
Being new to security and logging, and after reading a lot about the terms used, I am pretty sure I need neither an IDS/IPS nor a WAF.

I am mostly interested in automating the "monitoring" of my application logs and enforcing some things when certain events under certain conditions take place. Is there any open source tool that can help with this kind of detection and automation (some powerful rules/condition engine with alerting that can call a script or an HTTP endpoint), or should I build it on top of the log management platform?

Maybe this thing I am describing is called a SIEM, but I am not sure, or maybe it is already doable using ELK or Graylog etc.

Thanks

Nikos
  • Sounds like you need a Log Aggregator. Here's a quick list I found. https://blog.overops.com/6-log-management-tools-you-need-to-know-and-how-to-use-them/ I've only used Splunk myself, but it worked out well. How many instances of the application are you looking to monitor? – Daisetsu Apr 09 '19 at 04:06
  • less than 10 services, but I would like free solution for now – Nikos Apr 09 '19 at 15:43

1 Answer


Graylog allows you to define alert triggers/Conditions and Actions/Notifications.

Out of the box it can do an HTTP POST to a nominated URL. I am not sure if parameterisation is available, but this might be enough to do what you need. The graylog marketplace (https://marketplace.graylog.org/) will have some more options which may allow more complex actions - so something may already be available.*

*(Depending on how much hair you have on your chest you can develop your own alert/notification plugin)

I am 99% sure ELK would offer this and even more than Graylog. My ELK experience is limited, but I suspect that Graylog is closest to the Logstash service in the ELK stack. Both use Elasticsearch, but Kibana provides a lot of features not really available in Graylog.

Defining a Notice in Graylog

A SIEM may also be able to do this, but SIEMs include a lot of pre-defined rule-sets to track anomalies across various sources, correlate them and automatically raise security alerts. They generally allow extension of existing rule-sets and/or creating your own. They are almost always goliath systems with a steep learning curve. From what you're saying it seems like overkill.

If you go with SIEM or Centralised Logging - these things need a lot of "juice" (CPU, RAM and IO). If you simply want to deploy application logging, monitoring and alerting, Graylog would likely be the best option. Grab the OVA from the graylog site and have a play, move on to ELK if Graylog falls short and then look at the SIEM options.

  • Thank you. I can see that Graylog has alerting capabilities but I don't know if it is capable of more complex rules on alerts. – Nikos Apr 09 '19 at 15:44
  • VMware Player + Graylog OVA and you are up and running in 10 minutes. It monitors the internal Nginx server by default (or used to), so you don't even need to send any logs - just fire it up and check out the alert rules available. – Frank Jackson Apr 12 '19 at 04:02
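The kind of "rules/condition engine" the question asks for, in miniature, as an added example that is not part of the question, the answer or Graylog's own code. It tails application log lines, counts events that match a set of field values per grouping key inside a sliding time window, and fires an action (here a callable; `http_post_action` shows how the same hook would POST JSON to a webhook URL) once a threshold is crossed, with a cooldown so one burst does not produce an alert per line. The log format and the sample lines are constructed for the example; the webhook URL is a placeholder. Standard library only.

```python
"""Tiny log alerting engine: threshold-within-window rules over key=value log lines."""
import json
import re
import urllib.request
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Deque, Dict, Iterable, List, Optional

# Constructed sample application log (hypothetical "ts level=... event=... k=v" format).
SAMPLE_LOG = """\
2019-04-09T10:00:01Z level=WARN event=login_failed user=alice ip=203.0.113.7
2019-04-09T10:00:05Z level=WARN event=login_failed user=alice ip=203.0.113.7
2019-04-09T10:00:09Z level=WARN event=login_failed user=bob ip=198.51.100.2
2019-04-09T10:00:12Z level=WARN event=login_failed user=alice ip=203.0.113.7
2019-04-09T10:00:20Z level=WARN event=login_failed user=alice ip=203.0.113.7
2019-04-09T10:00:40Z level=WARN event=login_failed user=alice ip=203.0.113.7
2019-04-09T10:00:45Z level=INFO event=login_ok user=alice ip=203.0.113.7
2019-04-09T10:03:00Z level=WARN event=login_failed user=bob ip=198.51.100.2
2019-04-09T10:15:00Z level=WARN event=login_failed user=bob ip=198.51.100.2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line: str) -> Optional[dict]:
    """Turn one log line into a dict with a datetime 'ts' plus its key=value fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")}
    for tok in m["kv"].split():
        key, sep, value = tok.partition("=")
        if sep:
            event[key] = value
    return event


@dataclass
class Rule:
    name: str
    match: Dict[str, str]            # every listed field must equal the given value
    group_by: str                    # hits are counted separately per value of this field
    threshold: int                   # fire when this many hits fall inside `window`
    window: timedelta
    action: Callable[[dict], None]   # called with the alert dict when the rule fires
    cooldown: timedelta = timedelta(minutes=10)  # suppress re-firing for the same key
    _hits: Dict[str, Deque[datetime]] = field(default_factory=lambda: defaultdict(deque))
    _last_fired: Dict[str, datetime] = field(default_factory=dict)

    def feed(self, event: dict) -> Optional[dict]:
        """Evaluate one event; return the alert dict if the rule fired, else None."""
        if any(event.get(k) != v for k, v in self.match.items()):
            return None
        key = event.get(self.group_by, "?")
        hits = self._hits[key]
        hits.append(event["ts"])
        while hits and event["ts"] - hits[0] > self.window:   # slide the window
            hits.popleft()
        if len(hits) < self.threshold:
            return None
        last = self._last_fired.get(key)
        if last is not None and event["ts"] - last < self.cooldown:
            return None                                        # still in cooldown
        self._last_fired[key] = event["ts"]
        alert = {"rule": self.name, self.group_by: key, "count": len(hits),
                 "first": hits[0].isoformat(), "last": event["ts"].isoformat()}
        self.action(alert)
        return alert


def run_rules(lines: Iterable[str], rules: List[Rule]) -> List[dict]:
    """Feed every parsable line to every rule; return all alerts that fired."""
    fired = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        fired.extend(a for a in (r.feed(event) for r in rules) if a)
    return fired


def http_post_action(url: str) -> Callable[[dict], None]:
    """Build an action that POSTs the alert as JSON to a webhook (URL is a placeholder)."""
    def act(alert: dict) -> None:
        req = urllib.request.Request(url, data=json.dumps(alert).encode(),
                                     headers={"Content-Type": "application/json"})
        urllib.request.urlopen(req, timeout=5).close()
    return act


def demo() -> List[dict]:
    """5 failed logins from one IP within a minute -> one alert; bob's slow attempts never fire."""
    rule = Rule(name="bruteforce", match={"event": "login_failed"}, group_by="ip",
                threshold=5, window=timedelta(minutes=1), action=print)
    return run_rules(SAMPLE_LOG.splitlines(), [rule])


if __name__ == "__main__":
    demo()
```

To hand alerts to a webhook instead of stdout, pass `action=http_post_action("https://example.invalid/hook")`, or a callable that runs `subprocess.run` on a script; the cooldown is what keeps a long brute-force run from turning into hundreds of POSTs.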