Event Rules Examples

LCE can be configured with the ability to interpret received log events based on log content and use configurable rules to generate active responses from the LCE server. These rules are configured in the LCE interface in the Event Rules section and can perform three primary responses:

  • email alerting
  • syslog alerting
  • command execution

Note: The LCE server generates email alerts using the settings found in the msmtp.conf file, located in the /opt/lce/tools/ directory on the LCE server. This file must contain your email server information for alerting to function correctly.

Examples of practical applications include configuring rules to rate limit certain types of log events, email administrators immediately when an attack is detected, and send customized commands to a firewall when an inbound attack is detected and firewall reconfiguration needs to take place.

Various fields within the received log alert are automatically placed in variables that may be used as parameters within the active response. For example, consider the following Event Rules entry:

Name: DMZ Login

+IPS: 192.168.20.15,192.168.20.100,192.168.20.110-112

Event: SC4-Login

Command: echo "body: $log" | sendmail "subject: $event1 from $sip"

RateLimit: 5m

This rule takes LCE events labeled “SC4-Login” to the specified IP addresses and automatically generates an email alert to the specified administrator email addresses. In addition, a rate limit is applied such that only one email would be sent every five minutes to prevent the LCE server from overwhelming the email server system. Configuration possibilities are limited only by the imagination of the LCE server administrator.
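To make the rule's behaviour concrete, the following is an added example (not LCE's own code and not from Tenable's documentation) that simulates how an Event Rules entry like "DMZ Login" is evaluated: it expands the +IPS list, matches incoming events on event name and source IP, substitutes the $log, $event1 and $sip variables into the Command template, and enforces the 5m RateLimit. The expansion of a dash range such as 192.168.20.110-112 as a range on the last octet, the "5m"/"30s"/"2h" rate-limit grammar, and the sample event records are assumptions made for the example; the field names and the command template are the ones on this page.

```python
import string
from dataclasses import dataclass


def parse_ip_list(spec):
    """Expand an +IPS field such as '192.168.20.15,192.168.20.110-112'.

    A trailing 'a-b' is assumed to be a range over the last octet
    (assumption for this example, not a documented LCE grammar).
    """
    addrs = set()
    for item in spec.split(","):
        item = item.strip()
        if "-" in item:
            base, end = item.split("-", 1)
            prefix, start = base.rsplit(".", 1)
            for last in range(int(start), int(end) + 1):
                addrs.add(f"{prefix}.{last}")
        else:
            addrs.add(item)
    return addrs


def parse_rate_limit(spec):
    """Convert a RateLimit value such as '5m' into seconds (assumed s/m/h suffixes)."""
    units = {"s": 1, "m": 60, "h": 3600}
    return int(spec[:-1]) * units[spec[-1]]


@dataclass
class EventRule:
    name: str
    ips: set           # expanded +IPS list
    event: str         # Event field, e.g. "SC4-Login"
    command: str       # Command template using $log, $event1, $sip
    rate_limit: int    # RateLimit in seconds
    last_fired: float = None  # time of the last response, None if never fired

    def evaluate(self, log, now):
        """Return the rendered command if the rule fires for this event, else None.

        'now' is passed in (seconds) so the rate-limit behaviour is deterministic.
        The command is only rendered here, never executed: log content is
        attacker-influenced text, so a real executor should hand values to the
        program as separate arguments rather than through a shell string.
        """
        if log["event1"] != self.event or log["sip"] not in self.ips:
            return None
        if self.last_fired is not None and now - self.last_fired < self.rate_limit:
            return None  # suppressed: still inside the RateLimit window
        self.last_fired = now
        return string.Template(self.command).safe_substitute(log)


def run_demo():
    """Feed constructed sample events through the 'DMZ Login' rule from the page."""
    rule = EventRule(
        name="DMZ Login",
        ips=parse_ip_list("192.168.20.15,192.168.20.100,192.168.20.110-112"),
        event="SC4-Login",
        command='echo "body: $log" | sendmail "subject: $event1 from $sip"',
        rate_limit=parse_rate_limit("5m"),
    )
    # Constructed sample events: (seconds since start, event record).
    events = [
        (0,   {"event1": "SC4-Login",  "sip": "192.168.20.111", "log": "user alice logged in"}),
        (60,  {"event1": "SC4-Login",  "sip": "192.168.20.112", "log": "user bob logged in"}),
        (100, {"event1": "SC4-Login",  "sip": "10.0.0.5",       "log": "user carol logged in"}),
        (120, {"event1": "SC4-Logout", "sip": "192.168.20.15",  "log": "user alice logged out"}),
        (300, {"event1": "SC4-Login",  "sip": "192.168.20.100", "log": "user dave logged in"}),
    ]
    return [rule.evaluate(record, now) for now, record in events]


if __name__ == "__main__":
    for i, result in enumerate(run_demo()):
        print(f"event {i}: {'FIRED -> ' + result if result else 'no response'}")
```

Running the demo shows the first SC4-Login from a DMZ host firing the command, the second one sixty seconds later being suppressed by the rate limit, the two non-matching events (wrong source IP, wrong event name) being ignored, and the event at the five-minute mark firing again.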