Perl-based Event Correlation

News	Event Correlation Technologies	Recommended Links	Recommended Papers	Perl	Regex
Pipes				Humor	Etc

SEC is an open source and platform independent event correlation tool written in Perl (5.6 or later) by Risto Vaarandi.

SEC has been primarily tested on Linux and Solaris, but since it is written in Perl and does not use any platform-dependent subroutines, it should work on most operating systems.

Key features:

input: regular files, named pipes, and standard input, and can thus be employed as an event correlator for any application that is able to write its output events to a file stream.
rules, each rule specifying an event matching condition, an action list, and optionally a Boolean expression whose truth value decides whether the rule can be applied at a given moment. Regular expressions, Perl subroutines, etc. are used for defining event matching conditions. Event correlation rule types:
- Single - match input event and execute an action list.
- SingleWithScript - match input event and execute an action list, if an external script or program returns a certain exit value.
- SingleWithSuppress - match input event and execute an action list, but ignore the following matching events for the next t seconds.
- Pair - match input event, execute an action list, and ignore the following matching events until some other input event arrives. On the arrival of the second event execute another action list.
- PairWithWindow - match input event and wait for t seconds for other input event to arrive. If that event is not observed within the given time window, execute an action list. If the event arrives on time, execute another action list.
- SingleWithThreshold - count matching input events during t seconds and if a given threshold is exceeded, execute an action list and ignore the following matching events during the remaining time window. The window of t seconds is sliding.
- SingleWith2Thresholds - count matching input events during t1 seconds and if a given threshold is exceeded, execute an action list. Then start the counting of matching events again and if their number per t2 seconds drops below the second threshold, execute another action list. Both event correlation windows are sliding.
- Suppress - suppress matching input event (used to keep the event from being matched by later rules).
- Calendar - execute an action list at specific times.
  Rules allow not only shell commands to be executed as actions, but they can also:
  - create and delete contexts that decide whether a particular rule can be applied at a given moment,
  - associate events with a context and report collected events at a later time (similar feature is supported by logsurfer),
  - generate new events that will be input for other rules,
  - reset correlation operations that have been started by other rules,
  - spawn external event, fault, or knowledge analysis modules,
  - etc.
  This makes it possible to combine several rules and form more complex event correlation schemes.
output events can be produced by executing user-specified shell scripts or programs by writing messages to pipes or files, and by various other means. The applications SEC has been used or integrated with include HP OpenView NNM and Operations, CiscoWorks, BMC Patrol, Nagios, SNMPTT, Snort IDS, Prelude IDS, etc.

Notes:

This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Some amount of grammar and spelling errors should be expected.
The site contain some broken links as it develops like a living tree... Please try to use Google, Open directory, etc. to find a replacement link (see HOWTO search the WEB for details). We would appreciate if you can mail us a correct link.

Google Search
Open directory	Research Index

Old News ;-)

[Dec 2, 2006] [PPT] Event correlation and data mining for event logs

[Jan 30, 2006] "Simple Event Correlator for real-time security log monitoring" - a paper about SEC that was published in Hakin9 Magazine

Simple Event Correlation installation and configuration

TIP - Learn how to install and configure Simple Event Correlation, an open source tool designed to monitor and react to incoming data feeds.

Recommended Links

Official Web page and documents

SEC - open source and platform independent event correlation tool

SEC manpage

FAQ

Articles

"Working with SEC - the Simple Event Correlator" by Jim Brown - an excellent paper that not only provides a good introduction to SEC but also covers a number of advanced issues (here are the links for the part 1 and part 2 of the paper).
Defining event rules in Simple Event Correlation by James Turnbull
"Hardening Linux" (Apress, 2005) by James Turnbull - Chapter 5 of the book contains a discussion and examples how to employ SEC for log monitoring.
"Real-time log file analysis using the Simple Event Correlator (SEC)" by John P. Rouillard - a paper with SEC ruleset examples that was presented at USENIX LISA'2004.
"SEC - a Lightweight Event Correlation Tool" - an early paper about SEC that was presented at IEEE IPOM'2002.
SEC rule repository at Bleeding Edge Threats - if you have developed a ruleset that might be interesting to others as well, please contribute.

Risto Vaarandi Publications

Risto Vaarandi. Simple Event Correlator for real-time security log monitoring. Hakin9 Magazine 1/2006 (6), pp. 28-39, 2006
Risto Vaarandi. Tools and Techniques for Event Log Analysis. PhD Thesis, Tallinn University of Technology, 2005
Risto Vaarandi. A Breadth-First Algorithm for Mining Frequent Patterns from Event Logs. Proceedings of the 2004 IFIP International Conference on Intelligence in Communication Systems, LNCS Vol. 3283, © Springer-Verlag, pp. 293-308, 2004
Risto Vaarandi. A Data Clustering Algorithm for Mining Patterns From Event Logs. Proceedings of the 2003 IEEE Workshop on IP Operations and Management, pp. 119-126, 2003
Risto Vaarandi. A Clustering Algorithm for Logfile Data Sets. Technical Report, University of Kuopio, 2003
Risto Vaarandi. SEC - a Lightweight Event Correlation Tool. Proceedings of the 2002 IEEE Workshop on IP Operations and Management, pp. 111-115, 2002
Risto Vaarandi. Platform Independent Event Correlation Tool for Network Management. Proceedings of the 2002 IEEE/IFIP Network Operations and Management Symposium, pp. 907-910, 2002
Risto Vaarandi. Platform Independent Tool for Local Event Correlation. Acta Cybernetica 15(4), pp. 705-723, 2002
Risto Vaarandi. Platform Independent Tool for Local Event Correlation. Technical Report, University of Szeged, 2001
Risto Vaarandi. Hajusad failisüsteemid ("Distributed File Systems"). MSc Thesis, University of Tartu, 1996 (see also the references page)

Copyright © 1996-2009 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. Submit comments This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License(OPL). Site uses AdSense so you need to be aware of Google privacy policy. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

Disclaimer:

The statements, views and opinions presented on this web page are those of the author and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with.
We do not warrant the correctness of the information provided or its fitness for any purpose
In no way this site is associated with or endorse cybersquatters using the term "softpanorama" with other main or country domains (e.g. softpanorama.com) with bad faith intent to profit from the goodwill belonging to someone else.

Last modified: October 28, 2009