LogAnalysis
[logs] Open Source centralized log management/SIEM solutions Apr 26 2010 03:03PM
Youngquist, Jason R. (jryoungquist ccis edu) (2 replies)
RE: [logs] Open Source centralized log management/SIEM solutions Apr 27 2010 04:56PM
Starks, Michael (Michael Starks atosorigin com)
RE: [logs] Open Source centralized log management/SIEM solutions Apr 26 2010 05:38PM
Sandy Bird (sandy bird Q1Labs com) (2 replies)
RE: [logs] Open Source centralized log management/SIEM solutions Apr 26 2010 09:10PM
Kevin Reiter (KReiter insidefsi net)
Actually, it was Arun on Feb 8. Anton didn't post until March 22 (guess he's been super busy lately?)

(Sorry, I couldn't resist..)

-----Original Message-----
From: loganalysis-bounces (at) loganalysis (dot) org [email concealed] [mailto:loganalysis-bounces (at) loganalysis (dot) org [email concealed]]On Behalf Of Sandy Bird
Sent: Monday, April 26, 2010 1:39 PM
To: Youngquist, Jason R.; loganalysis (at) loganalysis (dot) org [email concealed]
Subject: RE: [logs] Open Source centralized log management/SIEM solutions

Wow, people still use this list? I think the last post was from Anton back at the first of the year.

Honestly, assuming you want true open source, it will be a struggle. OSSIM (now AlienVault) is as close as you can probably get. I would guess it is becoming more "free" and less open source by the day. If you are looking for "free" and not open source you have a few additional options. We have QRadar Slim Free Edition, but the free version is only good to 50 EPS... After 50 EPS you have to purchase appliances and licenses. The alerting and most of the correlation still works in the free version, but you lose the offense manager as well as asset and identity tracking. Splunk is another option (although it might be a struggle for some of your alerting), and again the free version limits the amount of data you can deal with, or you have to purchase licenses.

Syslog-ng, grep and perl are always an option :-) ... only half joking here...

Sandy

From: loganalysis-bounces (at) loganalysis (dot) org [email concealed] [mailto:loganalysis-bounces (at) loganalysis (dot) org [email concealed]] On Behalf Of Youngquist, Jason R.
Sent: Monday, April 26, 2010 12:04 PM
To: 'loganalysis (at) loganalysis (dot) org [email concealed]'
Subject: [logs] Open Source centralized log management/SIEM solutions

Is anyone using any Open Source or low cost centralized log management/SIEM solution in a production environment which you would recommend?

Specifically, I'm looking for:
--scalability - must be able to handle hundreds of log sources - majority being servers and network devices
--good searching capability
--ability to generate alerts
--good reporting capability - pre-built reports would be nice
--a solution auditors would approve
--able to meet regulatory requirements such as PCI
--fast implementation time - how long would it take to get the solution up and running?


There are more things I'd like, but these are the big requirements.


If an Open Source solution, are there any companies that offer professional services (i.e. consulting/configuration assistance) so we could hit the ground running and not have to spend weeks/months configuring/creating rules/reports, etc.? Ideally, the solution should have some commercial support behind it so if we run into any issues we can speak to a knowledgeable person.


For those QSAs out there, are there any Open Source solutions/low-cost solutions that you have seen implemented well and meet the PCI regulatory guidelines? If so, what were they? If not, what were they lacking that commercial products provide?


For those of you with a home-grown/Open Source log management solution, do you agree with the Gartner quote below? Why/why not?
According to Gartner researchers, "Although [home-grown log management] may prove effective for a limited set of data sources with clearly defined "strings" that the organization is searching for, most organizations quickly run into scalability issues, as well as issues using the data for situational awareness in support of incident response. In most cases, internally developed centralized application log solutions will fall short of meeting organizational requirements."

If you had to do it again would you "roll your own solution" or purchase a commercial log management product?


Appreciate any information you can provide.


Thanks.
Jason Youngquist
Information Technology Security Engineer, Security+
Technology Services
Columbia College
1001 Rogers Street, Columbia, MO 65216
(573) 875-7334
jryoungquist (at) ccis (dot) edu [email concealed]
http://www.ccis.edu

This message may contain confidential or proprietary information and is intended solely for the individual(s) to whom it is addressed. If you are not a named addressee you should not disseminate, distribute or copy this e-mail or act upon the information contained herein. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.

_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org [email concealed]
http://www.loganalysis.org/mailman/listinfo/loganalysis

Re: [logs] Open Source centralized log management/SIEM solutions Apr 26 2010 05:49PM
Harry Hoffman (hhoffman ip-solutions net) (1 replies)
RE: [logs] Open Source centralized log management/SIEM solutions Apr 27 2010 12:07PM
Soldatov, Sergey V. (SVSoldatov tnk-bp com)


Copyright 2010, SecurityFocus