SEC (Simple Event Correlator) is an open source and platform independent event correlation tool that was designed to fill the gap between commercial event correlation systems and homegrown solutions that usually comprise a few simple shell scripts. SEC accepts input from regular files, named pipes, and standard input, and can thus be employed as an event correlator for any application that is able to write its output events to a file stream. The SEC configuration is stored in text files as rules, each rule specifying an event matching condition, an action list, and optionally a Boolean expression whose truth value decides whether the rule can be applied at a given moment. Regular expressions, Perl subroutines, etc. are used for defining event matching conditions. SEC can produce output events by executing user-specified shell scripts or programs (e.g., snmptrap or mail), by writing messages to pipes or files, and by various other means.
Installation
# cd /usr/ports/sysutils/sec
# make install clean
Configuring SEC
# ee /etc/sec.conf
# SEC - Simple Event Correlator Configuration File
#
# Description:
# SEC is being used for real-time notification of
# web server failure events. When HAProxy recognizes
# a server failure it writes information about the
# failure to its log file. SEC monitors the log file
# looking for certain events and sends notification
# e-mails to administrators
#
# match on a line like this:
# Server http_proxy/www0 is DOWN. 0 active and 2 backup servers left.
# Running on backup. 0 sessions active, 0 requeued, 0 remaining in queue.
# Take the name of the instance (http_proxy/www0) and put it in $1
# Take the server status (DOWN or UP) and put it in $2
# Take the rest of the line and put it in $3
#
type=Single
ptype=RegExp
pattern=Server\s+(\S+)\s+\S+\s+(\S+)(.*)
desc=$0
action=pipe '%t server $1 went $2 $3' /usr/bin/mail -s 'HAProxy: $1 went $2' systeembeheer@markterweele.nl
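To see what the rule above captures before wiring it to mail, here is an added Python example (not from this page or the SEC project) that applies the page's pattern to constructed HAProxy syslog lines and expands the action templates. It assumes SEC's %t can be approximated with ctime(); note that $2 keeps the trailing period of "DOWN." because the pattern captures up to the next whitespace, and that the unanchored pattern still matches behind the syslog prefix found in /var/log/messages.

```python
import re
from datetime import datetime

# Pattern copied from the sec.conf rule above; SEC applies RegExp patterns
# unanchored, and Perl and Python agree on these regex constructs.
SEC_PATTERN = re.compile(r"Server\s+(\S+)\s+\S+\s+(\S+)(.*)")

# Constructed sample lines, shaped like HAProxy syslog output in /var/log/messages.
SAMPLE_LINES = [
    "Mar  3 10:15:02 lb1 haproxy[812]: Server http_proxy/www0 is DOWN. 0 active and 2 backup servers left. Running on backup. 0 sessions active, 0 requeued, 0 remaining in queue.",
    "Mar  3 10:16:40 lb1 haproxy[812]: Server http_proxy/www0 is UP. 1 active and 2 backup servers online. 0 sessions requeued, 0 total in queue.",
    "Mar  3 10:16:41 lb1 haproxy[812]: Proxy http_proxy started.",
]

# Constructed fixed clock so the rendered %t is reproducible.
FIXED_NOW = datetime(2024, 3, 3, 10, 15, 2)


def match_rule(line):
    """Return the SEC match variables ($1, $2, $3) for a line, or None if the rule does not fire."""
    m = SEC_PATTERN.search(line)
    if not m:
        return None
    return {"$1": m.group(1), "$2": m.group(2), "$3": m.group(3)}


def render_action(fields, now):
    """Expand the rule's action templates: the text piped to mail and the -s subject."""
    stamp = now.ctime()  # approximation of SEC's %t (localtime in ctime form)
    body = "%s server %s went %s %s" % (stamp, fields["$1"], fields["$2"], fields["$3"])
    subject = "HAProxy: %s went %s" % (fields["$1"], fields["$2"])
    return body, subject


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        fields = match_rule(line)
        if fields is None:
            print("no match:", line)
            continue
        body, subject = render_action(fields, FIXED_NOW)
        print("subject:", subject)
        print("body:   ", body)
```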
The command below can be used to load the sec configuration file:
# sec -detach -pid=/var/run/sec.pid -conf=/etc/sec.conf -log=/var/log/sec.log -input=/var/log/messages
With the script below,
# ee /usr/bin/swatch2sec.pl
#!/usr/bin/perl -w
# swatch2sec (contributed by Johan Nilsson).
# Convert a swatch configuration file to a simple event correlator conf.
# Far from complete but might save time on long and simple swatch files.
#
# usage: swatch2sec < ~/.swatchrc > newconf.sec
#
use strict;

while ( my $line = <> ) {
    chomp $line;

    # keep comments and whitespace
    if ( $line =~ /(^#|^\s*$)/ ) {
        print "$line\n";
        next;
    }

    # log line: every field of a SEC rule must be on its own line
    if ( $line =~ /\s*watchfor\s*\/(.*)\/$/ ) {
        print "type=single\nptype=regexp\npattern=(.*$1.*)\ndesc=Log line\naction=write - \$1\n\n";
        next;    # should the pattern ($1) be enough?
    }

    # suppress line
    if ( $line =~ /\s*ignore\s*\/(.*)\/$/ ) {
        print "type=Suppress\nptype=RegExp\npattern=$1\n\n";
        next;
    }

    # echo color not supported by sec, try ccze instead
    if ( $line =~ /\s*echo\s*\w/ ) {
        next;
    }

    # not implemented
    print "## untranslated line from swatch: $line\n";
}
Creating a startup script:
# ee /etc/rc.d/rc.sec
#!/bin/sh
# description: Simple Event Correlator - SEC
#
# processname: /usr/local/sbin/sec.pl
# config: /etc/sec.conf

PATH=/sbin:/usr/sbin:/bin:/usr/bin
OPTIONS="-detach -conf=/etc/sec.conf -log=/var/log/sec.log -pid=/var/run/secd.pid"
OPTIONS2="-input=/var/log/messages"
RETVAL=0
prog="sec"

start() {
    echo -n "Starting $prog: "
    /usr/local/bin/sec $OPTIONS $OPTIONS2
    RETVAL=$?
    echo
    return $RETVAL
}

stop() {
    echo -n "Stopping $prog: "
    # SIGTERM lets SEC shut down cleanly; SIGKILL would skip its cleanup
    kill `cat /var/run/secd.pid`
    RETVAL=$?
    echo
    rm -f /var/run/secd.pid
    return $RETVAL
}

status() {
    if [ -f /var/run/secd.pid ] && kill -0 `cat /var/run/secd.pid` 2>/dev/null; then
        echo "$prog is running"
    else
        echo "$prog is not running"
        RETVAL=1
    fi
    return $RETVAL
}

reload() {
    stop
    start
}

restart() {
    stop
    start
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        status
        ;;
    restart)
        restart
        ;;
    reload)
        reload
        ;;
    *)
        echo "Usage: rc.$prog {start|stop|status|restart|reload}"
        RETVAL=1
esac

exit $RETVAL
# chmod 755 /etc/rc.d/rc.sec
Copying a log rotation config file:
# cp /usr/ports/sysutils/logrotate/files/logrotate.conf.sample /etc/logrotate.conf
# ee /etc/logrotate.conf
Adjust the logrotate file.
# rotate log files weekly
#weekly

# rotate log files daily
daily

# keep 4 weeks worth of backlogs
#rotate 4

# keep 7 days worth of backlogs
rotate 7

# create new (empty) log files after rotating old ones
create

/var/log/sec.log {
    missingok
    postrotate
        /etc/rc.d/rc.sec restart
    endscript
}
Starting
Start sec manually:
# sh /etc/rc.d/rc.sec start
To have sec.conf start automatically when FreeBSD boots:
You need to be logged in as root for this:
# ee /etc/rc.local
sh /etc/rc.d/rc.sec start
Links
- See also: SEC website
- See also: Example sec.conf file for haproxy
- See also: SEC examples