Educause Security Discussion mailing list archives

Re: Open Source centralized log management/SIEM solutions


From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Fri, 14 May 2010 15:40:38 +1200

On 11/05/2010, at 5:25 AM, Jason Frisvold wrote:

> On 05/05/2010 05:16 AM, Russell Fulton wrote:
> > Currently we are looking at OSSIM (yes, that is Alienvault) and prelude but mostly from the point of view of
> > managing snort data.
>
> Are you at all concerned with their packaging methodology?  From what
> I'm seeing, OSSIM is only available as an ISO file integrated with
> Debian.  We're not Debian users and there's always a question when it
> comes to switching platforms for a single purpose if we can work around it.

Yes, this is a concern and one of the main things I don't like about ossim -- technically they are open source but
only just!  I have also heard mutterings that they don't scale well and as far as snort is concerned there is no
support for barnyard (or any other way of getting stuff in from unified files) which makes it difficult for me to test
it without overloading my snort sensors.

Speaking of platforms, our official linux platform is RHE but I keep on hitting dependency problems with old versions
of various things -- current frustration is that prelude needs a much more recent version of python than RHE 5 supplies.
I've been around this loop at least 3 times in the last 10 years and every time I end up selecting another distro and
maintaining it myself.

> > Another cheapish option is Aanval, I have played with it briefly again focusing more on the snort side.
>
> I'll take a look at this as well, though they lose points immediately
> for having an entirely flash-based website...

:)


Russell
