401
403
on the next line. Lines which begin with #-symbol are treated as comments and
402
404
ignored (whitespace characters may precede #-symbol). Any comment line,
403
405
empty line, or end of the file will terminate the preceding rule definition.
407
rule was designed for matching input events that require
408
immediate action to be taken. Its rule definition has the following
412
fixed to Single (value is case insensitive, so single or sIngLe can be
415
.I "continue (optional)"
416
TakeNext or DontCont (values are case insensitive). The first specifies that
417
search for matching rules will continue after the match (i.e., matching input
418
line(s) will be passed to the next rule), the second will quit the search.
421
keyword is missing from the rule definition, DontCont is assumed.
424
RegExp[<number>], SubStr[<number>], NRegExp[<number>], or NSubStr[<number>]
425
(values are case insensitive). Specifies the type of the pattern
428
lines the pattern was designed to match. If type begins with RegExp, pattern
429
is assumed to be a regular expression. If type begins with SubStr, pattern is
430
assumed to be a substring that will be searched in input line(s). NRegExp
431
and NSubStr are similar to RegExp and SubStr, except the result of the match
432
is negated. If <number> is given, pattern will be compared with last <number>
433
input lines. If <number> is omitted, 1 is assumed.
436
regular expression or substring that input line(s) will be compared with in
437
order to detect an event. If the regular expression matches the input line(s)
438
or the substring is found in the input line(s) (the original result of the
439
comparison will be negated for NRegExp and NSubStr), rule is considered
440
matching and action is executed. All regular expression constructs that Perl
441
allows are allowed here. For example, if case insensitive matching is desired
442
then (?i) can be prepended to the regular expression (see
407
Before describing each rule type in detail, patterns and pattern types,
408
context expressions, and action lists are discussed, since they are
409
important parts of the rule definition.
410
.SS "PATTERNS AND PATTERN TYPES"
411
SEC supports the following pattern types (if <number> is omitted, 1 is
414
.I "SubStr[<number>]"
415
pattern is assumed to be a substring that will be searched in last <number>
416
input line(s). If the substring is found, the pattern matches.
417
The backslash constructs \\t, \\n, \\r, \\s, and \\0 can be used in the
418
pattern to denote tabulation, newline, carriage return, space character, and
419
empty string, while \\\\ denotes backslash itself. As an example, consider
420
the following pattern definition:
424
pattern=Backup done:\\tsuccess
426
The pattern matches lines containing "Backup done:<TAB>success".
428
.I "RegExp[<number>]"
429
pattern is assumed to be a regular expression that last <number> input
430
line(s) are compared with. If the pattern matches, backreference values will
431
be assigned to the special variables $1, $2, ..., and the matching input
432
line(s) will be assigned to the special variable $0. These special variables
433
can be used in some other parts of the rule definition.
434
All regular expression constructs that Perl allows are allowed in the
444
for more information).
445
If pattern is a substring then backslash constructs \\t, \\n, \\r, \\s,
446
and \\0 can be used to denote tabulation, newline, carriage return, space
447
character, and empty string, while \\\\ denotes backslash itself.
449
.I "context (optional)"
450
logical expression that consists of context names and Perl miniprograms
451
as operands; operands are combined with logical operators !, &&, ||, and
452
parentheses. If the operand begins with =, it is considered to be a Perl
453
miniprogram that will be executed by calling Perl
455
function; otherwise the operand is considered to be a context name.
457
If the context name <context name> refers to an existing context, the value
458
of the operand <context name> is considered to be TRUE.
460
If the Perl miniprogram <code> was successfully compiled and
462
returns TRUE for it in Perl scalar context, the value of
463
the operand <code> is considered to be TRUE. Note that since the Perl
464
miniprogram may contain operators that clash with the operators of the context
465
expression itself (e.g., '!'), it is strongly recommended to enclose the Perl
466
miniprogram in parentheses, e.g., consider the following context expression:
468
context= =({my($temp) = 0; return !$temp;}) && !MYCONTEXT
470
(also see VARIABLES AND EVAL section for more information).
472
If the truth value of the logical expression is TRUE, then the rule matches;
473
otherwise the rule is considered not matching.
477
was a regular expression with bracketing constructs, then
478
$1, $2, ... special variables can be used in context names to get the
479
backreference values, and special variable $0 can also be used to get the
480
input line(s) that were matched by
483
If the logical expression is enclosed in square brackets [ ], e.g.,
485
context=[MYCONTEXT1 && !MYCONTEXT2]
488
instruct SEC to evaluate the expression _before_ pattern matching operation,
491
is compared with input line(s) (the outermost set of brackets will be
492
removed by SEC during configuration file parsing). This could save CPU time
493
when many of the input lines are known to match
495
but not the logical expression.
498
textual description of detected event. If
500
was a regular expression and bracketing constructs were used inside it, then
501
$1, $2, ... special variables can be used in event description to get the
502
backreference values, and special variable $0 can also be used to get the
503
input line(s) that were matched by
505
The event description formed here can be referenced by %s.
508
list of actions separated by semicolons that will be executed when event
510
Action definition starts by keyword specifying the action type, followed by
511
additional parameters. If
513
was a regular expression and bracketing constructs were used inside it, then
514
$1, $2, ... special variables can be used in additional parameters to get the
515
backreference values, and special variable $0 can also be used to get the
516
input line(s) that were matched by
518
Also, the following variables can be used:
520
%s - event description string
437
for more information). As an example, consider the following pattern
442
pattern=(?i)(\\S+\\.mydomain).*printer: toner\\/ink low
444
The pattern matches "printer: toner/ink low" messages in a case insensitive
445
manner from printers belonging to .mydomain. Note that the printer hostname
446
is assigned to $1, while the whole message line is assigned to $0.
448
.I "PerlFunc[<number>]"
449
pattern is assumed to be a Perl function that last <number> input
450
line(s) are compared with. The Perl function is compiled at SEC startup by
455
must return a code reference for the pattern to be valid (also see VARIABLES
456
AND EVAL section for more information).
457
In order to check whether the pattern matches, SEC will call the function
458
in list context and pass last <number> input line(s) to the function as
460
If the function returns several values or a single value that is TRUE in
461
boolean context, the pattern matches. If the pattern matches, return values
462
will be assigned to the special variables $1, $2, ..., and the matching input
463
line(s) will be assigned to the special variable $0. These special variables
464
can be used in some other parts of the rule definition. As an example,
465
consider the following pattern definition:
469
pattern=sub { return ($_[0] cmp $_[1]); }
471
The pattern compares two last input lines in a stringwise manner, and
472
matches if the lines are different. Note that the result of the comparison
473
is assigned to $1, while the two input lines are concatenated and assigned
476
.I "NSubStr[<number>]"
478
.IR "SubStr[<number>]" ,
479
except the result of the match is negated.
481
.I "NRegExp[<number>]"
483
.IR "RegExp[<number>]" ,
484
except the result of the match is negated.
486
.I "NPerlFunc[<number>]"
488
.IR "PerlFunc[<number>]" ,
489
except the result of the match is negated.
492
pattern is assumed to be a truth value with TRUE and FALSE being legitimate
493
values for the pattern. TRUE always matches an input line while FALSE never
494
matches an input line.
496
Note that since Pair and PairWithWindow rules have two pattern definitions,
497
special variables $<number> set by the first pattern are shadowed when the
498
second pattern matches and sets the variables. In order to access the shadowed
499
variables, they must be referred to as %<number> (e.g., instead of $1 one has
500
to write %1). Also note that the second pattern of Pair and PairWithWindow
501
rules may contain $<number> variables, if the second pattern is of type
502
SubStr, NSubStr, Regexp, or NRegExp. The variables are substituted at
503
runtime with the values set by the first pattern.
504
.SS "CONTEXT EXPRESSIONS"
505
Context expression is a logical expression that consists of context names,
506
Perl miniprograms, and Perl functions as operands; operands are combined with
507
operators ! (logical NOT), && (logical AND), || (logical OR), and parentheses.
508
Context expressions are employed for activating or deactivating rules -
509
the truth value of the rule's context expression must be TRUE for the rule
512
If the operand contains the arrow (->), the text following the arrow
513
is considered to be a Perl function that will be compiled at SEC startup by
518
must return a code reference for the operand to be valid (also
519
see VARIABLES AND EVAL section for more information).
520
If any text precedes the arrow, it is considered to be the list of parameters
522
Parameters are separated by whitespace and may contain $<number> and
523
%<number> special variables. In order to evaluate the Perl function operand,
524
the function with its parameter list will be called in scalar context. If
525
the return value of the function is TRUE in boolean context, the truth value
526
of the operand is TRUE, otherwise its truth value is FALSE.
528
If the operand begins with the equal sign (=), the following text is
529
considered to be a Perl miniprogram. The miniprogram may contain $<number>
530
and %<number> special variables. In order to evaluate the Perl miniprogram
531
operand, it will be executed by calling Perl
533
function in scalar context (also see VARIABLES AND EVAL section for more
534
information). If the return value of the miniprogram is TRUE in boolean
535
context, the truth value of the operand is TRUE, otherwise its truth value
538
Note that since Perl functions, miniprograms, and parameter lists may contain
539
strings that clash with the operators of the context expression (e.g., '!'),
540
it is strongly recommended to enclose them in parentheses, e.g.,
542
($1 $2) -> (sub { return ($_[0] != $_[1]); })
544
=({my($temp) = 0; return !$temp;})
546
If the operand is not a Perl function or program, it is considered to be
547
a context name. Context name may contain $<number> and %<number> special
548
variables. If the context name refers to an existing context, the truth
549
value of the operand is TRUE, otherwise its truth value is FALSE.
551
If the whole context expression is enclosed in square brackets [ ], e.g.,
552
.BR "[MYCONTEXT1 && !MYCONTEXT2]" ,
553
SEC evaluates the expression _before_ pattern matching operation (normally
554
the pattern is compared with input line(s) first, so that $<number> and
555
%<number> variables in the context expression could be replaced with their
556
values). Evaluating context expression first could save CPU time when many of
557
the input lines are known to match the pattern but not the context expression,
558
and the expression does not contain any variables.
560
As an example, consider the following context expressions:
562
-> ( sub { my(@stat) = stat("/var/log/messages"); \\
564
return (!scalar(@stat) || time() - $stat[9] > 3600); } )
566
($1 $2) -> (sub { return ($_[0] != $_[1]); }) && C1
568
!(C1 || C2) && =("$1" eq "myhost.mydomain")
570
The first expression is TRUE when the /var/log/messages file does not exist
571
or was last modified more than 1 hour ago. The second expression is TRUE
572
when variables $1 and $2 are numerically not equal and the context
575
The third expression is TRUE when contexts
579
do not exist and the $1 variable equals to the string "myhost.mydomain".
580
Note that the Perl code of the third expression is compiled each time the
581
expression is evaluated.
583
Action list consists of action definitions that are separated by semicolons.
584
Each action definition begins with a keyword specifying the action type,
585
followed by additional parameters. Additional parameters that do not have
586
a constant nature may contain $<number> and %<number> special variables.
587
Also, the following variables can be used in non-constant parameters:
589
%s - event description string (set either by the
593
parameter of the rule definition).
522
595
%t - textual timestamp (as returned by
562
does. In order to use semicolons inside the <filename> or <event text>
563
parameter, the parameter must be enclosed in parentheses (the outermost set
564
of parentheses will be removed by SEC during configuration file parsing).
565
.IP "shellcmd <shellcmd>"
566
shell command <shellcmd> is executed. %-variables can be used in <shellcmd>.
642
.I "shellcmd <shellcmd>"
643
Shell command <shellcmd> is executed. If the
569
645
option was specified, %s will be converted to '%s' before supplying it to
646
shell command (see the
574
options). In order to use semicolons inside the <shellcmd>
575
parameter, the parameter must be enclosed in parentheses (the outermost set
576
of parentheses will be removed by SEC during configuration file parsing).
577
.IP "spawn <shellcmd>"
652
.I "spawn <shellcmd>"
580
action, except the following: every line from the standard output of
655
action, except the following - every line from the standard output of
581
656
<shellcmd> is treated like SEC input line and matched against the rules.
582
657
This is done by applying
583
658
.I "event 0 <line>"
584
to every line from standard output (see
659
to every line from standard output (see the
586
661
action). Note that if <shellcmd> outputs a large data set at once, SEC
587
662
will process it all at once, so if <shellcmd> enters an endless "busy write"
588
663
loop, it will block SEC from doing anything other than processing its output.
589
In order to use semicolons inside the <shellcmd> parameter,
590
the parameter must be enclosed in parentheses (the outermost set of
591
parentheses will be removed by SEC during configuration file parsing).
592
.IP "pipe '<event text>' [<shellcmd>]"
593
Event <event text> is fed to the standard input of shell command <shellcmd>
594
(apostrophes are used to mark the beginning and end of the event text, in
595
order to distinguish it from <shellcmd>). %-variables can be used in
596
<event text> and <shellcmd>.
665
.I "pipe '<event text>' [<shellcmd>]"
666
Event string <event text> and terminating newline are fed to the standard
667
input of shell command <shellcmd> (apostrophes are used to mark the beginning
668
and end of <event text>, in order to distinguish it from <shellcmd>).
597
669
If <event text> is omitted and there is nothing between apostrophes, %s is
598
assumed for <event text> (i.e., event description string is fed to <shellcmd>).
599
If <shellcmd> is omitted, <event text> is written to standard output.
600
In order to use semicolons inside the <event text> or <shellcmd>
601
parameter, the parameter must be enclosed in parentheses (the outermost set
602
of parentheses will be removed by SEC during configuration file parsing).
603
.IP "create [<name> [<time> [<action list>] ] ]
604
context with the name <name>, with the lifetime of <time> seconds, and with
605
empty event store is created (<name> may not contain spaces).
606
%-variables can be used in context name <name>.
607
If <name> is omitted, %s is assumed for its value
608
(i.e., context with the name of event description is created).
670
assumed for <event text>. If <shellcmd> is omitted, <event text> is written
673
.I "create [<name> [<time> [<action list>] ] ]
674
Context with the name <name>, with the lifetime of <time> seconds, and with
675
empty event store is created (<name> may not contain spaces, and <time> is
676
an integer constant). If <name> is omitted, %s is assumed for its value.
609
677
Specifying 0 as <time> or omitting the value means infinite lifetime.
610
678
If <action list> is specified, it will be executed when context's lifetime is
611
679
exceeded. If <action list> is made up of more than one action, semicolons
612
680
must be used to separate the actions, and the list must be enclosed in
613
parentheses. In order to use semicolons inside the <name> parameter,
614
the parameter must be enclosed in parentheses (the outermost set of
615
parentheses will be removed by SEC during configuration file parsing).
616
If already existing context is recreated with
681
parentheses. If already existing context is recreated with
618
683
its lifetime will be extended for <time> seconds and its event store will
620
.IP "delete [<name>]"
621
context with the name <name> is deleted (<name> may not contain spaces).
622
%-variables can be used in context name <name>.
623
If <name> is omitted, %s is assumed for its value
624
(i.e., context with the name of event description is deleted).
687
Context with the name <name> is deleted (<name> may not contain spaces).
688
If <name> is omitted, %s is assumed for its value.
625
689
If non-existing context is deleted, no operation will be performed.
626
In order to use semicolons inside the <name> parameter,
627
the parameter must be enclosed in parentheses (the outermost set of
628
parentheses will be removed by SEC during configuration file parsing).
629
.IP "set <name> <time> [<action list>]
630
settings for the context with the name <name> will be changed (<name> may
631
not contain spaces). New lifetime of the context will be <time> seconds with
632
optional <action list> to be executed when the lifetime is exceeded. Event
633
store of the context will not be changed by
691
.I "obsolete [<name>]"
694
except the action list of the context <name> (if the context has an action
695
list) will be executed before deletion.
697
.I "set <name> <time> [<action list>]
698
Settings for the context with the name <name> will be changed (<name> may
699
not contain spaces, and <time> is an integer constant). New lifetime of the
700
context will be <time> seconds with optional <action list> to be executed
701
when the lifetime is exceeded. Event store of the context will not be changed
635
%-variables can be used in context name <name>.
636
704
Specifying 0 as <time> means infinite lifetime.
637
705
If <action list> is made up of more than one action, semicolons must be
638
706
used to separate the actions, and the list must be enclosed in parentheses.
639
In order to use semicolons inside the <name> parameter, the parameter must
640
be enclosed in parentheses (the outermost set of parentheses will be removed
641
by SEC during configuration file parsing).
642
.IP "alias <name> [<alias>]"
643
An alias name <alias> will be created for the context with the name <name>.
708
.I "alias <name> [<alias>]"
709
An alias name <alias> will be created for the context with the name <name>
710
(<name> and <alias> may not contain spaces).
644
711
After the name <alias> has been created for a context, the context can be
645
referred to by using both <alias> and <name>. %-variables can be used in
646
<name> and <alias>. If <alias> is omitted, %s is assumed for its value. If
647
context with the name <name> does not exist, or the name <alias> already
712
referred to by using both <alias> and <name>. If <alias> is omitted, %s is
713
assumed for its value.
714
If context with the name <name> does not exist, or the name <alias> already
648
715
exists, the alias will not be created. Internally, SEC does not distinguish
649
716
in any way between <alias> and <name> - they are both pointers to the same
650
context data structure. This means that all SEC configuration file directives
651
that are valid for <name> are also valid for <alias>. Note that since <alias>
652
and <name> are pointers to the same context, it makes no difference whether
717
context data structure. Therefore, it makes no difference whether
653
718
context attributes (like lifetime, event store, etc.) are changed by calling
681
743
and the context will be deleted; otherwise the context will continue to
682
744
exist under another name(s) with its event store and other attributes intact.
683
In order to use semicolons inside the <alias> parameter,
684
the parameter must be enclosed in parentheses (the outermost set of
685
parentheses will be removed by SEC during configuration file parsing).
686
.IP "add <name> [<event text>]"
687
Event <event text> is added to the event store of the context <name>
746
.I "add <name> [<event text>]"
747
Event string <event text> is added to the event store of the context <name>
688
748
(<name> may not contain spaces). Events in the store are ordered by the
689
749
time they were added, and every
691
adds event to the end of the store. %-variables can be used in <name> and
692
<event text>. If <event text>
693
is omitted, %s is assumed for its value (i.e., event description string is
694
added to event store). If context <name> does not exist, the context will
695
be created with infinite lifetime, empty action list and empty event store
751
adds event to the end of the store. If <event text> is omitted, %s is assumed
752
for its value. If context <name> does not exist, the context will be created
753
with infinite lifetime, empty action list and empty event store (as with
697
754
.IR "create <name>" )
698
before adding the event. In order to use semicolons inside
699
the <name> or <event text> parameter, the parameter must be enclosed
700
in parentheses (the outermost set of parentheses will be removed by SEC
701
during configuration file parsing).
702
.IP "fill <name> [<event text>]"
755
before adding the event. If <event text> contains newlines, it will be split
756
into parts by using the newline symbol as a delimiter, and each part is
757
added to the event store as a separate event string.
759
.I "fill <name> [<event text>]"
705
762
except the event store of the context <name> will be emptied before
706
763
<event text> is added.
707
.IP "report <name> [<shellcmd>]"
765
.I "report <name> [<shellcmd>]"
708
766
Event store of the context <name> is reported with shell command <shellcmd>
709
767
(<name> may not contain spaces). Reporting means that events from the store
710
768
are fed to standard input of <shellcmd> in the order they were added into the
711
store, every event on a separate line. %-variables can be used in
712
<name> and <shellcmd>. If <shellcmd> is omitted, events from the store
713
are written to standard output. In order to use semicolons inside
714
the <name> or <shellcmd> parameter, the parameter must be enclosed
715
in parentheses (the outermost set of parentheses will be removed by SEC
716
during configuration file parsing).
717
.IP "copy <name> %<letter>"
769
store, every event on a separate line. If <shellcmd> is omitted, events from
770
the store are written to standard output.
772
.I "copy <name> %<alnum_name>"
718
773
Event store of the context <name> is assigned to a user-defined variable
719
%<letter>. Before assignment takes place, lines from the event store
720
are joined into a scalar by using the newline character as the separator
721
(as with Perl join("\\n", @array)). %-variables can be used in <name>.
722
In order to use semicolons inside the <name> parameter, the parameter must
723
be enclosed in parentheses (the outermost set of parentheses will be removed
724
by SEC during configuration file parsing).
725
.IP "empty <name> [%<letter>]"
774
%<alnum_name> (<name> may not contain spaces). Before assignment takes
775
place, lines from the event store are joined into a scalar by using the
776
newline character as the separator (as with Perl join("\\n", @array)).
778
.I "empty <name> [%<alnum_name>]"
728
781
except the event store of the context <name> will be emptied after it
729
has been assigned to the variable %<letter>. If %<letter> is omitted,
782
has been assigned to the variable %<alnum_name>. If %<alnum_name> is omitted,
731
784
simply removes all lines from the event store.
732
.IP "event [<time>] [<event text>]"
733
after <time> seconds a synthetic event <event text> is created. SEC treats
734
the <event text> string exactly like line(s) read from input - it is inserted
735
into the input buffer in order to compare it with rules. %-variables can be
736
used in <event text>. If <event text> is omitted, %s is assumed for its value
737
(i.e., event description string is inserted into the input buffer).
786
.I "event [<time>] [<event text>]"
787
After <time> seconds a synthetic event <event text> is created (<time> is an
788
integer constant). SEC treats the <event text> string exactly like line(s)
789
read from input - it is inserted into the input buffer in order to compare it
790
with rules. If <event text> is omitted, %s is assumed for its value.
738
791
Specifying 0 as <time> or omitting the value means now. If <event text>
739
contains newlines, it will be split into parts by using the newline symbol as
740
a delimiter, and each part is submitted with
742
action separately. In order to use semicolons inside the <event text>
743
parameter, the parameter must be enclosed in parentheses (the outermost set
744
of parentheses will be removed by SEC during configuration file parsing).
745
.IP "reset [<rule_number>] [<event text>]"
746
cancel event correlation operations that are currently detecting the
747
composite event <event text>, i.e., SEC will terminate event correlation
748
operations that have <event text> in their keys as event description string
749
(if such operations exist, see RULES AND EVENT CORRELATION OPERATIONS section
750
for more information). If there are multiple configuration files specified,
792
contains newlines, it will be split into parts by using the newline symbol as
793
a delimiter, and each part is created as a separate synthetic event.
795
.I "reset [<rule_number>] [<event text>]"
796
Cancel event correlation operations that are currently detecting the
797
composite event <event text> (<rule_number> is a string constant), i.e.,
798
SEC will terminate event correlation operations that have <event text> in
799
their keys as event description string (if such operations exist, see
800
RULES AND EVENT CORRELATION OPERATIONS section for more information).
801
If there are multiple configuration files specified,
752
803
can cancel only those correlation operations that have been started by the
753
804
rules from the same configuration file where the
755
806
action itself is defined.
756
%-variables can be used in <event text>.
757
If <event text> is omitted, %s is assumed for its value (i.e.,
758
correlation operation that is detecting the composite event equal to event
759
description string is cancelled).
807
If <event text> is omitted, %s is assumed for its value.
760
808
Since correlation operations started by different rules may detect composite
761
809
events that have identical description strings, rule number can be optionally
762
810
specified to point to a correlation operation that was started by a specific
763
811
rule (1 means first rule in the configuration file, 2 means second, etc.;
764
812
0 denotes the current rule).
765
813
If + or - is prepended to <rule_number>, it is considered to be an offset
766
from current rule (for example, -1 means previous rule and +1 next rule).
814
from current rule (e.g., -1 means previous rule and +1 next rule).
767
815
For example, if a rule definition with the
769
817
action is given in the configuration file named my.conf, then
774
822
.I "reset Counting linkdown events"
775
823
will terminate event correlation operations with keys "my.conf | X | Counting
776
824
linkdown events", where X runs from 0 to N-1 and N is the number of rules in
777
the configuration file my.conf. If there is no operation with a given key,
825
the configuration file my.conf. If no operation with a given key exists,
779
827
will take no action.
780
In order to use semicolons inside the <event text> parameter,
781
the parameter must be enclosed in parentheses (the outermost set of
782
parentheses will be removed by SEC during configuration file parsing).
783
.IP "assign %<letter> [<text>]"
784
Text <text> is assigned to a user-defined variable %<letter>. %-variables
785
(including %<letter> itself) can be used in <text>. If <text> is omitted,
786
%s is assumed for its value. In order to use semicolons inside
787
the <text> parameter, the parameter must be enclosed in parentheses (the
788
outermost set of parentheses will be removed by SEC during configuration
790
.IP "eval %<letter> <code>"
829
.I "assign %<alnum_name> [<text>]"
830
Text <text> is assigned to a user-defined variable %<alnum_name>. If <text>
831
is omitted, %s is assumed for its value.
833
.I "eval %<alnum_name> <code>"
791
834
The parameter <code> is assumed to be a Perl miniprogram that will be executed
794
function for it and storing the return value(s) to an internal array (this
795
allows the miniprogram to return both scalar and list values).
796
The array elements are joined into a scalar by using the newline character as
797
the separator (as with Perl join("\\n", @array)), and the scalar is assigned
798
to the variable %<letter>. If
837
function in list context. If the miniprogram returns a single value, it will
838
be assigned to the variable %<alnum_name>. If the miniprogram returns several
839
values, they will be joined into a scalar by using the newline character as
840
a separator (as with Perl join("\\n", @array)), and the scalar will be
841
assigned to the variable %<alnum_name>. If no value is returned or
800
fails, nothing is assigned to the variable %<letter>.
801
%-variables (including %<letter> itself) can be used in <code>. Note that
843
fails, no assignment will take place.
844
Note that before calling
804
%-variables are replaced with their values and therefore can't be used as
805
lvalues. Since most Perl programs contain semicolons which are also used
806
by SEC as separators between actions, it is recommended to enclose
846
$<number>, %<number>, and %<alnum_name> variables in the miniprogram are
847
replaced with their values and therefore can't be used as lvalues.
848
Since most Perl programs contain semicolons which are also
849
used by SEC as separators between actions, it is recommended to enclose
807
850
the <code> parameter in parentheses, in order to avoid the inperpretation
808
of semicolons inside the code by SEC (the outermost set of parentheses
809
will be removed by SEC during configuration file parsing). Also see
810
VARIABLES AND EVAL section for more information.
851
of semicolons inside the code by SEC. Also see VARIABLES AND EVAL section for
854
.I "call %<alnum_name1> %<alnum_name2> [<parameter list>]"
855
The parameter %<alnum_name2> is assumed to be a reference to a Perl function
856
that was created previously with the
858
action. The function will be called in list context by passing optional
859
parameter list to the function (parameters are separated by whitespace).
860
If the function returns a single value, it will
861
be assigned to the variable %<alnum_name1>. If the function returns several
862
values, they will be joined into a scalar by using the newline character as
863
a separator (as with Perl join("\\n", @array)), and the scalar will be
864
assigned to the variable %<alnum_name1>. If no value is returned or
865
%<alnum_name2> is not a code reference, no assignment will take place.
866
Also see VARIABLES AND EVAL section for more information.
870
spawn /bin/tail -f /var/log/trapd.log
872
Follow the /var/log/trapd.log file and feed to SEC input all lines that are
873
appended to the file.
875
pipe '%t: $0' /bin/mail -s "alert message" root@localhost
877
Mail the timestamp and the value of the $0 variable to the local root.
879
add ftp_$1 $0; set ftp_$1 1800 (report ftp_$1 /bin/mail root@localhost)
881
Add the value of the $0 variable to the event store of the context
882
.BR "ftp_<the value of $1>" .
883
Also extend the context's lifetime for 30 minutes, so that when the context's
884
lifetime is exceeded, its event store will be mailed to the local root.
886
eval %funcptr ( sub { my(@buf) = split(/\\n/, $_[0]); \\
888
my(@ret) = grep(!/^#/, @buf); return @ret; } ); \\
890
copy C1 %in; call %out %funcptr %in; fill C1 %out
892
Create a subroutine for weeding out comment lines from the input list, and
893
use this subroutine for removing comment lines from the event store of the
813
897
As already noted, SEC context expressions and action lists may contain
814
898
parentheses which are used for grouping and masking purposes. When SEC parses
815
899
its configuration, it checks whether parentheses in context expressions and
906
1034
TakeNext or DontCont (values are case insensitive).
909
RegExp[<number>], SubStr[<number>], NRegExp[<number>], or NSubStr[<number>]
910
(values are case insensitive).
1037
pattern type (value is case insensitive).
913
regular expression or substring that input line(s) will be compared with in
914
order to detect an event.
916
1042
.I "context (optional)"
917
context definition. If
919
was a regular expression then $0, $1, $2, ... special variables can be used
923
1046
script that is executed after
925
has matched some input line(s). The names of all existing contexts are fed
1050
have matched some input line(s). The names of all existing contexts are fed
926
1051
to the standard input of the script, a name per line.
927
1052
If the script returns zero for its exit value,
929
1054
will be executed; if the script returns non-zero,
931
will be executed (if given). If
933
was a regular expression then $0, $1, $2, ... special variables can be used
1056
will be executed (if given).
937
textual description of detected event. If
939
was a regular expression then $0, $1, $2, ... special variables can be used
940
in this field. The event description formed here can be referenced by %s.
1059
textual description of detected event.
943
1062
action list that will be executed when
945
has matched some input line(s) and
947
returns zero for its exit value. If
949
was a regular expression then $0, $1, $2, ... special variables can be used
1064
returns zero for its exit value.
952
1066
.I "action2 (optional)"
953
1067
action list that will be executed when
955
has matched some input line(s) and
957
returns non-zero for its exit value. If
959
was a regular expression then $0, $1, $2, ... special variables can be used
962
Note that since the runtime of the script that is specified by the
1069
returns non-zero for its exit value.
1078
parameters may contain $<number> variables.
1080
Also note that since the runtime of the script that is specified by the
964
1082
parameter is not limited in any way, waiting for that script
965
1083
to complete could freeze the entire event processing for an indefinite
966
1084
amount of time. Therefore, once the
968
parameter has matched input line(s), SEC does not wait for the script to
1088
parameters have matched input line(s), SEC does not wait for the script to
969
1089
complete but rather continues its work. The exit value of the script
970
1090
will be fetched when the script actually terminates, and depending on
971
1091
the exit value, either
1091
1207
TakeNext or DontCont (values are case insensitive). Specifies if
1092
1208
input line(s) that match
1094
1212
will be passed to the next rule.
1097
RegExp[<number>], SubStr[<number>], NRegExp[<number>], or NSubStr[<number>]
1098
(values are case insensitive).
1215
pattern type (value is case insensitive).
1101
regular expression or substring that input line(s) will be compared with in
1102
order to detect event A.
1218
pattern for detecting event A.
1104
1220
.I "context (optional)"
1105
context definition. If
1107
was a regular expression then $0, $1, $2, ... special variables can be used
1111
textual description of event A. If
1113
was a regular expression then $0, $1, $2, ... special variables can be used
1114
in this field. The event description formed here can be referenced by %s.
1224
textual description of event A.
1117
1227
action list that will be executed when event A is first observed. Following
1118
instances of event A will be ignored. If
1120
was a regular expression then $0, $1, $2, ... special variables can be used
1228
instances of event A will be ignored.
1123
1230
.I "continue2 (optional)"
1124
1231
TakeNext or DontCont (values are case insensitive). Specifies if
1125
1232
input line(s) that match
1127
1236
will be passed to the next rule.
1130
RegExp[<number>], SubStr[<number>], NRegExp[<number>], or NSubStr[<number>]
1131
(values are case insensitive).
1239
pattern type (value is case insensitive).
1134
regular expression or substring that input line(s) will be compared with in
1135
order to detect event B. If
1137
was a regular expression then $0, $1, $2, ... special variables can be used
1242
pattern for detecting event B.
1140
1244
.I "context2 (optional)"
1141
context definition. If
1145
parameter was a regular expression, then $0, $1, $2, ... special variables
1146
can be used in this field. If
1148
was a regular expression, then values of
1150
are used, otherwise values of
1154
In the special case where both
1158
were regular expressions, %0, %1, %2, ... special variables can be used to
1161
while $0, $1, $2, ... refer to values of
1165
textual description of event B. If
1169
parameter was a regular expression, then $0, $1, $2, ... special variables
1170
can be used in this field. If
1172
was a regular expression, then values of
1174
are used, otherwise values of
1178
In the special case where both
1182
were regular expressions, %0, %1, %2, ... special variables can be used to
1185
while $0, $1, $2, ... refer to values of
1187
The event description formed here can be referenced by %s.
1248
textual description of event B.
1190
action list that will be executed when event B is observed. If
1194
parameter was a regular expression, then $0, $1, $2, ... special variables
1195
can be used in this field. If
1197
was a regular expression, then values of
1199
are used, otherwise values of
1203
In the special case where both
1207
were regular expressions, %0, %1, %2, ... special variables can be used to
1210
while $0, $1, $2, ... refer to values of
1251
action list that will be executed when event B is observed. After executing
1253
the event correlation operation terminates.
1213
1255
.I "window (optional)"
1275
1340
TakeNext or DontCont (values are case insensitive). Specifies if input
1276
1341
line(s) that match
1278
1345
will be passed to the next rule.
1281
RegExp[<number>], SubStr[<number>], NRegExp[<number>], or NSubStr[<number>]
1282
(values are case insensitive).
1348
pattern type (value is case insensitive).
1285
regular expression or substring that input line(s) will be compared with in
1286
order to detect event A.
1351
pattern for detecting event A.
1288
1353
.I "context (optional)"
1289
context definition. If
1291
was a regular expression then $0, $1, $2, ... special variables can be used
1295
textual description of event A. If
1297
was a regular expression then $0, $1, $2, ... special variables can be used
1298
in this field. The event description formed here can be referenced by %s.
1357
textual description of event A.
1301
1360
action list that is executed after event A was observed and event B did not
1302
appear within given time window. If
1304
was a regular expression then $0, $1, $2, ... special variables can be used
1361
appear within the given time window.
1307
1363
.I "continue2 (optional)"
1308
1364
TakeNext or DontCont (values are case insensitive). Specifies if input
1309
1365
line(s) that match
1311
1369
will be passed to the next rule.
1314
RegExp[<number>], SubStr[<number>], NRegExp[<number>], or NSubStr[<number>]
1315
(values are case insensitive).
1372
pattern type (value is case insensitive).
1318
regular expression or substring that input line(s) will be compared with in
1319
order to detect event B. If
1321
was a regular expression then $0, $1, $2, ... special variables can be used
1375
pattern for detecting event B.
1324
1377
.I "context2 (optional)"
1325
context definition. If
1329
parameter was a regular expression, then $0, $1, $2, ... special variables
1330
can be used in this field. If
1332
was a regular expression, then values of
1334
are used, otherwise values of
1338
In the special case where both
1342
were regular expressions, %0, %1, %2, ... special variables can be used to
1345
while $0, $1, $2, ... refer to values of
1347
The event description formed here can be referenced by %s.
1350
textual description of event B. If
1354
parameter was a regular expression, then $0, $1, $2, ... special variables
1355
can be used in this field. If
1357
was a regular expression, then values of
1359
are used, otherwise values of
1363
In the special case where both
1367
were regular expressions, %0, %1, %2, ... special variables can be used to
1370
while $0, $1, $2, ... refer to values of
1372
The event description formed here can be referenced by %s.
1381
textual description of event B.
1375
1384
action list that is executed after event A was observed and event B appeared
1376
within given time window. If
1380
parameter was a regular expression, then $0, $1, $2, ... special variables
1381
can be used in this field. If
1383
was a regular expression, then values of
1385
are used, otherwise values of
1389
In the special case where both
1393
were regular expressions, %0, %1, %2, ... special variables can be used to
1396
while $0, $1, $2, ... refer to values of
1385
within the given time window. After executing
1387
the event correlation operation terminates.
1400
1390
size of the time window in seconds.
1400
parameters may contain $<number> variables. The
1402
parameter may contain $<number> variables if
1404
supports variable substitutions at runtime. If
1406
shadows the $<number> variables of
1413
parameters may contain %<number> variables.
1404
1417
type=PairWithWindow
2006
1999
it takes more time from the shell to process and start cmd1 than cmd2).
2007
2000
.SH VARIABLES AND EVAL
2008
2001
There are two kinds of variables that can be used in SEC rule definitions -
2009
$<number> and %<number> variables that hold regular expression backreference
2010
values, and %<letter> variables (like %s, %t, and %u) that have been designed
2011
for use in action lists. Backreference variables will always be evaluated
2012
first, and the evaluation takes place right after the corresponding regular
2013
expression has matched the input event.
2014
All the $<number> and %<number> variables will be replaced with the
2015
backreference values at once, even when they are part of the action list
2016
definition and this action list is going to be executed at a later time.
2017
%<letter> variables, in turn, will be evaluated right before the action list
2018
is actually executed. Note that %<letter> variables are currently limited to
2019
have names of 1 character from the set A-Za-z (i.e., the Latin alphabet).
2020
If a variable does not have a value (e.g., $4 when there are just two
2021
backreference values), it will be left intact, i.e., it is not replaced with
2002
$<number> and %<number> variables that are set during pattern matching,
2003
and %<alnum_name> variables (like %s, %t, and %u) that have been designed
2004
for use in action lists.
2005
All $<number> and %<number> variables will be substituted with their values
2006
immediately after input line(s) have matched the rule, even when they are
2007
part of the action list definition and this action list is going to be
2008
executed at a later time.
2009
%<alnum_name> variables, in turn, will be substituted with their values right
2010
before the action list is actually executed.
2011
If a variable does not have a value (e.g., $4 when the pattern returned just
2012
two values), it will be left intact, i.e., it is not replaced with an empty
2024
2015
In order to mask the variables, an extra $ or % must be prepended to them,
2025
e.g., $$1 evaluates to $1, and not a dollar sign followed by the first
2026
backreference value. Also, all occurrences of $$ will be converted to $
2027
when $<number> variables are evaluated, and all occurrences of %% will be
2028
converted to % when %<number> or %<letter> variables are evaluated,
2016
e.g., $$1 yields $1, and not a dollar sign followed by the first value
2017
returned by the pattern. Also, all occurrences of $$ will be converted to $
2018
when $<number> variables are substituted, and all occurrences of %% will be
2019
converted to % when %<number> or %<alnum_name> variables are substituted,
2029
2020
so that one could use $ or % together with variable names (e.g., $$$1 will
2030
yield a dollar sign that is followed by the first backreference value).
2031
Please note the following caveat for the Pair* rules which employ
2032
a regular expression for their second pattern: since both %<number> and
2033
%<letter> variables may be used in the second action list, and %<number>
2034
variables are evaluated first (at the moment when the first pattern matches
2035
input line(s) and an event correlation operation is started), all occurrences
2036
of %% in the second action list have been already replaced with a single
2037
percent sign by the time when %<letter> variables are finally evaluated.
2021
yield a dollar sign that is followed by the first value returned by
2024
Please note the following caveat for Pair and PairWithWindow rules when
2025
the second pattern shadows the $<number> variables of the first pattern -
2026
since both %<number> and %<alnum_name> variables may be used in the second
2027
action list and %<number> variables are substituted first (at the moment
2028
when the first pattern matches input line(s) and the event correlation
2029
operation is started), all occurrences of %% in the second action list have
2030
already been replaced with a single percent sign by the time when
2031
%<alnum_name> variables are finally substituted.
2038
2032
(E.g., in order to express %%t in the second action list, one must actually
2039
2033
write it as %%%%t or %%%t, since after %% to % conversion they both yield
2042
SEC allows the user to define context expressions and actions which involve
2036
SEC allows the user to define patterns, context expressions, and actions
2037
which involve calls to Perl
2047
the user can execute arbitrary Perl programs. Furthermore, in addition
2048
to explicitly using %<letter> variables that are global across the rules,
2049
the user can implicitly employ Perl global variables created by
2039
function. In addition to explicitly using %<alnum_name> variables that are
2040
global across the rules, the user can implicitly employ Perl variables created
2051
2043
for the same purpose. E.g., when SEC has executed the following action
2053
2045
action=eval %a ($b = 1)
2055
the variable $b and its value will become visible for the subsequent calls to
2057
and with the following context expression
2047
the variable $b and its value will become visible in the following context
2059
2050
context= =(++$b > 10)
2061
one can, for instance, implement event counting implicitly.
2052
(with that expression one can implement event counting implicitly).
2062
2053
In order to avoid possible clashes with the variables inside the SEC
2063
2054
code itself, all calls for
2065
2056
are made in the main::SEC namespace (i.e., inside the special package
2067
2058
This still leaves the user with an opportunity to set the variables within
2068
the SEC code (e.g., by using the main:: prefix), and thus alter the behavior
2059
the SEC code (e.g., by using the main:: prefix), and thus to alter the behavior
2069
2060
of SEC, but this is only recommended for advanced users who have studied the
2070
2061
code thoroughly and know what they are doing.