# Event Correlation Types

LogZilla documentation for Event Correlation Types

## Event Correlation Rule Types

The following Event Correlation (EC) rule types are used in LogZilla solution examples. Each entry lists its purpose, its required keys, and a verified example taken from existing documentation.
### Pattern type (ptype)

- `SubStr`: substring matching (preferred for performance)
- `RegExp`: regular expression matching, for when substring matching is not sufficient
### Single

Guidance: single-event conditions should use LogZilla Triggers for performance and simplicity. Use an EC Single rule only when it is a required step inside a larger, stateful correlation chain. See Creating Triggers.

Match a single event that meets the condition.

- Keys: `ptype`, `pattern`, optional `context`, `desc`, `action`

Example (Windows successful login after brute force):

```text
# Single-event detection
type=Single
ptype=RegExp
pattern=WINDOWS_AUTH.*MSWin EventID="4624"
desc=Successful login after brute force - potential compromise
action=eval %target_host $ENV{EVENT_HOST}; \
       shellcmd (logger -t SEC-WINDOWS-SECURITY -p local0.crit \
       "WINDOWS_COMPROMISE_SUSPECTED target=\"%target_host\"")
```
### SingleWithThreshold

Count matching events within a time window and fire when the threshold is reached.

- Keys: `ptype`, `pattern`, optional `context`, `desc`, `action`, `thresh`, `window`

Example (Windows brute force):

```text
# Count failed auth attempts
type=SingleWithThreshold
ptype=SubStr
pattern=WINDOWS_AUTH
context=($ENV{EVENT_USER_TAGS_MSWIN_EVENTID} eq "4625")
desc=Brute force attack detected against Windows user
action=eval %username $ENV{EVENT_USER_TAGS_MSWIN_FAILED_LOGIN_USER}; \
       eval %src_ip $ENV{EVENT_USER_TAGS_MSWIN_FAILED_LOGIN_SOURCE_NETWORK}; \
       eval %target_host $ENV{EVENT_HOST}; \
       create BRUTE_FORCE_ACTIVE_%username_%src_ip 1800; \
       shellcmd (logger -t SEC-WINDOWS-SECURITY -p local0.alert \
       "BRUTE_FORCE_DETECTED user=\"%username\" src_ip=\"%src_ip\" target=\"%target_host\" attempts=\"$thresh\"")
thresh=10
window=300
```
### Pair

Detect a two-step sequence: an initial event followed by a second event.

- Keys: `ptype`, `pattern`, `context`, `desc`, `action`, plus `ptype2`, `pattern2`, `context2`, `desc2`, `action2`

Example (BGP down then up with outage duration):

```text
# Down then Up with calculated duration
type=Pair
ptype=SubStr
pattern=BGP_EVENT
context=($ENV{EVENT_CISCO_MNEMONIC} eq "BGP-5-ADJCHANGE") && \
        ($ENV{EVENT_MESSAGE} =~ /Down/)
desc=BGP Neighbor Down on $ENV{EVENT_HOST}
action=eval %neighbor_ip $ENV{EVENT_USER_TAGS_SRCIP}; \
       eval %router_host $ENV{EVENT_HOST}; \
       eval %down_time (time());
ptype2=SubStr
pattern2=BGP_EVENT
context2=($ENV{EVENT_MESSAGE} =~ /BGP.*Up/) && \
         ($ENV{EVENT_USER_TAGS_SRCIP} eq "%neighbor_ip") && \
         ($ENV{EVENT_HOST} eq "%router_host")
desc2=BGP Neighbor %neighbor_ip Up on %router_host
action2=eval %up_time (time()); \
        eval %outage_duration (%up_time - %down_time); \
        shellcmd (logger -t SEC-BGP \
        "BGP_OUTAGE_RESOLVED neighbor=\"%neighbor_ip\" downtime=\"%outage_duration\"")
```
### PairWithWindow

Like `Pair`, but requires the second event to arrive within a specified window.

- Keys: same as `Pair`, plus `window`

Example (BGP adjacency down/up within 4 hours):

```text
# Down then Up within a maximum window
type=PairWithWindow
ptype=SubStr
pattern=BGP_EVENT
context=($ENV{EVENT_CISCO_MNEMONIC} eq "BGP-5-ADJCHANGE") && \
        ($ENV{EVENT_MESSAGE} =~ /neighbor.*Down/)
desc=BGP neighbor outage detected on $ENV{EVENT_HOST}
action=eval %neighbor_ip $ENV{EVENT_USER_TAGS_SRCIP}; \
       eval %router_host $ENV{EVENT_HOST}; \
       eval %outage_start (time());
ptype2=SubStr
pattern2=BGP_EVENT
context2=($ENV{EVENT_CISCO_MNEMONIC} eq "BGP-5-ADJCHANGE") && \
         ($ENV{EVENT_MESSAGE} =~ /neighbor.*Up/) && \
         ($ENV{EVENT_USER_TAGS_SRCIP} eq "%neighbor_ip") && \
         ($ENV{EVENT_HOST} eq "%router_host")
action2=eval %outage_duration (time() - %outage_start); \
        shellcmd (logger -t SEC-BGP \
        "BGP_OUTAGE host=%router_host neighbor=%neighbor_ip duration=%outage_duration")
window=14400
```
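To make the stateful behaviour of the rules above concrete, here is an added example that is not part of the LogZilla documentation and not the EC engine's own code: a small in-memory correlator that mimics `SingleWithThreshold`, a context-gated `Single`, and `PairWithWindow` over a constructed event stream. The event field names (`EventID`, `user`, `src`, `srcip`), hostnames, addresses and timestamps are all made up for the demonstration, and the sliding-window count, the one-alert-per-burst reset and the context expiry are simplified assumptions rather than the engine's exact semantics. The `Single` step here is deliberately gated on the `BRUTE_FORCE_ACTIVE_*` context that the threshold rule creates, which is what turns it into a step of a larger correlation chain as the guidance above requires.

```python
"""Added example (not LogZilla's or SEC's own code): an in-memory correlator
that mimics three rule types from this page over constructed events.  The
counting and context semantics are simplified assumptions; the point is to
show how thresh, window, create and the %variable hand-off between the two
halves of a pair fit together."""
from collections import deque
import re

BRUTE_THRESH, BRUTE_WINDOW, CONTEXT_TTL = 10, 300, 1800   # values from the page's rules
BGP_WINDOW = 14400


def win_auth(t, event_id, user, src, host="dc01"):
    """Constructed Windows auth event; tag names loosely mirror the $ENV{...} variables."""
    return {"time": t, "host": host, "program": "WINDOWS_AUTH", "msg": "",
            "tags": {"EventID": event_id, "user": user, "src": src}}


def bgp(t, host, neighbor, msg):
    """Constructed Cisco BGP adjacency event."""
    return {"time": t, "host": host, "program": "BGP_EVENT", "msg": msg,
            "tags": {"mnemonic": "BGP-5-ADJCHANGE", "srcip": neighbor}}


class Correlator:
    def __init__(self):
        self.contexts = {}   # context name -> expiry time (like 'create NAME TTL')
        self.windows = {}    # threshold key -> deque of event times
        self.pending = {}    # (router, neighbor) -> time of the Down event
        self.alerts = []     # what shellcmd/logger would have emitted

    def context_active(self, name, now):
        exp = self.contexts.get(name)
        if exp is not None and exp > now:
            return True
        self.contexts.pop(name, None)    # expired contexts are forgotten
        return False

    def threshold_reached(self, key, now, thresh, window):
        """Sliding count: True when `thresh` events fell within the last `window` seconds."""
        q = self.windows.setdefault(key, deque())
        q.append(now)
        while q and q[0] <= now - window:
            q.popleft()
        if len(q) >= thresh:
            q.clear()      # assumption: one alert per burst, then count afresh
            return True
        return False

    def handle(self, ev):
        now, tags = ev["time"], ev["tags"]
        if ev["program"] == "WINDOWS_AUTH":
            user, src = tags["user"], tags["src"]
            ctx = f"BRUTE_FORCE_ACTIVE_{user}_{src}"
            if tags["EventID"] == "4625":
                # SingleWithThreshold: 10 failures in 300 s -> alert and an 1800 s context
                if self.threshold_reached(("brute", user, src), now, BRUTE_THRESH, BRUTE_WINDOW):
                    self.contexts[ctx] = now + CONTEXT_TTL
                    self.alerts.append(("BRUTE_FORCE_DETECTED", user, src, ev["host"]))
            elif tags["EventID"] == "4624" and self.context_active(ctx, now):
                # Single, gated on the context: a success while the brute-force
                # context is alive is the 'potential compromise' the page describes
                self.alerts.append(("WINDOWS_COMPROMISE_SUSPECTED", user, src, ev["host"]))
        elif ev["program"] == "BGP_EVENT" and tags["mnemonic"] == "BGP-5-ADJCHANGE":
            key = (ev["host"], tags["srcip"])   # plays the role of %router_host / %neighbor_ip
            if re.search(r"neighbor.*Down", ev["msg"]):
                self.pending[key] = now          # first half: remember %outage_start
            elif re.search(r"neighbor.*Up", ev["msg"]) and key in self.pending:
                start = self.pending.pop(key)
                if now - start <= BGP_WINDOW:    # second half must land inside the window
                    self.alerts.append(("BGP_OUTAGE", key[0], key[1], now - start))


def run(events):
    """Feed events in time order and return the alerts that would have been logged."""
    c = Correlator()
    for ev in sorted(events, key=lambda e: e["time"]):
        c.handle(ev)
    return c.alerts


def sample_events():
    """Constructed stream: one real burst, one sub-threshold burst, two BGP flaps."""
    evs = [win_auth(100 + 20 * i, "4625", "alice", "203.0.113.5") for i in range(10)]
    evs.append(win_auth(290, "4624", "alice", "203.0.113.5"))        # inside the context TTL
    evs += [win_auth(300 + 10 * i, "4625", "bob", "198.51.100.7") for i in range(5)]
    evs.append(win_auth(400, "4624", "bob", "198.51.100.7"))         # no context: stays silent
    evs.append(bgp(1000, "rtr1", "192.0.2.1", "%BGP-5-ADJCHANGE: neighbor 192.0.2.1 Down"))
    evs.append(bgp(1600, "rtr1", "192.0.2.1", "%BGP-5-ADJCHANGE: neighbor 192.0.2.1 Up"))
    evs.append(bgp(5000, "rtr2", "192.0.2.9", "%BGP-5-ADJCHANGE: neighbor 192.0.2.9 Down"))
    evs.append(bgp(25000, "rtr2", "192.0.2.9", "%BGP-5-ADJCHANGE: neighbor 192.0.2.9 Up"))  # past window
    return evs


if __name__ == "__main__":
    for alert in run(sample_events()):
        print(alert)
```

Running the sample produces exactly three alerts: the brute-force detection on alice's tenth failure, the compromise alert on her later success (the context is still alive), and a 600-second outage for rtr1. Bob's five failures never reach `thresh`, so his later success is silent, and rtr2's Up arrives after `window`, so no duration is reported; those two negative cases are the noise that `thresh` and `window` are there to suppress.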
### SingleWithScript

Run an external script to decide or compute a condition.

- Keys: `ptype`, `pattern`, `script`, `desc`, `action`, optional `action2`

Example (Memory trend analysis):

```text
# Analyze memory trend in external script
type=SingleWithScript
ptype=SubStr
pattern=MEMORY_USAGE
script=/usr/local/bin/check-memory-trend.sh $ENV{EVENT_HOST} $ENV{EVENT_USER_TAGS_MEMORY_USAGE}
desc=Memory leak detected on $ENV{EVENT_HOST}
action=eval %host $ENV{EVENT_HOST}; \
       eval %memory_usage $ENV{EVENT_USER_TAGS_MEMORY_USAGE}; \
       eval %service $ENV{EVENT_USER_TAGS_SERVICE}; \
       shellcmd (logger -t SEC-PERFORMANCE -p local0.alert \
       "MEMORY_LEAK_DETECTED host=%host service=%service memory_usage=%memory_usage")
action2=logonly
```
### EventGroup3

Correlate three related conditions (with thresholds) to indicate a larger issue.

- Keys: `ptype`, `pattern`, `context`, `thresh` for each group segment

Example (Network device health):

```text
# Multiple health indicators combined
type=EventGroup3
ptype=SubStr
pattern=DEVICE_HEALTH
context=($ENV{EVENT_PROGRAM} eq "cisco_ios") && \
        ($ENV{EVENT_USER_TAGS_CPU_USAGE} > 80)
thresh=3
ptype2=SubStr
pattern2=DEVICE_HEALTH
context2=($ENV{EVENT_PROGRAM} eq "cisco_ios") && \
         ($ENV{EVENT_USER_TAGS_MEMORY_USAGE} > 90)
thresh2=2
ptype3=SubStr
pattern3=INTERFACE_EVENT
context3=($ENV{EVENT_CISCO_MNEMONIC} eq "LINK-3-UPDOWN") && \
         ($ENV{EVENT_MESSAGE} =~ /down/)
thresh3=1
desc=Device health degradation on $ENV{EVENT_HOST}
action=shellcmd (echo "DEVICE_HEALTH_ALERT host=$ENV{EVENT_HOST} cpu_high=true memory_high=true interface_down=true" | \
       logger -t SEC-CRITICAL -p local0.crit)
```
## Notes

- Prefer `ptype=SubStr` and exact string matching when possible for better performance.
- Use `thresh` and `window` to control noise and define meaningful time bounds for correlation.
- When calling external scripts from EC rules (`shellcmd`), pass values as positional arguments and read them as `$1`, `$2`, etc., in the script.
- Prefer LogZilla Triggers for single-event logic whenever possible; reserve EC for multi-event/stateful correlation.
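The `SingleWithScript` example above and the note on positional arguments both rely on an external script whose contents the page does not show. The following is an added example, not LogZilla's `check-memory-trend.sh`: a stand-in written in Python that accepts the same two positional arguments the rule passes (host, then memory usage), which a shell script would read as `$1` and `$2`. It keeps a short per-host history in a JSON state file, because every invocation is a fresh process and a trend cannot be judged from a single reading, and it signals its verdict through the exit status. The state-file path, the sample counts and the rise threshold are assumptions chosen for the example, as is the convention that exit status 0 means the condition holds (that is SEC's convention for `SingleWithScript`; confirm it against the EC engine you run).

```python
#!/usr/bin/env python3
"""Added example, not LogZilla's check-memory-trend.sh: an external script for a
SingleWithScript rule.  Invoked as

    check-memory-trend.py <host> <memory_usage>

(the positional arguments the rule passes), it records the reading in a per-host
history and exits 0 when the recent readings climb steadily.  Assumptions: the
state path and thresholds below, and that exit status 0 means 'condition holds'."""
import json
import os
import sys

STATE_FILE = "/var/tmp/memory-trend.json"   # assumed location, writable by the EC user
KEEP = 6          # readings retained per host
MIN_SAMPLES = 4   # history needed before any verdict is given
MIN_RISE = 5.0    # percentage points the usage must climb across the history


def update_history(history, value, keep=KEEP):
    """Return the history with the new reading appended and trimmed to `keep` entries."""
    return (history + [value])[-keep:]


def trend_is_rising(history, min_samples=MIN_SAMPLES, min_rise=MIN_RISE):
    """True only when there are enough readings, none drops below its predecessor,
    and the overall climb is at least `min_rise`; flat or noisy series never fire."""
    if len(history) < min_samples:
        return False
    if any(later < earlier for earlier, later in zip(history, history[1:])):
        return False
    return history[-1] - history[0] >= min_rise


def load_state(path):
    """Read the per-host histories; a missing or corrupt file starts from empty."""
    try:
        with open(path) as f:
            return json.load(f)
    except (FileNotFoundError, json.JSONDecodeError):
        return {}


def save_state(path, state):
    """Write via a temporary file and rename so concurrent invocations never read a torn file."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        json.dump(state, f)
    os.replace(tmp, path)


def main(argv):
    if len(argv) != 3:
        sys.stderr.write("usage: check-memory-trend.py HOST MEMORY_USAGE\n")
        return 2
    host, raw = argv[1], argv[2]
    try:
        value = float(raw.rstrip("%"))      # tolerate '73' and '73%'
    except ValueError:
        return 2                            # unparsable input never counts as a match
    state = load_state(STATE_FILE)
    history = update_history(state.get(host, []), value)
    state[host] = history
    save_state(STATE_FILE, state)
    return 0 if trend_is_rising(history) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Install it executable at the path the `script=` key names and it will be run once per matching event; only after four readings for a host that rise without dipping by a total of at least five points does it exit 0, so a single spike or a noisy series does not raise the `MEMORY_LEAK_DETECTED` alert.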