Saturday, June 23, 2007

SEC - simple event correlator

I'm a huge fan of brilliantly simple Linux applications that strive to do one thing and do it extremely well.

My favorite Linux applications of all time meet the above criteria: OpenVPN, OpenSSH, netcat, Linux-HA, CARP, iptables, Nmap, Cacti, Wireshark, syslog-ng, and Vim.

My latest infatuation is with a utility called SEC, the simple event correlator. SEC is much like Swatch, but more powerful due to its advanced features.

Swatch seems to be limited to single event matching. When an event is matched, it must immediately be acted upon. With SEC, it is a breeze to create a rule set to accomplish the following: "If there are 10 ssh attempts within a 1 minute window, then send an alert. Then send another alert after ssh attempts have ceased for 2 minutes." This level of analysis cannot be done in Swatch without extensive external scripting.

Other nice features include reporting a group of events at a later time and reading multiple input streams.

I wrote the simple SEC rule set below to collate events entering a VPN log matching severity level 1 or 2 and kick off an email report of collected events no more frequently than every two minutes.

#Rule 1
type=Single
ptype=RegExp
pattern=(SEV=[12])
context=!EVENT_CONTEXT
continue=TakeNext
desc=$0
action=create EVENT_CONTEXT 120 ( report EVENT_CONTEXT /usr/bin/mail -s 'VPN device alert' networkalerts@ooze.us )

#Rule 2
type=Single
ptype=RegExp
pattern=(SEV=[12])
context=EVENT_CONTEXT
desc=$0
action=add EVENT_CONTEXT $0

SEC evaluates input one line at a time. For each line read, rules are evaluated sequentially until a match is found. There are two rules in the above configuration.

Rule 1
  • The rule type for the first rule is Single. SEC has several useful event correlation rule types. 'Single' matches input and executes an action list.
  • The ptype or pattern type is regular expression.
  • The pattern we are looking for in this example is SEV=1 or SEV=2. If a line matches, the context for this rule is evaluated.
  • Contexts can be created and deleted and are used to determine whether or not an action should be applied at the given moment. They can also be used to report collected events at a later time. "context=!EVENT_CONTEXT" tests for the existence of the EVENT_CONTEXT context and negates the result, so the rule applies only while EVENT_CONTEXT does not exist. In this example, if it does not exist, the action is executed.
  • "continue=TakeNext" causes SEC to pass this line of input to the next rule in the list, instead of stopping after the action is executed.
  • The action is to create a context called EVENT_CONTEXT. This context is set to expire after 2 minutes and email the entire contents of the context upon expiry.
Rule 2
  • The pattern for this rule is the same. All events matched by rule 1 are also caught and processed by this rule, thanks to the identical pattern and the TakeNext entry in rule 1.
  • EVENT_CONTEXT now exists, thanks to the action taken in rule 1.
  • The action for this rule is that an entry is added to EVENT_CONTEXT. $0 means that the entire line of the event will be added to the context. New entries matching the pattern can be added to this context for up to two minutes, at which point the context expires and its contents are delivered via email, per rule 1.
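
The SSH scenario quoted earlier ("10 ssh attempts within a 1 minute window ... ceased for 2 minutes") maps onto SEC's SingleWith2Thresholds rule type. The rule below is an added example, not part of the original post. It assumes OpenSSH "Failed password" syslog lines as input, uses alerts@example.com as a placeholder recipient, and counts per source address, which goes one step beyond the scenario as stated.

```conf
# Added example (not from the original post): SSH attempt alerting.
# Assumptions: input lines are OpenSSH "Failed password" syslog messages;
# alerts@example.com is a placeholder address.
#
# desc is the correlation key. Including $1 (the source address) keeps a
# separate counter for each address; use a constant desc to count all
# attempts together.
# window/thresh:   alert when 10 matching lines arrive within 60 seconds.
# window2/thresh2: after that alert, send a second one once 0 matching
#                  lines have been seen for 120 seconds.
# %s expands to desc in action and to desc2 in action2.
# All comments sit above the rule because a comment line ends a rule
# definition in an SEC configuration file.
type=SingleWith2Thresholds
ptype=RegExp
pattern=sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+)
desc=10 or more SSH login failures within 1 minute from $1
action=pipe '%s' /usr/bin/mail -s 'SSH alert' alerts@example.com
window=60
thresh=10
desc2=SSH login failures from $1 have ceased for 2 minutes
action2=pipe '%s' /usr/bin/mail -s 'SSH alert cleared' alerts@example.com
window2=120
thresh2=0
```
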
More details on SEC can be found here:
SEC Project Home
SEC manpage