Graylog as an SIEM Solution
What is SIEM and why do we need it
In the tech world, acronyms abound, but this particular one is of prime importance and should be a mantra for almost any security and administration team. SIEM stands for Security Information and Event Management and is one of the cornerstones of sound system management and monitoring. In a previous article, I wrote about real-time system monitoring and visualization, and in it I also touched on the issue of correlating data with events that take place on systems. A centralized and robust SIEM solution allows all this information to be gathered, analyzed, aggregated, correlated and visualized in context, providing a 360-degree view of your infrastructure when properly set up, as well as instant alerting and deep insight into the incidents that will arise.
Enter Graylog
Many SIEM solutions have been developed over the past decade, such as Splunk and QRadar, but they have usually been the domain of large enterprises with deep pockets and the massive infrastructure required to run them. Although any SIEM solution requires enough processing and storage resources to run properly, smart log retention and rotation can go a long way toward keeping searches fast without losing events or data resolution.
For the past five years, we’ve been looking for a serious SIEM with Open Source roots that is enterprise-ready, easily deployable, scalable and adaptable in terms of data source ingestion, manipulation and output. Enter Graylog!
Over the past few years we’ve been testing and tweaking Graylog in our test environment, trying to get the most out of its many features. The community version comes with a rich feature set, and the Enterprise version adds a number of key features that simplify reporting and data retention, among other things.
When working with Graylog, I tend to look at it first and foremost as a large stream manipulation engine (you can blame my developer background for that). The flexibility of working with practically any incoming log stream, manipulating and converting it, presenting it and also outputting it to other destinations is a boon for most SIEM managers, as it allows fine tweaking, aggregation and correlation of data on the fly; the results can be incorporated into the log entry itself to augment it and make it more understandable.
Add to the above the fact that Graylog comes pre-bundled with a threat intelligence engine and an events and alerts component that can trigger alerts under specified conditions (a feature that saw much improvement in the 3.1 release), as well as graphical dashboards for visualizing aggregate data, and you end up with an enterprise-grade SIEM feature set.
Log ingestion in Graylog supports multiple ingress sources, be it remote syslog or its Sidecar agent, which is managed directly from the web interface. Couple this versatility with first-rate stream scripting and manipulation capabilities (think GROK on steroids) and you end up with a very versatile and customizable log management system.
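To make the "stream manipulation" idea concrete, here is an added example of a Graylog pipeline rule (written for this article, not taken from the original post or from the Graylog project) that parses a failed SSH login line with grok and augments the event with fields the raw syslog line does not carry. The sample log line and the field names `ssh_user`, `src_ip`, `src_port`, `event_category` and `event_source` are assumptions for illustration.

```text
rule "enrich sshd auth failures"
when
  has_field("message") &&
  contains(to_string($message.message), "Failed password", true)
then
  // Assumed format of the incoming line (constructed sample, not a real capture):
  //   Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
  let parsed = grok(
    pattern: "Failed password for (invalid user )?%{USERNAME:ssh_user} from %{IP:src_ip} port %{INT:src_port}",
    value: to_string($message.message),
    only_named_captures: true
  );

  // Copy the named captures (ssh_user, src_ip, src_port) onto the message
  // so they become searchable fields rather than text buried in "message".
  set_fields(parsed);

  // Augment the event with classification fields that dashboards and
  // alert conditions can key on directly (assumed field names).
  set_field("event_category", "auth_failure");
  set_field("event_source", "sshd");
end
```

Attach the rule to a pipeline connected to the stream that receives the sshd messages; an alert condition can then count events where `event_category` is `auth_failure` grouped by `src_ip` instead of pattern-matching the free-text message at alert time.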
The underlying Elasticsearch engine provides the scalability and search versatility that other enterprise-grade SIEMs enjoy. A robust web interface with built-in user management and access control also enhances the experience. From a scalability standpoint, Graylog can be deployed as a single node or in a cluster configuration to spread the load in large systems and provide redundancy.
Overall, our experience with Graylog has been extremely positive, and the out-of-the-box features of the community edition were well balanced to hit the ground running with an enterprise-level SIEM system. We can’t wait to see the future enhancements and features coming to Graylog. A big shoutout to the Graylog team for all their hard work and their contributions back to the Open Source community.