Event correlation tool for advanced event processing
Simple Event Correlator (SEC) is a powerful and lightweight real-time correlation engine for network management, log file monitoring, security management, fraud detection, and other tasks that involve event correlation. It is written in Perl; while this makes it cross-platform, it requires a separately installed Perl distribution on Windows. It can store events in a database with the help of additional Perl functions.
SEC is developed by Dr. Risto Vaarandi, a senior scientist.
While the manpage is well written, with enough details and precise examples, I recommend the following readings as well.
- Simple Event Correlator - Best Practices for Creating Scalable Configurations: best practices are very important for performance considerations.
- Using SEC by David Lang
- SEC security rules by Markus Kont - SEC rulesets for identifying attack patterns in server log files.
- SEC rule repository - sample SEC rulesets contributed by users.
To run SEC on Microsoft Windows, a Perl distribution has to be installed. While the ActiveState Perl and Strawberry Perl distributions are both supported, I recommend Cygwin Perl for the following reasons:
- Easy installation via a single user-interface installer
- Includes cpan, and modules can be compiled with Cygwin gcc
- Portability: although Cygwin is by default provided as an executable installer that installs the selected packages, the binaries were found to be fully portable and able to run without installation as long as they are carried together with their required dependencies.
- Tarball size is 39 MB; 129 MB on disk
- Cygwin provides advanced UNIX emulation, which is required by a number of SEC features, such as:
  - udgram, ustream, closeudgr and closeustr: Unix domain socket communication used for SEC input
  - spawn, cspawn actions: run a command and use its output as SEC input
  - stdin: SEC input from standard input
  - Named pipe: SEC input from a named pipe
  - Process fork: SEC detaches and runs in the background
  - Signals: interrupt signals used for various SEC commands
- Other Cygwin binaries can be used for various operations.
To facilitate using SEC on Microsoft Windows, the SECwin package can be installed: a single MSI installer that bundles Cygwin Perl and adds the following features:
- SEC Perl process watchdog for unexpected termination
- User interface to build the SEC command line parameters
- Sending signals to SEC via UI or System tray icon
- SEC statistics dump file rotation
- Display SEC Perl process statistics and information
- SEC log and statistics dump files viewers
- Automated update for SEC and SECwin
- Converting paths to Cygwin style
- System tray icon context menu for faster interactions
Using SEC to correlate Windows log events requires a log collection tool; I recommend NXLog-ce, a free log collection tool with great capabilities. The NXLog manpage covers its configuration with clear examples. Additionally, SEC rulesets for Windows are provided by the author of SECwin; they follow the best practices for creating SEC rules, keep resource consumption low, and make it easy to create additional rules based on the Windows EvtLog dispatcher. The provided ruleset has proven its power to detect various malicious activities and adds an additional security dimension.
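As an added illustration of the kind of Windows correlation described above (this is an example written for this page, not the SECwin author's ruleset or anything from the SEC distribution), the ruleset below correlates Windows Security events that a collector such as NXLog has written to a text file. The one-event-per-line key=value layout shown in the comments, the file path, and the context names are assumptions constructed for the example; the rule types, fields and actions (SingleWithThreshold, Single, context, create, delete, write) are standard SEC.

```text
# windows-logon.sec -- added example ruleset, not part of SEC or SECwin.
# Assumed input (constructed for this example): the log collector writes one
# Windows Security event per line in a key=value layout, for instance
#   EventID=4625 TargetUserName=alice IpAddress=10.0.0.5 WorkstationName=WS01
#   EventID=4624 TargetUserName=alice IpAddress=10.0.0.5 LogonType=3
# Assumed invocation under Cygwin (path is an assumption):
#   sec --conf=windows-logon.sec --input=/cygdrive/c/nxlog/data/security.log

# Rule 1: burst of failed logons (4625) from one source address.
# desc keys the counter per address ($2), so each address gets its own
# sliding 60-second window; the alert fires once when 5 failures are seen,
# and SEC suppresses further matches for the rest of the window.
# continue=TakeNext lets rule 2 see the same event afterwards.
type=SingleWithThreshold
ptype=RegExp
pattern=EventID=4625 .*TargetUserName=(\S+) .*IpAddress=(\S+)
continue=TakeNext
desc=Failed logons from $2
action=write - ALERT: 5 or more failed logons from $2 within 60s (last account: $1)
window=60
thresh=5

# Rule 2: remember that this address produced a failure, for 5 minutes.
# The context name embeds the address, so one context exists per source.
type=Single
ptype=RegExp
pattern=EventID=4625 .*IpAddress=(\S+)
desc=Failure seen from $1
action=create FAILED_FROM_$1 300

# Rule 3: a successful network logon (4624, LogonType 3) from an address
# that failed within the last 5 minutes. The context expression is only
# true while rule 2's context for that address is still alive; the context
# is deleted so the notice is raised once per failure/success sequence.
type=Single
ptype=RegExp
pattern=EventID=4624 .*TargetUserName=(\S+) .*IpAddress=(\S+) .*LogonType=3
context=FAILED_FROM_$2
desc=Success after failure for $1 from $2
action=write - NOTICE: logon by $1 from $2 succeeded within 5 minutes of a failed logon; delete FAILED_FROM_$2
```

The patterns are ordered so that the most specific, most frequently matching rule comes first, and each rule uses a cheap anchored substring (the EventID) at the start of its regular expression; on a busy domain controller, the best-practices paper linked above recommends going further and prefiltering with ptype=SubStr rules or separate rule files so that events which are not Security logons never reach the regular expressions at all. The `write -` action sends the alert to standard output, which under SECwin can be redirected to the SEC log or replaced with a `shellcmd`/`spawn` action that hands the alert to an external notifier.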