
ELSA & OSSEC Tools


Open Source Search Server

Open-Source Security Tools: Fighting APT with Open-source Software, Part 1: Logging

Just because "Advanced Persistent Threat" (FUD) is a marketing buzzword doesn't mean that it isn't a problem.

The Cisco Security Blog had a fantastic post detailing what APT is, what it is not, and what it takes to defend against it. From the post: “The state of the art in response to APT does not involve new magic software hardware solution divining for APT, but relies more on asking the right questions and being able to effectively use the existing detection tools (logging, netflow, IDS and DPI).” The article then goes on to detail exactly what you need to combat APT.

As they stated, it is in fact NOT a product. It is a collection of information and tools which provides a capability, utilized by a team in a perpetual investigatory process: a comprehensive collection of logs and the ability to search and alert on them. I'm going to add another requirement of my own: the ability to quickly view prior network traffic to gain context for a network event and to collect network forensic data.

Quickstart - enterprise-log-search-and-archive

Enterprise log search and archive (ELSA) is an industrial-strength solution for centralized log management.

Tested on: Ubuntu 10.04, openSUSE 12.1, CentOS 6.0 Final, FreeBSD 8.2.
Will probably work with: Debian, RHEL, Fedora, SLES, FreeBSD > 8.2.

1. Grab the auto-installer: wget "
2. Edit the top of the script and change directory locations and passwords as necessary. The defaults will work with the default settings that shipped with the OS.
3. Deploy either as a log node, a web frontend, or both:
   sudo sh -c "sh install.sh node && sh install.sh web"
4. Go get some coffee, check your email, install eventlog-to-syslog on servers, etc. Enjoy!
5. To add log nodes, repeat the node install (sudo sh install.sh node) on each node you want, then edit /etc/elsa_web.conf on the web frontend server to point to the new nodes under the "nodes" configuration directive and restart apache2.

enterprise-log-search-and-archive

Enterprise log search and archive (ELSA) is an industrial-strength solution for centralized log management. ELSA is a centralized syslog framework built on Syslog-NG, MySQL, and Sphinx full-text search. It provides a fully asynchronous web-based query interface that normalizes logs and makes searching billions of them for arbitrary strings as easy as searching the web. It also includes tools for assigning permissions for viewing the logs, as well as email-based alerts, scheduled queries, and graphing.

Features:
- High-volume receiving/indexing (a single node can receive more than 30k logs/sec, sustained)
- Full Active Directory/LDAP integration for authentication, authorization and email settings
- Instant ad-hoc reports/graphs on arbitrary queries, even on enormous data sets
- Dashboards using Google Visualizations
- Email alerting, scheduled reports
- Plugin architecture for the web interface
- Distributed architecture for clusters
- Ships with normalization for some Cisco logs, Snort/Suricata, Bro, and Windows via Eventlog-to-Syslog or Snare

Getting started is easy now with the quickstart script found in the wiki section.
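To make concrete the capability the post above calls for (a comprehensive collection of logs plus the ability to normalize, search and alert on them), here is a small Python script added as an illustration. It is not ELSA code and not from the original page: it parses constructed syslog lines in the style of a Snort alert and an Eventlog-to-Syslog Windows event, flattens them into normalized records, runs the kind of arbitrary-string search the feature list describes, and applies two simple alert rules. The Snort and Windows message layouts, host names and addresses are assumptions made for the example; ELSA does the real thing at scale on Syslog-NG, MySQL and Sphinx.

```python
"""Normalize, search and alert over syslog lines (added example; not ELSA code).

Sample lines are constructed. The Snort and Windows body layouts are
assumptions modelled on typical Snort alert_syslog and Eventlog-to-Syslog
output, not formats taken from the page.
"""
import re
from collections import Counter

# RFC 3164 style header: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Snort alert body (assumed layout): "[gid:sid:rev] msg [Classification: c]
# [Priority: p] {proto} src:sport -> dst:dport"
SNORT_RE = re.compile(
    r"^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<sig>.*?) "
    r"\[Classification: (?P<classification>[^\]]+)\] "
    r"\[Priority: (?P<priority>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<srcip>[\d.]+):(?P<srcport>\d+) -> (?P<dstip>[\d.]+):(?P<dstport>\d+)$"
)

# Windows event body as forwarded by an eventlog-to-syslog agent (assumed
# layout): "<EventID>: <AUDIT_TYPE> <free text>"
EVT_RE = re.compile(r"^(?P<event_id>\d+): (?P<type>\w+)\s+(?P<text>.*)$")

# Constructed sample input: one IDS alert, four Windows logon events, one
# firewall line with no dedicated normalizer, and one line that is not syslog.
SAMPLE_LINES = [
    "Jan 12 10:01:02 sensor1 snort[1234]: [1:2100498:7] GPL ATTACK_RESPONSE id check "
    "returned root [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} "
    "10.0.0.5:80 -> 192.168.1.10:51234",
    "Jan 12 10:01:05 WINDC01 Security-Auditing: 4625: AUDIT_FAILURE An account failed to "
    "log on. Account Name: jsmith Source Network Address: 192.168.1.10",
    "Jan 12 10:01:06 WINDC01 Security-Auditing: 4625: AUDIT_FAILURE An account failed to "
    "log on. Account Name: jsmith Source Network Address: 192.168.1.10",
    "Jan 12 10:01:07 WINDC01 Security-Auditing: 4625: AUDIT_FAILURE An account failed to "
    "log on. Account Name: admin Source Network Address: 192.168.1.10",
    "Jan 12 10:01:09 WINDC01 Security-Auditing: 4624: AUDIT_SUCCESS An account was "
    "successfully logged on. Account Name: jsmith",
    "Jan 12 10:01:11 fw1 kernel: iptables: DROP IN=eth0 SRC=203.0.113.9 DST=10.0.0.5 "
    "PROTO=TCP DPT=22",
    "this line is not syslog at all",
]


def parse_syslog(line):
    """Split off the syslog header; return None for lines that do not parse."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def normalize(line):
    """Turn one raw line into a flat record; 'class' names the source type."""
    rec = parse_syslog(line)
    if rec is None:
        return {"class": "unparsed", "msg": line}
    if rec["program"] == "snort":
        m = SNORT_RE.match(rec["msg"])
        if m:
            rec.update(m.groupdict())
            rec["class"] = "snort"
            return rec
    if rec["program"] == "Security-Auditing":
        m = EVT_RE.match(rec["msg"])
        if m:
            rec.update(m.groupdict())
            rec["class"] = "windows"
            return rec
    rec["class"] = "syslog"  # parsed header, body kept as free text
    return rec


def run_pipeline(lines=SAMPLE_LINES):
    """Normalize every line; nothing is dropped, unparsed lines stay searchable."""
    return [normalize(line) for line in lines]


def search(records, term):
    """Case-insensitive substring match over every field ("arbitrary string" query)."""
    t = term.lower()
    return [r for r in records
            if any(isinstance(v, str) and t in v.lower() for v in r.values())]


def failed_logon_alert(records, threshold):
    """Hosts reporting at least `threshold` Windows 4625 (logon failure) events."""
    hits = Counter(r["host"] for r in records
                   if r["class"] == "windows" and r["event_id"] == "4625")
    return {host: n for host, n in hits.items() if n >= threshold}


def high_priority_alerts(records, max_priority=1):
    """Snort events at or above a severity (lower Snort priority is more severe)."""
    return [r for r in records
            if r["class"] == "snort" and int(r["priority"]) <= max_priority]


if __name__ == "__main__":
    recs = run_pipeline()
    print(Counter(r["class"] for r in recs))
    print("records mentioning 192.168.1.10:", len(search(recs, "192.168.1.10")))
    print("failed-logon alert:", failed_logon_alert(recs, 3))
```

The point of keeping the `syslog` and `unparsed` classes rather than discarding lines the normalizers do not understand is the one the feature list makes: full-text search over everything you collected is the safety net for sources you have not written a parser for yet.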