Looking for an recommendation: Logfile management / SIEM

Elk/Elastic search - https://www.elastic.co/webinars/introduction-elk-stack

ELSA - https://github.com/mcholste/elsa

Firewall Analyzer - https://www.manageengine.com/products/firewall/

All depends on exactly what you want.  I use Splunk myself, but it can get rather expensive.  You could log to syslog-ng first, then parse out important messages and have those sent to Splunk to save on license usage.

Hi darrellr,

basically I want to create a (simplyfied) connection overview, to be able to see what connection are there and then finally to decide from out of these connections, which should be part of a ruleset. But of course I don´t need to see the same type of connection, for example, client request to dns server.

It should also be possible to filter for specific data, like specific destination port and ip address etc etc...

I have splunk running now for in a test version.... I will make some test, how it works.

Thank you.

Hi darrellr,

basically I want to create a (simplyfied) connection overview, to be able to see what connection are there and then finally to decide from out of these connections, which should be part of a ruleset. But of course I don´t need to see the same type of connection, for example, client request to dns server.

It should also be possible to filter for specific data, like specific destination port and ip address etc etc...

I have splunk running now for in a test version.... I will make some test, how it works.

Thank you.

Try Graylog

It sounds like you might want a flow viewer rather than logging solution, in my opinion.  I have not personally used any of these with Sophos, but they may work for you (IPFix and NetFlow are supported in many flow analyzers):

Solarwinds - http://www.solarwinds.com/free-tools/real-time-netflow-analyzer

ntopng - http://www.ntop.org/products/traffic-analysis/ntop/

Also, definitely look at the Firewall Analyzer in my last post.

npview - http://www.network-perception.com/software/  NOTE:  I have not used this under this product name (previously NetAPT) but it was good before it was commercialized.

Hi,

I would say, it doesn´t matter what kind of product to use. I think it could be either a product that can handle netflow information or syslogs. Netflow also adds the amount of data, but for my purpose, to define firewall rules, both options would be sufficient. Afaik one benefit with netflow is, that you can immediately see, wheter it is a finished connection and if it is a connection start or teardown.

We already use solarwinds, but I think it is pretty lazy and not really responsive. As you log quite a huge amount of data, it becomes even more slowly. It is also not easy to export the logged data, when we speak about a timeframe that is more than 10 minutes.

I think I will need to make some tests with different products to get an impression, what I need.