<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"
	xmlns:media="http://search.yahoo.com/mrss/"
	>
<channel>
	<title>Comments on: How many devices reporting to your SIM / SEM?</title>
	<atom:link href="http://www.infosecpodcast.com/2006/08/how-many-devices-reporting-to-your-sim-sem/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.infosecpodcast.com/2006/08/how-many-devices-reporting-to-your-sim-sem/</link>
	<description>Information Security related news, opinions and ramblings</description>
	<lastBuildDate>Sat, 09 Jul 2011 16:32:24 -0400</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: Christofer Hoff</title>
		<link>http://www.infosecpodcast.com/2006/08/how-many-devices-reporting-to-your-sim-sem/comment-page-1/#comment-35</link>
		<dc:creator>Christofer Hoff</dc:creator>
		<pubDate>Thu, 10 Aug 2006 01:29:56 +0000</pubDate>
		<guid isPermaLink="false">http://www.infosecpodcast.com/security/2006/08/how-many-devices-reporting-to-your-sim-sem/#comment-35</guid>
		<description>Hi Chris... 
 
Recalling a past life, I implemented a mid-tier SEIM tool which I originally deployed as a centralized log consolidation and archival platform which, over time, evolved with the vendor&#039;s software to a full-fledged SEIM solution.
 
We had approximately 250+ Windows (NT, 2K, 2K3) servers, some Linux and 4 firewall clusters (Crossbeam, Nokia, Pix) and some IDP reporting via various conduits: LEA, Syslog, SNMP, and Windows Events. This did not make up the entire enterprise, but rather things that provided critical control or were high-value assets.
 
On average we hit over 3700 events per second with the bulk of the log entries coming from the rather noisy FW/IDP devices as well as the steady state Windows stuff. 
 
Yes, the reporting tended to be slow(er than we would have liked) and we began to look at other alternatives as they came to market such as SenSage and LogLogic for the archival and fast search capabilities. 
 
We used the dashboard for threshold notification (as realtime as it got for us) which triggered based upon device input and certain combinations/correlation of various abstracted/linked patterns indicating &quot;anomalous&quot; and potentially &quot;bad&quot; traffic. 
 
Chris </description>
		<content:encoded><![CDATA[<p>Hi Chris&#8230;</p>
<p>Recalling a past life, I implemented a mid-tier SEIM tool which I originally deployed as a centralized log consolidation and archival platform which, over time, evolved with the vendor&#039;s software to a full-fledged SEIM solution.</p>
<p>We had approximately 250+ Windows (NT, 2K, 2K3) servers, some Linux and 4 firewall clusters (Crossbeam, Nokia, Pix) and some IDP reporting via various conduits: LEA, Syslog, SNMP, and Windows Events. This did not make up the entire enterprise, but rather things that provided critical control or were high-value assets.</p>
<p>On average we hit over 3700 events per second with the bulk of the log entries coming from the rather noisy FW/IDP devices as well as the steady state Windows stuff.</p>
<p>Yes, the reporting tended to be slow(er than we would have liked) and we began to look at other alternatives as they came to market such as SenSage and LogLogic for the archival and fast search capabilities.</p>
<p>We used the dashboard for threshold notification (as realtime as it got for us) which triggered based upon device input and certain combinations/correlation of various abstracted/linked patterns indicating &quot;anomalous&quot; and potentially &quot;bad&quot; traffic.</p>
<p>Chris</p>
]]></content:encoded>
	</item>
</channel>
</rss>