Posted to alois-dev@incubator.apache.org by Urs Lerch <ma...@ulerch.net> on 2010/12/07 18:06:13 UTC

roadmap

Hi,

Marcus recently asked me to take a closer look at the new version of
syslog-ng, and whether it could possibly be integrated in ALOIS or whether
it is even becoming a competitor to ALOIS. Here are my findings in short:

  - syslog-ng still only contains part of the functionality of ALOIS,
    but might head towards a fully implemented SIEM
  - furthermore, some of the (interesting) functionality is proprietary
  - syslog-ng therefore is dual-licensed, and patches are filtered by the
    company behind syslog-ng
  - if any, I would prefer rsyslog

We still have the issue of a roadmap open. I think we already agreed to
first discuss where we are heading before becoming more concrete.
Therefore I present "my vision" for discussion:

<vision>

I see Apache ALOIS as a "best of breed" pot. Therefore, ALOIS contains a
core which is (or at least kind of is) a message bus. This message bus is
the interface for all of these tools to work together. I am not talking
of a general message bus (but we might take one as a base), but one
which is specially made for this case and can and will contain some
application logic. To have a fully functional SIEM without legal
incompatibility, every interface has its own tool, which
implements the basic functionality. These tools could be the actual
modules of ALOIS.

I see the following basic functionality (and therefore interfaces):

  1. Collectors or agents, which collect the logs of a system or
     application
  2. Data server, which collects all logs from agents, stores them and
     maybe does some filtering
  3. Data mining, which correlates the data
  4. Reporting
  5. Frontend for display

This basic functionality should be implemented independently, and
therefore such a tool (or group of tools) can be replaced rather easily if
a better one is found. To allow this independence we need a
message bus.

</vision>

Please give your input, be it comments on my vision or be it your own.

Best,
Urs
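
The module-and-bus design from the vision above, as an added illustration that is not part of this mail or of the ALOIS code base: a small in-process publish/subscribe bus in Python with one class per interface (collector, data server, correlator, reporter; the frontend is left out). Each module talks only to the bus on named topics, which is what makes any one of them replaceable. The topic names, the message fields, the syslog-style sample lines and the failed-login threshold are all constructed for the example.

```python
"""Sketch of a SIEM built from replaceable modules around a message bus.

Modules publish and subscribe on named topics and never call each other
directly, so each can be swapped for another implementation that honours
the same topics and message shape. Topic names, message fields and the
sample log lines are constructed for this illustration (not from ALOIS).
"""
import re
from collections import Counter, defaultdict


class MessageBus:
    """Synchronous topic-based publish/subscribe; the core of the design."""

    def __init__(self):
        self._handlers = defaultdict(list)

    def subscribe(self, topic, handler):
        self._handlers[topic].append(handler)

    def publish(self, topic, message):
        for handler in list(self._handlers[topic]):
            handler(message)


# Interface 1: collector/agent -- turns raw syslog-style lines into events.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$")


class Collector:
    def __init__(self, bus):
        self.bus = bus

    def ingest(self, raw_line):
        match = LINE_RE.match(raw_line)
        if match is None:
            # Keep unparseable input on its own topic rather than dropping it.
            self.bus.publish("events.unparsed", {"raw": raw_line})
            return
        self.bus.publish("events.raw", match.groupdict())


# Interface 2: data server -- stores everything, forwards what is worth mining.
class DataServer:
    def __init__(self, bus, noisy_programs=("cron",)):
        self.bus = bus
        self.store = []      # stand-in for a database
        self.unparsed = []
        self.noisy = set(noisy_programs)
        bus.subscribe("events.raw", self.on_event)
        bus.subscribe("events.unparsed", self.unparsed.append)

    def on_event(self, event):
        self.store.append(event)
        if event["prog"] not in self.noisy:
            self.bus.publish("events.filtered", event)


# Interface 3: data mining -- correlates repeated failed logins per source.
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+)")


class Correlator:
    def __init__(self, bus, threshold=3):
        self.bus = bus
        self.threshold = threshold
        self.failures = Counter()
        bus.subscribe("events.filtered", self.on_event)

    def on_event(self, event):
        match = FAIL_RE.search(event["msg"])
        if match is None:
            return
        source = match.group(1)
        self.failures[source] += 1
        if self.failures[source] == self.threshold:  # alert once per source
            self.bus.publish("alerts", {"type": "repeated_failed_logins",
                                        "source": source, "host": event["host"],
                                        "count": self.failures[source]})


# Interface 4: reporting -- collects alerts and renders a summary.
class Reporter:
    def __init__(self, bus):
        self.alerts = []
        bus.subscribe("alerts", self.alerts.append)

    def summary(self):
        return ["%s: %d failed logins from %s on %s"
                % (a["type"], a["count"], a["source"], a["host"])
                for a in self.alerts]


# Constructed sample input (documentation-range addresses, invented host).
SAMPLE_LINES = [
    "2010-12-07T18:06:13 web01 sshd[2231]: Failed password for invalid user admin from 198.51.100.7 port 4122 ssh2",
    "2010-12-07T18:06:14 web01 sshd[2231]: Failed password for root from 198.51.100.7 port 4123 ssh2",
    "2010-12-07T18:06:15 web01 cron[1002]: (root) CMD (run-parts /etc/cron.hourly)",
    "2010-12-07T18:06:16 web01 sshd[2231]: Failed password for root from 198.51.100.7 port 4124 ssh2",
    "2010-12-07T18:06:17 web01 sshd[2240]: Accepted publickey for urs from 192.0.2.10 port 51012 ssh2",
    "this line is not syslog at all",
]


def run_pipeline(lines, threshold=3):
    """Wire the modules together through the bus only and feed it lines."""
    bus = MessageBus()
    collector, server = Collector(bus), DataServer(bus)
    Correlator(bus, threshold)
    reporter = Reporter(bus)
    for line in lines:
        collector.ingest(line)
    return {"stored": len(server.store), "unparsed": len(server.unparsed),
            "alerts": reporter.alerts, "report": reporter.summary()}


if __name__ == "__main__":
    print("\n".join(run_pipeline(SAMPLE_LINES)["report"]))
```

Swapping the in-memory `DataServer` for one backed by a real store, or the `Correlator` for a different rule engine, touches only that class: the other modules see the same `events.raw`, `events.filtered` and `alerts` topics. Unparsed input is kept on its own topic so a parser gap is visible instead of silently losing evidence.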

Re: roadmap

Posted by Urs Lerch <ma...@ulerch.net>.
Hi Christian,

thanks for your input and suggestions. Actually, I'm almost finished
with the project page creation and hope to publish it today, certainly
tomorrow.

I believe that the next step is to actively build a community, too. Do
you have any suggestions on how to proceed best? I'll add this point to our
board report. But in my opinion, we should keep the roadmap on our site
on a technical level.

Best,
Urs


On Wednesday, 08.12.2010, 12:27 +0100, Christian Grobmeier wrote:
> Urs,
> even though I do not have deep insight into ALOIS, your roadmap looks good.
> I would like to add the following to the discussion: ALOIS should get
> a community as soon as possible. The project should start immediately
> with a webpage, "how to get involved" articles and of course publish the
> roadmap below. The tasks you mentioned sound like tons of work and I
> believe helping hands are crucial for success.
> 
> That being said, I would like to see these community aspects on the
> roadmap, even though the roadmap was meant more on a technical level.
> 
> Additionally I might be able to help a little bit with project page creation.
> 
> Cheers
> Christian
> 
> On Tue, Dec 7, 2010 at 7:06 PM, Urs Lerch <ma...@ulerch.net> wrote:
> > Hi,
> >
> > Marcus recently asked me to take a closer look at the new version of
> > syslog-ng, and whether it could possibly be integrated in ALOIS or whether
> > it is even becoming a competitor to ALOIS. Here are my findings in short:
> >
> >  - syslog-ng still only contains part of the functionality of ALOIS,
> >    but might head towards a fully implemented SIEM
> >  - furthermore, some of the (interesting) functionality is proprietary
> >  - syslog-ng therefore is dual-licensed, and patches are filtered by the
> >    company behind syslog-ng
> >  - if any, I would prefer rsyslog
> >
> > We still have the issue of a roadmap open. I think we already agreed to
> > first discuss where we are heading before becoming more concrete.
> > Therefore I present "my vision" for discussion:
> >
> > <vision>
> >
> > I see Apache ALOIS as a "best of breed" pot. Therefore, ALOIS contains a
> > core which is (or at least kind of is) a message bus. This message bus is
> > the interface for all of these tools to work together. I am not talking
> > of a general message bus (but we might take one as a base), but one
> > which is specially made for this case and can and will contain some
> > application logic. To have a fully functional SIEM without legal
> > incompatibility, every interface has its own tool, which
> > implements the basic functionality. These tools could be the actual
> > modules of ALOIS.
> >
> > I see the following basic functionality (and therefore interfaces):
> >
> >  1. Collectors or agents, which collect the logs of a system or
> >     application
> >  2. Data server, which collects all logs from agents, stores them and
> >     maybe does some filtering
> >  3. Data mining, which correlates the data
> >  4. Reporting
> >  5. Frontend for display
> >
> > This basic functionality should be implemented independently, and
> > therefore such a tool (or group of tools) can be replaced rather easily if
> > a better one is found. To allow this independence we need a
> > message bus.
> >
> > </vision>
> >
> > Please give your input, be it comments on my vision or be it your own.
> >
> > Best,
> > Urs
> >
> 
> 
> 


Re: roadmap

Posted by Christian Grobmeier <gr...@gmail.com>.
Urs,
even though I do not have deep insight into ALOIS, your roadmap looks good.
I would like to add the following to the discussion: ALOIS should get
a community as soon as possible. The project should start immediately
with a webpage, "how to get involved" articles and of course publish the
roadmap below. The tasks you mentioned sound like tons of work and I
believe helping hands are crucial for success.

That being said, I would like to see these community aspects on the
roadmap, even though the roadmap was meant more on a technical level.

Additionally I might be able to help a little bit with project page creation.

Cheers
Christian

On Tue, Dec 7, 2010 at 7:06 PM, Urs Lerch <ma...@ulerch.net> wrote:
> Hi,
>
> Marcus recently asked me to take a closer look at the new version of
> syslog-ng, and whether it could possibly be integrated in ALOIS or whether
> it is even becoming a competitor to ALOIS. Here are my findings in short:
>
>  - syslog-ng still only contains part of the functionality of ALOIS,
>    but might head towards a fully implemented SIEM
>  - furthermore, some of the (interesting) functionality is proprietary
>  - syslog-ng therefore is dual-licensed, and patches are filtered by the
>    company behind syslog-ng
>  - if any, I would prefer rsyslog
>
> We still have the issue of a roadmap open. I think we already agreed to
> first discuss where we are heading before becoming more concrete.
> Therefore I present "my vision" for discussion:
>
> <vision>
>
> I see Apache ALOIS as a "best of breed" pot. Therefore, ALOIS contains a
> core which is (or at least kind of is) a message bus. This message bus is
> the interface for all of these tools to work together. I am not talking
> of a general message bus (but we might take one as a base), but one
> which is specially made for this case and can and will contain some
> application logic. To have a fully functional SIEM without legal
> incompatibility, every interface has its own tool, which
> implements the basic functionality. These tools could be the actual
> modules of ALOIS.
>
> I see the following basic functionality (and therefore interfaces):
>
>  1. Collectors or agents, which collect the logs of a system or
>     application
>  2. Data server, which collects all logs from agents, stores them and
>     maybe does some filtering
>  3. Data mining, which correlates the data
>  4. Reporting
>  5. Frontend for display
>
> This basic functionality should be implemented independently, and
> therefore such a tool (or group of tools) can be replaced rather easily if
> a better one is found. To allow this independence we need a
> message bus.
>
> </vision>
>
> Please give your input, be it comments on my vision or be it your own.
>
> Best,
> Urs
>



-- 
http://www.grobmeier.de