[c-nsp] Syslog Solutions

Brian Spade bitkraft at gmail.com
Thu Oct 22 17:01:13 EDT 2009 

Hi,

Sorry for the late follow-up... been a little burdened with work. :-)

Here is the feedback I received from cisco-nsp'ers:

General Syslog/Traps:

1.  syslog-ng was recommended by many folks for syslog
2.  use snmp-tt to convert SNMP traps into syslog format
3.  OpenNMS, supports both syslog/snmptraps:  http://www.opennms.org
4.  Zenoss, supports both syslog/snmptraps:  http://www.zenoss.com

Data correlation solutions:

1.  Splunk (recommended the most):  http://www.splunk.com
2.  Also, Splunk's Cisco plug-in:  http://www.splunk.com/apps/cisco
3.  Sawmill:  http://www.sawmill.net
4.  Paglo:  http://paglo.com
5.  Cisco CS-MARS:  http://www.cisco.com/en/US/products/ps6241/index.html
6.  Q1 Labs (offers free VM version):  http://www.q1labs.com/qradar-slim-fe
7.  ManageEngine with OpManager:  http://www.manageengine.com

Some notes on the data correlation solutions:

Splunk doesn't directly take SNMP traps, but you can use snmptrapd to write
the events to a file and have splunk index it.  MARS does take Syslog, SNMP
traps, Netflow data, various IDS/IPS alerts and various other inputs such as
any Cisco product, Extreme routers, Juniper Netscreen/Checkpoint firewalls,
etc.

And lastly, an FOSS solution:

If you know some regular expression and/or Perl, have a look to SEC Simple
Event Correlator. Simple but powerful IMHO.

For a revue of event correlation, see:

http://www.cs.umb.edu/~rouilj/sec/sec_paper_full.pdf<http://www.cs.umb.edu/%7Erouilj/sec/sec_paper_full.pdf>

it is a paper mainly system oriented but very useful for network too.

Thank you everyone for your feedback.  Now time needs to be sent evaluating
all of the solutions.

Regards,
/bs

On Fri, Sep 4, 2009 at 4:26 PM, Brian Spade <bitkraft at gmail.com> wrote:

> Hi,
>
> Can people recommend a useful solution for syslog, SNMP traps and event
> correlation?  I'm not even sure where to start.  I know about syslog-ng but
> am looking for a syslog/snmp trap collector with future capabilities of
> event correlation.  The event correlation would be able to accept any data
> source / device via SNMP or syslog.
>
> Commercial or open-source is fine with the latter being more preferrable.
>
> Thanks!
> /bs
>

More information about the cisco-nsp mailing list