>
Nuhe is a log monitoring system, which is capable of action when rulesare matched againsts log(s) activity. Motive for Nuhe development started from security point of view and one purpose is to use it as a intrusion protection system that can react against certain kind of log activity. You can also use Nuhe as a vanilla "log filtering" system, that detects events from logs, logs them, but does not react against them.
gcc -g -O2 -Wall -o nuhed src/nuhed.o src/ruleparser.o src/slist.o src/event_handler.o src/d_array.o src/nuhesock.o src/nuheclient.o -lssl -lpthread -lpcre -lcrypto
Nuhe is a log monitoring system, which is capable of action when rules are matched againsts log(s) activity.
You'll find documentation (man pages) for Nuhe in './docs' directory. If man pages are installed correctly you should be able to 'man nuhe' after 'make install'.
You'll find detailed instructions about Nuhe rules and action handlers from man pages and should read them and modify rules and action handlers for your needs before you start using Nuhe.
As you see there are not many rules right now (rules are located at './rules' directory) and... Nuhe needs rule writers! Use you imagination and write interesting rules and action handlers for different purposes, applications and platforms and contribute them!
You should also check that log files which you want to monitor are specified in 'nuhed.conf'.
Motive for Nuhe development started from security point of view and one purpose is to use it as a intrusion protection system that can react against certain kind of log activity. You can also use Nuhe as a vanilla "log filtering" system, that detects events from logs, logs them, but does not react against them.
One example of Nuhe usage is to use rule that detects multiple SSH connection attemps and drops IP address (e.g. with Linux iptables) where connections are coming (see '/rules/openssh.rules'). Nuhe is very handy in this situation, because user can configure it to ignore important IP addresses, so they're not blocked by firewall and specify events to be indentified only by IP address information.
With that rule and action handler user can paralyze brute force attacks.
However Nuhe can be described as a general rule based monitoring system which can run system commands in phases based on time and event criteria and hopefully this gives many areas of use for it.
To install:
# ./configure (for nodemanager support ./configure --enable-nodemgr)
# make
# make install
If you want to use Nuhe with node manager, see './nuhemgr/INSTALL'.
/usr/local/etc/nuhed/nevents.asc
/usr/local/etc/nuhed/nuhed.key
/usr/local/etc/nuhed/CAnuhe.pem
/var/log/nuhed.log
/var/run/nuhed.pid
Let me know if you found bugs or have ideas how to improve Nuhe. You can send comments, suggestions, fixes, critics and Nuhe rules to me.
Tuomo Makinen
tjam@users.sourceforge.net
Browse and search your logfile content, create custom searches.Create actions based on rules defined in the rule editor.
Security
React to any log activity and trigger actions on target host based on defined rules. Automatically detect and filter logfile content based on severity.
Container
Features simplified docker container installation and fully automated sensor installer. The core software which contains Nuhed Manager, Nuhed Sensor and Nuhed Log Manager are all open source.