Sagan Intrusion Detection System Ubuntu\debian\zentyal

01.12.2014 18:27:28



Article:

sudo aptitude install sagan

Basic "rsyslog" configuration.

cd /etc/rsyslog.d


And create a file there with the following content:

# The standard "input" template Sagan uses.  Basically the message 'format' Sagan understands.  The template is _one_ line.
$template sagan,"%fromhost-ip%|%syslogfacility-text%|%syslogpriority-text%|%syslogseverity-text%|%syslogtag%|%timegenerated:1:10:date-rfc3339%|%timegenerated:12:19:date-rfc3339%|%programname%|%msg%\n"
# The FIFO/named pipe location.  This is what Sagan will read.
*.*     |/var/run/sagan/sagan.fifo;sagan

# mkfifo /var/run/sagan/sagan.fifo
# /etc/init.d/rsyslog restart

Check: # cat /var/run/sagan/sagan.fifo
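To see what Sagan actually receives on the FIFO, here is an added example (not from the original post) that parses lines in the pipe-delimited template format defined above into named fields; the sample lines are constructed, and the field names are my own labels for the template's columns.

```python
"""Parse lines in the Sagan rsyslog 'input' template shown above."""
from dataclasses import dataclass
import ipaddress

# Field order follows the $template sagan,... line above:
# fromhost-ip|facility|priority|severity|tag|date|time|programname|msg
FIELDS = ("fromhost_ip", "facility", "priority", "severity", "tag",
          "date", "time", "program", "msg")


@dataclass
class SaganEvent:
    fromhost_ip: str
    facility: str
    priority: str
    severity: str
    tag: str
    date: str      # %timegenerated:1:10:date-rfc3339%  -> YYYY-MM-DD
    time: str      # %timegenerated:12:19:date-rfc3339% -> HH:MM:SS
    program: str
    msg: str


def parse_sagan_line(line: str) -> SaganEvent:
    # Split on at most 8 pipes so a '|' inside %msg% stays in the message
    # instead of shifting the fields; rsyslog's %msg% keeps its leading space.
    parts = line.rstrip("\n").split("|", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    ipaddress.ip_address(parts[0])  # raises ValueError if not an IP address
    return SaganEvent(*parts)


def parse_all(lines):
    """Parse every line read from the FIFO (or a captured file)."""
    return [parse_sagan_line(line) for line in lines]


# Constructed sample lines (not real captured traffic).
SAMPLE = [
    "192.0.2.10|auth|info|info|sshd[1234]:|2014-12-01|18:27:28|sshd|"
    " Accepted publickey for admin from 192.0.2.5 port 51234 ssh2",
    "192.0.2.11|daemon|notice|notice|cron[77]:|2014-12-01|18:27:29|cron|"
    " job a|b finished",
]

if __name__ == "__main__":
    for ev in parse_all(SAMPLE):
        print(ev.fromhost_ip, ev.program, ev.date, ev.time, repr(ev.msg))
```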

Configuring output to Snorby (MySQL)

# vi /etc/sagan.conf

  • sagan_hostname sagan
  • sagan_interface syslog
  • sagan_filter none
  • sagan_detail 1
  • output database: log, mysql, user=snort password=snort dbname=snort host=127.0.0.1