| |
man : sec(1)
sec(1) sec(1)
NAME
sec - simple event correlator
SYNOPSIS
sec [-conf=<file pattern> ...]
[-input=<file pattern>[=<context>] ...]
[-input_timeout=<input timeout>]
[-timeout_script=<timeout script>]
[-reopen_timeout=<reopen timeout>]
[-check_timeout=<check timeout>]
[-poll_timeout=<poll timeout>]
[-blocksize=<io block size>]
[-bufsize=<input buffer size>]
[-evstoresize=<event store size>]
[-cleantime=<clean time>]
[-log=<logfile>]
[-syslog=<facility>]
[-debug=<debuglevel>]
[-pid=<pidfile>]
[-dump=<dumpfile>]
[-quoting | -noquoting]
[-tail | -notail]
[-fromstart | -nofromstart]
[-detach | -nodetach]
[-intevents | -nointevents]
[-intcontexts | -nointcontexts]
[-testonly | -notestonly]
[-help] [-?]
[-version]
DESCRIPTION
SEC is a tool that was designed for accomplishing various event corre-
lation tasks in the domains of system monitoring, network and security
management, etc. Event correlation is a process where a stream of prim-
itive events is processed in order to detect composite events that cor-
respond to event patterns in the event stream.
After startup SEC reads lines from files, named pipes, or standard
input, matches the lines with patterns (regular expressions, Perl sub-
routines, etc.) for recognizing input events, and correlates events
according to the rules in its configuration file(s). In order to
detect a composite event, rules are used sequentially in the same order
as they are given in the configuration file. If there are two or more
configuration files, rule sequences from different files are used vir-
tually in parallel. SEC can be configured to produce its output by
executing user-specified shell commands, and by using utilities like
snmptrap(1) or snmpnotify(1), SEC can generate network management
events as output. Other options for producing output events are
described further in this man page.
Following rule types are currently implemented in SEC for detecting
composite events:
Single - match input event and execute an action immediately.
SEC 2.5.3 December 2009 1
sec(1) sec(1)
SingleWithScript - match input event and depending on the exit value of
an external script, execute an action.
SingleWithSuppress - match input event and execute an action immedi-
ately, but ignore following matching events for the next t seconds.
Pair - match input event, execute an action immediately, and ignore
following matching events until some other input event arrives. On the
arrival of the second event execute another action.
PairWithWindow - match input event and wait for t seconds for other
input event to arrive. If that event is not observed within a given
time window, execute an action. If the event arrives on time, execute
another action.
SingleWithThreshold - count matching input events during t seconds and
if a given threshold is exceeded, execute an action and ignore all
matching events during the rest of the time window.
SingleWith2Thresholds - count matching input events during t1 seconds
and if a given threshold is exceeded, execute an action. Then start the
counting of matching events again and if their number per t2 seconds
drops below the second threshold, execute another action.
Suppress - suppress matching input events (used to keep the events from
being matched by later rules).
Calendar - execute an action at specific times.
Jump - submit matching input events to specific ruleset(s) for further
processing.
Options - set processing options for a ruleset.
If a rule defines the correlation of several events in a certain time
window, the rule will start an event correlation operation when the
first matching event occurs. In order to distinguish between different
event correlation operations that have been started by the rules, every
operation is assigned a unique key that is generated from the rule ID,
the name of the configuration file the rule belongs to, and the textual
description of the composite event that the correlation operation is
trying to detect (see RULES AND EVENT CORRELATION OPERATIONS section
for more information).
Rules support not only the execution of shell commands as actions, but
also the creation and deletion of contexts that decide whether a par-
ticular rule can be applied at a given moment, the generation of syn-
thetic events that will act as input for other rules, the clearing of
correlation operations that have been started by other rules, etc. This
makes it possible to combine several rules and form more complex event
correlation schemes. Contexts can not only be used for activating or
deactivating a particular rule, but they can also serve as event stores
(in logsurfer(1) the contexts are used in a similar way). There are
actions for adding events to a context, reporting all events associated
SEC 2.5.3 December 2009 2
sec(1) sec(1)
with a context, etc. By using the features of SEC in an appropriate
way, one can accomplish a wide range of event correlation and event
consolidation tasks.
OPTIONS
-conf=<file pattern>
expand <file pattern> to filenames (with the Perl glob() func-
tion) and read event correlation rules from every file. Multiple
-conf options can be specified at command line. Each time SEC
receives a signal that forces a configuration reload, <file pat-
tern> is re-evaluated. See also TIMING section for a discussion
about the rule processing order when multiple configuration
files are involved.
-input=<file pattern>[=<context>]
expand <file pattern> to filenames (with the Perl glob() func-
tion) and use the files as event sources. An input file can be a
regular file, named pipe, or standard input if - was specified.
Multiple -input options can be specified at command line. Each
time SEC receives a signal that forces it to reopen its input
files, <file pattern> is re-evaluated. If SEC experiences a
system error when reading from an input file, it will close the
file (use the -reopen_timeout option for reopening the file). If
<context> is given, SEC will set up the context <context> each
time it reads a line from input files that correspond to <file
pattern>. This will help the user to write rules that match data
from particular input source(s) only. When there is an -input
option with <context> specified, it will automatically enable
the -intcontexts option. See INTERNAL EVENTS AND CONTEXTS sec-
tion for more information.
-input_timeout=<input_timeout>, -timeout_script=<timeout_script>
if SEC has not observed new data in an input file during
<input_timeout> seconds (or the file was closed <input_timeout>
seconds ago), <timeout_script> will be executed with command
line parameters 1 and <the name of the input file>. If fresh
data become available again, <timeout_script> will be executed
with command line parameters 0 and <the name of the input file>.
-reopen_timeout=<reopen_timeout>
if an input file is in closed state (e.g., because SEC has
failed to open it at startup), SEC will attempt to reopen this
input file after every <reopen_timeout> seconds until open suc-
ceeds.
-check_timeout=<check_timeout>
if SEC has not observed new data in an input file, SEC will not
poll the file (both for status and data) during the next
<check_timeout> seconds.
-poll_timeout=<poll_timeout>
a real number that specifies how many seconds SEC will sleep
when no new data were read from input files. Default is 0.1 sec-
onds.
SEC 2.5.3 December 2009 3
sec(1) sec(1)
-blocksize=<io_block_size>
size of the block in bytes that SEC will attempt to read from
input files at once. Default is 1024 (i.e., read from input
files by 1KB blocks).
-bufsize=<input_buffer_size>
set input buffer to hold last <input_buffer_size> lines that
have been read from input files. The content of input buffer
will be compared with patterns that are part of rule definitions
(i.e., no more than <input_buffer_size> lines can be matched by
a pattern at a time). Default size is 10 lines.
-evstoresize=<event_store_size>
set an upper limit to the size of context event stores - if an
event store already contains <event_store_size> events, SEC will
add no more events to that context, regardless of its configura-
tion file directives.
-cleantime=<clean_time>
time interval in seconds that specifies how often internal event
correlation and context lists are processed, in order to accom-
plish time-related tasks and to remove obsolete elements. See
TIMING section for more information. Default is 1 second.
-log=<logfile>
use <logfile> for logging SEC activities. Note that if the SEC
standard error is connected to a terminal, messages will be
logged there, in order to facilitate debugging. If the -detach
option has also been specified, no logging to standard error
will take place.
-syslog=<facility>
use syslog for logging SEC activities. All messages will be
logged with the facility <facility>, e.g., local0 (see syslog(3)
for possible facility values). Warning: be careful with this
option if you use SEC for monitoring syslog logfiles, because it
might create message loops (SEC log messages are written to SEC
input files that trigger new log messages).
-debug=<debuglevel>
set logging verbosity for the SEC logfile. Setting debuglevel to
<debuglevel> means that all messages from <debuglevel> and lower
levels are logged (e.g., if <debuglevel> is 3, messages from
levels 1, 2, and 3 are logged). The following levels are recog-
nized by SEC:
1 - critical messages (severe faults that cause SEC to termi-
nate, e.g., a failed system call)
2 - error messages (faults that need attention but don't cause
SEC to terminate, e.g., an incorrect rule definition in a con-
figuration file)
3 - warning messages (possible faults, e.g., a command forked
from SEC terminated with a non-zero exit code)
4 - notification messages (normal system level events and inter-
rupts, e.g., the reception of a signal)
SEC 2.5.3 December 2009 4
sec(1) sec(1)
5 - informative messages (information about external commands
forked from SEC)
6 - debug messages (detailed information about all SEC activi-
ties)
Default <debuglevel> is 6 (i.e., log everything). See SIGNALS
section for information on how to change <debuglevel> at run-
time.
-pid=<pidfile>
SEC will store its process ID to <pidfile> at startup.
-dump=<dumpfile>
SEC will use <dumpfile> as its dumpfile. See SIGNALS section for
more information. Default is /tmp/sec.dump.
-quoting, -noquoting
if the -quoting option is specified, event description strings
that are supplied to external shell commands of shellcmd and
spawn actions will be put inside apostrophes. All apostrophes '
that strings originally contain will be masked. This option pre-
vents the shell from interpreting special symbols that event
description strings might contain. Default is -noquoting.
-tail, -notail
if the -notail option is specified, SEC will process all data
that are currently available in input files and exit after
reaching all EOFs. Default is -tail - SEC will jump to the end
of input files and wait for new lines to arrive. With the -tail
option, SEC follows an input file by its name (and not merely by
its i-node). If the input file is recreated or truncated, SEC
will reopen it and process its content from the start. If the
input file is removed (i.e., there is just an i-node left with-
out name), SEC will keep the i-node open and wait for the input
file to be recreated.
-fromstart, -nofromstart
these flags have no meaning when the -notail option is also
specified. When used in combination with -tail (or alone, since
-tail is enabled by default), -fromstart will force SEC to read
and process input files from the beginning to the end, before
the 'tail' mode is entered at SEC startup. Default is -nofrom-
start.
-detach, -nodetach
if the -detach option is specified, SEC will disassociate itself
from the controlling terminal and become a daemon at startup
(note that SEC will close its standard input, standard output,
and standard error, and change its working directory to the root
directory). Default is -nodetach.
-intevents, -nointevents
SEC will generate internal events when it starts up, when it
receives certain signals, and when it terminates normally. Spe-
cific rules can be written to match those internal events, in
SEC 2.5.3 December 2009 5
sec(1) sec(1)
order to take some action at SEC startup, restart, and shutdown.
See INTERNAL EVENTS AND CONTEXTS section for more information.
Default is -nointevents.
-intcontexts, -nointcontexts
SEC will create an internal context when it reads a line from an
input file. This will help the user to write rules that match
data from particular input source only. See INTERNAL EVENTS AND
CONTEXTS section for more information. Default is -nointcon-
texts.
-testonly, -notestonly
if the -testonly option is specified, SEC will exit immediately
after parsing the configuration file(s). If the configuration
file(s) contained no faulty rules, SEC will exit with 0, other-
wise with 1. Default is -notestonly.
-help, -?
SEC will output usage information and exit.
-version
SEC will output version information and exit.
Note that one can introduce options both with a single dash (-) and
double dash (--), and also use both the equal sign (=) and whitespace
as a separator between the option name and the option value, e.g.,
-conf=<file pattern> and --conf <file pattern> are equivalent.
CONFIGURATION FILE
The SEC configuration file consists of rule definitions which are sepa-
rated by empty and comment lines. Each rule definition is made up of
keyword=value pairs, one keyword and value per line. Values are case
sensitive only where character case is important (like the values spec-
ifying regular expressions). \-symbol may be used at the end of a line
to continue the keyword=value pair on the next line. Lines which begin
with #-symbol are treated as comments and ignored (whitespace charac-
ters may precede #-symbol). Any comment line, empty line, or end of the
file will terminate the preceding rule definition. In order to insert
comments into the rule definition, the rem keyword can be used.
Apart from keywords that are part of rule definitions, label keywords
may appear anywhere in the configuration file. The value of each label
keyword will be treated as a label that can be referred to in rule def-
initions as a point-of-continue. This allows to continue event pro-
cessing at a rule that follows the label, after the current rule has
matched and processed the event.
Before describing each rule type in detail, patterns and pattern types,
context expressions, and action lists are discussed, since they are
important parts of the rule definition.
PATTERNS AND PATTERN TYPES
SEC supports the following pattern types (if <number> is omitted, 1 is
assumed):
SEC 2.5.3 December 2009 6
sec(1) sec(1)
SubStr[<number>]
pattern is assumed to be a substring that will be searched in
last <number> input lines L1, L2, ..., L<number>. The input
lines are joined into a single string with the newline character
acting as a separator, and the resulting string
"L1\nL2\n...\nL<number>" is searched for the substring. (Note
that if <number> is 1, the last input line without a terminating
newline is searched.) If the substring is found, the pattern
matches. The backslash constructs \t, \n, \r, \s, and \0 can be
used in the pattern to denote tabulation, newline, carriage
return, space character, and empty string, while \\ denotes
backslash itself. As an example, consider the following pattern
definition:
ptype=substr
pattern=Backup done:\tsuccess
The pattern matches lines containing "Backup done:<TAB>success".
RegExp[<number>]
pattern is assumed to be a regular expression that last <number>
input lines L1, L2, ..., L<number> are compared with. The input
lines are joined into a single string with the newline character
acting as a separator, and the resulting string
"L1\nL2\n...\nL<number>" is compared with the regular expression
pattern. (Note that if <number> is 1, the last input line with-
out a terminating newline is compared with the pattern.) If the
pattern matches, backreference values will be assigned to the
special variables $1, $2, ..., and the special variable $0 will
be set to "L1\nL2\n...\nL<number>" (i.e., to the matching input
line(s)). These special variables can be used in some other
parts of the rule definition. All regular expression constructs
that Perl allows are allowed in the pattern (see perlre(1) for
more information). As an example, consider the following pattern
definition:
ptype=regexp
pattern=(?i)(\S+\.mydomain).*printer: toner\/ink low
The pattern matches "printer: toner/ink low" messages in a case
insensitive manner from printers belonging to .mydomain. Note
that the printer hostname is assigned to $1, while the whole
message line is assigned to $0. As another example, the follow-
ing pattern definition
ptype=regexp2
pattern=^AAA\nBBB$
produces a match if the last two input lines are AAA and BBB,
and sets $0 to "AAA\nBBB".
PerlFunc[<number>]
pattern is assumed to be a Perl function that last <number>
input lines L1, L2, ..., L<number> are submitted to. The Perl
SEC 2.5.3 December 2009 7
sec(1) sec(1)
function is compiled at SEC startup by calling the Perl eval()
function, and eval() must return a code reference for the pat-
tern to be valid (also see VARIABLES AND EVAL section for more
information). In order to check whether the pattern matches,
SEC will call the function in list context and pass lines L1,
L2, ..., L<number> and the names of corresponding input sources
S1, S2, ..., S<number> to the function as parameters:
function(L1, L2, ..., L<number>, S1, S2, ..., S<number>)
(if the input line has been generated with the event action, its
input source name will be set to 'undef'). If the function
returns several values or a single value that is TRUE in boolean
context, the pattern matches. If the pattern matches, return
values will be assigned to the special variables $1, $2, ...,
and the special variable $0 will be set to "L1\nL2\n...\nL<num-
ber>" (i.e., to the matching input line(s)). These special vari-
ables can be used in some other parts of the rule definition. As
an example, consider the following pattern definition:
ptype=perlfunc2
pattern=sub { return ($_[0] cmp $_[1]); }
The pattern compares last two input lines in a stringwise manner
($_[1] holds the last line and $_[0] the preceding one), and
matches if the lines are different. Note that the result of the
comparison is assigned to $1, while the two input lines are con-
catenated (with the newline character between them) and assigned
to $0. As another example, the following pattern definition
ptype=perlfunc
pattern=sub { if ($_[0] =~ /(abc|def)/) { \
return defined($_[1]) ? $_[1] : "SEC"; } return 0; }
produces a match if the input line contains either the string
"abc" or the string "def", and sets $0 to the matching line and
$1 to the name of the input source.
NSubStr[<number>]
like SubStr[<number>], except the result of the match is
negated.
NRegExp[<number>]
like RegExp[<number>], except the result of the match is
negated.
NPerlFunc[<number>]
like PerlFunc[<number>], except the result of the match is
negated.
TValue pattern is assumed to be a truth value with TRUE and FALSE being
legitimate values for the pattern. TRUE always matches an input
line while FALSE never matches an input line.
SEC 2.5.3 December 2009 8
sec(1) sec(1)
Note that since Pair and PairWithWindow rules have two pattern defini-
tions, special variables $<number> set by the first pattern are shad-
owed when the second pattern matches and sets the variables. In order
to access the shadowed variables, they must be referred to as %<number>
(e.g., instead of $1 one has to write %1). Also note that the second
pattern of Pair and PairWithWindow rules may contain $<number> vari-
ables, if the second pattern is of type SubStr, NSubStr, Regexp, or
NRegExp. The variables are substituted at runtime with the values set
by the first pattern.
CONTEXT EXPRESSIONS
Context expression is a logical expression that consists of context
names, Perl miniprograms, and Perl functions as operands; operands are
combined with operators ! (logical NOT), && (short-circuit logical
AND), || (short-circuit logical OR), and parentheses. Context expres-
sions are employed for activating or deactivating rules - normally, the
context expression is evaluated immediately after the pattern has
matched input line(s), and the rule will process the input line(s) only
if the expression evaluates TRUE.
If the operand contains the arrow (->), the text following the arrow is
considered to be a Perl function that will be compiled at SEC startup
by calling the Perl eval() function, and eval() must return a code ref-
erence for the operand to be valid (also see VARIABLES AND EVAL section
for more information). If any text precedes the arrow, it is consid-
ered to be the list of parameters for the function. Parameters are
separated by whitespace and may contain $<number> and %<number> special
variables. In order to evaluate the Perl function operand, the function
with its parameter list will be called in scalar context. If the return
value of the function is TRUE in boolean context, the truth value of
the operand is TRUE, otherwise its truth value is FALSE.
If the operand begins with the equal sign (=), the following text is
considered to be a Perl miniprogram. The miniprogram may contain $<num-
ber> and %<number> special variables. In order to evaluate the Perl
miniprogram operand, it will be executed by calling the Perl eval()
function in scalar context (also see VARIABLES AND EVAL section for
more information). If the return value of the miniprogram is TRUE in
boolean context, the truth value of the operand is TRUE, otherwise its
truth value is FALSE.
Note that since Perl functions, miniprograms, and parameter lists may
contain strings that clash with the operators of the context expression
(e.g., '!'), it is strongly recommended to enclose them in parentheses,
e.g.,
($1 $2) -> (sub { return ($_[0] != $_[1]); })
=({my($temp) = 0; return !$temp;})
If the operand is not a Perl function or program, it is considered to
be a context name. Context name may contain $<number> and %<number>
special variables. If the context name refers to an existing context,
the truth value of the operand is TRUE, otherwise its truth value is
SEC 2.5.3 December 2009 9
sec(1) sec(1)
FALSE.
If the whole context expression is enclosed in square brackets [ ],
e.g., [MYCONTEXT1 && !MYCONTEXT2], SEC evaluates the expression
_before_ pattern matching operation (normally the pattern is compared
with input line(s) first, so that $<number> and %<number> variables in
the context expression could be replaced with their values). Evaluating
context expression first could save CPU time when many of the input
lines are known to match the pattern but not the context expression,
and the expression does not contain any variables.
As an example, consider the following context expressions:
-> ( sub { my(@stat) = stat("/var/log/messages"); \
return (!scalar(@stat) || time() - $stat[9] > 3600); } )
($1 $2) -> (sub { return ($_[0] != $_[1]); }) && C1
!(C1 || C2) && =("$1" eq "myhost.mydomain")
The first expression is TRUE when the /var/log/messages file does not
exist or was last modified more than 1 hour ago. The second expression
is TRUE when variables $1 and $2 are numerically not equal and the con-
text C1 exists. The third expression is TRUE when contexts C1 and C2
do not exist and the $1 variable equals to the string "myhost.mydo-
main". Note that since && is a short-circuiting operation, the Perl
code of the third expression is not evaluated if C1 and/or C2 exist.
ACTION LISTS
Action list consists of action definitions that are separated by semi-
colons. Each action definition begins with a keyword specifying the
action type, followed by additional parameters. Additional parameters
that do not have a constant nature may contain $<number> and %<number>
special variables. Also, the following variables can be used in non-
constant parameters:
%s - event description string (set either by the desc or desc2 parame-
ter of the rule definition).
%t - textual timestamp (as returned by date(1)).
%u - numeric timestamp (as returned by time(2)).
%<alnum_name> - user-defined variables that can be set at SEC runtime
with certain actions like assign and eval (<alnum_name> must begin with
a letter and may contain letters, digits, and underscores). In order to
disambiguate <alnum_name> from the following text, <alnum_name> must be
enclosed in braces: %{<alnum_name>}.
In order to use semicolons inside a non-constant action parameter, the
parameter must be enclosed in parentheses (the outermost set of paren-
theses will be removed by SEC during configuration file parsing).
The following actions are supported:
none No action.
SEC 2.5.3 December 2009 10
sec(1) sec(1)
logonly [<event text>]
Event string <event text> is logged. If <event text> is omit-
ted, %s is assumed for its value.
write <filename> [<event text>]
Event string <event text> and terminating newline are written to
the file <filename> (<filename> may not contain spaces). File
may be a regular file, named pipe, or standard output if - was
specified. If the file is a regular file, <event text> is
appended to the end of the file. If the file does not exist, it
is created as a regular file before writing. If <event text> is
omitted, %s is assumed for its value. Though write can also be
expressed through the shellcmd action, write does not involve
fork(2) like shellcmd does.
shellcmd <shellcmd>
Shell command <shellcmd> is executed. If the -quoting option was
specified, %s will be converted to '%s' before supplying it to
shell command (see the -quoting and -noquoting options).
spawn <shellcmd>
Identical to the shellcmd action, except the following - every
line from the standard output of <shellcmd> is treated like SEC
input line and matched against the rules. This is done by
applying event 0 <line> to every line from standard output (see
the event action). Note that if <shellcmd> outputs a large data
set at once, SEC will process it all at once, so if <shellcmd>
enters an endless "busy write" loop, it will block SEC from
doing anything other than processing its output.
pipe '<event text>' [<shellcmd>]
Event string <event text> and terminating newline are fed to the
standard input of shell command <shellcmd> (apostrophes are used
to mark the beginning and end of <event text>, in order to dis-
tinguish it from <shellcmd>). If <event text> is omitted and
there is nothing between apostrophes, %s is assumed for <event
text>. If <shellcmd> is omitted, <event text> is written to
standard output.
create [<name> [<time> [<action list>] ] ]
Context with the name <name>, with the lifetime of <time> sec-
onds, and with empty event store is created (<name> may not con-
tain spaces, and <time> must evaluate to an unsigned integer at
runtime). If <name> is omitted, %s is assumed for its value.
Specifying 0 as <time> or omitting the value means infinite
lifetime. If <action list> is specified, it will be executed
when the context expires. If <action list> is made up of more
than one action, semicolons must be used to separate the
actions, and the list must be enclosed in parentheses. In
<action list>, the internal context name _THIS may be used for
referring to the context <name> (see INTERNAL EVENTS AND CON-
TEXTS section for a detailed discussion). If already existing
context is recreated with create, its lifetime will be extended
for <time> seconds, its action list will be reinitialized, and
SEC 2.5.3 December 2009 11
sec(1) sec(1)
its event store will be emptied.
delete [<name>]
Context with the name <name> is deleted (<name> may not contain
spaces). If <name> is omitted, %s is assumed for its value. If
non-existing context is deleted, no operation will be performed.
obsolete [<name>]
Behaves like delete, except the action list of the context
<name> (if the context has an action list) will be executed
before deletion.
set <name> <time> [<action list>]
Settings for the context with the name <name> will be changed
(<name> may not contain spaces, and <time> must evaluate to an
unsigned integer at runtime). New lifetime of the context will
be <time> seconds with optional <action list> to be executed
when the context expires. If <action list> is omitted, set will
not modify the action list of the context (note that prior to
SEC 2.5.3, the action list was cleared). Event store of the
context will not be altered by set. Specifying 0 as <time>
means infinite lifetime. If <action list> is made up of more
than one action, semicolons must be used to separate the
actions, and the list must be enclosed in parentheses. In
<action list>, the internal context name _THIS may be used for
referring to the context <name> (see INTERNAL EVENTS AND CON-
TEXTS section for a detailed discussion).
alias <name> [<alias>]
An alias name <alias> will be created for the context with the
name <name> (<name> and <alias> may not contain spaces). After
the name <alias> has been created for a context, the context can
be referred to by using both <alias> and <name>. If <alias> is
omitted, %s is assumed for its value. If context with the name
<name> does not exist, or the name <alias> already exists, the
alias will not be created. Internally, SEC does not distinguish
in any way between <alias> and <name> - they are both pointers
to the same context data structure. Therefore, it makes no dif-
ference whether context attributes (like lifetime, event store,
etc.) are changed by calling an action (e.g., set or add) for
<name> or <alias>. If the delete action is called for one of
the context names, the context data structure is destroyed, and
all context names (which are now pointers to unallocated memory)
are removed from the list of context names. Also note that if
the context expires, its action list is executed only once, no
matter how many names the context has.
unalias [<alias>]
Context name <alias> is removed from the list of context names,
so that the name <alias> can no longer be used to refer to the
context it was previously associated with (<alias> may not con-
tain spaces). If <alias> is omitted, %s is assumed for its
value. If unalias is called for non-existing context name, no
operation will be performed. If the name <alias> was the last
SEC 2.5.3 December 2009 12
sec(1) sec(1)
reference to a context, the unalias action behaves like delete
and the context will be deleted; otherwise the context will con-
tinue to exist under other name(s) with its event store and
other attributes intact.
add <name> [<event text>]
Event string <event text> is added to the event store of the
context <name> (<name> may not contain spaces). Events in the
store are ordered by the time they were added, and every add
appends event to the end of the store. If <event text> is omit-
ted, %s is assumed for its value. If context <name> does not
exist, the context will be created with an infinite lifetime,
empty action list and empty event store (as with create <name>)
before adding the event. If <event text> contains newlines, it
will be split into parts using the newline symbol as a delimiter
(as with Perl split(/\n/, $event)), and each part is added to
the event store as a separate event string.
fill <name> [<event text>]
Behaves like add, except the event store of the context <name>
will be emptied before <event text> is added.
report <name> [<shellcmd>]
Event store of the context <name> is reported with shell command
<shellcmd> (<name> may not contain spaces). Reporting means that
events from the store are fed to standard input of <shellcmd> in
the order they were added into the store, every event on a sepa-
rate line. If <shellcmd> is omitted, events from the store are
written to standard output.
copy <name> %<alnum_name>
Event store of the context <name> is assigned to a user-defined
variable %<alnum_name> (<name> may not contain spaces). Before
the assignment takes place, lines from the event store are
joined into a scalar using the newline character as the separa-
tor (as with Perl join("\n", @array)).
empty <name> [%<alnum_name>]
Behaves like copy, except the event store of the context <name>
will be emptied after it has been assigned to the variable
%<alnum_name>. If %<alnum_name> is omitted, empty simply removes
all lines from the event store.
event [<time>] [<event text>]
After <time> seconds a synthetic event <event text> is created
(<time> is an integer constant). SEC treats the <event text>
string exactly like line(s) read from input - it is inserted
into the input buffer in order to compare it with rules. If
<event text> is omitted, %s is assumed for its value. Specify-
ing 0 as <time> or omitting the value means now. If <event text>
contains newlines, it will be split into parts using the newline
symbol as a delimiter (as with Perl split(/\n/, $event)), and
each part is created as a separate synthetic event.
SEC 2.5.3 December 2009 13
sec(1) sec(1)
tevent <time> [<event text>]
Behaves like event, except <time> may contain variables and must
evaluate to an unsigned integer at runtime.
reset [<rule_number>] [<event text>]
Cancel event correlation operations that are currently detecting
the composite event <event text> (<rule_number> is a string con-
stant), i.e., SEC will terminate event correlation operations
that have <event text> in their keys as event description string
(if such operations exist, see RULES AND EVENT CORRELATION OPER-
ATIONS section for a detailed discussion). If there are multi-
ple configuration files specified, reset can cancel only those
correlation operations that have been started by the rules from
the same configuration file where the reset action itself is
defined. If <event text> is omitted, %s is assumed for its
value. Since correlation operations started by different rules
may detect composite events that have identical description
strings, rule number can be optionally specified to point to a
correlation operation that was started by a specific rule (1
means the first rule in the configuration file, 2 means the sec-
ond, etc.; 0 denotes the current rule). If + or - is prepended
to <rule_number>, it is considered to be an offset from the cur-
rent rule (e.g., -1 means the previous rule and +1 the next
rule). For example, if a rule definition with the reset action
is given in the configuration file named my.conf, then reset 1
Counting linkdown events will terminate the event correlation
operation with the key "my.conf | 0 | Counting linkdown events"
(note that internally the SEC rule IDs start from zero), while
reset Counting linkdown events will terminate event correlation
operations with keys "my.conf | X | Counting linkdown events",
where X runs from 0 to N-1 and N is the number of rules in the
configuration file my.conf. If no operation with a given key
exists, reset will take no action.
assign %<alnum_name> [<text>]
Text <text> is assigned to a user-defined variable
%<alnum_name>. If <text> is omitted, %s is assumed for its
value.
eval %<alnum_name> <code>
The parameter <code> is assumed to be a Perl miniprogram that
will be executed by calling the Perl eval() function in list
context. If the miniprogram returns a single value, it will be
assigned to the variable %<alnum_name>. If the miniprogram
returns several values, they will be joined into a scalar using
the newline character as a separator (as with Perl join("\n",
@array)), and the scalar will be assigned to the variable
%<alnum_name>. If no value is returned or eval() fails, no
assignment will take place. Note that before calling eval(),
$<number>, %<number>, and %<alnum_name> variables in the
miniprogram are replaced with their values and therefore can't
be used as lvalues. Since most Perl programs contain semicolons
which are also used by SEC as separators between actions, it is
recommended to enclose the <code> parameter in parentheses, in
SEC 2.5.3 December 2009 14
sec(1) sec(1)
order to avoid the inperpretation of semicolons inside the code
by SEC. Also see VARIABLES AND EVAL section for more informa-
tion.
call %<alnum_name1> %<alnum_name2> [<parameter list>]
The parameter %<alnum_name2> is assumed to be a reference to a
Perl function that was created previously with the eval action.
The function will be called in list context by passing optional
parameter list to the function (parameters are separated by
whitespace). If the function returns a single value, it will be
assigned to the variable %<alnum_name1>. If the function returns
several values, they will be joined into a scalar using the new-
line character as a separator (as with Perl join("\n", @array)),
and the scalar will be assigned to the variable %<alnum_name1>.
If no value is returned or %<alnum_name2> is not a code refer-
ence, no assignment will take place. Also see VARIABLES AND
EVAL section for more information.
Examples:
spawn /bin/tail -f /var/log/trapd.log
Follow the /var/log/trapd.log file and feed to SEC input all lines that
are appended to the file.
pipe '%t: $0' /bin/mail -s "alert message" root@localhost
Mail the timestamp and the value of the $0 variable to the local root.
add ftp_$1 $0; set ftp_$1 1800 (report ftp_$1 /bin/mail root@localhost)
Add the value of the $0 variable to the event store of the context
ftp_<the value of $1>. Also extend the context's lifetime for 30 min-
utes, so that when the context expires, its event store will be mailed
to the local root.
eval %funcptr ( sub { my(@buf) = split(/\n/, $_[0]); \
my(@ret) = grep(!/^#/, @buf); return @ret; } ); \
copy C1 %in; call %out %funcptr %in; fill C1 %out
Create a subroutine for weeding out comment lines from the input list,
and use this subroutine for removing comment lines from the event store
of the context C1.
OTHER ISSUES
As already noted, SEC context expressions and action lists may contain
parentheses which are used for grouping and masking purposes. When SEC
parses its configuration, it checks whether parentheses in context
expressions and action lists are balanced (i.e., whether each parenthe-
sis has a counterpart), since unbalanced parentheses introduce ambigu-
ity. This can cause SEC to reject some otherwise legitimate constructs,
e.g.,
action=eval %o (print ")";)
SEC 2.5.3 December 2009 15
sec(1) sec(1)
will be considered an invalid action list (however, note that
action=eval %o (print "()";)
would be passed by SEC, since now parentheses are balanced). In order
to avoid such unwanted behavior, each parenthesis without a counterpart
must be masked with a backslash (the backslash will be removed by SEC
during configuration file parsing), e.g.,
action=eval %o (print "\)";)
SINGLE RULE
The Single rule was designed for matching input events that require
immediate action to be taken. The rule definition has the following
parameters:
type fixed to Single (value is case insensitive, so single or sIngLe
can be used instead).
continue (optional)
TakeNext, DontCont or GoTo <label> (apart from <label>, values
are case insensitive). TakeNext specifies that search for match-
ing rules will continue after the match (i.e., input line(s)
that match pattern and context will be passed to the next rule);
DontCont will quit the search. GoTo <label> allows to continue
the search for matching rules, starting from the location of
<label> in the configuration file (<label> must be defined with
the label keyword anywhere in the configuration file _after_ the
current rule definition). If the continue keyword is missing
from the rule definition, DontCont is assumed.
ptype pattern type (value is case insensitive).
pattern
pattern.
context (optional)
context expression.
desc textual description of the detected event.
action action list that will be executed when the event is detected.
rem (optional, may appear more than once)
remarks and comments.
Note that context, desc, and action parameters may contain $<number>
variables.
Examples:
type=single
continue=takenext
ptype=regexp
SEC 2.5.3 December 2009 16
sec(1) sec(1)
pattern=ftpd\[(\d+)\]: \S+ \(ristov2.*FTP session opened
desc=ftp session opened for ristov2 pid $1
action=create ftp_$1
type=single
continue=takenext
ptype=regexp
pattern=ftpd\[(\d+)\]:
context=ftp_$1
desc=ftp session event for ristov2 pid $1
action=add ftp_$1 $0; set ftp_$1 1800 \
(report ftp_$1 /bin/mail root@localhost)
type=single
ptype=regexp
pattern=ftpd\[(\d+)\]: \S+ \(ristov2.*FTP session closed
desc=ftp session closed for ristov2 pid $1
action=report ftp_$1 /bin/mail root@localhost; \
delete ftp_$1
The first rule creates the context with the name ftp_<pid> when someone
connects from host ristov2 with ftp. The second rule adds all logfile
lines that are associated with the session <pid> to the event store of
the context ftp_<pid> (before adding a line, the rule checks if the
context exists). After adding a line, the rule extends context's life-
time for 30 minutes and sets the action list that will be executed when
the context expires. The third rule mails collected logfile lines to
root@localhost when the session <pid> is closed. Collected lines will
also be mailed when the session <pid> has been inactive for 30 minutes
(no logfile lines observed for that session).
Note that the logfile line that has matched the first rule will be
passed to the second rule and will become the first line in the event
store (the first rule has the continue parameter set to TakeNext). The
second rule has also its continue parameter set to TakeNext, since oth-
erwise no logfile lines would reach the third rule.
SINGLEWITHSCRIPT RULE
The SingleWithScript rule was designed to integrate external scripts
with the SEC event flow. The rule definition is similar to the Single
rule, except of the additional script parameter:
type fixed to SingleWithScript (value is case insensitive).
continue (optional)
TakeNext, DontCont or GoTo <label> (apart from <label>, values
are case insensitive).
ptype pattern type (value is case insensitive).
pattern
pattern.
SEC 2.5.3 December 2009 17
sec(1) sec(1)
context (optional)
context expression.
script script that is executed after pattern and context have matched
some input line(s). The names of all existing contexts are fed
to the standard input of the script, a name per line. If the
script returns zero for its exit value, action will be executed;
if the script returns non-zero, action2 will be executed (if
given).
desc textual description of the detected event.
action action list that will be executed when script returns zero for
its exit value.
action2 (optional)
action list that will be executed when script returns non-zero
for its exit value.
rem (optional, may appear more than once)
remarks and comments.
Note that context, script, desc, action, and action2 parameters may
contain $<number> variables.
Also note that since the runtime of the script that is specified by the
script parameter is not limited in any way, waiting for that script to
complete could freeze the entire event processing for an indefinite
amount of time. Therefore, once the pattern and context parameters have
matched input line(s), SEC does not wait for the script to complete but
rather continues its work. The exit value of the script will be fetched
when the script actually terminates, and depending on the exit value,
either action or action2 (if it exists) will be executed.
Examples:
type=SingleWithScript
ptype=RegExp
pattern=interface (\S+) down
script=/usr/local/scripts/ping.sh $1
desc=Interface $1 down
action=shellcmd /usr/local/scripts/notify.sh "%s"
When "interface <ipaddress> down" line appears in input, this rule acts
by calling
/usr/local/scripts/ping.sh <ipaddress>
and if the script returns 0 as its exit value, the rule calls
/usr/local/scripts/notify.sh "Interface <ipaddress> down"
(note also that SEC feeds the names of all existing contexts to the
standard input of the /usr/local/scripts/ping.sh script.)
SEC 2.5.3 December 2009 18
sec(1) sec(1)
SINGLEWITHSUPPRESS RULE
The SingleWithSuppress rule was designed to implement the event corre-
lation operation called compression, where multiple instances of event
A are reduced into a single event. The rule definition is similar to
the Single rule, except of the additional window parameter:
type fixed to SingleWithSuppress (value is case insensitive).
continue (optional)
TakeNext, DontCont or GoTo <label> (apart from <label>, values
are case insensitive).
ptype pattern type (value is case insensitive).
pattern
pattern for detecting event A.
context (optional)
context expression.
desc textual description of event A.
action action list that will be executed when event A is first
observed. Following instances of event A will be ignored.
window time in seconds that following events A are ignored for.
rem (optional, may appear more than once)
remarks and comments.
Note that context, desc, and action parameters may contain $<number>
variables.
Examples:
type=SingleWithSuppress
ptype=RegExp
pattern=(\S+): [fF]ile system full
desc=File system $1 full
action=shellcmd notify.sh "%s"
window=900
When "/usr: file system full" line appears in input, this rule starts a
correlation operation that calls
notify.sh "File system /usr full"
and ignores following such lines during the next 15 minutes.
Note that line "/tmp: file system full" would not be ignored, since SEC
identifies correlation operations by a key that contains event descrip-
tion string of the composite event (given by the desc parameter). Since
strings "/usr: file system full" and "/tmp: file system full" differ,
SEC will start another correlation operation for the latter (see RULES
SEC 2.5.3 December 2009 19
sec(1) sec(1)
AND EVENT CORRELATION OPERATIONS section for more information).
PAIR RULE
The Pair rule was designed to implement one of the basic forms of the
temporal relationship event correlation operation, where two or more
events A and B are reduced into event pair (A, B) inside a given time
window. The rule definition has the following parameters:
type fixed to Pair (value is case insensitive).
continue (optional)
TakeNext, DontCont or GoTo <label> (apart from <label>, values
are case insensitive). Specifies if input line(s) that match
pattern and context will be passed to the following rules.
ptype pattern type (value is case insensitive).
pattern
pattern for detecting event A.
context (optional)
context expression.
desc textual description of event A.
action action list that will be executed when event A is first
observed. Following instances of event A will be ignored.
continue2 (optional)
TakeNext, DontCont or GoTo <label> (apart from <label>, values
are case insensitive). Specifies if input line(s) that match
pattern2 and context2 will be passed to the following rules.
ptype2 pattern type (value is case insensitive).
pattern2
pattern for detecting event B.
context2 (optional)
context expression.
desc2 textual description of event B.
action2
action list that will be executed when event B is observed.
After executing action2 the event correlation operation termi-
nates.
window (optional)
time t in seconds that is allowed to elapse between the first
instance of event A and event B. If event B does not appear dur-
ing t seconds, then the correlation operation started by this
rule terminates. Specifying 0 as value or omitting the window
parameter means setting t to infinity (i.e., if event B does not
SEC 2.5.3 December 2009 20
sec(1) sec(1)
appear, event A will be ignored forever).
rem (optional, may appear more than once)
remarks and comments.
Note that context, desc, action, context2, desc2, and action2 parame-
ters may contain $<number> variables. The pattern2 parameter may con-
tain $<number> variables if ptype2 supports variable substitutions at
runtime. If pattern2 shadows the $<number> variables of pattern, then
context2, desc2, and action2 parameters may contain %<number> vari-
ables.
Examples:
type=Pair
ptype=RegExp
pattern=NFS server (\S+) not responding
desc=$1 is not responding
action=shellcmd notify.sh "%s"
ptype2=substr
pattern2=NFS server $1 ok
desc2=$1 OK
action2=shellcmd notify.sh "%s"
window=3600
When "NFS server fserv is not responding" line appears in input, the
correlation operation started by this rule calls
notify.sh "fserv is not responding"
and waits for the line "NFS server fserv ok" for 1 hour, ignoring all
"NFS server fserv is not responding" lines. When the line "NFS server
fserv ok" appears, the correlation operation executes the shell command
notify.sh "fserv OK"
and terminates. If time (1 hour) runs out, the correlation operation
will terminate without doing anything.
PAIRWITHWINDOW RULE
The PairWithWindow rule was designed to implement another variant of
the temporal relationship event correlation operation that checks if
event A will be followed by event B inside a given time window. The
rule definition has the following parameters:
type fixed to PairWithWindow (value is case insensitive).
continue (optional)
TakeNext, DontCont or GoTo <label> (apart from <label>, values
are case insensitive). Specifies if input line(s) that match
pattern and context will be passed to the following rules.
ptype pattern type (value is case insensitive).
SEC 2.5.3 December 2009 21
sec(1) sec(1)
pattern
pattern for detecting event A.
context (optional)
context expression.
desc textual description of event A.
action action list that is executed after event A was observed and
event B did not appear within the given time window.
continue2 (optional)
TakeNext, DontCont or GoTo <label> (apart from <label>, values
are case insensitive). Specifies if input line(s) that match
pattern2 and context2 will be passed to the following rules.
ptype2 pattern type (value is case insensitive).
pattern2
pattern for detecting event B.
context2 (optional)
context expression.
desc2 textual description of event B.
action2
action list that is executed after event A was observed and
event B appeared within the given time window. After executing
action2 the event correlation operation terminates.
window size of the time window in seconds.
rem (optional, may appear more than once)
remarks and comments.
Note that context, desc, action, context2, desc2, and action2 parame-
ters may contain $<number> variables. The pattern2 parameter may con-
tain $<number> variables if ptype2 supports variable substitutions at
runtime. If pattern2 shadows the $<number> variables of pattern, then
context2, desc2, and action2 parameters may contain %<number> vari-
ables.
Examples:
type=PairWithWindow
ptype=RegExp
pattern=node (\S+) interface (\S+) down
desc=$1 if $2 is down
action=shellcmd notify.sh "%s"
ptype2=SubStr
pattern2=node $1 interface $2 up
desc2=$1 if $2 short outage
action2=event
SEC 2.5.3 December 2009 22
sec(1) sec(1)
window=600
When "node fserv interface 192.168.1.1 down" line appears in input,
this rule starts a correlation operation that waits 10 minutes for
"node fserv interface 192.168.1.1 up" line, and if that line does not
arrive on time, the correlation operation executes the shell command
notify.sh "fserv if 192.168.1.1 is down"
and terminates. If the line arrives on time, the operation generates
event "fserv if 192.168.1.1 short outage" and terminates.
SINGLEWITHTHRESHOLD RULE
The SingleWithThreshold rule was designed to implement the counting
event correlation operation, where instances of event A are counted
inside a given time window and the number of events is compared with a
threshold value, in order to detect a composite event B. The rule def-
inition has the following parameters:
type fixed to SingleWithThreshold (value is case insensitive).
continue (optional)
TakeNext, DontCont or GoTo <label> (apart from <label>, values
are case insensitive).
ptype pattern type (value is case insensitive).
pattern
pattern for detecting event A.
context (optional)
context expression.
desc textual description of event B.
action action list that is executed when thresh instances of event A
have been observed within the given time window. After that all
events A will be ignored during the rest of the time window.
action2 (optional)
action list that is executed when the event correlation opera-
tion terminates, if action has been previously executed by the
operation.
window size of the time window in seconds. The window is sliding - if
event A has been observed less than thresh times at the end of
the window, the beginning of the window is moved to the occur-
rence time of the second instance of event A, and the counting
operation will continue. If there is no second instance of
event A (i.e., the event has been observed only once), the cor-
relation operation will terminate.
thresh threshold value.
SEC 2.5.3 December 2009 23
sec(1) sec(1)
rem (optional, may appear more than once)
remarks and comments.
Note that context, desc, and action parameters may contain $<number>
variables.
Examples:
type=SingleWithThreshold
ptype=RegExp
pattern=user (\S+) login failure on (\S+)
desc=Repeated login failures for user $1 on $2
action=shellcmd notify.sh "%s"
window=60
thresh=3
When line "user dbadmin login failure on tty1" is observed, the rule
starts a correlation operation that executes the shell command
notify.sh "Repeated login failures for user dbadmin on tty1"
if additional two such lines are observed within 1 minute. Following
"user dbadmin login failure on tty1" lines will be ignored by this rule
until 60 seconds have elapsed since the arrival of first line.
After changing the action parameter in the rule definition to
action=shellcmd notify.sh "%s"; reset 0 %s
the correlation operation will terminate itself after calling
notify.sh, and the next matching line will start a new counting opera-
tion.
SINGLEWITH2THRESHOLDS RULE
The SingleWith2Thresholds rule was designed to implement another vari-
ant of the counting event correlation operation, where instances of
event A are counted twice - first for checking if the threshold value
is exceeded (in order to detect a composite event B), and then for
checking if the number of instances will stay below the second thresh-
old value (in order to detect a composite event C). The rule defini-
tion has the following parameters:
type fixed to SingleWith2Thresholds (value is case insensitive).
continue (optional)
TakeNext, DontCont or GoTo <label> (apart from <label>, values
are case insensitive).
ptype pattern type (value is case insensitive).
pattern
pattern for detecting event A.
SEC 2.5.3 December 2009 24
sec(1) sec(1)
context (optional)
context expression.
desc textual description of event B.
action action list that is executed when thresh instances of event A
have been observed within the time window window. After that
event counting continues with the threshold value thresh2 and
time window window2.
window size of the first time window in seconds. The window is sliding.
thresh the first threshold value.
desc2 textual description of event C.
action2
action list that is executed if no more than thresh2 instances
of event A have been observed during the last window2 seconds.
After executing action2 the event correlation operation termi-
nates.
window2
size of the second time window in seconds. The window is slid-
ing.
thresh2
the second threshold value.
rem (optional, may appear more than once)
remarks and comments.
Note that context, desc, action, desc2, and action2 parameters may con-
tain $<number> variables.
Examples:
type=SingleWith2Thresholds
ptype=RegExp
pattern=(\S+): %SYS-3-CPUHOG
desc=router $1 CPU overload
action=shellcmd notify.sh "%s"
window=300
thresh=2
desc2=router $1 CPU load normal
action2=shellcmd notify.sh "%s"
window2=3600
thresh2=0
When SYS-3-CPUHOG syslog message is received from a router, the rule
starts a counting operation that executes the shell command
notify.sh "router <routername> CPU overload"
SEC 2.5.3 December 2009 25
sec(1) sec(1)
if additional SYS-3-CPUHOG syslog message is received from the router
within 5 minutes. After that the correlation operation waits until no
SYS-3-CPUHOG syslog messages have been received from the router during
the last 1 hour, and then executes
notify.sh "router <routername> CPU load normal"
SUPPRESS RULE
The Suppress rule was designed to implement event suppression and fil-
tering, where matching events are kept from being processed by later
rules in the same configuration file. The rule definition has the fol-
lowing parameters:
type fixed to Suppress (value is case insensitive).
ptype pattern type (value is case insensitive).
pattern
pattern for detecting event A (or its subclass) that must be
suppressed (or filtered out).
context (optional)
context expression.
desc (optional)
textual description of this rule.
rem (optional, may appear more than once)
remarks and comments.
Note that the context parameter may contain $<number> variables.
Examples:
type=Suppress
ptype=RegExp
pattern=[Ff]ile system full
context=mycontext
type=Suppress
ptype=RegExp
pattern=/dev/vg01/\S+: [Ff]ile system full
The first rule suppresses all "file system full" events if the context
mycontext is present. The second rule filters out all "file system
full" events that concern the volume group vg01.
CALENDAR RULE
The Calendar rule was designed for executing actions at specific times.
Unlike all other rules, this rule reacts only to the system clock,
ignoring other input. The rule definition has the following parameters:
type fixed to Calendar (value is case insensitive).
SEC 2.5.3 December 2009 26
sec(1) sec(1)
time crontab-style time specification (see crontab(1) for more infor-
mation). Time specification consists of five fields separated by
whitespace characters. First field denotes minutes (allowed val-
ues 0-59), second field hours (allowed values 0-23), third field
days (allowed values 0-31, 0 denotes the last day of the month),
fourth field months (allowed values 1-12), and fifth field week-
days (allowed values 0-7, 0 and 7 denote Sunday). Asterisks (*),
ranges of numbers (e.g., 8-11), and lists (e.g., 2,5,7-9) are
allowed as field values. Asterisks and ranges may be augmented
with step values (e.g., 47-55/2 means 47,49,51,53,55). There is
one important difference from crontab-style time specification -
the day and weekday field must always both match the current
time for the action to be executed.
context (optional)
context expression.
desc event description string.
action action list to be executed.
rem (optional, may appear more than once)
remarks and comments.
Examples:
type=Calendar
time=0 23 * * *
desc=NightContext
action=create %s 32400
This rule creates the context NightContext every day at 11PM. Context
has a lifetime of 9 hours.
type=Calendar
time=0 1 25-31 10 7
desc=end of DST
action=shellcmd dstend.sh
This rule executes dstend.sh on last Sunday in October, 1 AM.
JUMP RULE
The Jump rule was designed for submitting matching events to specific
ruleset(s) for further processing. This rule works as follows - if the
input buffer matches the rule, SEC continues the search for matching
rules in configuration file set(s) given with the cfset parameter.
Rules from one file are tried sequentially in the order of their
appearance; rule sequences from different files are used virtually in
parallel. The rule definition has the following parameters:
type fixed to Jump (value is case insensitive).
continue (optional)
TakeNext, DontCont or GoTo <label> (apart from <label>, values
SEC 2.5.3 December 2009 27
sec(1) sec(1)
are case insensitive).
ptype pattern type (value is case insensitive).
pattern
pattern for detecting events that are submitted for further pro-
cessing.
context (optional)
context expression.
cfset (optional)
configuration file set names that are separated by whitespace.
Configuration file sets can be created with the Options rule
(see its joincfset parameter), with each set containing at least
one configuration file. If more that one set name is given,
sets are processed from left to right; a matching rule in one
set doesn't prevent SEC from processing the following sets.
constset (optional)
Yes or No (values are case insensitive). Yes means that the set
names given with the cfset parameter are constants; No means
that SEC will search the names for $<number> special variables
after a match and substitute them with their current values. If
the constset parameter is missing from the rule definition, Yes
is assumed.
desc (optional)
textual description of this rule.
rem (optional, may appear more than once)
remarks and comments.
Note that context and cfset parameters may contain $<number> variables
(in the latter case, the variables will be replaced with their values
only if constset is set to No). If the cfset parameter is omitted and
continue is set to GoTo, the Jump rule can be used for skipping rules
inside the current configuration file; if both cfset and continue are
omitted, Jump is identical to Suppress.
Examples:
type=Jump
ptype=RegExp
pattern=sshd\[\d+\]:
cfset=sshd-rules auth-rules
When an sshd syslog message appears in input, rules from configuration
files of the set sshd-rules are first used for matching the message,
and then rules from the configuration file set auth-rules are tried.
OPTIONS RULE
The Options rule was designed for setting processing options for the
ruleset in the current configuration file. If more than one Options
SEC 2.5.3 December 2009 28
sec(1) sec(1)
rule is present in the configuration file, the last instance overrides
all previous instances. Note that the Options rule is only processed
when SEC (re)starts and reads in the configuration file. Since this
rule is not applied at runtime, it can never match events, react to the
system clock, or start event correlation operations. The rule defini-
tion has the following parameters:
type fixed to Options (value is case insensitive).
joincfset (optional)
configuration file set names that are separated by whitespace.
The ruleset in the current configuration file is added to every
set in the list of names. If a set doesn't exist, it will be
created and the current configuration file becomes its first
member.
procallin (optional)
Yes or No (values are case insensitive). Yes means that the
ruleset in the current configuration file is used for processing
all input; No means that the ruleset in the current configura-
tion file is used for processing input from Jump rules only. If
the Options rule is not present in the configuration file or the
procallin parameter is missing from the rule definition, Yes is
assumed.
rem (optional, may appear more than once)
remarks and comments.
Examples:
type=Options
joincfset=sshd-rules
procallin=no
type=Options
joincfset=linux solaris
The first rule adds the current configuration file to the set sshd-
rules which is used for matching input from Jump rules only. The sec-
ond rule adds the current configuration file to sets linux and solaris
which are used for matching all input. Note that if these two rules
appear in the same configuration file, the second rule will override
the first.
RULES AND EVENT CORRELATION OPERATIONS
Although each event correlation operation is started by a SEC rule,
there is no one-to-one relationship between rules and event correlation
operations, since one rule could start several event correlation opera-
tions that run simultaneously. In order to distinguish one event corre-
lation operation from another, SEC assigns a key to every operation
that is composed from the rule file name, the rule ID, and the event
description string that is derived from the desc parameter of the rule
definition (by replacing variables with their values).
SEC 2.5.3 December 2009 29
sec(1) sec(1)
Suppose you have a configuration file my.conf with one rule in it:
type=SingleWithThreshold
ptype=RegExp
pattern=user (\S+) login failure on (\S+)
desc=Repeated login failures for user $1 on $2
action=shellcmd notify.sh "%s"
window=60
thresh=3
Suppose that SEC observes an input line "user admin login failure on
tty1". This matches the pattern 'user (\S+) login failure on (\S+)',
and after replacing $1 and $2 with their values, the desc parameter
will yield "Repeated login failures for user admin on tty1". SEC will
then form a key for the event correlation operation, using the configu-
ration file name, the rule ID, and the event description string:
my.conf | 0 | Repeated login failures for user admin on tty1
Since the rule was the first one in the configuration file, its ID is
0. The ID for the second rule would be 1, for the third rule 2, etc.
Note that because the configuration file name and the rule ID are pre-
sent in the keys, event correlation operations started by different
rules will not clash, even if the rules have identical values for the
desc parameter.
After calculating the key, SEC will check if there already is an event
correlation operation with that key. If such operation exists, the
input line will be correlated by the existing operation. Otherwise, a
new event correlation operation will be started.
By using appropriate event description string definitions, you can
change the scope of individual event correlation operations. For
instance, if you use "Repeated login failures for user $1" for the desc
parameter in the above rule definition, the following three lines will
now be correlated by the same event correlation operation:
user admin login failure on tty1
user admin login failure on tty5
user admin login failure on tty2
In other words, SEC will now just count login failures for different
users, disregarding terminal names.
Finally, it should be noted that Single, SingleWithScript, Suppress,
Calendar, and Jump rules never start event correlation operations,
since they don't involve the matching of several events over a certain
time window (i.e., their design allows them to complete their work
almost immediately without starting an event correlation operation).
Therefore, the desc parameter of these rules does not influence the
number and the scope of event correlation operations.
TIMING
There are several kinds of events that SEC reacts to - changes in input
SEC 2.5.3 December 2009 30
sec(1) sec(1)
files (e.g., appearance of new data), reception of a signal, status
change of a child process, and time related events (e.g., context expi-
ration).
When new data appear in SEC input files, only one line will be read at
a time (even when more lines are available), after which the input
buffer is updated with the line that was read. Input buffer contains
the last N lines from the SEC input, in the order they were read (the
value of N can be set with the -bufsize option). Updating the input
buffer means that the last element (the oldest line) is removed from
the end of the buffer, while the new line becomes the first element of
the buffer. Note that when synthetic events have been created with the
event action and new input data are also available in input files, syn-
thetic events are always read first by SEC. After no more such events
are available for reading, SEC will read new data from input files.
After the buffer has been updated (every update always adds only one
and removes only one line), the rules from configuration files are pro-
cessed, matching the rules against the new content of the input buffer.
Even when a rule matches and its action list suggests an immediate
change in the buffer (e.g., through the event action), the input buffer
will _not_ be updated until all the rules have been compared with the
current content of the buffer.
Rules from the same configuration file are compared with the input
buffer in the order they were given in that file. When multiple con-
figuration files have been specified, each file containing a distinct
ruleset, events are processed virtually in parallel - the buffer is
always processed by all rulesets. However, the order the rulesets are
applied during event processing is determined by the order the files
were given at SEC command line. If a -conf option specifies a pattern,
SEC uses the Perl glob() function to expand the pattern, and the
resulting file list is applied by SEC in the order returned by glob().
E.g., if glob() returns filenames in ascending ASCII order, you have
specified -conf options in the following way:
-conf=/home/risto/*.conf -conf=/home/risto/*.conf2
and directory /home/risto contains files A.conf, B.conf2, and C.conf,
then SEC applies these ruleset files in the following order: A.conf,
C.conf, and B.conf2. Also, note that even if A.conf contains a Suppress
rule for a particular event, the event is still processed by rulesets
in C.conf and B.conf2. However, if you want to enforce a fixed order
for ruleset file application in a portable way, it is recommended to
create a unique set for each file with the Options rule, and employ the
Jump rule for defining the processing order for sets, e.g.:
# This rule appears in A.conf
type=Options
joincfset=FileA
procallin=no
# This rule appears in B.conf2
type=Options
SEC 2.5.3 December 2009 31
sec(1) sec(1)
joincfset=FileB
procallin=no
# This rule appears in C.conf
type=Options
joincfset=FileC
procallin=no
# This rule appears in main.conf
type=Jump
ptype=TValue
pattern=TRUE
cfset=FileA FileC FileB
After the input buffer has been updated and its content has been pro-
cessed by the rules, SEC handles the signals that have been received
since the last check, and also reads possible output from its child
processes. When the timeout specified with the -cleantime option has
expired, SEC also checks the contexts and the event correlation opera-
tions that have timers associated with them (e.g., SingleWithSuppress
and PairWithWindow rules). This means that the value of -cleantime
should be relatively small, in order to keep the event correlation
operations accurate. By setting the -cleantime option value to 0, SEC
will check the event correlation timers after processing every line,
but this will consume more CPU time. The higher the value, the less CPU
time will be consumed, so the value of the -cleantime option depends on
your requirements. Note that if the -poll_timeout option value exceeds
the value given with -cleantime, the -poll_timeout option value takes
precedence (i.e., sleeps after unsuccessful polls will not be short-
ened).
INTERNAL EVENTS AND CONTEXTS
In the action list of a context, the context can also be referred with
the internal context name _THIS. The name _THIS is created and deleted
dynamically by SEC and it points to the context only during its action
list execution. This feature is useful when the context has had sev-
eral names during its lifetime (created with the alias action), and it
is hard to determine which names exist when the context expires. For
example, if the context is created with create A 60 (report A /bin/mail
root) which is immediately followed by alias A B and unalias A, the
report action will fail since the name A no longer refers to the con-
text. However, replacing the first action with create A 60 (report
_THIS /bin/mail root) will produce the correct result.
If the -intevents command line option is given, SEC will generate
internal events when it is started up, when it receives certain sig-
nals, and when it terminates normally. Inside SEC, internal event is
treated as if it was a line that was read from a SEC input file. Spe-
cific rules can be written to match internal events, in order to take
some action (e.g., start an external event correlation module with
spawn when SEC starts up). The following internal events are supported:
SEC_STARTUP - generated when SEC is started (once the -intevents option
has been given, this event will always be the first event that SEC
SEC 2.5.3 December 2009 32
sec(1) sec(1)
observes)
SEC_RESTART - generated after SEC has received the SIGHUP signal and
all internal data structures have been cleared (this event will be the
first event that SEC observes after reloading its configuration)
SEC_SOFTRESTART - generated after SEC has received the SIGABRT signal
(this event will be the first event that SEC observes after reloading
its configuration)
SEC_SHUTDOWN - generated when SEC receives the SIGTERM signal, or when
SEC reaches all EOFs of input files after being started with the
-notail option. After generating SEC_SHUTDOWN event, SEC will sleep for
3 seconds before sending SIGTERM to its child processes (if there are
any child processes that were started by SEC_SHUTDOWN, the processes
will have enough time to set a signal handler for SIGTERM if needed).
Right before generating an internal event, SEC will also set up a con-
text named SEC_INTERNAL_EVENT, in order to distinguish between true
internal events and coincidents that look like internal events. The
SEC_INTERNAL_EVENT context will be deleted immediately after the inter-
nal event has been processed by all rules.
If the -intcontexts command line option is given, or there is an -input
option with a context specified, SEC will create an internal context
each time a line is read from an input file, or a line is read that was
created with the event action. The internal context will be deleted
immediately after the line has been matched against all rules. For all
input files that have the context name explicitly set with -input=<file
pattern>=<context>, the name of the internal context is <context>. If
the line was read from the input file <filename> for which there is no
context name set, the name of the internal context is
_FILE_EVENT_<filename>. If the line was created with the event action,
the name of the internal context is _INTERNAL_EVENT. This will help the
end user to write rules that will match data from one particular input
source only, e.g., the rule
type=Suppress
ptype=TValue
pattern=TRUE
context=[!_FILE_EVENT_/dev/logpipe]
will pass to the following rules only those lines that were read from
/dev/logpipe.
INTERPROCESS COMMUNICATION
The shellcmd, spawn, pipe, and report actions involve the creation of a
child process. The communication between SEC and its child processes
takes place through pipes (created with Perl pipe opens like open(FH,
"| mycommand") or pipe(2) system call). Note that the running time of
children is not limited in any way, so long-running processes can be
started from SEC. For instance, one could start a SEC agent with the
spawn action that runs forever and provides SEC with additional input
events. However, note that SEC sends the SIGTERM signal to all its
SEC 2.5.3 December 2009 33
sec(1) sec(1)
children before termination. If some special exit procedures need to
be carried out in the child process (or the child wishes to ignore
SIGTERM), then the child must install a handler for the SIGTERM signal.
Note that if a rule definition includes two shellcmd actions (or other
actions that call external scripts or programs), the order that these
scripts or programs are executed is not determined. For instance, with
the following action definition
action=shellcmd cmd1; shellcmd cmd2
cmd2 could well terminate before cmd1, or cmd2 could well start before
cmd1 (e.g., when cmd1 is a complex command line and cmd2 is relatively
simple, it takes more time from the shell to process and start cmd1
than cmd2).
VARIABLES AND EVAL
There are two kinds of variables that can be used in SEC rule defini-
tions - $<number> and %<number> variables that are set during pattern
matching, and %<alnum_name> variables (like %s, %t, and %u) that have
been designed for use in action lists. All $<number> and %<number>
variables will be substituted with their values immediately after input
line(s) have matched the rule, even when they are part of the action
list definition and this action list is going to be executed at a later
time. %<alnum_name> variables, in turn, will be substituted with their
values right before the action list is actually executed. If a vari-
able does not have a value (e.g., $4 when the pattern returned just two
values), it will be left intact, i.e., it is not replaced with an empty
string. Also, the values are substituted as strings, therefore substi-
tuting values of other types (e.g., references) will not work, unless
explicitly noted otherwise (e.g., the function reference in the call
action).
In order to mask the variables, an extra $ or % must be prepended to
them, e.g., $$1 yields $1, and not a dollar sign followed by the first
value returned by the pattern. Also, all occurrences of $$ will be con-
verted to $ when $<number> variables are substituted, and all occur-
rences of %% will be converted to % when %<number> or %<alnum_name>
variables are substituted, so that one could use $ or % together with
variable names (e.g., $$$1 will yield a dollar sign that is followed by
the first value returned by the pattern).
Please note the following caveat for Pair and PairWithWindow rules when
the second pattern shadows the $<number> variables of the first pattern
- since both %<number> and %<alnum_name> variables may be used in the
second action list and %<number> variables are substituted first (at
the moment when the first pattern matches input line(s) and the event
correlation operation is started), all occurrences of %% in the second
action list have already been replaced with a single percent sign by
the time when %<alnum_name> variables are finally substituted. (E.g.,
in order to express %%t in the second action list, one must actually
write it as %%%%t or %%%t, since after %% to % conversion they both
yield %%t.)
SEC 2.5.3 December 2009 34
sec(1) sec(1)
SEC allows the user to define patterns, context expressions, and
actions which involve calls to the Perl eval() function. In addition to
explicitly using %<alnum_name> variables that are global across the
rules, the user can implicitly employ Perl variables created with
eval() for the same purpose. E.g., when SEC has executed the following
action
action=eval %a ($b = 1)
the variable $b and its value will become visible in the following con-
text expression
context= =(++$b > 10)
(with that expression one can implement event counting implicitly). In
order to avoid possible clashes with the variables inside the SEC code
itself, all calls for eval() are made in the main::SEC namespace (i.e.,
inside the special package main::SEC). This still leaves the user with
an opportunity to set the variables within the SEC code (e.g., by using
the main:: prefix), and thus to alter the behavior of SEC, but this is
only recommended for advanced users who have studied the code thor-
oughly and know what they are doing.
EXAMPLES
Example 1
Consider the following rules:
type=single
continue=takenext
ptype=regexp
pattern=ftpd\[(\d+)\]: \S+ \(ristov2.*FTP session opened
desc=ftp session opened for ristov2 pid $1
action=create ftp_$1
type=single
continue=takenext
ptype=regexp
pattern=ftpd\[(\d+)\]:
context=ftp_$1
desc=ftp session event for ristov2 pid $1
action=add ftp_$1 $0; set ftp_$1 1800 \
(report ftp_$1 /bin/mail root@localhost)
type=single
ptype=regexp
pattern=ftpd\[(\d+)\]: \S+ \(ristov2.*FTP session closed
desc=ftp session closed for ristov2 pid $1
action=report ftp_$1 /bin/mail root@localhost; \
delete ftp_$1
The first rule creates the context with the name ftp_<pid> when someone
connects from host ristov2 with ftp. The second rule adds all logfile
lines that are associated with the session <pid> to the event store of
the context ftp_<pid> (before adding a line, the rule checks if the
SEC 2.5.3 December 2009 35
sec(1) sec(1)
context exists). After adding a line, the rule extends context's life-
time for 30 minutes and sets the action list that will be executed when
the context expires. The third rule mails collected logfile lines to
root@localhost when the session <pid> is closed. Collected lines will
also be mailed when the session <pid> has been inactive for 30 minutes
(no logfile lines observed for that session).
Note that the logfile line that has matched the first rule will be
passed to the second rule and will become the first line in the event
store (the first rule has the continue parameter set to TakeNext). The
second rule has also its continue parameter set to TakeNext, since oth-
erwise no logfile lines would reach the third rule.
Example 2
Suppose there is a backup job in your system that runs at 2AM every
night and logs "BACKUP READY" message when it has completed its work.
You want to send an SNMP trap if there is no message in the log by
2:15AM.
type=Calendar
time=59 1 * * *
desc=WAITING FOR BACKUP
action=event %s
type=PairWithWindow
ptype=SubStr
pattern=WAITING FOR BACKUP
desc=Backup not ready!
action=shellcmd sendtrap.sh "%s"
ptype2=SubStr
pattern2=BACKUP READY
desc2=Backup ready
action2=none
window=960
The first rule generates "WAITING FOR BACKUP" event every night at
1:59AM. This event is matched by the second rule, which starts a cor-
relation operation that will wait for "BACKUP READY" event for the next
16 minutes. If the event arrives on time, no action is executed, oth-
erwise
sendtrap.sh "Backup not ready!"
is called.
Example 3
Consider the following rules:
type=SingleWithScript
ptype=RegExp
pattern=node (\S+) interface (\S+) down
script=not_resp.sh $2
desc=NODE $1 IF $2 DOWN
action=event %s
SEC 2.5.3 December 2009 36
sec(1) sec(1)
type=Pair
ptype=RegExp
pattern=NODE (\S+) IF (\S+) DOWN
desc=Interface $2 is down at node $1
action=shellcmd notify.sh "%s"
ptype2=SubStr
pattern2=node $1 interface $2 up
desc2=Interface $2 is up at node $1
action2=shellcmd notify.sh "%s"
window=86400
If "node <node> interface <interface> down" event is observed, the
interface is checked with the not_resp.sh script. If the interface is
found to be down (not_resp.sh returns 0 as its exit code), event "NODE
<node> IF <interface> DOWN" is generated which will be matched by the
second rule. The second rule starts a correlation operation that calls
notify.sh "Interface <interface> is down at node <node>"
and then waits for the "node <node> interface <interface> up" event for
the next 24 hours. When that event is observed, the correlation opera-
tion calls
notify.sh "Interface <interface> is up at node <node>"
and terminates.
Example 4
Suppose you have a disk box that logs following error messages:
Description of Error:
Disk drive (CRU: A1) has failed and can no longer be accessed. (SP
Event Code 0xA07)
Probable Cause / Recommended Action:
Replace the disk module (CRU: A1).
You would like to receive an e-mail message if something happens to the
disk box. You would like to use different e-mail address at night-time
and also receive a report of all night events. The problem here is that
useful information is scattered over 7 lines and needs to be consoli-
dated into a single event. Consider the following rules for accomplish-
ing this task:
type=Calendar
time=0 22 * * *
desc=night
action=create %s 36000 \
(report %s /bin/mail root@localhost)
type=Single
ptype=RegExp7
SEC 2.5.3 December 2009 37
sec(1) sec(1)
pattern=Description of Error:\n.*\n(.+)\n.*\n.*\n.*\n(.+)
context=night
desc=Error=$1 Recmnd=$2
action=shellcmd nightalarm.sh "%s"; add night %s
type=Single
ptype=RegExp7
pattern=Description of Error:\n.*\n(.+)\n.*\n.*\n.*\n(.+)
desc=Error=$1 Recmnd=$2
action=shellcmd alarm.sh "%s"
The first rule creates the context night with the lifetime of 10 hours
every day at 10PM. The second rule specifies that the script nighta-
larm.sh must be used for sending alert messages at nights, otherwise
the script alarm.sh should be used. Every night-time event is added to
the context night, and collected events will be mailed to root@local-
host at 8AM.
Example 5
This section presents an example rulebase for managing Cisco devices.
It is assumed that the managed devices have syslog(3)-style logging
enabled, and that all syslog messages are sent to a central host and
written to logfile(s) that are monitored by SEC.
# Set up contexts NIGHT and WEEKEND for nights
# and weekends. The context NIGHT has a lifetime
# of 8 hours and the context WEEKEND 2 days
type=Calendar
time=0 23 * * *
desc=NIGHT
action=create %s 28800
type=Calendar
time=0 0 * * 6
desc=WEEKEND
action=create %s 172800
# If a router does not come up within 5 minutes
# after it was rebooted, generate event
# "<router> REBOOT FAILURE". The next rule matches
# this event, checks the router with ping and sends
# a notification if there is no response.
type=PairWithWindow
ptype=RegExp
pattern=(\S+) \d+: %SYS-5-RELOAD
desc=$1 REBOOT FAILURE
action=event %s
ptype2=RegExp
pattern2=($1) \d+: %SYS-5-RESTART
desc2=$1 successful reboot
action2=logonly
window=300
SEC 2.5.3 December 2009 38
sec(1) sec(1)
type=SingleWithScript
ptype=RegExp
pattern=(\S+) REBOOT FAILURE
script=not_responding.sh $1
desc=$1 did not come up after reboot
action=shellcmd notify.sh "%s"
# Send a notification if CPU load of a router is too
# high (two CPUHOG messages are received within 5
# minutes); send another notification if the load is
# normal again (no CPUHOG messages within last 15
# minutes). Rule is not applied at night or weekend.
type=SingleWith2Thresholds
ptype=RegExp
pattern=(\S+) \d+: %SYS-3-CPUHOG
context=!(NIGHT || WEEKEND)
desc=$1 CPU overload
action=shellcmd notify.sh "%s"
window=300
thresh=2
desc2=$1 CPU load normal
action2=shellcmd notify.sh "%s"
window2=900
thresh2=0
# If a router interface is in down state for less
# than 15 seconds, generate event
# "<router> INTERFACE <interface> SHORT OUTAGE";
# otherwise generate event
# "<router> INTERFACE <interface> DOWN".
type=PairWithWindow
ptype=RegExp
pattern=(\S+) \d+: %LINK-3-UPDOWN: Interface (.+), changed state to
down
desc=$1 INTERFACE $2 DOWN
action=event %s
ptype2=RegExp
pattern2=($1) \d+: %LINK-3-UPDOWN: Interface ($2), changed state to up
desc2=$1 INTERFACE $2 SHORT OUTAGE
action2=event %s
window=15
# If "<router> INTERFACE <interface> DOWN" event is
# received from the previous rule, send a notification and
# wait for "interface up" event for the next 24 hours
type=Pair
ptype=RegExp
pattern=(\S+) INTERFACE (\S+) DOWN
desc=$1 interface $2 is down
action=shellcmd notify.sh "%s"
ptype2=RegExp
SEC 2.5.3 December 2009 39
sec(1) sec(1)
pattern2=($1) \d+: %LINK-3-UPDOWN: Interface ($2), changed state to up
desc2=$1 interface $2 is up
action2=shellcmd notify.sh "%s"
window=86400
# If ten "short outage" events have been observed
# in the window of 6 hours, send a notification
type=SingleWithThreshold
ptype=RegExp
pattern=(\S+) INTERFACE (\S+) SHORT OUTAGE
desc=Interface $2 at node $1 is unstable
action=shellcmd notify.sh "%s"
window=21600
thresh=10
ENVIRONMENT
If the SECRC environment variable is set, SEC expects it to contain the
name of its resource file. Resource file lines which are empty or which
begin with # (whitespace may precede #) are ignored; other lines must
contain SEC command line options, with each option on a separate line
and the equal sign (=) as a separator between the option name and the
option value. When SEC reads the resource file, each non-empty and
non-comment line is considered a single option and is pushed into the
@ARGV array as a single element. Note that although SEC re-reads its
resource file at the reception of the SIGHUP or SIGABRT signal, adding
an option that specifies a certain startup procedure (e.g., -pid or
-detach) will not produce the desired effect at runtime.
SIGNALS
SIGHUP SEC will reopen its log and input files, reload its configura-
tion, and reset internal lists that contain correlation informa-
tion (i.e., all active event correlation operations will be can-
celled, all contexts will be deleted, and all user-defined vari-
ables will lose their values). SEC will also send the SIGTERM
signal to its child processes.
SIGABRT
SEC will reopen its log and input files, and load its configura-
tion from rule files which have been modified (file modification
time returned by stat(2) has changed) or created after the pre-
vious configuration load. SEC will also cancel event correla-
tion operations started from rule files that have been modified
or removed after the previous configuration load. Other opera-
tions and other event correlation entities (contexts, variables,
child processes, etc.) will remain intact. Note that on some
systems SIGIOT is used in place of SIGABRT.
SIGUSR1
some information about the current state of SEC (content of
internal lists, rule usage statistics, etc.) will be written to
the SEC dumpfile.
SEC 2.5.3 December 2009 40
sec(1) sec(1)
SIGUSR2
SEC will reopen its logfile (useful for logfile rotation).
SIGINT SEC will increase its logging level by one; if the current level
is 6, the level will be set back to 1. Please note this feature
is available only if SEC standard input is not connected to a
terminal (e.g., in daemon mode).
SIGTERM
SEC will terminate gracefully (all SEC child processes will
receive SIGTERM).
AUTHOR
Risto Vaarandi (ristov at users d0t s0urcef0rge d0t net)
SEE ALSO
crontab(1), date(1), fork(2), logsurfer(1), perl(1), perlre(1),
pipe(2), snmpnotify(1), snmptrap(1), stat(2), syslog(3), time(2)
SEC 2.5.3 December 2009 41
|
