NAME
Ixchel::Actions::lilith_config - Generates the config for Lilith.
VERSION
Version 0.2.0
CLI SYNOPSIS
ixchel -a lilith_config [-w] [-o <outfile>]
CODE SYNOPSIS
    use Data::Dumper;
    # Run the action; opts can carry the same flags as the CLI (-w, -o).
    my $results=$ixchel->action(action=>'lilith_config', opts=>{});
    if ($results->{ok}) {
        print $results->{config};
    }else{
        die('Action errored... '.join("\n", @{$results->{errors}}));
    }
FLAGS
-w
Write it out.
-o <outfile>
The file to write it out to.
Default :: /usr/local/etc/lilith.toml
CONFIG
.lilith.config is used for generating the config.
AUTO CONFIG
If .lilith.auto_config.enabled=1 is set, then it will automatically fill out the monitored instances.
For single-instance setups it is done as below.
Suricata -> $hostname-pie -> /var/log/suricata/alert.json
Sagan -> $hostname-lae -> /var/log/sagan/alert.json
CAPEv2 -> $hostname-malware -> /opt/CAPEv2/log/eve.json
For multi-instance setups it is done as below.
Suricata -> $hostname-$instance -> /var/log/suricata/alert-$instance.json
Sagan -> $hostname-$instance -> /var/log/sagan/alert-$instance.json
CAPEv2 -> $hostname-malware -> /opt/CAPEv2/log/eve.json (or wherever .cape.eve set to)
If .lilith.auto_config.full=1 is set, then the full hostname is used. Otherwise the short hostname is used, produced by removing everything from the first dot onward via s/\..*$//.
The variables used for checking which should be enabled are the usual enable ones, as below.
.suricata.enable
.sagan.enable
.cape.enable
This expects that the instance naming scheme does not overlap and will error if any of them do overlap, including if they are already defined in .lilith.config .
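The naming and overlap rules above, reimplemented as an added example (this is not Ixchel's own code, and the error is raised rather than returned in .errors as the action does). The way multi-instance lists are passed in (suricata_instances, sagan_instances) and the existing map argument are assumptions; the paths and suffixes are the ones documented above.

```python
import re

# Documented single-instance suffixes and paths (from the AUTO CONFIG section).
SURICATA_SINGLE = ("pie", "/var/log/suricata/alert.json")
SAGAN_SINGLE = ("lae", "/var/log/sagan/alert.json")
CAPE_DEFAULT_EVE = "/opt/CAPEv2/log/eve.json"


def short_hostname(hostname, full=False):
    """Instance-name prefix: full hostname if full=1, else everything before the first dot."""
    if full:
        return hostname
    return re.sub(r"\..*$", "", hostname)


def auto_config(hostname, full=False, suricata=False, sagan=False, cape=False,
                suricata_instances=(), sagan_instances=(), cape_eve=None,
                existing=None):
    """Build the monitored-instance map (name -> log file) the auto config fills in.

    existing: instances already defined in .lilith.config (assumed dict form);
    any collision with them, or between generated names, is an error.
    """
    prefix = short_hostname(hostname, full)
    instances = {}

    def add(name, path):
        # Overlapping names would make two log sources indistinguishable, so refuse.
        if name in instances:
            raise ValueError(f"instance name overlap: {name}")
        instances[name] = path

    # Seed with what .lilith.config already holds so overlaps with it are caught too.
    for name, path in (existing or {}).items():
        add(name, path)

    if suricata:
        if suricata_instances:   # multi-instance: $hostname-$instance
            for inst in suricata_instances:
                add(f"{prefix}-{inst}", f"/var/log/suricata/alert-{inst}.json")
        else:                    # single instance: $hostname-pie
            add(f"{prefix}-{SURICATA_SINGLE[0]}", SURICATA_SINGLE[1])

    if sagan:
        if sagan_instances:      # multi-instance: $hostname-$instance
            for inst in sagan_instances:
                add(f"{prefix}-{inst}", f"/var/log/sagan/alert-{inst}.json")
        else:                    # single instance: $hostname-lae
            add(f"{prefix}-{SAGAN_SINGLE[0]}", SAGAN_SINGLE[1])

    if cape:
        # CAPEv2 is always $hostname-malware, reading .cape.eve or the default path.
        add(f"{prefix}-malware", cape_eve or CAPE_DEFAULT_EVE)

    # Drop the pre-existing entries again; only the generated ones are returned.
    for name in (existing or {}):
        del instances[name]
    return instances


if __name__ == "__main__":
    # Constructed sample: a sensor with two Suricata instances and one Sagan instance.
    print(auto_config("ids1.example.com", suricata=True, sagan=True, cape=True,
                      suricata_instances=["ext", "int"]))
```

A single-instance host "ids1.example.com" yields ids1-pie, ids1-lae and ids1-malware; giving Suricata and Sagan an instance with the same name, or reusing a name already in .lilith.config, raises the overlap error.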
RESULT HASH REF
.errors :: An array of errors encountered.
.status_text :: A string description of what was done and the results.
.ok :: Set to zero if any of the above errored.
.config :: The generated config.