Open Source Log Management Tools List

Friday, April 08, 2011

Anton Chuvakin


FYI, I have updated my list of free log analysis and log management tools on my consulting site. Here it is, reposted:

This page lists a few popular free open-source log management and log analysis tools. The page is a supplement to "Critical Log Review Checklist for Security Incidents", which can be found here or as a PDF or DOC (feel free to modify it for your own purposes or for internal distribution, but please keep the attribution).

The log cheat sheet presents a checklist for reviewing critical system, network and security logs when responding to a security incident. It can also be used for routine periodic log review. It was authored by Dr. Anton Chuvakin and Lenny Zeltser.

The open source log management tools are:

  • OSSEC (ossec.net) is an open source tool for analysis of real-time log data from Unix systems, Windows servers and network devices. It includes a set of useful default alerting rules as well as a web-based graphical user interface. This is THE tool to use if you are starting a log review program. It even has a book written about it.
  • rsyslog (rsyslog.com) is another notable replacement for, and improvement on, the stock syslog service; it keeps the traditional (rather than syslog-ng style) format for syslog.conf configuration files. There is no Windows version, but it has an associated web front-end called phpLogCon.
  • sec (simple-evcorr.sourceforge.net) can be used for correlating logs, though most people will likely find OSSEC's correlation a bit easier to use.
  • Log2timeline (log2timeline.net/) is a useful tool for investigative review of logs; it can create a timeline view out of raw log data.
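The correlation that sec and OSSEC perform is, at its core, a sliding-window count over parsed events: "N matching events from the same key within T seconds produce one alert". As an added example, which is neither code from the original post nor from either project, the block below reimplements one such rule (a SEC-style threshold rule) in Python and runs it over constructed sshd syslog lines. The hostname, user names, addresses and the year 2011 are assumptions; the year is needed only because traditional syslog headers carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample (not real data): traditional syslog-format lines as sshd
# on a Linux host would emit them. One source makes five attempts in ten
# seconds; another makes one attempt, pauses five minutes, then makes five more.
SAMPLE_LOG = """\
Apr  8 10:15:01 web01 sshd[2041]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Apr  8 10:15:03 web01 sshd[2041]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Apr  8 10:15:04 web01 sshd[2045]: Failed password for root from 198.51.100.9 port 40101 ssh2
Apr  8 10:15:06 web01 sshd[2047]: Failed password for invalid user test from 203.0.113.7 port 51030 ssh2
Apr  8 10:15:09 web01 sshd[2049]: Failed password for invalid user oracle from 203.0.113.7 port 51031 ssh2
Apr  8 10:15:10 web01 sshd[2049]: Failed password for invalid user oracle from 203.0.113.7 port 51031 ssh2
Apr  8 10:15:12 web01 sshd[2051]: Accepted publickey for deploy from 192.0.2.20 port 22111 ssh2
Apr  8 10:20:30 web01 sshd[2060]: Failed password for root from 198.51.100.9 port 40150 ssh2
Apr  8 10:20:31 web01 sshd[2061]: Failed password for root from 198.51.100.9 port 40151 ssh2
Apr  8 10:20:33 web01 sshd[2062]: Failed password for root from 198.51.100.9 port 40152 ssh2
Apr  8 10:20:35 web01 sshd[2063]: Failed password for root from 198.51.100.9 port 40153 ssh2
Apr  8 10:20:40 web01 sshd[2064]: Failed password for root from 198.51.100.9 port 40154 ssh2
"""

# Traditional syslog header: "Mon DD HH:MM:SS host tag[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# sshd failure message, with or without the "invalid user" prefix
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_line(line, year=2011):
    """Split one syslog line into a dict; return None for lines that do not match.

    The year is an assumption: the classic syslog header does not carry one.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
    return ev


def correlate_failed_logins(lines, threshold=5, window_seconds=60):
    """SEC-style threshold rule: one alert when `threshold` failed SSH logins
    from the same source address fall within a sliding window of
    `window_seconds`. The counter for that source is reset after firing, so a
    burst of 50 attempts yields one alert rather than 46."""
    recent = defaultdict(deque)   # source IP -> timestamps still inside the window
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["tag"] != "sshd":
            continue
        fm = FAILED_RE.search(ev["msg"])
        if not fm:
            continue                # e.g. "Accepted publickey" lines are ignored
        src, now = fm.group("src"), ev["time"]
        q = recent[src]
        # Evict timestamps that have slid out of the window before counting.
        while q and (now - q[0]).total_seconds() > window_seconds:
            q.popleft()
        q.append(now)
        if len(q) >= threshold:
            alerts.append({
                "host": ev["host"],
                "src": src,
                "count": len(q),
                "first": q[0],
                "last": now,
            })
            q.clear()               # suppress repeats for the same burst
    return alerts


def run_sample():
    """Run the rule over the constructed log; returns the list of alerts."""
    return correlate_failed_logins(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['host']}: {a['count']} failed SSH logins from {a['src']} "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

Run on the sample it reports two alerts, one per attacking address, and stays quiet about the single 10:15:04 failure from the second address because that event has left the 60-second window by the time the later burst starts. That eviction step is the part people most often get wrong when hand-rolling correlation: counting over a fixed bucket instead of a sliding window either splits a burst across two buckets or double-counts it.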
The next list is an "honorable mentions" list of logging tools that don't quite fit the definition above:

  • Splunk is neither free nor open source, but it has a free version usable for searching up to 500MB of log data per day; think of it as a smart search engine for logs. Splunk includes a tool for extracting parameters out of log data.
  • Offering both fast index searches and parsed data reports, Novell Sentinel Log Manager 25 is not open source, but can be used for free forever as long as your log data volume does not exceed 25 log messages per second (25 EPS). Unlike Splunk above, it includes log data parsing for select log formats and thus can be used for running reports out of the box, not just searching.
  • Q1Labs is also neither free nor open source, but it has a free version usable for managing up to 50 EPS (roughly 2GB/day). It can be downloaded as a virtual appliance.
  • OSSIM is not just for logs and also includes OSSEC; it is an open source SIEM tool and can be used much the same way as commercial Security Information and Event Management tools are used (SIEM use cases).
  • Sguil is not a log analysis tool but a network security monitoring (NSM) tool; it does, however, use logs in its analysis.
  • The Loggly cloud logging service now offers free developer accounts (at loggly.com/signup) for its cloud log management service. The volume limit is 200MB/day and the retention limit is 7 days. If you'd like to collect and search your logs without running any software, this is for you.
For a list of commercial log management tools go to the Security Scoreboard site. A few of the commercial tools offer free trials for 30 days or longer.

P.S. I’d love to finally test GrayLog in my lab since it looks very promising, but – sorry – I was not able to get it to work. Too much Ruby and Java for my Linux box… BTW, I have a couple more fun new tools that I plan to test and then possibly add to this list.

P.P.S. Comment response will be slow, I am away from computers.

Cross-posted from Security Warrior
