incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Niclas Hedhman <>
Subject Re: [VOTE] ALOIS to enter the incubator
Date Thu, 16 Sep 2010 15:42:39 GMT
I think it is often a sign of "I don't care either way", when no one
responds. At least this is my take on projects; If I don't care, I
won't stop others from embracing, and silently say nothing.


On Thu, Sep 16, 2010 at 7:16 PM, Christian Grobmeier
<> wrote:
> All,
> this vote will fail in three hours because nobody responds to it. Are
> there any objections against this proposal? Or why is this vote
> ignored?
> Best regards,
> Christian
> On Wed, Sep 15, 2010 at 4:06 PM, Urs Lerch <> wrote:
>> Hi everybody out there
>> The vote for ALOIS ends in about 24 hours. Are there any more comments
>> or votes? We would appreciate it to get to know your opinion.
>> Best
>> Urs
>> Am Montag, den 13.09.2010, 11:33 -0400 schrieb Urs Lerch:
>>> Hi
>>> Since the first call a few weeks ago didn't suceed (more mentors were
>>> asked), I would like to call a second vote for accepting the security
>>> information and event management tool "ALOIS" for incubation in the
>>> Apache Incubator. Thanks Christian Grobmeier we now have two mentors at
>>> least. But any additional mentors are still warmly welcome. The full
>>> proposal is available below and on the proposal wiki page
>>> (
>>> Please cast your vote:
>>> [ ] +1, bring ALOIS into Incubator
>>> [ ] +0, I don't care either way,
>>> [ ] -1, do not bring ALOIS into Incubator, because...
>>> This vote will be open for 72 hours and, at least that's the way I
>>> understood, only votes from the Incubator PMC are binding.
>>> Thanks,
>>> Urs
>>> -----------------------------------------------------------------------
>>> = Preface =
>>> ALOIS is a log collection and correlation software with reporting and
>>> alarming functionalities. It has been implemented by the Swiss company
>>> IMSEC for a customer about five years ago. GPL-licenced, implemented in
>>> Ruby and completely based on other OSS-licensed components, it was
>>> designed for the open source community right from the start. Now that
>>> the software has shown its functioning over several years in production
>>> with the one customer and one IMSEC-internal installation, it seems to
>>> be the right time to open it to a wider community.
>>> = Abstract =
>>> ALOIS stands for „Advanced Logging and Intrusion Detection System“ and
>>> is meant to be a fully implemented open source SIEM (security
>>> information and event management) system.
>>> = Proposal =
>>> While almost all other SIEM software, be it closed or open source,
>>> concentrate on the technological part of security monitoring, ALOIS is
>>> aimed to monitor the security of the content. It intends to be
>>> pro-active in the detection of potential loss, theft, mistaken
>>> modification or unauthorized access. ALOIS works on log messages and
>>> thus contains all the basic functionality of a conventional SIEM, as
>>> centralized collecting, normalizing, aggregation, analyzing and
>>> correlating of all log messages, as well as reporting all security
>>> related events. Therefore it can be used as any other SIEM.
>>> ALOIS consists of five modules interacting to ensure a scaleable
>>> functionality of a SIEM:
>>>   * Insink is the message sink, which is the receiving entry point for
>>> all the different log messages into ALOIS. It is partly based on the
>>> syslog-ng software. Insink listens for messages (UDP), waits for
>>> messages (TCP), receives message collections (files, emails) and
>>> pre-filters them to prevent from message flow overload.
>>>   * Pumpy is the incoming FIFO buffer, implemented as a relational
>>> database tables. which contain the incoming original messages (in raw
>>> format). In a complex system setup, there may be several insink
>>> instances, e.g. for a group of hosts, for specific types of messages, or
>>> for high-avaliablity.
>>>   * Prisma contains logic to split up the text of log messages into
>>> separate fields, based on regular expressions. Actually, "prisma" is a
>>> set of "prismi", each one prisma for one type of log message (apache,
>>> cisco etc. Several prismi can be applied to the same message. This
>>> allows for stacked messages, i.e. forwarded log messages contained in
>>> compressed files contained in e-mail messages. The data retrieved form
>>> the log messages is stored in a database called Dobby. Due to prisma
>>> being written in Ruby, prismi can be applied interactively (when having
>>> system access).
>>>   * Dobby is the central log database. It should be separated from the
>>> Pumpy database for availability and performance reasons. The current
>>> implementation is based on MySQL.
>>>   * The Analyzer contains the two sub-systems Lizard and Reptor. Lizard
>>> is the analysis engine and user interface of ALOIS, implemented in Ruby
>>> on Rails using AJAX. It allows for interactive browsing through the
>>> collected data, exclusion/inclusion/selection of data, data sorting,
>>> data filtering, creation of views, ad-hoc textual and graphical
>>> reporting. Reptor allows for automatic activation of views and
>>> comparison of these views' results to a predefined result (pattern
>>> matching). In case of mismatch, Reptor sends the result to predefined
>>> e-mail addresses.
>>> Its modular design guarantees ALOIS to scale from little to large
>>> organizations. Since there exists a Debian package, it's easy to build a
>>> test system or even a productive system for small environments.
>>> Although the software has been in productive use for a few years, there
>>> is still a lot of desired functionality missing. The plugability of new
>>> connected systems is given, but needs some revision. It is a given goal
>>> of the project to allow modules in other programming language.
>>> Furthermore, it has been discussed if parts of the existing
>>> implementation may be replaced with other proven open source software,
>>> e.g. the correlation engine or the web frontend. The other way round, it
>>> has been discussed that the filter creation engine would make a good
>>> tool for any kind of structured data, and thus could be separated from
>>> ALOIS and standardized as a stand-alone tool.
>>> = Background =
>>> It's not simple to know what happens in a bigger network. There's a
>>> multitude of applications, services and appliances working together.
>>> Many of them provide some kind of events or state information. The
>>> network administrator needs to get hands on all of them. But they come
>>> in many different flavors and multiple canals. Therefore, it's hard to
>>> get the big picture. Furthermore, we have learned that it's impossible
>>> to protect a system against all malicious attacks and to keep all the
>>> possible faulty handling away. A monitoring of the systems to guarantee
>>> a pro-active handling is therefore needed..
>>> Therefore, more and more organizations collect and analyze all logfiles
>>> in a centralized system, called a SIEM (security information and event
>>> management). The technology provides two major functions for security
>>> events from networks, systems and applications: log management and
>>> compliance reporting (SIM – security information management) and
>>> real-time monitoring and incident management (SEM – security event
>>> management).
>>> = Rationale =
>>> Why another security information and event management system? It's true,
>>> there's already plenty of them. While the proprietary software is way
>>> too expensive for smaller to mid-sized companies, we find that the open
>>> source solutions are either too simple or not completely open. For
>>> example, behind each of the well known systems “OSSIM” and “Prelude”,
>>> there is a company that either closes central functionality for its own
>>> business or has dual licensing and therefore asks the full copyright for
>>> all contributed code.
>>> ALOIS is aimed to be totally free and open for all contributions. The
>>> openness provided for other programming languages is certainly proof of
>>> this. The plug-ability - yet to be further developed - is meant to
>>> guarantee that individual needs can be realized without stressing the
>>> whole system too much. In our opinion, the Linux kernel is a good
>>> example that this can work very well.
>>> Since we are in accordance with „the Apache way“, we would be very
>>> pleased if ALOIS could become part of the Apache community. In Addition,
>>> the Apache Logging Services would be a perfect home for the software.
>>> Furthermore, it's not the intention to compete with the already existing
>>> log viewer and analyzing tool „Chainsaw“. Since Chainsaw is a relatively
>>> easy tool, it meets a rather different need. Nevertheless, if the two
>>> projects use synergies, both can profit.
>>> = Initial Goals =
>>> When this project started ins 2005, there was no proven SIEM open source
>>> software and the commercial tools were way too expensive for the needed
>>> environment. Therefore, we decided together with a customer of ours to
>>> implement an open source SIEM tool from scratch. Now the software has
>>> run in a production environment for several years and has proven its
>>> functionality and reliabilty.
>>> = Current Status =
>>> == Meritocracy ==
>>> As already mentioned, ALOIS is already in production use in two
>>> organizations. All the code has been written by two persons of the same
>>> company in a paid employment relationship. It is obvious that this is
>>> way different from the open source approach within Apache. But
>>> nevertheless, the two developers have always worked as a team and the
>>> decisions were made in consensus whenever possible. But it is no secret,
>>> that these developers have to learn to behave in an open community.
>>> Understanding this potential problem, they already got support by a
>>> freelance consulter, who has the corresponding experience and knowledge.
>>> == Community ==
>>> Until today there is no real community, because the project hasn't been
>>> published officially, although it had been completely published on the
>>> web site for a couple of months (until a server relaunch). Convinced by
>>> the concept and design of the software, we are open and hope to reach
>>> many contributors and users. We think that it is realistic, because the
>>> SIEM issue has yet not been resolved in the OSS space.
>>> == Core Developers ==
>>> ALOIS was developed by Simon Hürliman and Flavio Pellanda, both employed
>>> by the company IMSEC. Concerning Design and Architecture, Marcus
>>> Holthaus, owner of IMSEC, gave his input as security specialist. Since
>>> the beginning of this year, Urs Lerch, a doctorate on the subject of
>>> commercial open source software development, supports the team with his
>>> knowledge. Simon Hürlimann has left the company three years ago, but is
>>> still active in the OSS environment (although not for ALOIS). Current
>>> employee Daniel Lutz (a Debian Developer) has also contributed to the
>>> project.
>>> == Alignment ==
>>> Besides that we strongly believe in the „Apache way“, we think that
>>> although that Apache hosts the Logging Services and different security
>>> projects, there is a gap when it comes to a superordinate security view.
>>> We therefore think it a good idea to add our SIEM project to the Apache
>>> repository. On the other side, Apache would become an even more complete
>>> software repository.
>>> = Known Risks =
>>> == Orphaned products ==
>>> Since the software is only maintained by employers of one company, there
>>> is a severe risk of being orphaned. But, on the one hand, the company
>>> has a sustained interest in keeping the project alive, because there are
>>> plans to offer services on top of ALOIS, and IMSEC uses the software for
>>> SIEM on their own systems. For this reason there exists a budget for the
>>> development and support of ALOIS. On the other hand, we believe that
>>> ALOIS is of great interest for other people and companies tied to IT
>>> security. Therefore, our step to the Apache incubator is also a step to
>>> a bigger community.
>>> == Inexperience with Open Source ==
>>> While ALOIS has always been licenced under the GPL, access to the source
>>> code, bug tracker and version control system has been restricted to
>>> internal users for most of the time. But the company has a strong
>>> believe in the open source movement and therefore engages its employees
>>> to take part in the community. Furthermore, it is also a strategic
>>> decision to build services on top of linux.
>>> We understand that the Apache Incubator is a great opportunity for us to
>>> get assistance, when it comes to specific questions on the open source
>>> development. Even more, the company has created a part time position for
>>> the open source community work.
>>> == Homogenous Developers ==
>>> Although ALOIS has been developed by employees of only one company,
>>> there is a thorough openness. The company is designed to stay small and
>>> therefore works with several independent partners. Furthermore, its
>>> employees work in geographically different parts of the country.
>>> Therefore, it is no new experience for the developers to work in a
>>> distributed environment and argue rather than to command. Already today
>>> the employees are enforced to document all face-to-face communication in
>>> the internal wiki. Sketches are photographed and stored in the project's
>>> digital folder.
>>> == Reliance on Salaried Developers ==
>>> Until today all the development of ALOIS has been made in a paid
>>> emplyoment. Therefore we know that this brings a significant danger.
>>> Since it is our stated aim to encourage participation and recruit
>>> commiters, we hope to eliminate this risk as soon as possible.
>>> Furthermore, the employees of IMSEC are all open source enthusiasts and
>>> are in one way or another active in the community. Although we have no
>>> certainty, there is good indication that the current commiters would
>>> continue their work on ALOIS, even if they wouldn't be paid for it.
>>> == Relationships with Other Apache Products ==
>>> The Apache Logging Service would be a perfect home for ALOIS as a
>>> centralized logging collection and analyzing tool. Furthermore, we think
>>> that we could share part of the code with the Chainsaw subproject, since
>>> both need similar functionality in the web frontend. Since it is our
>>> statet aim to replace our own code with proofen open source libraries,
>>> we are open for any collaboration with other projects. For example, the
>>> replacement of the MySQL with a NoSQL database might be useful for
>>> performance reasons; therefore HBase is a good candidate.
>>> == An Excessive Fascination with the Apache Brand ==
>>> The Apache brand is in fact for its own a very good reason to join the
>>> Incubator. But much more our desire to become part of the Apache
>>> Incubator is our strong believe in open source software in general and
>>> in the „Apache way“ in particular. We would love to learn from the
>>> experience and knowledge of the foundation's members and participants,
>>> which is an important part of the brand as well. The foundation has
>>> shown many times, that it has the processes and people to succeed in
>>> launching a project. We would be very proud to be part of this success
>>> story.
>>> = Documentation =
>>> The documentation is rather weak and scattered. It has mainly been
>>> maintained on a wiki and is open to improvement. Since we are totally
>>> aware that this is a killer for a successfull open source project, we
>>> have already started an internal project with its own budget to improve
>>> this shortcomming. Once the project has been launched, writing a blog or
>>> open a forum are other possibilities we already thought of.
>>> Furthermore, as the employees are used to work in a geographycally
>>> distributed environment, a lot of the internal communication happens in
>>> a chat. Thus, opening a new chat channel for the community is scheduled.
>>> (To document the discussions for all those who were off-line, we would
>>> send the logs daily to the mailing list.)
>>> = Initial Source =
>>> Although the initial source comes from a project for a customer. it has
>>> an open source licence since the beginning. Therefore it doesn't have
>>> any propriatary code in it. A thorough revision before releasing it to a
>>> public repository is recommend and is also in planning.
>>> The initial source will be a snapshot of the version control system,
>>> accompanied by a related debian package.
>>> = Source and Intellectual Property Submission Plan =
>>> ALOIS is currently under a GPL licence. Since there are only two
>>> contributors so far, both from the same company, there is no problem to
>>> re-licence the code and contribute it to Apache. The commitment of the
>>> company's owner has been granted.
>>> = External Dependencies =
>>> So far, no external dependencies are known. As mentioned before, a
>>> thorough revision of the codebase is in planning. There it can be
>>> controlled, that no other licence is affected by the code.
>>> = Cryptography =
>>> ALOIS does not involve cryptographic code.
>>> = Required Resources =
>>> == Mailing lists ==
>>> The following mailing lists will be required:
>>>   * alois-private
>>>   * alois-dev
>>>   * alois-commits
>>>   * alois-users
>>> == Subversion Directory ==
>>> == Issue Tracking ==
>>> == Other Resources ==
>>> We would like to open a chat channel. If this isn't possible within the
>>> infrastructure of Apache, we would love to do this in our own already
>>> existing infrastructure.
>>> = Initial Commiters =
>>>   * NAME             EMAIL                              AFFILIATION
>>>   * Flavio Pellanda  flavio.pellanda at logintas dot ch IMSEC        no
>>>   * Urs Lerch        mail at ulerch dot net             IMSEC    
>>>   * Daniel Lutz      daniel.lutz at logintas dot ch     IMSEC      
>>>   * Marcus Holthaus  marcus.holthaus at imsec dot ch    IMSEC        no
>>> = Sponsors =
>>> == Champion ==
>>>   * Scott Deboy <sdeboy at apache dot org>
>>> == Nominated Mentors ==
>>>   * Scott Deboy <sdeboy at apache dot org>
>>>   * Christian Grobmeier <grobmeier at apache dot org>
>>> == Sponsoring Entity ==
>>> The Incubator PMC (requested)
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

Niclas Hedhman, Software Developer - New Energy for Java

I  live here;
I  work here;
I relax here;

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message