Real-Time Monitoring Tools

i have to evaluate such a tool and im stuck between various products: Splunk,Nagios and Groundwork. We need a Tool that collects logs,warnings,alerts,etc. from our firewalls,IDS, proxies,stc. and displays them clearly arranged in a GUI,divided in chapters. from there,it should be also possible to easily extract that info into a *.xls file, to show that to our management.
DukewillNukemAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
Dan CraciunConnect With a Mentor IT ConsultantCommented:
You can read what the Splunk people say about it: https://www.splunk.com/web_assets/pdfs/secure/Splunk_as_a_SIEM_Tech_Brief.pdf

HTH,
Dan
0
 
Sanga CollinsConnect With a Mentor Systems AdminCommented:
Nagios in my opinion is the more powerful tool. It can cover all your monitoring needs. Splunk collects logs and displays them in a nice readable format but thats about it. Lastly Cacti is also very good. Especially for reporting. I use cacti in combination with nagios to cover all my monitoring and reporting needs.
0
 
DukewillNukemAuthor Commented:
thx for the reply. how about alerts and warnings? i also need something that can display me statistics,say for the last 6 months how many threats we had,etc.
0
Easily Design & Build Your Next Website

Squarespace’s all-in-one platform gives you everything you need to express yourself creatively online, whether it is with a domain, website, or online store. Get started with your free trial today, and when ready, take 10% off your first purchase with offer code 'EXPERTS'.

 
Sanga CollinsSystems AdminCommented:
Nagios for sure. It can send email alerts and warning and can even be configured to send SMS if you have the sms text message gateway setup. It store statistics until your hard drive gets full. My nagios on a 40GB data drive had 3 years worth of logs before I have to clear space. I monitor about 40 locations and 2 data centers so its probably 250 to 300 unique hosts that I monitor
0
 
Rich RumbleSecurity SamuraiCommented:
Nagios is not a SIIEM, while it can be configured to alert on so many things, log input is one of those things but that doesn't make it a correlation engine like other SIEM products.

Nagios sounds more like what you want, and it costs sooo much less than anything else.
-rich
0
 
DukewillNukemAuthor Commented:
thx for the tip. however,we need a tool with SIEM capabilities. does nagios fulfill that?
0
 
Rich RumbleSecurity SamuraiCommented:
It does not. Splunk, LogRythm or AlienVault would be SIEM. AlienVault is closest to Nagios with it's roots in Opensource. SIEM's aren't all that great in themselves, most end up only being used as log search engines, being more retroactive than proactive. If you get one make sure you use it proactively. I have 12 clients that don't and they spend too much money to just have a log aggregation+search. They are all capable of much much more, and you are going to pay for it, so use it as best you can!
-rich
0
 
DukewillNukemAuthor Commented:
so,is Splunk then SIEM or not? if yes,where is this proved? i need 100% sure proof,otherwise we will not be using it
0
 
Rich RumbleSecurity SamuraiCommented:
It is a SIEM, but you should never use anything until you get a Proof of Concept going. The Vendors will give you a license for free to use the product for a few days, weeks or months, you have to contact their sales staff to get the details. Also note you need to know your logs before you go with a vendor or SIEM. Splunk hates binary logs, so you could have trouble using them against SQL-Trace logs for example. There aren't that many binary logs out there, but you need to make sure the product can digest them if you have them.

As for the Dashboard or setup of the GUI, you have to customize most yourself, either by making saved quries or by editing a few items of html. Customization tends to be extra when dealing with most monitoring products, get the details of that up front.
-rich
0
 
DukewillNukemAuthor Commented:
we would use it for security alerts and warnings our network-devices (cisco,sourcefire,ISA,etc.) do produce.
instead of having just a mail which will be rarely not readen at all, i want to have alerts nicely displayed in a GUI
0
 
DukewillNukemAuthor Commented:
so,bettween all those tools, Splunk would fulfill all our needs,incl. SIEM capabilities?
0
 
Rich RumbleSecurity SamuraiCommented:
Kinda... make sure you get a PoC for anything you want to try, you will be choosing between the lesser of the evils here. Not one tool here does everything you are asking for out of the box, they will all need to be customized.
Also note that if you are using Snort or Suricata for your IDS, and the logs contain hex encodings, Splunk will be useless at displaying packet payloads. You need to have Barnyard2 export the logs to ASCII only, and then splunk can digest and display the alerts, but the payload will be missing.
You won't spot that until you Demo or PoC these tools. While Nagios can search logs just fine, that isn't the only thing a SIEM does. Also SIEM's often don't come with alert's pre-made, you have to make them or pay for them. Bottom line is to get each product tested and see what fits best for you needs, you may need more than one, most of us do.
-rich
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.