try writing the log to /dev/log rather than sending it over the network
if you need to send it over the network, check your buffers: are they getting full (and is your receiving syslog daemon keeping up)?
On Tue, 27 Aug 2019, Santhosh Kumar wrote:
Date: Tue, 27 Aug 2019 10:55:44 +0900
From: Santhosh Kumar <santhoshkmrre...@gmail.com>
To: Risto Vaarandi <risto.vaara...@gmail.com>
Cc: simple-evcorr-users@lists.sourceforge.net
Subject: Re: [Simple-evcorr-users] (no subject)

Hello Risto

I've been running tests on SEC for a while and am stuck on the points below. I'm not familiar with Perl, though I tried to find a solution in the sec mail archive, but no luck. Please suggest whether this can be achieved with high performance.

1. I could see log drops when I tested with an event rate of 15000 logs/sec. A simple SEC rule to receive and forward all the logs to a destination. The output shows a relatively smaller number of logs. This also increases the CPU usage from 0.3% to 45%.

************************
Type=single
Ptype=regexp
Pattern=([.\d]+)
Desc=$1
Action=pipe $0 nc syslog101 514
************************

2. In a different scenario, I was interested in matching the logs against a list of IOCs. Here I was trying to mail the detected log along with the IOC name. I could achieve it to a certain level as mentioned in the example, but no luck with this case: "Split IPs from the IOC file and use them in the 'pattern' to match IPs from logs."

************************
IOC_data_proposal.txt
187.163.222.244:465 - emotet
187.189.195.208:8443 - emotet
188.166.253.46:8080 - emotet
189.209.217.49:80 - heartbleed
************************

Please check and share some insights.

Eg: I currently tested the case below and it's working fine, as this is a straightforward IOC match.

************************
#Current Rule for matching IOC:
# at startup, (re)create the IOC context and turn each line of the file into a synthetic event
type=Single
ptype=RegExp
pattern=(?:SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART)
desc=load IOC data
action=logonly; delete IOC; create IOC; \
  lcall %iocevents -> (sub{scalar `cat /usr/local/bin/sec-rules/ioc_data.txt`}); \
  cevent IOC_IP 0 %iocevents;

# one alias IOC_<ip> per IOC line, so a log line can be tested with context=IOC_<ip>
type=Single
ptype=RegExp
pattern=.
context=IOC_IP
desc=create an entry
action=logonly; alias IOC IOC_$0

# $1 is the hostname, $2 the IP; the rule fires only if the alias IOC_<ip> exists
type=Single
ptype=regexp
context=IOC_$2
pattern=syslog.*hostname=([\w\-\d]+).*IP=([\d\.]+)
desc=Matched host & ip: $1 && $2
action=pipe '$0' mail -s '%s' 'test123.gmail.com'

IOC_data.txt
187.163.222.244
187.189.195.208
188.166.253.46
189.209.217.49
187.163.222.244
187.189.195.208
188.166.253.46
189.209.217.49
************************

Regards,
san
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
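One way to get the IOC name into the alert for the second question, as an added example (not Santhosh's rules and not code from the SEC project): the IOC file is parsed once at startup into a Perl hash keyed by IP, and each matching syslog line passes its IP to a lookup, so no per-IP contexts or aliases are needed. The file path, the recipient address and the names `$ioc_by_ip`, `%loaded` and `%hit` are assumptions.

```sec
# Load the IOC file once at SEC startup/restart into a global Perl hash ref ($ioc_by_ip).
# Assumed path; line format as in the proposal file: "<ip>:<port> - <name>".
type=Single
ptype=RegExp
pattern=^(?:SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART)$
desc=load IOC data
action=lcall %loaded -> ( sub { \
    my $path = '/usr/local/bin/sec-rules/IOC_data_proposal.txt'; \
    my $n = 0; \
    $ioc_by_ip = {}; \
    open(my $fh, '<', $path) or return 0; \
    while (my $line = <$fh>) { \
      my ($ip, $port, $name) = ($line =~ /^\s*([\d.]+):(\d+)\s*-\s*(\S+)/); \
      next unless defined $name; \
      $ioc_by_ip->{$ip} = "$name (port $port)"; \
      $n++; \
    } \
    close($fh); \
    return $n; \
  } ); \
  logonly loaded %loaded IOC entries

# For each syslog line carrying hostname= and IP=, look the IP ($2) up in the hash.
# The IP is passed to the Perl sub as a parameter; the lookup result lands in %hit
# (0 when the IP is not listed), and mail is sent only on a hit.
type=Single
ptype=RegExp
pattern=syslog.*hostname=([\w\-]+).*IP=([\d.]+)
desc=IOC lookup for $2 seen from $1
action=lcall %hit $2 -> ( sub { my ($ip) = @_; return $ioc_by_ip->{$ip} || 0; } ); \
  if %hit ( pipe 'host $1 contacted $2 - matched IOC %hit' mail -s 'IOC hit: %hit from $1' soc@example.com )
```

The SEC_STARTUP family of events only appears when sec is started with --intevents, and the hash is rebuilt on every restart, so edits to the IOC file take effect after a SIGHUP.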