25.6. Event Correlation

It is possible to write correlation rules in the NXLog language using built-in features such as variables and statistical counters. While these are quite powerful, some conditions cannot be detected with them, especially those that require a sliding window.

A dedicated NXLog module, pm_evcorr, is available for advanced correlation requirements. It provides features similar to those of SEC (the Simple Event Correlator) and greatly enhances the correlation capabilities of NXLog.

Example 87. Correlation Rules

The following configuration sample contains a rule for each type.

nxlog.conf
<Processor evcorr>
    Module                  pm_evcorr
    TimeField               EventTime

    <Simple>
        # Simple has no condition: its Exec runs for every event, like a plain Exec.
        Exec                if $Message =~ /^simple/ $raw_event = "got simple";
    </Simple>

    <Suppressed>
        # Match input event and execute an action list, but ignore the following
        # matching events for the next t seconds.
        Condition           $Message =~ /^suppressed/
        Interval            30
        Exec                $raw_event = "suppressing..";
    </Suppressed>

    <Pair>
        # If TriggerCondition is true, wait Interval seconds for RequiredCondition
        # to be true and then do the Exec. If Interval is 0, there is no window on
        # matching.
        TriggerCondition    $Message =~ /^pair-first/
        RequiredCondition   $Message =~ /^pair-second/
        Interval            30
        Exec                $raw_event = "got pair";
    </Pair>

    <Absence>
        # If TriggerCondition is true, wait Interval seconds for RequiredCondition
        # to be true. If RequiredCondition does not become true within the specified
        # interval then do the Exec.
        TriggerCondition    $Message =~ /^absence-trigger/
        RequiredCondition   $Message =~ /^absence-required/
        Interval            10
        Exec                log_info("'absence-required' not received within 10s");
    </Absence>

    <Thresholded>
        # If the number of events exceeds the given threshold within the interval do
        # the Exec. Same as SingleWithThreshold in SEC.
        Condition           $Message =~ /^thresholded/
        Threshold           3
        Interval            60
        Exec                $raw_event = "got thresholded";
    </Thresholded>

    <Stop>
        # If Condition is true, the rules that follow are not evaluated for this event.
        Condition           $EventTime < 2010-01-02 00:00:00
        Exec                log_debug("got stop");
    </Stop>

    <Simple>
        # This will be rewritten only if the previous Stop condition is FALSE.
        Exec                $raw_event = "rewritten";
    </Simple>

</Processor>
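As an added illustration (not part of the NXLog documentation or of pm_evcorr itself), the following Python models how two of the rule types above behave over a constructed event stream: Pair, which waits Interval seconds for RequiredCondition after TriggerCondition, and Thresholded, whose count is evaluated over a sliding window. Times are plain seconds standing in for $EventTime, and the regexes and intervals are those of the example configuration.

```python
import re
from collections import deque

# Constructed (seconds, $Message) stream; the prefixes match the nxlog.conf regexes above.
EVENTS = [
    (10, "thresholded x"), (20, "thresholded y"), (100, "thresholded z"),
    (110, "thresholded w"), (120, "thresholded v"),   # only z, w, v fall within one 60s window
    (50, "pair-first"), (60, "pair-second"),            # second arrives within 30s: fires
    (200, "pair-first"), (240, "pair-second"),          # second arrives after 30s: no match
]

class Pair:
    """TriggerCondition arms the rule; RequiredCondition within Interval runs Exec
    (Interval 0 means no window, as the Pair comment above states)."""
    def __init__(self, trigger, required, interval):
        self.trigger, self.required = re.compile(trigger), re.compile(required)
        self.interval, self.deadline = interval, None
    def feed(self, t, msg):
        if self.trigger.search(msg):
            self.deadline = float("inf") if self.interval == 0 else t + self.interval
        elif self.deadline is not None and self.required.search(msg):
            fired, self.deadline = t <= self.deadline, None   # a late Required only disarms
            return "got pair" if fired else None
        return None

class Thresholded:
    """Run Exec once Threshold matches sit inside a sliding Interval window, then
    reset the counter (modelled after SingleWithThreshold in SEC)."""
    def __init__(self, pattern, threshold, interval):
        self.pattern, self.threshold, self.interval = re.compile(pattern), threshold, interval
        self.times = deque()                      # timestamps of matches still in the window
    def feed(self, t, msg):
        if not self.pattern.search(msg):
            return None
        self.times.append(t)
        while t - self.times[0] > self.interval:  # slide: drop matches older than Interval
            self.times.popleft()
        if len(self.times) < self.threshold:
            return None
        self.times.clear()
        return "got thresholded"

def correlate(events):
    """Replay events in time order through all rules; return (time, action) pairs."""
    rules = [Pair(r"^pair-first", r"^pair-second", 30),
             Thresholded(r"^thresholded", 3, 60)]
    return [(t, r) for t, msg in sorted(events) for r in [x.feed(t, msg) for x in rules] if r]
```

Note that the three thresholded events at 10s, 20s and 100s never fire, because the window slides and the first two have expired by the time the third arrives.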