Prelude Manager

Introduction

Prelude-Manager is a high availability server that accepts secured connections from distributed sensors or other managers and saves received events to a media specified by the user (database, logfile, mail, etc). It is capable of handling a large number of connections and processing large amounts of events. It uses per-client scheduling queues in order to process events by severity fairly across clients.

Prelude-Manager can listen on a UNIX domain socket, or on an IPv4 or IPv6 address. The default is to listen on a UNIX domain socket. You can change this using the listen command line option or configuration directive.

   listen = unix

Will listen on /tmp/.prelude-unix UNIX domain socket (this is the default).

   listen = unix:/tmp/myfilename

Will listen on /tmp/myfilename UNIX domain socket.

   listen = x.x.x.x

Will listen on the specified IP address.

You can customize the number of seconds Prelude-Manager waits for an incoming client to successfully authenticate before dropping the connection. The default value is 10 seconds.

 connection-timeout = 10

Prelude-Manager Plugins

Prelude-Manager provides three Plugin Categories in order to carry out different actions:

Reporting Plugins

Once an event has been processed, the Manager uses Reporting Plugins to convert alerts from Prelude binary IDMEF format, to various output formats.

A number of Reporting Plugins are available:

  • db - A database Plugin (MySQL and PostgreSQL).
  • xmlmod - An XML Reporting Plugin.
  • textmod - A text Reporting Plugin.
  • relaying - A plugin relaying alerts to another set of managers.
  • smtp - Sends textual alerts through your SMTP server.
  • (check the prelude-manager --help output for others)

In order to learn how to use Reporting Plugins, see the Reporting Plugins Page

Filtering Plugins

Filtering events, event suppression and Thresholding

Two filtering plugins are available:

  • IDMEF Criteria Filtering Plugin - Filtering events
  • Thresholding Filtering Plugin - Event suppression and thresholding

In order to learn how to use Filtering Plugins, see the Filtering Plugins Page

Normalization Plugins

For each incoming event, Prelude-Manager runs a number of normalization routines: sanitizing addresses, service information, etc.

In order to customize the normalization process, see the Normalization Plugins Page

Scheduler options

On systems with many concurrent sensors sending events to Prelude-Manager, Prelude-Manager might have a hard time keeping up with the demand for event reporting.

The Prelude-Manager scheduler allocates a reporting time slot per sensor, letting you define the maximum number of events processed for one sensor before processing other sensors' events (if a sensor is sending a continuous burst of events, this prevents starvation of the other sensors).

By default, for each sensor connected, a maximum of 100 events will be processed before moving on to other sensors' events.

Additionally, within a sensor's slot, events are ordered by their priority. Assuming there are enough events of each priority, 50 high-priority messages will be processed, 30 medium, and 20 low (totalling the maximum of 100 described above).

sched-priority = high:50 medium:30 low:20
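
The following is an added illustration of the per-sensor scheduling described above, not code from Prelude-Manager itself: a minimal model in which each scheduler pass visits every connected sensor, takes at most the configured quota of each priority from that sensor's queues, and then moves on. The sensor names and events are constructed sample data, and how Prelude-Manager reallocates unused quota is not stated on this page, so this model simply does not reallocate it.

```python
from collections import deque

# The page's default quota string: "sched-priority = high:50 medium:30 low:20"
DEFAULT_SCHED_PRIORITY = "high:50 medium:30 low:20"


def parse_sched_priority(value):
    """Turn 'high:50 medium:30 low:20' into an ordered {priority: quota} dict."""
    quotas = {}
    for item in value.split():
        name, count = item.split(":")
        quotas[name] = int(count)
    return quotas


def schedule_round(sensors, quotas):
    """One scheduler pass over all connected sensors.

    For each sensor, take at most quotas[prio] events of each priority
    (highest first), then move on to the next sensor, so a bursting sensor
    cannot hold the reporting path for more than its slot. Unused quota is
    not reallocated (assumption; the page does not specify this).
    Returns the processed events as (sensor, priority, event) tuples.
    """
    processed = []
    for sensor, queues in sensors.items():
        for prio, quota in quotas.items():
            queue = queues.get(prio, deque())
            for _ in range(min(quota, len(queue))):
                processed.append((sensor, prio, queue.popleft()))
    return processed


def make_sensors():
    """Constructed sample input: one sensor in a continuous burst, one quiet."""
    burst = {prio: deque(f"{prio}-{i}" for i in range(1000))
             for prio in ("high", "medium", "low")}
    quiet = {"high": deque(["auth-failure"]), "low": deque(["heartbeat", "scan"])}
    return {"sensor-burst": burst, "sensor-quiet": quiet}


def per_sensor_counts(processed):
    """Count how many events each sensor got through in one round."""
    counts = {}
    for sensor, _prio, _event in processed:
        counts[sensor] = counts.get(sensor, 0) + 1
    return counts


if __name__ == "__main__":
    quotas = parse_sched_priority(DEFAULT_SCHED_PRIORITY)
    done = schedule_round(make_sensors(), quotas)
    print(per_sensor_counts(done))  # {'sensor-burst': 100, 'sensor-quiet': 3}
```

Even with 3000 queued events, the bursting sensor gets exactly 100 in the round and the quiet sensor's three events are still processed in the same pass.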

You can define the maximum amount of reserved memory for storing incoming events before they are processed. When the number of events waiting to be processed exceeds this amount of reserved memory (default is 1 Megabyte), Prelude-Manager will start storing events on disk. You can customize the amount of reserved memory using the sched-buffer-size option.

 sched-buffer-size = 1M

TLS options

On systems using GnuTLS 2.2.0 or later, you can customize a number of TLS options, including the available ciphers, key exchange methods, MACs and compression methods.

Predefined sets of ciphersuites:
  • NORMAL option enables all "secure" ciphersuites, 256-bit ciphers included.
  • SECURE128 flag enables all "secure" ciphersuites with ciphers up to 128 bits.
  • SECURE256 flag enables all "secure" ciphersuites including the 256 bit ciphers.
  • EXPORT enables all the ciphersuites, including the low-security 40-bit ciphers.
  • NONE nothing is enabled. This disables even protocols and compression methods.

Note that many more options can be enabled or disabled using this setting: please see gnutls_priority_init(3) for more details. The default value for tls-options is NORMAL.

tls-options = NORMAL

You can customize the Diffie-Hellman parameters, for use with the Prelude-Manager server.

The number of bits of the prime can be defined using the dh-prime-length option. Note that the value should be one of 768, 1024, 2048, 3072 or 4096. The default is 1024.

dh-prime-length = 1024

How often to regenerate the parameters can be defined using the dh-parameters-regenerate option. These should be discarded and regenerated once a day, once a week or once a month, depending on the security requirements.

Generation is a CPU intensive operation. The value is in hours, 0 disables regeneration entirely. The default is 24 hours.

dh-parameters-regenerate = 24

Other Configuration Options

  • daemon : Start prelude-manager as a daemon.
  • pidfile : Write the prelude-manager PID to the specified file.
  • config : Specify an alternate configuration file.

Please check the prelude-manager --help output, or have a look at the prelude-manager configuration file for an exhaustive list.

TCP/IP related options

Using the global prelude section, where Prelude-wide options are defined, you can set options that matter for Prelude-Manager, most specifically in the context of relaying: TCP/IP options that influence when the operating system considers a connection dead because sent data is left unacknowledged.

These options are operating-system specific and might not work on certain platforms. If you modify these settings on an unsupported system, a warning message is issued when the agent starts.

  • tcp-keepalive-time represents the number of seconds the connection needs to be idle before TCP begins sending keep-alive probes.
  • tcp-keepalive-probes represents the number of unacknowledged probes to send before considering the connection dead.
  • tcp-keepalive-intvl represents the interval, in seconds, between subsequent keep-alive probes.

Under Linux, the default system wide configuration is:

[prelude]
tcp-keepalive-time   = 7200
tcp-keepalive-probes = 9
tcp-keepalive-intvl  = 75

The average time to notice a dead connection can be calculated using: tcp-keepalive-time + (tcp-keepalive-probes * tcp-keepalive-intvl).
Under Linux, the default settings thus mean that a dead connection will be dropped after 7875 seconds.

This can be a problem if a network outage prevents relayed events from reaching their target: the operating system won't report the dead connection before 7875 seconds elapse, and all data transmitted during this period will be lost because failover has not yet been activated.

You can improve this behavior using your own customized settings:

[prelude]
tcp-keepalive-time   = 60
tcp-keepalive-probes = 3
tcp-keepalive-intvl  = 10

Using the above settings, a dead connection will be detected within 90 seconds.
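
As an added example (not part of the Prelude-Manager documentation or code base), the following script reads the two [prelude] sections shown above and applies the page's formula, so you can check a keepalive configuration against the window during which relayed events would be lost before failover. The max_seconds budget in relay_loss_window_ok is an operator-chosen assumption, not a value from the page.

```python
import configparser

# Constructed copies of the two [prelude] sections shown on this page.
LINUX_DEFAULT = """
[prelude]
tcp-keepalive-time   = 7200
tcp-keepalive-probes = 9
tcp-keepalive-intvl  = 75
"""

TUNED = """
[prelude]
tcp-keepalive-time   = 60
tcp-keepalive-probes = 3
tcp-keepalive-intvl  = 10
"""


def load_keepalive(config_text):
    """Read the three tcp-keepalive-* directives from a [prelude] section."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    section = parser["prelude"]
    return {
        "time": section.getint("tcp-keepalive-time"),
        "probes": section.getint("tcp-keepalive-probes"),
        "intvl": section.getint("tcp-keepalive-intvl"),
    }


def dead_connection_seconds(config_text):
    """Seconds before the OS reports a dead connection, using the page's
    formula: tcp-keepalive-time + (tcp-keepalive-probes * tcp-keepalive-intvl)."""
    k = load_keepalive(config_text)
    return k["time"] + k["probes"] * k["intvl"]


def relay_loss_window_ok(config_text, max_seconds):
    """True when a dead relay peer is detected within max_seconds, i.e. the
    window in which relayed events can be lost before failover is bounded.
    max_seconds is an operator-chosen budget (assumption, not a page value)."""
    return dead_connection_seconds(config_text) <= max_seconds


if __name__ == "__main__":
    for name, text in (("linux default", LINUX_DEFAULT), ("tuned", TUNED)):
        print(f"{name}: {dead_connection_seconds(text)} s")  # 7875 s, then 90 s
```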