Free OpenSource SIEM that you recommend?

My experience in InfoSec is extremely limited so I'd like some input from the experienced folks in here

I'd like to implement some useful SIEM to truly monitor my environment, I was wondering if there are good free open source out there?

Also, what commercial tools do you recommend? I'm thinking of trying Splunk, but I'd rather something free & open source.

Find more posts tagged with

Comments

Vask3n

I currently use an ecosystem of open source tools which together form an effective SIEM

You won't find an effective open source tool that functions as a complete SIEM just by itself. Instead, you will combine several tools together to form a SIEM-type solution.

I have a SIEM pipeline that looks something like this (not giving all details, though): Open Source Host-based and network-based intrusion detection systems (HIDS and NIDS) which pass events to something like Logstash. From here, you can either visualize your logs with a dashboard like Graphite or Kibana, or you can go the extra step and implement a way to index/search through those logs- look into something called ElasticSearch

wes allen

UnixGuy wrote: »

Also, what commercial tools do you recommend? I'm thinking of trying Splunk, but I'd rather something free & open source.

I would highly recommend Splunk - you can index up to 500mb / day on the free version. Without the enterprise security app, it won't be a traditional SIEM, but I get pinged for splunk jobs all the time, and I love the product for security work. If you want to do open source, then the ELK stack is the next best thing. I think Google recently released a platform that might be worth looking into, as well.

the_Grinch

I highly recommend the ELK stack. We use it here at work and once you nail down the specifics it is an very effective tool. As stated above we run OSSEC on critical servers and output the logs to Logstash. From there we index them with Elasticsearch and created queries within Kibana to monitor for specific things we are looking for. With it we are able to detect hacking attempts, bad hardware, logins, password changes, and technically we can also see service issues. We got a report that one site was slow and I was able to do some queries which found an uptick in nagios calls. This uptick (when compared to other days) were higher in the hours of the slow period. If you need any pointers feel free to ask! I went through the Elasticsearch training and we've been running our cluster 10 months now.

Splunk is definitely a great tool, but when you're on a budget ELK can do the same things (with a little work). Plus with Kibana 4 they've really stepped up their game.

yzT

Alienvault's OSSIM is the one I have used.

UnixGuy

Thanks guys! ELK sounds like a great start! I'll give it a shot. I'll let you know how it goes