Log Correlation and Events Management tool

Mohammed Sahib

Dec 2, 2014, 10:12:34 AM
to securit...@googlegroups.com
Hello,
Could you please advise on a tool that works with ELSA as a syslog, so I can do log correlation and event management?

Regards,
Mo

Lee Sharp

Dec 2, 2014, 10:22:54 AM
to securit...@googlegroups.com
On 12/02/2014 09:12 AM, Mohammed Sahib wrote:
> Hello,
> Could you please advise on a tool that works with ELSA as a syslog, so I can do log correlation and event management?

Not sure what you are asking. ELSA is a very good log search and
analysis tool, and syslog is already enabled on SO. What are you trying
to do, and what is the problem you are having?

Lee

Mohammed Sahib

Dec 2, 2014, 10:33:26 AM
to securit...@googlegroups.com
ELSA is for logs only, but I cannot do log correlation or event management.

So you have many logs, but log correlation finds the relation between them in case of an attack or something like that.

Event management: you can send alerts to another monitoring tool like SCOM for a specific event policy that you define.

Lee Sharp

Dec 2, 2014, 11:25:35 AM
to securit...@googlegroups.com
On 12/02/2014 09:33 AM, Mohammed Sahib wrote:
> So you have many logs, but log correlation finds the relation between them in case of an attack or something like that.

Actually, yes you can, but it is not as easy. Say you notice an attack
from 12.34.56.78 on one server. You search ELSA for that IP and it
shows where it shows up in every log. Or you can search all logs by
time. It is extremely powerful, but a bit of a learning curve.

> Event management: you can send alerts to another monitoring tool like SCOM for a specific event policy that you define.

You can use ELSA to look for Bro events. How-to videos are all over
YouTube. As for Sguil events, the other tools are better suited.

Lee

Mohammed Sahib

Dec 2, 2014, 11:31:56 AM
to securit...@googlegroups.com
Yes, it's hard; I did try that, and it's not easy, as you said. Also, management would like to have some reports, and that is also not easy.

Thanks for the info.

DefensiveDepth

Dec 3, 2014, 11:02:04 AM
to securit...@googlegroups.com
On Tuesday, December 2, 2014 11:31:56 AM UTC-5, Mohammed Sahib wrote:
> Yes, it's hard; I did try that, and it's not easy, as you said. Also, management would like to have some reports, and that is also not easy.
>
> Thanks for the info.

For correlation, there is a lot that can be done with subsearches & transforms + alerting & reporting (http://ossectools.blogspot.com/2012/01/hunting-with-elsa-transforms.html for instance). I will be publishing a paper in the next 4-5 months that will get a bit more in-depth on what can be done in this area, specifically with data generated by Sysmon and parsed + correlated with ELSA.

For event management, you can certainly use the Connectors framework to email/post, etc., an "event" to whatever event manager you are using...

-Josh

Brian Kellogg

Dec 3, 2014, 7:34:12 PM
to securit...@googlegroups.com
Look into OSSEC to shove syslogs to and to collect server logs. You can write log decoders and automated chained rules with it for correlation and alerting. Using both ELSA to deep dive logs along with the automated correlation with OSSEC is the way to go.

https://ossec-docs.readthedocs.org/en/latest/
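Lee's IP pivot across every log and Brian's chained OSSEC rules, shown as an added Python example that is not from this thread, from ELSA or from OSSEC: it parses a few constructed sshd syslog lines, lists every host a source IP shows up on, and fires a chained rule (N failures then a success from the same IP on the same host inside a time window). The year is an assumption, since syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines (not real data): two hosts, one noisy source IP.
SAMPLE_LOGS = """\
Dec  2 09:10:01 web01 sshd[2211]: Failed password for root from 12.34.56.78 port 40112 ssh2
Dec  2 09:10:03 web01 sshd[2211]: Failed password for root from 12.34.56.78 port 40113 ssh2
Dec  2 09:10:05 web01 sshd[2211]: Failed password for root from 12.34.56.78 port 40114 ssh2
Dec  2 09:10:40 web01 sshd[2290]: Accepted password for root from 12.34.56.78 port 40120 ssh2
Dec  2 09:12:15 db01 sshd[911]: Failed password for admin from 12.34.56.78 port 50001 ssh2
Dec  2 09:30:00 db01 sshd[915]: Accepted publickey for backup from 10.0.0.5 port 51000 ssh2
"""

# Decoder for the sshd auth lines above (like an OSSEC decoder, but hand-rolled here).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: "
    r"(?P<outcome>Failed|Accepted) \w+ for (?P<user>\S+) from (?P<ip>[\d.]+)"
)

def parse(text, year=2014):
    """Parse syslog lines into event dicts; lines the decoder does not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # year assumed
        events.append({"ts": ts, "host": m["host"], "outcome": m["outcome"],
                       "user": m["user"], "ip": m["ip"]})
    return events

def hosts_seen_from(events, ip):
    """Pivot on one IP: every host it appears on (what searching ELSA for the IP gives you)."""
    return sorted({e["host"] for e in events if e["ip"] == ip})

def brute_force_then_success(events, threshold=3, window=timedelta(seconds=60)):
    """Chained rule: >= threshold failures from one IP on one host inside `window`,
    followed by a success from the same IP on that host. Returns one alert per success."""
    alerts = []
    failures = defaultdict(list)  # (host, ip) -> timestamps of failed logins
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["host"], e["ip"])
        if e["outcome"] == "Failed":
            failures[key].append(e["ts"])
        else:
            recent = [t for t in failures[key] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append((e["host"], e["ip"], e["user"], len(recent)))
    return alerts
```

The same correlation expressed for OSSEC would be a rule matching the failures, a frequency/timeframe rule chained on it with `same_source_ip`, and a final rule chained on the success.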

Mohammed Sahib

Dec 8, 2014, 5:41:39 AM
to securit...@googlegroups.com
Thank you very much for the info.
