SEC 2.3.2 review
SEC is an open source and platform independent event correlation tool that was designed to fill the gap between commercial event correlation systems and homegrown solutions that usually comprise a few simple shell scripts.
SEC accepts input from regular files, named pipes, and standard input, and can thus be employed as an event correlator for any application that is able to write its output events to a file stream.
The SEC configuration is stored in text files as rules, each rule specifying an event matching condition, an action list, and optionally a Boolean expression whose truth value decides whether the rule can be applied at a given moment.
Regular expressions, Perl subroutines, etc. are used for defining event matching conditions. SEC can produce output events by executing user-specified shell scripts or programs (e.g., snmptrap or mail), by writing messages to pipes or files, and by various other means.
Here are some key features of "SEC":
Event correlation for HP OpenView NNM
Event correlation for HP OpenView Operations management server and agents
Event management for CiscoWorks
Event management for BMC Patrol
Event correlation for Nagios
Event consolidation and correlation for Snort IDS
Log file monitoring and analysis (used in place of swatch and logsurfer)
Supported Operations:
The following event correlation rule types are currently implemented in SEC:
Single - match input event and execute an action list.
SingleWithScript - match input event and execute an action list, if an external script or program returns a certain exit value.
SingleWithSuppress - match input event and execute an action list, but ignore the following matching events for the next t seconds.
Pair - match input event, execute an action list, and ignore the following matching events until some other input event arrives. On the arrival of the second event execute another action list.
PairWithWindow - match input event and wait for t seconds for another input event to arrive. If that event is not observed within the given time window, execute an action list. If the event arrives on time, execute another action list.
SingleWithThreshold - count matching input events during t seconds and if a given threshold is exceeded, execute an action list and ignore the following matching events during the remaining time window. The window of t seconds is sliding.
SingleWith2Thresholds - count matching input events during t1 seconds and if a given threshold is exceeded, execute an action list. Then start the counting of matching events again and if their number per t2 seconds drops below the second threshold, execute another action list. Both event correlation windows are sliding.
Suppress - suppress matching input event (used to keep the event from being matched by later rules).
Calendar - execute an action list at specific times.
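An added example, not part of the original page and not SEC's own code: a simplified Python model of the sliding window described for SingleWithThreshold, run over constructed sshd log lines. The function name, the sample lines, keying each counting operation by the regex groups, and firing when the count reaches the threshold are assumptions of this sketch.

```python
import re

# Constructed sample input: (epoch seconds, log text). Not real log data.
SAMPLE = [
    (0,   "sshd[411]: Failed password for root from 192.0.2.7"),
    (50,  "sshd[412]: Failed password for root from 192.0.2.7"),
    (70,  "sshd[413]: Failed password for root from 192.0.2.7"),
    (100, "sshd[414]: Failed password for root from 192.0.2.7"),
    (105, "sshd[415]: Failed password for root from 192.0.2.7"),
    (115, "sshd[416]: Failed password for root from 192.0.2.7"),
    (200, "sshd[417]: Accepted password for alice from 192.0.2.9"),
]
PATTERN = re.compile(r"Failed password for (\S+) from (\S+)")

def single_with_threshold(events, pattern, window, thresh):
    """Return [(time, key)] for each point where the action list would run."""
    ops = {}    # key -> {"times": [event times], "fired": bool}
    fired = []
    for now, line in events:
        m = pattern.search(line)
        if not m:
            continue
        key = m.groups()    # assumption: one counting operation per user/source
        op = ops.get(key)
        if op and now - op["times"][0] >= window:
            if op["fired"]:
                op = None   # suppression period is over, start afresh
            else:
                # Slide: keep only events from the last `window` seconds.
                op["times"] = [t for t in op["times"] if now - t < window]
                if not op["times"]:
                    op = None
        if op is None:
            op = ops[key] = {"times": [], "fired": False}
        if op["fired"]:
            continue        # ignored for the remainder of the window
        op["times"].append(now)
        if len(op["times"]) >= thresh:
            op["fired"] = True
            fired.append((now, key))
    return fired

if __name__ == "__main__":
    # Fixed windows [0,60) and [60,120) would each see only two events;
    # the sliding window catches the three events at t=50, 70 and 100.
    print(single_with_threshold(SAMPLE, PATTERN, window=60, thresh=3))
```

With these lines the action runs once, at t=100, and the events at t=105 are suppressed until the window that began at t=50 ends.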
Rules allow not only shell commands to be executed as actions, but they can also:
create and delete contexts that decide whether a particular rule can be applied at a given moment,
associate events with a context and report collected events at a later time (a similar feature is supported by logsurfer),
generate new events that will be input for other rules,
reset correlation operations that have been started by other rules,
spawn external event, fault, or knowledge analysis modules,
etc.
This makes it possible to combine several rules and form more complex event correlation schemes.
What's New in This Release:
Calls to Sys::Syslog functions are now enclosed in eval { }, in order to trap die() calls from those functions.
Modified pattern matching functions.
Input source names are now also passed as parameters to PerlFunc and NPerlFunc pattern functions.