Softpanorama (slightly skeptical) Open Source Software Educational Society
May the source be with you, but remember the KISS principle ;-)
Perl-based Event Correlation
SEC is an open source and platform independent event correlation tool written in
Perl (5.6 or later) by Risto Vaarandi.
SEC has been primarily tested on Linux and Solaris, but since it is written in
Perl and does not use any platform-dependent subroutines, it should work on most
operating systems. The author has received reports about SEC working on FreeBSD,
OpenBSD, HP-UX, AIX, Tru64 UNIX, Mac OS X, and Win2000 (with CygWin Perl).
Key features:
- Input: regular files, named pipes, and standard input. SEC can thus be employed as an event correlator for any application that is able to write its output events to a file stream.
- Rules: each rule specifies an event matching condition, an action list, and optionally a Boolean expression whose truth value decides whether the rule can be applied at a given moment. Regular expressions, Perl subroutines, etc. are used for defining event matching conditions. Event correlation rule types:
- Output: output events can be produced by executing user-specified shell scripts or programs, by writing messages to pipes or files, and by various other means. The applications SEC has been used or integrated with include HP OpenView NNM and Operations, CiscoWorks, BMC Patrol, Nagios, SNMPTT, Snort IDS, Prelude IDS, etc.
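As an added illustration (not taken from the original page or from the SEC distribution), here is a small two-rule SEC configuration that exercises the features listed above: file input, a regular-expression matching condition, a Boolean context expression that gates a rule, and file-write actions. The log path, alert file, threshold, window and context lifetime are assumptions.

```ini
# Constructed example SEC ruleset (not part of the original page).
# Assumed invocation, with sshd logging to /var/log/auth.log:
#   sec --conf=ssh-failures.sec --input=/var/log/auth.log

# Rule 1: count failed SSH password attempts per source address ($2).
# The desc field is the counting key, so each source gets its own counter.
# Five matches inside a 60-second window fire the action once; the action
# also creates a context that keeps the same source quiet for 600 seconds.
# The context= expression (a Boolean condition on the context name) makes
# the rule inapplicable while that context exists.
type=SingleWithThreshold
ptype=RegExp
pattern=sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+
context=!SSH_FLAGGED_$2
desc=Repeated SSH login failures from $2
action=write /var/log/sec-alerts.log Repeated SSH login failures from $2; create SSH_FLAGGED_$2 600
window=60
thresh=5

# Rule 2: a successful login from a source that Rule 1 has already flagged
# is the event worth escalating. The context expression is true only while
# the SSH_FLAGGED_<source> context created by Rule 1 is still alive.
# $1 and $2 come from untrusted log text, so they are written to a file
# here rather than interpolated into a shellcmd action.
type=Single
ptype=RegExp
pattern=sshd\[\d+\]: Accepted password for (\S+) from (\S+) port \d+
context=SSH_FLAGGED_$2
desc=Successful login for $1 from previously flagged source $2
action=write /var/log/sec-alerts.log Successful login for $1 from flagged source $2
```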
Notes:
- This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Some amount of grammar and spelling errors should be expected.
- The site contains some broken links as it develops like a living tree... Please try to use Google, Open Directory, etc. to find a replacement link (see HOWTO search the WEB for details). We would appreciate it if you could mail us a correct link.
TIP - Learn how to install and configure Simple Event Correlation, an open source tool designed to monitor and react to incoming data feeds.
- SEC - open source and platform independent event correlation tool
- SEC manpage
- FAQ
- "Working with SEC - the Simple Event Correlator" by Jim Brown - an excellent paper that not only provides a good introduction to SEC but also covers a number of advanced issues (here are the links for part 1 and part 2 of the paper).
- "Hardening Linux" (Apress, 2005) by James Turnbull - Chapter 5 of the book contains a discussion and examples of how to employ SEC for log monitoring.
- "Real-time log file analysis using the Simple Event Correlator (SEC)" by John P. Rouillard - a paper with SEC ruleset examples that was presented at USENIX LISA'2004.
- "SEC - a Lightweight Event Correlation Tool" - an early paper about SEC that was presented at IEEE IPOM'2002.
- SEC rule repository at Bleeding Edge Threats - if you have developed a ruleset that might be interesting to others as well, please contribute.
Risto Vaarandi Publications
- Risto Vaarandi. Simple Event Correlator for real-time security log monitoring. Hakin9 Magazine 1/2006 (6), pp. 28-39, 2006.
- Risto Vaarandi. Tools and Techniques for Event Log Analysis. PhD Thesis, Tallinn University of Technology, 2005.
- Risto Vaarandi. A Breadth-First Algorithm for Mining Frequent Patterns from Event Logs. Proceedings of the 2004 IFIP International Conference on Intelligence in Communication Systems, LNCS Vol. 3283, © Springer-Verlag, pp. 293-308, 2004.
- Risto Vaarandi. A Data Clustering Algorithm for Mining Patterns From Event Logs. Proceedings of the 2003 IEEE Workshop on IP Operations and Management, pp. 119-126, 2003.
- Risto Vaarandi. A Clustering Algorithm for Logfile Data Sets. Technical Report, University of Kuopio, 2003.
- Risto Vaarandi. SEC - a Lightweight Event Correlation Tool. Proceedings of the 2002 IEEE Workshop on IP Operations and Management, pp. 111-115, 2002.
- Risto Vaarandi. Platform Independent Event Correlation Tool for Network Management. Proceedings of the 2002 IEEE/IFIP Network Operations and Management Symposium, pp. 907-910, 2002.
- Risto Vaarandi. Platform Independent Tool for Local Event Correlation. Acta Cybernetica 15(4), pp. 705-723, 2002.
- Risto Vaarandi. Platform Independent Tool for Local Event Correlation. Technical Report, University of Szeged, 2001.
- Risto Vaarandi. Hajusad failisüsteemid ("Distributed File Systems"). MSc Thesis, University of Tartu, 1996 (see also the references page).
Copyright © 1996-2008 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author's free time.
This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License (OPL). Original materials copyright belongs to their respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
Standard disclaimer: The statements, views and opinions presented on this web page are those of the author and are not endorsed by, nor do they necessarily reflect, the opinions of the author's present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.
Last modified: July 18, 2008