Educause Security Discussion mailing list archives

Re: Open Source centralized log management/SIEM solutions


From: Joe Marshall <JMarshall () FREDERICK EDU>
Date: Wed, 28 Apr 2010 09:42:29 -0400

The only other open-source SIEM that I know of is OSSIM.  Someone else
mentioned AlienVault, who seems to be the ones running OSSIM, not OSSEC.
 Unless I'm really confused...  They are two very separate products,
aren't they?
http://www.alienvault.com/community.php?section=Home
and
http://www.ossec.net/
 
We tested OSSIM a few months ago.  It looked extremely promising and
was very easy to set up.  Its performance was awful though.  That could
have been based on the older hardware we used to test it.
 
I'd be very curious to hear from anyone running OSSEC or OSSIM in a
production environment.  We're staring at SIEM quotes from
NitroSecurity, TriGeo, Q1Labs and a few others.  They're all rather
scary.  I would love to find an open source solution that could save us
some money.
 
Joe
 
 
Joe Marshall
Executive Director of Network, Information Security, and
Telecommunications
Frederick Community College
7932 Opossumtown Pike
Frederick, Maryland 21702
301.624.2824 phone
301.624.2898 fax 

"Youngquist, Jason R." <jryoungquist () CCIS EDU> 4/26/2010 11:02 AM


Is anyone using any Open Source or low cost centralized log
management/SIEM solution in a production environment which you would
recommend?
 
Specifically, I'm looking for:
--scalability - must be able to handle hundreds of log sources -
majority being servers and network devices
--good searching capability
--ability to generate alerts
--good reporting capability - pre-built reports would be nice
--a solution auditors would approve
--able to meet regulatory requirements such as PCI
--fast implementation time - how long would it take to get the solution
up and running?
 
 
There are more things I'd like, but these are the big requirements.
 
 
If an Open Source solution, are there any companies that offer
professional services (ie. consulting/configuration assistance) so we
could hit the ground running and not have to spend weeks/months
configuring/creating rules/reports, etc.  Ideally, the solution should
have some commercial support behind it so if we run into any issues we
can speak to a knowledgeable person.
 
 
For those QSAs out there, are there any Open Source solutions/low-cost
solutions that you have seen implemented well and meet the PCI
regulatory guidelines?  If so, what were they?  If not, what were they
lacking that commercial products provide?
 
 
For those of you with a home-grown/Open Source log management solution,
do you agree with the Gartner quote below?  Why/why not?  
According to Gartner researchers, "Although [home-grown log management]
may prove effective for a limited set of data sources with clearly
defined "strings" that the organization is searching for, most
organizations quickly run into scalability issues, as well as issues
using the data for situational awareness in support of incident
response. In most cases, internally developed centralized application
log solutions will fall short of meeting organizational requirements."
 
If you had to do it again would you "roll your own solution" or
purchase a commercial log management product?
 
 
Appreciate any information you can provide.
 
 
Thanks.
Jason Youngquist
Information Technology Security Engineer, Security+
Technology Services
Columbia College
1001 Rogers Street, Columbia, MO  65216
(573) 875-7334
jryoungquist () ccis edu
http://www.ccis.edu
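As an added illustration of what the "home-grown log management" in the Gartner quote above typically looks like (this is not code from anyone in the thread, nor from OSSEC or OSSIM): a small Python script that parses RFC 3164-style syslog lines from several hosts, offers plain substring search, and raises an alert when one source IP produces repeated failed SSH logins across any of the hosts. The log lines are constructed for the example, and the threshold, the message formats and the function names are assumptions. Correlating the failures per source across hosts is the one thing a per-box grep does not give you; everything beyond that (retention, hundreds of sources, reports an auditor will accept) is where such scripts tend to stop scaling.

```python
import re
from collections import defaultdict

# Constructed sample log lines in RFC 3164 syslog style (not real data):
# two hosts with failed SSH logins from the same source, one successful
# login, one firewall drop, and one line that is not syslog at all.
SAMPLE_LOGS = """\
Apr 26 10:01:02 web01 sshd[2231]: Failed password for root from 10.0.0.5 port 50122 ssh2
Apr 26 10:01:04 web01 sshd[2231]: Failed password for root from 10.0.0.5 port 50123 ssh2
Apr 26 10:01:07 web01 sshd[2231]: Failed password for root from 10.0.0.5 port 50124 ssh2
Apr 26 10:01:09 web01 sshd[2235]: Accepted publickey for deploy from 10.0.0.9 port 40000 ssh2
Apr 26 10:02:11 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.20 PROTO=TCP DPT=23
Apr 26 10:02:30 db01 sshd[911]: Failed password for oracle from 10.0.0.5 port 50200 ssh2
this line is not syslog at all
"""

# "Mon DD HH:MM:SS host prog[pid]: message" (pid optional)
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


def parse_syslog(text):
    """Parse syslog-style lines into dicts.

    Lines that do not match are kept under the key 'raw' rather than
    dropped, so a malformed or unexpected source is still visible.
    """
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = SYSLOG_RE.match(line)
        events.append(m.groupdict() if m else {"raw": line})
    return events


def search(events, needle):
    """The 'good searching capability' of a home-grown tool: a
    case-insensitive substring match over the message text."""
    needle = needle.lower()
    return [e for e in events
            if needle in e.get("msg", e.get("raw", "")).lower()]


# Hypothetical pattern for the OpenSSH failed-password message.
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")


def failed_login_alerts(events, threshold=3):
    """Alert when one source IP produced >= threshold failed logins,
    counted across all hosts (the cross-source view a per-box grep lacks).
    The threshold is an assumed value, not a recommendation."""
    per_src = defaultdict(list)
    for e in events:
        m = FAILED_RE.search(e.get("msg", ""))
        if m:
            per_src[m.group("src")].append((e["host"], m.group("user")))
    alerts = []
    for src, hits in sorted(per_src.items()):
        if len(hits) >= threshold:
            hosts = sorted({h for h, _ in hits})
            alerts.append({"src": src, "count": len(hits), "hosts": hosts})
    return alerts


if __name__ == "__main__":
    evs = parse_syslog(SAMPLE_LOGS)
    for hit in search(evs, "failed password"):
        print(hit["host"], hit["msg"])
    for a in failed_login_alerts(evs):
        print("ALERT: %d failed logins from %s against %s"
              % (a["count"], a["src"], ", ".join(a["hosts"])))
```

Running it lists the four failed-password lines and one alert for 10.0.0.5, which hit both web01 and db01; the non-syslog line survives parsing as a raw event so that it can be found and investigated rather than silently lost.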
 
 
