2
.\" SEC (Simple Event Correlator) 2.7.3 - sec.man
2
.\" SEC (Simple Event Correlator) 2.7.4 - sec.man
3
3
.\" Copyright (C) 2000-2013 Risto Vaarandi
5
5
.\" This program is free software; you can redistribute it and/or
16
16
.\" along with this program; if not, write to the Free Software
17
17
.\" Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
19
.TH sec 1 "May 2013" "SEC 2.7.3"
19
.TH sec 1 "June 2013" "SEC 2.7.4"
21
21
sec \- simple event correlator
81
SEC is a tool for accomplishing event correlation tasks in the domains of
82
log analysis, system monitoring, network and security management, etc.
85
SEC is an event correlation tool for advanced event processing which can
86
be harnessed for event log monitoring, for network and security management,
87
for fraud detection, and for any other task which involves event correlation.
83
88
Event correlation is a procedure where a stream of events is processed,
84
89
in order to detect (and act on) certain event groups that occur within
85
90
predefined time windows. Unlike many other event correlation products which
86
91
are heavyweight solutions, SEC is a lightweight and platform-independent
87
event correlator which runs as a single process.
92
event correlator which runs as a single process. The user can start it as
93
a daemon, employ it in shell pipelines, execute it interactively in
94
a terminal, run many SEC processes simultaneously for different tasks,
95
and use it in a wide variety of other ways.
89
97
SEC reads lines from files, named pipes, or standard input,
90
98
matches the lines with patterns (regular expressions, Perl subroutines, etc.)
101
by writing to files, by calling precompiled Perl subroutines, etc.
103
Some rules start event correlation operations, while other rules react
109
by writing to files, by sending data to TCP and UDP based servers,
110
by calling precompiled Perl subroutines, etc.
112
SEC can be run in various ways. For example, the following command line
113
starts it as a daemon, in order to monitor events appended to the
114
/var/log/messages syslog file with rules from /etc/sec/syslog.rules:
116
/usr/bin/sec --detach --conf=/etc/sec/syslog.rules \\
117
--input=/var/log/messages
119
Each time /var/log/messages is rotated, a new instance of /var/log/messages
120
is opened and processed from the beginning. The following command line
121
runs SEC in a shell pipeline, configuring it to process lines from standard
122
input, and to exit when the /usr/bin/nc tool closes its standard output
125
/usr/bin/nc -l 8080 | /usr/bin/sec --notail --input=- \\
126
--conf=/etc/sec/my.conf
128
Some SEC rules start event correlation operations, while other rules react
104
129
immediately to input events or system clock. For example, suppose that SEC
105
130
has been started with the following command line
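Review bot: the shell-pipeline example at new lines 125-126 feeds SEC from an unauthenticated TCP listener (/usr/bin/nc -l 8080), while new lines 109-110 state that rules react by writing to files, sending data to servers and calling Perl subroutines; a sentence noting that everything a remote peer sends to that port becomes rule input, and that rules driven by such input should be written with that in mind, would help readers who copy the example as-is.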
331
356
if an input file is in the closed state (e.g., SEC fails to open the file at
332
357
startup, because it has not been created yet), SEC will attempt
333
358
to reopen the file after every <reopen_timeout> seconds until open succeeds.
359
This option has no meaning when the
361
option is also specified.
335
363
.B \-\-reopen_timeout
449
477
option is specified, SEC will process all data that are currently available
450
in input files and exit after reaching all EOFs. Default is
478
in input files and exit after reaching all EOFs.
479
If all input is received from a pipe and the
481
option is given, SEC terminates when the last writer closes the pipe
482
(EOF condition). Please note that with named pipes
454
option, SEC follows an input file both by its name and i-node, and thus
455
handles input file rotations seamlessly.
488
option, SEC will jump to the end of input files and wait for new lines to
490
Each input file is tracked both by its name and i-node, and
491
input file rotations are handled seamlessly.
456
492
If the input file is recreated or truncated, SEC will reopen it and process
457
493
its content from the beginning. If the input file is removed (i.e., there is
458
494
just an i-node left without a name), SEC will keep the i-node open and wait
459
495
for the input file recreation.
461
499
.BR \-\-fromstart ", " \-\-nofromstart
462
500
these flags have no meaning when the
518
555
.BR \-\-nokeepopen .
557
.BR \-\-rwfifo ", " \-\-norwfifo
560
option is specified, named pipe input files are opened in read-only mode.
561
In this mode, the named pipe has to be reopened when the last writer
562
closes the pipe, in order to clear the EOF condition on the pipe. With the
564
option, named pipe input files are opened in read-write mode, although
565
SEC never writes to the pipes. In this mode, the pipe does not need to be
566
reopened when an external writer closes it, since there is always at least
567
one writer on the pipe and EOF will never appear. Therefore, if the
569
option has been given,
571
should also be specified.
575
.BR \-\-childterm ", " \-\-nochildterm
578
option is specified, SEC will send the SIGTERM signal to all its child processes
579
when it terminates or goes through a full restart. Default is
520
582
.BR \-\-intevents ", " \-\-nointevents
521
583
SEC will generate internal events when it starts up, when it receives
522
584
certain signals, and when it terminates gracefully. Specific rules can be
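Review bot: the rewrite at new lines 477-478 drops the trailing "Default is" sentence that old line 450 carried for the EOF-handling behaviour, while the new --childterm entry (line 579) does state its default; keep a default statement for --tail/--notail in the new text as well, since the daemon and pipeline examples in DESCRIPTION (new lines 116-126) rely on readers knowing which behaviour they get without the flag.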
1171
1233
However, several signals cause the file to be closed and reopened
1172
1234
(see SIGNALS section for more information).
1173
1235
Default value for <string> is %s.
1237
.I owritecl <filename> [<string>]
1240
action, except that the file <filename> is opened and closed at each write.
1241
Also, the string <string> is written without a terminating newline.
1242
If the file has already been opened by a previous
1246
does not use existing filehandle, but opens and closes the file separately.
1175
1248
.I udgram <filename> [<string>]
1176
1249
String <string> is written to the UNIX datagram socket <filename>
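Review bot: the owritecl description (new lines 1240-1246) says the file is opened and closed at each write but not in which mode; state whether the open truncates the file or appends to it, because the difference matters for a regular file target versus a named pipe (the logger example later in the page uses owritecl precisely to produce EOF on a pipe). Minor: "does not use existing filehandle" at line 1246 should read "does not use the existing filehandle".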
3332
3404
signal (this event will be the first event that SEC sees after reloading
3333
3405
its configuration)
3407
SEC_LOGROTATE - generated after SEC has received the
3409
signal (this event will be the first event that SEC sees after reopening
3410
its log file and closing its outputs)
3335
3412
SEC_SHUTDOWN - generated when SEC receives the
3337
3414
signal, or when SEC reaches all EOFs of input files after being started with
3340
option. After generating SEC_SHUTDOWN event, SEC sleeps for 3 seconds
3341
before sending SIGTERM to its child processes (if a child process was created
3342
immediately before SEC_SHUTDOWN, this delay leaves the process enough
3343
time for setting the signal handler for SIGTERM).
3419
option, SEC sleeps for 3 seconds after generating SEC_SHUTDOWN event, and then
3420
sends SIGTERM to its child processes (if a child process was triggered by
3421
SEC_SHUTDOWN, this delay leaves the process enough time for setting a signal
3422
handler for SIGTERM).
3345
3424
Before generating an internal event, SEC sets up a context named
3346
3425
SEC_INTERNAL_EVENT, in order to disambiguate internal events from
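Review bot: the SEC_SHUTDOWN text at new lines 3419-3422 presents the fixed 3-second sleep as sufficient for a just-spawned child to install its SIGTERM handler; that is a timing heuristic rather than a guarantee (a loaded host or a slow interpreter start-up can exceed it), so the sentence should say the delay is fixed and that a child needing reliable cleanup must not depend on it.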
3396
3475
After forking an external program, SEC continues immediately, and checks
3397
3476
the program status periodically until the program exits. The running time of
3398
a child process is not limited in any way, and before finishing gracefully,
3477
a child process is not limited in any way. With the
3479
option, SEC sends the
3401
signal to all child processes that are still running.
3481
signal to all child processes when it terminates.
3402
3482
If some special exit procedures need to be accomplished in the child process
3403
3483
(or the child wishes to ignore
3420
3500
action=spawn exec /usr/local/bin/myscript.pl 2>/var/log/myscript.log
3422
Finally, note that if an action list includes two actions which fork
3502
Note that if an action list includes two actions which fork
3423
3503
external programs, the execution order these programs is not determined
3424
3504
by the order of actions in the list, since both programs are running
3425
3505
asynchronously.
3428
3508
.IR "action=shellcmd cmd1; shellcmd cmd2" ,
3429
3509
use the shell && operator and write
3430
3510
.IR "action=shellcmd cmd1 && cmd2" ).
3512
Sometimes it is desireable to start an external program and provide it with
3513
data from several rules. In order to create such setup, names pipes can be used.
3514
For example, if /var/log/pipe is a named pipe, then
3516
action=shellcmd /usr/bin/logger -f /var/log/pipe -p user.notice
3518
starts the /usr/bin/logger utility which sends all lines read from /var/log/pipe
3519
to the local syslog daemon with the "user" facility and "notice" level.
3520
In order to feed events to /usr/bin/logger, the
3522
action can be used (e.g.,
3523
.IR "write /var/log/pipe This is my event" ).
3524
Although SEC keeps the named pipe open across different
3526
actions, the pipe will be closed on the reception of SIGHUP, SIGABRT and SIGUSR2
3528
Since a number of command line tools terminate on receiving EOF from input, they
3529
need restarting after such signals have arrived. For this purpose, the
3531
option and SEC internal events can be used. For example, the following rule starts
3532
the /usr/bin/logger utility at SEC startup, and also restarts it after the reception
3533
of relevant signals:
3539
pattern=^(?:SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART|SEC_LOGROTATE)$
3541
context=SEC_INTERNAL_EVENT
3543
desc=start the logger tool
3545
action=free %emptystring; owritecl /var/log/pipe %emptystring; \\
3546
shellcmd /usr/bin/logger -f /var/log/pipe -p user.notice
3548
Note that if /var/log/pipe is never opened for writing by a
3550
action, /usr/bin/logger will never see EOF and will thus not terminate. The
3552
action opens and closes /var/log/pipe, in order to ensure the presence of EOF
3431
3554
.SH PERL INTEGRATION
3432
3555
SEC supports patterns, context expressions, and actions
3433
3556
which involve calls to the Perl
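Review bot: typos in the added named-pipe paragraph: "desireable" (new line 3512) should be "desirable" and "names pipes" (line 3513) should be "named pipes"; the unchanged line 3503 is also missing a word and should read "the execution order of these programs". On the example rule at lines 3539-3546, the context=SEC_INTERNAL_EVENT line is doing real work: the pattern ^(?:SEC_STARTUP|...)$ on its own would also match an ordinary input line consisting solely of the text SEC_STARTUP and restart the logger, so the prose should say that the context check is what binds the rule to SEC's own internal events (the point made at new lines 3424-3425).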
3598
3714
desc=Save all SEC contexts into /tmp/SEC_CONTEXTS on shutdown
3600
3716
action=lcall %ret -> ( sub { \\
3602
3717
Storable::store(\\%main::context_list, "/tmp/SEC_CONTEXTS"); } )
3604
3719
However, note that modifying data structures within SEC code is recommended
3605
3720
only for advanced users who have carefully studied relevant parts of the code.
3722
Finally, sometimes larger chunks of Perl code have to be used for event
3723
processing and correlation. However, writing many lines of code directly
3724
into a rule is cumbersome and may decrease its readability. In such cases
3725
it is recommended to separate the code into a custom Perl module which
3726
is loaded at SEC startup, and use the code through the module interface
3729
for further details):
3737
context=SEC_INTERNAL_EVENT
3739
desc=Load the SecStuff module
3741
action=eval %ret (require '/usr/local/sec/SecStuff.pm'); \\
3742
if %ret ( none ) else ( eval %o exit(1) )
3748
pattern=sub { return SecStuff::my_match($_[0]); }
3750
desc=event '$0' was matched by my_match()
3754
.SS Example 1 - a ruleset for Cisco events
3608
3755
This section presents an example rulebase for managing Cisco devices.
3609
3756
It is assumed that the managed devices have syslog
3610
3757
logging enabled, and that all syslog messages are sent to a central host
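Review bot: the Storable example at new lines 3716-3717 writes the whole context list to /tmp/SEC_CONTEXTS, a fixed name in a world-writable directory; since contexts can carry event data taken from system logs, suggest pointing the example at a directory owned by the user SEC runs as and saying the file should be readable only by that user. In the same spirit, the module-loading rule at lines 3741-3742 does require('/usr/local/sec/SecStuff.pm') at startup; a sentence that the module's code runs with SEC's privileges and so must not be writable by other users would fit next to the "advanced users" caveat at lines 3719-3720.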
3935
.SS Example 2 - hierarchically organized rulesets for iptables and sshd events
3789
3936
This section presents an example of hierarchically organized rules for
3790
3937
processing Linux iptables events from /var/log/messages and SSH login events
3791
3938
from /var/log/secure. It is assumed that all rule files reside in the
3877
4019
pattern=IPTABLES
3879
4021
context=IPTABLES :> ( sub { return exists($_[0]->{"SYN"}) && \\
3881
4022
exists($_[0]->{"FIN"}) ; } ) \\
3883
4023
&& !SUPPRESS_IP_$+{SRC}
3885
4025
desc=SYN+FIN flood from host $+{SRC}
3887
4027
action=pipe '%t: %s' /bin/mail -s 'iptables alert' root@localhost; \\
3889
4028
create SUPPRESS_IP_$+{SRC} 3600
3899
4038
pattern=IPTABLES
3901
4040
context=IPTABLES :> ( sub { return exists($_[0]->{"SYN"}) && \\
3903
4041
!exists($_[0]->{"ACK"}) ; } ) \\
3905
4042
&& !SUPPRESS_IP_$+{SRC}
3907
4044
desc=SYN flood from host $+{SRC}
3909
4046
action=pipe '%t: %s' /bin/mail -s 'iptables alert' root@localhost; \\
3911
4047
create SUPPRESS_IP_$+{SRC} 3600
3979
4112
pattern2=SSH_LOGIN
3981
4114
context2=SSH_LOGIN :> \\
3983
4115
( sub { return $_[0]->{"status"} eq "Accepted"; } ) && \\
3985
4116
$+{user} %+{user} $+{srcip} %+{srcip} -> \\
3987
4117
( sub { return $_[0] eq $_[1] && $_[2] eq $_[3]; } )
3989
4119
desc2=User $+{user} logged in successfully from $+{srcip} within 60s
4065
4195
(these will be reopened on demand), reload its configuration, and
4066
4196
drop *all* event correlation state (all event correlation operations
4067
4197
will be terminated, all contexts will be deleted, all action list variables
4068
will be erased, etc.).
4069
SEC will also send the
4198
will be erased, etc.). With the
4200
option, SEC will also send the
4071
4202
signal to its child processes.
4107
4238
if SEC is running non-interactively (e.g., in daemon mode).
4110
SEC will terminate gracefully (all SEC child processes will receive
4241
SEC will terminate gracefully. With the
4243
option, all SEC child processes will receive
4113
4246
With some locale settings, apostrophes (') in this man page might
4114
4247
be displayed incorrectly. As a workaround, set the LANG environment