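#####################################################################
#
# Configuration file template for yule.
#
#####################################################################
#
# NOTE: This is a log server-only configuration file TEMPLATE.
#
# NOTE: The log server ('yule') will look for THAT configuration file
#       that has been defined at compile time with the configure option
#       ./configure --with-config-file=FILE
#       The default is "/usr/local/etc/.samhainrc" (NOT "yulerc").
#
#####################################################################
#
# -- empty lines and lines starting with '#', ';' or '//' are ignored
# -- you can PGP clearsign this file -- samhain will check (if compiled
#    with support) or otherwise ignore the signature
#    (a clearsign signature protects the integrity of this file, not
#    its confidentiality: values such as SetDBPassword stay readable)
# -- CHECK the mail address (SetMailAddress in the [Misc] section)
#
# To each log facility, you can assign a threshold severity. Only
# reports with at least the threshold severity will be logged
# to the respective facility (see further below).
#
# Directives in this file are written as 'Key = value'; a leading '#'
# marks a directive that is shown with its default and not active.
#
#####################################################################


[Log]
##
## Switch on/OFF log facilities and set their threshold severity
##
## Values: debug, info, notice, warn, mark, err, crit, alert, none.
## 'mark' is used for timestamps.
##
## Use 'none' to SWITCH OFF a log facility
##
## By default, everything equal to and above the threshold is logged.
## The specifiers '*', '!', and '=' are interpreted as
## 'all', 'all but', and 'only', respectively (like syslogd(8) does,
## at least on Linux). Examples:
## MailSeverity = *
## MailSeverity = !warn
## MailSeverity = =crit

## E-mail
##
# MailSeverity = none

## Console
##
PrintSeverity = none

## Logfile
##
LogSeverity = warn

## Syslog
##
# SyslogSeverity = none

## External script or program
##
# ExternalSeverity = none

## Logging to a database
##
# DatabaseSeverity = none


# [Database]
##
## --- Logging to a relational database
##

## Database name
#
# SetDBName = samhain

## Database table
#
# SetDBTable = log

## Database user
#
# SetDBUser = samhain

## Database password
## - stored in clear text in this file; keep the file readable only
##   by the user the server runs as
#
# SetDBPassword = (default: none)

## Database host
#
# SetDBHost = localhost

## Log the server timestamp for received messages
#
# SetDBServerTstamp = True

## Use a persistent connection
#
# UsePersistent = True



# [External]
##
## Interface to call external scripts/programs for logging
##

## The absolute path to the command
## - Each invocation of this directive will end the definition of the
##   preceding command, and start the definition of
##   an additional, new command
#
# OpenCommand = (no default)

## Type (log or srv)
## - log for log messages, srv for messages received by the server
#
# SetType = log

## The command (full command line) to execute
#
# SetCommandLine = (no default)

## The environment (KEY=value; repeat for more)
#
# SetEnviron = TZ=(your timezone)

## The TIGER192 checksum (optional)
## - recommended: with a checksum set, the command is only run while
##   it still matches the recorded value (presumably guarding against
##   a replaced binary at the OpenCommand path -- verify against the
##   manual)
#
# SetChecksum = (no default)

## User who runs the command
## - prefer an unprivileged account over the server's own uid
#
# SetCredentials = (default: samhain process uid)

## Words not allowed in message
#
# SetFilterNot = (none)

## Words required (ALL of them)
#
# SetFilterAnd = (none)

## Words required (at least one)
#
# SetFilterOr = (none)

## Deadtime between consecutive calls (seconds)
#
# SetDeadtime = 0

## Add default environment (HOME, PATH, SHELL)
#
# SetDefault = no


#####################################################
#
# Miscellaneous configuration options
#
#####################################################


[Misc]
## Whether to become a daemon process
#
Daemon = yes

## Interval between time stamp messages (seconds)
## - the compiled-in default is 60; this template raises it to 600
#
# SetLoopTime = 60
SetLoopTime = 600

## Normally, client messages are regarded as data within a
## server message of fixed severity. The following two
## options cause the server to use the original severity/class
## of client messages for logging.
#
# UseClientSeverity = False
# UseClientClass = False

## The maximum time between client messages (seconds)
## This allows the server to flag clients that have exceeded
## the timeout limits; i.e. might have died for some reason.
#
# SetClientTimeLimit = 86400

## Use client address as known to the communication layer (might be
## incorrect if the client is behind NAT). The default is to use
## the client name as claimed by the client, and verify it against
## the former (might be incorrect if the client has several
## interfaces, and its hostname resolves to the wrong interface).
#
# SetClientFromAccept = False

## If SetClientFromAccept is False (default), severity of a
## failure to resolve the hostname claimed by the client
## to the IP address of the socket peer.
## - keep this at 'crit' or above so a name/peer mismatch is never
##   logged below your LogSeverity threshold
#
# SeverityLookup = crit

## The console device (can also be a file or named pipe)
## - There are two console devices. Accordingly, you can use
##   this directive a second time to set the second console device.
##   If you have not defined the second device at compile time,
##   and you don't want to use it, then:
##   setting it to /dev/null is less effective than just leaving
##   it alone (setting to /dev/null will waste time by opening
##   /dev/null and writing to it)
#
# SetConsole = /dev/console

## Use separate logfiles for individual clients
#
# UseSeparateLogs = False

## Enable listening on port 514/udp for logging of remote syslog
## messages (if optionally compiled with support for this)
## - remote syslog over UDP is unauthenticated; enable it only where
##   the listener is reachable solely from trusted hosts
#
# SetUDPActive = False


## Activate the SysV IPC message queue
#
# MessageQueueActive = False


## If false, skip reverse lookup when connecting to a host known
## by name rather than IP address (i.e. trust the DNS)
#
# SetReverseLookup = True

## If true, open a Unix domain socket to listen for commands that should
## be passed to clients upon next connection. Only works on systems
## that support passing of peer credentials (for authentication) via sockets.
## Use yulectl to access the socket.
#
# SetUseSocket = False

## The UID of the user that is allowed to pass commands to the server
## via the Unix domain socket.
## - the default 0 restricts command passing to root; any other uid
##   given here gains the same control over connected clients
#
# SetSocketAllowUid = 0

## --- E-Mail ---

## Only highest-level (alert) reports will be mailed immediately,
## others will be queued. Here you can define, when the queue will
## be flushed (Note: the queue is automatically flushed after
## completing a file check).
#
# SetMailTime = 86400

## Maximum number of mails to queue
#
# SetMailNum = 10

## Recipient (max. 8)
#
# SetMailAddress = root@localhost

## Mail relay (IP address)
#
# SetMailRelay = NULL

## Custom subject format
#
# MailSubject = NULL

## --- end E-Mail ---

## The binary. Setting the path will allow
## samhain to check for modifications between
## startup and exit.
#
# SamhainPath = /usr/local/bin/yule

## The IP address of the time server
#
# SetTimeServer = (default: compiled-in)

## Trusted Users (comma delimited list of user names)
## - adds to the compiled-in list; every user listed here is trusted
##   to own the directories/files samhain checks on its way to this
##   configuration, so keep the list minimal
#
# TrustedUser = (no default; this adds to the compiled-in list)

## Custom format for message header.
## CAREFUL if you use XML logfile format.
##
## %S severity
## %T timestamp
## %C class
##
## %F source file
## %L source line
#
# MessageHeader="%S %T "


## Don't log path to config/database file on startup
#
# HideSetup = False

## The syslog facility, if you log to syslog
#
# SyslogFacility = LOG_AUTHPRIV


## The message authentication method
## - If you change this, you *must* change it
##   on client *and* server
#
# MACType = HMAC-TIGER


[Clients]
##
## This is a sample registry entry for a client at host 'HOSTNAME'. This entry
## is valid for the default password.
## You are STRONGLY ADVISED to reset the password (see the README) and
## compute your own entries using 'samhain -P <password>'
## Do not put a server into service with the sample entries below
## activated; they are derived from the publicly known default password.
##
## Usually, HOSTNAME should be a fully qualified hostname,
## no numerical address.
## -- exception: if the client (samhain) cannot determine the
##    fully qualified hostname of its host,
##    the numerical address may be required.
##    You will know if you get a message like:
##    'Invalid connection attempt: Not in
##    client list what.ever.it.is'
##
## First entry is for challenge/response, second one for SRP authentication.
#
# Client=HOSTNAME@00000000@C39F0EEFBC64E4A8BBF72349637CC07577F714B420B62882
# Client=HOSTNAME@8F81BA58956F8F42@8932D08C49CA76BD843C51EDD1D6640510FA032A7A2403E572BBDA2E5C6B753991CF7E091141D20A2499C5CD3E14C1639D17482E14E1548E5246ACF4E7193D524CDDAC9C9D6A9A36C596B4ECC68BEB0C5BB7082224946FC98E3ADE214EA1343E2DA8DF4229D4D8572AD8679228928A787B6E5390D3A713102FFCC9D0B2188C92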