On 12/21/2011 12:33 PM, Kaushal Shriyan wrote:
>
> On Wed, Dec 21, 2011 at 2:02 PM, Risto Vaarandi <risto.vaara...@seb.ee
> <mailto:risto.vaara...@seb.ee>> wrote:
>
> > On 12/21/2011 01:43 AM, Kaushal Shriyan wrote:
> >
> > > Hi
> > >
> > > I have gone through http://simple-evcorr.sourceforge.net/ and it is
> > > quite interesting and there is also a learning process. At present I am
> > > using rsyslog daemon as a centralized server and several rsyslog clients
> > > connecting to it. Not sure I understand how sec is used in conjunction
> > > with rsyslog daemon.
> > >
> > > Please help me understand.
> >
> > It is easy -- you have to set up SEC to monitor log files that
> > rsyslog creates. In order to match rsyslog events relevant in your
> > environment, you have to write down patterns and rules according to
> > your site's needs.
> > regards,
> > risto
>
> Hi Risto
>
> Thanks for the reply. Any how-to or write-up docs/tutorials to set up "SEC
> monitoring" on Ubuntu Linux Server 10.04 LTS? So my current setup is I
> have a centralized rsyslog server and around 100 rsyslog clients which
> push logs.
> Not sure where the SEC monitoring would fit in my setup. Do I need to
> set up SEC client and server together?
>
> Help me understand.
>
> Regards
>
> Kaushal
There are no clients and servers involved here -- SEC runs as one UNIX process which accepts input from log file(s). It is your own preference where you set up this process and how you provide it with input events. In your case, however, it probably makes sense to set up SEC for monitoring log files on the central rsyslog server.

If you want to learn the basics of SEC quickly, I think the best place to begin is the SEC tutorial for beginners (written by Jim Brown):

http://simple-evcorr.sourceforge.net/SEC-tutorial/article.html

One thing to note is that the name of the sec program is not sec.pl anymore (this changed in the 2.6 version), but rather just sec. After reading the tutorial, I would also recommend studying the official man page:

http://simple-evcorr.sourceforge.net/man.html

SEC has been packaged for Ubuntu, so you can install it through Synaptic. Unfortunately, the 2.6 version of SEC has not been packaged for Debian yet, which means you only have the 2.5.3 package available for Ubuntu :( If you want to install the latest version, you've got to get the source tarball. Nevertheless, the installation from source is very easy, and is just a matter of copying the SEC program into the appropriate directory.

Note that for running SEC, there aren't any specific instructions for Ubuntu (or any other unix flavor), since SEC doesn't come with any predefined rule sets. These would be very hard to create for all scenarios, since there are enormous numbers of potentially relevant log messages which can be created by a vast number of different UNIX applications. Having said that, there are a number of example rule sets which are available at:

http://simple-evcorr.sourceforge.net/rulesets/

I believe after you have studied the tutorial and official documentation, it shouldn't be difficult to follow these examples. Also, some of these examples (like the one for Cisco boxes) could very well work out-of-the-box. Some other rulesets might need more tailoring for your environment, though.
hope that helps,
risto

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
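A minimal rule file of the kind Risto describes, added here as an illustration; it is not taken from the thread, nor from the SEC project's own example rulesets. It watches the sshd messages that the rsyslog clients forward to the central server: a Single rule reports every root login as soon as it is seen, and a SingleWithThreshold rule reports repeated password failures from one source address within a time window. The rule file path /etc/sec/rsyslog.sec, the input path /var/log/syslog, the sample log line and the window/threshold values are assumptions for this example; point --input at whichever file the central rsyslog server actually writes the forwarded messages to.

```ini
# /etc/sec/rsyslog.sec  (assumed path for this example)
#
# Start SEC on the central rsyslog server with:
#   sec --conf=/etc/sec/rsyslog.sec --input=/var/log/syslog --log=/var/log/sec.log
#
# Lines arriving from the rsyslog clients look like this (constructed sample,
# not a line from the thread):
#   Dec 21 12:33:01 web01 sshd[4711]: Failed password for invalid user bob from 10.0.0.5 port 51234 ssh2

# Report every interactive root login over SSH the moment it is logged.
# $1 is the reporting host, $2 the client address; %s in the action expands
# to the desc string, and "write -" sends it to standard output.
type=Single
ptype=RegExp
pattern=(\S+) sshd\[\d+\]: Accepted \S+ for root from (\S+) port
desc=Root SSH login on $1 from $2
action=write - %s

# Count failed password attempts per (host, source address) and alert once
# 5 failures have been seen inside 60 seconds. SEC keeps a separate counter
# for each distinct desc string, so one noisy client does not mask another.
type=SingleWithThreshold
ptype=RegExp
pattern=(\S+) sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port
desc=Repeated SSH password failures on $1 from $2
action=write - %s
window=60
thresh=5
```

In production the `write -` action would normally be swapped for `pipe` or `shellcmd` so that the alert reaches a mailbox or ticketing system; the matching and counting logic stays the same. Once a SingleWithThreshold counter reaches its threshold the action runs once, and that counter does not fire again until its window has expired, which is what keeps a brute-force burst from producing one alert per failed attempt.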