Event Rules Examples

Log Correlation Engine can be configured with the ability to interpret received log events based on log content and use configurable rules to generate active responses from the Log Correlation Engine server. These rules are configured in the Log Correlation Engine interface in the Event Rules section and can perform three primary responses:

  • email alerting
  • syslog alerting
  • command execution

Note: The Log Correlation Engine server will generate email alerts using the settings found msmtp.conf file, which can be found in the /opt/lce/tools/ directory on the Log Correlation Engine server. This file will need to include your email server information for alerting to function correctly.

Examples of practical applications include configuring rules to rate limit certain types of log events, email administrators immediately when an attack is detected, and send customized commands to a firewall when an inbound attack is detected and firewall reconfiguration needs to take place.

Various fields within the received log alert are automatically placed in variables that may be used as parameters within the active response. For example, consider the following Event Rules entry:

Name: DMZ Login


Event: SC4-Login

Command: echo "body: $log" | sendmail [email protected] "subject: $event1 from $sip"

RateLimit: 5m

This rule takes Log Correlation Engine events labeled “SC4-Login” to the specified IP addresses and automatically generates an email alert to the specified administrator email addresses. In addition, a rate limit is applied such that only one email would be sent every five minutes to prevent the Log Correlation Engine server from overwhelming the email server system. Configuration possibilities are limited only by the imagination of the Log Correlation Engine server administrator.