Tuesday, December 21, 2010

On Free Log Management Tools

The open source log management tools are:
  1. OSSEC (ossec.net) an open source tool for analysis of real-time log data from Unix systems, Windows servers and network devices. It includes a set of useful default alerting rules as well as a web-based graphical user interface. This is THE tool to use, if you are starting up your log review program. It even has a book written about it.
  2. Snare agent (intersectalliance.com/projects/index.html) and ProjectLasso remote collector (sourceforge.net/projects/lassolog) are used to convert Windows Event Logs into syslog, a key component of any log management infrastructure today (at least until Visa/W7 log aggregation tools become mainstream).
  3. syslog-ng (balabit.com/network-security/syslog-ng/) is a replacement and improvement of classic syslog service - it also has a Windows version that can be used the same way as Snare
  4. Among the somewhat dated tools, Logwatch (logwatch.org), Lire (logreport.org) and LogSurfer (crypt.gen.nz/logsurfer) can all still be used to summarize logs into readable reports
  5. sec (simple-evcorr.sourceforge.net) can be used for correlating logs, even though most people will likely find OSSEC correlation a bit easier to use (or even use OSSIM below)
  6. LogHound (ristov.users.sourceforge.net/loghound) and slct (ristov.users.sourceforge.net/slct) are more "research-grade" tools, that are still very useful for going thru a large pool of barely-structured log data.
  7. Log2timeline (log2timeline.net/) is a useful tool for investigative review of logs; it can create a timeline view out of raw log data.
  8. LogZilla (aka php-syslog-ng) (code.google.com/p/php-syslog-ng) is a simple PHP-based visual front-end for a syslog server to do searches, reports, etc
The next list is a list of "honorable mentions" list which includes logging tools that don't quite fit the definition above:
  • Splunk is neither free nor open source, but is has a free version usable for searching up to 500MB of log data per day - think of it as a smart search engine for logs.
  • OSSIM is not just for logs and also includes OSSEC; it is an open source SIEM tool and can be used much the same way as commercial Security Information and Event Management tools are used (SIEM use cases)
  • Microsoft Log Parser is a handy free tool to cut thru various Windows logs, not just Windows Event Logs. A somewhat similar tool for Windows Event log analysis is Mandiant Highlighter (mandiant.com/products/free_software/highlighter)
  • Sguil is not a log analysis tools, but a network security monitoring (NSM) tool – it does use logs in its analysis.
For a list of commercial log management tools go to Security Scoreboard site. A few of the commercial tools offer free trials for up to 30 days.Feel free to suggest your favorite tools and I will update the list!

Possibly related posts:

1 comment:

  1. ArcSight Logger is another one that surely deserves an honorable mention. There is a $49 version you can download from www.arcsight.com/logger

    I have heard sometimes they also give out promotional codes that can get you discounts of up to 100%.