SEC – simple event correlator

Introduction

SEC is a tool for accomplishing event correlation tasks in the domains of log analysis, system monitoring, network and security management, etc. Event correlation is a procedure where a stream of events is processed, in order to detect (and act on) certain event groups that occur within predefined time windows. Unlike most other event correlation products which are heavyweight solutions, SEC is a lightweight and platform-independent event correlator which runs as a single process.

SEC reads lines from files, named pipes, or standard input, matches the lines with patterns (like regular expressions or Perl subroutines) for recognizing input events, and correlates events according to the rules in its configuration file(s). SEC can produce output by executing external programs (e.g., snmptrap or mail), by writing to files, by calling precompiled Perl subroutines, etc.
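As an added illustration of the correlation described above (this ruleset is not from the SEC distribution or its documentation), the following configuration watches OpenSSH syslog messages, counts failed logins per client address, and then correlates a subsequent successful login from the same address. The log lines shown in the comments, the addresses and the user names are constructed; the rule keywords (SingleWithThreshold, Pair, event, write) are standard SEC syntax.

```ini
# Added example ruleset (not part of SEC itself). It assumes OpenSSH
# authentication messages in the usual syslog form; host names, addresses
# and user names are constructed.
#
# Constructed sample input this ruleset reacts to:
#   Mar  3 10:01:02 bastion sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51312 ssh2
#   Mar  3 10:01:05 bastion sshd[4021]: Failed password for root from 203.0.113.7 port 51320 ssh2
#   Mar  3 10:04:41 bastion sshd[4102]: Accepted password for deploy from 203.0.113.7 port 51377 ssh2

# Rule 1: count failed logins per client address. When five or more arrive
# within 60 seconds, write an alert and feed a synthetic SSH_BRUTE_FORCE event
# back into SEC's input so that later rules can correlate on it. The desc
# field is the key of the correlation operation, so every source address
# ($2) gets its own counter and window.
type=SingleWithThreshold
ptype=RegExp
pattern=sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+
desc=SSH failed logins from $2
action=write - ALERT: at least 5 failed SSH logins from $2 within 60 seconds; event 0 SSH_BRUTE_FORCE $2
window=60
thresh=5

# Rule 2: once a brute-force event for an address has been seen, watch for a
# successful login from that same address during the next 10 minutes. The
# address matched by pattern is substituted into pattern2 as $1 and captured
# again there, so desc2 and action2 can refer to the user as $1 and to the
# address as $2. If no such login arrives before the window expires, the
# operation ends silently.
type=Pair
ptype=RegExp
pattern=^SSH_BRUTE_FORCE (\S+)$
desc=Watching $1 for a successful login after brute force
action=none
ptype2=RegExp
pattern2=sshd\[\d+\]: Accepted \S+ for (\S+) from ($1) port \d+
desc2=Successful SSH login for $1 from $2 after brute force
action2=write - ALERT: successful SSH login for user $1 from $2 within 10 minutes of a brute-force attempt
window=600
```

Save the rules as ssh.sec and run sec --conf=ssh.sec --input=/var/log/auth.log to tail the live log; to replay a saved file from its beginning and exit at end of file, add --fromstart --notail. Note that SEC measures correlation windows by the wall-clock time at which it reads each line, not by the timestamp inside the line, so a replayed file is processed as if all of its events arrived at once.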

Documentation

See the SEC manpage and FAQ for detailed information about SEC. You can also check the following sources for additional information:

  • “Simple Event Correlator for real-time security log monitoring” – a paper about SEC that was published in Hakin9 Magazine 1/2006 (6) (see the Hakin9 web site for the most recent download link).
  • “Hardening Linux” (Apress, 2005) by James Turnbull – Chapter 5 of the book contains a discussion and examples of how to employ SEC for log monitoring (see the Apress web site for the most recent download link).
  • “Real-time log file analysis using the Simple Event Correlator (SEC)” by John P. Rouillard – a paper with SEC ruleset examples that was presented at USENIX LISA’2004.
  • “Working with SEC – the Simple Event Correlator” by Jim Brown – a tutorial paper with part 1 (2003) providing an introduction to SEC and part 2 (2004) covering several advanced topics.
  • “SEC – a Lightweight Event Correlation Tool” – an early paper about SEC that was presented at IEEE IPOM’2002.
  • SEC rule repository – if you have developed a ruleset that might be interesting to others as well, please contribute.

Installation information and dependencies

SEC has been primarily tested on Linux and Solaris, but since it is written in Perl and does not use any platform-dependent subroutines, it should work on most operating systems. The author has received reports about SEC working on FreeBSD, OpenBSD, HP-UX, AIX, Tru64 UNIX, Mac OS X, and Windows (with CygWin Perl).

In order to install SEC, check where your Perl executable is located and change the first line in the sec file accordingly. For example, if your Perl executable is /usr/local/bin/perl, set the first line to #!/usr/local/bin/perl -w. Then copy sec and sec.man (SEC manpage) to appropriate directories, e.g.,
  cp sec /usr/local/bin
  cp sec.man /usr/local/man/man1/sec.1

Since SEC is generally not tested against outdated Perl releases, it is recommended to run SEC with at least Perl 5.6 (see http://www.perl.org for the latest stable Perl release). Apart from Perl, SEC does not depend on other software. It uses Perl Getopt, POSIX, Fcntl, IO::Handle, and Sys::Syslog modules which are included in the standard installation of Perl.