Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 669
  • Last Modified:

Real-Time Monitoring Tools

i have to evaluate such a tool and im stuck between various products: Splunk,Nagios and Groundwork. We need a Tool that collects logs,warnings,alerts,etc. from our firewalls,IDS, proxies,stc. and displays them clearly arranged in a GUI,divided in chapters. from there,it should be also possible to easily extract that info into a *.xls file, to show that to our management.
0
DukewillNukem
Asked:
DukewillNukem
  • 5
  • 4
  • 2
  • +1
2 Solutions
 
Sanga CollinsSystems AdminCommented:
Nagios in my opinion is the more powerful tool. It can cover all your monitoring needs. Splunk collects logs and displays them in a nice readable format but thats about it. Lastly Cacti is also very good. Especially for reporting. I use cacti in combination with nagios to cover all my monitoring and reporting needs.
0
 
DukewillNukemAuthor Commented:
thx for the reply. how about alerts and warnings? i also need something that can display me statistics,say for the last 6 months how many threats we had,etc.
0
 
Sanga CollinsSystems AdminCommented:
Nagios for sure. It can send email alerts and warning and can even be configured to send SMS if you have the sms text message gateway setup. It store statistics until your hard drive gets full. My nagios on a 40GB data drive had 3 years worth of logs before I have to clear space. I monitor about 40 locations and 2 data centers so its probably 250 to 300 unique hosts that I monitor
0
Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

 
Rich RumbleSecurity SamuraiCommented:
Nagios is not a SIIEM, while it can be configured to alert on so many things, log input is one of those things but that doesn't make it a correlation engine like other SIEM products.

Nagios sounds more like what you want, and it costs sooo much less than anything else.
-rich
0
 
DukewillNukemAuthor Commented:
thx for the tip. however,we need a tool with SIEM capabilities. does nagios fulfill that?
0
 
Rich RumbleSecurity SamuraiCommented:
It does not. Splunk, LogRythm or AlienVault would be SIEM. AlienVault is closest to Nagios with it's roots in Opensource. SIEM's aren't all that great in themselves, most end up only being used as log search engines, being more retroactive than proactive. If you get one make sure you use it proactively. I have 12 clients that don't and they spend too much money to just have a log aggregation+search. They are all capable of much much more, and you are going to pay for it, so use it as best you can!
-rich
0
 
DukewillNukemAuthor Commented:
so,is Splunk then SIEM or not? if yes,where is this proved? i need 100% sure proof,otherwise we will not be using it
0
 
Dan CraciunIT ConsultantCommented:
You can read what the Splunk people say about it: https://www.splunk.com/web_assets/pdfs/secure/Splunk_as_a_SIEM_Tech_Brief.pdf

HTH,
Dan
0
 
Rich RumbleSecurity SamuraiCommented:
It is a SIEM, but you should never use anything until you get a Proof of Concept going. The Vendors will give you a license for free to use the product for a few days, weeks or months, you have to contact their sales staff to get the details. Also note you need to know your logs before you go with a vendor or SIEM. Splunk hates binary logs, so you could have trouble using them against SQL-Trace logs for example. There aren't that many binary logs out there, but you need to make sure the product can digest them if you have them.

As for the Dashboard or setup of the GUI, you have to customize most yourself, either by making saved quries or by editing a few items of html. Customization tends to be extra when dealing with most monitoring products, get the details of that up front.
-rich
0
 
DukewillNukemAuthor Commented:
we would use it for security alerts and warnings our network-devices (cisco,sourcefire,ISA,etc.) do produce.
instead of having just a mail which will be rarely not readen at all, i want to have alerts nicely displayed in a GUI
0
 
DukewillNukemAuthor Commented:
so,bettween all those tools, Splunk would fulfill all our needs,incl. SIEM capabilities?
0
 
Rich RumbleSecurity SamuraiCommented:
Kinda... make sure you get a PoC for anything you want to try, you will be choosing between the lesser of the evils here. Not one tool here does everything you are asking for out of the box, they will all need to be customized.
Also note that if you are using Snort or Suricata for your IDS, and the logs contain hex encodings, Splunk will be useless at displaying packet payloads. You need to have Barnyard2 export the logs to ASCII only, and then splunk can digest and display the alerts, but the payload will be missing.
You won't spot that until you Demo or PoC these tools. While Nagios can search logs just fine, that isn't the only thing a SIEM does. Also SIEM's often don't come with alert's pre-made, you have to make them or pay for them. Bottom line is to get each product tested and see what fits best for you needs, you may need more than one, most of us do.
-rich
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 5
  • 4
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now