NAME

Ixchel::Actions::lilith_config - Generates the config for Lilith.

VERSION

Version 0.2.0

CLI SYNOPSIS

ixchel -a lilith_config [-w] [-o <outfile>]

CODE SYNOPSIS

    use Data::Dumper;

    # $ixchel is an already-initialised Ixchel object
    my $results=$ixchel->action(action=>'lilith_config', opts=>{});

    if ($results->{ok}) {
        print $results->{config};
    } else {
        die('Action errored... '.join("\n", @{$results->{errors}}));
    }

FLAGS

-w

Write it out.

-o <outfile>

The file to write it out to.

Default :: /usr/local/etc/lilith.toml

CONFIG

.lilith.config is used for generating the config.

AUTO CONFIG

If .lilith.auto_config.enabled=1 is set, then it will automatically fill out the monitored instances.

For single-instance setups it is done as below.

    Suricata -> $hostname-pie      -> /var/log/suricata/alert.json
    Sagan    -> $hostname-lae      -> /var/log/sagan/alert.json
    CAPEv2   -> $hostname-malware  -> /opt/CAPEv2/log/eve.json

For multi-instance it is done as below.

    Suricata -> $hostname-$instance -> /var/log/suricata/alert-$instance.json
    Sagan    -> $hostname-$instance -> /var/log/sagan/alert-$instance.json
    CAPEv2   -> $hostname-malware   -> /opt/CAPEv2/log/eve.json (or wherever .cape.eve set to)

If .lilith.auto_config.full=1 is set, then the full hostname is used. Otherwise the short hostname is used, obtained by removing everything from the first dot onward via s/\..*$//.

The variables used for checking which should be enabled are the usual enable ones as below.

    .suricata.enable
    .sagan.enable
    .cape.enable

This expects that the instance naming scheme does not overlap and will error if any of them do overlap, including if they are already defined in .lilith.config.
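
The name and path derivation above, together with the overlap check, as an added example (not the module's own code). The config hash layout (instances arrayrefs, .lilith.config.instances for already-defined names) is an assumption made for the example; only the dotted keys named in this document are taken from it.

```perl
use strict;
use warnings;
use Sys::Hostname;

# Assumed layout (hypothetical, mirroring the dotted keys in the docs):
#   $config->{suricata}{enable}, $config->{suricata}{instances} (arrayref; empty = single instance)
#   $config->{sagan}{enable},    $config->{sagan}{instances}
#   $config->{cape}{enable},     $config->{cape}{eve}
#   $config->{lilith}{auto_config}{full}
#   $config->{lilith}{config}{instances} (hashref of names already defined in .lilith.config)
sub build_monitored_instances {
    my ($config, $hostname) = @_;
    $hostname //= hostname();
    # short hostname unless .lilith.auto_config.full=1: drop everything from the first dot onward
    $hostname =~ s/\..*$// unless $config->{lilith}{auto_config}{full};

    my %seen = %{ $config->{lilith}{config}{instances} // {} };    # pre-existing names also count
    my %new;
    my $add = sub {
        my ($name, $path) = @_;
        die "instance name overlap: $name\n" if exists $seen{$name} || exists $new{$name};
        $new{$name} = $path;
    };

    if ($config->{suricata}{enable}) {
        my @inst = @{ $config->{suricata}{instances} // [] };
        if (@inst) { $add->("$hostname-$_", "/var/log/suricata/alert-$_.json") for @inst }
        else       { $add->("$hostname-pie", '/var/log/suricata/alert.json') }
    }
    if ($config->{sagan}{enable}) {
        my @inst = @{ $config->{sagan}{instances} // [] };
        if (@inst) { $add->("$hostname-$_", "/var/log/sagan/alert-$_.json") for @inst }
        else       { $add->("$hostname-lae", '/var/log/sagan/alert.json') }
    }
    if ($config->{cape}{enable}) {
        $add->("$hostname-malware", $config->{cape}{eve} // '/opt/CAPEv2/log/eve.json');
    }
    return \%new;
}

# constructed sample: two Suricata instances, single-instance Sagan, CAPEv2 enabled, short hostname
my $config = {
    suricata => { enable => 1, instances => [qw(pie ids2)] },
    sagan    => { enable => 1, instances => [] },
    cape     => { enable => 1 },
    lilith   => { auto_config => { full => 0 }, config => { instances => {} } },
};
my $instances = build_monitored_instances($config, 'sensor1.example.com');
printf "%-18s %s\n", $_, $instances->{$_} for sort keys %$instances;

# overlap case: a Sagan instance named 'pie' collides with the single-instance Suricata name
$config->{suricata}{instances} = [];
$config->{sagan}{instances}    = ['pie'];
eval { build_monitored_instances($config, 'sensor1') };
print "caught: $@" if $@;
```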

RESULT HASH REF

    .errors :: An array of errors encountered.
    .status_text :: A string description of what was done and the results.
    .ok :: Set to zero if any of the above errored.
    .config :: The generated config.