  1. #1
    Master Untangler dmor's Avatar
    Join Date
    Jun 2009
    Posts
    686

    Default Is anyone using SIEM with Untangle?

    I'm wondering if there is a single Untangle NG deployment that is actually sending log data to a SIEM which in turn is processing that data in a meaningful and useful way.

    We have multiple clients who have to have SIEM. SIEM by nature wants to correlate events from multiple points/systems on your network to help identify anomalies/concerns, and to help identify a breach and even research it after the fact.

    If Untangle NG can't be easily integrated into a SIEM solution, it hurts the positioning of UT NG in scenarios requiring SIEM.

    There are popular commercial SIEM solutions with out-of-the-box support for other firewalls. But not UT.

    We are really happy with UT and would prefer to use it for 99% of customer networks. But if we can't get a SIEM solution that works well with UT NG, we may have to start to use a different firewall when SIEM is required.

    This topic has been touched on only lightly in the forums over the years with @hitman probably showing the most effort (but without any sign of him showing any successes here).

    So I ask the question, is anyone actually using a SIEM solution with Untangle NG?

    Thanks,
    -
    Doug

  2. #2
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,228

    Default

    I haven't touched it, but given it's at its root a log aggregator I would assume that SNMP is the tool you're going to want to start with.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Master Untangler dmor's Avatar
    Join Date
    Jun 2009
    Posts
    686

    Default

    Quote Originally Posted by sky-knight View Post
    I haven't touched it, but given it's at its root a log aggregator I would assume that SNMP is the tool you're going to want to start with.
    I thought UT NG doesn't expose any UVM data/events via SNMP. I thought the only SNMP data UT NG currently exposes is what happens at the Linux OS level on the NG. Am I wrong on that?

  4. #4
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,228

    Default

    I have no idea, honestly. And, to be blunt, this SIEM thing is a pipe dream. People have been talking about centralized log aggregation for years; it's always expensive, always limited, and never works very well. The closest you'll get is a vendor-homogeneous solution. So all the hardware is Cisco, all the servers are Microsoft, etc.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  5. #5
    Untangle Ninja
    Join Date
    Jan 2009
    Posts
    1,187

    Default

    Are you just trying to complete a checklist?

    Or do you expect your SIEM to send an alarm if there's an indication of compromise of the Untangle?

    I run Alienvault alongside Untangle in a number of locations, but I've yet to envision a use case, for my clients, where there was real value in the time spent setting up agent or agentless monitoring of the Untangle. Certainly it would be fun, but I haven't had the free time for that.
    It's not particularly difficult, but tuning is time-consuming, and Untangle will either block, in which case it's in the reports, or pass, in which case your SIEM tap will pick up the traffic and correlate.

    Note: I'm responding to your "meaningful and useful" definition, and my comments are only my opinion from my use cases.

  6. #6
    Master Untangler
    Join Date
    Apr 2010
    Posts
    116

    Default

    NOT being supported by SIEM systems is definitely a problem. What a SIEM system helps you do is trace back any malicious activity. There are plenty of great firewall log analyzers and full-blown SIEM systems out there, but unfortunately none of them support Untangle.

    I'm currently implementing an OSSIM setup and it definitely helps a lot with visibility into what's going on in the network. I haven't figured out yet how to properly integrate Untangle syslog into it (I probably have to write a plugin for this), so it's pretty annoying when you need to look something up and have to dig through Untangle syslogs with a text editor.
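Post #6 describes the gap as having to write a plugin and otherwise dig through Untangle's syslog output with a text editor. The block below is an added example of the normalizer that such a plugin boils down to; it is not code from this thread, from Untangle, or from OSSIM. It parses RFC 3164 syslog framing, pulls a JSON object out of the message where one is present, keeps the raw text where one is not, and emits CEF lines that any SIEM with a CEF collector can ingest. The sample lines are constructed for the example; the JSON field names (class, blocked, protocol, cClientAddr, sServerAddr, sServerPort, ruleId) and the Vendor/Product strings in the CEF header are assumptions for illustration, not Untangle's actual schema.

```python
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input for this example. These are NOT real Untangle log
# lines: the JSON field names below are assumed for illustration only.
SAMPLE_SYSLOG = [
    '<134>Mar  1 10:15:02 ngfw uvm[2231]: {"class":"FirewallEvent","blocked":true,"protocol":6,"cClientAddr":"192.0.2.10","sServerAddr":"198.51.100.7","sServerPort":445,"ruleId":12}',
    '<134>Mar  1 10:15:03 ngfw uvm[2231]: {"class":"FirewallEvent","blocked":false,"protocol":6,"cClientAddr":"192.0.2.11","sServerAddr":"203.0.113.5","sServerPort":443,"ruleId":0}',
    '<134>Mar  1 10:15:04 ngfw uvm[2231]: INFO  session scan complete',
    'garbage line without a syslog header',
]

# RFC 3164 framing: <PRI>TIMESTAMP HOST TAG[PID]: MSG
SYSLOG_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>'
    r'(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) '
    r'(?P<host>\S+) '
    r'(?P<tag>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: '
    r'(?P<msg>.*)$'
)

PROTO_NAMES = {6: 'TCP', 17: 'UDP'}


def parse_syslog(line: str) -> Optional[Dict[str, object]]:
    """Split one syslog line into header fields plus an optional JSON payload.
    Returns None for lines that do not carry a syslog header."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    pri = int(m.group('pri'))
    msg = m.group('msg')
    event: Dict[str, object] = {
        'facility': pri // 8,  # PRI = facility * 8 + severity
        'severity': pri % 8,
        'timestamp': m.group('ts'),
        'host': m.group('host'),
        'program': m.group('tag'),
        'pid': int(m.group('pid')) if m.group('pid') else None,
        'message': msg,
        'payload': None,
    }
    start = msg.find('{')
    if start != -1:
        try:
            event['payload'] = json.loads(msg[start:])
        except json.JSONDecodeError:
            pass  # malformed payload: keep the raw message rather than drop the event
    return event


def cef_escape_header(value: str) -> str:
    """CEF header fields: backslash and pipe must be escaped."""
    return value.replace('\\', '\\\\').replace('|', '\\|')


def cef_escape_ext(value: object) -> str:
    """CEF extension values: backslash and '=' escaped, newlines encoded."""
    return (str(value).replace('\\', '\\\\').replace('=', '\\=')
            .replace('\r', '').replace('\n', '\\n'))


def to_cef(event: Dict[str, object]) -> str:
    """Render a parsed event as one CEF line. Vendor/Product strings are illustrative."""
    p = event['payload'] or {}
    if 'blocked' in p:
        name, action, sev = ('blocked', 'block', 7) if p['blocked'] else ('passed', 'allow', 3)
    else:
        name, action, sev = 'message', None, 3
    ext = {
        'rt': event['timestamp'],
        'dvchost': event['host'],
        'src': p.get('cClientAddr'),
        'dst': p.get('sServerAddr'),
        'dpt': p.get('sServerPort'),
        'proto': PROTO_NAMES.get(p.get('protocol'), p.get('protocol')),
        'act': action,
    }
    if 'ruleId' in p:
        ext['cs1Label'] = 'ruleId'
        ext['cs1'] = p['ruleId']
    if not p:
        ext['msg'] = event['message']  # no structured data: ship the raw text
    header = '|'.join(cef_escape_header(str(x)) for x in
                      ['CEF:0', 'Untangle', 'NG Firewall', 'unknown',
                       p.get('class', 'raw'), name, sev])
    extension = ' '.join(f'{k}={cef_escape_ext(v)}' for k, v in ext.items() if v is not None)
    return header + '|' + extension


def process_lines(lines: List[str]) -> Tuple[List[str], int]:
    """Normalize a batch of lines; returns (cef_lines, count of unparseable lines)."""
    cef, unparsed = [], 0
    for line in lines:
        event = parse_syslog(line)
        if event is None:
            unparsed += 1
            continue
        cef.append(to_cef(event))
    return cef, unparsed


if __name__ == '__main__':
    out, bad = process_lines(SAMPLE_SYSLOG)
    for cef_line in out:
        print(cef_line)
    print(f'{bad} line(s) could not be parsed')
```

In a real deployment the lines would come from a syslog listener or the file the SIEM's log agent tails, and the unparseable count is worth alerting on: a silent rise usually means the firewall's log format changed and the SIEM has stopped seeing blocks.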
