Much of the time you can trivially split your rules and then run multiple copies of SEC, each processing a subset of the rules on the logs that will match them.

Rsyslog has a very efficient parsing capability (mmnormalize); you can use it to just classify the logs, or you can go a step further and have it extract the relevant fields and pass them to SEC in ways that make it cheaper to parse and process.

Where you do have rules that correlate across different types of logs, you may be able to just combine those logs into one ruleset, or you can have parallel instances output messages to say that their part of the correlation has tested true and then have another instance that processes these partial correlation messages and decides if the combined correlation is matched.

David Lang

Simple-evcorr-users mailing list
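The split-and-fan-in layout described in the post above, as an added illustration that is not part of the original message and not SEC or rsyslog code: two front-end "instances" each own one rule subset and emit partial-correlation messages, and a back-end "instance" sees only those partials and decides whether the combined correlation holds. The field extraction stands in for what rsyslog's mmnormalize would do before the message reaches SEC. The log lines, thresholds, windows, and class names are constructed for the example; in a real deployment the partials would travel between separate SEC processes over a pipe or file rather than in-process.

```python
"""Simulate splitting SEC rules across instances with a fan-in correlator.

Constructed example (not SEC itself): a brute-force threshold rule and a
successful-login rule run as separate workers; a combiner correlates their
partial messages to flag a login that follows a burst of failures.
"""
import re
from collections import defaultdict, deque

# Constructed sample log lines: (timestamp in seconds, syslog message text).
SAMPLE_LOGS = [
    (100, "sshd[1]: Failed password for alice from 10.0.0.5 port 4000 ssh2"),
    (101, "sshd[1]: Failed password for alice from 10.0.0.5 port 4001 ssh2"),
    (102, "sshd[1]: Failed password for alice from 10.0.0.5 port 4002 ssh2"),
    (103, "sudo: bob : TTY=pts/0 ; USER=root ; COMMAND=/bin/ls"),
    (130, "sshd[1]: Accepted password for alice from 10.0.0.5 port 4003 ssh2"),
    (500, "sshd[1]: Accepted password for carol from 10.0.0.9 port 4100 ssh2"),
]

# Stand-in for mmnormalize: classify each line and extract fields once,
# so the correlators never have to run regexes on the raw text again.
FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+)")

def normalize(line):
    m = FAILED_RE.search(line)
    if m:
        return {"event": "ssh_failed", "user": m.group(1), "src": m.group(2)}
    m = ACCEPTED_RE.search(line)
    if m:
        return {"event": "ssh_accepted", "user": m.group(1), "src": m.group(2)}
    return {"event": "other"}

class ThresholdWorker:
    """Front-end instance A: N failures for one user within WINDOW seconds
    emits a 'bruteforce' partial message (like a SEC SingleWithThreshold rule)."""
    def __init__(self, threshold=3, window=60):
        self.threshold, self.window = threshold, window
        self.hits = defaultdict(deque)  # user -> timestamps of recent failures

    def feed(self, ts, fields):
        if fields["event"] != "ssh_failed":
            return None
        q = self.hits[fields["user"]]
        q.append(ts)
        while q and q[0] < ts - self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.threshold:
            q.clear()                          # emit once per burst
            return {"ts": ts, "partial": "bruteforce", "user": fields["user"]}
        return None

class LoginWorker:
    """Front-end instance B: every accepted login emits a 'login' partial."""
    def feed(self, ts, fields):
        if fields["event"] == "ssh_accepted":
            return {"ts": ts, "partial": "login", "user": fields["user"]}
        return None

class Combiner:
    """Back-end instance: sees only partial messages, never raw logs, and
    decides whether the cross-ruleset correlation (login after brute force) holds."""
    def __init__(self, window=120):
        self.window = window
        self.pending = {}  # user -> timestamp of the bruteforce partial

    def feed(self, partial):
        if partial["partial"] == "bruteforce":
            self.pending[partial["user"]] = partial["ts"]
            return None
        if partial["partial"] == "login":
            t0 = self.pending.pop(partial["user"], None)
            if t0 is not None and partial["ts"] - t0 <= self.window:
                delay = partial["ts"] - t0
                return f"ALERT: login for {partial['user']} after brute force ({delay}s later)"
        return None

def run_pipeline(logs):
    """Drive normalized events through both workers and feed partials to the combiner."""
    workers = [ThresholdWorker(), LoginWorker()]
    combiner = Combiner()
    alerts = []
    for ts, line in logs:
        fields = normalize(line)
        for w in workers:  # each worker holds its own rule subset
            partial = w.feed(ts, fields)
            if partial:
                alert = combiner.feed(partial)
                if alert:
                    alerts.append(alert)
    return alerts

if __name__ == "__main__":
    for a in run_pipeline(SAMPLE_LOGS):
        print(a)
```

On the sample input only alice triggers the combined correlation: three failures at 100-102 produce a bruteforce partial, and her accepted login at 130 arrives inside the combiner's window; carol's login has no pending partial and is ignored.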
