Re: Syslog parsing

[Greg Vickers <g.vickers () QUT EDU AU>]

Hi all,

Penn, Blake wrote:
> We are in the process of engineering more robust and centralized logging to
> central syslog servers.  Problem is, once you have gigs and gigs of data,
> how do you parse it effectively and efficiently?
>
> We've looked at a lot of the common open-source parsers out there and
> haven't been too impressed.  Anyone know of a good syslog (or syslog-ng)
> parser (free or commercial), or developed one in-house?
>
> The features that we care most about are:
>
> *     Robust slicing of information across different categories (machine
> name, IP, event ID, etc.)
> *     Correlation capabilities
> *     Easy of use (preferably a web GUI, etc. for use by the lowest common
> denominator)
> *     Low FTE requirements!!!

We have recently completed an investigation into SEM/SIM technology and
shortlisted the following products: (In no particular order)
Security Information Manager by Openservice
Huntsman by Tier-3
Enterprise Security Analytics by Sensage
Security Manager by Intellitactics

They all have good correlation abilities and can slice and dice your
data however you like. Their list price is megabucks (i.e. >100k) but
generally you will be able to bring value to the deal to use as negotiation.

We ran a pilot of the above products and have made a recommendation to
the steering committee on which product to implement. Once it is
ratified, I will let you know which one we are going ahead with :)

--
Greg Vickers
Project Manager, IT Security
Information Technology Services
Queensland University of Technology
L12, 126 Margaret St, Brisbane

Phone: +61 7 3864 9536
Mobile: 0410 434 734
Fax: +61 7 3864 2921
Email: g.vickers () qut edu au
IT Security web site: http://www.its.qut.edu.au/itsecurity/

CRICOS No. 00213J