[logs] Log Aggregation/SIEM solutions/Compliance
Bill Clark
wwclark at gmail.com
Thu Mar 29 12:04:24 PDT 2007
Since the list has picked up a bit again, I thought I would throw something
out there for opinions. I am looking to solve many similar problems, possibly
in one product. One need is a tool to allow many different types of people
to view collections or classes of log events in one place. Currently we
have a number of different centralized collection points: one place for all
Snort sensors, one place for all firewall logs, one for all Unix servers, one
for all Windows servers, one for all identity management events, etc. You
get the idea.

We want a tool for security oversight, compliance and operational benefits.
At the same time, attesting to log reviews for compliance has become quite
tedious, and there is a need for better automated workflow and notification
for all these logs. Originally I thought we might develop this in-house,
perhaps leveraging an open source tool. But we have found that there is a
tool out there we think will do most of this with the money we had budgeted
to do this ourselves. And if we went with it we could start benefiting
sooner.

We have identified the Novell acquisition of e-Security's Sentinel product.
We like that it is agentless with some light agent support and that the
correlation rules are PCRE-like. The collectors appear to meet most of our
needs, with flexibility to add custom ones. The architecture also seems
scalable, with a message bus feeding a database. And the database is pretty
open.

I don't want to turn this into a product pimping session. I am looking for
opinions from people that have looked at it, used it, or have other better
ideas, commercial or open source. ArcSight was ruled out early because of
cost and not looking very open. I won't get into specific requirements as
this isn't an RFP.

--
Bill Clark
wwclarkATgmailDOTcom