« back to all changes in this revision
Viewing changes to sec.pl.man
- browse files at revision 4
- compare with another revision
- download diff
- download tarball
- view history from revision 4
- Committer: Bazaar Package Importer
- Author(s): Jaakko Niemi
- Date: 2006-10-28 22:32:35 UTC
- mfrom: (1.2.1 upstream) (3.1.1 dapper)
- Revision ID: james.westby@ubuntu.com-20061028223235-eda4i78p8k992kd6
Tags: 2.4.0-1
* New upstream release
* update standards version, no changes needed
* update standards version, no changes needed
- files added:
- contrib
- files removed:
- convert.pl
- files modified:
- ChangeLog
added
removed
sec.pl.man
1
1
.\"
2
.\" SEC version 2.3.1 - sec.man
3
.\" simple event correlation tool
4
.\"
5
.\" Copyright (C) 2000-2005 Risto Vaarandi
2
.\" SEC (Simple Event Correlator) 2.4.0 - sec.man
3
.\" Copyright (C) 2000-2006 Risto Vaarandi
6
4
.\"
7
5
.\" This program is free software; you can redistribute it and/or
8
6
.\" modify it under the terms of the GNU General Public License
16
14
.\"
17
15
.\" You should have received a copy of the GNU General Public License
18
16
.\" along with this program; if not, write to the Free Software
19
.\" Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
17
.\" Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
20
18
.\"
21
.TH sec 1 "February 2005" "SEC 2.3.1"
19
.TH sec 1 "October 2006" "SEC 2.4.0"
22
20
.SH NAME
23
21
sec \- simple event correlator
24
22
.SH SYNOPSIS
25
23
.TP
26
24
.B sec
27
-conf=<file pattern> ...
25
[-conf=<file pattern> ...]
28
26
.br
29
27
[-input=<file pattern>[=<context>] ...]
30
28
.br
34
32
.br
35
33
[-reopen_timeout=<reopen timeout>]
36
34
.br
35
[-check_timeout=<check timeout>]
36
.br
37
37
[-poll_timeout=<poll timeout>]
38
38
.br
39
[-check_timeout=<check timeout>]
40
.br
41
39
[-blocksize=<io block size>]
42
40
.br
41
[-bufsize=<input buffer size>]
42
.br
43
[-evstoresize=<event store size>]
44
.br
45
[-cleantime=<clean time>]
46
.br
43
47
[-log=<logfile>]
44
48
.br
45
49
[-syslog=<facility>]
50
54
.br
51
55
[-dump=<dumpfile>]
52
56
.br
53
[-cleantime=<clean time>]
54
.br
55
[-bufsize=<input buffer size>]
56
.br
57
[-evstoresize=<event store size>]
58
.br
59
57
[-quoting | -noquoting]
60
58
.br
61
59
[-tail | -notail]
70
68
.br
71
69
[-testonly | -notestonly]
72
70
.br
73
[-separator=<separator>]
71
[-help] [-?]
72
.br
73
[-version]
74
74
.SH DESCRIPTION
75
SEC is a tool that was designed to solve event correlation tasks in
76
network and system management. Event correlation is a process where a
77
stream of primitive events is processed in order to detect
75
SEC is a tool that was designed for accomplishing various event correlation
76
tasks in the domains of system monitoring, network and security management,
77
etc. Event correlation is a process where a stream of primitive events is
78
processed in order to detect
78
79
.I composite events
79
80
that correspond to event patterns in the event stream.
80
81
.PP
81
82
After startup SEC reads lines from files, named pipes, or standard input,
82
matches the lines with regular expressions to recognize input events, and
83
matches the lines with patterns (regular expressions, Perl subroutines, etc.)
84
for recognizing input events, and
83
85
correlates events according to the rules in its configuration file(s).
84
86
In order to detect a composite event, rules are used
85
87
sequentially in the same order as they are given in the configuration
97
99
composite events:
98
100
.PP
99
101
.B Single
100
- match input event and immediately execute an action.
102
- match input event and execute an action immediately.
101
103
.PP
102
104
.B SingleWithScript
103
105
- match input event and depending on the exit value of an external script,
151
153
that the correlation operation is trying to detect (see RULES AND EVENT
152
154
CORRELATION OPERATIONS section for more information).
153
155
.PP
154
Rules allow not only shell commands to be executed as actions,
155
but among other options it is also possible to create and delete contexts
156
that decide whether a particular rule can be applied at the moment, generate
157
synthetic events that will act as input for other rules, and reset correlation
158
operations that have been started by other rules. This makes it possible to
156
Rules support not only the execution of shell commands as actions, but also
157
the creation and deletion of contexts that decide whether a particular rule
158
can be applied at a given moment, the generation of synthetic events that
159
will act as input for other rules, the clearing of correlation operations
160
that have been started by other rules, etc. This makes it possible to
159
161
combine several rules and form more complex event correlation schemes.
160
162
Contexts can not only be used for activating or deactivating a particular
161
163
rule, but they can also serve as event stores (in
162
164
.BR logsurfer (1)
163
the contexts are used in a similar way). There are actions for adding event
165
the contexts are used in a similar way). There are actions for adding events
164
166
to a context, reporting all events associated with a context, etc. By using
165
the features of SEC in an appropriate way, one can solve a wide range of event
166
correlation and event consolidation tasks.
167
the features of SEC in an appropriate way, one can accomplish a wide range
168
of event correlation and event consolidation tasks.
167
169
.SH OPTIONS
168
170
.TP
169
.B "-conf=<file pattern>"
170
expand <file pattern> to filenames (with Perl
171
.B -conf=<file pattern>
172
expand <file pattern> to filenames (with the Perl
171
173
.BR glob ()
172
174
function) and read event correlation rules from every file. Multiple
173
175
.B -conf
174
options can be specified on commandline. Each time SEC receives a signal
176
options can be specified at command line. Each time SEC receives a signal
175
177
that forces a configuration reload, <file pattern> is re-evaluated. See also
176
178
TIMING AND IPC section for a discussion about the rule processing order when
177
179
multiple configuration files are involved.
178
180
.TP
179
.B "-input=<file pattern>[=<context>]"
180
expand <file pattern> to filenames (with Perl
181
.B -input=<file pattern>[=<context>]
182
expand <file pattern> to filenames (with the Perl
181
183
.BR glob ()
182
184
function) and use the files as event sources. An input file can be a regular
183
185
file, named pipe, or standard input if
184
186
.B -
185
187
was specified. Multiple
186
188
.B -input
187
options can be specified on commandline. Each time SEC receives a signal
189
options can be specified at command line. Each time SEC receives a signal
188
190
that forces it to reopen its input files, <file pattern> is re-evaluated.
189
191
If SEC experiences a system error when reading from an input file, it will
190
close the file. If <context> is given, SEC will set up the context <context>
191
each time it reads a line from input files that correspond to
192
<file pattern>. This will help the user to write rules that match data from
192
close the file (use the
193
.B -reopen_timeout
194
option for reopening the file). If <context> is given, SEC will set up the
195
context <context> each time it reads a line from input files that correspond
196
to <file pattern>. This will help the user to write rules that match data from
193
197
particular input source(s) only. When there is an
194
198
.B -input
195
199
option with <context> specified, it will automatically enable the
196
200
.B -intcontexts
197
201
option. See TIMING AND IPC section for more information.
198
202
.TP
199
.B "-input_timeout=<input_timeout>"
200
.TP
201
.B "-timeout_script=<timeout_script>"
203
.BR -input_timeout=<input_timeout> ", " -timeout_script=<timeout_script>
202
204
if SEC has not observed new data in an input file during <input_timeout>
203
205
seconds (or the file was closed <input_timeout> seconds ago), <timeout_script>
204
will be executed with commandline parameters 1 and <the name of the input
206
will be executed with command line parameters 1 and <the name of the input
205
207
file>. If fresh data become available again, <timeout_script> will be executed
206
with commandline parameters 0 and <the name of the input file>.
208
with command line parameters 0 and <the name of the input file>.
207
209
.TP
208
.B "-reopen_timeout=<reopen_timeout>"
209
if SEC has not observed new data in an input file during <reopen_timeout>
210
seconds (or the file was closed <reopen_timeout> seconds ago), SEC will
211
attempt to reopen this input file. If the attempt fails, SEC will try again
212
after every <reopen_timeout> seconds until open succeeds.
213
.TP
214
.B "-poll_timeout=<poll_timeout>"
210
.B -reopen_timeout=<reopen_timeout>
211
if an input file is in closed state (e.g., because SEC has failed to open it
212
at startup), SEC will attempt to reopen this input file after every
213
<reopen_timeout> seconds until open succeeds.
214
.TP
215
.B -check_timeout=<check_timeout>
216
if SEC has not observed new data in an input file, SEC will not poll the file
217
(both for status and data) during the next <check_timeout> seconds.
218
.TP
219
.B -poll_timeout=<poll_timeout>
215
220
a real number that specifies how many seconds SEC will sleep when no new data
216
221
were read from input files. Default is 0.1 seconds.
217
222
.TP
218
.B "-check_timeout=<check_timeout>"
219
if SEC has not observed new data in an input file, SEC will not poll the file
220
(both for status and data) during the next <check_timeout> seconds.
221
.TP
222
.B "-blocksize=<io_block_size>"
223
.B -blocksize=<io_block_size>
223
224
size of the block in bytes that SEC will attempt to read from input files
224
225
at once. Default is 1024 (i.e., read from input files by 1KB blocks).
225
226
.TP
226
.B "-log=<logfile>"
227
.B -bufsize=<input_buffer_size>
228
set input buffer to hold last <input_buffer_size> lines that have been read
229
from input files. The content of input buffer will be compared with patterns
230
that are part of rule definitions (i.e., no more than <input_buffer_size>
231
lines can be matched by a pattern at a time). Default size is 10 lines.
232
.TP
233
.B -evstoresize=<event_store_size>
234
set an upper limit to the size of context event stores - if an event store
235
already contains <event_store_size> events, SEC will add no more events to
236
that context, regardless of its configuration file directives.
237
.TP
238
.B -cleantime=<clean_time>
239
time interval in seconds that specifies how often internal event correlation
240
and context lists are processed, in order to accomplish time-related tasks
241
and to remove obsolete elements. Default is 1 second.
242
.TP
243
.B -log=<logfile>
227
244
use <logfile> for logging SEC activities. Note that if the SEC standard error
228
245
is connected to a terminal, messages will be logged there, in order to
229
246
facilitate debugging. If the
231
248
option has also been specified, no logging to standard error will take
232
249
place.
233
250
.TP
234
.B "-syslog=<facility>"
251
.B -syslog=<facility>
235
252
use syslog for logging SEC activities. All messages will be logged with the
236
253
facility <facility>, e.g.,
237
254
.I local0
238
255
(see
239
256
.BR syslog (3)
240
257
for possible facility values). Warning: be careful with this option if
241
you use SEC for monitoring syslog logfiles, because it might cause message
242
loops when SEC log messages are written to SEC input files.
258
you use SEC for monitoring syslog logfiles, because it might create message
259
loops (SEC log messages are written to SEC input files that trigger new
260
log messages).
243
261
.TP
244
.B "-debug=<debuglevel>"
262
.B -debug=<debuglevel>
245
263
set logging verbosity for the SEC logfile. Setting debuglevel to <debuglevel>
246
264
means that all messages from <debuglevel> and lower levels are logged (e.g.,
247
265
if <debuglevel> is 3, messages from levels 1, 2, and 3 are logged). The
251
269
a failed system call)
252
270
.br
253
271
2 - error messages (faults that need attention but don't cause SEC
254
to terminate, e.g., an incorrect rule definition in the configuration file)
272
to terminate, e.g., an incorrect rule definition in a configuration file)
255
273
.br
256
274
3 - warning messages (possible faults, e.g., a command forked from SEC
257
275
terminated with a non-zero exit code)
266
284
.br
267
285
Default <debuglevel> is 6 (i.e., log everything).
268
286
.TP
269
.B "-pid=<pidfile>"
270
use <pidfile> for storing the process ID of SEC.
271
.TP
272
.B "-dump=<dumpfile>"
273
use <dumpfile> as the SEC dumpfile. Default is /tmp/sec.dump (see SIGNALS
274
section for more information).
275
.TP
276
.B "-cleantime=<clean_time>"
277
time interval in seconds that specifies how often internal event correlation
278
and context lists are processed to perform time-related tasks and to remove
279
obsolete elements. Default is 1 second.
280
.TP
281
.B "-bufsize=<input_buffer_size>"
282
set input buffer to hold last <input_buffer_size> lines that have been read
283
from input files. The content of input buffer will be compared with patterns
284
that are part of rule definitions (i.e., no more than <input_buffer_size>
285
lines can be matched by a pattern at a time).
286
Default size is 10 (i.e., 10 lines).
287
.TP
288
.B "-evstoresize=<event_store_size>"
289
set an upper limit to the size of context event stores - if an event store
290
already contains <event_store_size> events, SEC will add no more events to
291
that context, regardless of its configuration file directives. Specifying 0
292
as <event_store_size> or omitting the
293
.B -evstoresize
294
option means that there is no limit to the size of event stores.
295
.TP
296
.B "-quoting"
297
.TP
298
.B "-noquoting"
287
.B -pid=<pidfile>
288
SEC will store its process ID to <pidfile> at startup.
289
.TP
290
.B -dump=<dumpfile>
291
SEC will use <dumpfile> as its dumpfile. See SIGNALS section for more
292
information. Default is /tmp/sec.dump.
293
.TP
294
.BR -quoting ", " -noquoting
299
295
if the
300
296
.B -quoting
301
297
option is specified, event description strings that are supplied to
309
305
Default is
310
306
.BR -noquoting .
311
307
.TP
312
.B "-tail"
313
.TP
314
.B "-notail"
308
.BR -tail ", " -notail
315
309
if the
316
310
.B -notail
317
311
option is specified, SEC will process all data that are currently available
324
318
If the input file is recreated or truncated, SEC will reopen it and process
325
319
its content from the start. If the input file is removed (i.e., there is
326
320
just an i-node left without name), SEC will keep the i-node open and wait for
327
the input file to be recreated. If the
328
.B "-reopen_timeout=<reopen_timeout>"
329
option was specified and no data have been added to the i-node during
330
<reopen_timeout> seconds, SEC will attempt to reopen the file without further
331
waiting for the file to be recreated.
332
.TP
333
.B "-fromstart"
334
.TP
335
.B "-nofromstart"
336
These flags have no meaning when the
321
the input file to be recreated.
322
.TP
323
.BR -fromstart ", " -nofromstart
324
these flags have no meaning when the
337
325
.B -notail
338
326
option is also specified. When used in combination with
339
327
.B -tail
342
330
is enabled by default),
343
331
.B -fromstart
344
332
will force SEC to read and process input files from the beginning to
345
the end, before the 'tail' mode is entered. Default is
333
the end, before the 'tail' mode is entered at SEC startup. Default is
346
334
.BR -nofromstart .
347
335
.TP
348
.B "-detach"
349
.TP
350
.B "-nodetach"
336
.BR -detach ", " -nodetach
351
337
if the
352
338
.B -detach
353
option is specified, SEC will disassociate itself from the controlling
354
terminal and become a daemon (note that SEC will close its standard input,
355
standard output, and standard error, and change its working directory to
356
the root directory). Default is
339
option is specified, SEC will disassociate itself from the controlling
340
terminal and become a daemon at startup (note that SEC will close its standard
341
input, standard output, and standard error, and change its working directory
342
to the root directory). Default is
357
343
.BR -nodetach .
358
344
.TP
359
.B "-intevents"
360
.TP
361
.B "-nointevents"
345
.BR -intevents ", " -nointevents
362
346
SEC will generate internal events when it starts up, when it receives
363
347
certain signals, and when it terminates normally. Specific rules can be
364
348
written to match those internal events, in order to take some action at SEC
366
350
See TIMING AND IPC section for more information. Default is
367
351
.BR -nointevents .
368
352
.TP
369
.B "-intcontexts"
370
.TP
371
.B "-nointcontexts"
353
.BR -intcontexts ", " -nointcontexts
372
354
SEC will create an internal context when it reads a line from an input file.
373
355
This will help the user to write rules that match data from particular input
374
356
source only. See TIMING AND IPC section for more information. Default is
375
357
.BR -nointcontexts .
376
358
.TP
377
.B "-testonly"
378
.TP
379
.B "-notestonly"
359
.BR -testonly ", " -notestonly
380
360
if the
381
361
.B -testonly
382
362
option is specified, SEC will exit immediately after parsing the configuration
383
363
file(s). If the configuration file(s) contained no faulty rules, SEC will exit
384
364
with 0, otherwise with 1. Default is
385
365
.BR -notestonly .
386
.TP
387
.B "-separator=<regexp>"
388
obsolete.
366
.TP
367
.BR -help ", " -?
368
SEC will output usage information and exit.
369
.TP
370
.B -version
371
SEC will output version information and exit.
389
372
.PP
390
373
Note that one can introduce options both with a single dash (-) and double
391
374
dash (--), and also use both an equal sign (=) and whitespace as a separator
392
375
between the option name and the option value, e.g.,
393
.B "-conf=<file pattern>"
376
.B -conf=<file pattern>
394
377
and
395
.B "--conf <file pattern>"
378
.B --conf <file pattern>
396
379
are equivalent.
397
380
.SH CONFIGURATION FILE
398
The SEC configuration file consists of rule definitions. Each rule
399
definition is made up of key=value pairs, one key and value per line.
400
Values are case sensitive only where character case is important
381
The SEC configuration file consists of rule definitions which are separated
382
by empty and comment lines.
383
Each rule definition is made up of keyword=value pairs, one keyword and value
384
per line. Values are case sensitive only where character case is important
401
385
(like the values specifying regular expressions).
402
\\-symbol may be used at the end of a line to continue the key=value pair
386
\\-symbol may be used at the end of a line to continue the keyword=value pair
403
387
on the next line. Lines which begin with #-symbol are treated as comments and
404
388
ignored (whitespace characters may precede #-symbol). Any comment line,
405
389
empty line, or end of the file will terminate the preceding rule definition.
390
In order to insert comments into the rule definition, the
391
.I rem
392
keyword can be used.
406
393
.PP
407
394
Before describing each rule type in detail, patterns and pattern types,
408
395
context expressions, and action lists are discussed, since they are
411
398
SEC supports the following pattern types (if <number> is omitted, 1 is
412
399
assumed):
413
400
.TP
414
.I "SubStr[<number>]"
401
.I SubStr[<number>]
415
402
pattern is assumed to be a substring that will be searched in last <number>
416
input line(s). If the substring is found, the pattern matches.
403
input lines L1, L2, ..., L<number>. The input lines are joined into a single
404
string with the newline character acting as a separator, and the resulting
405
string "L1\\nL2\\n...\\nL<number>" is searched for the substring. (Note
406
that if <number> is 1, the last input line without a terminating newline
407
is searched.) If the substring is found, the pattern matches.
417
408
The backslash constructs \\t, \\n, \\r, \\s, and \\0 can be used in the
418
409
pattern to denote tabulation, newline, carriage return, space character, and
419
410
empty string, while \\\\ denotes backslash itself. As an example, consider
425
416
.sp
426
417
The pattern matches lines containing "Backup done:<TAB>success".
427
418
.TP
428
.I "RegExp[<number>]"
429
pattern is assumed to be a regular expression that last <number> input
430
line(s) are compared with. If the pattern matches, backreference values will
431
be assigned to the special variables $1, $2, ..., and the matching input
432
line(s) will be assigned to the special variable $0. These special variables
433
can be used in some other parts of the rule definition.
434
All regular expression constructs that Perl allows are allowed in the
435
pattern (see
419
.I RegExp[<number>]
420
pattern is assumed to be a regular expression that last <number> input
421
lines L1, L2, ..., L<number> are compared with. The input lines are joined
422
into a single string with the newline character acting as a separator, and
423
the resulting string "L1\\nL2\\n...\\nL<number>" is compared with the regular
424
expression pattern. (Note that if <number> is 1, the last input line without
425
a terminating newline is compared with the pattern.)
426
If the pattern matches, backreference values will
427
be assigned to the special variables $1, $2, ..., and the special variable $0
428
will be set to "L1\\nL2\\n...\\nL<number>" (i.e., to the matching input
429
line(s)). These special variables can be used in some other parts of the rule
430
definition. All regular expression constructs that Perl allows are allowed in
431
the pattern (see
436
432
.BR perlre (1)
437
433
for more information). As an example, consider the following pattern
438
434
definition:
444
440
The pattern matches "printer: toner/ink low" messages in a case insensitive
445
441
manner from printers belonging to .mydomain. Note that the printer hostname
446
442
is assigned to $1, while the whole message line is assigned to $0.
443
As another example, the following pattern definition
444
.sp
445
ptype=regexp2
446
.br
447
pattern=^AAA\\nBBB$
448
.sp
449
produces a match if the last two input lines are AAA and BBB, and sets $0
450
to "AAA\\nBBB".
447
451
.TP
448
.I "PerlFunc[<number>]"
449
pattern is assumed to be a Perl function that last <number> input
450
line(s) are compared with. The Perl function is compiled at SEC startup by
451
calling Perl
452
.I PerlFunc[<number>]
453
pattern is assumed to be a Perl function that last <number> input lines
454
L1, L2, ..., L<number> are submitted to. The Perl function is compiled at
455
SEC startup by calling the Perl
452
456
.BR eval ()
453
457
function, and
454
458
.BR eval ()
455
459
must return a code reference for the pattern to be valid (also see VARIABLES
456
460
AND EVAL section for more information).
457
461
In order to check whether the pattern matches, SEC will call the function
458
in list context and pass last <number> input line(s) to the function as
459
parameters.
462
in list context and pass lines L1, L2, ..., L<number> and the names of
463
corresponding input sources S1, S2, ..., S<number> to the function as
464
parameters:
465
.sp
466
function(L1, L2, ..., L<number>, S1, S2, ..., S<number>)
467
.sp
468
(if the input line has been generated with the
469
.I event
470
action, its input source name will be set to 'undef').
460
471
If the function returns several values or a single value that is TRUE in
461
472
boolean context, the pattern matches. If the pattern matches, return values
462
will be assigned to the special variables $1, $2, ..., and the matching input
463
line(s) will be assigned to the special variable $0. These special variables
464
can be used in some other parts of the rule definition. As an example,
465
consider the following pattern definition:
473
will be assigned to the special variables $1, $2, ..., and the special
474
variable $0 will be set to "L1\\nL2\\n...\\nL<number>" (i.e., to the matching
475
input line(s)). These special variables can be used in some other parts of
476
the rule definition. As an example, consider the following pattern definition:
466
477
.sp
467
478
ptype=perlfunc2
468
479
.br
469
480
pattern=sub { return ($_[0] cmp $_[1]); }
470
481
.sp
471
The pattern compares two last input lines in a stringwise manner, and
472
matches if the lines are different. Note that the result of the comparison
473
is assigned to $1, while the two input lines are concatenated and assigned
474
to $0.
475
.TP
476
.I "NSubStr[<number>]"
477
like
478
.IR "SubStr[<number>]" ,
479
except the result of the match is negated.
480
.TP
481
.I "NRegExp[<number>]"
482
like
483
.IR "RegExp[<number>]" ,
484
except the result of the match is negated.
485
.TP
486
.I "NPerlFunc[<number>]"
487
like
488
.IR "PerlFunc[<number>]" ,
489
except the result of the match is negated.
490
.TP
491
.I "TValue"
482
The pattern compares last two input lines in a stringwise manner ($_[1]
483
holds the last line and $_[0] the preceding one), and matches if the lines
484
are different. Note that the result of the comparison is assigned to $1,
485
while the two input lines are concatenated (with the newline character
486
between them) and assigned to $0.
487
As another example, the following pattern definition
488
.sp
489
ptype=perlfunc
490
.br
491
pattern=sub { if ($_[0] =~ /(abc|def)/) { \\
492
.br
493
return defined($_[1]) ? $_[1] : "SEC"; } return 0; }
494
.sp
495
produces a match if the input line contains either the string "abc" or
496
the string "def", and sets $0 to the matching line and $1 to the name of
497
the input source.
498
.TP
499
.I NSubStr[<number>]
500
like
501
.IR SubStr[<number>] ,
502
except the result of the match is negated.
503
.TP
504
.I NRegExp[<number>]
505
like
506
.IR RegExp[<number>] ,
507
except the result of the match is negated.
508
.TP
509
.I NPerlFunc[<number>]
510
like
511
.IR PerlFunc[<number>] ,
512
except the result of the match is negated.
513
.TP
514
.I TValue
492
515
pattern is assumed to be a truth value with TRUE and FALSE being legitimate
493
516
values for the pattern. TRUE always matches an input line while FALSE never
494
517
matches an input line.
504
527
.SS "CONTEXT EXPRESSIONS"
505
528
Context expression is a logical expression that consists of context names,
506
529
Perl miniprograms, and Perl functions as operands; operands are combined with
507
operators ! (logical NOT), && (logical AND), || (logical OR), and parentheses.
530
operators ! (logical NOT), && (short-circuit logical AND), || (short-circuit
531
logical OR), and parentheses.
508
532
Context expressions are employed for activating or deactivating rules -
509
the truth value of the rule's context expression must be TRUE for the rule
510
to be applicable.
533
normally, the context expression is evaluated immediately after the pattern
534
has matched input line(s), and the rule will process the input line(s) only
535
if the expression evaluates TRUE.
511
536
.PP
512
537
If the operand contains the arrow (->), the text following the arrow
513
538
is considered to be a Perl function that will be compiled at SEC startup by
514
calling Perl
539
calling the Perl
515
540
.BR eval ()
516
541
function, and
517
542
.BR eval ()
528
553
If the operand begins with the equal sign (=), the following text is
529
554
considered to be a Perl miniprogram. The miniprogram may contain $<number>
530
555
and %<number> special variables. In order to evaluate the Perl miniprogram
531
operand, it will be executed by calling Perl
556
operand, it will be executed by calling the Perl
532
557
.BR eval ()
533
558
function in scalar context (also see VARIABLES AND EVAL section for more
534
559
information). If the return value of the miniprogram is TRUE in boolean
549
574
value of the operand is TRUE, otherwise its truth value is FALSE.
550
575
.PP
551
576
If the whole context expression is enclosed in square brackets [ ], e.g.,
552
.BR "[MYCONTEXT1 && !MYCONTEXT2]" ,
577
.RB [ MYCONTEXT1 " && !" MYCONTEXT2 ],
553
578
SEC evaluates the expression _before_ pattern matching operation (normally
554
579
the pattern is compared with input line(s) first, so that $<number> and
555
580
%<number> variables in the context expression could be replaced with their
577
602
and
578
603
.B C2
579
604
do not exist and the $1 variable equals to the string "myhost.mydomain".
580
Note that the Perl code of the third expression is compiled each time the
581
expression is evaluated.
605
Note that since && is a short-circuiting operation, the Perl code
606
of the third expression is not evaluated if
607
.B C1
608
and/or
609
.B C2
610
exist.
582
611
.SS "ACTION LISTS"
583
612
Action list consists of action definitions that are separated by semicolons.
584
613
Each action definition begins with a keyword specifying the action type,
607
636
underscores). In order to disambiguate <alnum_name> from the following text,
608
637
<alnum_name> must be enclosed in braces: %{<alnum_name>}.
609
638
.PP
610
In order to use semicolons inside a non-constant parameter, the parameter must
611
be enclosed in parentheses (the outermost set of parentheses will be removed
612
by SEC during configuration file parsing).
639
In order to use semicolons inside a non-constant action parameter,
640
the parameter must be enclosed in parentheses (the outermost set of
641
parentheses will be removed by SEC during configuration file parsing).
613
642
.PP
614
643
The following actions are supported:
615
644
.TP
616
.I "none"
645
.I none
617
646
No action.
618
647
.TP
619
.I "logonly"
648
.I logonly
620
649
Event description (the value of the %s variable) is logged.
621
650
.TP
622
.I "write <filename> [<event text>]"
651
.I write <filename> [<event text>]
623
652
Event string <event text> and terminating newline are written to the file
624
653
<filename> (<filename> may not contain spaces). File may be a regular file,
625
654
named pipe, or standard output if
639
668
.I shellcmd
640
669
does.
641
670
.TP
642
.I "shellcmd <shellcmd>"
671
.I shellcmd <shellcmd>
643
672
Shell command <shellcmd> is executed. If the
644
673
.B -quoting
645
674
option was specified, %s will be converted to '%s' before supplying it to
649
678
.B -noquoting
650
679
options).
651
680
.TP
652
.I "spawn <shellcmd>"
681
.I spawn <shellcmd>
653
682
Identical to the
654
683
.I shellcmd
655
684
action, except the following - every line from the standard output of
656
685
<shellcmd> is treated like SEC input line and matched against the rules.
657
686
This is done by applying
658
.I "event 0 <line>"
687
.I event 0 <line>
659
688
to every line from standard output (see the
660
689
.I event
661
690
action). Note that if <shellcmd> outputs a large data set at once, SEC
662
691
will process it all at once, so if <shellcmd> enters an endless "busy write"
663
692
loop, it will block SEC from doing anything other than processing its output.
664
693
.TP
665
.I "pipe '<event text>' [<shellcmd>]"
694
.I pipe '<event text>' [<shellcmd>]
666
695
Event string <event text> and terminating newline are fed to the standard
667
696
input of shell command <shellcmd> (apostrophes are used to mark the beginning
668
697
and end of <event text>, in order to distinguish it from <shellcmd>).
670
699
assumed for <event text>. If <shellcmd> is omitted, <event text> is written
671
700
to standard output.
672
701
.TP
673
.I "create [<name> [<time> [<action list>] ] ]
702
.I create [<name> [<time> [<action list>] ] ]
674
703
Context with the name <name>, with the lifetime of <time> seconds, and with
675
704
empty event store is created (<name> may not contain spaces, and <time> is
676
705
an integer constant). If <name> is omitted, %s is assumed for its value.
677
706
Specifying 0 as <time> or omitting the value means infinite lifetime.
678
If <action list> is specified, it will be executed when context's lifetime is
679
exceeded. If <action list> is made up of more than one action, semicolons
707
If <action list> is specified, it will be executed when the context expires.
708
If <action list> is made up of more than one action, semicolons
680
709
must be used to separate the actions, and the list must be enclosed in
681
710
parentheses. If already existing context is recreated with
682
711
.IR create ,
683
712
its lifetime will be extended for <time> seconds and its event store will
684
713
be emptied.
685
714
.TP
686
.I "delete [<name>]"
715
.I delete [<name>]
687
716
Context with the name <name> is deleted (<name> may not contain spaces).
688
717
If <name> is omitted, %s is assumed for its value.
689
718
If non-existing context is deleted, no operation will be performed.
690
719
.TP
691
.I "obsolete [<name>]"
720
.I obsolete [<name>]
692
721
Behaves like
693
722
.IR delete ,
694
723
except the action list of the context <name> (if the context has an action
695
724
list) will be executed before deletion.
696
725
.TP
697
.I "set <name> <time> [<action list>]
726
.I set <name> <time> [<action list>]
698
727
Settings for the context with the name <name> will be changed (<name> may
699
728
not contain spaces, and <time> is an integer constant). New lifetime of the
700
729
context will be <time> seconds with optional <action list> to be executed
701
when the lifetime is exceeded. Event store of the context will not be changed
730
when the context expires. Event store of the context will not be changed
702
731
by
703
732
.IR set .
704
733
Specifying 0 as <time> means infinite lifetime.
705
734
If <action list> is made up of more than one action, semicolons must be
706
735
used to separate the actions, and the list must be enclosed in parentheses.
707
736
.TP
708
.I "alias <name> [<alias>]"
737
.I alias <name> [<alias>]
709
738
An alias name <alias> will be created for the context with the name <name>
710
739
(<name> and <alias> may not contain spaces).
711
740
After the name <alias> has been created for a context, the context can be
726
755
action is called for one of the context names, the context data structure is
727
756
destroyed, and all context names (which are now pointers to unallocated
728
757
memory) are removed from the list of context names. Also note that if the
729
lifetime of the context is exceeded, its action list is executed only once,
758
context expires, its action list is executed only once,
730
759
no matter how many names the context has.
731
760
.TP
732
.I "unalias [<alias>]"
761
.I unalias [<alias>]
733
762
Context name <alias> is removed from the list of context names, so that the
734
763
name <alias> can no longer be used to refer to the context it was previously
735
764
associated with (<alias> may not contain spaces).
741
770
action behaves like
742
771
.I delete
743
772
and the context will be deleted; otherwise the context will continue to
744
exist under another name(s) with its event store and other attributes intact.
773
exist under other name(s) with its event store and other attributes intact.
745
774
.TP
746
.I "add <name> [<event text>]"
775
.I add <name> [<event text>]
747
776
Event string <event text> is added to the event store of the context <name>
748
777
(<name> may not contain spaces). Events in the store are ordered by the
749
778
time they were added, and every
750
779
.I add
751
adds event to the end of the store. If <event text> is omitted, %s is assumed
752
for its value. If context <name> does not exist, the context will be created
753
with infinite lifetime, empty action list and empty event store (as with
780
appends event to the end of the store. If <event text> is omitted, %s is
781
assumed for its value. If context <name> does not exist, the context will be
782
created with an infinite lifetime, empty action list and empty event store
783
(as with
754
784
.IR "create <name>" )
755
785
before adding the event. If <event text> contains newlines, it will be split
756
into parts by using the newline symbol as a delimiter, and each part is
786
into parts using the newline symbol as a delimiter, and each part is
757
787
added to the event store as a separate event string.
758
788
.TP
759
.I "fill <name> [<event text>]"
789
.I fill <name> [<event text>]
760
790
Behaves like
761
791
.IR add ,
762
792
except the event store of the context <name> will be emptied before
763
793
<event text> is added.
764
794
.TP
765
.I "report <name> [<shellcmd>]"
795
.I report <name> [<shellcmd>]
766
796
Event store of the context <name> is reported with shell command <shellcmd>
767
797
(<name> may not contain spaces). Reporting means that events from the store
768
798
are fed to standard input of <shellcmd> in the order they were added into the
769
799
store, every event on a separate line. If <shellcmd> is omitted, events from
770
800
the store are written to standard output.
771
801
.TP
772
.I "copy <name> %<alnum_name>"
802
.I copy <name> %<alnum_name>
773
803
Event store of the context <name> is assigned to a user-defined variable
774
%<alnum_name> (<name> may not contain spaces). Before assignment takes
775
place, lines from the event store are joined into a scalar by using the
804
%<alnum_name> (<name> may not contain spaces). Before the assignment takes
805
place, lines from the event store are joined into a scalar using the
776
806
newline character as the separator (as with Perl join("\\n", @array)).
777
807
.TP
778
.I "empty <name> [%<alnum_name>]"
808
.I empty <name> [%<alnum_name>]
779
809
Behaves like
780
810
.IR copy ,
781
811
except the event store of the context <name> will be emptied after it
783
813
.I empty
784
814
simply removes all lines from the event store.
785
815
.TP
786
.I "event [<time>] [<event text>]"
816
.I event [<time>] [<event text>]
787
817
After <time> seconds a synthetic event <event text> is created (<time> is an
788
818
integer constant). SEC treats the <event text> string exactly like line(s)
789
819
read from input - it is inserted into the input buffer in order to compare it
790
820
with rules. If <event text> is omitted, %s is assumed for its value.
791
821
Specifying 0 as <time> or omitting the value means now. If <event text>
792
contains newlines, it will be split into parts by using the newline symbol as
822
contains newlines, it will be split into parts using the newline symbol as
793
823
a delimiter, and each part is created as a separate synthetic event.
794
824
.TP
795
.I "reset [<rule_number>] [<event text>]"
825
.I reset [<rule_number>] [<event text>]
796
826
Cancel event correlation operations that are currently detecting the
797
827
composite event <event text> (<rule_number> is a string constant), i.e.,
798
828
SEC will terminate event correlation operations that have <event text> in
808
838
Since correlation operations started by different rules may detect composite
809
839
events that have identical description strings, rule number can be optionally
810
840
specified to point to a correlation operation that was started by a specific
811
rule (1 means first rule in the configuration file, 2 means second, etc.;
812
0 denotes the current rule).
841
rule (1 means the first rule in the configuration file, 2 means the second,
842
etc.; 0 denotes the current rule).
813
843
If + or - is prepended to <rule_number>, it is considered to be an offset
814
from current rule (e.g., -1 means previous rule and +1 next rule).
844
from the current rule (e.g., -1 means the previous rule and +1 the next rule).
815
845
For example, if a rule definition with the
816
846
.I reset
817
847
action is given in the configuration file named my.conf, then
818
.I "reset 1 Counting linkdown events"
848
.I reset 1 Counting linkdown events
819
849
will terminate the event correlation operation with the key "my.conf | 0 |
820
850
Counting linkdown events" (note that internally the SEC rule IDs start from
821
851
zero), while
822
.I "reset Counting linkdown events"
852
.I reset Counting linkdown events
823
853
will terminate event correlation operations with keys "my.conf | X | Counting
824
854
linkdown events", where X runs from 0 to N-1 and N is the number of rules in
825
855
the configuration file my.conf. If no operation with a given key exists,
826
856
.I reset
827
857
will take no action.
828
858
.TP
829
.I "assign %<alnum_name> [<text>]"
859
.I assign %<alnum_name> [<text>]
830
860
Text <text> is assigned to a user-defined variable %<alnum_name>. If <text>
831
861
is omitted, %s is assumed for its value.
832
862
.TP
833
.I "eval %<alnum_name> <code>"
863
.I eval %<alnum_name> <code>
834
864
The parameter <code> is assumed to be a Perl miniprogram that will be executed
835
by calling Perl
865
by calling the Perl
836
866
.BR eval ()
837
867
function in list context. If the miniprogram returns a single value, it will
838
868
be assigned to the variable %<alnum_name>. If the miniprogram returns several
839
values, they will be joined into a scalar by using the newline character as
869
values, they will be joined into a scalar using the newline character as
840
870
a separator (as with Perl join("\\n", @array)), and the scalar will be
841
871
assigned to the variable %<alnum_name>. If no value is returned or
842
872
.BR eval ()
851
881
of semicolons inside the code by SEC. Also see VARIABLES AND EVAL section for
852
882
more information.
853
883
.TP
854
.I "call %<alnum_name1> %<alnum_name2> [<parameter list>]"
884
.I call %<alnum_name1> %<alnum_name2> [<parameter list>]
855
885
The parameter %<alnum_name2> is assumed to be a reference to a Perl function
856
886
that was created previously with the
857
887
.I eval
859
889
parameter list to the function (parameters are separated by whitespace).
860
890
If the function returns a single value, it will
861
891
be assigned to the variable %<alnum_name1>. If the function returns several
862
values, they will be joined into a scalar by using the newline character as
892
values, they will be joined into a scalar using the newline character as
863
893
a separator (as with Perl join("\\n", @array)), and the scalar will be
864
894
assigned to the variable %<alnum_name1>. If no value is returned or
865
895
%<alnum_name2> is not a code reference, no assignment will take place.
880
910
.PP
881
911
Add the value of the $0 variable to the event store of the context
882
912
.BR "ftp_<the value of $1>" .
883
Also extend the context's lifetime for 30 minutes, so that when the context's
884
lifetime is exceeded, its event store will be mailed to the local root.
913
Also extend the context's lifetime for 30 minutes, so that when the context
914
expires, its event store will be mailed to the local root.
885
915
.PP
886
916
eval %funcptr ( sub { my(@buf) = split(/\\n/, $_[0]); \\
887
917
.br
920
950
immediate action to be taken. Its rule definition has the following
921
951
parameters:
922
952
.TP
923
.I "type"
953
.I type
924
954
fixed to Single (value is case insensitive, so single or sIngLe can be
925
955
used instead).
926
956
.TP
927
.I "continue (optional)"
957
.IR continue " (optional)"
928
958
TakeNext or DontCont (values are case insensitive). The first specifies that
929
959
search for matching rules will continue after the match (i.e., input line(s)
930
960
that match
936
966
.I continue
937
967
keyword is missing from the rule definition, DontCont is assumed.
938
968
.TP
939
.I "ptype"
969
.I ptype
940
970
pattern type (value is case insensitive).
941
971
.TP
942
.I "pattern"
972
.I pattern
943
973
pattern.
944
974
.TP
945
.I "context (optional)"
975
.IR context " (optional)"
946
976
context expression.
947
977
.TP
948
.I "desc"
949
textual description of detected event.
950
.TP
951
.I "action"
952
action list that will be executed when event is detected.
978
.I desc
979
textual description of the detected event.
980
.TP
981
.I action
982
action list that will be executed when the event is detected.
983
.TP
984
.IR rem " (optional, may appear more than once)"
985
remarks and comments.
953
986
.PP
954
987
Note that
955
988
.IR context ,
998
1031
action=report ftp_$1 /bin/mail root@localhost; \\
999
1032
delete ftp_$1
1000
1033
.PP
1001
First rule creates context with the name
1034
The first rule creates the context with the name
1002
1035
.B ftp_<pid>
1003
1036
when someone connects from host ristov2 with ftp. The second rule adds all
1004
1037
logfile lines that are associated with the session <pid> to the event store
1006
1039
.B ftp_<pid>
1007
1040
(before adding a line, the rule checks if the context exists). After
1008
1041
adding a line, the rule extends context's lifetime for 30 minutes and sets
1009
the action list that will be executed when context times out. The third rule
1042
the action list that will be executed when the context expires. The third rule
1010
1043
mails collected logfile lines to root@localhost when the session <pid> is
1011
1044
closed. Collected lines will also be mailed when the session <pid> has been
1012
1045
inactive for 30 minutes (no logfile lines observed for that session).
1013
1046
.PP
1014
1047
Note that the logfile line that has matched the first rule will be passed
1015
1048
to the second rule and will become the first line in the event store
1016
(the first rule has
1049
(the first rule has the
1017
1050
.I continue
1018
parameter set to TakeNext). The second rule has also
1051
parameter set to TakeNext). The second rule has also its
1019
1052
.I continue
1020
1053
parameter set to TakeNext, since otherwise no logfile lines would reach the
1021
1054
third rule.
1022
1055
.SS "SINGLEWITHSCRIPT RULE"
1023
1056
The
1024
1057
.B SingleWithScript
1025
rule was designed to integrate external scripts with SEC event flow.
1026
Its rule definition is similar to the Single rule, except of additional
1058
rule was designed to integrate external scripts with the SEC event flow.
1059
Its rule definition is similar to the Single rule, except of the additional
1027
1060
.I script
1028
1061
parameter:
1029
1062
.TP
1030
.I "type"
1063
.I type
1031
1064
fixed to SingleWithScript (value is case insensitive).
1032
1065
.TP
1033
.I "continue (optional)"
1066
.IR continue " (optional)"
1034
1067
TakeNext or DontCont (values are case insensitive).
1035
1068
.TP
1036
.I "ptype"
1069
.I ptype
1037
1070
pattern type (value is case insensitive).
1038
1071
.TP
1039
.I "pattern"
1072
.I pattern
1040
1073
pattern.
1041
1074
.TP
1042
.I "context (optional)"
1075
.IR context " (optional)"
1043
1076
context expression.
1044
1077
.TP
1045
.I "script"
1078
.I script
1046
1079
script that is executed after
1047
1080
.I pattern
1048
1081
and
1055
1088
.I action2
1056
1089
will be executed (if given).
1057
1090
.TP
1058
.I "desc"
1059
textual description of detected event.
1091
.I desc
1092
textual description of the detected event.
1060
1093
.TP
1061
.I "action"
1094
.I action
1062
1095
action list that will be executed when
1063
1096
.I script
1064
1097
returns zero for its exit value.
1065
1098
.TP
1066
.I "action2 (optional)"
1099
.IR action2 " (optional)"
1067
1100
action list that will be executed when
1068
1101
.I script
1069
1102
returns non-zero for its exit value.
1103
.TP
1104
.IR rem " (optional, may appear more than once)"
1105
remarks and comments.
1070
1106
.PP
1071
1107
Note that
1072
1108
.IR context ,
1125
1161
rule was designed to implement the event correlation
1126
1162
operation called
1127
1163
.IR compression ,
1128
where multiple instances of event A are reduced into single event.
1129
Its rule definition is similar to the Single rule, except of additional
1164
where multiple instances of event A are reduced into a single event.
1165
Its rule definition is similar to the Single rule, except of the additional
1130
1166
.I window
1131
1167
parameter:
1132
1168
.TP
1133
.I "type"
1169
.I type
1134
1170
fixed to SingleWithSuppress (value is case insensitive).
1135
1171
.TP
1136
.I "continue (optional)"
1172
.IR continue " (optional)"
1137
1173
TakeNext or DontCont (values are case insensitive).
1138
1174
.TP
1139
.I "ptype"
1175
.I ptype
1140
1176
pattern type (value is case insensitive).
1141
1177
.TP
1142
.I "pattern"
1178
.I pattern
1143
1179
pattern for detecting event A.
1144
1180
.TP
1145
.I "context (optional)"
1181
.IR context " (optional)"
1146
1182
context expression.
1147
1183
.TP
1148
.I "desc"
1184
.I desc
1149
1185
textual description of event A.
1150
1186
.TP
1151
.I "action"
1187
.I action
1152
1188
action list that will be executed when event A is first observed. Following
1153
1189
instances of event A will be ignored.
1154
1190
.TP
1155
.I "window"
1191
.I window
1156
1192
time in seconds that following events A are ignored for.
1193
.TP
1194
.IR rem " (optional, may appear more than once)"
1195
remarks and comments.
1157
1196
.PP
1158
1197
Note that
1159
1198
.IR context ,
1181
1220
.PP
1182
1221
notify.sh "File system /usr full"
1183
1222
.PP
1184
and ignores following such lines during next 15 minutes.
1223
and ignores following such lines during the next 15 minutes.
1185
1224
.PP
1186
1225
Note that line "/tmp: file system full" would not be ignored, since SEC
1187
1226
identifies correlation operations by a key that contains event
1200
1239
into event pair (A, B) inside a given time window.
1201
1240
Its rule definition has the following parameters:
1202
1241
.TP
1203
.I "type"
1242
.I type
1204
1243
fixed to Pair (value is case insensitive).
1205
1244
.TP
1206
.I "continue (optional)"
1245
.IR continue " (optional)"
1207
1246
TakeNext or DontCont (values are case insensitive). Specifies if
1208
1247
input line(s) that match
1209
1248
.I pattern
1211
1250
.I context
1212
1251
will be passed to the next rule.
1213
1252
.TP
1214
.I "ptype"
1253
.I ptype
1215
1254
pattern type (value is case insensitive).
1216
1255
.TP
1217
.I "pattern"
1256
.I pattern
1218
1257
pattern for detecting event A.
1219
1258
.TP
1220
.I "context (optional)"
1259
.IR context " (optional)"
1221
1260
context expression.
1222
1261
.TP
1223
.I "desc"
1262
.I desc
1224
1263
textual description of event A.
1225
1264
.TP
1226
.I "action"
1265
.I action
1227
1266
action list that will be executed when event A is first observed. Following
1228
1267
instances of event A will be ignored.
1229
1268
.TP
1230
.I "continue2 (optional)"
1269
.IR continue2 " (optional)"
1231
1270
TakeNext or DontCont (values are case insensitive). Specifies if
1232
1271
input line(s) that match
1233
1272
.I pattern2
1235
1274
.I context2
1236
1275
will be passed to the next rule.
1237
1276
.TP
1238
.I "ptype2"
1277
.I ptype2
1239
1278
pattern type (value is case insensitive).
1240
1279
.TP
1241
.I "pattern2"
1280
.I pattern2
1242
1281
pattern for detecting event B.
1243
1282
.TP
1244
.I "context2 (optional)"
1283
.IR context2 " (optional)"
1245
1284
context expression.
1246
1285
.TP
1247
.I "desc2"
1286
.I desc2
1248
1287
textual description of event B.
1249
1288
.TP
1250
.I "action2"
1289
.I action2
1251
1290
action list that will be executed when event B is observed. After executing
1252
1291
.I action2
1253
1292
the event correlation operation terminates.
1254
1293
.TP
1255
.I "window (optional)"
1294
.IR window " (optional)"
1256
1295
time
1257
1296
.I t
1258
in seconds that is allowed to elapse between first instance
1297
in seconds that is allowed to elapse between the first instance
1259
1298
of event A and event B. If event B does not appear during
1260
1299
.I t
1261
1300
seconds, then the correlation operation started by this rule terminates.
1262
Specifying 0 as value or omitting
1301
Specifying 0 as value or omitting the
1263
1302
.I window
1264
1303
parameter means setting
1265
1304
.I t
1266
1305
to infinity (i.e., if event B does not appear,
1267
1306
event A will be ignored forever).
1307
.TP
1308
.IR rem " (optional, may appear more than once)"
1309
remarks and comments.
1268
1310
.PP
1269
1311
Note that
1270
1312
.IR context ,
1318
1360
.PP
1319
1361
and waits for the line "NFS server fserv ok" for 1 hour, ignoring all
1320
1362
"NFS server fserv is not responding" lines. When the line "NFS server fserv
1321
ok" appears, the correlation operation executes shell command
1363
ok" appears, the correlation operation executes the shell command
1322
1364
.PP
1323
1365
notify.sh "fserv OK"
1324
1366
.PP
1333
1375
event B inside a given time window.
1334
1376
Its rule definition has the following parameters:
1335
1377
.TP
1336
.I "type"
1378
.I type
1337
1379
fixed to PairWithWindow (value is case insensitive).
1338
1380
.TP
1339
.I "continue (optional)"
1381
.IR continue " (optional)"
1340
1382
TakeNext or DontCont (values are case insensitive). Specifies if input
1341
1383
line(s) that match
1342
1384
.I pattern
1344
1386
.I context
1345
1387
will be passed to the next rule.
1346
1388
.TP
1347
.I "ptype"
1389
.I ptype
1348
1390
pattern type (value is case insensitive).
1349
1391
.TP
1350
.I "pattern"
1392
.I pattern
1351
1393
pattern for detecting event A.
1352
1394
.TP
1353
.I "context (optional)"
1395
.IR context " (optional)"
1354
1396
context expression.
1355
1397
.TP
1356
.I "desc"
1398
.I desc
1357
1399
textual description of event A.
1358
1400
.TP
1359
.I "action"
1401
.I action
1360
1402
action list that is executed after event A was observed and event B did not
1361
1403
appear within the given time window.
1362
1404
.TP
1363
.I "continue2 (optional)"
1405
.IR continue2 " (optional)"
1364
1406
TakeNext or DontCont (values are case insensitive). Specifies if input
1365
1407
line(s) that match
1366
1408
.I pattern2
1368
1410
.I context2
1369
1411
will be passed to the next rule.
1370
1412
.TP
1371
.I "ptype2"
1413
.I ptype2
1372
1414
pattern type (value is case insensitive).
1373
1415
.TP
1374
.I "pattern2"
1416
.I pattern2
1375
1417
pattern for detecting event B.
1376
1418
.TP
1377
.I "context2 (optional)"
1419
.IR context2 " (optional)"
1378
1420
context expression.
1379
1421
.TP
1380
.I "desc2"
1422
.I desc2
1381
1423
textual description of event B.
1382
1424
.TP
1383
.I "action2"
1425
.I action2
1384
1426
action list that is executed after event A was observed and event B appeared
1385
1427
within the given time window. After executing
1386
1428
.I action2
1387
1429
the event correlation operation terminates.
1388
1430
.TP
1389
.I "window"
1431
.I window
1390
1432
size of the time window in seconds.
1433
.TP
1434
.IR rem " (optional, may appear more than once)"
1435
remarks and comments.
1391
1436
.PP
1392
1437
Note that
1393
1438
.IR context ,
1437
1482
When "node fserv interface 192.168.1.1 down" line appears in input,
1438
1483
this rule starts a correlation operation that waits 10 minutes for
1439
1484
"node fserv interface 192.168.1.1 up" line, and if that line does not
1440
arrive on time, the correlation operation executes shell command
1485
arrive on time, the correlation operation executes the shell command
1441
1486
.PP
1442
1487
notify.sh "fserv if 192.168.1.1 is down"
1443
1488
.PP
1454
1499
value, in order to detect a composite event B.
1455
1500
Its rule definition has the following parameters:
1456
1501
.TP
1457
.I "type"
1502
.I type
1458
1503
fixed to SingleWithThreshold (value is case insensitive).
1459
1504
.TP
1460
.I "continue (optional)"
1505
.IR continue " (optional)"
1461
1506
TakeNext or DontCont (values are case insensitive).
1462
1507
.TP
1463
.I "ptype"
1508
.I ptype
1464
1509
pattern type (value is case insensitive).
1465
1510
.TP
1466
.I "pattern"
1511
.I pattern
1467
1512
pattern for detecting event A.
1468
1513
.TP
1469
.I "context (optional)"
1514
.IR context " (optional)"
1470
1515
context expression.
1471
1516
.TP
1472
.I "desc"
1517
.I desc
1473
1518
textual description of event B.
1474
1519
.TP
1475
.I "action"
1520
.I action
1476
1521
action list that is executed when
1477
1522
.I thresh
1478
1523
instances of event A have been observed within the given time window. After
1479
1524
that all events A will be ignored during the rest of the time window.
1480
1525
.TP
1481
.I "window"
1526
.IR action2 " (optional)"
1527
action list that is executed when the event correlation operation terminates,
1528
if
1529
.I action
1530
has been previously executed by the operation.
1531
.TP
1532
.I window
1482
1533
size of the time window in seconds. The window is sliding - if event A has
1483
1534
been observed less than
1484
1535
.I thresh
1485
1536
times at the end of the window, the beginning of the window is moved to the
1486
1537
occurrence time of the second instance of event A, and the counting operation
1487
1538
will continue.
1488
If there is no second instance of event A (i.e., event has been observed only
1489
once), the correlation operation will terminate.
1539
If there is no second instance of event A (i.e., the event has been observed
1540
only once), the correlation operation will terminate.
1490
1541
.TP
1491
.I "thresh"
1542
.I thresh
1492
1543
threshold value.
1544
.TP
1545
.IR rem " (optional, may appear more than once)"
1546
remarks and comments.
1493
1547
.PP
1494
1548
Note that
1495
1549
.IR context ,
1515
1569
thresh=3
1516
1570
.PP
1517
1571
When line "user dbadmin login failure on tty1" is observed, the rule starts
1518
a correlation operation that executes shell command
1572
a correlation operation that executes the shell command
1519
1573
.PP
1520
1574
notify.sh "Repeated login failures for user dbadmin on tty1"
1521
1575
.PP
1530
1584
action=shellcmd notify.sh "%s"; reset 0 %s
1531
1585
.PP
1532
1586
the correlation operation will terminate itself after calling notify.sh, and
1533
the next matching line will always start a new counting operation.
1587
the next matching line will start a new counting operation.
1534
1588
.SS "SINGLEWITH2THRESHOLDS RULE"
1535
1589
The
1536
1590
.B SingleWith2Thresholds
1543
1597
stay below the second threshold value (in order to detect a composite event C).
1544
1598
Its rule definition has the following parameters:
1545
1599
.TP
1546
.I "type"
1600
.I type
1547
1601
fixed to SingleWith2Thresholds (value is case insensitive).
1548
1602
.TP
1549
.I "continue (optional)"
1603
.IR continue " (optional)"
1550
1604
TakeNext or DontCont (values are case insensitive).
1551
1605
.TP
1552
.I "ptype"
1606
.I ptype
1553
1607
pattern type (value is case insensitive).
1554
1608
.TP
1555
.I "pattern"
1609
.I pattern
1556
1610
pattern for detecting event A.
1557
1611
.TP
1558
.I "context (optional)"
1612
.IR context " (optional)"
1559
1613
context expression.
1560
1614
.TP
1561
.I "desc"
1615
.I desc
1562
1616
textual description of event B.
1563
1617
.TP
1564
.I "action"
1618
.I action
1565
1619
action list that is executed when
1566
1620
.I thresh
1567
instances of event A have been observed within time window
1621
instances of event A have been observed within the time window
1568
1622
.IR window .
1569
After that event counting is started again with threshold value
1623
After that event counting continues with the threshold value
1570
1624
.I thresh2
1571
1625
and time window
1572
1626
.IR window2 .
1573
1627
.TP
1574
.I "window"
1628
.I window
1575
1629
size of the first time window in seconds. The window is sliding.
1576
1630
.TP
1577
.I "thresh"
1578
first threshold value.
1631
.I thresh
1632
the first threshold value.
1579
1633
.TP
1580
.I "desc2"
1634
.I desc2
1581
1635
textual description of event C.
1582
1636
.TP
1583
.I "action2"
1637
.I action2
1584
1638
action list that is executed if no more than
1585
1639
.I thresh2
1586
instances of event A have been observed within last
1640
instances of event A have been observed during the last
1587
1641
.I window2
1588
1642
seconds. After executing
1589
1643
.I action2
1590
1644
the event correlation operation terminates.
1591
1645
.TP
1592
.I "window2"
1646
.I window2
1593
1647
size of the second time window in seconds. The window is sliding.
1594
1648
.TP
1595
.I "thresh2"
1596
second threshold value.
1649
.I thresh2
1650
the second threshold value.
1651
.TP
1652
.IR rem " (optional, may appear more than once)"
1653
remarks and comments.
1597
1654
.PP
1598
1655
Note that
1599
1656
.IR context ,
1629
1686
thresh2=0
1630
1687
.PP
1631
1688
When SYS-3-CPUHOG syslog message is received from a router, the rule starts
1632
a counting operation that executes shell command
1689
a counting operation that executes the shell command
1633
1690
.PP
1634
1691
notify.sh "router <routername> CPU overload"
1635
1692
.PP
1636
1693
if additional SYS-3-CPUHOG syslog message is received from the router within
1637
next 5 minutes. After that the correlation operation waits until no
1638
SYS-3-CPUHOG syslog messages have been received from the router during last 1
1639
hour, and then executes
1694
5 minutes. After that the correlation operation waits until no SYS-3-CPUHOG
1695
syslog messages have been received from the router during the last 1 hour,
1696
and then executes
1640
1697
.PP
1641
1698
notify.sh "router <routername> CPU load normal"
1642
1699
.SS "SUPPRESS RULE"
1650
1707
if the event parameters match the pattern specified. Its rule definition has
1651
1708
the following parameters:
1652
1709
.TP
1653
.I "type"
1710
.I type
1654
1711
fixed to Suppress (value is case insensitive).
1655
1712
.TP
1656
.I "ptype"
1713
.I ptype
1657
1714
pattern type (value is case insensitive).
1658
1715
.TP
1659
.I "pattern"
1716
.I pattern
1660
1717
pattern for detecting event A (or its subclass) that must be suppressed (or
1661
1718
filtered out).
1662
1719
.TP
1663
.I "context (optional)"
1720
.IR context " (optional)"
1664
1721
context expression.
1665
1722
.TP
1666
.I "desc (optional)"
1723
.IR desc " (optional)"
1667
1724
textual description of this rule.
1725
.TP
1726
.IR rem " (optional, may appear more than once)"
1727
remarks and comments.
1668
1728
.PP
1669
1729
Note that the
1670
1730
.I context
1686
1746
.br
1687
1747
pattern=/dev/vg01/\\S+: [Ff]ile system full
1688
1748
.PP
1689
First rule suppresses all "file system full" events if context
1749
The first rule suppresses all "file system full" events if the context
1690
1750
.B mycontext
1691
is present. Second rule filters out all "file system full"
1692
events that concern volume group vg01.
1751
is present. The second rule filters out all "file system full"
1752
events that concern the volume group vg01.
1693
1753
.SS "CALENDAR RULE"
1694
1754
The
1695
1755
.B Calendar
1697
1757
other rules, this rule reacts only to the system clock, ignoring other
1698
1758
input. Its rule definition has the following parameters:
1699
1759
.TP
1700
.I "type"
1760
.I type
1701
1761
fixed to Calendar (value is case insensitive).
1702
1762
.TP
1703
.I "time"
1763
.I time
1704
1764
crontab-style time specification (see
1705
1765
.BR crontab (1)
1706
1766
for more information). Time specification consists of five fields separated
1711
1771
Sunday). Asterisks (*), ranges of numbers (e.g., 8-11), and lists (e.g.,
1712
1772
2,5,7-9) are allowed as field values.
1713
1773
.TP
1714
.I "context (optional)"
1774
.IR context " (optional)"
1715
1775
context expression.
1716
1776
.TP
1717
.I "desc"
1777
.I desc
1718
1778
event description string.
1719
1779
.TP
1720
.I "action"
1780
.I action
1721
1781
action list to be executed.
1782
.TP
1783
.IR rem " (optional, may appear more than once)"
1784
remarks and comments.
1722
1785
.PP
1723
1786
.B Examples:
1724
1787
.PP
1809
1872
correlation operations.
1810
1873
.SH TIMING AND IPC
1811
1874
There are several kinds of events that SEC reacts to - changes in input
1812
files (e.g., appearance of new data), the reception of a signal, status change
1813
of a child process, and time related events (expiration of the context
1814
lifetime, a Calendar rule that has become active, etc.).
1875
files (e.g., appearance of new data), reception of a signal, status change
1876
of a child process, and time related events (e.g., context expiration).
1815
1877
.PP
1816
1878
When new data appear in SEC input files, only one line will be read at a time
1817
1879
(even when more lines are available), after which the input buffer is updated
1823
1885
first element of the buffer. Note that when synthetic events have been created
1824
1886
with the
1825
1887
.I event
1826
action and new input data is also available in input files, synthetic events
1888
action and new input data are also available in input files, synthetic events
1827
1889
are always read first by SEC. After no more such events are
1828
1890
available for reading, SEC will read new data from input files.
1829
1891
.PP
1830
1892
After the buffer has been updated (every update always adds only one
1831
1893
and removes only one line), the rules from configuration files are
1832
processed, comparing the rules against the new content of the input buffer.
1833
Even when a rule matches and its action list specifies an immediate change
1834
in the buffer (e.g., by using the
1894
processed, matching the rules against the new content of the input buffer.
1895
Even when a rule matches and its action list suggests an immediate change
1896
in the buffer (e.g., through the
1835
1897
.I event
1836
1898
action), the input buffer will _not_ be updated until all the rules have
1837
been compared against the current content of the buffer.
1899
been compared with the current content of the buffer.
1838
1900
.PP
1839
Rules from the same configuration file are compared against the input buffer
1901
Rules from the same configuration file are compared with the input buffer
1840
1902
in the order they were given in that file.
1841
1903
When multiple configuration files have been specified, each file containing
1842
a distinct ruleset, events are processed virtually in parallel - an event is
1843
always submitted for processing to all rulesets. However, the order the
1904
a distinct ruleset, events are processed virtually in parallel - the buffer
1905
is always processed by all rulesets. However, the order the
1844
1906
rulesets are applied during event processing is determined by the order
1845
the files were given at SEC commandline. If a
1907
the files were given at SEC command line. If a
1846
1908
.B -conf
1847
option specifies a pattern, SEC uses Perl
1909
option specifies a pattern, SEC uses the Perl
1848
1910
.BR glob ()
1849
1911
function to expand the pattern, and the resulting file list is applied by SEC
1850
1912
in the order returned by
1889
1951
.PP
1890
1952
If the
1891
1953
.B -intevents
1892
commandline option is given, SEC will generate internal events when
1954
command line option is given, SEC will generate internal events when
1893
1955
it is started up, when it receives certain signals, and when it terminates
1894
1956
normally. Inside SEC, internal event is treated as if it was a line that
1895
1957
was read from a SEC input file.
1904
1966
option has been given, this event will always be the first event that SEC
1905
1967
observes)
1906
1968
.PP
1907
SEC_RESTART - generated after SEC has received
1969
SEC_RESTART - generated after SEC has received the
1908
1970
.B SIGHUP
1909
1971
signal and all internal data structures have been cleared (this event will
1910
1972
be the first event that SEC observes after reloading its configuration)
1911
1973
.PP
1912
SEC_SOFTRESTART - generated after SEC has received
1974
SEC_SOFTRESTART - generated after SEC has received the
1913
1975
.B SIGABRT
1914
1976
signal (this event will be the first event that SEC observes after reloading
1915
1977
its configuration)
1916
1978
.PP
1917
SEC_SHUTDOWN - generated when SEC receives
1979
SEC_SHUTDOWN - generated when SEC receives the
1918
1980
.B SIGTERM
1919
1981
signal, or when SEC reaches all EOFs of input files after being started with
1920
1982
the
1932
1994
.PP
1933
1995
If the
1934
1996
.B -intcontexts
1935
commandline option is given, or there is an
1997
command line option is given, or there is an
1936
1998
.B -input
1937
1999
option with a context specified, SEC will create an internal context each time
1938
a line is read from an input file, or a line is read that was created with
2000
a line is read from an input file, or a line is read that was created with the
1939
2001
.I event
1940
2002
action. The internal context will be deleted immediately after the line has
1941
2003
been matched against all rules. For all input files that have the context
1944
2006
the name of the internal context is <context>. If the line was read from
1945
2007
the input file <filename> for which there is no context name set, the name
1946
2008
of the internal context is _FILE_EVENT_<filename>. If the line was created
1947
with
2009
with the
1948
2010
.I event
1949
2011
action, the name of the internal context is _INTERNAL_EVENT. This will help
1950
2012
the end user to write rules that will match data from one particular input
1966
2028
.IR spawn ,
1967
2029
.IR pipe ,
1968
2030
and
1969
.IR report
2031
.I report
1970
2032
actions involve the creation of a child process. The communication between
1971
2033
SEC and its child processes takes place through pipes (created with Perl pipe
1972
2034
opens like open(FH, "| mycommand") or
1973
2035
.BR pipe (2)
1974
2036
system call). Note that the running time of children is not limited in any
1975
way, so long-running processes can be started from SEC. For instance, you
1976
could start a SEC agent with
2037
way, so long-running processes can be started from SEC. For instance, one
2038
could start a SEC agent with the
1977
2039
.I spawn
1978
2040
action that runs forever and provides SEC with additional input events.
1979
However, note that before termination, SEC sends the
2041
However, note that SEC sends the
1980
2042
.B SIGTERM
1981
signal to all its children.
2043
signal to all its children before termination.
1982
2044
If some special exit procedures need to be carried out in the child process
1983
2045
(or the child wishes to ignore
1984
2046
.BR SIGTERM ),
1986
2048
.B SIGTERM
1987
2049
signal.
1988
2050
.PP
1989
Note that if your rule definition includes two
2051
Note that if a rule definition includes two
1990
2052
.I shellcmd
1991
2053
actions (or other actions that call external scripts or
1992
2054
programs), the order that these scripts or programs are executed
1993
is not determined. For instance, if you have the following action definition
2055
is not determined. For instance, with the following action definition
1994
2056
.PP
1995
2057
action=shellcmd cmd1; shellcmd cmd2
1996
2058
.PP
1997
then cmd2 could well terminate before cmd1, or cmd2 could well start before
1998
cmd1 (e.g., when cmd1 is a complex commandline and cmd2 is relatively simple,
2059
cmd2 could well terminate before cmd1, or cmd2 could well start before
2060
cmd1 (e.g., when cmd1 is a complex command line and cmd2 is relatively simple,
1999
2061
it takes more time from the shell to process and start cmd1 than cmd2).
2000
2062
.SH VARIABLES AND EVAL
2001
2063
There are two kinds of variables that can be used in SEC rule definitions -
2034
2096
%%t.)
2035
2097
.PP
2036
2098
SEC allows the user to define patterns, context expressions, and actions
2037
which involve calls to Perl
2099
which involve calls to the Perl
2038
2100
.BR eval ()
2039
2101
function. In addition to explicitly using %<alnum_name> variables that are
2040
2102
global across the rules, the user can implicitly employ Perl variables created
2101
2163
action=report ftp_$1 /bin/mail root@localhost; \\
2102
2164
delete ftp_$1
2103
2165
.PP
2104
First rule creates context with the name
2166
The first rule creates the context with the name
2105
2167
.B ftp_<pid>
2106
2168
when someone connects from host ristov2 with ftp. The second rule adds all
2107
2169
logfile lines that are associated with the session <pid> to the event store
2109
2171
.B ftp_<pid>
2110
2172
(before adding a line, the rule checks if the context exists). After
2111
2173
adding a line, the rule extends context's lifetime for 30 minutes and sets
2112
the action list that will be executed when context times out. The third rule
2174
the action list that will be executed when the context expires. The third rule
2113
2175
mails collected logfile lines to root@localhost when the session <pid> is
2114
2176
closed. Collected lines will also be mailed when the session <pid> has been
2115
2177
inactive for 30 minutes (no logfile lines observed for that session).
2116
2178
.PP
2117
2179
Note that the logfile line that has matched the first rule will be passed
2118
2180
to the second rule and will become the first line in the event store
2119
(the first rule has
2181
(the first rule has the
2120
2182
.I continue
2121
parameter set to TakeNext). The second rule has also
2183
parameter set to TakeNext). The second rule has also its
2122
2184
.I continue
2123
2185
parameter set to TakeNext, since otherwise no logfile lines would reach the
2124
2186
third rule.
2125
2187
.SS "Example 2"
2126
2188
Suppose there is a backup job in your system that runs at 2AM every night
2127
2189
and logs "BACKUP READY" message when it has completed its work. You want to
2128
send SNMP trap if there is no message in the log by 2:15AM.
2190
send an SNMP trap if there is no message in the log by 2:15AM.
2129
2191
.PP
2130
2192
type=Calendar
2131
2193
.br
2199
2261
window=86400
2200
2262
.PP
2201
2263
If "node <node> interface <interface> down" event is observed, the interface
2202
is checked with not_resp.sh script. If the interface is found to be down
2264
is checked with the not_resp.sh script. If the interface is found to be down
2203
2265
(not_resp.sh returns 0 as its exit code), event
2204
"NODE <node> IF <interface> DOWN" is generated, which will be matched by the
2266
"NODE <node> IF <interface> DOWN" is generated which will be matched by the
2205
2267
second rule. The second rule starts a correlation operation that calls
2206
2268
.PP
2207
2269
notify.sh "Interface <interface> is down at node <node>"
2229
2291
disk box. You would like to use different e-mail address at night-time and
2230
2292
also receive a report of all night events. The problem here is that useful
2231
2293
information is scattered over 7 lines and needs to be consolidated into
2232
single event. Consider the following rules to accomplish this task:
2294
a single event. Consider the following rules for accomplishing this task:
2233
2295
.PP
2234
2296
type=Calendar
2235
2297
.br
2262
2324
.br
2263
2325
action=shellcmd alarm.sh "%s"
2264
2326
.PP
2265
First rule creates context
2327
The first rule creates the context
2266
2328
.B night
2267
2329
with the lifetime of 10 hours every day at 10PM.
2268
The second rule specifies that script nightalarm.sh must be used for
2269
sending alert messages at nights, otherwise script alarm.sh should be used.
2270
Every night-time event is added to context
2330
The second rule specifies that the script nightalarm.sh must be used for
2331
sending alert messages at nights, otherwise the script alarm.sh should be
2332
used. Every night-time event is added to the context
2271
2333
.BR night ,
2272
2334
and collected events will be mailed to root@localhost at 8AM.
2273
2335
.SS "Example 5"
2279
2341
.PP
2280
2342
# Set up contexts NIGHT and WEEKEND for nights
2281
2343
.br
2282
# and weekends. Context NIGHT has a lifetime
2344
# and weekends. The context NIGHT has a lifetime
2283
2345
.br
2284
# of 8 hours and context WEEKEND 2 days
2346
# of 8 hours and the context WEEKEND 2 days
2285
2347
.PP
2286
2348
type=Calendar
2287
2349
.br
2407
2469
.PP
2408
2470
# If "<router> INTERFACE <interface> DOWN" event is
2409
2471
.br
2410
# received from previous rule, send a notification and
2472
# received from the previous rule, send a notification and
2411
2473
.br
2412
2474
# wait for "interface up" event for the next 24 hours
2413
2475
.PP
2448
2510
window=21600
2449
2511
.br
2450
2512
thresh=10
2513
.SH ENVIRONMENT
2514
If the
2515
.B
2516
SECRC
2517
environment variable is set, SEC expects it to contain the name of its
2518
resource file. Resource file lines which are empty or which begin with #
2519
(whitespace may precede #) are ignored; other lines must contain SEC
2520
command line options, with each option on a separate line. When SEC
2521
reads the resource file, each non-empty and non-comment line is
2522
considered a single option and is pushed into the @ARGV array as a single
2523
element. Note that although SEC re-reads its resource file at the
2524
reception of the
2525
.B SIGHUP
2526
or
2527
.B SIGABRT
2528
signal, adding an option that specifies a certain
2529
startup procedure (e.g.,
2530
.B -pid
2531
or
2532
.BR -detach )
2533
will not produce the desired effect at runtime.
2451
2534
.SH SIGNALS
2452
2535
.TP
2453
.B "SIGHUP"
2454
SEC will reload its configuration, reopen its input files and logfile, and
2536
.B SIGHUP
2537
SEC will reopen its log and input files, reload its configuration, and
2455
2538
reset internal lists that contain correlation information (i.e., all active
2456
2539
event correlation operations will be cancelled, all contexts will be deleted,
2457
2540
and all user-defined variables will lose their values).
2459
2542
.B SIGTERM
2460
2543
signal to its child processes.
2461
2544
.TP
2462
.B "SIGABRT"
2463
SEC will act like it has received
2464
.BR SIGHUP ,
2465
but variables and contexts (and context event stores) will not be deleted,
2466
and SEC will also not send
2467
.B SIGTERM
2468
to its child processes. Note that on some systems
2545
.B SIGABRT
2546
SEC will reopen its log and input files, and load its configuration from
2547
rule files which have been modified (file modification time returned by
2548
.BR stat (2)
2549
has changed) or created after the previous configuration load.
2550
SEC will also cancel event correlation operations started from rule files
2551
that have been modified or removed after the previous configuration load.
2552
Other operations and other event correlation entities
2553
(contexts, variables, child processes, etc.) will remain intact.
2554
Note that on some systems
2469
2555
.B SIGIOT
2470
2556
is used in place of
2471
2557
.BR SIGABRT .
2472
2558
.TP
2473
.B "SIGUSR1"
2559
.B SIGUSR1
2474
2560
some information about the current state of SEC (content of internal lists,
2475
2561
rule usage statistics, etc.) will be written to the SEC dumpfile.
2476
2562
.TP
2477
.B "SIGUSR2"
2478
SEC will reopen its logfile. Useful for logfile rotating, since it
2479
does not cancel active event correlation operations like
2480
.B SIGHUP
2481
does.
2563
.B SIGUSR2
2564
SEC will reopen its logfile (useful for logfile rotation).
2482
2565
.TP
2483
.B "SIGTERM"
2566
.B SIGTERM
2484
2567
SEC will terminate gracefully (all SEC child processes will receive
2485
2568
.BR SIGTERM ).
2486
2569
.SH AUTHOR
2495
2578
.BR pipe (2),
2496
2579
.BR snmpnotify (1),
2497
2580
.BR snmptrap (1),
2581
.BR stat (2),
2498
2582
.BR syslog (3),
2499
2583
.BR time (2)
Loggerhead is a web-based interface for Breezy
Version: 2.0.1