SEC - simple event correlator

Introduction

SEC is an event correlation tool for advanced event processing which can be harnessed for event log monitoring, for network and security management, for fraud detection, and for any other task which involves event correlation. Event correlation is a procedure where a stream of events is processed, in order to detect (and act on) certain event groups that occur within predefined time windows. Unlike many other event correlation products which are heavyweight solutions, SEC is a lightweight and platform-independent event correlator which runs as a single process. The user can start it as a daemon, employ it in shell pipelines, execute it interactively in a terminal, run many SEC processes simultaneously for different tasks, and use it in a wide variety of other ways.

SEC reads lines from files, named pipes, or standard input, matches the lines with patterns (like regular expressions or Perl subroutines) for recognizing input events, and correlates events according to the rules in its configuration file(s). SEC can produce output by executing external programs (e.g., snmptrap or mail), by writing to files, by sending data to TCP and UDP based servers, by calling precompiled Perl subroutines, etc.

Documentation

See SEC manpage for official documentation. Also, the FAQ provides answers to some frequently asked questions.

For additional information, you can check the following sources:

Installation information and dependencies

SEC has been primarily tested on Linux and Solaris, but since it is written in Perl and does not use any platform-dependent subroutines, it should work on most operating systems. The author has received reports about SEC working on FreeBSD, OpenBSD, HP-UX, AIX, Tru64 UNIX, Mac OS X, and Windows (with CygWin Perl).

In order to install SEC, check where your Perl executable is located and change the first line in the sec file accordingly. For example, if your Perl executable is /usr/local/bin/perl, set the first line to #!/usr/local/bin/perl -w. Then copy sec and sec.man (SEC manpage) to appropriate directories, e.g.,
cp sec /usr/local/bin
cp sec.man /usr/local/man/man1/sec.1

Since SEC is not tested against ancient Perl releases, it is recommended to run SEC with at least Perl 5.8 (see http://www.perl.org for the latest stable Perl release). Apart from Perl, SEC does not depend on other software. It uses Perl Getopt, POSIX, Fcntl, Socket, IO::Handle, and Sys::Syslog modules which are included in the standard installation of Perl.

Mailing list

There is a mailing list for SEC users. The purpose of this list is to facilitate discussion between SEC users, so that you can ask questions from more experienced users and share your experience with others. Before posting a question, please search the list - there are some questions that get asked quite frequently and you might find several answers in the mailing list archive.

Download

sec-2.7.6.tar.gz (July 14 2014)

... or you can visit SEC download page at Sourceforge (has also older versions available).

SEC has also been packaged for a number of Linux and BSD distributions. You can try the following links for finding a package for your platform:
- Fedora and RHEL packages at Koji
- RPM package search at rpmfind.net
- Debian package info
- Ubuntu package info
- SLE and openSUSE package info
- Gentoo package info
- OpenBSD package info
- FreeBSD package info
(if any of the links are broken, please contact the author).

Author

Risto Vaarandi (ristov at users d0t s0urcef0rge d0t net)

Please don't contact the author with SEC usage questions - you should post such questions to the SEC mailing list.

Acknowledgments

This work is supported by SEB.

The author thanks the following people for supplying software patches, documentation fixes, and suggesting new features: Al Sorrell, David Lang, James Brown, Jon Frazier, Mark D. Nagel, Peter Eckel, Rick Casey, and William Gertz.

Last but not least, the author expresses his profound gratitute to John P. Rouillard for many great ideas and creative discussions that have helped to develop SEC.


Get Simple Event Correlator at SourceForge.net. Fast, secure and Free Open Source software downloads