
Simple Event Correlator (SEC) can be configured to ignore routine errors and alert you to serious errors or errors that have never occurred before. In this short article, I will describe how to integrate SEC with syslog-ng. I will describe the following:

  • Installing SEC
  • Configuring SEC
  • Testing the SEC Configuration
  • Configuring syslog-ng
  • Next Steps

Installing SEC

Download SEC. Copy sec.pl to /usr/local/bin and mark it executable.

Configuring SEC

Create the SEC configuration file, /usr/local/etc/sec.conf, marked as world-readable. Edit the file as appropriate (you’ll need to understand regular expressions and read the SEC documentation). Here is an example:

###
# /usr/local/etc/sec.conf
#
# The patterns assume the BSD-style line layout that syslog-ng emits by
# default: "Mon DD HH:MM:SS hostname program[pid]: message". Three
# whitespace-separated fields (month, day, time) precede the hostname;
# if you change the syslog-ng output template, adjust the patterns.
#
##
# Suppress Workstations (hostnames beginning with tpr, dpr, bpr or pre)
#
type=Suppress
ptype=regexp
pattern=\S+\s+\S+\s+\S+\s+(tpr|dpr|bpr|pre)
##
# Combine unknown errors by daemon each hour and report
#
# $1 = hostname, $2 = program name, $3 = message text.
# First error from a host/daemon pair: mail it immediately and open a
# one-hour context named $1_$2 whose expiry action mails a summary.
type=Single
ptype=regexp
pattern=\S+\s+\S+\s+\S+\s+(\S+)\s+(\w+).*:\s+(.*)
desc=$1 $2
context=!$1_$2
action=create $1_$2 3600 (report $1_$2 /bin/mail -s "LogAlert: $2 errors summary" helpdesk@example.com); \
       pipe '$0' /bin/mail -s "LogAlert: $2 error, suppressing similar for 1 hour" helpdesk@example.com

# Further errors from the same host/daemon pair while the context is
# alive: add them to the context's event store for the hourly summary.
type=Single
ptype=regexp
pattern=\S+\s+\S+\s+\S+\s+(\S+)\s+(\w+).*:\s+(.*)
desc=$1 $2
context=$1_$2
action=add $1_$2 $0
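To see what these three rules actually do to a stream of events before you wire them into syslog-ng, the following added example (not SEC itself, and not code from the original article) runs the same two regular expressions over a few constructed syslog lines and models the context lifecycle: first error from a host/daemon pair is alerted and opens a one-hour context, later ones accumulate in it, and an expired context with a non-empty store produces a summary (that last point is a modelling assumption, not a statement about SEC's own `report` action). It also shows a caveat with the Suppress pattern as written: because SEC matches unanchored, any message containing three words followed by a word starting with `pre` (such as "failed while preparing") is suppressed too; the `SUPPRESS_ANCHORED_RE` variant below is a hypothetical fix that pins the match to the hostname field.

```python
"""Offline model of the sec.conf rules above: the same regexps run over
constructed log lines, with per-host/per-daemon contexts tracked in memory.
Added example; this is not SEC and not part of the original article."""
import re

# The regexps from sec.conf. Perl's \S, \s and \w mean the same in Python.
SUPPRESS_RE = re.compile(r"\S+\s+\S+\s+\S+\s+(tpr|dpr|bpr|pre)")
ERROR_RE = re.compile(r"\S+\s+\S+\s+\S+\s+(\S+)\s+(\w+).*:\s+(.*)")

# Hypothetical hardened Suppress pattern: anchored to the start of the line
# and to a whole hostname token, so message text cannot trigger it.
SUPPRESS_ANCHORED_RE = re.compile(r"^\S+\s+\S+\s+\S+\s+(tpr|dpr|bpr|pre)\S*\s")

WINDOW = 3600  # seconds; the lifetime given to 'create $1_$2 3600'


class Correlator:
    """Models the three rules: Suppress, then create-or-add per context."""

    def __init__(self, suppress_re=SUPPRESS_RE):
        self.suppress_re = suppress_re
        self.contexts = {}  # "$1_$2" -> {"expires": t, "store": [lines]}
        self.alerts = []    # ("alert", name, line) or ("summary", name, lines)

    def expire(self, now):
        """Drop contexts whose lifetime has passed; model assumption:
        the expiry 'report' produces a summary only if the store is non-empty."""
        for name in sorted(self.contexts):
            ctx = self.contexts[name]
            if now >= ctx["expires"]:
                if ctx["store"]:
                    self.alerts.append(("summary", name, list(ctx["store"])))
                del self.contexts[name]

    def feed(self, line, now):
        """Process one log line at time `now`; returns which rule fired."""
        self.expire(now)
        # Rule 1: type=Suppress. SEC matches unanchored, hence search().
        if self.suppress_re.search(line):
            return "suppressed"
        m = ERROR_RE.search(line)
        if not m:
            return "nomatch"
        host, prog, _msg = m.groups()
        name = f"{host}_{prog}"  # the context name $1_$2
        if name not in self.contexts:
            # Rule 2 (context=!$1_$2): open the context and mail the event now.
            # 'create' leaves the store empty; only 'pipe' sends $0 anywhere.
            self.contexts[name] = {"expires": now + WINDOW, "store": []}
            self.alerts.append(("alert", name, line))
            return "alert"
        # Rule 3 (context=$1_$2): accumulate for the hourly summary.
        self.contexts[name]["store"].append(line)
        return "added"


# Constructed sample lines in the BSD syslog layout the patterns expect;
# the number is the arrival time in seconds.
SAMPLE = [
    (0,    "Jan 12 10:00:00 tpr0042 sshd[123]: error: PAM: Authentication failure"),
    (5,    "Jan 12 10:00:05 srv01 sshd[456]: error: maximum authentication attempts exceeded"),
    (300,  "Jan 12 10:05:00 srv01 sshd[457]: error: maximum authentication attempts exceeded"),
    (600,  "Jan 12 10:10:00 srv01 named[99]: zone example.com: refresh failed"),
    (900,  "Jan 12 10:15:00 srv01 cron[77]: job failed while preparing report"),
    (5400, "Jan 12 11:30:00 srv01 sshd[500]: error: maximum authentication attempts exceeded"),
]


def run(sample=SAMPLE, suppress_re=SUPPRESS_RE):
    """Feed the sample through the model; returns (per-line outcomes, alerts)."""
    c = Correlator(suppress_re)
    outcomes = [c.feed(line, t) for t, line in sample]
    return outcomes, c.alerts


if __name__ == "__main__":
    for label, rx in (("as written", SUPPRESS_RE), ("anchored", SUPPRESS_ANCHORED_RE)):
        print(f"--- Suppress pattern {label} ---")
        outcomes, alerts = run(suppress_re=rx)
        for (t, line), out in zip(SAMPLE, outcomes):
            print(f"t={t:5d} {out:10s} {line}")
        for a in alerts:
            print(a)
```

With the pattern as written, the `cron` line at t=900 is silently suppressed because "failed while preparing" satisfies the regexp; with the anchored variant it opens its own `srv01_cron` context and is alerted. In both runs the second `sshd` error is only added to the store, and the `sshd` error that arrives after the hour has elapsed triggers the summary of the stored event and then a fresh alert.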

Testing the SEC Configuration

SEC provides a test-only mode that parses the rule file and exits without processing any input. Run the following and correct any syntax errors it reports in sec.conf:

sec.pl --conf=/usr/local/etc/sec.conf --testonly

Configuring syslog-ng

The following example is a minimal syslog-ng.conf that sends syslog events at level “err” and higher to SEC (the filter lists the four levels explicitly; syslog-ng also accepts the range form level(err..emerg)). Note that tcp() and udp() with no options listen on all interfaces, so restrict them with ip() or firewall them if this host is not meant to be a network log collector. The program() destination starts sec.pl as a child of syslog-ng and writes each matching message to its standard input, which is why SEC is given --input=- here:

source s_all {
  tcp();
  udp();
  internal();
  unix-stream("/dev/log");
  file("/proc/kmsg" program_override("kernel: "));
};
filter f_problems { level("err") or level("alert") or level("crit") or level("emerg"); };
destination d_sec {
  program("/usr/local/bin/sec.pl --input=- --conf=/usr/local/etc/sec.conf");
};
log {
  source(s_all);
  filter(f_problems);
  destination(d_sec);
};

Restarting syslog-ng

Because syslog-ng starts sec.pl as a child process, restarting syslog-ng also restarts SEC, so a restart is the simplest way to make changes to sec.conf take effect. Alternatively, send SIGHUP to the running sec.pl process to make it reload its configuration without restarting syslog-ng. Changes to syslog-ng.conf itself require syslog-ng to be reloaded or restarted in any case.

Next Steps

The example sec.conf I listed above will notify you about all errors in your network. You will certainly want to add more “Suppress” rules and other rules to collect and report errors (see the SEC manpage and FAQ for tips).