SEC is an open source and platform independent event correlation tool that was designed to fill the gap between commercial event correlation systems and homegrown solutions that usually comprise a few simple shell scripts. SEC accepts input from regular files, named pipes, and standard input, and can thus be employed as an event correlator for any application that is able to write its output events to a file stream. The SEC configuration is stored in text files as rules, each rule specifying an event matching condition, an action list, and optionally a Boolean expression whose truth value decides whether the rule can be applied at a given moment. Regular expressions, Perl subroutines, etc. are used for defining event matching conditions. SEC can produce output events by executing user-specified shell scripts or programs (e.g., snmptrap or mail), by writing messages to pipes or files, and by various other means. Read more about SEC here.
ZipTie utilizes SEC to enable event based backups. An SEC agent watches for user defined events and will launch predefined scripts to automatically backup devices with ZipTie.
Notifications are received from the devices using services like remote syslog, snmp, tacacs, and radius.
To make SEC easier to manage, ZipTie ships a wrapper. The wrapper lets us launch multiple SEC instances and start and stop each instance individually.
ZipTie's SEC package consists of 3 Perl scripts: agent.pl, backup.pl and sec.pl.
The first time you launch agent.pl, it will create a directory named conf with 2 files.
This example will walk you through configuring a Cisco IOS device to utilize a remote syslog server and trigger a backup of the device with ZipTie.
Enable the Cisco IOS device to send syslog notifications to the local0 facility on your ZipTie Server.
To do this login to the Cisco IOS device and do the following:
# configure terminal
# logging trap notifications
# logging facility local0
# logging 10.1.1.1
(Replace 10.1.1.1 with the IP address of your ZipTie Server.)
To enable the syslog service on your Linux server to listen for remote events to the local0 facility do the following.
1. Enable network access to the standard syslog port and protocol, 514/UDP, on the Linux server. Typically this involves updating iptables on the server.
2. Enable syslog to listen for remote events. To do this you need to add the -r flag to the startup options for syslog: modify /etc/sysconfig/syslog and add -r to SYSLOGD_OPTIONS.
SYSLOGD_OPTIONS="-m 0 -x -r"
3. Create a file where you would like the events sent to local0 to be stored. Typically you would do this under /var/log. Be sure to set the file permissions so that the syslog service can write to the file and the ZipTie user can read it. As this is an example we will keep the file permissions loose, but you can tighten them as you see fit.
# touch /var/log/zt.logwatch
# chmod 777 /var/log/zt.logwatch
4. Modify the syslog configuration file to write events for the local0 facility to our newly created file. Typically you will edit /etc/syslog.conf and add the following:
local0.* /var/log/zt.logwatch
5. Restart syslogd.
# /etc/init.d/syslogd restart
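The following is an added example and not part of the ZipTie SEC package: it wraps steps 2 to 4 above in idempotent shell functions, so the edits to /etc/sysconfig/syslog and /etc/syslog.conf can be re-run safely and checked before syslogd is restarted. Every path is a parameter that defaults to the value used in the walkthrough, so the functions can first be exercised against scratch copies of the files. The function names and the 640 file mode are this example's own choices; the walkthrough itself uses 777.

```shell
#!/bin/sh
# Added example (not ZipTie's code): idempotent helpers for the syslog setup.
# Paths default to the walkthrough's values; pass scratch paths to dry-run.

# Step 2: make sure "-r" is present in SYSLOGD_OPTIONS so syslogd accepts
# remote events. Leaves the file alone if the flag is already there.
enable_remote_syslog() {
    cfg="${1:-/etc/sysconfig/syslog}"
    if grep -q '^SYSLOGD_OPTIONS=".*-r' "$cfg" 2>/dev/null; then
        return 0                      # already enabled, nothing to do
    fi
    if grep -q '^SYSLOGD_OPTIONS="' "$cfg" 2>/dev/null; then
        # append -r inside the existing quoted option string
        sed 's/^SYSLOGD_OPTIONS="\(.*\)"/SYSLOGD_OPTIONS="\1 -r"/' "$cfg" > "$cfg.tmp" \
            && mv "$cfg.tmp" "$cfg"
    else
        printf 'SYSLOGD_OPTIONS="-m 0 -x -r"\n' >> "$cfg"
    fi
}

# Step 3: create the destination file. syslogd runs as root and writes it;
# the ZipTie user only needs to read it, so owner root, a group the ZipTie
# user belongs to, and mode 640 are sufficient (defaults chosen here).
create_logwatch_file() {
    f="${1:-/var/log/zt.logwatch}"; grp="${2:-}"; mode="${3:-640}"
    [ -e "$f" ] || : > "$f"
    chmod "$mode" "$f"
    if [ -n "$grp" ]; then chown "root:$grp" "$f"; fi
}

# Step 4: route the local0 facility to that file, adding the selector line
# only if an identical one is not already present (exact field match).
add_local0_rule() {
    conf="${1:-/etc/syslog.conf}"; f="${2:-/var/log/zt.logwatch}"
    if ! awk -v f="$f" '$1 == "local0.*" && $2 == f { hit = 1 } END { exit !hit }' "$conf" 2>/dev/null; then
        printf 'local0.*\t%s\n' "$f" >> "$conf"
    fi
}

# Check all three pieces; prints what is missing and returns non-zero if any.
verify_syslog_setup() {
    cfg="${1:-/etc/sysconfig/syslog}"; conf="${2:-/etc/syslog.conf}"; f="${3:-/var/log/zt.logwatch}"
    rc=0
    grep -q '^SYSLOGD_OPTIONS=".*-r' "$cfg" 2>/dev/null || { echo "missing -r in $cfg"; rc=1; }
    awk -v f="$f" '$1 == "local0.*" && $2 == f { hit = 1 } END { exit !hit }' "$conf" 2>/dev/null \
        || { echo "missing local0.* rule in $conf"; rc=1; }
    [ -r "$f" ] || { echo "$f missing or unreadable"; rc=1; }
    return $rc
}

# Usage (as root, after step 1 has opened 514/UDP): sh setup_syslog.sh apply
if [ "${1:-}" = "apply" ]; then
    enable_remote_syslog && create_logwatch_file && add_local0_rule \
        && verify_syslog_setup && /etc/init.d/syslogd restart
fi
```

Running verify_syslog_setup before the restart tells you which of the three pieces is still missing, which is easier than diagnosing a silent syslogd later.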
Download and extract sec.zip to a folder. In our example we will use /root/sec. Launch the SEC agent, passing it an appropriate agent name, the syslog file we created, and the start action.
# perl /root/sec/agent.pl -n CiscoIOS -f /var/log/zt.logwatch -a start
Agents registry file doesn't exist. Proceed to create it.
SEC config doesn't exist. Proceed to create it.
Starting SEC
SEC (Simple Event Correlator) 2.4.2
Reading configuration from /root/sec/conf/sec.2.4.4-1.conf
Rule in /root/sec/conf/sec.2.4.4-1.conf at line 3:
1 rules loaded from /root/sec/conf/sec.2.4.4-1.conf
If this is your first time running the SEC agent you will see notifications about the default configuration files being created; otherwise you will see messages about finding and loading the previous configuration. The last line should say:
1 rules loaded from /your/path/to/sec/conf/sec.2.4.4-1.conf
The SEC agent is now running and watching for notifications from the Cisco IOS device.
To verify everything is working correctly log back into your Cisco IOS device and do the following:
# configure terminal
# exit
# exit
The Cisco IOS device should have sent a notification to your syslog server. SEC should have noticed this event and triggered a system backup. You should have seen the following message from your SEC agent:
Scheduled backup with execution ID: [number]
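If the "Scheduled backup" line does not appear, the first question is whether the device's notification reached the watched file at all, independent of SEC. The following is an added example, not part of the ZipTie SEC package, and it does not use the SEC rule (the rule file's matching pattern is not shown here). It relies on the fact that Cisco IOS reports the end of a configuration session with a %SYS-5-CONFIG_I message; the helper lists which sending host and user produced such events in the syslog file. The function names and the sample log lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not ZipTie's code): confirm that the device's
# configuration-change notifications are landing in the watched syslog file.

# Print "host user" for every %SYS-5-CONFIG_I line in the given syslog file.
# syslogd prefixes each line with its own timestamp (fields 1-3) and the
# sender host (field 4); the Cisco message text follows.
config_events() {
    f="${1:-/var/log/zt.logwatch}"
    awk '/%SYS-5-CONFIG_I:/ {
        user = "?"
        for (i = 5; i <= NF; i++)
            if ($i == "by" && i < NF) { user = $(i + 1) }
        print $4, user
    }' "$f"
}

# Number of configuration-change events present in the file.
count_config_events() {
    config_events "$1" | wc -l | tr -d ' '
}

# Constructed sample of what zt.logwatch can look like after the "configure
# terminal / exit" test above (two config events from two devices, plus an
# unrelated link message that must be ignored).
sample_logwatch() {
    cat <<'EOF'
Mar  4 10:15:02 10.1.1.2 45: *Mar  4 10:15:01.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.50)
Mar  4 10:15:07 10.1.1.2 46: *Mar  4 10:15:06.900: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
Mar  4 10:16:40 10.1.1.3 12: *Mar  4 10:16:39.004: %SYS-5-CONFIG_I: Configured from console by console
EOF
}

# Usage against the real file: sh check_events.sh
if [ "${1:-}" = "demo" ]; then
    sample_logwatch > /tmp/zt.logwatch.sample
    config_events /tmp/zt.logwatch.sample
fi
```

A zero count after the test on the device points at the syslog path (device logging settings, 514/UDP, the -r flag, or the local0 selector); a non-zero count with no "Scheduled backup" line points at the SEC agent or its rule file instead.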
To stop this specific SEC agent, launch another shell and do the following:
# perl /root/sec/agent.pl -n CiscoIOS -f /var/log/zt.logwatch -a stop
Done with execution!
The SEC process has now been stopped.