Much of the time you can trivially split your rules and then run multiple copies
of SEC, each processing a subset of the rules on the logs that will match them.
Rsyslog has a very efficient parsing capability (mmnormalize); you can use it to
just classify the logs, or you can go a step further and have it extract the
relevant fields and pass them to SEC in ways that make it cheaper to parse and
process.
Where you do have rules that correlate across different types of logs, you may
be able to just combine those logs into one ruleset, or you can have parallel
instances output messages to say that their part of the correlation has tested
true and then have another instance that processes these partial correlation
messages and decides if the combined correlation is matched.
David Lang
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
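The two-tier layout described in the message above, written out as a runnable Python model rather than as SEC or rsyslog configuration (this is an added example, not code from the post or from the SEC project). A `classify` function stands in for the mmnormalize step, tagging each line and extracting only the fields a worker needs; two `ThresholdWorker` objects stand in for parallel SEC instances that each own one ruleset and emit `PARTIAL` messages; a `Combiner` stands in for the extra instance that joins the partials per source address inside a time window and expires stale ones. The log format (`<epoch> <host> <program>: <message>`), the `PARTIAL ...`/`ALERT ...` message shapes, the thresholds and the sample lines are all constructed for this example.

```python
"""Model of splitting SEC rules across parallel instances plus a combiner.
Added example: not SEC/rsyslog code.  Log format, thresholds, message
shapes and sample lines are constructed for illustration."""
import re
from collections import defaultdict, deque

# Assumed (constructed) log format: "<epoch> <host> <program>: <message>".
SSH_FAIL = re.compile(r"^(\d+) \S+ sshd\[\d+\]: Failed password for \S+ from (\S+)")
FW_DROP = re.compile(r"^(\d+) \S+ kernel: FW-DROP IN=\S+ SRC=(\S+)")


def classify(line):
    """Stand-in for rsyslog mmnormalize: tag the line and pull out only the
    fields a worker needs, so no worker re-runs the full regex."""
    for tag, rx in (("sshfail", SSH_FAIL), ("fwdrop", FW_DROP)):
        m = rx.match(line)
        if m:
            return {"type": tag, "ts": int(m.group(1)), "src": m.group(2)}
    return None  # not covered by any ruleset; dropped before reaching SEC


class ThresholdWorker:
    """One parallel instance holding a single SingleWithThreshold-style rule:
    emit a PARTIAL message once `count` events per source arrive within `window`."""

    def __init__(self, tag, count, window):
        self.tag, self.count, self.window = tag, count, window
        self.hits = defaultdict(deque)  # src -> timestamps inside the window

    def feed(self, ev):
        if ev["type"] != self.tag:
            return None  # routed to a different ruleset
        q = self.hits[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > self.window:
            q.popleft()  # slide the window
        if len(q) >= self.count:
            q.clear()  # one burst yields one partial, not one per extra event
            return f"PARTIAL {self.tag} {ev['src']} {ev['ts']}"
        return None


class Combiner:
    """Second-tier instance: joins PARTIAL messages from different workers."""
    PARTIAL = re.compile(r"^PARTIAL (\S+) (\S+) (\d+)$")

    def __init__(self, needed, window):
        self.needed, self.window = set(needed), window
        self.seen = defaultdict(dict)  # src -> {tag: ts of latest partial}

    def feed(self, msg):
        m = self.PARTIAL.match(msg)
        if not m:
            return None
        tag, src, ts = m.group(1), m.group(2), int(m.group(3))
        pend = self.seen[src]
        # expire partials older than the join window before testing
        for t, old in list(pend.items()):
            if ts - old > self.window:
                del pend[t]
        pend[tag] = ts
        if self.needed <= set(pend):
            del self.seen[src]  # fire once, then start over for this source
            return f"ALERT {src}: {' + '.join(sorted(self.needed))} within {self.window}s"
        return None


def run_pipeline(lines, threshold=3, worker_window=60, join_window=300):
    """Classify -> fan out to workers -> feed partials to the combiner."""
    workers = [ThresholdWorker("sshfail", threshold, worker_window),
               ThresholdWorker("fwdrop", 1, worker_window)]
    combiner = Combiner(["sshfail", "fwdrop"], join_window)
    alerts = []
    for line in lines:
        ev = classify(line)
        if ev is None:
            continue
        for w in workers:
            partial = w.feed(ev)
            if partial:
                alert = combiner.feed(partial)
                if alert:
                    alerts.append(alert)
    return alerts


# Constructed sample logs.  198.51.100.7: ssh burst then a firewall drop 5s
# later -> alert.  192.0.2.1: ssh burst, firewall drop 380s later -> the ssh
# partial has expired, no alert.  203.0.113.9: only one failure -> no partial.
SAMPLE_LOGS = [
    "1700000000 bastion sshd[4101]: Failed password for root from 198.51.100.7 port 52211 ssh2",
    "1700000010 bastion sshd[4102]: Failed password for admin from 198.51.100.7 port 52212 ssh2",
    "1700000020 bastion sshd[4103]: Failed password for root from 198.51.100.7 port 52213 ssh2",
    "1700000025 edge kernel: FW-DROP IN=eth0 SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP DPT=3389",
    "1700000100 bastion sshd[4110]: Failed password for root from 192.0.2.1 port 41000 ssh2",
    "1700000110 bastion sshd[4111]: Failed password for root from 192.0.2.1 port 41001 ssh2",
    "1700000120 bastion sshd[4112]: Failed password for root from 192.0.2.1 port 41002 ssh2",
    "1700000500 edge kernel: FW-DROP IN=eth0 SRC=192.0.2.1 DST=10.0.0.5 PROTO=TCP DPT=445",
    "1700000030 bastion sshd[4104]: Failed password for root from 203.0.113.9 port 40000 ssh2",
    "1700000905 bastion cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for a in run_pipeline(SAMPLE_LOGS):
        print(a)
```

The combiner only ever sees the short `PARTIAL` messages, which is what makes the split cheap: the expensive regex work and per-event state live in the workers, and the join state is one small dict per source. The expiry loop in `Combiner.feed` is the part worth getting right, since without it a stale partial from one worker would pair with an unrelated later event from the other.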