Firewall Wizards mailing list archives

WebTrends Alternative


From: "Burden, James" <JBurden () caiso com>
Date: Fri, 19 Nov 1999 16:39:07 -0800

I am running several firewalls at our site from several different vendors.
Being from the 'old school', I am used to writing shell scripts to parse the
logs to get to the point where a human has to look at them.  Modification to
the scripts is usually fairly constant as you are continually trying to
refine what you want to view, or report.

Recently a product was mentioned in the firewalls list that would perform
this function called "WebTrends" - http://www.webtrends.com.  I looked into
this company as a possible way to cut down on our labor while keeping our
firewall (server) log reviews current.  What I wanted to do was to download
all of our firewall logs to a UNIX platform with a dedicated NIC to an NT
box running WebTrends.  Many of the firewalls on the market are supported by
WebTrends, and they even give configuration on how to push syslog (UDP 514)
from the firewalls to the server.  I asked for a possible solution of:

Firewall <--IPSEC (syslog) --> UNIX box <-cross-over-cable-WebTrends

He replied to my five question email with four URLs pointing at his site.
Thus not answering any question, beyond what I already knew, except for the
following question:
*  When/if WebTrends would ever support a complete UNIX solution?
(WebTrends is currently geared towards NT....)

Unfortunately, WebTrends' licensing strategy makes it financially infeasible
for a large shop.  Basically, you license each firewall ($1497) or you can
purchase additional licenses in groups of 4 ($4497).  In all fairness, the
sales guy did state that he would work with the price with us.  If you
wanted support for the product then you were required to pay $1798 for each
firewall per year.  When I inquired about a site license he stated that it
was not available.  He made the comment that they have to make money also.
While I am not against someone making money, I do not think that WebTrends
is the way to go for a large shop with several firewalls.  For instance,
let's say you have 40 firewalls:

10 (4 licenses in 1) x $4497 = $44,970

And if you want support:

40 x $1798 = $71,920 per year

Now, I still have to hire the people to read the logs/reports and act on
them.  I have received estimates for outsourcing this entire process between
$900-$3000 per firewall.  Plus, I would get change management, someone to
make the changes, patch the firewalls, et cetera.

40 x $900 = $36,000 per year

What I am looking for is a product with a bit more of a "progressive" view.
Does anyone know of one?  Or is it back to the shell scripting salt mines?
Another idea that comes to mind is to hire a couple of developers to write
my own.  

As a last idea, is anyone interested in setting up a new business?  ;-)

Happy Hunting,
Jim


James L. Burden, Security Engineer and Architect
California Independent System Operator
Phone: 916.351.2243 http://www.caiso.com
41DF 0E4C 26E0 2FD3 8C81  A260 5C40 280E B4AE 7420
_____________________________________
  Know yourself, Know your enemy
     in a hundred battles you will never be in danger,
  Know the ground, Know the weather,
     and your victory will be total.    - Sun Tzu 
_____________________________________              

Disclaimer:  The above represents my personal opinions and not an 
official endorsement or position by the California ISO, my current 
employer.  I reserve the right to disavow them at my convenience.  


