Response to: Can be OSSIM considered a SIEM? Is it enterprise ready?

It looks as though my comments on OSSIM did not fall on deaf ears. They have, in fact, caused my comments to be lumped in with Anton Chuvakin’s and massaged into something that reads as “OSSIM is not a SIEM” and “OSSIM is too difficult for S/MB and not reliable enough for the Enterprise”. Ummm….alright. Let’s clarify a few things here:

I have never said that OSSIM was not a SIEM.

In fact I was a big supporter of it early on but fell out of love with it when there was no visible progress over a 2 year period. I’m not blaming the developers, and I totally understand the Open Source ideals, but you can’t argue that a product is as good or better than a commercial alternative just because it is free and Open Source. To quote a Southern friend of mine – that dog won’t hunt.

Is it an Enterprise SIEM?

No, I don’t believe it is (but am willing to be corrected). I see it as a great SIEM solution if you’re feeding it data from other Open Source products. Looking at the “collector” page, which lists the supported data sources, shows me that either the integration points are very generalized or the marketing material needs updating (for example, it looks as though OSSIM can collect data from Microsoft Office and Netscape, based on the logos). If I were in the market for a SIEM solution and saw the “collector” page, I’d be just as confused as when I started looking.

When I last tried to use OSSIM I deduced it wasn’t user-friendly enough for an SMB to use.

When I install a product, I don’t want to have to jump through numerous hoops to get it up and running. Back when I tried to install OSSIM I was sent all over hell and creation to find the required packages to get it up and running. This is not user-friendly. Maybe I’m lazy…maybe I’m just too busy to screw around with a product to poke and prod it into working for me. Maybe this has changed since I last tried it, but I’d need some serious convincing to go back.

Am I willing to give it a second chance?

Sure! I’m a big proponent of all SIEM technologies and would certainly open my mind to trying it again. I would, however, want to run it alongside a couple of enterprise SIEM solutions to see how it stacks up. I wouldn’t want to just evaluate the technology but would also like to see how the paid support stacks up against enterprise SIEM support channels.

Dom, if you’re up for the challenge, let me know 🙂

