Event Rules Examples

LCE can be configured with the ability to interpret received log events based on log content and use configurable rules to generate active responses from the LCE server. These rules are configured in the LCE interface in the Event Rules section and can perform three primary responses:

  • email alerting
  • syslog alerting
  • command execution

Note: The LCE server will generate email alerts using the settings found msmtp.conf file, which can be found in the /opt/lce/tools/ directory on the LCE server. This file will need to include your email server information for alerting to function correctly.

Examples of practical applications include configuring rules to rate limit certain types of log events, email administrators immediately when an attack is detected, and send customized commands to a firewall when an inbound attack is detected and firewall reconfiguration needs to take place.

Various fields within the received log alert are automatically placed in variables that may be used as parameters within the active response. For example, consider the following Event Rules entry:

Name: DMZ Login


Event: SC4-Login

Command: echo "body: $log" | sendmail "subject: $event1 from $sip"

RateLimit: 5m

This rule takes LCE events labeled “SC4-Login” to the specified IP addresses and automatically generates an email alert to the specified administrator email addresses. In addition, a rate limit is applied such that only one email would be sent every five minutes to prevent the LCE server from overwhelming the email server system. Configuration possibilities are limited only by the imagination of the LCE server administrator.