Many traditional event log management systems store events in a database and execute database queries for implementing event correlation. However, such systems are heavyweight solutions and often involve a complex database infrastructure on dedicated hardware.
In contrast, SEC is a lightweight and platform-independent event correlator which runs as a single process. The user can start it as a daemon, employ it in shell pipelines, execute it interactively in a terminal, run many SEC processes simultaneously for different tasks, and use it in a wide variety of other ways.
SEC reads lines from files, named pipes, or standard input, matches the lines with patterns (like regular expressions or Perl subroutines) for recognizing input events, and correlates events according to the rules in its configuration file(s). SEC can produce output by executing external programs (e.g., snmptrap or mail), by writing to files, by sending data to TCP and UDP based servers, by calling precompiled Perl subroutines, etc.
See SEC manpage for official documentation. The manpage provides an in-depth discussion of all SEC features and presents a number of detailed rule examples.
Also, the SEC FAQ provides answers to some frequently asked questions.
Here you can find the list of papers from more distant past that are relevant for SEC-2.6 or older (some solutions from these papers can be implemented more efficiently with more recent SEC versions):
In order to install SEC, check where your Perl executable is located
and change the first line in the sec file accordingly.
For example, if your Perl executable is /usr/local/bin/perl,
set the first line to #!/usr/local/bin/perl -w.
Then copy sec and sec.man (SEC manpage)
to appropriate directories, e.g.,
cp sec /usr/local/bin
cp sec.man /usr/local/man/man1/sec.1
Since SEC is not tested against ancient Perl releases,
it is recommended to run SEC with at least Perl 5.8 (see
https://www.perl.org for the latest stable
Perl release).
Apart from Perl, SEC does not depend on other software.
It uses Perl Getopt, POSIX, Fcntl, Socket,
IO::Handle, Sys::Syslog, and JSON::PP modules
which are included in the standard installation of Perl (the presence of
Sys::Syslog and JSON::PP is optional).
Mailing list
There is a
mailing list for SEC users.
The purpose of this list is to facilitate discussion between SEC users,
so that you can ask questions from more experienced users and share your
experience with others.
Before posting a question, please
search
the list - there are some questions that get asked quite frequently and
you might find several answers in the
mailing list archive.
Download
sec-2.9.3.tar.gz (November 1 2024)
... or you can visit SEC download pages at GitHub or Sourceforge (have also older versions available).
SEC has also been packaged for a number of Linux and BSD distributions.
You can try the following links for finding a package for your platform:
-
Fedora and RHEL packages at Koji
-
RPM package search at rpmfind.net
- Debian package info
-
Ubuntu package info
-
SLE and openSUSE package info
-
Gentoo package info
-
Arch Linux package info
- OpenBSD package info
- FreeBSD package info
(if any of the links are broken, please contact the author).
Please don't contact the author with SEC usage questions - you should post such questions to the SEC mailing list.
Risto Vaarandi, Bernhards Blumbergs and Emin Caliskan, "Simple Event Correlator - Best Practices for Creating Scalable Configurations," Proceedings of the 2015 IEEE CogSIMA Conference, pp. 96-100, 2015
The author also thanks the following people for supplying software patches, documentation fixes, and suggesting new features: Al Sorrell, Brian Mielke, David Lang, James Brown, Jon Frazier, Mark D. Nagel, Peter Eckel, Rick Casey, and William Gertz.
Last but not least, the author expresses his profound gratitude to John P. Rouillard for many great ideas and creative discussions that have helped to develop SEC.