
What Are Good Event Correlation Systems?



I'm looking for a good event correlation device/software. Something that can help reduce the standard information overload you get from the tons of log messages from firewalls, IPS devices, servers, etc. Security oriented correlation.

I've had experience with Cisco's MARS:


Which is a great idea, that works well in a lab. But in the real world, ummmm, not so much. Not to mention you have to have pretty much all Cisco gear for it to be of any value. And, like everything else they make, it's ridiculously expensive.

I've also messed with Splunk, which I think is awesome, but doesn't really put any intelligent correlation to the information. It just seems to be a better way to sort information.


Has anyone used something that they like? The only other ones I know of, which are both really expensive, are RSA enVision and Q1.


Don't know if you have heard of Check Point, but it seems to be a good candidate.



  • 2 years later...

Hi SupaRice,

You most likely will have this sorted now, but for anybody else who has a similar idea I shall answer anyway.

Products such as RSA enVision, ArcSight, Huntsman, Q1, etc. do not offer any open-source stuff, or offer any demos / trials, due to the fact they take a lot of time to set up and will only supply with recommended hardware etc.

A good starting point that I would suggest, as in fact I did also: first of all I would download and install Security Onion, which is a Linux distro that comes with Snort / Bro IDS / OSSEC and many other open-source software packages installed, and for the majority already configured. I am also a big fan of Splunk, and in fact a Security Onion app has already been created for Splunk, so with little effort you can get some nice graphs and information etc. from your network. No matter what IDS/IPS you use, you will have to think out and create your own correlation rules (which will take time), due to every environment being different.

So depending on how you set up your lab, you can have a SIEM on a shoestring.


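As an illustration of the hand-written correlation rules the last reply mentions (an added example, not part of the original thread and not taken from Security Onion, Splunk or any product named above): a rule that only raises an incident when an IDS alert, repeated failed logins and a successful login line up for the same source and destination inside a time window. The event schema, event type names, thresholds and sample events are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, already normalised to one assumed schema:
# (timestamp, sensor, event type, source IP, destination IP).
EVENTS = [
    ("2024-01-01T10:00:05", "ids",  "alert",        "203.0.113.7",  "10.0.0.5"),
    ("2024-01-01T10:01:10", "auth", "login_failed", "203.0.113.7",  "10.0.0.5"),
    ("2024-01-01T10:01:20", "auth", "login_failed", "203.0.113.7",  "10.0.0.5"),
    ("2024-01-01T10:01:31", "auth", "login_failed", "203.0.113.7",  "10.0.0.5"),
    ("2024-01-01T10:02:00", "auth", "login_ok",     "203.0.113.7",  "10.0.0.5"),
    # Noise: a user mistyping a password once, no IDS alert.
    ("2024-01-01T10:03:00", "auth", "login_failed", "198.51.100.9", "10.0.0.8"),
    ("2024-01-01T10:03:20", "auth", "login_ok",     "198.51.100.9", "10.0.0.8"),
    # Noise: IDS alert plus a failure, but the login never succeeds.
    ("2024-01-01T10:05:00", "ids",  "alert",        "192.0.2.44",   "10.0.0.5"),
    ("2024-01-01T10:05:30", "auth", "login_failed", "192.0.2.44",   "10.0.0.5"),
]

def correlate(events, window=timedelta(minutes=10), min_failures=3):
    """Flag (src, dst) pairs where a successful login was preceded, within
    `window`, by an IDS alert and at least `min_failures` failed logins."""
    by_pair = defaultdict(list)
    for ts, sensor, kind, src, dst in events:
        by_pair[(src, dst)].append((datetime.fromisoformat(ts), sensor, kind))
    incidents = []
    for (src, dst), evs in by_pair.items():
        evs.sort()  # chronological order per source/destination pair
        for when, sensor, kind in evs:
            if kind != "login_ok":
                continue
            # Everything this pair did in the window before the successful login.
            recent = [e for e in evs if when - window <= e[0] < when]
            failures = sum(1 for e in recent if e[2] == "login_failed")
            alerted = any(e[1] == "ids" for e in recent)
            if alerted and failures >= min_failures:
                incidents.append({"src": src, "dst": dst,
                                  "time": when.isoformat(),
                                  "failed_logins": failures})
    return incidents

if __name__ == "__main__":
    for incident in correlate(EVENTS):
        print(incident)
```

Nine raw events collapse to one incident here; the window and failure threshold are the parts that have to be tuned per environment.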
