diff --git a/warden3/contrib/connectors/hp-labrea/README b/warden3/contrib/connectors/hp-labrea/README new file mode 100644 index 0000000000000000000000000000000000000000..6c8be9c12a6816b6f89cfe80d4d44b97f4424440 --- /dev/null +++ b/warden3/contrib/connectors/hp-labrea/README 
@@ -0,0 +1,67 @@ +Warden LaBrea connector 0.1 for Warden 3.X +========================================== + +Introduction +------------ + +labrea-idea.py is a daemon, meant for continuous watching of LaBrea log files +and generation of Idea_ format of corresponding security events. It is +usually run in correspondence with warden_filer daemon, which picks the +resulting events up and feeds them to the Warden_ server. Connector supports +sliding window aggregation, so sets of connections with the same source are +reported as one event (within aggregation window). + + +Dependencies +------------ + + 1. Platform + + Python 2.7+ + + 2. Python packages + + warden_filer 3.0+ (recommended) + + +Usage +----- + + ./labrea-idea.py [options] logfile ... + + Options: + -h, --help show this help message and exit + -w WINDOW, --window=WINDOW + max detection window (default: 900) + -t TIMEOUT, --timeout=TIMEOUT + detection timeout (default: 300) + -n NAME, --name=NAME Warden client name + --test Add Test category + -o, --oneshot process files and quit (do not daemonize) + --poll=POLL log file polling interval + -d DIR, --dir=DIR Target directory (mandatory) + -p PID, --pid=PID create PID file with this name (default: /var/run + /labrea-idea.pid) + -u UID, --uid=UID user id to run under + -g GID, --gid=GID group id to run under + -v, --verbose turn on debug logging + --log=LOG syslog facility or log file name (default: local7) + --realtime use system time along with log timestamps (default) + --norealtime don't system time, use solely log timestamps + + +Configuration +------------- + +However, the daemon is usually run by init script (example one is a part of +the distribution, along with sample logrotate definition). Options then can +be configured by /etc/sysconfig/labrea-idea or /etc/defaults/labrea-idea, +depending on your distribution custom, where at least PARAMS variable has +to be specified (for others, see the init script). + +.. _Warden: https://warden.cesnet.cz/ +.. 
_Idea: https://idea.cesnet.cz/ + +------------------------------------------------------------------------------ + +Copyright (C) 2017 Cesnet z.s.p.o
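Review bot: the --norealtime help text in the Usage section is missing a verb ("don't system time, use solely log timestamps"); it should read "don't use system time, use solely log timestamps" and match what labrea-idea.py actually prints for --help, since the README copies the option table verbatim. Two smaller points in the same hunk: the -p/--pid default is rendered as "/var/run" and "/labrea-idea.pid" on separate lines, which reads as two paths, so keep "/var/run/labrea-idea.pid" on one line; and the Configuration section opens with "However, the daemon is usually run by init script" although nothing precedes it to contrast with, so something like "In production the daemon is usually run by an init script" reads better. Finally, if the ".. _Idea: https://idea.cesnet.cz/" target really is split across a line break in the committed file as it appears here, the Idea_ reference in the Introduction will not resolve; worth checking that each reStructuredText link target sits on its own line.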