After experiencing the deployment of enterprise-level SIEM (Security Information and Event Management) applications within a couple of large organizations … I have come to the conclusion that these are beasts to administer and maintain. Corporations can afford to have a team of operators, administrators, and developer support for these commercial SIEMs. Even OSSIM (a popular open-source SIEM) is a beast to deploy.
So what SIEM solution does someone like myself have? For those of you who haven’t been following my blog, I maintain a small personal network consisting of 5 Linux servers, 2 Windows servers, 1 Linux-based firewall, and 1 border router. The current state of logging within my network is a centralized syslog server with absolutely no filtering or parsing of events. Without counting logs from Apache, IIS, Exchange, MySQL … I receive approximately 100 events per minute. The majority of these events are routine and should not be alerted on. But there are some (failed logons, port scans, etc.) that I need to see immediately.
And just seeing the event still requires manual human correlation of various events to build the big picture. A basic example of this would be multiple failed logons to more than 1 host.
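As an added illustration of that correlation (example code written for this post, not part of the original or of SimpleSIEM): it parses sshd failed-logon lines out of a central syslog feed and flags a source address that fails against two or more distinct hosts inside a short window. The syslog lines, host names and addresses are constructed, and the 5-minute window and two-host threshold are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines (not real traffic): RFC 3164 style, as
# relayed to a central syslog host, with two Linux hosts recording sshd failures.
SAMPLE_LOG = """\
Mar 10 22:01:03 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar 10 22:01:09 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 51031 ssh2
Mar 10 22:01:15 web01 CRON[2240]: (root) CMD (run-parts /etc/cron.hourly)
Mar 10 22:01:41 db01 sshd[918]: Failed password for invalid user admin from 203.0.113.7 port 40110 ssh2
Mar 10 22:02:02 db01 sshd[920]: Accepted publickey for backup from 192.0.2.10 port 33000 ssh2
Mar 10 22:30:00 db01 sshd[931]: Failed password for oracle from 198.51.100.4 port 49001 ssh2
"""

# Syslog header: "Mon DD HH:MM:SS host program[pid]: message"
HEADER = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")
# sshd failure message; the "invalid user" prefix is optional
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def parse_failed_logons(text, year=2024):
    """Yield (timestamp, host, user, src_ip) for each sshd failed-logon line."""
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m or m.group(3) != "sshd":
            continue  # not a syslog line, or not from sshd
        f = FAILED.search(m.group(4))
        if f:  # BSD syslog carries no year, so one is assumed
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), f.group(1), f.group(2)

def correlate(events, window_s=300, min_hosts=2):
    """Return {src_ip: [hosts]} for sources failing on >= min_hosts hosts within window_s."""
    by_src = defaultdict(list)
    for ts, host, _user, src in events:
        by_src[src].append((ts, host))
    alerts = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):  # window starts at each failure
            hosts = {h for t, h in hits[i:] if (t - t0).total_seconds() <= window_s}
            if len(hosts) >= min_hosts:
                alerts[src] = sorted(hosts)
                break
    return alerts

if __name__ == "__main__":
    for src, hosts in correlate(parse_failed_logons(SAMPLE_LOG)).items():
        print(f"ALERT: failed logons from {src} against {len(hosts)} hosts: {', '.join(hosts)}")
```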
So... back to the question here: what does a small-time network administrator like myself do for a SIEM solution?
Answer: Build my own SIEM. Which I shall call: SimpleSIEM.
Expect v0.1 to be posted by next weekend.