After experiencing the deployment of enterprise-level SIEM (Security Information and Event Management) applications within a couple of large organizations … I have come to the conclusion that these are beasts to administer and maintain. Corporations can afford to have a team of operators, administrators, and developer support for these commercial SIEMs. Even OSSIM (a popular open-source SIEM) is a beast to deploy.

So what solution does someone like myself have for a SIEM? For those of you who haven’t been following my blog, I maintain a small personal network consisting of 5 Linux servers, 2 Windows servers, 1 Linux-based firewall, and 1 border router. The current state of logging within my network is a centralized syslog server with absolutely no filtering/parsing of events. Without counting logs from Apache, IIS, Exchange, MySQL … I receive approximately 100 events per minute. The majority of these events are routine and should not be alerted on. But there are some (failed logons, port scans, etc.) that I need to see immediately.

And just seeing the event still requires manual human correlation of various events to build the big picture. A basic example of this would be multiple failed logons from the same source against more than 1 host.
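Here is what that one correlation looks like when a script does it instead of a human. This is an added example written for this post, not SimpleSIEM code (which does not exist yet); it is in Perl because that is the planned backend language. The hostnames, IP addresses and sshd log lines are constructed, and the rule parameters (a 300-second window, 2 or more distinct hosts) are arbitrary choices for the demo.

```perl
#!/usr/bin/perl
# Added example: correlate failed logons across hosts from raw syslog lines.
# Not SimpleSIEM code. Hosts, IPs and log lines below are constructed.
use strict;
use warnings;

# Constructed sample of what the central syslog server receives.
my @LOG = (
    'Jan 10 09:01:02 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2',
    'Jan 10 09:01:05 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 51023 ssh2',
    'Jan 10 09:01:09 db1 sshd[877]: Failed password for admin from 203.0.113.7 port 51030 ssh2',
    'Jan 10 09:01:20 mail1 sshd[4410]: Failed password for invalid user test from 203.0.113.7 port 51041 ssh2',
    'Jan 10 09:02:00 web1 sshd[1300]: Accepted publickey for deploy from 192.0.2.10 port 40000 ssh2',
    'Jan 10 09:15:00 db1 sshd[900]: Failed password for bob from 192.0.2.55 port 33000 ssh2',
);

# Parse one syslog line into a hash. Returns nothing for lines that are
# not sshd "Failed password" events, so callers can skip them.
sub parse_failed_logon {
    my ($line) = @_;
    my ($hh, $mm, $ss, $host, $user, $ip) = $line =~
        /^\w{3}\s+\d+\s+(\d\d):(\d\d):(\d\d)\s+(\S+)\s+sshd\[\d+\]:\s+Failed password for (?:invalid user )?(\S+) from (\S+) port \d+/
        or return;
    # Seconds since midnight is enough for a single-day window in this demo.
    return { host => $host, user => $user, src => $ip, t => $hh * 3600 + $mm * 60 + $ss };
}

# Rule: the same source IP fails logons against at least $min_hosts
# distinct hosts within $window seconds. Returns one alert per source.
sub correlate_failed_logons {
    my ($lines, $window, $min_hosts) = @_;
    my %by_src;    # source ip => list of parsed failed-logon events
    for my $line (@$lines) {
        my $ev = parse_failed_logon($line) or next;
        push @{ $by_src{ $ev->{src} } }, $ev;
    }

    my @alerts;
    for my $src (sort keys %by_src) {
        my @evs = sort { $a->{t} <=> $b->{t} } @{ $by_src{$src} };
        # Sliding window over this source's events, oldest to newest.
        my $start = 0;
        for my $end (0 .. $#evs) {
            $start++ while $evs[$end]{t} - $evs[$start]{t} > $window;
            my %hosts = map { $_->{host} => 1 } @evs[ $start .. $end ];
            if (scalar(keys %hosts) >= $min_hosts) {
                push @alerts, {
                    src   => $src,
                    hosts => [ sort keys %hosts ],
                    count => $end - $start + 1,
                };
                last;    # one alert per source is enough for this rule
            }
        }
    }
    return @alerts;
}

my @alerts = correlate_failed_logons(\@LOG, 300, 2);
for my $al (@alerts) {
    printf "ALERT: %d failed logons from %s against %d hosts: %s\n",
        $al->{count}, $al->{src}, scalar @{ $al->{hosts} }, join(',', @{ $al->{hosts} });
}
```

Run as-is, the script reports one alert for 203.0.113.7 (three failures spanning web1 and db1 inside the window) and stays silent about 192.0.2.55, which only failed once against one host. The "Accepted publickey" line is parsed out before correlation, which is the filtering step that the current syslog-only setup is missing. The rule deliberately keys on source IP rather than username, because the same attacker trying root on one box and admin on another is exactly the pattern a per-host view hides.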

So.. back to the question here: what does a small-time network administrator like myself do for a SIEM solution?

Answer: Build my own SIEM. Which I shall call: SimpleSIEM.

You can expect this project to be 100% open-source (not sure of the license yet; I have to do some research on the current licensing options, GPL or BSD are possibilities). I have already begun designing the basic framework. The backend will use Perl for all filtering, correlation, and alerting. The data will be stored in a MySQL database. The frontend will be a combination of Perl CGI, PHP, and JavaScript. I plan to build SimpleSIEM to meet my specific personal needs, but will attempt to develop it in a modular and reusable fashion so others will be able to use it and customize it to suit their environment.

Expect v0.1 to be posted by next weekend.