Hi all!
I am having a difficult time identifying a cost-effective SIEM tool for my clients. Does anyone have any suggestions? I know there are many solutions out there in the marketplace, but they are typically very expensive, too expensive for SMB.
Thanks.
Matt
Thanks so much! This looks perfect!
As I’ve gotten further into this solution, it appears that it needs to be placed on a Linux VM at a minimum.
What do you all do for those small business clients who may not be running any virtualization or Linux boxes? I was looking at possibly installing this onto a micro PC with Ubunto and placing it on my client’s network? Ever tried that before?
Thanks.
Yes, that is the solution for clients that don’t have a virtualization stack.
what micro PCs would be recommended in that scenario? raspberry pi?
Blumira does not support ARM chips so I believe this would disqualify RP. I am testing it on an Intel NUC and it seems like this is an option that would be good for some circumstances.
Thanks.
Matt
Hey all, sorry to bump an old thread but I just signed up here so I wanted to chime in. I am an SE at Blumira, this question has come up a few times lately so I wanted to add some ideas in terms of hardware as a logging device.
Indeed as it has been suggested, ARM is out, and likely we would wreck the SD card anyways unless you set up an external SSD to boot from, either way one of our packages does not have an ARM option available.
I have tested a few different devices, a reasonably modern i3 CPU should be fine, 4-8GB of RAM is plenty, RAM is so cheap might as well go with 8. 100+GB of storage, on an SSD (this is important). This should definitely handle firewall logs plus some Windows devices as well. Hard to say on how many devices, both firewall logging and Windows logging can be kind of inconsistent in how much log volume you get, but you could at the least be running a firewall and at least 10 Windows PCs through something like this.
My recommendation to look at using virtualization on the hardware, gives you more options without needing to go on site somewhere. I like proxmox for this purpose, often times on these micro-PCs you have issues with the HCL if you use VMware, customizing the ESXi ISO is a pain and really not worth it in most cases. Proxmox will install on pretty much anything without issue.
I have not tested it yet, but I suspect that in a very small environment, a Intel N5105 or similar might be enough CPU. There are a lot of neat embedded-type micro-PCs out there now with these type of chips in them. Again, I have not tested this yet but its an interesting idea to look at. The N5105 benchmarks a little more than half the performance of an i3-8100.
One of my home servers is an old Datto S3X2, it does a heck of a lot for an i3-7100 with 32GB of RAM, I run a small sensor on that host as well as Home Assistant and a bunch of other stuff. I think this is some rebranded generic PC, there are a lot like this out there.
Happy to answer any other questions on this in regards to standalone log collectors with Blumira. We do also have a Windows agent now that sends logs straight to cloud without needing to go through the sensor. Firewall logs would still need to go through the sensor at this time.
What about using Graylog as a SIEM?
Yes you can do that but that is not part of the free Graylog offering and it would require that you manage it, maintain the feeds, and do the investigations.
Security Onion is another option but that is even more of a manual process.