hi all,
sec-2.7.6 has been released and is available at:
http://sourceforge.net/projects/simple-evcorr/files/sec/2.7.6/sec-2.7.6.tar.gz/download

The changelog for the new version is the following:

* added support for the 'cspawn' and 'cevent' actions which allow
  for generating synthetic events with custom internal contexts.

* fixes for logging the execution of 'shift' and 'pop' actions.

* starting from this version, warnings are produced for duplicate
  keywords in rule definitions.

With previous versions of sec, all synthetic events had the internal context
SEC_INTERNAL_EVENT if the --intcontexts command line option was used. The 'cspawn'
and 'cevent' actions which have been added to this version allow for
setting up a custom context for synthetic events. In order to illustrate the
new functionality, here is an example from the man page --
if you start sec with

/usr/bin/sec --intevents --intcontexts --conf=/etc/sec/my.conf \
                    --input=/var/log/messages=MESSAGES \
                    --input=/var/log/secure=SECURE \
                    --input=/var/log/cron=CRON

and the rule file /etc/sec/my.conf contains the following rules

       type=Single
       ptype=RegExp
       pattern=^(?:SEC_STARTUP|SEC_RESTART)$
       context=[SEC_INTERNAL_EVENT]
       desc=listen on 10514/tcp for incoming events
       action=cspawn MESSAGES /usr/bin/nc -l -k 10514

       type=Single
       ptype=RegExp
       pattern=.
       context=[MESSAGES]
       desc=echo everything from 10514/tcp and /var/log/messages
       action=write - $0

then SEC will receive input lines from the log files /var/log/messages,
/var/log/secure, and /var/log/cron, and will also run /usr/bin/nc for
receiving input lines from the port 10514/tcp. All input lines from
/var/log/messages and 10514/tcp are matched by the second rule and
written to standard output.

This functionality has been discussed on the mailing list
(http://sourceforge.net/p/simple-evcorr/mailman/message/29153552/), and
it also complements the recently added socket based actions nicely.

kind regards,
risto
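The announcement above only shows 'cspawn'; the following rule is an added example (not from the announcement or from the sec man page) of the companion 'cevent' action, written to drop into the same /etc/sec/my.conf and the same command line as the man-page example. It assumes the action syntax is `cevent <context> <time> <event text>`, which is how the man page of this release documents it; check `man sec` on the installed version before relying on it. The sshd log line format, the event name SSH_LOGIN_FAILURE and the key=value fields are my own choices for illustration.

```conf
# Added example rule for sec-2.7.6 'cevent' (not part of the original post).
# With --intcontexts, lines from /var/log/secure carry the internal context
# SECURE, so this rule sees only that file. The regex and the event text are
# assumptions made for the example; adjust them to your sshd log format.
type=Single
ptype=RegExp
pattern=sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+
context=[SECURE]
desc=forward ssh login failure for user $1 from $2 into the MESSAGES context
# cevent <context> <time> <event text>: time 0 means the synthetic event is
# created immediately. Because its internal context is MESSAGES rather than
# the default SEC_INTERNAL_EVENT, the man-page rule with context=[MESSAGES]
# picks it up and echoes it together with /var/log/messages and 10514/tcp.
action=cevent MESSAGES 0 SSH_LOGIN_FAILURE user=$1 src=$2
```

Two things worth checking when you adopt the man-page rule set. First, `cspawn MESSAGES /usr/bin/nc -l -k 10514` makes every line arriving on 10514/tcp indistinguishable, context-wise, from a line read out of /var/log/messages, and as written nc binds to all interfaces with no authentication, so restrict the listener to localhost or a firewalled interface unless untrusted hosts are meant to inject events. Second, a synthetic event created with 'cevent' into the SECURE context would itself be matched by the rule above if its text happened to match the pattern, so keep the synthetic event text distinct from the log lines the rule consumes to avoid feedback loops.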