On Wed, Dec 21, 2011 at 4:51 PM, Risto Vaarandi <risto.vaara...@seb.ee> wrote:
> On 12/21/2011 12:33 PM, Kaushal Shriyan wrote:
>
>>
>>
>> On Wed, Dec 21, 2011 at 2:02 PM, Risto Vaarandi <risto.vaara...@seb.ee> wrote:
>>
>> On 12/21/2011 01:43 AM, Kaushal Shriyan wrote:
>>
>> Hi
>>
>> I have gone through http://simple-evcorr.sourceforge.net/ and it is
>> quite interesting, and there is also a learning process. At present I am
>> using the rsyslog daemon as a centralized server and several rsyslog
>> clients connecting to it. Not sure I understand how SEC is used in
>> conjunction with the rsyslog daemon.
>>
>> Please help me understand.
>>
>>
>> It is easy -- you have to set up SEC to monitor log files that
>> rsyslog creates. In order to match rsyslog events relevant in your
>> environment, you have to write down patterns and rules according to
>> your site's needs.
>> regards,
>> risto
>>
>> Hi Risto
>>
>> Thanks for the reply. Are there any how-to or write-up docs/tutorials to set up
>> "SEC monitoring" on Ubuntu Linux Server 10.04 LTS? My current setup is: I
>> have a centralized rsyslog server and around 100 rsyslog clients which
>> push logs to it.
>> Not sure where SEC monitoring would fit in my setup. Do I need to
>> set up a SEC client and server together?
>>
>> Help me understand.
>>
>> Regards
>>
>> Kaushal
>>
>
> There are no clients and servers involved here -- SEC runs as one UNIX
> process which accepts input from log file(s). It is your own preference
> where you set up this process and how you provide it with input events. In
> your case, however, it probably makes sense to set up SEC for monitoring
> log files on the central rsyslog server.
> If you want to learn quickly the basics of SEC, I think the best place to
> begin with is the SEC tutorial for beginners (written by Jim Brown):
> http://simple-evcorr.sourceforge.net/SEC-tutorial/article.html
> One thing to note is that the name of the sec program is not sec.pl anymore
> (this changed in the 2.6 version), but rather just sec.
> After reading the tutorial, I would also recommend studying the official
> man page:
> http://simple-evcorr.sourceforge.net/man.html
>
> SEC has been packaged for Ubuntu, so you can install it through Synaptic.
> Unfortunately, 2.6 version of SEC has not been packaged for Debian yet
> which means you only have 2.5.3 package available for Ubuntu :( If you want
> to install the latest version, you've got to get the source tarball.
> Nevertheless, the installation from source is very easy, and is just a
> matter of copying the SEC program into appropriate directory.
>
> Note that for running SEC, there aren't any specific instructions for
> Ubuntu (or any other unix flavor), since SEC doesn't come with any
> predefined rule sets. These would be very hard to create for all scenarios,
> since there are enormous numbers of potentially relevant log messages which
> can be created by vast number of different UNIX applications. Having said
> that, there are a number of example rule sets which are available at:
> http://simple-evcorr.sourceforge.net/rulesets/
> I believe after you have studied the tutorial and official documentation,
> it shouldn't be difficult to follow these examples. Also, some of these
> examples (like the one of Cisco boxes) could very well work out-of-the-box.
> Some other rulesets might need more tailoring for your environment, though.
>
> hope that helps,
> risto
>
>
Hi,
root@hostlogserver:~# apt-get install sec
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
linux-libc-dev manpages-dev libc-dev-bin libevtlog0
Use 'apt-get autoremove' to remove them.
The following NEW packages will be installed:
sec
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0B/74.1kB of archives.
After this operation, 360kB of additional disk space will be used.
Selecting previously deselected package sec.
(Reading database ... 50113 files and directories currently installed.)
Unpacking sec (from .../archives/sec_2.4.2-1_all.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up sec (2.4.2-1) ...
SEC disabled in /etc/default/sec
root@hostlogserver:~# /etc/init.d/sec restart
SEC disabled in /etc/default/sec
root@hostlogserver:~# vim /etc/default/sec
root@hostlogserver:~# /etc/init.d/sec restart
* Restarting Simple Event Correlator
sec
SEC (Simple Event Correlator) 2.4.2
Changing working directory to /
Reading configuration from /etc/sec.conf
Can't open configuration file /etc/sec.conf (No such file or directory)
[ OK ]
root@hostlogserver:~# dpkg -l '*sec*'
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Cfg-files/Unpacked/Failed-cfg/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name            Version     Description
+++-===============-===========-===============================
un  checksecurity   <none>      (no description available)
ii  sec             2.4.2-1     Simple Event Correlator
root@hostlogserver:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 10.04.3 LTS
Release: 10.04
Codename: lucid
root@hostlogserver:~# uname -a
Linux hostlogserver 2.6.32-36-server #79-Ubuntu SMP Tue Nov 8 22:44:38 UTC 2011 x86_64 GNU/Linux
root@hostlogserver:~#
Any clue about "Can't open configuration file /etc/sec.conf (No such file or directory)"? I suppose there is no /etc/sec.conf file.
Please suggest.
Regards
Kaushal
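A minimal rule file of the kind Risto describes, written to the /etc/sec.conf path the Ubuntu package expects, as an added example (not from the thread or the SEC project). It assumes the central rsyslog server writes forwarded sshd messages to /var/log/auth.log in the default "Mon DD HH:MM:SS host sshd[pid]: ..." line format.

```shell
# Added example, not from the thread: create the /etc/sec.conf that the Ubuntu
# package expects, with one correlation rule for logs the central rsyslog
# server collects from its clients. Assumes sshd messages from the clients
# land in /var/log/auth.log in the default syslog line format.

write_sec_conf() {
    conf="$1"
    # Quoted heredoc delimiter: $1, $3 and %s below are SEC placeholders,
    # not shell variables, and must reach the file untouched.
    cat > "$conf" <<'EOF'
# Five or more SSH password failures from one source IP against one host
# within 60 seconds raise a single correlated event. SEC keys the counter on
# the expanded desc string, so the count is kept per (host, source) pair.
type=SingleWithThreshold
ptype=RegExp
pattern=(\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)
desc=$3 failed SSH logins on $1 at least 5 times within 60s
action=pipe '%s' /usr/bin/logger -t sec -p auth.warning
window=60
thresh=5
EOF
}

# Foreground run for checking the rule file (Ctrl-C stops it). The packaged
# init script instead takes its arguments from /etc/default/sec.
run_sec_foreground() {
    conf="$1"
    sec --conf="$conf" --input=/var/log/auth.log --debug=6
}

# Typical use on the log server:
#   write_sec_conf /etc/sec.conf
#   run_sec_foreground /etc/sec.conf
```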