Difference: SaganInstall (15 vs. 16)

Revision 16 (2017-05-02 - ChampClark)

Line: 1 to 1
 

Line: 25 to 25
 For this document, we'll need to install three Sagan prerequisites. They are:

  • PCRE - libpcre is used for rules that have regular expressions
Added:
>
>
  • Libyaml - Used to read in Sagan configuration files.
 
  • LibLogNorm - Used to extract useful information from logs.
  • libdnet - This is used for Unified2 output, which is used with Barnyard2 & writing to SQL databases.

3.1 Installing PCRE.

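Review bot: the introductory sentence above the list still says "three Sagan prerequisites", but with the Libyaml bullet added the list now has four entries (PCRE, Libyaml, LibLogNorm, libdnet); update the count or say "the following prerequisites" so it does not go stale again. The new bullet also spells it "Libyaml" while the new section heading further down uses "libyaml"; pick one spelling.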
Changed:
<
<
That is PCRE (http://www.pcre.org) (libpcre). With only the PCRE library dependency meant, this will get the Sagan engine up and running with the most basic fuctionality.
>
>
That is PCRE (http://www.pcre.org) (libpcre). This is a required dependency.
 
Operating System Commands to install PCRE
Gentoo emerge -av libpcre
Changed:
<
<
Ubuntu apt-get install libpcre3-dev libpcre3
>
>
Debian / Ubuntu apt-get install libpcre3-dev libpcre3
 
FreeBSD/OpenBSD cd /usr/ports/devel/pcre && make && make install
CentOS / Redhat yum install pcre-devel
Changed:
<
<

3.2 Installing LibLogNorm.

>
>

3.2 Installing libyaml

"libyaml" is used by Sagan to read its configuration file. This is a required dependency.

Operating System Command to install PCRE
Gentoo emerge -av libyaml
Debian / Ubuntu apt-get install libyaml-dev
FreeBSD / OpenBSD cd /usr/ports/textproc/libyaml/ && make install
CentOS / Redhat yum install libyaml-devel

3.3 Installing LibLogNorm.

  LibLogNorm helps Sagan extract useful information for log messages. Sagan will operate without this library, but it may not always extract important information you may want. I the majority of cases, you probably want LibLogNorm installed.
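Review bot: the table caption in the new libyaml section, "Operating System Command to install PCRE", was copied from the PCRE section and should read "... to install libyaml". Two smaller points in the same block: the libyaml paragraph says it reads "its configuration file" while the bullet list says "configuration files", and the LibLogNorm paragraph has a typo, "I the majority of cases" should be "In the majority of cases".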
Line: 51 to 60
 If you distribution doesn't have LibLogNorm, consider building from source. See the LibLogNorm for more information about building from source.

3.3 Installing libdnet.

Changed:
<
<
An optional, but typically desired dependency is the ability to write alerts to a SQL database. This is also required if you want to view Sagan events in consoles link Snorby, Squil, etc. This also lets Sagan correlate log events with your Snort or Suricata. In order to do this, you'll want Sagan to have the ability to write alerts in a Unified2 output format. In order to do this, Sagan requires libdnet (http://libdnet.sf.net).
>
>
An optional, but typically desired dependency is the ability to write alerts to a SQL database. This is also required if you want to view Sagan events in consoles link Snorby, Squil, etc. This also lets Sagan correlate log events with your Snort or Suricata. In order to do this, you'll want Sagan to have the ability to write alerts in a Unified2 output format. In order to do this, Sagan requires libdnet (http://libdnet.sf.net).
 
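Review bot: the old and new versions of this paragraph render identically, so the change is presumably whitespace only; while it is being touched, fix the typos both versions carry: "consoles link Snorby, Squil" should be "consoles like Snorby, Sguil", and "correlate log events with your Snort or Suricata" is missing its object (e.g. "with your Snort or Suricata alerts"). The heading directly above, "3.3 Installing libdnet.", also collides with the new "3.3 Installing LibLogNorm." heading and should become 3.4.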
Deleted:
<
<

 
Operating System Commands to install libdnet
Gentoo emerge -av libdnet
Changed:
<
<
Ubuntu apt-get install libdumbnet1 libdumbnet-dev
>
>
Debian / Ubuntu apt-get install libdumbnet1 libdumbnet-dev
 
FreeBSD/OpenBSD cd /usr/ports/net/libdnet && make && make install
CentOS/Redhat Manual install from source (http://libdnet.sourceforge.net)
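Review bot: the CentOS/Redhat row gives the libdnet home as http://libdnet.sourceforge.net while the paragraph above says http://libdnet.sf.net; use one URL. A short sentence that Debian/Ubuntu package the library under the name libdumbnet would also help, so readers do not take the different package name in the Debian / Ubuntu row for a mistake.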
Deleted:
<
<
 If you require Sagan to other action on alerting (e-mailing, etc), check out the SaganPrerequisites page.

4. Compiling and installing Sagan.

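Review bot: deleting the "If you require Sagan to other action on alerting ..." sentence removes the document's only pointer to the SaganPrerequisites page, which is where the optional dependencies (e-mail output, etc.) are described. If the intent was only to fix its grammar, keep the reference and reword it, e.g. "If you need Sagan to take other actions on alerting (e-mail, etc.), see the SaganPrerequisites page."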
Line: 136 to 138
 

6. Downloading and using Sagan rules.

You'll not need rules to tell Sagan "what" to trigger on. There are two branches of rules. The stable branch and the development branch. For this document, we'll be using the development branch.

Changed:
<
<
cd /usr/local/etc
sudo git clone https://github.com/beave/sagan-rules
>
>
cd /usr/local/etc
sudo git clone https://github.com/beave/sagan-rules
 
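Review bot: the paragraph above says the document uses the development branch of the rules, but the clone command selects no branch, so readers get whatever the repository's default branch is; either state that the default branch is the development one or add an explicit `-b <branch>` to the clone. Same paragraph: "You'll not need rules" should read "You'll now need rules", since as written it says the opposite of what is meant.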
Changed:
<
<
Note: if you don't have "git" installed, you can download the source with wget. Type "wget https://github.com/beave/sagan-rules/archive/master.zip"
>
>
Note: if you don't have "git" installed, you can download the source with wget. Type "wget https://github.com/beave/sagan-rules/archive/master.zip"
 

7. Configuring the syslog-ng/rsyslog daemon.

7.1 Sagan rsyslog/syslog-ng configuration Youtube video

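Review bot: the wget alternative is not equivalent to the git clone: master.zip still has to be unzipped, and the GitHub archive unpacks into a directory named sagan-rules-master rather than sagan-rules, so any later path that expects /usr/local/etc/sagan-rules will not match. Add the unzip step and either a rename (mv sagan-rules-master sagan-rules) or a note about adjusting the rule path in the Sagan configuration.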
Line: 175 to 174
 # The standard "input" template Sagan uses. Basically the message 'format' Sagan understands. The template is one line. $template sagan,"%fromhost-ip%|%syslogfacility-text%|%syslogpriority-text%|%syslogseverity-text%|%syslogtag%|%timegenerated:1:10:date-rfc3339%|%timegenerated:12:19:date-rfc3339%|%programname%|%msg%\n" # The FIFO/named pipe location. This is what Sagan will read.
Changed:
<
<
. |/var/run/sagan.fifo;sagan
>
>
. |/var/run/sagan.fifo;sagan
 

7.4 FIFO and testing

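Review bot: the rsyslog selector in both versions of the changed line renders as ". |/var/run/sagan.fifo;sagan", which is not valid legacy rsyslog syntax; the wiki has most likely swallowed the asterisks of "*.* |/var/run/sagan.fifo;sagan" as bold markup, so put the line in a TWiki verbatim block so readers can copy it as-is. Two caveats worth a sentence here: the named pipe must exist before rsyslog can write to it (mkfifo /var/run/sagan.fifo), and on distributions where /var/run is a tmpfs it vanishes on reboot, so it has to be recreated at boot or Sagan started before rsyslog.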
Line: 212 to 209
 output database: log, mysql, user=sagan password=mypassword dbname=snort host=127.0.0.1, detail full

Note: Make sure you change the password, username, hostname and dbname!
Deleted:
<
<
 As the "root" user, test your configuration by running the following command. If all goes well, you should see a message "Waiting for new data". Then means that Barnyard2 is reading the data that Sagan is writing to the unified2 file.
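Review bot: removing the "As the "root" user, test your configuration ..." sentence leaves the barnyard2 command below with no explanation of what it does or what success looks like ("Waiting for new data" means barnyard2 is reading the unified2 file Sagan writes). Keep a cleaned-up version ("This means that Barnyard2 ..." rather than "Then means") instead of dropping it.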
Changed:
<
<
/usr/bin/barnyard2 -c /etc/barnyard2/barnyard2-sagan.conf
>
>
/usr/bin/barnyard2 -c /etc/barnyard2/barnyard2-sagan.conf
  To run "barnyard2" in the background, simply append the "-D" switch.
 
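Review bot: the old and new command lines render identically, so the change is presumably whitespace; while here, the text should say something about the credentials it has the reader put in barnyard2-sagan.conf: the "output database: ... password=mypassword" line above stores the database password in clear text, so the file should be owned by the user running barnyard2 and not be world-readable (chmod 600), and the "sagan" database account should have only the rights it needs to write events rather than a full administrative account. The deleted sentence also told readers to run barnyard2 as root; if that remains the recommendation, say why, otherwise recommend a dedicated unprivileged user, especially when it is left running in the background with -D.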