SEC - simple event correlator
SEC is a tool for accomplishing event correlation tasks in the domains of
log analysis, system monitoring, network and security management, etc.
Event correlation is a procedure where a stream of events is processed,
in order to detect (and act on) certain event groups that occur within
predefined time windows. Unlike most other event correlation products which
are heavyweight solutions, SEC is a lightweight and platform-independent
event correlator which runs as a single process.
SEC reads lines from files, named pipes, or standard input,
matches the lines with patterns (like regular expressions or Perl subroutines)
for recognizing input events, and correlates events according to the rules in
its configuration file(s). SEC can produce output by executing external
programs (e.g., snmptrap or mail), by writing to files, by
calling precompiled Perl subroutines, etc.
See SEC manpage and FAQ
for a detailed information about SEC. You can also check the following
sources for additional information:
"Security Event Processing with Simple Event Correlator" -
a paper from ISSA Journal August 2012 issue which focuses on some security
event processing scenarios.
- "Simple Event Correlator for real-time security log monitoring" -
a paper about SEC that was published in Hakin9 Magazine 1/2006 (6)
(see the Hakin9 web site for the most recent
- "Hardening Linux" (Apress, 2005) by James Turnbull -
Chapter 5 of the book contains a discussion and examples how to employ
SEC for log monitoring
(see the Apress web site for the most recent
"Real-time log file analysis using the Simple Event Correlator (SEC)"
by John P. Rouillard - a paper with SEC ruleset examples that was presented
at USENIX LISA'2004.
- "Working with SEC - the Simple Event Correlator" by Jim Brown -
a tutorial paper with
part 1 (2003) providing an
introduction to SEC and
part 2 (2004)
covering several advanced topics.
"SEC - a Lightweight Event Correlation Tool" - an early paper about SEC
that was presented at IEEE IPOM'2002.
- SEC rule repository - if you have developed
a ruleset that might be interesting to others as well, please contribute.
Installation information and dependencies
SEC has been primarily tested on Linux and Solaris, but since it is written
in Perl and does not use any platform-dependent subroutines, it should work
on most operating systems. The author has received reports about SEC working
on FreeBSD, OpenBSD, HP-UX, AIX, Tru64 UNIX, Mac OS X, and Windows (with
In order to install SEC, check where your Perl executable is located
and change the first line in the sec file accordingly.
For example, if your Perl executable is /usr/local/bin/perl,
set the first line to #!/usr/local/bin/perl -w.
Then copy sec and sec.man (SEC manpage)
to appropriate directories, e.g.,
cp sec /usr/local/bin
cp sec.man /usr/local/man/man1/sec.1
Since SEC is not tested against ancient Perl releases,
it is recommended to run SEC with at least Perl 5.8 (see
http://www.perl.org for the latest stable
Apart from Perl, SEC does not depend on other software.
It uses Perl Getopt, POSIX, Fcntl, Socket,
IO::Handle, and Sys::Syslog modules
which are included in the standard installation of Perl.
There is a
mailing list for SEC users.
The purpose of this list is to facilitate discussion between SEC users,
so that you can ask questions from more experienced users and share your
experience with others.
Before posting a question, please
the list - there are some questions that get asked quite frequently and
you might find several answers in the mailing list archive.
sec-2.7.2.tar.gz (April 12 2013)
... or you can visit
SEC download page at Sourceforge (has also older versions available).
SEC has also been packaged for a number of Linux and BSD distributions.
You can try the following links for finding a package for your platform:
Fedora and RHEL packages at Koji
RPM package search at rpmfind.net
- Debian package info
Ubuntu package info
SLE and openSUSE package info
Gentoo package info
- OpenBSD package info
- FreeBSD package info
(if any of the links are broken, please contact the author).
Logpp is a tool that can be
employed for reducing the load of SEC by filtering out irrelevant input data,
for converting multi-line log messages into syslog format, and for other log
You might also be interested in
LogHound that were designed
for mining patterns from log files.
(ristov at users d0t s0urcef0rge d0t net)
Please don't contact the author with SEC usage questions - you should post
such questions to the SEC mailing list.
This work is supported by SEB.
The author wishes to thank the following people for supplying software
patches and documentation updates:
John P. Rouillard
Mark D. Nagel