
List:       prelude-user
Subject:    Re: [prelude-user] prelude-lml
From:       Hiwi <ry209 () rz ! uni-karlsruhe ! de>
Date:       2009-04-14 12:43:51
Message-ID: 49E48507.1050205 () rz ! uni-karlsruhe ! de

ry209@rz.uni-karlsruhe.de wrote:
> I have a running prelude/prewikka system but prelude-lml is not working 
> properly on all but one sensor.
>
> The sensors as of now are a rishi client listening to a NIC and 
> prelude-lml for forwarding the analyzed logs to the prelude-manager.
>
> All the packages were built from source.
>
> This is what my prelude-lml.conf looks like.
>
> ----
> include = /usr/local/etc/prelude/default/idmef-client.conf
>
> [format=rishi]
> time-format = "%Y-%m-%d %H:%M:%S"
> prefix-regex = "^(?P<timestamp>.{19}),\d+ "
> file = /build/rishi/logs/stdout.log
>
> ruleset=/usr/local/etc/prelude-lml/ruleset/pcre.rules
> ----
>
> Rishi seems to be working alright and is writing logs with about 500 
> entries a day.
>
> Every time I start prelude-lml on one of the non-working sensors I get 
> this message.
>
> ----
> # prelude-lml 10 Apr 10:55:05 (process:2796) INFO: PCRE plugin loaded 
> 443 rules.
> 10 Apr 10:55:05 (process:2796) INFO: Connecting to 172.22.98.170:4690 
> prelude Manager server.
> 10 Apr 10:55:05 (process:2796) INFO: TLS authentication succeed with 
> Prelude Manager.
> 10 Apr 10:55:05 (process:2796) INFO: /build/rishi/logs/stdout.log: No 
> metadata available, starting from tail.
> ----
>
> I have a working sensor but the config looks the same compared to the 
> non-working ones.
>
> Do you have any ideas what to look for next?
>
> Thanks
>
> Arthur
>
> _______________________________________________
> Prelude-user site list
> Prelude-user@prelude-ids.org
> http://lists.prelude-ids.org/mailman/listinfo/prelude-user
>   
Hi,

I figured it out myself.

prelude-lml --metadata=head, abort it, and then
prelude-lml --metadata=last.

After that the sensor started to work as expected.

Arthur
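As an added illustration (not code from the thread or from prelude-lml itself), the Python below checks the prefix-regex and time-format from the quoted prelude-lml.conf against constructed sample lines, and models why "No metadata available, starting from tail" can look like a dead sensor: with no saved offset, only lines appended after startup are ever parsed, whereas starting from head processes what is already in the file. The sample lines and the simplified start-position model are assumptions.

```python
import re
from datetime import datetime

# Values taken from the prelude-lml.conf quoted in the thread.
PREFIX_REGEX = re.compile(r"^(?P<timestamp>.{19}),\d+ ")
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample lines in the shape the prefix-regex expects
# (19-char timestamp, comma, milliseconds, space, message). Not real rishi output.
SAMPLE_LOG = (
    "2009-04-10 10:50:00,001 bot candidate 10.0.0.5 joined #chan\n"
    "2009-04-10 10:52:30,417 bot candidate 10.0.0.7 joined #chan\n"
    "garbage line without a prefix\n"
)


def parse_line(line):
    """Return (timestamp, message) if the prefix-regex and time-format both
    accept the line, else None. Both must succeed before any pcre rule can
    be evaluated, so this is the first thing to verify on a silent sensor."""
    m = PREFIX_REGEX.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("timestamp"), TIME_FORMAT)
    except ValueError:
        return None
    return ts, line[m.end():].rstrip("\n")


def lines_from(log_text, metadata):
    """Simplified model of the start position: 'head' reads the existing
    contents, 'tail' begins at end-of-file, so nothing already written is seen."""
    start = 0 if metadata == "head" else len(log_text)
    return log_text[start:].splitlines()


def events(log_text, metadata):
    """Parse every line visible from the chosen start position."""
    return [e for e in (parse_line(l) for l in lines_from(log_text, metadata)) if e]


if __name__ == "__main__":
    for mode in ("tail", "head"):
        print(f"metadata={mode}: {len(events(SAMPLE_LOG, mode))} parsable event(s)")
```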