Pedro Martin wrote:
> Hi,
>
> Is there a way to use sec feeding variable thresholds to the rules in
> the config files?
>
> There are some processes that we are monitoring using the "control
> chart" algorithm. This algorithm takes the data in a given time window
> and calculates its mean and its upper and lower control limits that
> indicate the threshold at which the process output is considered
> statistically 'unlikely'.
>
> The question is: can we use these calculated upper and lower control
> limits as thresholds with sec? How can we modify the threshold in a
> rule without stopping and restarting sec? Is it possible?
>
> thanks in advance.
Pedro, that is a tricky question. The short answer is -- you can't modify the thresholds (and time windows) of rule definitions; they have a constant nature. There are several reasons for this, but the most important one is that rules actually don't do any correlation on events -- all this work is done by event correlation operations. Event correlation operations have several properties: 1) they are dynamic entities that reside in memory, 2) they are started by rules and get their input from rules, 3) they don't have a 1-1 relationship with rules -- one rule could start many operations.

Therefore, changing a rule definition on the fly (either by editing or through a variable) is a non-trivial issue. Suppose you change both the threshold and the time window in a SingleWithThreshold definition. In that case it's quite hard to determine whether this change applies to currently running and future operations, to future operations only, or to no operations at all. In all cases, the correlation logic might become a lot harder to understand for the end user (and in the first case, a number of difficult implementation questions would arise). Therefore SEC takes the simple and clear path, where rule modification cancels all related operations.

However, as for using variable thresholds, there are ways to handle this problem. Firstly, SEC allows for using a variety of Perl expressions and code snippets in your rule definitions, and variable thresholds can be implemented in this way.
For example, here is a very simple example that uses a Single rule + a Perl expression as a context:

    type=single
    ptype=regexp
    pattern=set (\d+)
    desc=set threshold to $1
    action=eval %o ($thresh = $1)

    type=single
    ptype=substr
    pattern=test
    context= =(++$counter >= $thresh)
    desc=test event observed more than threshold
    action=logonly; eval %o ($counter = 0)

There is also another way of changing the rule definitions without a full restart of SEC -- volatile rules should be put in a separate file that a script can change, and the SIGABRT signal should be sent to SEC after the rule definitions have been changed. This signal invokes a soft reload which cancels only the operations started from the changed rule file, leaving other event correlation state intact in memory.

hth,
risto

>
> ------------------------------------------------------------------------
>
> -------------------------------------------------------------------------
> Check out the new SourceForge.net Marketplace.
> It's the best place to buy or sell services for
> just about anything Open Source.
> http://sourceforge.net/services/buy/index.php
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Simple-evcorr-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
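The "set N" event that the first Single rule above consumes has to come from somewhere: the control-chart script computing Pedro's limits can simply append that line to the input SEC is reading. The following script is an added example (it is not from Risto's post or from the SEC project) showing one way to produce it. It assumes Shewhart-style limits at mean +/- k standard deviations (k = 3, population standard deviation) over a sliding window of per-interval counts, and rounds the upper control limit up to an integer because the rule's pattern captures (\d+); the measurements are constructed sample values, not real data.

```python
import math
import statistics
from collections import deque

# Constructed sample: one measurement per interval (e.g. events per minute).
# Not real monitoring data.
SAMPLE_WINDOW = [10, 12, 11, 13, 14, 12, 11, 12, 13, 12]


def control_limits(samples, k=3.0):
    """Return (mean, lcl, ucl) for a window of measurements.

    Assumption: Shewhart-style limits at mean +/- k * population standard
    deviation. The lower limit is clamped at 0 because counts cannot be
    negative.
    """
    samples = list(samples)
    if len(samples) < 2:
        raise ValueError("need at least two samples to estimate the spread")
    mean = statistics.fmean(samples)
    sigma = statistics.pstdev(samples)
    lcl = max(0.0, mean - k * sigma)
    ucl = mean + k * sigma
    return mean, lcl, ucl


def threshold_event(samples, k=3.0):
    """Render the 'set <threshold>' line matched by the page's Single rule.

    The rule's pattern is 'set (\\d+)', so the UCL is rounded up to the next
    integer; a count is 'unlikely' once it reaches that value.
    """
    _, _, ucl = control_limits(samples, k)
    return f"set {math.ceil(ucl)}"


def stream_thresholds(measurements, window_size, k=3.0):
    """Feed measurements through a sliding window and return the list of
    'set N' events that would be emitted, one per full window."""
    window = deque(maxlen=window_size)
    events = []
    for value in measurements:
        window.append(value)
        if len(window) == window_size:
            events.append(threshold_event(window, k))
    return events


if __name__ == "__main__":
    # Each printed line can be appended to the file SEC reads as input;
    # the first rule then updates $thresh without restarting SEC.
    for event in stream_thresholds(SAMPLE_WINDOW, window_size=10):
        print(event)
```

The window size and k are deliberately parameters: a short window reacts quickly to a shift in the process but makes the limits noisy, so in practice the script that recomputes the threshold should run at the same cadence as the control chart itself, not on every event.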
