Prelude-Admin Manual¶
Presentation¶
prelude-admin is used to perform various operations involving agent profiles.
A profile is required for a Prelude agent to run and to communicate correctly with other agents. A profile includes:
- A unique analyzer identity.
- A default, template configuration file.
- A private key, used for certificate request generation and for communication encryption.
- X509 certificates used for communication with remote agents.
Creating a profile¶
The add command is used to create a new profile. The profile is created with the permissions of the user running the prelude-admin command, unless specific options are provided. The created profile includes a failover spool directory, default configuration files, and a private key used for communication encryption.
Note: Private key generation might take a very long time. Information on speeding up the process is available in the Entropy Page.
prelude-admin add my-sensor
Available options¶
- --*uid*
UID or user used to create analyzer profile.
- --*gid*
GID or group used to create analyzer profile.
TLS specific options (defaults defined in the /etc/prelude/default/tls.conf template)¶
- --*key-len*
Profile private key length (default: 1024 bits).
Changing profile permission¶
The chown command changes the ownership of a profile.
prelude-admin chown my-sensor --uid username --gid 1500
Available options¶
- --*uid*
UID or user used as new profile permission.
- --*gid*
GID or group used as new profile permission.
Removing a profile¶
The del command will delete the specified profile.
prelude-admin del my-agent
Listing profiles¶
The list command lists the profiles available on the system.
Available options¶
- -l, --*long*
Print a detailed listing (includes uid/gid, profile analyzerID, and the permissions granted by each issuer).
prelude-admin list -l
Profile            UID   GID   [AnalyzerID]      Permission        Issuer [AnalyzerID]
-----------------------------------------------------------------------------------
prelude-lml        yoann yoann 383026397799329   idmef:w           2038315305918460
prelude-correlator yoann yoann 2052969743121519  idmef:rw admin:r  2038315305918460
                                                 idmef:rw          3952006679182968
prelude-manager    yoann yoann 2038315305918460  idmef:r           3952006679182968
                                                 idmef:w admin:rw  522518306647497
                                                 idmef:w           2038315305918460
                                                 idmef:w           1426351250159626
                                                 idmef:w           1489495859346286
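The detailed listing is the place to audit which remote analyzerIDs a profile trusts and what each of them may do; admin:rw in particular grants control over the manager, so the set of issuers holding it should match a known-good baseline. The script below is an added example (not part of prelude-admin) that parses listing output of the shape shown above into one line per profile/permission/issuer triple and reports the admin:rw grants. The embedded sample is the listing from this manual; in practice the functions read `prelude-admin list -l` from stdin.

```sh
#!/bin/sh
# Added example: audit helpers for `prelude-admin list -l` output.
# Not part of prelude-admin; it only post-processes the listing.

# Sample input, copied from the manual's own listing. Continuation rows
# (indented) repeat only the Permission and Issuer columns of the profile
# named on the previous non-indented row.
SAMPLE_LISTING='Profile            UID   GID   [AnalyzerID]      Permission        Issuer [AnalyzerID]
-----------------------------------------------------------------------------------
prelude-lml        yoann yoann 383026397799329   idmef:w           2038315305918460
prelude-correlator yoann yoann 2052969743121519  idmef:rw admin:r  2038315305918460
                                                 idmef:rw          3952006679182968
prelude-manager    yoann yoann 2038315305918460  idmef:r           3952006679182968
                                                 idmef:w admin:rw  522518306647497
                                                 idmef:w           2038315305918460
                                                 idmef:w           1426351250159626
                                                 idmef:w           1489495859346286'

# parse_listing: read a listing on stdin and emit
#   "<profile> <uid> <gid> <analyzerID> <perm[,perm]> <issuer>"
# per row, so the result can be grepped or diffed against a baseline.
parse_listing() {
    awk '
        NR <= 2 { next }                       # header line and dashed rule
        {
            # A row starting in column 1 introduces a profile: fields 1-4 are
            # profile, uid, gid and the profile analyzerID; permissions start at 5.
            if ($0 !~ /^[ \t]/) { profile = $1; uid = $2; gid = $3; id = $4; first = 5 }
            else                { first = 1 }  # continuation row: permissions only
            issuer = $NF                       # last column is the issuer analyzerID
            perms = ""
            for (i = first; i < NF; i++)
                perms = perms (perms == "" ? "" : ",") $i
            printf "%s %s %s %s %s %s\n", profile, uid, gid, id, perms, issuer
        }'
}

# admin_rw_issuers: "profile issuer" pairs where the issuer granted admin:rw.
admin_rw_issuers() {
    parse_listing | awk 'index($5, "admin:rw") { print $1, $6 }'
}

# issuer_count PROFILE: number of issuers the given profile trusts.
issuer_count() {
    parse_listing | awk -v p="$1" '$1 == p { n++ } END { print n + 0 }'
}

# Stand-alone demo on the embedded sample.
printf '%s\n' "$SAMPLE_LISTING" | parse_listing
printf 'admin:rw grants:\n'
printf '%s\n' "$SAMPLE_LISTING" | admin_rw_issuers
```

Run it against the live system with `prelude-admin list -l | admin_rw_issuers`; a new line appearing in that output means a registration granted manager-level rights and should be traceable to a known registration session, otherwise the analyzerID is a candidate for the revoke command described below.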
Renaming a profile¶
The rename command can be used to rename a profile.
prelude-admin rename my-agent-old my-agent-new
Profile registration¶
The register command registers the specified analyzer profile with a remote registration server. The analyzer profile is created if it does not exist.
See the Agents Registration Page for details on registering agents.
prelude-admin register prelude-lml "idmef:w" 192.168.0.1
Available options¶
--uid=UID
UID or user used to create analyzer profile.
--gid=GID
GID or group used to create analyzer profile.
--passwd=PASSWD
Use provided password instead of prompting it.
--passwd-file=-|FILE
Read password from file (- for stdin).
TLS specific options (defaults defined in the /etc/prelude/default/tls.conf template)¶
- --*key-len*
Profile private key length (default: 1024 bits).
- --*cert-lifetime*=DAYS
Profile certificate lifetime (default: unlimited).
- --*ca-cert-lifetime*=DAYS
Authority certificate lifetime (default: unlimited).
Registration server¶
The registration-server command launches a registration server for the specified Prelude-Manager profile. The profile is created if it does not exist. Registered analyzers will be able to communicate with the Prelude-Manager instance using this profile.
See the Agents Registration Page for details on registering agents.
prelude-admin registration-server prelude-manager
Available options¶
--uid=UID
UID or user used to create analyzer profile.
--gid=GID
GID or group used to create analyzer profile.
--passwd=PASSWD
Use provided password instead of prompting it.
--passwd-file=-|FILE
Read password from file (- for stdin).
TLS specific options (defaults defined in the /etc/prelude/default/tls.conf template)¶
- --*key-len*
Profile private key length (default: 1024 bits).
- --*cert-lifetime*=DAYS
Profile certificate lifetime (default: unlimited).
- --*ca-cert-lifetime*=DAYS
Authority certificate lifetime (default: unlimited).
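Both sides of the registration share a one-time password. Passing it with --passwd=PASSWD puts it on the command line, where it is visible to every local user through the process list and is kept in the shell history; --passwd-file avoids both. The script below is an added example, not prelude-admin's own code, that generates the one-time password into a private file and wraps the two commands of the exchange with it. The profile names and the manager address are the ones used in this manual; the 2048-bit key length and 365-day certificate lifetime are choices assumed here for the example (the documented default is 1024 bits and an unlimited lifetime).

```sh
#!/bin/sh
# Added example (not part of prelude-admin): registration exchange driven
# with --passwd-file so the one-time password never appears in argv.
set -u

# make_otp_file DIR: create a 0600 file holding a random one-time password
# and print its path. The body runs in a subshell so the umask change
# does not leak into the caller.
make_otp_file() (
    umask 077                                   # owner-only from the start
    f=$(mktemp "$1/prelude-otp.XXXXXX") || exit 1
    # 24 bytes from the kernel RNG, base64-encoded: a 32-character password
    head -c 24 /dev/urandom | base64 | tr -d '\n' > "$f"
    printf '\n' >> "$f"
    printf '%s\n' "$f"
)

# otp_mode FILE: permission bits in octal (GNU stat, BSD stat fallback).
otp_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# otp_length FILE: characters in the password, newline excluded.
otp_length() {
    tr -d '\n' < "$1" | wc -c | tr -d ' '
}

# Manager side: run as the user owning the prelude-manager profile.
# The password file is the one produced by make_otp_file.
manager_registration_server() {
    prelude-admin registration-server prelude-manager \
        --passwd-file="$1" --key-len=2048 --cert-lifetime=365
}

# Agent side: copy the password file over an already-authenticated channel
# (for instance the same ssh session used to deploy the agent), then run
# this as the user owning the agent profile. 192.168.0.1 is the manager
# address used in the manual's own register example.
agent_register() {
    prelude-admin register prelude-lml "idmef:w" 192.168.0.1 \
        --passwd-file="$1" --key-len=2048
}

# Stand-alone demo: create the password file and show that it is private.
# The real exchange needs prelude-admin on both hosts and is not run here.
otp=$(make_otp_file "${TMPDIR:-/tmp}")
printf 'one-time password file: %s (mode %s, %s chars)\n' \
    "$otp" "$(otp_mode "$otp")" "$(otp_length "$otp")"
rm -f "$otp"
```

Delete the password file on both hosts once the registration has completed; it is only needed for that one exchange. If the agent runs on the same host, `--passwd-file=-` with the file redirected to stdin avoids even the temporary copy.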
Revoking a profile¶
The revoke command revokes the analyzer with the given analyzerID from the specified profile. An analyzer using the revoked analyzerID will no longer be able to communicate with the profile it was revoked from.
prelude-admin revoke prelude-manager 227879253605921
Miscellaneous usage¶
Sending messages¶
The send command sends the messages contained in a Prelude IDMEF binary file (for example, a failover file) to the specified Prelude-Manager address. The specified profile is used for authentication.
prelude-admin send prelude-lml 192.168.0.1 /path/to/file1 /path/to/file2 /path/to/fileN
Available options¶
--*offset*=OFFSET
Skip the first 'offset' events.
--*count*=COUNT
Process at most 'count' events.
Printing failover messages¶
Using the print command, you can print the messages within a Prelude IDMEF binary file (for example, a failover file) to stdout in a human-readable format.
prelude-admin print /path/to/file1 /path/to/file2 /path/to/fileN
Available options¶
--*offset*=OFFSET
Skip the first 'offset' events.
--*count*=COUNT
Process at most 'count' events.