LogAnalysis
[logs] Open Source centralized log management/SIEM solutions Apr 26 2010 03:03PM
Youngquist, Jason R. (jryoungquist ccis edu) (2 replies)
RE: [logs] Open Source centralized log management/SIEM solutions Apr 27 2010 04:56PM
Starks, Michael (Michael Starks atosorigin com)
I believe OSSEC, plus Splunk would be a great low/no cost solution which
would meet all of your requirements. Syslog-ng can also be bolted on if
you want something like file system-level log storage with directories
based on hostnames.

I somewhat agree with the quote below if by "home grown" solutions,
Gartner means some internally developed scripts doing some string/regex
matching. If, on the other hand, they also include a collection of
mature open source tools to put the pieces together, I do not
necessarily think it's on the mark. Many of today's open-source log
management/analysis solutions rival the expensive commercial offerings
and provide a lot of value for the investment.

________________________________

From: loganalysis-bounces (at) loganalysis (dot) org [email concealed]
[mailto:loganalysis-bounces (at) loganalysis (dot) org [email concealed]] On Behalf Of Youngquist,
Jason R.
Sent: Monday, April 26, 2010 10:04 AM
To: 'loganalysis (at) loganalysis (dot) org [email concealed]'
Subject: [logs] Open Source centralized log management/SIEM solutions

Is anyone using any Open Source or low cost centralized log
management/SIEM solution in a production environment which you would
recommend?

Specifically, I'm looking for:

--scalability - must be able to handle hundreds of log sources -
majority being servers and network devices

--good searching capability

--ability to generate alerts

--good reporting capability - pre-built reports would be nice

--a solution auditors would approve

--able to meet regulatory requirements such as PCI

--fast implementation time - how long would it take to get the solution
up and running?

There are more things I'd like, but these are the big requirements.

If an Open Source solution, are there any companies that offer
professional services (i.e. consulting/configuration assistance) so we
could hit the ground running and not have to spend weeks/months
configuring/creating rules/reports, etc. Ideally, the solution should
have some commercial support behind it so if we run into any issues we
can speak to a knowledgeable person.

For those QSAs out there, are there any Open Source solutions/low-cost
solutions that you have seen implemented well and meet the PCI
regulatory guidelines? If so, what were they? If not, what were they
lacking that commercial products provide?

For those of you with a home-grown/Open Source log management solution,
do you agree with the Gartner quote below? Why/why not?

According to Gartner researchers, "Although [home-grown log management]
may prove effective for a limited set of data sources with clearly
defined "strings" that the organization is searching for, most
organizations quickly run into scalability issues, as well as issues
using the data for situational awareness in support of incident
response. In most cases, internally developed centralized application
log solutions will fall short of meeting organizational requirements."

If you had to do it again would you "roll your own solution" or purchase
a commercial log management product?

Appreciate any information you can provide.

Thanks.

Jason Youngquist

Information Technology Security Engineer, Security+

Technology Services

Columbia College

1001 Rogers Street, Columbia, MO 65216

(573) 875-7334

jryoungquist (at) ccis (dot) edu [email concealed]

http://www.ccis.edu

_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org [email concealed]
http://www.loganalysis.org/mailman/listinfo/loganalysis
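The syslog-ng part of the suggestion above (file-system log storage with one directory per source host), shown as an added illustration that is not part of the thread: a minimal syslog-ng 3.x configuration receiving remote syslog and writing it under a per-host directory tree. The /var/log/remote path, port 514, the adm group and the use of /etc/hosts for name resolution are assumptions.

```conf
@version: 3.2

options {
    # Do not trust the hostname field that the sending device puts in the
    # packet; derive $HOST from the peer address instead, so a forged or
    # mistyped hostname cannot steer a message into another host's directory.
    keep_hostname(no);
    # Resolve the peer address only via /etc/hosts (no network DNS lookups
    # on the collector's hot path); unresolved peers fall back to their IP.
    use_dns(persist_only);
    chain_hostnames(no);
    create_dirs(yes);
};

# Plain syslog over UDP and TCP from servers and network devices.
source s_remote {
    udp(ip(0.0.0.0) port(514));
    tcp(ip(0.0.0.0) port(514) max-connections(500));
};

# One directory per source host, one file per day, readable only by root/adm
# so that the archive itself does not become a disclosure channel.
destination d_per_host {
    file("/var/log/remote/$HOST/$YEAR-$MONTH-$DAY.log"
         dir_perm(0750)
         perm(0640)
         owner("root")
         group("adm")
         template("$ISODATE $HOST $PROGRAM[$PID]: $MSG\n"));
};

log { source(s_remote); destination(d_per_host); };
```

Pointing OSSEC's log collector or a Splunk file monitor at /var/log/remote/ then covers the search, alerting and reporting requirements while the flat files remain available to auditors.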

RE: [logs] Open Source centralized log management/SIEM solutions Apr 26 2010 05:38PM
Sandy Bird (sandy bird Q1Labs com) (2 replies)
RE: [logs] Open Source centralized log management/SIEM solutions Apr 26 2010 09:10PM
Kevin Reiter (KReiter insidefsi net)
Re: [logs] Open Source centralized log management/SIEM solutions Apr 26 2010 05:49PM
Harry Hoffman (hhoffman ip-solutions net) (1 replies)
RE: [logs] Open Source centralized log management/SIEM solutions Apr 27 2010 12:07PM
Soldatov, Sergey V. (SVSoldatov tnk-bp com)
Copyright 2010, SecurityFocus