
Looking for a recommendation: Logfile management / SIEM

Hi all,


To make it short: I'm looking for an alternative solution to Splunk. From time to time we have to create rulesets based on captured traffic. As a result we often have huge logfiles and need to analyse them or have to create a ruleset from them. We have text files up to 3GB, and Excel and Access are not working with these file sizes. Normally Excel would be sufficient for me, if it could handle all the data....

Are there any (simple) products (preferably open source) that can be used to import and analyse text files? It would also be good if the tool could simplify the data (remove duplicates etc.) and create something like a connection overview with custom selects.


Best Regards

Sebastian



  • Hi darrellr,


    Basically I want to create a (simplified) connection overview, to be able to see what connections are there and then finally to decide, from out of these connections, which should be part of a ruleset. But of course I don't need to see the same type of connection, for example, client request to DNS server.

    It should also be possible to filter for specific data, like a specific destination port and IP address etc. etc...


    I have Splunk running now in a test version.... I will make some tests on how it works.


    Thank you.
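As an added example (not from the thread, and not code from any product named in it), a Python sketch of the dedupe-and-filter step described above: stream a large firewall log line by line, collapse repeated sessions into unique source/destination/port/protocol tuples with hit counts, optionally filter by destination IP or port, and drop noise such as DNS lookups. The log line format and the sample lines are constructed assumptions; adjust `LINE_RE` to the real log format.

```python
import re
from collections import Counter
from typing import Iterable, Optional, Tuple

# Constructed sample firewall log lines (not from the thread); the format is an assumption.
SAMPLE_LOG = """\
2024-01-01T10:00:01 fw1 ALLOW TCP 10.0.1.15:51234 -> 10.0.2.10:443
2024-01-01T10:00:02 fw1 ALLOW UDP 10.0.1.15:53311 -> 10.0.0.53:53
2024-01-01T10:00:03 fw1 ALLOW TCP 10.0.1.16:51235 -> 10.0.2.10:443
2024-01-01T10:00:04 fw1 ALLOW UDP 10.0.1.16:53312 -> 10.0.0.53:53
2024-01-01T10:00:05 fw1 ALLOW TCP 10.0.1.15:51236 -> 10.0.2.10:443
2024-01-01T10:00:06 fw1 DENY  TCP 10.0.1.17:51237 -> 10.0.2.11:3389
"""

# Hypothetical line layout: "<ts> <host> <ACTION> <PROTO> <src>:<sport> -> <dst>:<dport>".
LINE_RE = re.compile(
    r"(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)

ConnKey = Tuple[str, str, int, str, str]  # (src, dst, dport, proto, action)


def connection_summary(lines: Iterable[str], exclude_dports: Tuple[int, ...] = (53,),
                       dst: Optional[str] = None, dport: Optional[int] = None) -> Counter:
    """Collapse log lines into unique connection tuples with hit counts.

    The ephemeral source port is dropped, so repeated sessions between the same
    client and service dedupe into one row. Lines that do not match are skipped,
    since real logs carry noise. Works on any iterable, so a 3GB file can be
    streamed line by line without loading it into memory.
    """
    counts: Counter = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        port = int(m["dport"])
        if port in exclude_dports:
            continue  # e.g. drop client -> DNS chatter from the overview
        if dst is not None and m["dst"] != dst:
            continue
        if dport is not None and port != dport:
            continue
        counts[(m["src"], m["dst"], port, m["proto"], m["action"])] += 1
    return counts


def summarize_file(path: str, **filters) -> Counter:
    """Stream a log file from disk and build the connection overview."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return connection_summary(fh, **filters)
```

Each key of the returned Counter is one candidate rule line; the count tells you how often that connection was actually seen in the capture.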

  • It sounds like you might want a flow viewer rather than a logging solution, in my opinion.  I have not personally used any of these with Sophos, but they may work for you (IPFIX and NetFlow are supported in many flow analyzers):

    Solarwinds - http://www.solarwinds.com/free-tools/real-time-netflow-analyzer

    ntopng - http://www.ntop.org/products/traffic-analysis/ntop/

    Also, definitely look at the Firewall Analyzer in my last post.

    npview - http://www.network-perception.com/software/  NOTE:  I have not used this under this product name (previously NetAPT) but it was good before it was commercialized.

  • Hi,

    I would say it doesn't matter what kind of product to use. I think it could be either a product that can handle NetFlow information or syslogs. NetFlow also adds to the amount of data, but for my purpose, to define firewall rules, both options would be sufficient. Afaik one benefit with NetFlow is that you can immediately see whether it is a finished connection and if it is a connection start or teardown.


    We already use SolarWinds, but I think it is pretty lazy and not really responsive. As you log quite a huge amount of data, it becomes even slower. It is also not easy to export the logged data when we speak about a timeframe that is more than 10 minutes.


    I think I will need to make some tests with different products to get an impression of what I need.