Educause Security Discussion mailing list archives

Re: Open Source centralized log management/SIEM solutions


From: "Bradley, Stephen W. Mr." <bradlesw () MUOHIO EDU>
Date: Wed, 28 Apr 2010 09:48:49 -0400

We use OSSEC in production to monitor a specific set of Windows servers. Since it is a small subset of all servers, the performance is not an issue.
I have tuned it to the point where we get e-mail alerts for only the events we believe are pertinent, and it works well.

One of the first things I noticed was how often people forget their passwords...


steve
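The tuning Steve describes (e-mail only for events that matter, while the everyday forgotten-password noise stays quiet) can be illustrated with a small threshold detector. The following is an added example, not code from Steve's message and not OSSEC's own rule engine: it runs over constructed Windows Security logon events (4624 = successful logon, 4625 = failed logon) in an assumed pipe-separated line format, with made-up account names and addresses. A few failures followed by a success from the same account are treated as a forgotten password and never reach alert level; sustained failures against one account, or failures across several accounts from one source within the window, do.

```python
"""Threshold-based failed-logon alerting over Windows Security logon events.

Added example for illustration; not OSSEC's code. The line format
"timestamp|event_id|account|source" is an assumption, as are all sample values.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625    # Windows Security: an account failed to log on
SUCCESS_LOGON = 4624   # Windows Security: an account was successfully logged on

# Constructed sample log (not real data). Three scenarios:
#   alice      - two failures, then success: forgot her password, no alert
#   svc-backup - five failures in 20 seconds, no success: alert on the account
#   10.7.7.7   - three different accounts failing from one source: alert on the source
SAMPLE_LOG = """\
2010-04-28 09:00:01|4625|alice|10.1.1.5
2010-04-28 09:00:09|4625|alice|10.1.1.5
2010-04-28 09:00:20|4624|alice|10.1.1.5
2010-04-28 09:03:00|4625|svc-backup|10.1.2.7
2010-04-28 09:03:05|4625|svc-backup|10.1.2.7
2010-04-28 09:03:10|4625|svc-backup|10.1.2.7
2010-04-28 09:03:15|4625|svc-backup|10.1.2.7
2010-04-28 09:03:20|4625|svc-backup|10.1.2.7
2010-04-28 09:04:00|4625|bob|10.7.7.7
2010-04-28 09:04:02|4625|carol|10.7.7.7
2010-04-28 09:04:04|4625|dave|10.7.7.7
"""


def parse_line(line):
    """Split one assumed-format line into a dict with a parsed timestamp."""
    ts, event_id, account, source = line.strip().split("|")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "event_id": int(event_id),
        "account": account,
        "source": source,
    }


def evaluate(lines, window=timedelta(minutes=5), fail_threshold=5, account_threshold=3):
    """Return a list of alert dicts for the given log lines.

    repeated_failures       : one account fails >= fail_threshold times inside `window`
                              without an intervening success.
    many_accounts_one_source: failures for >= account_threshold distinct accounts
                              from one source inside `window`.
    Each key (account or source) alerts at most once per run, which is the
    de-duplication that keeps an e-mail alert channel usable.
    """
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    fails_by_account = defaultdict(deque)   # account -> recent failure timestamps
    fails_by_source = defaultdict(deque)    # source  -> recent (timestamp, account)
    already_alerted = set()
    alerts = []

    for ev in events:
        if ev["event_id"] == SUCCESS_LOGON:
            # Success after a handful of failures is the forgot-my-password case:
            # clear the account's counter so it never reaches alert level.
            fails_by_account.pop(ev["account"], None)
            continue
        if ev["event_id"] != FAILED_LOGON:
            continue

        cutoff = ev["ts"] - window

        # Sliding window of failures per account.
        acct_q = fails_by_account[ev["account"]]
        acct_q.append(ev["ts"])
        while acct_q and acct_q[0] < cutoff:
            acct_q.popleft()
        if len(acct_q) >= fail_threshold and ("account", ev["account"]) not in already_alerted:
            already_alerted.add(("account", ev["account"]))
            alerts.append({"rule": "repeated_failures", "key": ev["account"],
                           "count": len(acct_q), "ts": ev["ts"]})

        # Sliding window of (timestamp, account) failures per source address.
        src_q = fails_by_source[ev["source"]]
        src_q.append((ev["ts"], ev["account"]))
        while src_q and src_q[0][0] < cutoff:
            src_q.popleft()
        distinct_accounts = {acct for _, acct in src_q}
        if len(distinct_accounts) >= account_threshold and ("source", ev["source"]) not in already_alerted:
            already_alerted.add(("source", ev["source"]))
            alerts.append({"rule": "many_accounts_one_source", "key": ev["source"],
                           "count": len(distinct_accounts), "ts": ev["ts"]})

    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOG.splitlines()):
        print(f"{alert['ts']}  {alert['rule']:<25} {alert['key']:<12} count={alert['count']}")
```

Running the block prints two alerts (svc-backup and 10.7.7.7) and nothing for alice. The thresholds and window are the tuning knobs; raising `fail_threshold` until the helpdesk's normal lockout volume stops paging you is the equivalent of the rule-level adjustment Steve describes.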

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joe Marshall
Sent: Wednesday, April 28, 2010 9:42 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Open Source centralized log management/SIEM solutions

The only other open-source SIEM that I know of is OSSIM. Someone else mentioned AlienVault, who seem to be the ones running OSSIM, not OSSEC. Unless I'm really confused... They are two very separate products, aren't they?
http://www.alienvault.com/community.php?section=Home
and
http://www.ossec.net/

We tested OSSIM a few months ago. It looked extremely promising and was very easy to set up. Its performance was awful though. That could have been based on the older hardware we used to test it.

I'd be very curious to hear from anyone running OSSEC or OSSIM in a production environment. We're staring at SIEM quotes from NitroSecurity, TriGeo, Q1Labs and a few others. They're all rather scary. I would love to find an open source solution that could save us some money.

Joe


Joe Marshall
Executive Director of Network, Information Security, and Telecommunications
Frederick Community College
7932 Opossumtown Pike
Frederick, Maryland 21702
301.624.2824 phone
301.624.2898 fax

"Youngquist, Jason R." <jryoungquist () CCIS EDU> 4/26/2010 11:02 AM:

Is anyone using any Open Source or low cost centralized log management/SIEM solution in a production environment which you would recommend?

Specifically, I'm looking for:

--scalability - must be able to handle hundreds of log sources - majority being servers and network devices
--good searching capability
--ability to generate alerts
--good reporting capability - pre-built reports would be nice
--a solution auditors would approve
--able to meet regulatory requirements such as PCI
--fast implementation time - how long would it take to get the solution up and running?

There are more things I'd like, but these are the big requirements.

If an Open Source solution, are there any companies that offer professional services (i.e. consulting/configuration assistance) so we could hit the ground running and not have to spend weeks/months configuring/creating rules/reports, etc.? Ideally, the solution should have some commercial support behind it so if we run into any issues we can speak to a knowledgeable person.

For those QSAs out there, are there any Open Source solutions/low-cost solutions that you have seen implemented well and meet the PCI regulatory guidelines? If so, what were they? If not, what were they lacking that commercial products provide?

For those of you with a home-grown/Open Source log management solution, do you agree with the Gartner quote below? Why/why not?

According to Gartner researchers, "Although [home-grown log management] may prove effective for a limited set of data sources with clearly defined "strings" that the organization is searching for, most organizations quickly run into scalability issues, as well as issues using the data for situational awareness in support of incident response. In most cases, internally developed centralized application log solutions will fall short of meeting organizational requirements."

If you had to do it again would you "roll your own solution" or purchase a commercial log management product?

Appreciate any information you can provide.

Thanks.

Jason Youngquist
Information Technology Security Engineer, Security+
Technology Services
Columbia College
1001 Rogers Street, Columbia, MO  65216
(573) 875-7334
jryoungquist () ccis edu
http://www.ccis.edu
