Event correlation

It is possible to write correlation rules in the NXLog language using built-in features such as variables and statistical counters. While these features are quite powerful, some cases cannot be detected with them, especially when the conditions require correlation over a sliding time window.

A dedicated NXLog module, pm_evcorr, is available for advanced correlation requirements. It provides features similar to those of SEC and greatly enhances the correlation capabilities of NXLog.

Example 1. Correlation rules

The following configuration provides a sample for each type of rule: Absence, Pair, Simple, Suppressed, and Thresholded. It also shows a Stop rule, which prevents the rules that follow it from being evaluated when its Condition is true.

nxlog.conf
<Processor evcorr>
    Module                  pm_evcorr
    TimeField               EventTime

    <Simple>
        Exec                if $Message =~ /^simple/ $raw_event = "got simple";
    </Simple>

    <Suppressed>
        # Match an input event and execute the action list, but ignore further
        # matching events for the next Interval seconds.
        Condition           $Message =~ /^suppressed/
        Interval            30
        Exec                $raw_event = "suppressing..";
    </Suppressed>

    <Pair>
        # If TriggerCondition is true, wait Interval seconds for RequiredCondition
        # to be true and then do the Exec. If Interval is 0, there is no window on
        # matching.
        TriggerCondition    $Message =~ /^pair-first/
        RequiredCondition   $Message =~ /^pair-second/
        Interval            30
        Exec                $raw_event = "got pair";
    </Pair>

    <Absence>
        # If TriggerCondition is true, wait Interval seconds for RequiredCondition
        # to be true. If RequiredCondition does not become true within the specified
        # interval then do the Exec.
        TriggerCondition    $Message =~ /^absence-trigger/
        RequiredCondition   $Message =~ /^absence-required/
        Interval            10
        Exec                log_info("'absence-required' not received within 10s");
    </Absence>

    <Thresholded>
        # If the number of events exceeds the given threshold within the interval do
        # the Exec. Same as SingleWithThreshold in SEC.
        Condition           $Message =~ /^thresholded/
        Threshold           3
        Interval            60
        Exec                $raw_event = "got thresholded";
    </Thresholded>

    <Stop>
        Condition           $EventTime < 2010-01-02 00:00:00
        Exec                log_debug("got stop");
    </Stop>

    <Simple>
        # This will be rewritten only if the previous Stop condition is FALSE.
        Exec                $raw_event = "rewritten";
    </Simple>

</Processor>
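To make the windowed semantics of the rules above concrete, here is an added Python simulation (not NXLog code and not part of the original page) of the Suppressed, Pair, Absence and Thresholded rules from this configuration, run over constructed sample events. It assumes a Thresholded rule fires when the count reaches Threshold, and it expires the Absence timer only when a later event arrives, which simplifies NXLog's timer-driven behaviour.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (EventTime, Message); not taken from the page.
EVENTS = [
    ("2024-01-01 10:00:00", "suppressed one"),
    ("2024-01-01 10:00:10", "suppressed two"),    # inside the 30s window: ignored
    ("2024-01-01 10:00:45", "suppressed three"),  # window expired: acted on again
    ("2024-01-01 10:01:00", "pair-first"),
    ("2024-01-01 10:01:20", "pair-second"),       # within 30s of trigger: "got pair"
    ("2024-01-01 10:02:00", "absence-trigger"),
    ("2024-01-01 10:02:05", "thresholded a"),
    ("2024-01-01 10:02:06", "thresholded b"),
    ("2024-01-01 10:02:07", "thresholded c"),     # third within 60s: threshold reached
    ("2024-01-01 10:02:30", "other"),             # >10s after trigger: absence fires
]

def correlate(events):
    """Apply the Suppressed, Pair, Absence and Thresholded rules in order."""
    out = []
    supp_until = pair_deadline = absence_deadline = None
    thr_times = []  # EventTimes of thresholded events still inside the 60s window
    for ts, msg in events:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        # Absence: RequiredCondition did not arrive within Interval (10s) of the trigger.
        if absence_deadline and t > absence_deadline:
            out.append("'absence-required' not received within 10s")
            absence_deadline = None
        # Suppressed: act once, then ignore matches for Interval (30s).
        if re.match(r"^suppressed", msg) and (supp_until is None or t >= supp_until):
            out.append("suppressing..")
            supp_until = t + timedelta(seconds=30)
        # Pair: RequiredCondition must follow TriggerCondition within Interval (30s).
        if re.match(r"^pair-first", msg):
            pair_deadline = t + timedelta(seconds=30)
        elif re.match(r"^pair-second", msg) and pair_deadline and t <= pair_deadline:
            out.append("got pair")
            pair_deadline = None
        # Absence: arm the timer on the trigger, disarm it when the required event arrives.
        if re.match(r"^absence-trigger", msg):
            absence_deadline = t + timedelta(seconds=10)
        elif re.match(r"^absence-required", msg):
            absence_deadline = None
        # Thresholded: sliding 60s window; assumed to fire when the count reaches 3.
        if re.match(r"^thresholded", msg):
            thr_times = [x for x in thr_times if t - x < timedelta(seconds=60)] + [t]
            if len(thr_times) >= 3:
                out.append("got thresholded")
                thr_times = []
    return out
```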