incubator-alois-dev mailing list archives

From Urs Lerch <m...@ulerch.net>
Subject roadmap
Date Tue, 07 Dec 2010 18:06:13 GMT
Hi,

Marcus recently asked me to take a closer look at the new version of
syslog-ng, and whether it could possibly be integrated in ALOIS or if it is
even becoming a competitor to ALOIS. Here are my findings in short:

  - syslog-ng still only contains part of the functionality of ALOIS,
    but might head towards a fully implemented SIEM
  - furthermore, some of the (interesting) functionality is proprietary
  - syslog-ng is therefore dual-licensed; patches are filtered by the
    company behind syslog-ng
  - if any, I would prefer rsyslog

We still have the issue of a roadmap open. I think we already agreed to
first discuss where we are heading before becoming more concrete.
Therefore I present "my vision" for discussion:

<vision>

I see Apache ALOIS as a "best of breeds" pot. Therefore, ALOIS contains a
core which is (or at least kind of) a message bus. This message bus is
the interface for all of these tools to work together. I am not talking
of a general message bus (but we might take one as a base), but one
which is specifically for this case and can and will contain some
application logic. To have a fully functional SIEM without legal
incompatibility there is for every interface its own tool, which
implements the basic functionality. These tools could be the actual
modules of ALOIS.

I see the following basic functionality (and therefore interfaces):

  1. Collectors or agents, which collect the logs of a system or
     application
  2. Data server, which collects all logs from agents, stores them and
     maybe does some filtering
  3. Data mining, which correlates the data
  4. Reporting
  5. Frontend for display

This basic functionality should be implemented independently, and
therefore such a tool (or group of tools) can be replaced rather easily
if a better one is found. To allow this independence we need a
message bus.

</vision>

Please give your input, be it comments on my vision or be it your own.

Best,
Urs
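The following is an added illustration of the vision above, not code from the ALOIS project or from the mail's author. It wires the five interfaces the mail lists (collector, data server, data mining, reporting, and a frontend slot) to a small topic-based message bus, so that each module only knows topic names and can be swapped without touching the others. The bus, module and topic names, the threshold rule, and the syslog-style sample lines are all hypothetical; the language choice (Ruby) is illustrative and does not imply anything about how ALOIS itself is written.

```ruby
# Added example (not ALOIS code): five replaceable modules on a minimal
# publish/subscribe bus. All class, method and topic names are hypothetical.

# Core: a topic-based bus. Modules never reference each other directly,
# only the topics they publish to or subscribe on.
class Bus
  def initialize
    @subscribers = Hash.new { |h, k| h[k] = [] }
  end

  def subscribe(topic, &handler)
    @subscribers[topic] << handler
  end

  def publish(topic, message)
    @subscribers[topic].each { |handler| handler.call(message) }
  end
end

# 1. Collector/agent: parses BSD-syslog-style lines into structured events
#    and publishes them. Lines that do not parse are dropped (returns nil).
class SyslogCollector
  LINE = /\A(?<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?<host>\S+) (?<app>[\w-]+)(?:\[\d+\])?: (?<msg>.*)\z/

  def initialize(bus)
    @bus = bus
  end

  def feed(line)
    m = LINE.match(line) or return nil
    event = { ts: m[:ts], host: m[:host], app: m[:app], msg: m[:msg] }
    @bus.publish('events.raw', event)
    event
  end
end

# 2. Data server: stores every parsed event, then republishes it for analysis.
class DataServer
  attr_reader :store

  def initialize(bus)
    @store = []
    bus.subscribe('events.raw') do |event|
      @store << event
      bus.publish('events.stored', event)
    end
  end
end

# 3. Data mining: a simple correlation rule; an alert fires once when a source
#    IP reaches `threshold` failed SSH logins (hypothetical rule for illustration).
class FailedLoginCorrelator
  FAILED = /Failed password for (?:invalid user )?(?<user>\S+) from (?<ip>[\d.]+)/

  def initialize(bus, threshold: 3)
    @counts = Hash.new(0)
    bus.subscribe('events.stored') do |event|
      m = FAILED.match(event[:msg]) or next
      @counts[m[:ip]] += 1
      if @counts[m[:ip]] == threshold
        bus.publish('alerts', { ip: m[:ip], count: threshold, host: event[:host] })
      end
    end
  end
end

# 4. Reporting: collects alerts and renders a text summary.
#    5. A frontend would simply be one more subscriber on 'alerts'.
class Reporter
  attr_reader :alerts

  def initialize(bus)
    @alerts = []
    bus.subscribe('alerts') { |alert| @alerts << alert }
  end

  def summary
    @alerts.map { |a| "#{a[:ip]}: #{a[:count]} failed logins on #{a[:host]}" }
  end
end

# Wire the modules together and run a batch of lines through the pipeline.
def run_pipeline(lines)
  bus = Bus.new
  collector = SyslogCollector.new(bus)
  server = DataServer.new(bus)
  FailedLoginCorrelator.new(bus, threshold: 3)
  reporter = Reporter.new(bus)
  lines.each { |line| collector.feed(line) }
  { stored: server.store.size, alerts: reporter.alerts, report: reporter.summary }
end

# Constructed sample input standing in for what agents would deliver.
SAMPLE_LINES = [
  'Dec  7 18:06:13 web1 sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 4711 ssh2',
  'Dec  7 18:06:14 web1 sshd[1234]: Failed password for root from 203.0.113.7 port 4712 ssh2',
  'Dec  7 18:06:15 web1 sshd[1234]: Accepted publickey for urs from 198.51.100.5 port 5000 ssh2',
  'Dec  7 18:06:16 web1 sshd[1234]: Failed password for root from 203.0.113.7 port 4713 ssh2',
  'Dec  7 18:06:17 web1 sshd[1234]: Failed password for root from 203.0.113.7 port 4714 ssh2',
  'this line is not syslog and is dropped by the collector'
].freeze

if __FILE__ == $PROGRAM_NAME
  puts run_pipeline(SAMPLE_LINES)[:report]
end
```

Replacing any module (say, swapping the threshold correlator for a real engine, or the in-memory store for a database) means subscribing a different object to the same topics; nothing else in the pipeline changes, which is the independence the message bus is meant to buy.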
