Hello: In message <[EMAIL PROTECTED]>, "=?GB2312?B?wfXTwg==?=" writes:

> At the beginning, because of lack of sec rules, we received a huge
> number of tickets. So we changed our way. Every day we review the event
> log and collect the events which are important to us and should be
> handled manually. Then we wrote rules for these events. It seems OK
> now.

Yup. I never recommend sending all events to a ticketing system until you have a working set of rules. I also have a catchall rule at the end that sends email of unhandled events to a few humans to analyze, and if needed forward to a ticketing system.

> However we did encounter some problems which are not resolved:
>
> 1. There are always some servers which are under maintenance in our
> datacenter. So in the maintenance windows, server guys do not want to
> receive the tickets. At first, we changed our rule with calendar and
> context, then restarted SEC to meet this requirement. Later we found
> this job seems impossible because the hosts under maintenance are
> always changed day by day and the maintenance windows could be random
> and overlap. For example, A,B under maintenance during 00:00am-2:00am,
> C,D under maintenance during 01:00am-3:00am. So I should write about 140
> maintenance contexts for each server.

Use contexts that are manually controlled and a rule set that checks the source of each event. If the source host for that event is in maintenance (as determined by a context called <hostname>_in_maint) for example, just consume the event and don't pass it to any other rules.

To dynamically configure contexts under the control of an outside agent (windows scheduler, cron etc), see:

http://www.cs.umb.edu/~rouilj/sec/rulesets/Readme.txt

for the mechanism to create a control channel/input and

http://www.cs.umb.edu/~rouilj/sec/rulesets/01control.sr

for rules that create/delete/obsolete and add to contexts based on events appended to the external control file.

> 2. How to manage the logpp's and sec rules. We've got more and more
> rules over the time and would like to put them into some category,
> easy to find and etc.

Sounds like you need to read:

http://www.cs.umb.edu/~rouilj/sec/sec_paper_full.pdf

along with reviewing the info linked from:

http://www.cs.umb.edu/~rouilj/sec

> 3. The next plan is to add syslog of our cisco devices into this
> system. As I found, SEC will correlate the event rule by rule until
> matched on rules. That means a cisco event would be passed by all
> windows rules before it was correlated. I think it would lead to a
> performance problem when rules for cisco have been added. My simple
> solution is to run some separate process to handle different events.

The paper referenced above discusses how to handle this and the sample rule sets linked from http://www.cs.umb.edu/~rouilj/sec implement a framework to limit ruleset application to only a subset of all events.

--
-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
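One way to implement the per-host maintenance context described in the reply above, as an added example that is not from the post or from the linked rule sets. It assumes SEC reads the syslog file plus a control file that an outside scheduler appends lines to; the "MAINT start/end" control-line format and the syslog line layout are made up for the example.

```sec
# Added example, not part of the original post or of the linked rule sets.
# Assumes an external scheduler appends control lines of the (made-up) form
#   MAINT start <host> | MAINT end <host>
# to a file SEC reads, alongside the normal syslog input.

# "MAINT start <host>" creates <host>_in_maint. The 7200 s lifetime is a
# safety net: a forgotten "end" line cannot silence a host indefinitely.
type=Single
ptype=RegExp
pattern=^MAINT start (\S+)$
desc=host $1 enters maintenance
action=create $1_in_maint 7200

# "MAINT end <host>" removes the context early when work finishes sooner.
type=Single
ptype=RegExp
pattern=^MAINT end (\S+)$
desc=host $1 leaves maintenance
action=delete $1_in_maint

# Syslog line assumed as "<Mon> <day> <hh:mm:ss> <host> <program>: ...".
# If <host>_in_maint exists the event is consumed here and no later rule
# (including the ticketing and catchall rules) ever sees it.
type=Suppress
ptype=RegExp
pattern=^\w{3}\s+\d+ \d\d:\d\d:\d\d (\S+)\s
context=$1_in_maint
desc=discard event from $1 during its maintenance window

# Rules that open tickets, and the final catchall that emails unhandled
# events to humans, follow this point in the rule file.
```

Because contexts are created and deleted by events rather than by calendar entries, overlapping windows for different hosts need no per-host rules and no SEC restart.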
