Re: [Simple-evcorr-users] duelling correlators?

2008-08-11 Thread david
, and signalling between them? Does anyone have a working model that I could use? take a look at the linux-ha project, it will let you do the master/slave (or larger clusters). you can have it move the IP that receives the logs and start/stop SEC, so only one box will be active at a time. David Lang

Re: [Simple-evcorr-users] SEC not reading lines over 1024 in length

2009-10-24 Thread david
the lead developer of rsyslog, so rsyslog complies with this. I think (but have not checked) that syslog-ng also complies with this. David Lang On Fri, Oct 23, 2009 at 6:17 PM, Ronald San Juan ronald.sanj...@telus.com wrote: Hi, I am using SEC v2.5. The problem I have is SEC doesn't seem

Re: [Simple-evcorr-users] Condensing syslog events

2009-10-24 Thread david
alert that it has done so, sleeps for 10 min, then turns it off (in the hope that the cause of the flood has been fixed) a simple SingleWithThreshold rule that matches any line should be enough to kick this off. David Lang Time for me to reread the docs. No Cisco in the pipeline, and the last msg

Re: [Simple-evcorr-users] how can you put a newline in a context body?

2009-11-20 Thread david
On Fri, 20 Nov 2009, John P. Rouillard wrote: Hi David: In message alpine.deb.2.00.0911192139410.10...@asgard.lang.hm, david at lang.hm writes: I am creating rules that accumulate log lines into a context for a later report. since these are _long_ log lines, they will wrap in the e-mail

Re: [Simple-evcorr-users] feature idea: ruleset namespaces

2010-10-12 Thread david
be a good solution would be to add a namespace option to the jump rule: why can't you make the context names unique? you can add whatever you would use as the namespace as part of the context name. David Lang # somewhat contrived jump rule - logically split input source type=jump pattern

Re: [Simple-evcorr-users] New feature requests

2010-10-26 Thread david
/severity number. David Lang kind regards, risto --- On Sun, 10/24/10, Tim Peiffer peif...@umn.edu wrote: From: Tim Peiffer peif...@umn.edu Subject: [Simple-evcorr-users] New feature requests To: simple-evcorr-users@lists.sourceforge.net Date: Sunday, October 24, 2010, 12:31 AM I would like to get

Re: [Simple-evcorr-users] SEC input is Radius Detail

2011-01-25 Thread david
I would start off by running it through a pre-processor that would combine these into one line. have a process that looks for lines starting with whitespace and append them to the prior line (with some sort of separator record between them) David Lang On Tue, 25 Jan 2011, Tim Peiffer wrote

Re: [Simple-evcorr-users] Context expirations and counts

2011-03-24 Thread david
like what you really want is SingleWithSuppress and set the window to 120 seconds David Lang

Re: [Simple-evcorr-users] Count report event number

2011-08-13 Thread david
SEC works just fine reading from named pipe or stdin from a socket. I have this working with rsyslog with the only problem being that when I want to change the SEC rules, it involves a restart of rsyslog. David Lang On Sat, 13 Aug 2011, Jean Baptiste Favre wrote: - second is: in order

Re: [Simple-evcorr-users] Count report event number

2011-08-13 Thread david
on that box) David Lang

Re: [Simple-evcorr-users] using memcached as a context store?

2011-09-25 Thread david
lower. David Lang

Re: [Simple-evcorr-users] Defining a Map for Data

2011-10-18 Thread david
. David Lang -- Justin J. Novack Official Disturber of the Peace On Tue, Oct 18, 2011 at 1:52 PM, John P. Rouillard rou...@cs.umb.edu wrote: In message CAB3_BpPsYVc+OKX5oio03tuSy=D=o5ikb5eq7rxtxykvuax...@mail.gmail.com , Justin J. Novack writes: [...] I could tap the collective knowledge

Re: [Simple-evcorr-users] Defining a Map for Data - SOLVED

2011-10-19 Thread david
On Wed, 19 Oct 2011, Justin J. Novack wrote: Again, thank you John, David, et. al. My full solution is posted for reference. Please feel free to include in documentation. /etc/sec/friendlynames.txt GigabitEthernet1/37=TEST SERVER GigabitEthernet3/39=IMPORTANT SERVER

Re: [Simple-evcorr-users] Data normalization

2011-12-13 Thread david
a wildcard list of files? or just a single file? by the way, the rsyslog imfile module has the ability to handle multi-line logs (either by a blank line between the log entries, or with all parts of the log after the first being indented). David Lang

Re: [Simple-evcorr-users] SEC unix sockets

2011-12-28 Thread david
with --input option. do you really need a unix socket, or would a named pipe work for you? David Lang

Re: [Simple-evcorr-users] Sec with Rsyslog

2012-01-11 Thread david
, that action can include a script that can do anything that you tell it to do. What the script would look like will be completely dependent on how your SMS alerting system works. David Lang ### # /etc/sec.conf # ## # Suppress Workstations # type=Suppress ptype=regexp pattern=\S+\s+\S+\s+\S+\s

[Simple-evcorr-users] how can I put a newline in a string?

2012-02-28 Thread david
I've got some alerts configured that call an external script to send an e-mail. It would be much nicer if I could add newlines to the string to format the mail message. when I try putting \n in the string, that is what comes out literally. David Lang

Re: [Simple-evcorr-users] how can I put a newline in a string?

2012-02-28 Thread david
\nbaz); what I've been trying is action = shellcmd /path/to/script destination subject \ message\nmoremessage David Lang

[Simple-evcorr-users] Trying to alert on the ratio between two types of logs

2012-02-28 Thread david
I want to setup an alert based on too many of one type of log showing up compared to another type of log during a window Ideally, with the appropriate log messages being in a report For example, I want to look at the number of successful and failed logins, and alert if the number of failed

Re: [Simple-evcorr-users] Integrating SEC with other monitoring tools

2012-08-30 Thread david
, the timeout is reset, and the context from #2 is cleared. David Lang

Re: [Simple-evcorr-users] Integrating SEC with other monitoring tools

2012-08-30 Thread david
it. Otherwise, have the alert go into something that you are already watching. Just be careful about overwhelming people with alerts. David Lang On Thu, 30 Aug 2012, Joseph Guanzon wrote: Hi David, Sorry for asking this though I'm not too good this but can you give me an idea on how you

Re: [Simple-evcorr-users] PairWithWindow rule with misleading behaviour

2012-09-05 Thread david
is that you are being tripped up by the fact that by default the first rule that matches ends processing of that log message. try adding continue=takenext to the first rule and see if that works. David Lang

Re: [Simple-evcorr-users] HTTP access for SEC?

2012-09-06 Thread david
the appropriate messages http://nagios.sourceforge.net/docs/30/passivechecks.html David Lang

Re: [Simple-evcorr-users] In-Memory Hash Array for event-enhancement.

2012-09-06 Thread david
(FILE) { chomp; @junk=split(/\|/,$_); $known_admin_ips{$junk[0]}{$junk[1]} = 1; }; close(FILE)) David Lang

Re: [Simple-evcorr-users] Context and desc.

2012-09-14 Thread david
. A context can have a lifetime, after which it is removed, and it can have an action to take when the lifetime expires. contexts can be modified by other rules. These are deceptively simple. Used properly they provide a HUGE amount of power. David Lang

Re: [Simple-evcorr-users] Context and desc.

2012-09-15 Thread david
) David Lang

Re: [Simple-evcorr-users] SEC system requirements and limitations on servers and alerts

2012-10-02 Thread david
the 100 alerts it would state that there have been a 100 counts for this certain alert received. Yes, you can do this sort of thing. David Lang

Re: [Simple-evcorr-users] SEC system requirements and limitations on servers and alerts

2012-10-02 Thread david
:522233 messages.20121002.2239.gz:507386 messages.20121002.2240.gz:524174 messages.20121002.2241.gz:620405 messages.20121002.2242.gz:540399 at this time of day (well past peak) the cpu load is fairly low. These are not especially large configs. David Lang

Re: [Simple-evcorr-users] Setup and use of context and variables.

2012-10-10 Thread david
On Wed, 10 Oct 2012, Boyles, Gary P wrote: David, Thank you for your response. Yes... I am worried about performance, so I'm trying to design-in good performance from the get-go. One thing to remember is that regex matches can be expensive (especially complex regex matches like you use

Re: [Simple-evcorr-users] Problem on configuration SEC to match the pattern

2012-10-18 Thread david
. Without that all your logs are being treated as being the same. David Lang

Re: [Simple-evcorr-users] Problem on configuration SEC to match the pattern

2012-10-18 Thread david
available for application usage is really no better than desc=connection open $2 $3 $4 David Lang -Original Message- From: da...@lang.hm [mailto:da...@lang.hm] Sent: Thursday, October 18, 2012 3:06 PM To: Paul Sun Cc: simple-evcorr-users@lists.sourceforge.net Subject: Re: [Simple-evcorr

Re: [Simple-evcorr-users] attacks on log analysis tools

2008-07-29 Thread David Vasil
diminishing the usefulness of the original information). [1] SSL Encrypting Syslog via Stunnel: http://librenix.com/?inode=7126 [2] Signed syslog Messages: http://www.ietf.org/internet-drafts/draft-ietf-syslog-sign-23.txt -- | David Vasil [EMAIL PROTECTED] | Oak Ridge National Laboratory NCCS Division

[Simple-evcorr-users] SEC and untrusted log content

2009-05-27 Thread David Reiss
quoted? --David

Re: [Simple-evcorr-users] Anyone using JSON with SEC and SEC alpha.

2012-11-29 Thread David Lang
The message you are looking for wasn't from me (I just started the thread), look in the mailing list archives on Nov 5 for the subject line: Re: [Simple-evcorr-users] dealing with JSON based logs David Lang On Thu, 29 Nov 2012, Boyles, Gary P wrote: Date: Thu, 29 Nov 2012 16:17:18 +

Re: [Simple-evcorr-users] More table like display of stats

2012-12-05 Thread David Lang
easier to read, easier to parse, win-win. David Lang On Wed, 5 Dec 2012, Boyles, Gary P wrote: John, I would say that the 2nd format is most definitely easier to read. Gary Boyles -Original Message- From: John P. Rouillard [mailto:rou...@cs.umb.edu] Sent: Tuesday, December 04

Re: [Simple-evcorr-users] More table like display of stats

2012-12-06 Thread David Lang
the cost. David Lang

Re: [Simple-evcorr-users] extending output types

2013-02-06 Thread David Lang
? David Lang

Re: [Simple-evcorr-users] Using environment variable in write within rules.

2013-02-06 Thread David Lang
are probably better off setting them at startup, then re-checking them (either based on calendar rules or when a 'reload values' pattern shows up in a log message) rather than evaluating them each time they are used. David Lang

Re: [Simple-evcorr-users] extending output types

2013-02-07 Thread David Lang
On Thu, 7 Feb 2013, Risto Vaarandi wrote: On 02/06/2013 11:59 PM, David Lang wrote: I think this sort of thing would be useful, a lot of 'action scripts' end up being trivial wrappers to do these sorts of things, and opening/closing files and starting programs can have a surprisingly large

Re: [Simple-evcorr-users] trap suppression and threshold

2013-03-29 Thread David Lang
sending you the message. If you only have one Juniper, you can get away with desc being a fixed string. David Lang On Fri, 29 Mar 2013, Vernon Nelson wrote: Date: Fri, 29 Mar 2013 16:12:18 -0400 From: Vernon Nelson keible...@gmail.com To: simple-evcorr-users@lists.sourceforge.net Subject: [Simple

Re: [Simple-evcorr-users] SEC on the big data security log management

2013-05-04 Thread David Lang
and that instance generates all the alerts, and deals with correlation rules that need to take into account the different feeds. David Lang

Re: [Simple-evcorr-users] SEC on the big data security log management

2013-05-06 Thread David Lang
On Tue, 7 May 2013, John Zhang wrote: Hi David, Thanks! I am very interested in your solution, could you provide more details? My requirements are also collecting logs from network, server and applications, their volumes are about 50k log/s; except searching, also need event correlation

Re: [Simple-evcorr-users] Pattern matching in SEC

2013-06-04 Thread David Lang
{$junk[0]}{$junk[1]} = 1; }; close(FILE); ) And then later in your ruleset, you can have rules that use the perl snippet if exists $known_admin_ips{product}{ip} for a very fast lookup for even a large number of possible IP addresses David Lang

Re: [Simple-evcorr-users] a question to users about handling FIFOs

2013-06-07 Thread David Lang
. David Lang

Re: [Simple-evcorr-users] singlewiththreshold collect events

2013-06-25 Thread David Lang
the logs into a report, and then a singlewiththreshold that exports the data when it fires. The problem is expiring the old data from the report. I can think of ways to do this, but not clean ones. David Lang #more than 15 failed logins type=singlewiththreshold desc=Possible brute force attempt

Re: [Simple-evcorr-users] rsyslog omprog + SEC

2013-06-27 Thread David Lang
development version (as of yesterday, git version) of rsyslog allows a newer syntax to be used that allows for command-line arguments to be used on the command. David Lang On Thu, 27 Jun 2013, Risto Vaarandi wrote: Date: Thu, 27 Jun 2013 11:14:15 +0300 From: Risto Vaarandi risto.vaara...@seb.ee

Re: [Simple-evcorr-users] Looking For A Better Way To Do A Rule-Set.

2013-06-27 Thread David Lang
=continue) so that you can do different things with the log messages, but more info is needed to create the specific rules. David Lang

Re: [Simple-evcorr-users] (no subject)

2013-08-22 Thread David Lang
the last 10 iostat sets of output'. I'd have to go back through my saved mail or the list archives, but I seem to remember a recent discussion on how to do a time-based limit like this. David Lang

Re: [Simple-evcorr-users] (no subject)

2013-08-22 Thread David Lang
On Thu, 22 Aug 2013, John P. Rouillard wrote: In message alpine.deb.2.02.1308221357240.12...@nftneq.ynat.uz, David Lang writes: On Thu, 22 Aug 2013, John P. Rouillard wrote: In trying to troubleshoot a problem with an application, I want to include the prior 10 minutes of iostat info along

[Simple-evcorr-users] Eventgroup question

2013-09-09 Thread David Lang
arriving for the first 40 seconds of a minute. David Lang

Re: [Simple-evcorr-users] Eventgroup question

2013-09-09 Thread David Lang
Thanks, that's what I thought I was reading, but I wasn't sure. David Lang On Mon, 9 Sep 2013, Risto Vaarandi wrote: hi David, unfortunately, eventgroup rule does not have this particular functionality, and if you would like to ensure reporting precisely after 1 minute intervals

Re: [Simple-evcorr-users] no dump files from SEC when run from rsyslog

2013-09-19 Thread David Lang
On Thu, 19 Sep 2013, Risto Vaarandi wrote: On 09/19/2013 06:16 AM, David Lang wrote: I've started running SEC from rsyslog via omprog and it's running, but when it tries to write the dumpfile, nothing happens. I did a cut-n-paste of the command line (as shown in ps) and ran it from

Re: [Simple-evcorr-users] [rsyslog] no dump files from SEC when run from rsyslog

2013-09-24 Thread David Lang
, 24 Sep 2013, Risto Vaarandi wrote: hi David, today afternoon, I did couple of additional tests and connected /bin/cat to rsyslog. After creating such setup, I observed the same thing -- the /bin/cat process does not respond to signals and can be taken down only with SIGKILL. Apart from

Re: [Simple-evcorr-users] Multiple Actions

2013-09-26 Thread David Lang
a ; at the end of your existing action and put in your definition for the second action. David Lang

Re: [Simple-evcorr-users] string quoting and perl integration actions

2013-09-27 Thread David Lang
a reference to it, you can have other commands just access $hash{key} David Lang

Re: [Simple-evcorr-users] string quoting and perl integration actions

2013-09-27 Thread David Lang
On Fri, 27 Sep 2013, Mark D. Nagel wrote: On 9/27/2013 4:14 PM, David Lang wrote: remember that Perl variables (including hashes) that you create with one rule can be accessed by your perl code in any other rule. you don't _have_ to use varmap. If your flatten routine sets a variable

Re: [Simple-evcorr-users] SEC-2.7.4 released

2013-10-25 Thread David Lang
).. Yes, SEC can read from a text file and apply its rules to what it finds. Just list that file as an input for SEC. David Lang

Re: [Simple-evcorr-users] Regex Pattern Matching in SEC

2013-11-25 Thread David Lang
, but unfortunately not able to match in SEC. pattern=(Cross-site Scripting \(XSS\)|CRITICAL) This matches 'Cross-site Scripting (XSS)' OR 'CRITICAL' not and pattern=Cross-site Scripting \(XSS\).*CRITICAL should require a log with both in it. David Lang

Re: [Simple-evcorr-users] Correlate multiple modsecurity alert.

2013-12-17 Thread David Lang
is that time limits in SEC are based on wall-clock time, not the timestamps in the log messages. So if a UDP flood attack causes SEC to bog down and get way behind in processing messages, it's possible that some of your other rules may not act the way you expect them to. David Lang On Tue, 17 Dec

Re: [Simple-evcorr-users] Line not in keyword=value format or non-alphanumeric keyword

2014-01-21 Thread David Lang
of snmptt_cisco.conf, starting from about line 110 where the errors are being reported. If the contents are what's listed in () of the error message, the answer is that whatever is in that file isn't a valid SEC configuration file. David Lang

Re: [Simple-evcorr-users] CONFIGURATIONS

2014-03-06 Thread David Lang
short answer: Yes, everything in SEC can be used for correlating (or if it can't, it should be removed) now, that wasn't the answer to what you really wanted to know, so could you try reframing your question? David Lang On Thu, 6 Mar 2014, Rolf Nufable wrote: could the jump rules

Re: [Simple-evcorr-users] SEC with Raspberry Pi?

2014-04-06 Thread David Lang
people want to do the exact same thing in response to the exact same conditions. What is it that you want to monitor for? David Lang On Sun, 6 Apr 2014, Tim Peiffer wrote: I have a co-worker that is trying to introduce me to Raspberry Pi and his facilities for monitoring an HD TV headend

Re: [Simple-evcorr-users] return the entire line in a log file

2014-05-12 Thread David Lang
or another way. rather than sending this to an external script, have you looked at using a perl snippet inside SEC? you avoid the need to do a regex and then send it out, and you avoid the startup overhead of the external script. David Lang

Re: [Simple-evcorr-users] Sequence

2014-06-30 Thread David Lang
Keep in mind that there are several things that can cause SEC to see the logs in a different order than they were generated in, so be careful about ordering requirements. David Lang On Thu, 26 Jun 2014, Risto Vaarandi wrote: For detecting sequences of events, you could use the following

Re: [Simple-evcorr-users] Sequence

2014-06-30 Thread David Lang
Even from the same device there are numerous things that can reorder logs, the network can reorder logs, rsyslog can end up reordering logs, etc. It doesn't happen a lot, but if you depend on the order, you will miss correlations. David Lang On Mon, 30 Jun 2014, Risto Vaarandi wrote: I'd

Re: [Simple-evcorr-users] Change configuration at runtime

2015-01-02 Thread David Lang
not about SEC, but the ideas presented for splitting the work across multiple machines, but then combining the results, are applicable. David Lang

Re: [Simple-evcorr-users] intstates and HUP

2015-04-01 Thread David Lang
On Tue, 31 Mar 2015, John P. Rouillard wrote: Hi David: In message alpine.deb.2.02.1503311452250.26...@nftneq.ynat.uz, David Lang writes: before I realized that I really only needed USR2, I was sending sec a HUP to get it to close all its output files (for log rotation), but I was running

Re: [Simple-evcorr-users] re-arming a context when it expires

2015-03-31 Thread David Lang
On Tue, 31 Mar 2015, Risto Vaarandi wrote: hi David, the problem you are experiencing is related to the action-on-expire field of the heartbeat_$1 context. When this context is created, its action-on-expire field is set to the following list: create heartbeat_$1 14400 (shellcmd /usr/local

Re: [Simple-evcorr-users] intstates and HUP

2015-04-02 Thread David Lang
On Thu, 2 Apr 2015, Risto Vaarandi wrote: 2015-04-02 1:22 GMT+03:00 David Lang da...@lang.hm: On Wed, 1 Apr 2015, Risto Vaarandi wrote: hi David, is my understanding correct that you would like to have pre_restart event, in order to execute the following steps: 1) when HUP is received

Re: [Simple-evcorr-users] intstates and HUP

2015-04-03 Thread David Lang
On Fri, 3 Apr 2015, Risto Vaarandi wrote: 2015-04-03 3:57 GMT+03:00 David Lang da...@lang.hm: On Thu, 2 Apr 2015, Risto Vaarandi wrote: 2015-04-02 1:22 GMT+03:00 David Lang da...@lang.hm: On Wed, 1 Apr 2015, Risto Vaarandi wrote: hi David, is my understanding correct that you would

Re: [Simple-evcorr-users] a paper on sec

2015-04-02 Thread David Lang
On Thu, 2 Apr 2015, Risto Vaarandi wrote: 2015-04-02 1:30 GMT+03:00 David Lang da...@lang.hm: On Wed, 18 Mar 2015, Risto Vaarandi wrote: hi all, last week, I had a conference presentation Simple Event Correlator - Best Practices for Creating Scalable Configurations which was accompanied

Re: [Simple-evcorr-users] intstates and HUP

2015-04-01 Thread David Lang
On Wed, 1 Apr 2015, Risto Vaarandi wrote: hi David, is my understanding correct that you would like to have pre_restart event, in order to execute the following steps: 1) when HUP is received, match pre_restart synthetic event and save event correlation state to disk, 2) let the HUP

Re: [Simple-evcorr-users] Correlating of two different Events as One

2015-06-15 Thread David Lang
a rule that looks for both contexts to be raised and generate an alert at that time (possibly including data from each of the two contexts) David Lang

[Simple-evcorr-users] problem with sec losing stdin

2015-07-15 Thread David Lang
frequently (twice in a minute in the sample logs above) David Lang

Re: [Simple-evcorr-users] problem with sec losing stdin

2015-07-15 Thread David Lang
On Wed, 15 Jul 2015, Risto Vaarandi wrote: Hi David, I noticed that sec is running without --notail option, but this causes sec to stay around even after rsyslog has closed the write end of the pipe. I would suggest including the --notail option in the sec command line which causes

Re: [Simple-evcorr-users] SEC multiple events match same time

2015-08-24 Thread David Lang
. That will tell you if it's way behind (although sec using 100% cpu for any significant amount of time will tell you it is not keeping up) how are you reading the logs? David Lang

Re: [Simple-evcorr-users] SEC multiple events match same time

2015-08-24 Thread David Lang
On Tue, 25 Aug 2015, Ganji, Shashirekha Yadav wrote: David, SEC is perfectly fine in processing other alerts without any delay. The BGP alert is an exceptional case we have seen so far from the past 2 years which was alerted with some delay. just double checking, are you sure that SEC didn't

Re: [Simple-evcorr-users] SEC multiple events match same time

2015-08-24 Thread David Lang
in processing logs. David Lang On Tue, 25 Aug 2015, Ganji, Shashirekha Yadav wrote: David, We are forwarding all devices logs to syslog server and using different facilities based on the technologies. I see actual device logs coming around 8:00pm on our syslog local files but SEC alerted them @00

Re: [Simple-evcorr-users] SEC multiple events match same time

2015-08-24 Thread David Lang
On Tue, 25 Aug 2015, Ganji, Shashirekha Yadav wrote: David, Excuse my ignorance. I just checked and it appears that there was a delay of 4hrs for a few other events yesterday evening. But currently events are coming out well. So what do you suggest here? Ok, this makes more sense :-) https

Re: [Simple-evcorr-users] how to correlate with events in the past?

2015-10-11 Thread David Lang
to doing this manually (detect the first event, set a context that will expire in X time and do nothing when it expires) pair of events where it notices the first event and if the second

Re: [Simple-evcorr-users] persistence of using action variables in action list?

2015-10-06 Thread David Lang
> processing? the variables are local to the rule, but you can use varmap to save them from one rule and access them from others (this is designed to avoid needing to do the parsing multiple times) David Lang --

[Simple-evcorr-users] detecting 'old' logs

2016-01-04 Thread David Lang
has anyone put together the code that would be needed to detect if sec or log delivery is falling behind? something along the order of 'if the timestamp in the logs is > X min behind current, alert'? David L

Re: [Simple-evcorr-users] detecting 'old' logs

2016-01-04 Thread David Lang
erl code here});pipe 'SEC is behind %o minutes. Log time: $1' /bin/mailx -s "SEC: %t > SEC is behind 1+ minutes." u...@somewhere.edu David Lang On Mon, 4 Jan 2016, Todd M. Hall wrote: > Date: Mon, 4 Jan 2016 13:25:26 -0600 (CST) > From: Todd M. Hall <t...@msstate.edu> >

Re: [Simple-evcorr-users] access to time values in calendar event

2016-02-10 Thread David Lang
the info anyway (to decide if the rule matches), so setting it in a way that can be retrieved should be cheap/free. David Lang On Wed, 10 Feb 2016, Risto Vaarandi wrote: > when thinking quickly about it, it might be a better idea to provide time > related data through action list variables. Cur

[Simple-evcorr-users] access to time values in calendar event

2016-02-10 Thread David Lang
with the time= line) put into the $1-$5 variables, it would make this more reliable, and shouldn't hurt any existing configs, because they can't be using $ does this sound like a reasonable thing to do? and does it sound like an easy thing to do? David Lang

Re: [Simple-evcorr-users] rsyslog sending directly log to sec

2016-04-12 Thread David Lang
arsing is horribly slow) then in the action, I call sec with a bunch of parameters so that it logs to a file (but not too much), has a dumpfile defined, creates events and contexts for startup/shutdown/restart, and when rsyslog is sent a HUP to roll its logs, sec will get USR2 instead of H

Re: [Simple-evcorr-users] new action list variables

2016-04-18 Thread David Lang
run across a few oddities and it seems better to add them all than to play whack-a-mole on them over time. As for the other variables, they seem to cover things, but I wish there was a good way to not have three versions of everything. But I guess that would require having a function to cast th

Re: [Simple-evcorr-users] new action list variables

2016-04-18 Thread David Lang
On Mon, 18 Apr 2016, Risto Vaarandi wrote: > hi David, > I think I misread your previous mail -- my apologies. You were talking > about the variables holding control characters, and *not* unpadded > time-based variables? Yes, I was saying we should add variables for all the contro

Re: [Simple-evcorr-users] about to use sec to vcenter events

2016-11-22 Thread David Lang
et a context with a timer for 10 min, when the cancellation comes in delete the context. If the timer expires, it will take the action specified to alert. David Lang

Re: [Simple-evcorr-users] SEC_SHUTDOWN event/delay

2017-07-17 Thread David Lang
to extend this timeout with systemd (it's always possible that they decided that nobody needed to do that, but I'd bet that there is a way somewhere) David Lang

Re: [Simple-evcorr-users] (no subject)

2019-08-26 Thread David Lang
try writing the log to /dev/log rather than sending it over the network if you are needing to send it over the network, check your buffers, are they getting full (and is your receiving syslog daemon keeping up) On Tue, 27 Aug 2019, Santhosh Kumar wrote: Date: Tue, 27 Aug 2019 10:55:44 +0900

[Simple-evcorr-users] Maintaining events while modifying rules

2019-09-09 Thread David Thomas
I'm about to implement an SEC rule that will be fairly critical to our business. It is a 'Pair' rule and at any time I may have multiple events that have matched pattern 1 and are waiting for pattern 2. But I have a number of other use cases for SEC that I'm eager to implement. If at all

Re: [Simple-evcorr-users] Maintaining events while modifying rules

2019-09-09 Thread David Lang
restart more readily. David Lang

Re: [Simple-evcorr-users] Help calling perl to get hostname

2019-09-06 Thread David Thomas
Hi Risto Thank you so much for such a comprehensive and informative reply! I'm just getting started with SEC but can already imagine a number of very useful applications of it. From: Risto Vaarandi Sent: Friday, September 6, 2019 3:50 AM To: David Thomas Cc

[Simple-evcorr-users] Accessing A Perl Hash From Pattern1 In Pattern 2

2019-10-03 Thread David Thomas
I'm running into an issue with a correlation I'm trying to implement and I'm hoping you can help. Event 1 happens when a user logs into a vpn. It has the user's name the global address and the local address assigned by the vpn. Event 2 happens when the user logs off the vpn. It has the user's

Re: [Simple-evcorr-users] Accessing A Perl Hash From Pattern1 In Pattern 2

2019-10-04 Thread David Thomas
@lists.sourceforge.net' Subject: Re: [Simple-evcorr-users] Accessing A Perl Hash From Pattern1 In Pattern 2 Hi David, Here's your same rule

Re: [Simple-evcorr-users] SEC CPU utilization

2020-03-26 Thread David Lang
I set up SEC using the omprog option in rsyslog, so rsyslog started SEC and fed the logs in via stdin rather than writing to disk. On Thu, 26 Mar 2020, Dusan Sovic wrote: I using similar approach as David mention. I processing syslog messages from network devices (various Vendors like Arista

Re: [Simple-evcorr-users] action-list checking if log file is already open by SEC

2020-04-01 Thread David Lang
perl operations on a hash are surprisingly efficient. If you store your context in a hash, it can be very efficient to add/remove/check specific items. What is not efficient is aging things out based on time. David Lang On Thu, 2 Apr 2020, Richard Ostrochovský wrote: Date: Thu, 2 Apr 2020

Re: [Simple-evcorr-users] SEC CPU utilization

2020-04-01 Thread David Lang
infrastructure, ideally on a dedicated system (or set of systems) so having multiple instances, each eating a core, is a feature not a bug ;-) David Lang On Thu, 2 Apr 2020, Richard Ostrochovský wrote: Date: Thu, 2 Apr 2020 00:15:08 +0200 From: Richard Ostrochovský To: simple-evcorr-users

Re: [Simple-evcorr-users] Storing a sequence counter in a context

2023-09-22 Thread David Lang
most syslog servers have the ability to log with subsecond accuracy, and RFC-5424 requires it in the spec. David Lang
