Evaluating Open-source SIEM Solutions
- 
 Hi All, We are evaluating a SIEM for an SMB with a lot of client-facing infrastructure on AWS. A colleague of mine suggested giving SIEMonster a go but I am not completely convinced. There was a separate thread here on centralised log management where @stacksofplates and others suggested trying ElasticSearch with some Grafana dashboards on AWS. Ideally, we need to find a solution that is not very time-consuming to deploy, works with endpoints anywhere and is easy to maintain. Our resources are quite stretched out ATM but they might hire a new person or outsource it to a third-party SOC to manage it. All suggestions are very much welcome. Thanks. 
- 
 I'd looked at SIEMonster a couple of times over the years and while the idea seemed interesting the execution and setup struck me as a bit over the top and gimmicky. Wazuh might fit the bill but any SIEM or log management / aggregation / alerting setup is going to take a while to get up and running.... not necessarily to stand up the server(s) and start collecting data, but to tune the alerts, dashboards etc. so that there's value in the data that you're collecting. What kind of information / monitoring are you looking to get? 
- 
 @notverypunny Wazuh is what crossed my mind too. I'd start there. 
- 
 @scottalanmiller Yeah, it all depends on what kind of effort is going to be put into setup / maintenance / use.... also might be just a regulatory checkmark that has to be satisfied.... The comment about graphing is what got me thinking about the "why" and that a monitoring solution like Zabbix might be more in line with what would actually be appropriate. 
- 
 @notverypunny said in Evaluating Open-source SIEM Solutions: @scottalanmiller Yeah, it all depends on what kind of effort is going to be put into setup / maintenance / use.... also might be just a regulatory checkmark that has to be satisfied.... The comment about graphing is what got me thinking about the "why" and that a monitoring solution like Zabbix might be more in line with what would actually be appropriate. That's what we do. Zabbix and Grafana but no SIEM currently. 
- 
 @notverypunny said in Evaluating Open-source SIEM Solutions: I'd looked at SIEMonster a couple of times The community edition is pretty limited, but likely enough for a single SMB 
 Where to get it: https://go.siemonster.com/Community-Edition 
 Edition Comparison chart: https://siemonster.com/download-community-edition/ 
- 
 @notverypunny @scottalanmiller @JaredBusch thank you for your replies. We want to monitor databases, network devices, admin-level logins, etc. both on-prem and hosted for some suspicious activities or outages. I just thought that a SIEM would take care of the analytics/response part better than a monitoring solution like ELK, Graylog, OpenSearch, Zabbix, etc. which need a lot of fine-tuning to make them work in a similar fashion as a SIEM. We will check out Wazuh and compare it to SIEMonster Community Edition, thanks. 
- 
 @taurex said in Evaluating Open-source SIEM Solutions: @notverypunny @scottalanmiller @JaredBusch thank you for your replies. We want to monitor databases, network devices, admin-level logins, etc. both on-prem and hosted for some suspicious activities or outages. I just thought that a SIEM would take care of the analytics/response part better than a monitoring solution like ELK, Graylog, OpenSearch, Zabbix, etc. which need a lot of fine-tuning to make them work in a similar fashion as a SIEM. We will check out Wazuh and compare it to SIEMonster Community Edition, thanks. SIEMs are often built on top of those. 
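To make the last two replies concrete: the "fine-tuning" that turns a log store into a SIEM is mostly correlation rules like the one below, which flags a burst of failed admin-level logins followed by a success from the same source. This is an added example written for this thread, not code from SIEMonster, Wazuh or any other product; the event field names, the privileged-account list, the threshold and the 5-minute window are all assumptions, and the log events are constructed.

```python
# Added example, not code from the thread or from any SIEM product.
# It shows the correlation layer a SIEM adds on top of a log store:
# "N failed admin logins from one source, then a success, within a window."
# Event shape, field names and thresholds are assumptions for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a normalised form a log pipeline would emit.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:00", "user": "admin", "src": "203.0.113.5", "outcome": "failure"},
    {"ts": "2024-01-10T09:00:20", "user": "admin", "src": "203.0.113.5", "outcome": "failure"},
    {"ts": "2024-01-10T09:00:45", "user": "admin", "src": "203.0.113.5", "outcome": "failure"},
    {"ts": "2024-01-10T09:01:10", "user": "admin", "src": "203.0.113.5", "outcome": "success"},
    {"ts": "2024-01-10T09:05:00", "user": "alice", "src": "198.51.100.7", "outcome": "failure"},
    {"ts": "2024-01-10T09:05:30", "user": "alice", "src": "198.51.100.7", "outcome": "success"},
    {"ts": "2024-01-10T11:00:00", "user": "root", "src": "192.0.2.9", "outcome": "failure"},
    {"ts": "2024-01-10T11:00:05", "user": "root", "src": "192.0.2.9", "outcome": "failure"},
    {"ts": "2024-01-10T11:00:10", "user": "root", "src": "192.0.2.9", "outcome": "failure"},
    {"ts": "2024-01-10T12:30:00", "user": "root", "src": "192.0.2.9", "outcome": "success"},
]

PRIVILEGED = {"admin", "root"}  # assumed list of admin-level accounts


def brute_force_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """Return one alert per (user, src) where at least `threshold` failed
    logins to a privileged account are followed by a success, all inside
    `window`. Unprivileged users and failures older than the window are
    ignored, which is the tuning that keeps the rule from being noisy."""
    recent = defaultdict(list)  # (user, src) -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["user"] not in PRIVILEGED:
            continue
        key = (ev["user"], ev["src"])
        ts = datetime.fromisoformat(ev["ts"])
        # Drop failures that fell out of the correlation window.
        recent[key] = [t for t in recent[key] if ts - t <= window]
        if ev["outcome"] == "failure":
            recent[key].append(ts)
        elif ev["outcome"] == "success" and len(recent[key]) >= threshold:
            alerts.append({"user": ev["user"], "src": ev["src"],
                           "failures": len(recent[key]), "success_at": ev["ts"]})
            recent[key].clear()  # one alert per burst, not one per success
    return alerts
```

On the sample data only the `admin` burst fires: `alice` is not privileged, and the `root` success comes long after its failures left the window.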


