Alienvault or other SIEM integration with ElasticSearch (ELK)

We currently have ELK in place and we want to add a SIEM (AlienVault, LogRhythm etc.)

Have some of you already set up a SIEM with ELK?

Should I send the log to a SIEM and then ELK, or vice versa?

Suggestions, ideas?

Jean-Sebastien
jeansebgrenon Asked:

btan, Exec Consultant, Commented:
If cost is a factor, ELK is the straight-off choice; otherwise each is on the same playing ground. It depends on the use case, but most of the time the log aggregation and correlation pertains to security incident handling and situational awareness accuracy and effectiveness. So below are some inputs.

ELK is very scalable, so should you want to add more log sources - get another machine and add it to the cluster to scale out. With more sources, the various log formats need to be well understood too, and ELK does it well; you just need to spend some time creating “filters” inside Logstash that normalize the data and later add the configuration of these filters to make these feeds sensible to ELK. This is quite on par with SIEMs like ArcSight's smart connector doing almost all the parsing of the (many kinds of) logs - some say ELK is simpler for doing it. I am neutral as it is a matter of getting savvy and used to it...in fact we do not want to do it so often if the log format is a well-supported standard...

ELK is really hands-on, as you can script to automate searches based on indicators of compromise on those normalised log feeds and even add ‘context’ for the analysis of IDS alerts (set up Kibana to query and automate and have custom-built dashboards). E.g. do a query to see all hosts hitting a certain domain over a past period (like days) from those host logs sent into ElasticSearch.

As of now, we need to understand that all these are doable even via SIEMs (but with more money), esp. if you just want to be an end user; otherwise another key point is getting quality log feeds. Garbage in, garbage out - log quality is important, and Logstash plays a big role here. E.g. run the Logstash agent on device sources so that they can pipe logs to the central server. You can easily configure syslog using rsyslog, syslog-ng, or other syslog tools to send syslog to the central server, or better still use Lumberjack to send those logs over a secure channel for confidentiality - no one can read plain logs even when intercepting the wire.

In short, SIEMs can do likewise, but instead you spend more time grappling with the licensing model and pricey deployment of remote-site log agents, as well as professional service costs for any customisation of not-out-of-the-box SIEM capability. It is safe, but in the long run building competency is over-reliant on principals. ELK tries to make you more involved and on the ground - solve the problem as you deem fit, but it needs more time and can have some learning curve.

...to confess I (or we) do use SIEMs as this is not necessarily the core focus (as always for multiple-hat wearing) ...

Just a few cents worth..
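The answer above describes the two ELK steps that a SIEM would otherwise do for you: a Logstash filter that normalizes raw lines into fields, and a query over those fields such as "all hosts that hit a certain domain in the last few days". The following Python is an added example written for this page, not code from the thread or from the Elastic project; it mimics a grok-style filter and that query in plain code so the flow can be followed end to end. The proxy log format, host names, IPs, domains and the sample lines are all constructed for illustration, and unparseable lines are tagged rather than dropped, mirroring the `_grokparsefailure` tag Logstash attaches when a pattern does not match.

```python
"""Normalize raw proxy-style log lines into structured events, then query
them for source hosts that contacted a given domain within a time window.

Added example (not from the original thread). The line format and the
sample data below are constructed; real proxy/firewall formats differ and
the regex would be adjusted to match them, exactly as a grok pattern would.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines: "<ISO timestamp> <source-host> proxy: <client-ip> <domain> <status>"
SAMPLE_LOGS = [
    "2015-07-30T10:01:02Z ws-12 proxy: 10.0.0.12 updates.example.net 200",
    "2015-07-30T10:05:40Z ws-17 proxy: 10.0.0.17 bad-domain.example 200",
    "2015-07-31T14:22:09Z ws-12 proxy: 10.0.0.12 bad-domain.example. 302",  # trailing dot
    "2015-07-25T09:00:00Z ws-03 proxy: 10.0.0.3 bad-domain.example 200",    # outside window
    "this line does not match the expected format",
]

# Equivalent of a grok pattern: each named group becomes an event field.
LINE_RE = re.compile(
    r"^(?P<timestamp>\S+) (?P<host>\S+) proxy: "
    r"(?P<client_ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<domain>\S+) (?P<status>\d{3})$"
)


def normalize(line):
    """Parse one raw line into a dict of typed fields.

    Lines that do not match are kept but tagged, the way Logstash tags an
    event with _grokparsefailure instead of silently discarding it, so the
    analyst can see how much of the feed is actually being understood."""
    m = LINE_RE.match(line)
    if not m:
        return {"message": line, "tags": ["parse_failure"]}
    ev = m.groupdict()
    ev["timestamp"] = datetime.strptime(
        ev["timestamp"], "%Y-%m-%dT%H:%M:%SZ"
    ).replace(tzinfo=timezone.utc)
    ev["status"] = int(ev["status"])
    # Normalize the domain so "Example.COM." and "example.com" compare equal.
    ev["domain"] = ev["domain"].lower().rstrip(".")
    ev["tags"] = []
    return ev


def hosts_hitting_domain(events, domain, now, days):
    """Return the sorted list of source hosts that contacted `domain`
    within the last `days` days, ignoring unparsed and stale events."""
    cutoff = now - timedelta(days=days)
    wanted = domain.lower().rstrip(".")
    return sorted({
        ev["host"]
        for ev in events
        if "parse_failure" not in ev["tags"]
        and ev["domain"] == wanted
        and ev["timestamp"] >= cutoff
    })


def parse_failures(events):
    """Raw lines the filter could not normalize (worth reviewing: a silent
    format change upstream shows up here first)."""
    return [ev["message"] for ev in events if "parse_failure" in ev["tags"]]


def run_demo():
    """Normalize the constructed sample and ask: who hit bad-domain.example
    in the 3 days before 2015-07-31 23:59:59 UTC?"""
    events = [normalize(line) for line in SAMPLE_LOGS]
    now = datetime(2015, 7, 31, 23, 59, 59, tzinfo=timezone.utc)
    return hosts_hitting_domain(events, "bad-domain.example", now, days=3), parse_failures(events)


if __name__ == "__main__":
    hosts, failures = run_demo()
    print("hosts:", hosts)
    print("unparsed:", failures)
```

The same two steps map directly onto ELK: the regex is the filter you would write in Logstash, and `hosts_hitting_domain` is the Kibana query over the resulting fields. Checking `parse_failures` regularly is the cheap version of the "log quality" point made above, since a source whose format drifted stops contributing to every query without otherwise raising an error.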
jeansebgrenon, Author, Commented:
Thanks btan!

My principal concern is threat detection for PCI DSS, and alerting. ELK doesn't provide notification or threat detection (log correlation).

What kind of SIEM do you use?

JS
btan, Exec Consultant, Commented:
Not that I can share openly, but it is something with NetWitness :) In fact, SIEMs do not do compliance, and probably it is to fulfil the security monitoring (not storage) if running some SOC services...regardless, you likely need to go into GRC to interface with SIEMs to get those PCI reports - straight off (from the oven) as compared to ELK. The SIEM experience has been bullet-biting too...

This has a snapshot listing that can be useful (including costing and feature summary), though I take it with a pinch of salt when comparing. You just need to see whether ELK or SIEMs; the auditor just wants to see some verifiable evidence, but they judge the quality (unless missing or incomplete) since you are more aware of your environment - not them.
jeansebgrenon, Author, Commented:
Thanks for sharing the information, and taking the time to explain!

Have a nice sysadmin day!

JS
btan, Exec Consultant, Commented:
My pleasure :)