71
69
[-testonly | -notestonly]
73
[-separator=<separator>]
75
SEC is a tool that was designed to solve event correlation tasks in
76
network and system management. Event correlation is a process where a
77
stream of primitive events is processed in order to detect
75
SEC is a tool that was designed for accomplishing various event correlation
76
tasks in the domains of system monitoring, network and security management,
77
etc. Event correlation is a process where a stream of primitive events is
78
processed in order to detect
78
79
.I composite events
79
80
that correspond to event patterns in the event stream.
81
82
After startup SEC reads lines from files, named pipes, or standard input,
82
matches the lines with regular expressions to recognize input events, and
83
matches the lines with patterns (regular expressions, Perl subroutines, etc.)
84
for recognizing input events, and
83
85
correlates events according to the rules in its configuration file(s).
84
86
In order to detect a composite event, rules are used
85
87
sequentially in the same order as they are given in the configuration
151
153
that the correlation operation is trying to detect (see RULES AND EVENT
152
154
CORRELATION OPERATIONS section for more information).
154
Rules allow not only shell commands to be executed as actions,
155
but among other options it is also possible to create and delete contexts
156
that decide whether a particular rule can be applied at the moment, generate
157
synthetic events that will act as input for other rules, and reset correlation
158
operations that have been started by other rules. This makes it possible to
156
Rules support not only the execution of shell commands as actions, but also
157
the creation and deletion of contexts that decide whether a particular rule
158
can be applied at a given moment, the generation of synthetic events that
159
will act as input for other rules, the clearing of correlation operations
160
that have been started by other rules, etc. This makes it possible to
159
161
combine several rules and form more complex event correlation schemes.
160
162
Contexts can not only be used for activating or deactivating a particular
161
163
rule, but they can also serve as event stores (in
162
164
.BR logsurfer (1)
163
the contexts are used in a similar way). There are actions for adding event
165
the contexts are used in a similar way). There are actions for adding events
164
166
to a context, reporting all events associated with a context, etc. By using
165
the features of SEC in an appropriate way, one can solve a wide range of event
166
correlation and event consolidation tasks.
167
the features of SEC in an appropriate way, one can accomplish a wide range
168
of event correlation and event consolidation tasks.
169
.B "-conf=<file pattern>"
170
expand <file pattern> to filenames (with Perl
171
.B -conf=<file pattern>
172
expand <file pattern> to filenames (with the Perl
172
174
function) and read event correlation rules from every file. Multiple
174
options can be specified on commandline. Each time SEC receives a signal
176
options can be specified at command line. Each time SEC receives a signal
175
177
that forces a configuration reload, <file pattern> is re-evaluated. See also
176
178
TIMING AND IPC section for a discussion about the rule processing order when
177
179
multiple configuration files are involved.
179
.B "-input=<file pattern>[=<context>]"
180
expand <file pattern> to filenames (with Perl
181
.B -input=<file pattern>[=<context>]
182
expand <file pattern> to filenames (with the Perl
182
184
function) and use the files as event sources. An input file can be a regular
183
185
file, named pipe, or standard input if
185
187
was specified. Multiple
187
options can be specified on commandline. Each time SEC receives a signal
189
options can be specified at command line. Each time SEC receives a signal
188
190
that forces it to reopen its input files, <file pattern> is re-evaluated.
189
191
If SEC experiences a system error when reading from an input file, it will
190
close the file. If <context> is given, SEC will set up the context <context>
191
each time it reads a line from input files that correspond to
192
<file pattern>. This will help the user to write rules that match data from
192
close the file (use the
194
option for reopening the file). If <context> is given, SEC will set up the
195
context <context> each time it reads a line from input files that correspond
196
to <file pattern>. This will help the user to write rules that match data from
193
197
particular input source(s) only. When there is an
195
199
option with <context> specified, it will automatically enable the
197
201
option. See TIMING AND IPC section for more information.
199
.B "-input_timeout=<input_timeout>"
201
.B "-timeout_script=<timeout_script>"
203
.BR -input_timeout=<input_timeout> ", " -timeout_script=<timeout_script>
202
204
if SEC has not observed new data in an input file during <input_timeout>
203
205
seconds (or the file was closed <input_timeout> seconds ago), <timeout_script>
204
will be executed with commandline parameters 1 and <the name of the input
206
will be executed with command line parameters 1 and <the name of the input
205
207
file>. If fresh data become available again, <timeout_script> will be executed
206
with commandline parameters 0 and <the name of the input file>.
208
with command line parameters 0 and <the name of the input file>.
208
.B "-reopen_timeout=<reopen_timeout>"
209
if SEC has not observed new data in an input file during <reopen_timeout>
210
seconds (or the file was closed <reopen_timeout> seconds ago), SEC will
211
attempt to reopen this input file. If the attempt fails, SEC will try again
212
after every <reopen_timeout> seconds until open succeeds.
214
.B "-poll_timeout=<poll_timeout>"
210
.B -reopen_timeout=<reopen_timeout>
211
if an input file is in closed state (e.g., because SEC has failed to open it
212
at startup), SEC will attempt to reopen this input file after every
213
<reopen_timeout> seconds until open succeeds.
215
.B -check_timeout=<check_timeout>
216
if SEC has not observed new data in an input file, SEC will not poll the file
217
(both for status and data) during the next <check_timeout> seconds.
219
.B -poll_timeout=<poll_timeout>
215
220
a real number that specifies how many seconds SEC will sleep when no new data
216
221
were read from input files. Default is 0.1 seconds.
218
.B "-check_timeout=<check_timeout>"
219
if SEC has not observed new data in an input file, SEC will not poll the file
220
(both for status and data) during the next <check_timeout> seconds.
222
.B "-blocksize=<io_block_size>"
223
.B -blocksize=<io_block_size>
223
224
size of the block in bytes that SEC will attempt to read from input files
224
225
at once. Default is 1024 (i.e., read from input files by 1KB blocks).
227
.B -bufsize=<input_buffer_size>
228
set input buffer to hold last <input_buffer_size> lines that have been read
229
from input files. The content of input buffer will be compared with patterns
230
that are part of rule definitions (i.e., no more than <input_buffer_size>
231
lines can be matched by a pattern at a time). Default size is 10 lines.
233
.B -evstoresize=<event_store_size>
234
set an upper limit to the size of context event stores - if an event store
235
already contains <event_store_size> events, SEC will add no more events to
236
that context, regardless of its configuration file directives.
238
.B -cleantime=<clean_time>
239
time interval in seconds that specifies how often internal event correlation
240
and context lists are processed, in order to accomplish time-related tasks
241
and to remove obsolete elements. Default is 1 second.
227
244
use <logfile> for logging SEC activities. Note that if the SEC standard error
228
245
is connected to a terminal, messages will be logged there, in order to
229
246
facilitate debugging. If the
267
285
Default <debuglevel> is 6 (i.e., log everything).
270
use <pidfile> for storing the process ID of SEC.
272
.B "-dump=<dumpfile>"
273
use <dumpfile> as the SEC dumpfile. Default is /tmp/sec.dump (see SIGNALS
274
section for more information).
276
.B "-cleantime=<clean_time>"
277
time interval in seconds that specifies how often internal event correlation
278
and context lists are processed to perform time-related tasks and to remove
279
obsolete elements. Default is 1 second.
281
.B "-bufsize=<input_buffer_size>"
282
set input buffer to hold last <input_buffer_size> lines that have been read
283
from input files. The content of input buffer will be compared with patterns
284
that are part of rule definitions (i.e., no more than <input_buffer_size>
285
lines can be matched by a pattern at a time).
286
Default size is 10 (i.e., 10 lines).
288
.B "-evstoresize=<event_store_size>"
289
set an upper limit to the size of context event stores - if an event store
290
already contains <event_store_size> events, SEC will add no more events to
291
that context, regardless of its configuration file directives. Specifying 0
292
as <event_store_size> or omitting the
294
option means that there is no limit to the size of event stores.
288
SEC will store its process ID to <pidfile> at startup.
291
SEC will use <dumpfile> as its dumpfile. See SIGNALS section for more
292
information. Default is /tmp/sec.dump.
294
.BR -quoting ", " -noquoting
301
297
option is specified, event description strings that are supplied to
342
330
is enabled by default),
344
332
will force SEC to read and process input files from the beginning to
345
the end, before the 'tail' mode is entered. Default is
333
the end, before the 'tail' mode is entered at SEC startup. Default is
346
334
.BR -nofromstart .
336
.BR -detach ", " -nodetach
353
option is specified, SEC will disassociate itself from the controlling
354
terminal and become a daemon (note that SEC will close its standard input,
355
standard output, and standard error, and change its working directory to
356
the root directory). Default is
339
option is specified, SEC will disassociate itself from the controlling
340
terminal and become a daemon at startup (note that SEC will close its standard
341
input, standard output, and standard error, and change its working directory
342
to the root directory). Default is
345
.BR -intevents ", " -nointevents
362
346
SEC will generate internal events when it starts up, when it receives
363
347
certain signals, and when it terminates normally. Specific rules can be
364
348
written to match those internal events, in order to take some action at SEC
366
350
See TIMING AND IPC section for more information. Default is
367
351
.BR -nointevents .
353
.BR -intcontexts ", " -nointcontexts
372
354
SEC will create an internal context when it reads a line from an input file.
373
355
This will help the user to write rules that match data from particular input
374
356
source only. See TIMING AND IPC section for more information. Default is
375
357
.BR -nointcontexts .
359
.BR -testonly ", " -notestonly
382
362
option is specified, SEC will exit immediately after parsing the configuration
383
363
file(s). If the configuration file(s) contained no faulty rules, SEC will exit
384
364
with 0, otherwise with 1. Default is
385
365
.BR -notestonly .
387
.B "-separator=<regexp>"
368
SEC will output usage information and exit.
371
SEC will output version information and exit.
390
373
Note that one can introduce options both with a single dash (-) and double
391
374
dash (--), and also use both an equal sign (=) and whitespace as a separator
392
375
between the option name and the option value, e.g.,
393
.B "-conf=<file pattern>"
376
.B -conf=<file pattern>
395
.B "--conf <file pattern>"
378
.B --conf <file pattern>
397
380
.SH CONFIGURATION FILE
398
The SEC configuration file consists of rule definitions. Each rule
399
definition is made up of key=value pairs, one key and value per line.
400
Values are case sensitive only where character case is important
381
The SEC configuration file consists of rule definitions which are separated
382
by empty and comment lines.
383
Each rule definition is made up of keyword=value pairs, one keyword and value
384
per line. Values are case sensitive only where character case is important
401
385
(like the values specifying regular expressions).
402
\\-symbol may be used at the end of a line to continue the key=value pair
386
\\-symbol may be used at the end of a line to continue the keyword=value pair
403
387
on the next line. Lines which begin with #-symbol are treated as comments and
404
388
ignored (whitespace characters may precede #-symbol). Any comment line,
405
389
empty line, or end of the file will terminate the preceding rule definition.
390
In order to insert comments into the rule definition, the
407
394
Before describing each rule type in detail, patterns and pattern types,
408
395
context expressions, and action lists are discussed, since they are
426
417
The pattern matches lines containing "Backup done:<TAB>success".
428
.I "RegExp[<number>]"
429
pattern is assumed to be a regular expression that last <number> input
430
line(s) are compared with. If the pattern matches, backreference values will
431
be assigned to the special variables $1, $2, ..., and the matching input
432
line(s) will be assigned to the special variable $0. These special variables
433
can be used in some other parts of the rule definition.
434
All regular expression constructs that Perl allows are allowed in the
420
pattern is assumed to be a regular expression that last <number> input
421
lines L1, L2, ..., L<number> are compared with. The input lines are joined
422
into a single string with the newline character acting as a separator, and
423
the resulting string "L1\\nL2\\n...\\nL<number>" is compared with the regular
424
expression pattern. (Note that if <number> is 1, the last input line without
425
a terminating newline is compared with the pattern.)
426
If the pattern matches, backreference values will
427
be assigned to the special variables $1, $2, ..., and the special variable $0
428
will be set to "L1\\nL2\\n...\\nL<number>" (i.e., to the matching input
429
line(s)). These special variables can be used in some other parts of the rule
430
definition. All regular expression constructs that Perl allows are allowed in
437
433
for more information). As an example, consider the following pattern
444
440
The pattern matches "printer: toner/ink low" messages in a case insensitive
445
441
manner from printers belonging to .mydomain. Note that the printer hostname
446
442
is assigned to $1, while the whole message line is assigned to $0.
443
As another example, the following pattern definition
449
produces a match if the last two input lines are AAA and BBB, and sets $0
448
.I "PerlFunc[<number>]"
449
pattern is assumed to be a Perl function that last <number> input
450
line(s) are compared with. The Perl function is compiled at SEC startup by
452
.I PerlFunc[<number>]
453
pattern is assumed to be a Perl function that last <number> input lines
454
L1, L2, ..., L<number> are submitted to. The Perl function is compiled at
455
SEC startup by calling the Perl
455
459
must return a code reference for the pattern to be valid (also see VARIABLES
456
460
AND EVAL section for more information).
457
461
In order to check whether the pattern matches, SEC will call the function
458
in list context and pass last <number> input line(s) to the function as
462
in list context and pass lines L1, L2, ..., L<number> and the names of
463
corresponding input sources S1, S2, ..., S<number> to the function as
466
function(L1, L2, ..., L<number>, S1, S2, ..., S<number>)
468
(if the input line has been generated with the
470
action, its input source name will be set to 'undef').
460
471
If the function returns several values or a single value that is TRUE in
461
472
boolean context, the pattern matches. If the pattern matches, return values
462
will be assigned to the special variables $1, $2, ..., and the matching input
463
line(s) will be assigned to the special variable $0. These special variables
464
can be used in some other parts of the rule definition. As an example,
465
consider the following pattern definition:
473
will be assigned to the special variables $1, $2, ..., and the special
474
variable $0 will be set to "L1\\nL2\\n...\\nL<number>" (i.e., to the matching
475
input line(s)). These special variables can be used in some other parts of
476
the rule definition. As an example, consider the following pattern definition:
469
480
pattern=sub { return ($_[0] cmp $_[1]); }
471
The pattern compares two last input lines in a stringwise manner, and
472
matches if the lines are different. Note that the result of the comparison
473
is assigned to $1, while the two input lines are concatenated and assigned
476
.I "NSubStr[<number>]"
478
.IR "SubStr[<number>]" ,
479
except the result of the match is negated.
481
.I "NRegExp[<number>]"
483
.IR "RegExp[<number>]" ,
484
except the result of the match is negated.
486
.I "NPerlFunc[<number>]"
488
.IR "PerlFunc[<number>]" ,
489
except the result of the match is negated.
482
The pattern compares last two input lines in a stringwise manner ($_[1]
483
holds the last line and $_[0] the preceding one), and matches if the lines
484
are different. Note that the result of the comparison is assigned to $1,
485
while the two input lines are concatenated (with the newline character
486
between them) and assigned to $0.
487
As another example, the following pattern definition
491
pattern=sub { if ($_[0] =~ /(abc|def)/) { \\
493
return defined($_[1]) ? $_[1] : "SEC"; } return 0; }
495
produces a match if the input line contains either the string "abc" or
496
the string "def", and sets $0 to the matching line and $1 to the name of
501
.IR SubStr[<number>] ,
502
except the result of the match is negated.
506
.IR RegExp[<number>] ,
507
except the result of the match is negated.
509
.I NPerlFunc[<number>]
511
.IR PerlFunc[<number>] ,
512
except the result of the match is negated.
492
515
pattern is assumed to be a truth value with TRUE and FALSE being legitimate
493
516
values for the pattern. TRUE always matches an input line while FALSE never
494
517
matches an input line.
670
699
assumed for <event text>. If <shellcmd> is omitted, <event text> is written
671
700
to standard output.
673
.I "create [<name> [<time> [<action list>] ] ]
702
.I create [<name> [<time> [<action list>] ] ]
674
703
Context with the name <name>, with the lifetime of <time> seconds, and with
675
704
empty event store is created (<name> may not contain spaces, and <time> is
676
705
an integer constant). If <name> is omitted, %s is assumed for its value.
677
706
Specifying 0 as <time> or omitting the value means infinite lifetime.
678
If <action list> is specified, it will be executed when context's lifetime is
679
exceeded. If <action list> is made up of more than one action, semicolons
707
If <action list> is specified, it will be executed when the context expires.
708
If <action list> is made up of more than one action, semicolons
680
709
must be used to separate the actions, and the list must be enclosed in
681
710
parentheses. If already existing context is recreated with
683
712
its lifetime will be extended for <time> seconds and its event store will
687
716
Context with the name <name> is deleted (<name> may not contain spaces).
688
717
If <name> is omitted, %s is assumed for its value.
689
718
If non-existing context is deleted, no operation will be performed.
691
.I "obsolete [<name>]"
694
723
except the action list of the context <name> (if the context has an action
695
724
list) will be executed before deletion.
697
.I "set <name> <time> [<action list>]
726
.I set <name> <time> [<action list>]
698
727
Settings for the context with the name <name> will be changed (<name> may
699
728
not contain spaces, and <time> is an integer constant). New lifetime of the
700
729
context will be <time> seconds with optional <action list> to be executed
701
when the lifetime is exceeded. Event store of the context will not be changed
730
when the context expires. Event store of the context will not be changed
704
733
Specifying 0 as <time> means infinite lifetime.
705
734
If <action list> is made up of more than one action, semicolons must be
706
735
used to separate the actions, and the list must be enclosed in parentheses.
708
.I "alias <name> [<alias>]"
737
.I alias <name> [<alias>]
709
738
An alias name <alias> will be created for the context with the name <name>
710
739
(<name> and <alias> may not contain spaces).
711
740
After the name <alias> has been created for a context, the context can be
741
770
action behaves like
743
772
and the context will be deleted; otherwise the context will continue to
744
exist under another name(s) with its event store and other attributes intact.
773
exist under other name(s) with its event store and other attributes intact.
746
.I "add <name> [<event text>]"
775
.I add <name> [<event text>]
747
776
Event string <event text> is added to the event store of the context <name>
748
777
(<name> may not contain spaces). Events in the store are ordered by the
749
778
time they were added, and every
751
adds event to the end of the store. If <event text> is omitted, %s is assumed
752
for its value. If context <name> does not exist, the context will be created
753
with infinite lifetime, empty action list and empty event store (as with
780
appends event to the end of the store. If <event text> is omitted, %s is
781
assumed for its value. If context <name> does not exist, the context will be
782
created with an infinite lifetime, empty action list and empty event store
754
784
.IR "create <name>" )
755
785
before adding the event. If <event text> contains newlines, it will be split
756
into parts by using the newline symbol as a delimiter, and each part is
786
into parts using the newline symbol as a delimiter, and each part is
757
787
added to the event store as a separate event string.
759
.I "fill <name> [<event text>]"
789
.I fill <name> [<event text>]
762
792
except the event store of the context <name> will be emptied before
763
793
<event text> is added.
765
.I "report <name> [<shellcmd>]"
795
.I report <name> [<shellcmd>]
766
796
Event store of the context <name> is reported with shell command <shellcmd>
767
797
(<name> may not contain spaces). Reporting means that events from the store
768
798
are fed to standard input of <shellcmd> in the order they were added into the
769
799
store, every event on a separate line. If <shellcmd> is omitted, events from
770
800
the store are written to standard output.
772
.I "copy <name> %<alnum_name>"
802
.I copy <name> %<alnum_name>
773
803
Event store of the context <name> is assigned to a user-defined variable
774
%<alnum_name> (<name> may not contain spaces). Before assignment takes
775
place, lines from the event store are joined into a scalar by using the
804
%<alnum_name> (<name> may not contain spaces). Before the assignment takes
805
place, lines from the event store are joined into a scalar using the
776
806
newline character as the separator (as with Perl join("\\n", @array)).
778
.I "empty <name> [%<alnum_name>]"
808
.I empty <name> [%<alnum_name>]
781
811
except the event store of the context <name> will be emptied after it
808
838
Since correlation operations started by different rules may detect composite
809
839
events that have identical description strings, rule number can be optionally
810
840
specified to point to a correlation operation that was started by a specific
811
rule (1 means first rule in the configuration file, 2 means second, etc.;
812
0 denotes the current rule).
841
rule (1 means the first rule in the configuration file, 2 means the second,
842
etc.; 0 denotes the current rule).
813
843
If + or - is prepended to <rule_number>, it is considered to be an offset
814
from current rule (e.g., -1 means previous rule and +1 next rule).
844
from the current rule (e.g., -1 means the previous rule and +1 the next rule).
815
845
For example, if a rule definition with the
817
847
action is given in the configuration file named my.conf, then
818
.I "reset 1 Counting linkdown events"
848
.I reset 1 Counting linkdown events
819
849
will terminate the event correlation operation with the key "my.conf | 0 |
820
850
Counting linkdown events" (note that internally the SEC rule IDs start from
822
.I "reset Counting linkdown events"
852
.I reset Counting linkdown events
823
853
will terminate event correlation operations with keys "my.conf | X | Counting
824
854
linkdown events", where X runs from 0 to N-1 and N is the number of rules in
825
855
the configuration file my.conf. If no operation with a given key exists,
827
857
will take no action.
829
.I "assign %<alnum_name> [<text>]"
859
.I assign %<alnum_name> [<text>]
830
860
Text <text> is assigned to a user-defined variable %<alnum_name>. If <text>
831
861
is omitted, %s is assumed for its value.
833
.I "eval %<alnum_name> <code>"
863
.I eval %<alnum_name> <code>
834
864
The parameter <code> is assumed to be a Perl miniprogram that will be executed
837
867
function in list context. If the miniprogram returns a single value, it will
838
868
be assigned to the variable %<alnum_name>. If the miniprogram returns several
839
values, they will be joined into a scalar by using the newline character as
869
values, they will be joined into a scalar using the newline character as
840
870
a separator (as with Perl join("\\n", @array)), and the scalar will be
841
871
assigned to the variable %<alnum_name>. If no value is returned or
1007
1040
(before adding a line, the rule checks if the context exists). After
1008
1041
adding a line, the rule extends context's lifetime for 30 minutes and sets
1009
the action list that will be executed when context times out. The third rule
1042
the action list that will be executed when the context expires. The third rule
1010
1043
mails collected logfile lines to root@localhost when the session <pid> is
1011
1044
closed. Collected lines will also be mailed when the session <pid> has been
1012
1045
inactive for 30 minutes (no logfile lines observed for that session).
1014
1047
Note that the logfile line that has matched the first rule will be passed
1015
1048
to the second rule and will become the first line in the event store
1049
(the first rule has the
1018
parameter set to TakeNext). The second rule has also
1051
parameter set to TakeNext). The second rule has also its
1020
1053
parameter set to TakeNext, since otherwise no logfile lines would reach the
1022
1055
.SS "SINGLEWITHSCRIPT RULE"
1024
1057
.B SingleWithScript
1025
rule was designed to integrate external scripts with SEC event flow.
1026
Its rule definition is similar to the Single rule, except of additional
1058
rule was designed to integrate external scripts with the SEC event flow.
1059
Its rule definition is similar to the Single rule, except of the additional
1031
1064
fixed to SingleWithScript (value is case insensitive).
1033
.I "continue (optional)"
1066
.IR continue " (optional)"
1034
1067
TakeNext or DontCont (values are case insensitive).
1037
1070
pattern type (value is case insensitive).
1042
.I "context (optional)"
1075
.IR context " (optional)"
1043
1076
context expression.
1046
1079
script that is executed after
1454
1499
value, in order to detect a composite event B.
1455
1500
Its rule definition has the following parameters:
1458
1503
fixed to SingleWithThreshold (value is case insensitive).
1460
.I "continue (optional)"
1505
.IR continue " (optional)"
1461
1506
TakeNext or DontCont (values are case insensitive).
1464
1509
pattern type (value is case insensitive).
1467
1512
pattern for detecting event A.
1469
.I "context (optional)"
1514
.IR context " (optional)"
1470
1515
context expression.
1473
1518
textual description of event B.
1476
1521
action list that is executed when
1478
1523
instances of event A have been observed within the given time window. After
1479
1524
that all events A will be ignored during the rest of the time window.
1526
.IR action2 " (optional)"
1527
action list that is executed when the event correlation operation terminates,
1530
has been previously executed by the operation.
1482
1533
size of the time window in seconds. The window is sliding - if event A has
1483
1534
been observed less than
1485
1536
times at the end of the window, the beginning of the window is moved to the
1486
1537
occurrence time of the second instance of event A, and the counting operation
1488
If there is no second instance of event A (i.e., event has been observed only
1489
once), the correlation operation will terminate.
1539
If there is no second instance of event A (i.e., the event has been observed
1540
only once), the correlation operation will terminate.
1492
1543
threshold value.
1545
.IR rem " (optional, may appear more than once)"
1546
remarks and comments.
1543
1597
stay below the second threshold value (in order to detect a composite event C).
1544
1598
Its rule definition has the following parameters:
1547
1601
fixed to SingleWith2Thresholds (value is case insensitive).
1549
.I "continue (optional)"
1603
.IR continue " (optional)"
1550
1604
TakeNext or DontCont (values are case insensitive).
1553
1607
pattern type (value is case insensitive).
1556
1610
pattern for detecting event A.
1558
.I "context (optional)"
1612
.IR context " (optional)"
1559
1613
context expression.
1562
1616
textual description of event B.
1565
1619
action list that is executed when
1567
instances of event A have been observed within time window
1621
instances of event A have been observed within the time window
1569
After that event counting is started again with threshold value
1623
After that event counting continues with the threshold value
1571
1625
and time window
1575
1629
size of the first time window in seconds. The window is sliding.
1578
first threshold value.
1632
the first threshold value.
1581
1635
textual description of event C.
1584
1638
action list that is executed if no more than
1586
instances of event A have been observed within last
1640
instances of event A have been observed during the last
1588
1642
seconds. After executing
1590
1644
the event correlation operation terminates.
1593
1647
size of the second time window in seconds. The window is sliding.
1596
second threshold value.
1650
the second threshold value.
1652
.IR rem " (optional, may appear more than once)"
1653
remarks and comments.
1823
1885
first element of the buffer. Note that when synthetic events have been created
1826
action and new input data is also available in input files, synthetic events
1888
action and new input data are also available in input files, synthetic events
1827
1889
are always read first by SEC. After no more such events are
1828
1890
available for reading, SEC will read new data from input files.
1830
1892
After the buffer has been updated (every update always adds only one
1831
1893
and removes only one line), the rules from configuration files are
1832
processed, comparing the rules against the new content of the input buffer.
1833
Even when a rule matches and its action list specifies an immediate change
1834
in the buffer (e.g., by using the
1894
processed, matching the rules against the new content of the input buffer.
1895
Even when a rule matches and its action list suggests an immediate change
1896
in the buffer (e.g., through the
1836
1898
action), the input buffer will _not_ be updated until all the rules have
1837
been compared against the current content of the buffer.
1899
been compared with the current content of the buffer.
1839
Rules from the same configuration file are compared against the input buffer
1901
Rules from the same configuration file are compared with the input buffer
1840
1902
in the order they were given in that file.
1841
1903
When multiple configuration files have been specified, each file containing
1842
a distinct ruleset, events are processed virtually in parallel - an event is
1843
always submitted for processing to all rulesets. However, the order the
1904
a distinct ruleset, events are processed virtually in parallel - the buffer
1905
is always processed by all rulesets. However, the order the
1844
1906
rulesets are applied during event processing is determined by the order
1845
the files were given at SEC commandline. If a
1907
the files were given at SEC command line. If a
1847
option specifies a pattern, SEC uses Perl
1909
option specifies a pattern, SEC uses the Perl
1849
1911
function to expand the pattern, and the resulting file list is applied by SEC
1850
1912
in the order returned by
2460
2543
signal to its child processes.
2463
SEC will act like it has received
2465
but variables and contexts (and context event stores) will not be deleted,
2466
and SEC will also not send
2468
to its child processes. Note that on some systems
2546
SEC will reopen its log and input files, and load its configuration from
2547
rule files which have been modified (file modification time returned by
2549
has changed) or created after the previous configuration load.
2550
SEC will also cancel event correlation operations started from rule files
2551
that have been modified or removed after the previous configuration load.
2552
Other operations and other event correlation entities
2553
(contexts, variables, child processes, etc.) will remain intact.
2554
Note that on some systems
2470
2556
is used in place of
2474
2560
some information about the current state of SEC (content of internal lists,
2475
2561
rule usage statistics, etc.) will be written to the SEC dumpfile.
2478
SEC will reopen its logfile. Useful for logfile rotating, since it
2479
does not cancel active event correlation operations like
2564
SEC will reopen its logfile (useful for logfile rotation).
2484
2567
SEC will terminate gracefully (all SEC child processes will receive