Sguil deployment got you down? Having trouble figuring out how to make all the components play nice together? Want to see some spectacularly terrible technical writing? You need InstantNSM!
What is InstantNSM?
InstantNSM is a set of documents, scripts and software that simplify Sguil deployment by providing pre-tested components and automating common administrative tasks. With InstantNSM, Sguil deployment will be nearly a turnkey solution.
What can InstantNSM do for me?
InstantNSM has several functions:
- Configure a central Sguil server + MySQL database
- Create a new sensor
- Remove a specific sensor
- Start or stop a specific sensor
- Start or stop the central server
- Provide status information on the running sensor or server processes
Provided your hardware can handle the load, you can run any combination of server and/or sensors on a single system, or spread them out across several systems. InstantNSM is also able to configure a single computer to host multiple sensor instances.
About the only things InstantNSM won't do for you (yet) are:
- OS configuration: You're responsible for these tasks, including installation and disk partitioning.
- Software installation: You'll still have to install the requisite software before you run the configuration script.
- Snort rule tuning and maintenance: InstantNSM comes with a default set of Snort IDS rules, but you'll need to tune them to reduce false positives. You'll also need to update them on a regular basis, probably using a tool like Oinkmaster.
The Sguil on RedHat HOWTO was originally written as part of the InstantNSM project, though it has since moved into the NSMWiki. It is still, however, the source document that the InstantNSM installation scripts follow. If you want to know what the installer is doing in detail, read the HOWTO.
Rfifarek is working on a repository of RPMs for the various software pieces, so you won't have to compile your own from scratch. It's not available yet, so for now you'll still have to use the steps in the HOWTO.
If your system is properly prepared, using InstantNSM to set up a Sguil server or sensor is quite simple.
Your system must be running RedHat Enterprise Linux 4 (or a closely compatible version of Linux, like CentOS 4) and have all of the software that Sguil needs already installed (see the HOWTO for the list of software and where to install it). You should also have a disk partition set aside for storing the NSM data, usually mounted as '/nsm'.
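The preparation described above can be verified before the configuration script is run. The following pre-flight check is an added example and is not part of InstantNSM or the HOWTO; the file paths are parameters so the checks can be run against constructed input, and the tool list (snort, mysqld, tclsh) is an assumed minimum, since the complete software list lives in the HOWTO.

```shell
#!/bin/sh
# Added pre-flight check (not InstantNSM's own code): confirms the OS release,
# the dedicated NSM data partition and a minimum set of installed tools.
#   $1 - path to the release file (normally /etc/redhat-release)
#   $2 - path to a mount table in /proc/mounts format (normally /proc/mounts)
#   $3 - mount point reserved for NSM data (normally /nsm)

check_os_release() {
    # Accept RHEL 4 or CentOS 4 only; any other distribution or major fails.
    grep -Eq '^(Red Hat Enterprise Linux|CentOS)[^0-9]*release 4([^0-9]|$)' "$1"
}

check_nsm_mount() {
    # The NSM data directory must be its own mount (field 2 of the mount table),
    # not just a directory on the root filesystem.
    awk -v mp="$2" '$2 == mp { found = 1 } END { exit !found }' "$1"
}

check_tools() {
    # Assumed minimum tool set; the authoritative list is in the HOWTO.
    missing=""
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || missing="$missing $tool"
    done
    [ -z "$missing" ] || { echo "missing tools:$missing" >&2; return 1; }
}

preflight() {
    rc=0
    check_os_release "$1" || { echo "OS is not RHEL 4 / CentOS 4" >&2; rc=1; }
    check_nsm_mount "$2" "$3" || { echo "$3 is not a separate partition" >&2; rc=1; }
    check_tools snort mysqld tclsh || rc=1
    return $rc
}

# Real run on a prepared host (uncomment to use):
# preflight /etc/redhat-release /proc/mounts /nsm && echo "ready for InstantNSM"
```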