SEC - simple event correlator

Introduction

SEC is a tool for accomplishing event correlation tasks in the domains of log analysis, system monitoring, network and security management, etc. Event correlation is a procedure where a stream of events is processed, in order to detect (and act on) certain event groups that occur within predefined time windows. Unlike most other event correlation products which are heavyweight solutions, SEC is a lightweight and platform-independent event correlator which runs as a single process.

SEC reads lines from files, named pipes, or standard input, matches the lines with patterns (like regular expressions or Perl subroutines) for recognizing input events, and correlates events according to the rules in its configuration file(s). SEC can produce output by executing external programs (e.g., snmptrap or mail), by writing to files, by calling precompiled Perl subroutines, etc.

Documentation

See SEC manpage and FAQ for a detailed information about SEC. You can also check the following sources for additional information:

"Simple Event Correlator for real-time security log monitoring" - a paper about SEC that was published in Hakin9 Magazine 1/2006 (6) (see the Hakin9 web site for the most recent download link).
"Hardening Linux" (Apress, 2005) by James Turnbull - Chapter 5 of the book contains a discussion and examples how to employ SEC for log monitoring (see the Apress web site for the most recent download link).
"Real-time log file analysis using the Simple Event Correlator (SEC)" by John P. Rouillard - a paper with SEC ruleset examples that was presented at USENIX LISA'2004.
"Working with SEC - the Simple Event Correlator" by Jim Brown - a tutorial paper with part 1 (2003) providing an introduction to SEC and part 2 (2004) covering several advanced topics.
"SEC - a Lightweight Event Correlation Tool" - an early paper about SEC that was presented at IEEE IPOM'2002.
SEC rule repository - if you have developed a ruleset that might be interesting to others as well, please contribute.

Installation information and dependencies

SEC has been primarily tested on Linux and Solaris, but since it is written in Perl and does not use any platform-dependent subroutines, it should work on most operating systems. The author has received reports about SEC working on FreeBSD, OpenBSD, HP-UX, AIX, Tru64 UNIX, Mac OS X, and Windows (with CygWin Perl).

In order to install SEC, check where your Perl executable is located and change the first line in the sec file accordingly. For example, if your Perl executable is /usr/local/bin/perl, set the first line to #!/usr/local/bin/perl -w. Then copy sec and sec.man (SEC manpage) to appropriate directories, e.g.,
cp sec /usr/local/bin
cp sec.man /usr/local/man/man1/sec.1

Since SEC is generally not tested against outdated Perl releases, it is recommended to run SEC with at least Perl 5.6 (see http://www.perl.org for the latest stable Perl release). Apart from Perl, SEC does not depend on other software. It uses Perl Getopt, POSIX, Fcntl, IO::Handle, and Sys::Syslog modules which are included in the standard installation of Perl.

Mailing list

There is a mailing list for SEC users. The purpose of this list is to facilitate discussion between SEC users, so that you can ask questions from more experienced users and share your experience with others. Before posting a question, please search the list - there are some questions that get asked quite frequently and you might find several answers in the mailing list archive.

Download

sec-2.6.2.tar.gz (January 23 2012)

... or you can visit SEC download page at Sourceforge (has also older versions available).

SEC has also been packaged for a number of Linux and BSD distributions. You can try the following links for finding a package for your platform:
- Fedora and RHEL packages at Koji
- RPM package search at rpmfind.net
- Debian package info
- Ubuntu package info
- SLE and openSUSE package info
- Gentoo package info
- OpenBSD package info
(if any of the links are broken, please contact the author).

Related tools

Logpp is a tool that can be employed for reducing the load of SEC by filtering out irrelevant input data, for converting multi-line log messages into syslog format, and for other log preprocessing tasks. You might also be interested in SLCT and LogHound that were designed for mining patterns from log files.

Author

Risto Vaarandi (ristov at users d0t s0urcef0rge d0t net)

Please don't contact the author with SEC usage questions - you should post such questions to the SEC mailing list.

Acknowledgments

This work is supported by SEB.

The author wishes to thank the following people for supplying software patches and documentation updates:

Al Sorrell
James Brown
John P. Rouillard
Jon Frazier
Mark D. Nagel
Rick Casey
William Gertz