authorThomas Andrejak <thomas.andrejak@gmail.com>2016-07-17 15:13:05 +0200
committerGöktürk Yüksek <gokturk@gentoo.org>2016-08-04 21:10:12 -0400
commit3a233c7192c7c95146c9f0dfd5f601deaf23a202 (patch)
tree0471fe963d4c2b35e3e34395aab6324bca435be2
parentapp-admin/prelude-manager: New package (diff)
net-analyzer/prelude-lml: New package
Prelude-LML is a log analyser that allows Prelude to collect and analyze information from all kinds of applications emitting logs or syslog messages, in order to detect suspicious activities and transform them into Prelude-IDMEF alerts.
-rw-r--r--net-analyzer/prelude-lml/Manifest1
-rw-r--r--net-analyzer/prelude-lml/files/prelude-lml-3.0.0-conf.patch22
-rw-r--r--net-analyzer/prelude-lml/files/prelude-lml-3.0.0-configure.patch35
-rw-r--r--net-analyzer/prelude-lml/files/prelude-lml-3.0.0-run.patch14
-rwxr-xr-xnet-analyzer/prelude-lml/files/prelude-lml.initd27
-rw-r--r--net-analyzer/prelude-lml/files/prelude-lml.run4
-rw-r--r--net-analyzer/prelude-lml/files/prelude-lml.service13
-rw-r--r--net-analyzer/prelude-lml/metadata.xml23
-rw-r--r--net-analyzer/prelude-lml/prelude-lml-3.0.0.ebuild59
9 files changed, 198 insertions, 0 deletions
diff --git a/net-analyzer/prelude-lml/Manifest b/net-analyzer/prelude-lml/Manifest
new file mode 100644
index 000000000000..021270e8ad2a
--- /dev/null
+++ b/net-analyzer/prelude-lml/Manifest
@@ -0,0 +1 @@
+DIST prelude-lml-3.0.0.tar.gz 1391203 SHA256 53e3ccba2e3842e583739234366b6a5241dc6a8d18da501e6c9ff5e2b9792814 SHA512 f206407f99df394186466566608b434a94d4fdce3e5e8991a4236f2ee670f6ae2573adea22bc248fdfea760588e94160faa7260257aeaeb35c938e1bb886ee6c WHIRLPOOL 2b8ff99576e502461625897251726dd7c1e3a849e27816c64e931548d0ae76f12c125f444096f1aa1894c5f0fce206a7aa436de754a0ff8a3cc25fd475913fc6
diff --git a/net-analyzer/prelude-lml/files/prelude-lml-3.0.0-conf.patch b/net-analyzer/prelude-lml/files/prelude-lml-3.0.0-conf.patch
new file mode 100644
index 000000000000..dab4ea8a6bb1
--- /dev/null
+++ b/net-analyzer/prelude-lml/files/prelude-lml-3.0.0-conf.patch
@@ -0,0 +1,22 @@
+--- a/prelude-lml.conf
++++ b/prelude-lml.conf
+@@ -92,7 +92,7 @@
+ time-format = "%b %d %H:%M:%S"
+ prefix-regex = "^(?P<timestamp>.{15}) (?P<hostname>\S+) (?:(?P<process>\S+?)(?:\[(?P<pid>[0-9]+)\])?: )?"
+ file = /var/log/messages
+-file = /var/log/secure
++file = /var/log/auth.log
+ # udp-server = 0.0.0.0
+ # tcp-server = 0.0.0.0
+ # tcp-tls-server = 0.0.0.0
+--- a/prelude-lml.conf.in
++++ b/prelude-lml.conf.in
+@@ -92,7 +92,7 @@
+ time-format = "%b %d %H:%M:%S"
+ prefix-regex = "^(?P<timestamp>.{15}) (?P<hostname>\S+) (?:(?P<process>\S+?)(?:\[(?P<pid>[0-9]+)\])?: )?"
+ file = /var/log/messages
+-file = /var/log/secure
++file = /var/log/auth.log
+ # udp-server = 0.0.0.0
+ # tcp-server = 0.0.0.0
+ # tcp-tls-server = 0.0.0.0
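Review bot: The patch carries no header explaining why `/var/log/secure` becomes `/var/log/auth.log`, so whoever bumps the package next cannot tell whether this follows a Gentoo logger convention or a personal preference; a comment above the first `---` line would settle it, e.g. `# /var/log/secure is the Red Hat name; the syslog daemons shipped on Gentoo write authentication messages to /var/log/auth.log.` Which path is right depends on the logger actually installed (syslog-ng, rsyslog and metalog lay out /var/log differently), so the header should state that assumption rather than present the path as universal. The two hunks apply the identical change to prelude-lml.conf and prelude-lml.conf.in, which is needed because configure regenerates the former from the latter; saying so in the same header saves the next reader from wondering whether one of them is redundant.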
diff --git a/net-analyzer/prelude-lml/files/prelude-lml-3.0.0-configure.patch b/net-analyzer/prelude-lml/files/prelude-lml-3.0.0-configure.patch
new file mode 100644
index 000000000000..154a261eb5ad
--- /dev/null
+++ b/net-analyzer/prelude-lml/files/prelude-lml-3.0.0-configure.patch
@@ -0,0 +1,35 @@
+--- a/configure.in
++++ b/configure.in
+@@ -107,10 +107,13 @@
+ dnl **************************************************
+ GNUTLS_MIN_VERSION=1.0.17
+
+-PKG_CHECK_MODULES([LIBGNUTLS], [gnutls >= $GNUTLS_MIN_VERSION], [],
+- [AM_PATH_LIBGNUTLS($GNUTLS_MIN_VERSION, enable_gnutls=yes, enable_gnutls=no)])
+-
+-AC_CHECK_HEADER(gnutls/gnutls.h, enable_gnutls=yes, enable_gnutls=no)
++AC_ARG_ENABLE(gnutls, AC_HELP_STRING(--enable-gnutls, Define whether GnuTLS provides gnutls_hash_get_len function), , enable_gnutls="yes")
++if test x$enable_gnutls = xyes; then
++ PKG_CHECK_MODULES([LIBGNUTLS], [gnutls >= $GNUTLS_MIN_VERSION], [],
++ [AM_PATH_LIBGNUTLS($GNUTLS_MIN_VERSION, enable_gnutls=yes, enable_gnutls=no)])
++
++ AC_CHECK_HEADER(gnutls/gnutls.h, enable_gnutls=yes, enable_gnutls=no)
++fi
+
+ if test x$enable_gnutls = xyes; then
+ AC_DEFINE_UNQUOTED(HAVE_GNUTLS, , Tell whether GnuTLS is available for TCP-TLS support)
+@@ -125,8 +128,12 @@
+ dnl * Check for libICU *
+ dnl **************************************************
+
+-PKG_CHECK_MODULES([ICU], [icu >= 3.0], [enable_icu=yes],
+- [AC_CHECK_ICU(3.8, enable_icu=yes, enable_icu=no)])
++AC_ARG_ENABLE(icu, AC_HELP_STRING(--enable-icu, Tell whether libicu is available for encoding convertion), , enable_icu="yes")
++
++if test x$enable_icu = xyes; then
++ PKG_CHECK_MODULES([ICU], [icu >= 3.0], [enable_icu=yes],
++ [AC_CHECK_ICU(3.8, enable_icu=yes, enable_icu=no)])
++fi
+ if test x$enable_icu = xyes; then
+ AC_DEFINE_UNQUOTED(HAVE_LIBICU, , Tell whether libicu is available for encoding convertion)
+ fi
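Review bot: The help text on the new `--enable-gnutls` switch, `Define whether GnuTLS provides gnutls_hash_get_len function`, describes something other than what the switch does in this hunk, which is to gate the whole GnuTLS check and therefore TCP-TLS syslog support; it should read along the lines of `AC_HELP_STRING(--enable-gnutls, Enable TCP-TLS syslog support via GnuTLS)`. The more serious point is that when the option is on but the library or header is absent, the nested PKG_CHECK_MODULES / AM_PATH_LIBGNUTLS / AC_CHECK_HEADER calls just flip `enable_gnutls` to `no` and configure carries on, so a build that explicitly asked for TLS (the ebuild passes `--enable-gnutls` for USE=tls) can silently ship without the TLS listener. Capturing whether the user passed the flag and failing hard in that case closes the gap; the same pattern applies to the `--enable-icu` block below, where a requested ICU that is not found is likewise dropped without a word. The `if test x$enable_gnutls = xyes` block that follows starts inside the hunk and continues past it.
```m4
AC_ARG_ENABLE(gnutls, AC_HELP_STRING(--enable-gnutls, Enable TCP-TLS syslog support via GnuTLS), gnutls_requested=$enableval, enable_gnutls="yes")
if test x$enable_gnutls = xyes; then
dnl … unchanged: PKG_CHECK_MODULES / AC_CHECK_HEADER …
  if test x$gnutls_requested = xyes -a x$enable_gnutls != xyes; then
    AC_MSG_ERROR([GnuTLS support was requested but GnuTLS >= $GNUTLS_MIN_VERSION was not found])
  fi
fi
```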
diff --git a/net-analyzer/prelude-lml/files/prelude-lml-3.0.0-run.patch b/net-analyzer/prelude-lml/files/prelude-lml-3.0.0-run.patch
new file mode 100644
index 000000000000..8b4e65216cca
--- /dev/null
+++ b/net-analyzer/prelude-lml/files/prelude-lml-3.0.0-run.patch
@@ -0,0 +1,14 @@
+--- a/configure.in
++++ b/configure.in
+@@ -187,9 +187,9 @@
+ configdir=$SYSCONFDIR/prelude-lml
+ prelude_lml_conf=$configdir/prelude-lml.conf
+ regex_conf=$configdir/plugins.rules
+-metadata_dir=$LOCALSTATEDIR/lib/prelude-lml
++metadata_dir=$LOCALSTATEDIR/prelude-lml
+ plugindir=$LIBDIR/prelude-lml
+-lml_run_dir=$LOCALSTATEDIR/run/prelude-lml
++lml_run_dir=/run/prelude-lml
+
+ AC_DEFINE_UNQUOTED(PRELUDE_LML_CONF, "$prelude_lml_conf", Path to the LML configuration file)
+ AC_DEFINE_UNQUOTED(LOG_PLUGIN_DIR, "$plugindir", Prelude-LML report plugin directory)
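Review bot: `metadata_dir` now resolves to `$LOCALSTATEDIR/prelude-lml`, i.e. /var/prelude-lml with the ebuild's `--localstatedir=/var`, which departs from the FHS placement of variable state under /var/lib that the replaced `$LOCALSTATEDIR/lib/prelude-lml` followed; if there is a reason for this (matching the prelude-manager package, perhaps), record it in a patch header instead of leaving the reader to guess, otherwise keep `/var/lib`. The hard-coded `lml_run_dir=/run/prelude-lml` ignores `$LOCALSTATEDIR` altogether, which is consistent with the tmpfiles entry and init script shipped alongside but deserves a one-line comment, e.g. `# /run is tmpfs; the directory is created at boot by tmpfiles.d/checkpath, never by make install`. Anyone changing either path later has to change the ebuild's `keepdir` and the tmpfiles line in step, and a comment is the only thing that will tell them so.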
diff --git a/net-analyzer/prelude-lml/files/prelude-lml.initd b/net-analyzer/prelude-lml/files/prelude-lml.initd
new file mode 100755
index 000000000000..411e02762455
--- /dev/null
+++ b/net-analyzer/prelude-lml/files/prelude-lml.initd
@@ -0,0 +1,27 @@
+#!/sbin/runscript
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+BIN_LML=/usr/bin/prelude-lml
+PID_LML=/run/prelude-lml/prelude-lml.pid
+
+depend() {
+ need net
+ after prelude-manager
+}
+
+start() {
+ ebegin "Starting prelude-lml"
+ checkpath -d -m 0755 -o root:root /run/prelude-lml
+ start-stop-daemon --start --exec $BIN_LML \
+ --pidfile $PID_LML -- -d -P $PID_LML
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping prelude-lml"
+ start-stop-daemon --stop --exec $BIN_LML \
+ --pidfile $PID_LML
+ eend $?
+}
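Review bot: The daemon is started as root — `start-stop-daemon --start` carries no `--user`, and the run directory is created `root:root` — so a parsing bug in any regex plugin fed by attacker-influenced log lines executes with full privileges; if prelude-lml only needs read access to the files it watches, a dedicated account created with user.eclass in the ebuild, `start-stop-daemon --start --user prelude-lml` and `checkpath -d -m 0755 -o prelude-lml:prelude-lml /run/prelude-lml` would contain that. Whether the daemon can run unprivileged depends on the modes the logger gives /var/log/auth.log and on whether it needs to bind the syslog listeners configured in prelude-lml.conf, so confirm before switching. Separately, `#!/sbin/runscript` is the legacy shebang; `#!/sbin/openrc-run` is the current one if the OpenRC version in the tree provides it. `stop()` has no `--retry`, so a daemon that ignores SIGTERM is reported as stopped while still running; `start-stop-daemon --stop --retry 30` is the usual guard.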
diff --git a/net-analyzer/prelude-lml/files/prelude-lml.run b/net-analyzer/prelude-lml/files/prelude-lml.run
new file mode 100644
index 000000000000..75f2ef89adda
--- /dev/null
+++ b/net-analyzer/prelude-lml/files/prelude-lml.run
@@ -0,0 +1,4 @@
+# Configuration to create /run/prelude-lml directory
+# Used as part of systemd's tmpfiles
+
+d /run/prelude-lml 0755 root root
diff --git a/net-analyzer/prelude-lml/files/prelude-lml.service b/net-analyzer/prelude-lml/files/prelude-lml.service
new file mode 100644
index 000000000000..9d9230c6ff4c
--- /dev/null
+++ b/net-analyzer/prelude-lml/files/prelude-lml.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Prelude-LML service
+DefaultDependencies=no
+After=remote_fs.target prelude-manager.service
+
+[Service]
+ExecStart=/usr/bin/prelude-lml -d -P /run/prelude-lml/prelude-lml.pid
+Type=forking
+PIDFile=/run/prelude-lml/prelude-lml.pid
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
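Review bot: `DefaultDependencies=no` strips the implicit `After=sysinit.target`, `Before=shutdown.target` and `Conflicts=shutdown.target` that an ordinary service receives, so this unit may start before basic system setup and is not part of the shutdown transaction; nothing in the unit needs that, so drop the line and order it explicitly with `After=network.target prelude-manager.service`. `After=prelude-manager.service` on its own does not pull the manager in; add `Wants=prelude-manager.service` only if a local manager is genuinely required, which is unclear since LML may be pointed at a remote manager. The unit also has no `User=` and no hardening, meaning the log parser runs unconfined as root; `ProtectSystem=full`, `PrivateTmp=yes` and `NoNewPrivileges=yes` cost nothing for a process that only reads logs and writes under /run and /var, and are worth adding even if root stays for file access.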
diff --git a/net-analyzer/prelude-lml/metadata.xml b/net-analyzer/prelude-lml/metadata.xml
new file mode 100644
index 000000000000..9aa90946ee78
--- /dev/null
+++ b/net-analyzer/prelude-lml/metadata.xml
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <maintainer type="person">
+ <email>thomas.andrejak@gmail.com</email>
+ <name>Thomas Andrejak</name>
+ </maintainer>
+ <maintainer type="project">
+ <email>proxy-maint@gentoo.org</email>
+ <name>Proxy Maintainers</name>
+ </maintainer>
+ <longdescription lang="en">
+ Prelude-LML is a log analyser that allows Prelude to collect and
+ analyze information from all kind of applications emitting logs or
+ syslog messages in order to detect suspicious activities and transform
+ them into Prelude-IDMEF alerts. Prelude-LML handles events generated
+ by a large set of applications
+ </longdescription>
+ <use>
+ <flag name="tls">Enables Prelude LML support Syslog through TLS
+ using <pkg>net-libs/gnutls</pkg>.</flag>
+ </use>
+</pkgmetadata>
diff --git a/net-analyzer/prelude-lml/prelude-lml-3.0.0.ebuild b/net-analyzer/prelude-lml/prelude-lml-3.0.0.ebuild
new file mode 100644
index 000000000000..6d57560ab95a
--- /dev/null
+++ b/net-analyzer/prelude-lml/prelude-lml-3.0.0.ebuild
@@ -0,0 +1,59 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=6
+
+inherit autotools eutils systemd
+
+DESCRIPTION="The prelude log analyzer"
+HOMEPAGE="https://www.prelude-siem.org"
+SRC_URI="https://www.prelude-siem.org/pkg/src/3.0.0/${P}.tar.gz"
+
+LICENSE="GPL-2+"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="tls icu"
+
+RDEPEND="dev-libs/libprelude
+ dev-libs/libpcre
+ icu? ( dev-libs/icu )
+ tls? ( net-libs/gnutls )"
+
+DEPEND="${RDEPEND}
+ virtual/pkgconfig"
+
+PATCHES=(
+ "${FILESDIR}/${P}-configure.patch"
+ "${FILESDIR}/${P}-conf.patch"
+ "${FILESDIR}/${P}-run.patch"
+)
+
+src_prepare() {
+ default_src_prepare
+
+ mv "${S}/configure.in" "${S}/configure.ac" || die "mv failed"
+
+ eautoreconf
+}
+
+src_configure() {
+ econf \
+ --localstatedir=/var \
+ $(use_enable icu) \
+ $(use_enable tls gnutls)
+}
+
+src_install() {
+ default_src_install
+
+ rm -rv "${D}/run" || die "rm failed"
+ keepdir /var/${PN}
+
+ prune_libtool_files --modules
+
+ systemd_dounit "${FILESDIR}/${PN}.service"
+ systemd_newtmpfilesd "${FILESDIR}/${PN}.run" "${PN}.conf"
+
+ newinitd "${FILESDIR}/${PN}.initd" "${PN}"
+}
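Review bot: `SRC_URI` hard-codes `3.0.0` in the directory component rather than using `${PV}`, so a version bump that only renames the ebuild silently fetches from the old directory; write `SRC_URI="https://www.prelude-siem.org/pkg/src/${PV}/${P}.tar.gz"`. `dev-libs/libprelude` is unversioned although a 3.0.0 release presumably needs a matching libprelude, in which case `>=dev-libs/libprelude-3.0.0` pins it — confirm the minimum against the upstream configure check, which is outside this diff. In EAPI 6 `default_src_prepare` and `default_src_install` are conventionally spelled `default`, and `rm -rv "${D}/run"` should use `"${ED}"` to stay correct under prefix; the `keepdir /var/${PN}` mirrors the `metadata_dir` change in the run.patch, so a comment tying the two together (`# must match metadata_dir in ${P}-run.patch`) keeps them from drifting apart.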