incubator-alois-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Apache Wiki <>
Subject [Alois Wiki] Update of "IMF2011" by UrsLerch
Date Fri, 14 Jan 2011 22:17:40 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Alois Wiki" for change notification.

The "IMF2011" page has been changed by UrsLerch.
The comment on this change is: added the chapter Architecture of Apache ALOIS.


  The term Security Information Event Management (SIEM) describes the capabilities of gathering,
analyzing and presenting information from very different sources as network and security devices,
identity and access management applications, operating system, database and application logs
and even external threat data. While the sources are at least partly very different from those
of computer forensics, the capabilities are almost the same!
+ == Architecture of Apache ALOIS ==
+ Apache ALOIS consists of five modules interacting to ensure a scaleable functionality of
+  * Insink is the message sink, which is the receiving entry point  for all the different
log messages into Apache ALOIS. It is partly  based on the syslog-ng software. Insink listens
for messages (UDP),  waits for messages (TCP), receives message collections (files, emails)
 and pre-filters them to prevent from message flow overload.
+  * Pumpy is the incoming FIFO buffer, implemented as a relational  database tables. which
contain the incoming original messages (in raw  format). In a complex system setup, there
may be several insink  instances, e.g. for a group of hosts, for specific types of messages,
or  for high-avaliablity.
+  * Prisma contains logic to split up the text of log messages  into separate fields, based
on regular expressions. Actually, "prisma"  is a set of "prismi", each one prisma for one
type of log message  (apache, cisco etc. Several prismi can be applied to the same message.
 This allows for stacked messages, i.e. forwarded log messages contained  in compressed files
contained in e-mail messages. The data retrieved  form the log messages is stored in a database
called Dobby. Due to  prisma being written in Ruby, prismi can be applied interactively (when
 having system access).
+  * Dobby is the central log database. It should be separated from  the Pumpy database for
availability and performance reasons. The  current implementation is based on MySQL.
+  * The Analyzer contains the two sub-systems Lizard and Reptor.  Lizard is the analysis
engine and user interface of Apache ALOIS,  implemented in Ruby on Rails using AJAX. It allows
for interactive  browsing through the collected data, exclusion/inclusion/selection of  data,
data sorting, data filtering, creation of views, ad-hoc textual  and graphical reporting.
Reptor allows for automatic activation of views  and comparison of these views' results to
a predefined result (pattern  matching). In case of mismatch, Reptor sends the result to predefined
 e-mail addresses.
+ Since an image explains more than a thousand words, here is an overview of the data flow
through the different modules:
+ {{}}
+ Up to now, the creation of the input is not part of Apache ALOIS. On the one hand, the logs
are generated by the the different systems itself. On the other hand, by using the standard
interface SYSLOG, there was no need to care too much on this part so far. Other SIEM software
do include so called "agents", which create, collect and/or prepare information for the tool.
By using the technology of agents, Apache ALOIS could easily be extended for completly new
use cases.
- == Apache ALOIS as a platform for computer forensics ==
+ == Extending Apache ALOIS to a platform for computer forensics ==
  [Apache ALOIS vision]
  == Conclusions ==

View raw message