RE: [logs] Open Source centralized log management/SIEM solutions Apr 26 2010 05:38PM
Sandy Bird (sandy bird Q1Labs com) (2 replies)
Wow, people still use this list? I think the last post was from Anton
back at the first of the year.

Honestly, assuming you want true open source, it will be a struggle.
OSSIM (now AlienVault) is as close as you can probably get. I would
guess it is becoming more "free" and less opensource by the day. If you
are looking for "free" and not open source you have a few additional
options. We have QRadar Slim Free Edition, but the free version is only
good to 50 EPS... After 50 EPS you have to purchase appliances and
licenses. The alerting and most of the correlation still works in the
free version, but you lose the offense manager as well as asset and
identity tracking. Splunk is another option (although might be a
struggle for some of your alerting), and again the free version limits
the amount of data you can deal with, or you have to purchase licenses.

Syslog-ng, grep and perl are always an option :-) ... only half joking
here...

Sandy

From: loganalysis-bounces (at) loganalysis (dot) org [email concealed]
[mailto:loganalysis-bounces (at) loganalysis (dot) org [email concealed]] On Behalf Of Youngquist,
Jason R.
Sent: Monday, April 26, 2010 12:04 PM
To: 'loganalysis (at) loganalysis (dot) org [email concealed]'
Subject: [logs] Open Source centralized log management/SIEM solutions

Is anyone using any Open Source or low cost centralized log
management/SIEM solution in a production environment which you would
recommend?

Specifically, I'm looking for:

--scalability - must be able to handle hundreds of log sources -
majority being servers and network devices

--good searching capability

--ability to generate alerts

--good reporting capability - pre-built reports would be nice

--a solution auditors would approve

--able to meet regulatory requirements such as PCI

--fast implementation time - how long would it take to get the solution
up and running?

There are more things I'd like, but these are the big requirements.

If an Open Source solution, are there any companies that offer
professional services (ie. consulting/configuration assistance) so we
could hit the ground running and not have to spend weeks/months
configuring/creating rules/reports, etc. Ideally, the solution should
have some commercial support behind it so if we run into any issues we
can speak to a knowledgeable person.

For those QSAs out there, are there any Open Source solutions/low-cost
solutions that you have seen implemented well and meet the PCI
regulatory guidelines? If so, what were they? If not, what were they
lacking that commercial products provide?

For those of you with a home-grown/Open Source log management solution,
do you agree with the Gartner quote below? Why/why not?

According to Gartner researchers, "Although [home-grown log management]
may prove effective for a limited set of data sources with clearly
defined "strings" that the organization is searching for, most
organizations quickly run into scalability issues, as well as issues
using the data for situational awareness in support of incident
response. In most cases, internally developed centralized application
log solutions will fall short of meeting organizational requirements."

If you had to do it again would you "roll your own solution" or purchase
a commercial log management product?

Appreciate any information you can provide.

Thanks.

Jason Youngquist

Information Technology Security Engineer, Security+

Technology Services

Columbia College

1001 Rogers Street, Columbia, MO 65216

(573) 875-7334

jryoungquist (at) ccis (dot) edu [email concealed]

http://www.ccis.edu

_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org [email concealed]
http://www.loganalysis.org/mailman/listinfo/loganalysis
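Added example, not code from either poster: the "syslog-ng, grep and perl" approach Sandy half-jokes about, written out in Python (standing in for perl) so the trade-off in the Gartner quote is concrete. It parses RFC 3164 lines as syslog-ng writes them to a flat file, matches one "clearly defined string" (the OpenSSH "Failed password ... from IP port N ssh2" message, assumed here as the pattern), and alerts when a source exceeds a threshold inside a time window. The log lines are constructed for the example; the year is an assumption because BSD syslog timestamps carry none. It also shows the kind of thing a home-grown rule has to get right: the username field is attacker-supplied, so the pattern is anchored on the end of the message to stop a crafted username from shifting the blame to another IP.

```python
"""Home-grown syslog alerting: syslog-ng flat file + one regex + a threshold.

Example code for this page (not from the list posters). Assumptions:
  - lines are RFC 3164 ("Apr 26 12:04:01 host prog[pid]: msg"), year-less
  - sshd failures look like OpenSSH's
        "Failed password for [invalid user ]USER from IP port N ssh2"
  - SAMPLE_LOG below is constructed, not captured from a real host
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# RFC 3164 header. prog may or may not carry a [pid] (kernel: has none).
SYSLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) '
    r'(?P<host>\S+) '
    r'(?P<prog>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: '
    r'(?P<msg>.*)$'
)

# The "clearly defined string". USER is attacker-controlled, so the match is
# anchored on the trailing " from IP port N ssh2$": a username crafted as
# "x from 9.9.9.9 port 1" cannot steal the attribution from the real source.
FAILED_RE = re.compile(
    r'^Failed password for (?:invalid user )?(?P<user>.+?) '
    r'from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$'
)

# Constructed sample, including one crafted username and one non-sshd line.
SAMPLE_LOG = """\
Apr 26 12:04:01 web1 sshd[2201]: Failed password for invalid user admin from 10.1.2.3 port 40001 ssh2
Apr 26 12:04:02 web1 sshd[2201]: Failed password for invalid user admin from 10.1.2.3 port 40002 ssh2
Apr 26 12:04:02 web1 sshd[2203]: Accepted publickey for jason from 10.9.8.7 port 51022 ssh2
Apr 26 12:04:03 web1 sshd[2205]: Failed password for root from 10.1.2.3 port 40003 ssh2
Apr 26 12:04:03 fw1 kernel: DROP IN=eth0 SRC=10.1.2.3 DST=10.0.0.5 PROTO=TCP DPT=23
Apr 26 12:04:04 web1 sshd[2207]: Failed password for invalid user oracle from 10.1.2.3 port 40004 ssh2
Apr 26 12:04:05 web1 sshd[2209]: Failed password for invalid user test from 10.1.2.3 port 40005 ssh2
Apr 26 12:04:06 web1 sshd[2211]: Failed password for invalid user x from 9.9.9.9 port 1 from 10.1.2.3 port 40006 ssh2
Apr 26 12:09:30 web1 sshd[2300]: Failed password for jason from 10.9.8.7 port 51030 ssh2
"""


def parse_syslog_line(line, year=2010):
    """Split one RFC 3164 line into fields; None if it does not parse.
    The year is assumed (BSD syslog omits it)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    pid = int(m['pid']) if m['pid'] else None
    return {'ts': ts, 'host': m['host'], 'prog': m['prog'], 'pid': pid,
            'msg': m['msg']}


def extract_failures(lines):
    """Yield (ts, host, user, src) for every sshd password failure."""
    for line in lines:
        rec = parse_syslog_line(line)
        if rec is None or rec['prog'] != 'sshd':
            continue
        fm = FAILED_RE.match(rec['msg'])
        if fm:
            yield rec['ts'], rec['host'], fm['user'], fm['src']


def failures_per_source(lines):
    """Plain 'grep | sort | uniq -c' equivalent: failure count per source IP."""
    counts = defaultdict(int)
    for _ts, _host, _user, src in extract_failures(lines):
        counts[src] += 1
    return dict(counts)


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Alert once per source that reaches `threshold` failures inside a
    sliding window of `window_seconds`. Lines are assumed in time order."""
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    alerted, alerts = set(), []
    for ts, host, _user, src in extract_failures(lines):
        q = recent[src]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({'src': src, 'host': host, 'count': len(q),
                           'first': q[0], 'last': ts})
    return alerts


if __name__ == '__main__':
    for a in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"ALERT {a['src']} -> {a['host']}: {a['count']} failures "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

The point the Gartner quote makes shows up as soon as you try to extend this: every new source type needs its own header and message pattern, the in-memory window does not survive a restart or a second collector, and nothing here gives an incident responder a way to pivot from the alert to the surrounding events. That is the gap the free-tier SIEMs mentioned above fill, at the price of their EPS or data-volume caps.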



Copyright 2010, SecurityFocus