LogAnalysis
[logs] Open Source centralized log management/SIEM solutions Apr 26 2010 03:03PM
Youngquist, Jason R. (jryoungquist ccis edu) (2 replies)
Is anyone using any Open Source or low cost centralized log management/SIEM solution in a production environment which you would recommend?

Specifically, I'm looking for:

--scalability - must be able to handle hundreds of log sources - majority being servers and network devices

--good searching capability

--ability to generate alerts

--good reporting capability - pre-built reports would be nice

--a solution auditors would approve

--able to meet regulatory requirements such as PCI

--fast implementation time - how long would it take to get the solution up and running?

There are more things I'd like, but these are the big requirements.

If an Open Source solution, are there any companies that offer professional services (i.e. consulting/configuration assistance) so we could hit the ground running and not have to spend weeks/months configuring/creating rules/reports, etc.? Ideally, the solution should have some commercial support behind it so if we run into any issues we can speak to a knowledgeable person.

For those QSAs out there, are there any Open Source solutions/low-cost solutions that you have seen implemented well and meet the PCI regulatory guidelines? If so, what were they? If not, what were they lacking that commercial products provide?

For those of you with a home-grown/Open Source log management solution, do you agree with the Gartner quote below? Why/why not?

According to Gartner researchers, "Although [home-grown log management] may prove effective for a limited set of data sources with clearly defined "strings" that the organization is searching for, most organizations quickly run into scalability issues, as well as issues using the data for situational awareness in support of incident response. In most cases, internally developed centralized application log solutions will fall short of meeting organizational requirements."

If you had to do it again would you "roll your own solution" or purchase a commercial log management product?

Appreciate any information you can provide.

Thanks.

Jason Youngquist

Information Technology Security Engineer, Security+

Technology Services

Columbia College

1001 Rogers Street, Columbia, MO 65216

(573) 875-7334

jryoungquist (at) ccis (dot) edu [email concealed]

http://www.ccis.edu

_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org [email concealed]
http://www.loganalysis.org/mailman/listinfo/loganalysis
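The requirements list above (search, alerting, hundreds of sources) and the Gartner quote about home-grown solutions that search for "clearly defined strings" are easier to weigh against a concrete baseline. The following is an added example, not code from the original post or from any product discussed in the thread: a minimal home-grown correlation script that parses syslog-style lines from several hosts, offers plain regex search, and raises a threshold alert for repeated failed logins followed by a success. The log lines are constructed, the year is assumed (BSD syslog carries none), and the rule names and thresholds are assumptions.

```python
"""Minimal home-grown log correlation: parse syslog-style lines from several
hosts, apply string/regex rules, and raise threshold alerts.
Added example; not code from the original mailing-list post. The log lines
below are constructed, and rule names/thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of centralized syslog (RFC 3164-style). The year is
# assumed to be 2010 because this format carries no year.
SAMPLE_LOGS = """\
Apr 26 15:01:02 web01 sshd[2301]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Apr 26 15:01:05 web01 sshd[2301]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Apr 26 15:01:09 web01 sshd[2301]: Failed password for root from 203.0.113.7 port 51236 ssh2
Apr 26 15:01:12 web01 sshd[2301]: Failed password for root from 203.0.113.7 port 51237 ssh2
Apr 26 15:01:15 web01 sshd[2301]: Failed password for root from 203.0.113.7 port 51238 ssh2
Apr 26 15:01:20 web01 sshd[2301]: Accepted password for root from 203.0.113.7 port 51239 ssh2
Apr 26 15:02:00 fw01 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=10.0.0.5 PROTO=TCP DPT=3389
Apr 26 15:30:00 db01 sshd[881]: Failed password for dba from 10.0.0.20 port 40001 ssh2
Apr 26 15:31:00 db01 sudo: dba : TTY=pts/0 ; PWD=/home/dba ; USER=root ; COMMAND=/bin/bash
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")


def parse_line(line, year=2010):
    """Split one syslog line into a dict; return None for lines that do not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    return rec


def search(records, pattern):
    """The 'clearly defined string' search: a plain regex over the message text."""
    rx = re.compile(pattern)
    return [r for r in records if rx.search(r["msg"])]


def correlate(records, threshold=5, window_s=60):
    """Alert when one source IP produces `threshold` failed logins on one host
    within `window_s` seconds, and again when a success from that same source
    follows the burst (the brute-force-then-success pattern)."""
    alerts = []
    failures = defaultdict(list)   # (host, src) -> timestamps of recent failures
    bursts = set()                 # (host, src) pairs that already crossed the threshold
    for r in records:
        f = FAILED_RE.search(r["msg"])
        if f:
            key = (r["host"], f.group("src"))
            failures[key].append(r["ts"])
            # Keep only failures inside the sliding window.
            failures[key] = [t for t in failures[key]
                             if (r["ts"] - t).total_seconds() <= window_s]
            if len(failures[key]) >= threshold and key not in bursts:
                bursts.add(key)
                alerts.append(("brute_force", r["host"], f.group("src"), r["ts"]))
            continue
        a = ACCEPTED_RE.search(r["msg"])
        if a and (r["host"], a.group("src")) in bursts:
            alerts.append(("success_after_burst", r["host"], a.group("src"), r["ts"]))
    return alerts


def run(text=SAMPLE_LOGS):
    """Parse the sample and return (records, alerts)."""
    records = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    return records, correlate(records)


if __name__ == "__main__":
    recs, alerts = run()
    print(f"parsed {len(recs)} records from {len({r['host'] for r in recs})} hosts")
    for a in alerts:
        print("ALERT", *a)
```

On the sample, the script fires one brute-force alert for web01 from 203.0.113.7 and one success-after-burst alert. It also shows where the Gartner quote bites: every device type needs its own regex, all correlation state lives in one process's memory, and there is nothing here for retention, log integrity, or reviewer sign-off, which are the parts an auditor looks for under PCI DSS requirement 10.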

RE: [logs] Open Source centralized log management/SIEM solutions Apr 27 2010 04:56PM
Starks, Michael (Michael Starks atosorigin com)
RE: [logs] Open Source centralized log management/SIEM solutions Apr 26 2010 05:38PM
Sandy Bird (sandy bird Q1Labs com) (2 replies)
RE: [logs] Open Source centralized log management/SIEM solutions Apr 26 2010 09:10PM
Kevin Reiter (KReiter insidefsi net)
Re: [logs] Open Source centralized log management/SIEM solutions Apr 26 2010 05:49PM
Harry Hoffman (hhoffman ip-solutions net) (1 replies)
RE: [logs] Open Source centralized log management/SIEM solutions Apr 27 2010 12:07PM
Soldatov, Sergey V. (SVSoldatov tnk-bp com)


 

Copyright 2010, SecurityFocus