as prelude-lml only needs "idmef:w" (see below):
linux-5vrr:~ # prelude-admin register "prelude-correlator" "idmef:rw" 127.0.0.1 --uid 0 --gid 0
Generating 2048 bits RSA private key... This might take a very long time.
[Increasing system activity will speed-up the process].
Generation in progress...

You now need to start "prelude-admin" registration-server on 127.0.0.1:
example: "prelude-admin registration-server prelude-manager"

Enter the one-shot password provided on 127.0.0.1:
Confirm the one-shot password provided on 127.0.0.1:

Connecting to registration server (127.0.0.1:5553)... Authentication succeeded.
Successful registration to 127.0.0.1:5553.
Start the service:
linux-5vrr:~ # systemctl start prelude-correlator
Check the service:
linux-5vrr:~ # systemctl status prelude-correlator
● prelude-correlator.service - Prelude-Correlator service
   Loaded: loaded (/usr/lib/systemd/system/prelude-correlator.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2016-12-13 08:02:16 CET; 4s ago
  Process: 8812 ExecStart=/usr/bin/prelude-correlator -d -P /run/prelude-correlator/prelude-correlator.pid (code=exited, status=0/SUCCESS)
 Main PID: 8816 (prelude-correla)
    Tasks: 2 (limit: 512)
   CGroup: /system.slice/prelude-correlator.service
           └─8816 /usr/bin/python /usr/bin/prelude-correlator -d -P /run/prelude-correlator/prelude-correlator.pid

Dec 13 08:02:15 linux-5vrr prelude-correlator[8812]: 13 Dec 08:02:15 preludecorrelator.plugins.DshieldPlugin (pid:8812) INFO: Loaded DShield data from a previous run (age=0.02 hours)
Dec 13 08:02:15 linux-5vrr preludecorrelator.plugins.DshieldPlugin[8812]: INFO: Loaded DShield data from a previous run (age=0.02 hours)
Dec 13 08:02:16 linux-5vrr prelude-correlator[8812]: 13 Dec 08:02:16 preludecorrelator.plugins.SpamhausDropPlugin (pid:8812) INFO: Loaded SpamhausDrop data from a previous run (age=0.02 hours)
Dec 13 08:02:16 linux-5vrr preludecorrelator.plugins.SpamhausDropPlugin[8812]: INFO: Loaded SpamhausDrop data from a previous run (age=0.02 hours)
Dec 13 08:02:16 linux-5vrr prelude-correlator[8812]: 13 Dec 08:02:16 preludecorrelator.main (pid:8812) INFO: 9 plugins have been loaded.
Dec 13 08:02:16 linux-5vrr preludecorrelator.main[8812]: INFO: 9 plugins have been loaded.
Dec 13 08:02:16 linux-5vrr systemd[1]: prelude-correlator.service: PID file /run/prelude-correlator/prelude-correlator.pid not readable (yet?) after start: No such file or directory
Dec 13 08:02:16 linux-5vrr systemd[1]: Started Prelude-Correlator service.
Dec 13 08:02:16 linux-5vrr libprelude[8816]: INFO: Connecting to 127.0.0.1:4690 prelude Manager server.
Dec 13 08:02:17 linux-5vrr libprelude[8816]: INFO: TLS authentication succeed with Prelude Manager.
The two lines that matter are the last ones: the correlator connected to the manager on 127.0.0.1:4690 and TLS authentication succeeded, which confirms the registration above worked. The "PID file ... not readable (yet?)" message is systemd looking for the PID file a moment before the daemon wrote it; the service is running regardless. Note also that the DShield and Spamhaus DROP plugins load reputation data fetched over the network, so the correlator host needs outbound access for them to stay current, and that this unit too is "disabled" until you systemctl enable it.
Register Prelude LML
Registration, prelude-manager side (same procedure as for the correlator; note that this request only asks for "idmef:w", since LML only sends alerts):
linux-5vrr:~ # prelude-admin registration-server prelude-manager

The "syikvtdu" password will be requested by "prelude-admin register"
in order to connect. Please remove the quotes before using it.

Generating 1024 bits Diffie-Hellman key for anonymous authentication...
Waiting for peers install request on 0.0.0.0:5553...
Waiting for peers install request on :::5553...
Connection from 127.0.0.1:54972...
Registration request for analyzerID="1824705452416373" permission="idmef:w".
Approve registration? [y/n]: y
127.0.0.1:54972 successfully registered.
Registration, prelude-lml side:
linux-5vrr:~ # prelude-admin register "prelude-lml" "idmef:w" 127.0.0.1 --uid 0 --gid 0
Generating 2048 bits RSA private key... This might take a very long time.
[Increasing system activity will speed-up the process].
Generation in progress...

You now need to start "prelude-admin" registration-server on 127.0.0.1:
example: "prelude-admin registration-server prelude-manager"

Enter the one-shot password provided on 127.0.0.1:
Confirm the one-shot password provided on 127.0.0.1:

Connecting to registration server (127.0.0.1:5553)... Authentication succeeded.
Successful registration to 127.0.0.1:5553.
Note: with the 3.0.1 package, a directory is missing; create it:
linux-5vrr:~ # mkdir /var/lib/prelude-lml
Replace systemd-logger with rsyslog. prelude-lml reads plain log files, which systemd-logger (journal only) does not write; the two packages conflict, so zypper asks you to remove systemd-logger:
linux-5vrr:~ # zypper install rsyslog
Loading repository data...
Reading installed packages...
Resolving package dependencies...

Problem: systemd-logger-228-13.1.x86_64 conflicts with namespace:otherproviders(syslog) provided by rsyslog-8.4.0-4.6.x86_64
 Solution 1: deinstallation of systemd-logger-228-13.1.x86_64
 Solution 2: do not install rsyslog-8.4.0-4.6.x86_64

Choose from above solutions by number or cancel [1/2/c] (c): 1
And start it:
linux-5vrr:~ # systemctl start rsyslog
Note: with rsyslog, you have to update the prelude-lml prefix pattern. rsyslog's default file template on this system writes RFC 3339 timestamps with microseconds and a numeric UTC offset (for example 2016-12-13T08:23:50.123456+01:00, a constructed value) instead of the traditional "Dec 13 08:23:50", so the stock prefix-regex no longer matches the line prefix and prelude-lml cannot pick out the timestamp, hostname and process. The regex below skips the 32-character timestamp (20 characters up to and including the dot, then 12 for the fraction and offset) before the hostname.
Edit the file /etc/prelude-lml/prelude-lml.conf:
time-format = "%Y-%m-%dT%H:%M:%S"
prefix-regex = "^(?P<timestamp>.{20}).{12} (?P<hostname>\S+) (?:(?P<process>\S+?)(?:\[(?P<pid>[0-9]+)\])?: )?"
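Before restarting prelude-lml it is worth checking that the new prefix-regex really matches what rsyslog writes. The following Python check is an added example, not part of the original page or of prelude-lml itself; it applies the same regex and time-format to constructed log lines (the hostname, PIDs, timestamps and the sshd message are made up) and shows that an rsyslog-format line is split into its fields while a traditional-format line is rejected:

```python
import re
from datetime import datetime

# Same prefix-regex and time-format as in the prelude-lml.conf fragment above.
PREFIX_REGEX = re.compile(
    r"^(?P<timestamp>.{20}).{12} (?P<hostname>\S+) "
    r"(?:(?P<process>\S+?)(?:\[(?P<pid>[0-9]+)\])?: )?"
)
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S"

# Constructed sample lines (hostname, PIDs, timestamps and messages are made up).
# rsyslog high-precision format: RFC 3339 timestamp with microseconds and offset.
RSYSLOG_LINE = (
    "2016-12-13T08:23:50.123456+01:00 linux-5vrr sshd[16990]: "
    "Failed password for root from 127.0.0.1 port 54980 ssh2"
)
# Same format, process without a PID in brackets.
RSYSLOG_NO_PID = "2016-12-13T08:23:51.000001+01:00 linux-5vrr systemd: Started rsyslog."
# Traditional syslog format, which this regex is NOT meant to match.
TRADITIONAL_LINE = (
    "Dec 13 08:23:50 linux-5vrr sshd[16990]: "
    "Failed password for root from 127.0.0.1 port 54980 ssh2"
)


def parse_prefix(line):
    """Split one log line the way the configured prefix-regex would.

    Returns None when the prefix does not match (prelude-lml would then not
    find a timestamp or hostname in the line), otherwise a dict with the named
    groups, a parsed 'time' and the remaining 'message' text that the rule
    sets are matched against.
    """
    m = PREFIX_REGEX.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    # .{20} captures "2016-12-13T08:23:50." including the dot before the
    # microseconds. C strptime(3) stops at the first character the format does
    # not consume; Python's strptime raises on it, so strip it here before
    # parsing with the same format string.
    fields["time"] = datetime.strptime(fields["timestamp"].rstrip("."), TIME_FORMAT)
    fields["message"] = line[m.end():]
    return fields


def check_samples(lines):
    """Return the lines that the configured prefix-regex fails to match."""
    return [line for line in lines if parse_prefix(line) is None]


if __name__ == "__main__":
    for sample in (RSYSLOG_LINE, RSYSLOG_NO_PID, TRADITIONAL_LINE):
        print(parse_prefix(sample))
    print("unmatched:", check_samples([RSYSLOG_LINE, RSYSLOG_NO_PID, TRADITIONAL_LINE]))
```

To test against your own host, replace the constructed lines with a few lines copied from /var/log/messages; any line reported by check_samples would reach the rule sets without a usable timestamp or hostname.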
Start the service:
linux-5vrr:~ # systemctl start prelude-lml
Check the service:
linux-5vrr:~ # systemctl status prelude-lml
● prelude-lml.service - Prelude-LML service
   Loaded: loaded (/usr/lib/systemd/system/prelude-lml.service; static; vendor preset: disabled)
   Active: active (running) since Tue 2016-12-13 08:23:50 CET; 3s ago
  Process: 16943 ExecStart=/usr/bin/prelude-lml -d -P /run/prelude-lml/prelude-lml.pid (code=exited, status=0/SUCCESS)
 Main PID: 16946 (prelude-lml)
    Tasks: 1 (limit: 512)
   CGroup: /system.slice/prelude-lml.service
           └─16946 /usr/bin/prelude-lml -d -P /run/prelude-lml/prelude-lml.pid
Web interface
Start the web interface:
linux-5vrr:~ # prewikka-httpd -p 80
This serves Prewikka over plain HTTP on port 80, running as root, which is fine for a first local test. For anything reachable from other hosts, put Prewikka behind a web server that terminates TLS, since the interface carries both the alert data and the Prewikka login credentials.
Tests
Generate some logs to test the alerts. For example, connect to localhost over ssh and deliberately fail the password:
linux-5vrr:~ # ssh localhost
Password:
Password:
Password:
Permission denied (publickey,keyboard-interactive).
linux-5vrr:~ # ssh localhost
Password:
Password:
Password:
Permission denied (publickey,keyboard-interactive).
sshd logs the failed attempts through rsyslog, prelude-lml matches the lines against its rule set and sends alerts to prelude-manager, which stores them in the prelude database; the alerts should then show up in Prewikka.