Educause Security Discussion mailing list archives
Re: Open Source centralized log management/SIEM solutions
From: "Bradley, Stephen W. Mr." <bradlesw () MUOHIO EDU>
Date: Wed, 28 Apr 2010 09:48:49 -0400
We use OSSEC in production to monitor a specific set of Windows servers. Since it is a small subset of all servers, the performance is not an issue. I have tuned it to the point where we get e-mail alerts for only the events we believe are pertinent, and it works well. One of the first things I noticed was how often people forget their passwords...

steve

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joe Marshall
Sent: Wednesday, April 28, 2010 9:42 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Open Source centralized log management/SIEM solutions

The only other open-source SIEM that I know of is OSSIM. Someone else mentioned AlienVault, who seems to be the ones running OSSIM, not OSSEC. Unless I'm really confused... They are two very separate products, aren't they?

http://www.alienvault.com/community.php?section=Home and http://www.ossec.net/

We tested OSSIM a few months ago. It looked extremely promising and was very easy to set up. Its performance was awful though. That could have been based on the older hardware we used to test it.

I'd be very curious to hear from anyone running OSSEC or OSSIM in a production environment. We're staring at SIEM quotes from NitroSecurity, TriGeo, Q1Labs and a few others. They're all rather scary. I would love to find an open source solution that could save us some money.

Joe

Joe Marshall
Executive Director of Network, Information Security, and Telecommunications
Frederick Community College
7932 Opossumtown Pike
Frederick, Maryland 21702
301.624.2824 phone
301.624.2898 fax
"Youngquist, Jason R." <jryoungquist () CCIS EDU> 4/26/2010 11:02 AM >>>
Is anyone using any Open Source or low cost centralized log management/SIEM solution in a production environment which you would recommend? Specifically, I'm looking for:

--scalability - must be able to handle hundreds of log sources - majority being servers and network devices
--good searching capability
--ability to generate alerts
--good reporting capability - pre-built reports would be nice
--a solution auditors would approve
--able to meet regulatory requirements such as PCI
--fast implementation time - how long would it take to get the solution up and running?

There are more things I'd like, but these are the big requirements.

If an Open Source solution, are there any companies that offer professional services (i.e. consulting/configuration assistance) so we could hit the ground running and not have to spend weeks/months configuring/creating rules/reports, etc.? Ideally, the solution should have some commercial support behind it so if we run into any issues we can speak to a knowledgeable person.

For those QSAs out there, are there any Open Source solutions/low-cost solutions that you have seen implemented well and meet the PCI regulatory guidelines? If so, what were they? If not, what were they lacking that commercial products provide?

For those of you with a home-grown/Open Source log management solution, do you agree with the Gartner quote below? Why/why not?

According to Gartner researchers, "Although [home-grown log management] may prove effective for a limited set of data sources with clearly defined "strings" that the organization is searching for, most organizations quickly run into scalability issues, as well as issues using the data for situational awareness in support of incident response. In most cases, internally developed centralized application log solutions will fall short of meeting organizational requirements."

If you had to do it again would you "roll your own solution" or purchase a commercial log management product?
Appreciate any information you can provide. Thanks.

Jason Youngquist
Information Technology Security Engineer, Security+
Technology Services
Columbia College
1001 Rogers Street, Columbia, MO 65216
(573) 875-7334
jryoungquist () ccis edu
http://www.ccis.edu