Table of Contents¶
- PreludeDB-Admin Manual
preludedb-admin can be used to perform various operation on the Prelude IDMEF database. It support moving/copying data between database, exporting event from a database, restoring event in a database, events deletion and printing.
Run preludedb-admin with no argument to get a listing of available commands. By specifying a command with no argument, you can get a detailed help and example concerning the command.
All preludedb-admin command require database settings to be provided, in order for the tool to access the database. Database settings are a string of key=value pair, made of the following key:
Type of the database (mysql, pgsql, sqlite).
Name of the database
Username to use to access the database
Password to use to access the database
Optional host where the database should be contacted (default is localhost).
Optional port where the database should be contacted (default depend on the selected database type).
Database settings example, to access a MySQL database named prelude:
"type=mysql name=prelude user=prelude pass=prelude"
A number of options, compatible with all preludedb-admin command, are available:
Skip processing until 'offset' events.
Process at most this number of events.
Log SQL query to the specified file.
Only process events that match the provided criteria.
By default, preludedb-admin will surround multiples write/deletion command to the database by a transaction, allowing to rollback in case of error. The number of events to process before flushing the transaction can be controlled using this option. Higher value provide improved performance, at the price of an higher memory pressure. The default is to process 1000 events per transaction.
In order to delete events from a specific database, you might use the delete command. Note that the criteria argument is mandatory for the delete command, since providing no criteria would result in the whole database being deleted.
Example for flushing any event created before a specific date:
preludedb-admin delete alert --criteria "alert.create_time < YYYY-MM-DD" "type=mysql name=prelude user=prelude pass=prelude"
Note: If you are using the MySQL InnoDB database engine, keep in mind that deletion of old events does not shrink the database size. In order to shrink an InnoDB database, you can save the whole database using the mysqldump tool, drop the database, and rebuild it using the previously generated backup.
Automatically removing events older than ..¶
As explained above, you to use preludedb-admin with a 'string' of parameters that perform the wanted actions, amongst other delete given alerts from the database. This is a manual task, and the following bash script allows to automate these tasks for the given context: Remove alerts older than ...
Please note that the bash script is only an example for deleting alerts older than 30 days. When added to a cron job running daily for example, your alerts dataase will only contain alerts younger than 30 days. and is only valid for Linux based systems that can use the date command.
#!/bin/sh DATE=$(date -d "last month" +"%Y-%m-%d") preludedb-admin delete alert "type=pgsql name=prelude user=prelude pass=prelude" --criteria "alert.create_time < $DATE"
How it works: date
d "last month" will take the current date and substract 30 days, the +"%Y%m-%d" formats the output of the date command in the right format for libpreludedb-admin.
Date examples: -d "10 days", -d "2 weeks", -d "last year", ...
Adjust the prelude-db admin command to suit your needs and your configuration.
Copy or Move events to another database¶
Using preludedb-admin, it is possible to easily copy or move data between database. Additional option might be specified, for example, you might want to provide an IDMEFCriteria using the --*criteria* option, or define a specific limit or offset.
preludedb-admin copy alert "type=mysql name=prelude user=prelude pass=prelude" "host=pgsql.host type=pgsql name=prelude pass=prelude" preludedb-admin copy heartbeat "type=mysql name=prelude user=prelude pass=prelude" "host=pgsql.host type=pgsql name=prelude pass=prelude"
The command used to move data to another database is mostly the same:
preludedb-admin move alert "type=mysql name=prelude user=prelude pass=prelude" "host=pgsql.host type=pgsql name=prelude pass=prelude" preludedb-admin move heartbeat "type=mysql name=prelude user=prelude pass=prelude" "host=pgsql.host type=pgsql name=prelude pass=prelude"
Save event to a file¶
Using the preludedb-admin save command, you can retrieve events from a database and store them in a file. The format is a binary, machine independant Prelude format, thus the generated file can be transfered on another machine without compatibility issue. If you do not specify an output filename on the command line, then then data will be directly written to the standard output.
Example to retrieve every database alerts, and store them in the alert.out file:
$ preludedb-admin save alert "type=mysql name=prelude user=prelude pass=prelude" alert.out
Load event from a file¶
Event saved through the preludedb-admin save command can be imported into the Prelude database again. If no filename is provided, preludedb-admin will attempt to read from standard input.
$ preludedb-admin load "type=mysql user=root pass=root name=xlr" alert.out
Print database events¶
$ preludedb-admin print alert "type=mysql user=prelude pass=prelude name=prelude" --count 1 alert: messageid: 898ac484-4bd2-11dd-a208 analyzer(0): analyzerid: 2012219155818466 name: prelude-manager manufacturer: http://www.prelude-ids.com model: Prelude Manager version: 0.9.12.1 class: Concentrator ostype: Linux osversion: 220.127.116.11-85.fc8 node: category: hosts (6) location: Paris ...