

distrib > Mandriva > 2010.2 > x86_64 > by-pkgid > 2523edbef5a232f3d9a4127cafc31da3 > files > 3


# Prelude Manager configuration file.
# Sections are importants, and things won't work correctly if they are
# not un-commented. For example you need to uncomment [db] if you want
# the database plugin to be loaded.

include = /etc/prelude/default/global.conf

# Address where the prelude-manager server is listening on.
# if value is unix, or unix:/path/to/unix/socket, an UNIX domain socket
# will be used.
# Multiple listen address are supported.
# listen = address:port
# listen = unix:/tmp/prelude-manager.socket
# listen = unix
listen =

# Sets the user/group ID as which prelude-manager will run.
# In order to use this option, prelude-manager must be run initially as
# root
# user = prelude
# group = prelude

# Number of second prelude-manager wait for an incoming client to
# successfully authenticate before droping the connection.
# connection-timeout = 10

# Scheduler settings for Prelude-Manager
# On systems with many concurrent sensors sending events to
# Prelude-Manager, Prelude-Manager might have an hard time keeping up
# with the demand for events reporting.
# The Prelude Manager scheduler allocate reporting time per sensor,
# allowing to define the maximum number of events processed for one
# sensor before processing others sensors events (in case a sensor is
# sending a continuous events burst, this prevent other sensors
# starvation).
# By default, for each sensor connected, a maximum of 100 events will
# be processed before processing others sensors events.
# Additionally, priority will be given to events depending on their
# priority. Assuming there is enough events of each priority, 50 high
# priority message will be processed, 30 medium, and 20 low (totalling
# the maximum of 100 described above).
# You might use the sched-priority option in order to change this
# setting:
# sched-priority = high:50 medium:30 low:20
# When the number of events waiting to be processed exceed the defined
# amount of reserved memory (default is 1 Megabyte), Prelude-Manager
# will start storing events on disk:
# sched-buffer-size = 1M

# TLS options (only available with GnuTLS 2.2.0 or higher):
# sets availables ciphers, key exchange methods, macs and compression
# methods.
# "NORMAL" option enables all "secure" ciphersuites, 256-bit ciphers
# included.
# "SECURE128" flag enables all "secure" ciphersuites with ciphers up to
# 128 bits.
# "SECURE256" flag enables all "secure" ciphersuites including the 256
# bit ciphers.
# "EXPORT" all the ciphersuites are enabled, including the low-security
# 40 bit ciphers.
# "NONE" nothing is enabled. This disables even protocols and
# compression methods.
# Note that much more settings might be enabled or disabled using this
# option: please see gnutls_priority_init(3) for more details.
# The default settings is "NORMAL".
# tls-options = NORMAL

# Number of bits of the prime used in the Diffie Hellman key exchange.
# Note that the value should be one of 768, 1024, 2048, 3072 or 4096.
# The default is 1024.
# dh-prime-length = 1024

# How often to regenerate the parameters used in the Diffie Hellman key
# exchange. These should be discarded and regenerated once a day, once
# a week or once a month. Depending on the security requirements.
# Generation is a CPU intensive operation. The value is in hours,
# 0 disables regeneration entirely. The default is 24 hours.
# dh-parameters-regenerate = 24

# If you want this Manager to retrieve message from another Manager
# (useful if the other Manager is located within a DMZ):
# child-managers = x.x.x.x
# This mean the messages should be gathered from x.x.x.x

# If you want a given reporting plugin to be protected against possible
# failure, use the failover option. Failover will prevent data sent to
# the report plugin to be lost in case this one fail.
# You might use this option multiple time for different plugins.
# failover = name_of_plugin

# Events normalization parameters
# Un-comment the following section in case you want to define any
# normalization parameters:
# [normalize]
# For each incoming events, Prelude-Manager will run a number of
# normalization routine: sanitize address, services information, etc.
# When the normalizer see an incoming IPv4 mapped IPv6 address, the
# default behavior is to map it back to raw IPv4. For example,
# ::ffff: will be mapped back to
# If you do not want IPv4 mapped IPv6 addresses, un-comment the
# following option:
# keep-ipv4-mapped-ipv6
# Alternatively, if you wish for any input IPv4 addresses to be
# converted to IPv6, un-comment the following option:
# ipv6-only

# Here start plugins configuration #

# [relaying]
# If you want the message caught by this manager to be relayed.
# You can use boolean AND and OR to make the rule.
# parent-managers = x.x.x.x || y.y.y.y && z.z.z.z
# This mean the emission should occur on x.x.x.x or, if it fail, on
# y.y.y.y and z.z.z.z (if one of the two host in the AND fail, the
# emission will be considered as failed involving saving the message
# locally).

# [db]

# The type of database: mysql, pgsql or sqlite3.
# type = mysql

# Only if you use sqlite3.
# file = /your/path/to/your/db/idmef-db.sql

# Host the database is listening on.
# host = localhost

# Port the database is listening on.
# port = 3306

# Name of the database.
# name = prelude

# Username to be used to connect the database.
# user = prelude

# Password used to connect the database.
# pass = xxxxxx

# [XmlMod]
# The Xmlmod plugin allow to report alert as IDMEF XML in a file,
# or to dump theses alert to stderr.
# The default behavior is to write output to stderr.
# Tell Xmlmod to disable output file buffering.
# This will prevent XML alerts to be truncated and thus make real-time
# parsing easier:
# disable-buffering
# Tell Xmlmod to check generated XML against IDMEF DTD:
# validate
# Tell Xmlmod to produce a pretty, human readable xml output:
# format
# logfile = stderr
# logfile = /var/log/prelude-xml.log

# [Debug]
# The Debug plugin allow to report alert as text in a file,
# or to dump theses alert to stderr.
# The default behavior is to write output to stderr.
# logfile = stderr
# logfile = /var/log/prelude.log
# You can specify the name of the IDMEF object to print (you might
# select multiple objects). If no object are provided, 'Debug' will
# print out the entire message.
# object = alert.classification.text, alert.source(0).node.address(0).address

# [TextMod]
# The Debug plugin allow to report alert as text in a file,
# or to dump theses alert to stderr.
# The default behavior is to write output to stderr.
# logfile = stderr
# logfile = /var/log/prelude.log

# Sender to use for the mail message.
# sender = prelude@myhostname.
# Who the mail should be sent to.
# recipients = recipient1@hostname, recipient2@hostname
# SMTP server to use for sending mail
# smtp-server = localhost
# By default, the SMTP plugin send mail containing the whole IDMEF
# event. If you wish to send a subset of the information, you may
# customize the content of the generated mail through several options:
# You can define a specific subject to use with mail notification.
# The subject can include information from the event using IDMEF path.
# subject = Alert: $alert.classification.text
# You can define a specific message body to use for mail notification.
# As with the "subject" option, the template can include information
# from the event using IDMEF path.
# (Template example available in /usr/share/doc/prelude-manager/smtp/template.example)
# template = /path/to/my/template
# You can provide your database settings here, so that the SMTP plugin
# retrieve alert linked to received CorrelationAlert from the database.
# dbtype = mysql
# dbname = prelude
# dbuser = prelude
# dbpass = passwd
# dbhost = localhost
# Other database options available include dbport, and dbfile (for
# sqlite3 database).
# If you have specified your database settings above, you can also
# use the correlated-alert-template option, which is like the "template"
# option but is specific to Correlated Alerts retrieved from database.
# (Template example available in /usr/share/doc/prelude-manager/smtp/template.example)
# correlated-alert-template = /path/to/my/template

# Filtering plugins configuration  #

# The idmef-criteria filtering plugin allow you to filter events based
# on specific IDMEF-Criteria.
# [idmef-criteria]
# rule = alert.classification.text == 'User login successful'
# hook = relaying[default]
# Will forward any events that match the defined criteria to the
# default instance of the relaying reporting plugin. The rule argument
# might also be a filename containing the rules. Example:
# rule = /path/to/rule.file

# The thresholding filtering plugin allow you to suppress events based
# on their value.
# [thresholding]
# path = alert.classification.text, alert.source.node.address.address
# limit = 3600
# count = 1
# hook = relaying[default]
# Will forward one event with the unique alert.classification.text,
# alert.source.node.address.address value combination to the 'default'
# instance of the 'relaying' reporting plugin. Further events with the
# same value will be suppressed for 3600 seconds.
# [thresholding]
# path = alert.classification.text, alert.source.node.address.address
# threshold = 3600
# count = 10
# hook = relaying[default]
# Will forward every tenth event per 3600 seconds with the unique
# alert.classification.text, alert.source.node.address.address value
# combination to the 'default' instance of the 'relaying' reporting
# plugin.
# Note that limit and threshold might be combined, allowing to setup a
# limit as soon as the first threshold is reached.

# Prelude generic configuration    #

# [prelude]
# This is the global prelude section, where you can define Prelude
# related options. Option of matter for Prelude-Manager, are, most
# specifically, in the context of relaying, the connection options:
# The following settings instruct the operating system when to consider
# a connection dead in case sent data is left unacknowledged.
# Theses option are operating system specific, and might not work on
# certain platform. In case you modify these settings on an unsupported
# system, a warning message will be issued when the agent starts.
# Under Linux, the default system wide configuration is:
# tcp-keepalive-time   = 7200
# tcp-keepalive-probes = 9
# tcp-keepalive-intvl  = 75
# tcp-keepalive-time represents the number of seconds the connection
# needs to be idle before TCP begins sending out keep-alive probes.
# tcp-keepalive-probes represent the number of not acknowledged probes
# to send before considering the connection dead.
# tcp-keepalive-intvl represents the interval between subsequent
# keepalive probes.
# The average time to notice a dead connection can be calculated using:
# tcp-keepalive-time + (tcp-keepalive-probes * tcp-keepalive-intvl)
# Here is an example configuration:
# tcp-keepalive-time   = 60
# tcp-keepalive-probes = 3
# tcp-keepalive-intvl  = 10
# Using the above settings, a dead connection will be detected within
# 90 seconds.