Lead Image © cepixx, 123RF.com
Simple Event Correlator
Log Shepherd
Collecting data is all the rage, but gaining meaningful insights from data is an art form. For example, if you want to find correlations between events in various logfiles, the Simple Event Correlator (SEC) is an obvious choice.
SEC handles a large chunk of the work of security information and event management (SIEM) software, which tries to make sense of a vast amount of data in (security) logs. Unlike, say, OSSIM (Open Source Security Information Management), SEC does not do this proactively; instead, it restricts itself to logfiles that come from other sources.
If you are looking forward to an installation marathon, you will be disappointed: The small tool is ultimately just a Perl script. The remaining files are documentation and various startup scripts that integrate SEC into various Linux distributions, FreeBSD, and Solaris. An installation program does not exist, so you need to copy the man page and binary manually to a suitable location. SEC was developed around 2000 by Risto Vaarandi, but the latest version is from January 2014.
The functional principle of SEC is to look for patterns in logfiles and, if found, initiate a predetermined action. The program can handle multiple logfiles simultaneously and perform actions that can depend on each other in many ways. SEC offers a wide range of preconfigured options. If that's not enough, you can still edit Perl code, which will probably cover most applications.
For the simplest case, SEC uses the Single rule type in which a single find of the pattern triggers an action. The syntax looks like this:
type=Single ptype=RegExp pattern=Failed password for root desc=Matched: $0 action=logonly
The rule type in the first line is followed by the pattern type (here, regular expression), the search pattern, the variable definition for the pattern description, and finally the action to perform. To test the configuration, you only need to store it in a file,
...
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
US / Canada
UK / Australia
Related content
-
Detecting security threats with Apache Spot
Security vulnerabilities often remain unknown when the data they reveal is buried in the depths of logfiles. Apache Spot uses big data and machine learning technologies to sniff out known and unknown IT security threats. -
Set up and operate security monitoring throughout the enterprise
We describe some basic considerations for choosing a Security Information and Event Management system and designing its implementation. -
Automate complex IT infrastructures with StackStorm
StackStorm is an open source, event-based platform for runbook automation. -
Advanced monitoring techniques for Azure VMs on Linux
We delve into advanced monitoring methods for enhancing the performance and security of Linux-based Azure virtual machines. -
A modern logging solution
As systems grow more complex and distributed, managing and making sense of logs used for monitoring, debugging, and troubleshooting can become a daunting task. Fluentd and its lighter counterpart Fluent Bit can help you unify data collection and consumption to make sense of logging data.
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Most Popular
Support Our Work
ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.
