Event Rules Examples
Log Correlation Engine can be configured with the ability to interpret received log events based on log content and use configurable rules to generate active responses from the Log Correlation Engine server. These rules are configured in the Log Correlation Engine interface in the Event Rules section and can perform three primary responses:
- email alerting
- syslog alerting
- command execution
Note: The Log Correlation Engine server will generate email alerts using the settings found in the msmtp.conf file, which is located in the /opt/lce/tools/ directory on the Log Correlation Engine server. This file must include your email server information for alerting to function correctly.
# Example msmtp configuration file
#
# Please replace the following with the desired settings for mail server, encryption and authentication. The full
# msmtp documentation is located at http://msmtp.sourceforge.net/doc/msmtp.html.
#
# msmtp usage example: echo "This is a test message." | /opt/lce/tools/msmtp -C /opt/lce/tools/msmtp.conf your_name@your_address.com
account provider
host smtp.gmail.com
tls on
tls_certcheck off
tls_starttls off
from your_username@your_domain.com
auth on
user your_username
password your_password
port 465
logfile /opt/lce/tools/msmtp.log
# Set the above account to be the default when the -a flag is not used
account default : provider
Examples of practical applications include configuring rules to rate limit certain types of log events, email administrators immediately when an attack is detected, and send customized commands to a firewall when an inbound attack is detected and firewall reconfiguration needs to take place.
Various fields within the received log alert are automatically placed in variables that may be used as parameters within the active response. For example, consider the following Event Rules entry:
Name: DMZ Login
+IPS: 192.168.20.15,192.168.20.100,192.168.20.110-112
Event: SC4-Login
Command: echo "body: $log" | sendmail [email protected] "subject: $event1 from $sip"
RateLimit: 5m
This rule takes Log Correlation Engine events labeled “SC4-Login” that are sent to the specified IP addresses and automatically generates an email alert to the specified administrator email addresses. In addition, a rate limit is applied so that at most one email is sent every five minutes, preventing the Log Correlation Engine server from overwhelming the email server. Configuration possibilities are limited only by the imagination of the Log Correlation Engine server administrator.
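To make the matching, variable substitution and rate-limit behaviour of such a rule concrete, here is an added Python model of an Event Rules entry. It is not Log Correlation Engine code; the log record fields (event, sip, dip, raw), the reading of "110-112" as a range on the last octet, and the sample rule values are assumptions based on the example above.

```python
import re

RATE_UNITS = {"s": 1, "m": 60, "h": 3600}

def expand_ips(spec):
    """Expand a +IPS list such as '192.168.20.15,192.168.20.110-112' into a set.
    A trailing 'lo-hi' is treated as a range on the last octet, as in the page's
    example; that reading of the syntax is an assumption."""
    addresses = set()
    for item in spec.split(","):
        prefix, last = item.strip().rsplit(".", 1)
        if "-" in last:
            lo, hi = (int(x) for x in last.split("-", 1))
            addresses.update(f"{prefix}.{n}" for n in range(lo, hi + 1))
        else:
            addresses.add(item.strip())
    return addresses

def parse_rate_limit(text):
    """Convert a RateLimit value such as '5m', '30s' or '1h' into seconds."""
    m = re.fullmatch(r"(\d+)([smh])", text.strip())
    if not m:
        raise ValueError(f"unsupported RateLimit value: {text!r}")
    return int(m.group(1)) * RATE_UNITS[m.group(2)]

class EventRule:
    """One Event Rules entry: Name, +IPS, Event, Command and RateLimit."""
    def __init__(self, name, ips, event, command, rate_limit):
        self.name = name
        self.ips = expand_ips(ips)
        self.event = event
        self.command = command
        self.rate_limit = parse_rate_limit(rate_limit)
        self.last_fired = None  # epoch seconds of the last active response

    def evaluate(self, log, now):
        """Return the expanded command for a matching event, or None when the
        event does not match or the rule is still inside its rate-limit window.
        `log` is an assumed dict with 'event', 'sip', 'dip' and 'raw' fields."""
        if log["event"] != self.event or log["dip"] not in self.ips:
            return None
        if self.last_fired is not None and now - self.last_fired < self.rate_limit:
            return None
        self.last_fired = now
        # Variables available to the command: $event1, $sip and $log. Values are
        # inserted verbatim, as in the page's rule; because the command runs in a
        # shell, log-derived values need quoting in a real deployment.
        values = {"event1": log["event"], "sip": log["sip"], "log": log["raw"]}
        return re.sub(r"\$(\w+)", lambda m: values.get(m.group(1), m.group(0)), self.command)
```

Feed the same login event twice within five minutes and the second call returns None, which is the rate-limit behaviour the rule above relies on.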