Hi all,
I am looking for a good log centralisation / alerting / mining solution. I know about syslog-ng / rsyslog+phpLogCon; I'd like something more complete ...
Something with a bit of realtime analysis (regexp?) and correlation ... and a nice interface where you could get some useful details fast ...
What solution do swinoggers use?
Thanks!
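As an illustration of the "realtime analysis (regexp) and correlation" the post asks for, here is a small worked example; it is added here and is not code from the thread or from any product discussed in it. It parses RFC 3164-style syslog lines with a regular expression, folds indented continuation lines (a Java stack trace, the multi-line case raised later in the thread) into a single event, and applies one sliding-window correlation rule: three or more failed SSH logins from the same source address within 60 seconds raise an alert. The log lines, host names, addresses and thresholds are all constructed for the example.

```python
import re
from collections import deque
from datetime import datetime

# Constructed sample input (not from the thread): BSD-syslog style lines as
# syslog-ng / rsyslog would forward them to a central collector.
SAMPLE_LOG = """\
Jan 21 08:47:01 fw1 sshd[2211]: Failed password for root from 10.0.0.7 port 40122 ssh2
Jan 21 08:47:03 fw1 sshd[2211]: Failed password for root from 10.0.0.7 port 40123 ssh2
Jan 21 08:47:04 app2 java[919]: Exception in thread "main" java.lang.NullPointerException
Jan 21 08:47:04 app2 java[919]:     at ch.example.Foo.bar(Foo.java:42)
Jan 21 08:47:04 app2 java[919]:     at ch.example.Main.main(Main.java:7)
Jan 21 08:47:05 fw1 sshd[2211]: Failed password for root from 10.0.0.7 port 40124 ssh2
Jan 21 08:47:40 fw1 sshd[2211]: Failed password for admin from 10.0.0.9 port 5110 ssh2
Jan 21 08:49:10 fw1 sshd[2211]: Failed password for root from 10.0.0.7 port 40125 ssh2
"""

# RFC 3164 header: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# Field extraction for the one message type the correlation rule cares about.
FAILED_RE = re.compile(
    r"Failed password for (?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse_events(lines):
    """Parse syslog lines into event dicts.

    An indented message (e.g. a stack-trace frame) is treated as a continuation
    of the previous event from the same host and program, so a multi-line
    exception becomes one event instead of several unrelated lines.
    """
    events = []
    for raw in lines:
        if not raw.strip():
            continue
        m = SYSLOG_RE.match(raw)
        if not m:
            continue  # a real collector would count or forward unparsable lines
        ev = m.groupdict()
        # syslog timestamps carry no year; only deltas are needed here
        ev["time"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
        prev = events[-1] if events else None
        if (ev["msg"].startswith((" ", "\t")) and prev
                and prev["host"] == ev["host"] and prev["prog"] == ev["prog"]):
            prev["msg"] += "\n" + ev["msg"].strip()
            prev["lines"] += 1
            continue
        ev["lines"] = 1
        events.append(ev)
    return events


def correlate_failed_logins(events, threshold=3, window_seconds=60):
    """Sliding-window rule: `threshold` failed logins from one source address
    within `window_seconds` produce one alert. Returns the list of alerts."""
    recent = {}  # source address -> timestamps still inside the window
    alerts = []
    for ev in events:
        fm = FAILED_RE.search(ev["msg"])
        if not fm:
            continue
        src = fm.group("src")
        q = recent.setdefault(src, deque())
        q.append(ev["time"])
        while (ev["time"] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # expire timestamps that fell out of the window
        if len(q) >= threshold:
            alerts.append({
                "src": src, "host": ev["host"], "count": len(q),
                "first": q[0].strftime("%H:%M:%S"),
                "last": ev["time"].strftime("%H:%M:%S"),
            })
            q.clear()  # one burst yields one alert, not one per extra line
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG.splitlines())
    print(f"{len(evs)} events parsed")
    for a in correlate_failed_logins(evs):
        print(f"ALERT {a['count']} failed logins from {a['src']} on "
              f"{a['host']} between {a['first']} and {a['last']}")
```

On the sample input the three-line Java exception collapses into one event, and the four `root` failures from 10.0.0.7 produce exactly one alert (the fourth attempt at 08:49:10 lies outside the 60-second window), while the single failure from 10.0.0.9 stays below the threshold. Feeding the parser from a socket or a tailed file instead of a string is the only change needed to run it against live syslog traffic.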
Hello,
Maybe have a look at splunk. It's not free, but it seems to do what you're looking for.
I'd like to ask at the same time if anyone here is using it, because I'm thinking about installing it on our network. Some feedback would be great.
www.splunk.com
Regards, Olivier B.
Marcel Prisi wrote:
swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Hi
There is actually a free version of Splunk, with a few restrictions though (no access controls). But you can still handle up to 500 MB of logs per day, and it's quite easy to install and configure.
The search engine seems to be quite powerful; we run it on a Debian system with 256 MB RAM, have approx. 7'500'000 log entries on it, and searching for a host takes just a few seconds.
Regards
Tobias
Olivier Beytrison wrote:
Splunk. Definitely Splunk ;)
If you have any questions or you want to talk more about your use-cases, I am happy to have a chat with you.
On a serious note, I think you should try it. And it is free up to 500MB/day! That's quite a bit. After that it's fairly reasonably priced! One other thing that you might want to take into consideration is that other log management solutions don't cope with configuration files or multi-line information very well, if at all. I could list you a few very interesting use-cases around that: configuration management comes to mind. Also have a look at my blog where I talk a bit about the difference between IT Search (splunk) and the log management tools: blogs.splunk.com/raffy.
Just say if you have any questions!
Raffy
-- Raffael Marty Chief Security Strategist @ Splunk> Security Visualization: http://secviz.org raffy.ch/blog
On Jan 20, 2008, at 11:52 PM, Olivier Beytrison wrote:
Too bad that Splunk does not run on Windows :(
We are a Windows company, and if I tell them that we want to run a Linux server, our management would kill me ;)
Is there anything out on the Net for log management which is Windows-based?
Regards Capo
-----Original Message----- From: swinog-bounces@lists.swinog.ch [mailto:swinog-bounces@lists.swinog.ch] On Behalf Of Raffael Marty Sent: Monday, 21 January 2008 09:07 To: swinog@swinog.ch Subject: Re: [swinog] Log centralisation / mining
Too bad that Splunk does not run on Windows :(
Not yet! There is a preview version out that runs on Windows, but it's still a bit unstable. By the end of the month, we should have something that is releasable! Hang tight or try the preview!
Cheers
-raffy
Michele Capobianco wrote:
Too bad that Splunk does not run on Windows :(
We are a Windows company, and if I tell them that we want to run a Linux server, our management would kill me ;)
Then don't expect a free (OSS) solution ;-) I'd look into some of the UTM (Unified Threat Management) or (specialized) IDS solutions. I haven't tried it, but if I had a budget, I'd take a look at Tenable's log-correlation products: http://www.tenablesecurity.com/ They actually don't run on Windows either, but they can analyze Windows logs.
See these links: http://www.networkintrusion.co.uk/consoles.htm
BTW: I'd be interested to hear from people running one of those.
Is there anything out on the Net for log management which is Windows-based?
I guess there is a system-management solution from MSFT, too. Call your MSFT-sales rep ;-)
cheers, Rainer
Hello Raffy
Splunk. Definitely Splunk ;)
Raffael Marty Chief Security Strategist @ Splunk> Security Visualization: http://secviz.org raffy.ch/blog
I see. A totally unbiased position. ;)
Hi!
Give us more details...
What is your log volume? How many systems?
Are you looking for an open-source solution or a commercial one?
-----Original Message----- From: swinog-bounces@lists.swinog.ch [mailto:swinog-bounces@lists.swinog.ch] On Behalf Of Marcel Prisi Sent: Monday, 21 January 2008 08:48 To: swinog@swinog.ch Subject: [swinog] Log centralisation / mining
On Monday, 21 January 2008 at 08:56 +0100, Reza Kordi wrote:
Hi!
Give us more details...
What is your log volume? How many systems?
For now, 20-30 systems (growing), and we also use syslog from some of our applications.
Are you looking for an open-source solution or a commercial one?
I would of course prefer an open-source one, but I will evaluate every interesting solution.
Thanks.
On Mon, 2008-01-21 at 08:47 +0100, Marcel Prisi wrote:
Hi,
If you need a commercial solution and need to be compliant (SOX, Basel II, etc.): I was working last week with RSA enVision. It supports all kinds of log interfaces and has very good reporting/alarming functions.
I also like the opensource solutions but I couldn't find any solution yet for a good reporting and alarming.
If you need to know more about enVision you can contact me directly.
Peter
The most professional solution on the market is surely EMC/RSA enVision; if you see it, you won't want to bother with anything else.
If you want a demo, let me know off list.
Best Regards / Kind regards
Reza Kordi Managing Director
Clue AG Blegistrasse 9 CH - 6340 Baar/Zug tel. +41 41 240'49'49 fax. +41 41 240'49'59 mob. +41 78 870'02'30
www.clue.ch - On with Virtualization
On Jan 21, 2008, at 3:45 AM, Roman Hochuli wrote:
Hello Raffy
Splunk. Definitely Splunk ;)
Raffael Marty Chief Security Strategist @ Splunk> Security Visualization: http://secviz.org raffy.ch/blog
I see. A totally unbiased position. ;)
I assumed that was obvious... That's why I also said:
On a serious note, I ...
Reza wrote:
The most professional solution on market is surely EMC/RSA envision, if you see it you won't want to bother with anything else.
I would totally disagree. If you really want to go down that route, ArcSight is the one you want to go for. But again, be clear on what you are trying to do. All of these solutions are slightly different and should match your use.
-raffy
Raffy, What do you like about ArcSight? The policy engine? Compliance?
Which version of Arcsight did you look at?
Cheers, Reza
-----Original Message----- From: swinog-bounces@lists.swinog.ch [mailto:swinog-bounces@lists.swinog.ch] On Behalf Of Raffael Marty Sent: Monday, 21 January 2008 18:17 To: swinog@swinog.ch Subject: Re: [swinog] Log centralisation / mining
Well... I used to lead the solutions team at ArcSight. I was responsible for building all the compliance and "other" solutions. I have worked with up to ESM version 4.0.
There is no policy engine. It's a rules-engine. And yes, it's one of the best out there, if you want to do real time correlation.
In terms of compliance, it's what they sell as solutions. I am not going to comment on them here. It's what I built in my prior life. They are obviously stellar *grins*.
Sorry for being sparse on details, but I think you understand based on my bias.
-raffy
-- Raffael Marty Chief Security Strategist @ Splunk> Security Visualization: http://secviz.org raffy.ch/blog
On Jan 28, 2008, at 12:19 AM, Reza Kordi wrote: