Solved

Real-Time Monitoring Tools

Posted on 2014-02-18
585 Views
Last Modified: 2014-03-11
I have to evaluate such a tool and I'm stuck between various products: Splunk, Nagios and Groundwork. We need a tool that collects logs, warnings, alerts, etc. from our firewalls, IDS, proxies, etc. and displays them clearly arranged in a GUI, divided into chapters. From there, it should also be possible to easily extract that info into a *.xls file, to show to our management.
Question by:DukewillNukem
12 Comments
 
LVL 18

Assisted Solution

by:Sanga Collins
Sanga Collins earned 250 total points
Nagios, in my opinion, is the more powerful tool. It can cover all your monitoring needs. Splunk collects logs and displays them in a nice readable format, but that's about it. Lastly, Cacti is also very good, especially for reporting. I use Cacti in combination with Nagios to cover all my monitoring and reporting needs.
 

Author Comment

by:DukewillNukem
Thanks for the reply. How about alerts and warnings? I also need something that can display statistics, say for the last 6 months how many threats we had, etc.
 
LVL 18

Expert Comment

by:Sanga Collins
Nagios for sure. It can send email alerts and warnings and can even be configured to send SMS if you have the SMS text message gateway set up. It stores statistics until your hard drive gets full. My Nagios on a 40GB data drive had 3 years' worth of logs before I had to clear space. I monitor about 40 locations and 2 data centers, so it's probably 250 to 300 unique hosts that I monitor.
 
LVL 38

Expert Comment

by:Rich Rumble
Nagios is not a SIEM. While it can be configured to alert on so many things, and log input is one of those things, that doesn't make it a correlation engine like other SIEM products.

Nagios sounds more like what you want, and it costs sooo much less than anything else.
-rich
 

Author Comment

by:DukewillNukem
Thanks for the tip. However, we need a tool with SIEM capabilities. Does Nagios fulfill that?
 
LVL 38

Expert Comment

by:Rich Rumble
It does not. Splunk, LogRhythm or AlienVault would be SIEM. AlienVault is closest to Nagios with its roots in open source. SIEMs aren't all that great in themselves; most end up only being used as log search engines, being more retroactive than proactive. If you get one, make sure you use it proactively. I have 12 clients that don't, and they spend too much money to just have log aggregation + search. They are all capable of much, much more, and you are going to pay for it, so use it as best you can!
-rich
 

Author Comment

by:DukewillNukem
So, is Splunk then SIEM or not? If yes, where is this proved? I need 100% sure proof, otherwise we will not be using it.
 
LVL 34

Accepted Solution

by:Dan Craciun
Dan Craciun earned 250 total points
You can read what the Splunk people say about it: https://www.splunk.com/web_assets/pdfs/secure/Splunk_as_a_SIEM_Tech_Brief.pdf

HTH,
Dan
 
LVL 38

Expert Comment

by:Rich Rumble
It is a SIEM, but you should never use anything until you get a Proof of Concept going. The vendors will give you a license for free to use the product for a few days, weeks or months; you have to contact their sales staff to get the details. Also note you need to know your logs before you go with a vendor or SIEM. Splunk hates binary logs, so you could have trouble using them against SQL Trace logs, for example. There aren't that many binary logs out there, but you need to make sure the product can digest them if you have them.

As for the dashboard or setup of the GUI, you have to customize most yourself, either by making saved queries or by editing a few items of HTML. Customization tends to be extra when dealing with most monitoring products; get the details of that up front.
-rich
 

Author Comment

by:DukewillNukem
We would use it for security alerts and warnings our network devices (Cisco, Sourcefire, ISA, etc.) produce.
Instead of having just a mail which will rarely be read at all, I want to have alerts nicely displayed in a GUI.
 

Author Comment

by:DukewillNukem
So, between all those tools, Splunk would fulfill all our needs, incl. SIEM capabilities?
 
LVL 38

Expert Comment

by:Rich Rumble
Kinda... make sure you get a PoC for anything you want to try; you will be choosing between the lesser of the evils here. Not one tool here does everything you are asking for out of the box; they will all need to be customized.
Also note that if you are using Snort or Suricata for your IDS, and the logs contain hex encodings, Splunk will be useless at displaying packet payloads. You need to have Barnyard2 export the logs to ASCII only, and then Splunk can digest and display the alerts, but the payload will be missing.
You won't spot that until you demo or PoC these tools. While Nagios can search logs just fine, that isn't the only thing a SIEM does. Also, SIEMs often don't come with alerts pre-made; you have to make them or pay for them. Bottom line is to get each product tested and see what fits best for your needs; you may need more than one, most of us do.
-rich
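Two concrete asks run through this thread: the author's request for monthly threat statistics that can be handed to management as a spreadsheet, and Rich's point that Snort/Suricata alerts need to reach the tool as plain ASCII (via Barnyard2) or the payload part will not be usable. The script below is an added example, not code from the thread or from Splunk, Nagios, AlienVault or Barnyard2. It assumes Snort "fast" alert format with the year included in the timestamp, parses each line into its fields, counts alerts per month and per priority, lists the most frequent signatures, and writes a CSV that Excel opens directly; any line that does not parse (such as a hex payload dump) is counted and skipped rather than silently dropped. The sample alert lines, rule ids and IP addresses are all constructed for the example.

```python
"""Added example: summarise Snort/Suricata "fast" alert lines (the plain-ASCII
form Barnyard2 can write) into monthly threat counts and a CSV for management.
Not from the thread; sample lines, rule ids and addresses are constructed."""
import csv
import io
import re
from collections import Counter
from datetime import datetime

# Constructed sample data in Snort fast-alert format. Assumption: the sensor is
# configured to include the year in timestamps (MM/DD/YY-HH:MM:SS.usec).
# Rule ids use the local range (1000000+); addresses are documentation ranges.
# The last line imitates a hex payload dump, which is not an alert record.
SAMPLE_ALERTS = """\
02/18/14-10:22:31.123456  [**] [1:1000001:1] LOCAL Suspicious outbound connection [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:51234 -> 203.0.113.5:443
02/20/14-03:14:07.000001  [**] [1:1000002:1] LOCAL Port scan detected [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:40000 -> 192.0.2.20:22
01/05/14-22:01:59.900000  [**] [1:1000003:2] LOCAL Malware beacon [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 192.0.2.33:53411 -> 203.0.113.9:53
01/30/14-08:45:00.100000  [**] [1:1000001:1] LOCAL Suspicious outbound connection [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.11:51300 -> 203.0.113.5:443
12/12/13-11:11:11.111111  [**] [1:1000004:1] LOCAL ICMP sweep [**] [Priority: 3] {ICMP} 198.51.100.8 -> 192.0.2.20
48 65 6C 6C 6F 20 77 6F 72 6C 64 0D 0A 00 00 00
"""

# One fast-format record: timestamp, [gid:sid:rev], message, optional
# classification, priority, protocol, source -> destination.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def parse_alert(line):
    """Parse one fast-format line into a dict, or return None when the line is
    not an alert record (payload dumps and other noise land here)."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%m/%d/%y-%H:%M:%S.%f")
    rec["prio"] = int(rec["prio"])
    return rec


def parse_alerts(text):
    """Parse every non-empty line; return (alerts, skipped_count) so that
    unparsable input is reported instead of vanishing from the statistics."""
    alerts, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_alert(line)
        if rec is None:
            skipped += 1
        else:
            alerts.append(rec)
    return alerts, skipped


def monthly_summary(alerts):
    """Map 'YYYY-MM' -> Counter of priority -> number of alerts."""
    summary = {}
    for rec in alerts:
        month = rec["time"].strftime("%Y-%m")
        summary.setdefault(month, Counter())[rec["prio"]] += 1
    return summary


def top_signatures(alerts, n=5):
    """Most frequent rule messages as (message, count) pairs, busiest first."""
    return Counter(rec["msg"] for rec in alerts).most_common(n)


def summary_to_csv(summary):
    """Render the monthly summary as CSV text: one row per month, a total
    column, and one column per priority level seen anywhere in the data."""
    priorities = sorted({p for counts in summary.values() for p in counts})
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["month", "total"] + [f"priority_{p}" for p in priorities])
    for month in sorted(summary):
        counts = summary[month]
        writer.writerow([month, sum(counts.values())]
                        + [counts.get(p, 0) for p in priorities])
    return buf.getvalue()


if __name__ == "__main__":
    alerts, skipped = parse_alerts(SAMPLE_ALERTS)
    print(f"parsed {len(alerts)} alerts, skipped {skipped} non-alert line(s)")
    print(summary_to_csv(monthly_summary(alerts)))
    for msg, count in top_signatures(alerts):
        print(f"{count:4d}  {msg}")
```

Feeding the real Barnyard2 output file to `parse_alerts` and writing the returned CSV to disk gives the per-month figures the author asked for; the skipped count is the quick check that the export really is ASCII alert records only, which is the failure mode Rich describes.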
