##################################################################### # # Configuration file template for yule. # ##################################################################### # # NOTE: This is a log server-only configuration file TEMPLATE. # # NOTE: The log server ('yule') will look for THAT configuration file # that has been defined at compile time with the configure option # ./configure --with-config-file=FILE # The default is "/usr/local/etc/.samhainrc" (NOT "yulerc"). # ##################################################################### # # -- empty lines and lines starting with '#', ';' or '//' are ignored # -- you can PGP clearsign this file -- samhain will check (if compiled # with support) or otherwise ignore the signature # -- CHECK mail address # # To each log facility, you can assign a threshold severity. Only # reports with at least the threshold severity will be logged # to the respective facility (even further below). # ##################################################################### [Log] ## ## Switch on/OFF log facilities and set their threshold severity ## ## Values: debug, info, notice, warn, mark, err, crit, alert, none. ## 'mark' is used for timestamps. ## ## ## Use 'none' to SWITCH OFF a log facility ## ## By default, everything equal to and above the threshold is logged. ## The specifiers '*', '!', and '=' are interpreted as ## 'all', 'all but', and 'only', respectively (like syslogd(8) does, ## at least on Linux). Examples: ## MailSeverity=* ## MailSeverity=!warn ## MailSeverity==crit ## E-mail ## # MailSeverity=none ## Console ## PrintSeverity=none ## Logfile ## LogSeverity = warn ## Syslog ## # SyslogSeverity=none ## External script or program ## # ExternalSeverity = none ## Logging to a database ## # DatabaseSeverity = none # [Database] ## ## --- Logging to a relational database ## ## Database name # # SetDBName = samhain ## Database table # # SetDBTable = log ## Database user # # SetDBUser = samhain ## Database password # # SetDBPassword = (default: none) ## Database host # # SetDBHost = localhost ## Log the server timestamp for received messages # # SetDBServerTstamp = True ## Use a persistent connection # # UsePersistent = True # [External] ## ## Interface to call external scripts/programs for logging ## ## The absolute path to the command ## - Each invocation of this directive will end the definition of the ## preceding command, and start the definition of ## an additional, new command # # OpenCommand = (no default) ## Type (log or rv) ## - log for log messages, srv for messages received by the server # # SetType = log ## The command (full command line) to execute # # SetCommandLine = (no default) ## The environment (KEY=value; repeat for more) # # SetEnviron = TZ=(your timezone) ## The TIGER192 checksum (optional) # # SetChecksum = (no default) ## User who runs the command # # SetCredentials = (default: samhain process uid) ## Words not allowed in message # # SetFilterNot = (none) ## Words required (ALL of them) # # SetFilterAnd = (none) ## Words required (at least one) # # SetFilterOr = (none) ## Deadtime between consecutive calls # # SetDeadtime = 0 ## Add default environment (HOME, PATH, SHELL) # # SetDefault = no ##################################################### # # Miscellaneous configuration options # ##################################################### [Misc] # whether to become a daemon process Daemon=yes ## Interval between time stamp messages # # SetLoopTime = 60 SetLoopTime = 600 ## Normally, client messages are regarded as data within a ## server message of fixed severity. The following two ## options cause the server to use the original severity/class ## of client messages for logging. # # UseClientSeverity = False # UseClientClass = False ## The maximum time between client messages (seconds) ## This allows the server to flag clients that have exceeded ## the timeout limits; i.e. might have died for some reason. # # SetClientTimeLimit = 86400 ## Use client address as known to the communication layer (might be ## incorrect if the client is behind NAT). The default is to use ## the client name as claimed by the client, and verify it against ## the former (might be incorrect if the client has several ## interfaces, and its hostname resolves to the wrong interface). # # SetClientFromAccept = False ## If SetClientFromAccept is False (default), severity of a ## failure to resolve the hostname claimed by the client ## to the IP address of the socket peer. # # SeverityLookup = crit ## The console device (can also be a file or named pipe) ## - There are two console devices. Accordingly, you can use ## this directive a second time to set the second console device. ## If you have not defined the second device at compile time, ## and you don't want to use it, then: ## setting it to /dev/null is less effective than just leaving ## it alone (setting to /dev/null will waste time by opening ## /dev/null and writing to it) # # SetConsole = /dev/console ## Use separate logfiles for individual clients # # UseSeparateLogs = False ## Enable listening on port 514/udp for logging of remote syslog ## messages (if optionally compiled with support for this) # # SetUDPActive = False ## Activate the SysV IPC message queue # # MessageQueueActive = False ## If false, skip reverse lookup when connecting to a host known ## by name rather than IP address (i.e. trust the DNS) # # SetReverseLookup = True ## If true, open a Unix domain socket to listen for commands that should ## be passed to clients upon next connection. Only works on systems ## that support passing of peer credentials (for authentication) via sockets. ## Use yulectl to access the socket. # # SetUseSocket = False ## The UID of the user that is allowed to pass commands to the server ## via the Unix domain socket. # # SetSocketAllowUid = 0 ## --- E-Mail --- # Only highest-level (alert) reports will be mailed immediately, # others will be queued. Here you can define, when the queue will # be flushed (Note: the queue is automatically flushed after # completing a file check). # # SetMailTime = 86400 ## Maximum number of mails to queue # # SetMailNum = 10 ## Recipient (max. 8) # # SetMailAddress=root@localhost ## Mail relay (IP address) # # SetMailRelay = NULL ## Custom subject format # # MailSubject = NULL ## --- end E-Mail --- # The binary. Setting the path will allow # samhain to check for modifications between # startup and exit. # # SamhainPath=/usr/local/bin/yule ## The IP address of the time server # # SetTimeServer = (default: compiled-in) ## Trusted Users (comma delimited list of user names) # # TrustedUser = (no default; this adds to the compiled-in list) ## Custom format for message header. ## CAREFUL if you use XML logfile format. ## ## %S severity ## %T timestamp ## %C class ## ## %F source file ## %L source line # # MessageHeader="%S %T " ## Don't log path to config/database file on startup # # HideSetup = False ## The syslog facility, if you log to syslog # # SyslogFacility = LOG_AUTHPRIV ## The message authentication method ## - If you change this, you *must* change it ## on client *and* server # # MACType = HMAC-TIGER [Clients] ## ## This is a sample registry entry for a client at host 'HOSTNAME'. This entry ## is valid for the default password. ## You are STRONGLY ADVISED to reset te password (see the README) and ## compute your own entries using 'samhain -P ' ## ## Usually, HOSTNAME should be a fully qualified hostname, ## no numerical address. ## -- exception: if the client (samhain) cannot determine the ## fully qualified hostname of its host, ## the numerical address may be required. ## You will know if you get a message like: ## 'Invalid connection attempt: Not in ## client list what.ever.it.is' ## ## First entry is for challenge/response, second one for SRP authentication. # # Client=HOSTNAME@00000000@C39F0EEFBC64E4A8BBF72349637CC07577F714B420B62882 # Client=HOSTNAME@8F81BA58956F8F42@8932D08C49CA76BD843C51EDD1D6640510FA032A7A2403E572BBDA2E5C6B753991CF7E091141D20A2499C5CD3E14C1639D17482E14E1548E5246ACF4E7193D524CDDAC9C9D6A9A36C596B4ECC68BEB0C5BB7082224946FC98E3ADE214EA1343E2DA8DF4229D4D8572AD8679228928A787B6E5390D3A713102FFCC9D0B2188C92