Free OpenSource SIEM that you recommend?

UnixGuy Mod Posts: 4,570
My experience in InfoSec is extremely limited so I'd like some input from the experienced folks in here :)

I'd like to implement some useful SIEM to truly monitor my environment. I was wondering if there are good free open source ones out there?

Also, what commercial tools do you recommend? I'm thinking of trying Splunk, but I'd rather something free & open source.
Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE


Comments

  • Vask3n Member Posts: 517
    I currently use an ecosystem of open source tools which together form an effective SIEM.

    You won't find an effective open source tool that functions as a complete SIEM just by itself. Instead, you will combine several tools together to form a SIEM-type solution.

    I have a SIEM pipeline that looks something like this (not giving all details, though): open source host-based and network-based intrusion detection systems (HIDS and NIDS) which pass events to something like Logstash. From here, you can either visualize your logs with a dashboard like Graphite or Kibana, or you can go the extra step and implement a way to index/search through those logs; look into something called Elasticsearch.
    Working on MS-ISA at Western Governor's University
  • wes allen Member Posts: 540
    UnixGuy wrote: »
    Also, what commercial tools do you recommend? I'm thinking of trying Splunk, but I'd rather something free & open source.

    I would highly recommend Splunk - you can index up to 500 MB/day on the free version. Without the enterprise security app, it won't be a traditional SIEM, but I get pinged for Splunk jobs all the time, and I love the product for security work. If you want to do open source, then the ELK stack is the next best thing. I think Google recently released a platform that might be worth looking into, as well.
  • the_Grinch Member Posts: 4,165
    I highly recommend the ELK stack. We use it here at work and once you nail down the specifics it is a very effective tool. As stated above, we run OSSEC on critical servers and output the logs to Logstash. From there we index them with Elasticsearch and created queries within Kibana to monitor for specific things we are looking for. With it we are able to detect hacking attempts, bad hardware, logins, password changes, and technically we can also see service issues. We got a report that one site was slow and I was able to do some queries which found an uptick in Nagios calls. This uptick (when compared to other days) was higher in the hours of the slow period. If you need any pointers feel free to ask! I went through the Elasticsearch training and we've been running our cluster for 10 months now.

    Splunk is definitely a great tool, but when you're on a budget ELK can do the same things (with a little work). Plus with Kibana 4 they've really stepped up their game.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
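
The "uptick compared to other days" check described in the post above, as an added example that is not part of the original thread or the poster's setup (which used Kibana queries over Elasticsearch). It is plain Python over constructed log lines; the line format, host name, and thresholds are assumptions.

```python
from collections import Counter
from datetime import datetime
from statistics import median

def hourly_counts(lines, needle):
    """Count lines mentioning `needle` per (date, hour).
    Assumed line format: '<ISO timestamp> <host> <message>'."""
    counts = Counter()
    for line in lines:
        ts, _, rest = line.partition(" ")
        if needle not in rest:
            continue
        try:
            t = datetime.fromisoformat(ts)
        except ValueError:
            continue  # skip malformed timestamps instead of aborting the run
        counts[(t.date(), t.hour)] += 1
    return counts

def upticks(counts, day, factor=3.0, min_events=10):
    """Hours on `day` whose count exceeds `factor` times the median
    count for the same hour on every other day in the data."""
    other_days = {d for d, _ in counts if d != day}
    flagged = []
    for hour in range(24):
        today = counts.get((day, hour), 0)
        baseline = median([counts.get((d, hour), 0) for d in other_days]) if other_days else 0
        # max(baseline, 1) keeps a quiet baseline from flagging tiny counts
        if today >= min_events and today > factor * max(baseline, 1):
            flagged.append((hour, today, baseline))
    return flagged

def make_sample():
    """Constructed data: 3 days, 5 Nagios checks per hour, except 40 per hour
    on 2015-03-03 between 14:00 and 15:59, plus unrelated and malformed lines."""
    lines = []
    for d in (1, 2, 3):
        for h in range(24):
            n = 40 if (d == 3 and h in (14, 15)) else 5
            for i in range(n):
                lines.append(f"2015-03-0{d}T{h:02d}:{i:02d}:00 web01 nagios check_http from 10.0.0.5")
            lines.append(f"2015-03-0{d}T{h:02d}:59:30 web01 sshd session opened")
    lines.append("garbage-line without timestamp nagios")
    return lines
```

Comparing each hour against the same hour on other days, rather than against a daily average, keeps normal daily traffic cycles from being flagged.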
  • yzT Member Posts: 365
    AlienVault's OSSIM is the one I have used.
  • UnixGuy Mod Posts: 4,570
    Thanks guys! ELK sounds like a great start! I'll give it a shot. I'll let you know how it goes :)
