hi Richard and John,

> Hi Richard:
>
> In message
> <caj69-dfkwv+bnuy7vipijt8ezof3fpz8eahuj1bbvzysno3...@mail.gmail.com>,
> Richard_Ostrochovsk writes:
> >this post loosely follows this one:
> >https://sourceforge.net/p/simple-evcorr/mailman/message/36867007/.
> >
> >Being monitoring consultant and developer, I have
> >an idea to hide complexity of SEC configurations,
> >and still to allow to configure it also for
> >"regular" administrators without any developer or
> >SEC background.
>
> Being a "regular" administrator, I claim admins
> that can't program/use programming methods won't
> be admins much longer. If the companies you work
> for are depending on (rapidly turning over) junior
> admins to administer something as important as
> monitoring and correlation you have a difficult
> job ahead of you.
>
> Knowing regular expressions at the very least is
> required to use SEC.


I agree with John's opinion. Also, regular expressions are not something
specific to SEC, but they are used by many other event log processing and
network monitoring tools such as syslog-ng, rsyslog, suricata, etc. While
learning regular expressions requires some time from a newcomer, it is
difficult to see how a monitoring engineer/admin would manage without this
knowledge. I would also argue that creating more advanced event correlation
schemes (not only for SEC, but for any other event correlation tool)
definitely requires at least some development skills, since one has to
essentially write down event processing algorithms here.

Having said that, there are certainly ways to improve future versions of
SEC -- for example, re-evaluating input file patterns after short time
intervals (suggestion from one of the previous posts) is worth considering
and I've written it down as an idea for the next version.

> Getting performance info out
> of SEC is better, but still
> difficult. E.G. finding and fixing expensive/poor
> regular expressions can result in a significant
> improvement of performance/throughput along with
> hierarchical structuring of the rulesets.
>
> >Imagined concept illustration:
> >
> >[configuration DB] -> [generator(s)] -> [SEC configurations]
> >
> >The punch line is, that user won't need to know
> >anything about SEC, but will need to understand
> >logic of correlations employed, and their
> >parameters
>
> I assume you mean regular expressions, thresholds,
> actions and commands etc.
>
> >(configuration DB may have some kind of GUI). In
> >the background, higher-level correlations will be
> >translated to respective SEC rules.
>

It is certainly possible to create such a configuration DB for a number of
well known scenarios. For example, one could set up a database for common
Cisco fault messages (maybe using examples from here:
https://github.com/simple-evcorr/rulesets/blob/master/cisco/cisco-syslog.sec),
and use it for automated creation of some specific rules, where the end
user can change a few simpler parameters (e.g., time windows and thresholds
of event correlation rules). However, it is also important to understand
the limitations of this approach -- whenever new event processing
algorithms need to be written for new scenarios and event log types,
someone with developer skills needs to step in. If you want to move the
entire development work into GUI, maybe secadmin package that John has
discussed below will provide some ideas?


> There was a web interface referenced back in 2007
> at:
>
>
> https://sourceforge.net/p/simple-evcorr/mailman/simple-evcorr-users/thread/op.tnxvfselqmj61d%40genius/#msg6200380
>
> The url's are dead but I have a copy of secadmin
> from 2009 I have put it up at:
>
>   https://www.cs.umb.edu/~rouilj/sec/secadmin.tar.gz
>
> It doesn't use a back end db IIRC but it was
> supposed to provide some guidance on creating the
> correlation rules. Note that it would have to be
> updated as new rules have been added since it was
> developed. Also I think it only supported the basic
> sec correlations.
>
> Risto do you remember this?
>

After checking the link, I do recollect this post, but didn't have time to
closely study this package at the time. However, I downloaded this package
today and looked into it on a test virtual machine. This package is
essentially a CGI script written for the Apache web server, and despite being
rolled out in 2006, I found it working on the CentOS 7 platform after a few
minor tweaks. The package offers a web based GUI for editing SEC rules, where
most rule fields can be defined in text boxes, while values for some fields
(e.g., rule type) can be selected from pull-down menus. I think it's a nice
package for editing rules via a web based interface, but one definitely has
to update it for newer SEC versions (since the CGI script was created in
November 2006, it works with 2.4.X versions, while the most recent sec-2.8.X
contains many improvements over 2.4.X).

hope this helps,
risto
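To illustrate the [configuration DB] -> [generator] -> [SEC configurations] idea discussed in this thread, here is a small added example (not code from the original post or from the SEC project): a generator that turns constructed "database" rows into SEC SingleWithThreshold rules, exposing only the time window and threshold to the end user and refusing rows whose regular expression does not compile. The Cisco pattern is a simplified illustration written for this example, not a line from the cisco-syslog.sec ruleset.

```python
import re

# Constructed "configuration DB" rows: the fields a GUI would expose to a
# non-SEC user. The Cisco pattern is an illustration, not from cisco-syslog.sec.
CONFIG_DB = [{
    "name": "cisco_link_flap",
    "pattern": r"%LINEPROTO-5-UPDOWN: Line protocol on Interface (\S+), changed state to down",
    "desc": "Interface $1 flapping",
    "action": "write - Interface $1 went down repeatedly",
    "thresh": 5,
    "window": 60,
}]

REQUIRED = ("name", "pattern", "desc", "action", "thresh", "window")

def validate(row):
    """Reject rows that would render into a broken SEC rule."""
    missing = [k for k in REQUIRED if k not in row]
    if missing:
        raise ValueError(f"{row.get('name', '?')}: missing {missing}")
    try:
        re.compile(row["pattern"])  # close enough to Perl syntax to catch typos
    except re.error as exc:
        raise ValueError(f"{row['name']}: bad pattern: {exc}")
    for key in ("thresh", "window"):
        if not isinstance(row[key], int) or row[key] < 1:
            raise ValueError(f"{row['name']}: {key} must be a positive integer")

def is_valid(row):
    try:
        validate(row)
        return True
    except ValueError:
        return False

def render_rule(row):
    """Translate one DB row into a SEC SingleWithThreshold rule."""
    validate(row)
    return "\n".join([
        f"# generated from configuration DB entry '{row['name']}'",
        "type=SingleWithThreshold",
        "ptype=RegExp",
        f"pattern={row['pattern']}",
        f"desc={row['desc']}",
        f"action={row['action']}",
        f"window={row['window']}",
        f"thresh={row['thresh']}",
    ])

def generate(rows):
    """Emit a complete SEC configuration from all DB rows."""
    return "\n\n".join(render_rule(r) for r in rows) + "\n"
```

Writing generate(CONFIG_DB) to a .sec file gives SEC a rule whose window and thresh the GUI user can tune, while the regular expression and action stay under the rule author's control.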
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users