Educause Security Discussion mailing list archives
Event 'consolidation' (or not)
From: Mark Poepping <poepping () CMU EDU>
Date: Tue, 25 Apr 2006 17:55:42 -0400
EDDY is another effort related to this space:

http://www.cmu.edu/eddy
http://middleware.internet2.edu/e2ed

It was designed to apply to any logging use and is being created specifically to normalize and manage the orchestration of whatever events you have: application log files, IDS alerts, network flow data, etc. In this way, it essentially provides a platform and infrastructure to bring events together as you want, to create whatever analytics you need (accounting, correlation, visualization, diagnostics, etc.). The important points are:

- There is a beta Java framework that you can download now to begin experiments if you like. While it's still early in the development cycle, you can download a working version, and since we'd started with argus flow record rates, this release can handle over 5K events/sec.

- At this point, EDDY is more technology than product; as an open-source distro in beta form, it's not turnkey, but the capabilities and generality extend far beyond anything currently in product.

- There are few analytic methods included in this release, but once you have a common data representation, it will be easier to write better, more extensible analytics and bring wider data sources to them.

- "Orchestration" is a very important point here - EDDY allows for some very creative options for moving data around, holding it, storing it, or throwing it away...

- There is much more information, presentations, etc. available at the web site, and I encourage you to check it out. There are the usual mailing lists and contact info there too, and we welcome your input.

Mark Poepping