This directory is populated with rules files for sec. To use them, a command like:

    sec -conf=*.sr -input=input -input=control=CONTROL -intevents

will create an environment in which to use the rules. Note that these rules need sec 2.2.5 or newer.

The rulesets are:

01report_myself_only.sr
    Implements filtering in a redundant setup. Needs some automatic mechanism of receiving/generating a heartbeat to other redundant servers so that only one server will handle non-local event analysis.

01control.sr
    Some commands to change the state of the running sec. Must be received from a particular file. Use -input=control=CONTROL on sec's command line.

10reboot_seq.sr
    Detects system reboots and analyzes them for timely completion of boot as well as hardware recognition.

10timestamp.sr
    Monitors the heartbeat messages that are sent through syslog facilities. This makes sure that syslog is properly configured to pass events of interest to the syslog server. This set of rules will report when a 10 minute heartbeat message is missing for a host/facility pair. It provides an example of detecting a missing event and of learning about the events that should be monitored.

15ntp.sr
    Monitors ntpdate/xntp daemon syslog messages looking for time changes that exceed parameters, loss of ntp synchronization, stopping of the daemon, etc. It analyzes (numeric) data within the log message to decide whether it should report a problem.

15printer.sr
    Rules to handle printer errors from lprng. One set of rules uses timing and additional log messages to differentiate between paper jam, paper out and other printer-offline conditions, and suppresses the door-ajar error that would result from repairing a paper jam. This is sort of a multiway pair with a single introductory event and three possible outcomes.

20automountd.sr
    This ruleset looks at automountd mount failure error messages and reports when the same error occurs on the same host more than twice in 60 seconds, or when the same server host causes an error to be generated on more than three unique hosts within 5 minutes.

20sshd.sr
    Ruleset to correlate between two processes. A tie event is generated using an sshrc file (included) to tie parent and child events together. This correlates all the login/authentication info with the error reports. Note that it is using a new deferred reporting mechanism. See the comments in the rules file for its purpose and implementation. It is much better than the older one I used since it generates less noise and is more robust, but I have not tested it as extensively as I should.

99rules_reset.sr
    This ruleset clears any EVENT_PROCESSED contexts and handles reporting of any unhandled log events.
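As an added illustration of the missing-event idiom described for 10timestamp.sr above (this is not the 10timestamp.sr shipped in this directory; the heartbeat message format, the context names and the 15-minute allowance are assumptions made for the example), the two rules below first learn each host/facility pair from its initial heartbeat and then keep a per-pair context alive for 15 minutes. Each new heartbeat resets the timer; if none arrives, the context expires and its stored action list reports the gap.

```sec
# Added illustration, not the 10timestamp.sr shipped in this directory.
# Assumed (constructed) heartbeat line as sec reads it from the syslog file:
#   Jan 12 10:00:01 web01 heartbeat[4242]: daemon heartbeat
# $1 captures the host name, $2 the facility name carried in the message.

# Rule 1: learn a new host/facility pair the first time it is seen.
# The negated context test makes this rule fire only once per pair;
# continue=TakeNext lets the same line also reach rule 2.
type=Single
ptype=RegExp
pattern=^\S+ +\d+ \d\d:\d\d:\d\d (\S+) heartbeat\[\d+\]: (\S+) heartbeat$
context=!HEARTBEAT_KNOWN_$1_$2
continue=TakeNext
desc=first heartbeat seen from $1/$2
action=create HEARTBEAT_KNOWN_$1_$2; \
       write - learned heartbeat source host=$1 facility=$2

# Rule 2: every heartbeat (re)starts a 900 second timer for its pair.
# delete then create resets the lifetime without running the old expiry
# action; if the context is left to expire, the action list in parentheses
# runs, which is the "missing event" report (10 minute period plus 5 minutes slack).
type=Single
ptype=RegExp
pattern=^\S+ +\d+ \d\d:\d\d:\d\d (\S+) heartbeat\[\d+\]: (\S+) heartbeat$
desc=heartbeat from $1/$2
action=delete HEARTBEAT_$1_$2; \
       create HEARTBEAT_$1_$2 900 ( write - MISSING HEARTBEAT host=$1 facility=$2 for 15 minutes )
```

Save this as its own .sr file and feed it the syslog input with the same -conf/-input options shown at the top of this README; both reports go to standard output via write -, so redirect or replace that action with the reporting mechanism used by the other rulesets here.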