2014-10-27 6:07 GMT+02:00 Yuheng Du <[email protected]>:
> Hi all,
>
> Can I change the configuration file/add some new configurations of a SEC
> instance at run-time without restarting the SEC instance? Or do I have to
> restart it in order to run a new configuration?
>
If you have started sec with a --conf=/etc/sec/my.sec option and update /etc/sec/my.sec, then you can let sec load in the updated rules by sending the HUP or ABRT signal to the sec process. HUP will do a full restart, dropping all correlation state from memory, while ABRT will try to preserve as much state as possible. With ABRT, only correlation operations started by rules from /etc/sec/my.sec are terminated.

However, if you would like to create new rule files which are not referenced by --conf options, things get a bit trickier, since essentially you have to push a new option into the command line of a running process. Nevertheless, this can be done with sec, provided that you have started sec with the SECRC environment variable pointing to the sec resource file. In the resource file, you can add new command line options, which are regarded as regular command line options by sec:
http://simple-evcorr.sourceforge.net/man.html#lbBF

> Is it possible to run SEC in a purely distributed way? Like use a cluster
> of nodes, each node process a partition of the incoming events, with the
> load balanced automatically and communication traffic not overwhelming?
>

There are no such features built into the sec core. Since by design all memory-based correlation data structures must be fully shareable (readable and writable) between all rules, event correlation operations, and other sec entities, that would require implementing many complex things like common memory for several physical nodes. Also, due to data sharing, events have to be processed sequentially -- if two events are processed in parallel and both of them modify the same data structure (say, they assign different values to a variable), the result is unpredictable. Because of these complexities, sec is implemented as a single threaded UNIX tool. Whatever parallelism you want to have, you first need to split your rulebase into several independent parts, and set up a separate sec instance for each of those parts.

Naturally, it is possible to run several instances of sec on one node or multiple nodes (as you can do with any UNIX tool), provided that each of those instances receives relevant events. Most popular choices for event forwarding have probably been various syslog servers like rsyslog and syslog-ng.

kind regards,
risto

> I was thinking what direction should I go into to avoid events flooding at
> SEC engine.
>
> Thanks for any suggestions. I am using this topic as a research topic.
>
> best,
> Yuheng
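The reload and resource-file mechanics from the reply above, as an added shell example that is neither from this mailing list thread nor from the SEC project itself. It assumes the resource file path and that the operator already knows the pid of the running sec instance; the --conf option, the SECRC variable and the HUP/ABRT behaviour are as described in the reply, and the "full"/"soft" mode names are labels chosen here.

```shell
#!/bin/sh
# Helpers for reloading SEC rules without restarting the process.
# Assumptions: sec is on PATH; the resource file path below is our choice.

# Write a fresh resource file: one command line option per line.
# When SECRC points at this file, sec treats each line as a regular option.
write_secrc() {
    rcfile=$1; shift
    : > "$rcfile"
    for conf in "$@"; do
        printf -- '--conf=%s\n' "$conf" >> "$rcfile"
    done
}

# Register an extra rule file that was never on the original command line
# by appending a --conf line to the resource file (idempotent).
add_rule_file() {
    rcfile=$1; conf=$2
    grep -qxF -- "--conf=$conf" "$rcfile" 2>/dev/null && return 0
    printf -- '--conf=%s\n' "$conf" >> "$rcfile"
}

# Map a reload mode to the signal from the reply:
#   full -> HUP  (complete restart, all correlation state dropped)
#   soft -> ABRT (reload rules, keep as much correlation state as possible)
reload_signal() {
    case $1 in
        full) echo HUP ;;
        soft) echo ABRT ;;
        *) echo "unknown reload mode: $1" >&2; return 1 ;;
    esac
}

# Deliver the chosen signal to a running sec instance (pid supplied by caller).
reload_sec() {
    mode=$1; pid=$2
    sig=$(reload_signal "$mode") || return 1
    kill -s "$sig" "$pid"
}

# Start sec with the resource file exported; remaining arguments (e.g. input
# file options) are passed through unchanged.
start_sec() {
    rcfile=$1; shift
    SECRC="$rcfile" sec "$@"
}
```

Typical use: `write_secrc /etc/sec/sec.rc /etc/sec/my.sec`, `start_sec /etc/sec/sec.rc ...`, later `add_rule_file /etc/sec/sec.rc /etc/sec/new.sec` followed by `reload_sec soft <pid>` so existing correlation state survives the reload.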
------------------------------------------------------------------------------
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
