AlienVault OSSIM vs Elasticsearch

• Asset discovery. Once installed in a centric, network-accessible server, OSSIM can poll all your endpoints with common protocols (SSH, SNMP, WMI) to detect and discover site-wide assets to monitor. You only need to group them by your own criteria once added to the product.
• SIEM Event Correlation. You can define quite complex correlation rules to detect possible suspicious or malicious actions or attempts in your network, in order to categorize them as real threats or as false positives, thus streamlining your risk assessment and management.
• Ease of installation. The entire AlienVault OSSIM is self-contained in an ISO file, which can be burned into a DVD or just mounted in your server of choice (physical or virtual) for deployment. The installation process is automated and quote verbosed, with options for static IP, email messaging and others.
• Ease of access. Being AlienVault OSSIM a self-contained appliance, it can be accessed via web by any device that supports a web browser, being that desktops, workstation, mobile devices, etc. The OSSIM dashboard and other features are automatically rearranged to adapt to the particular device being in use.

Read full review

• Elasticsearch has a great ecosystem and user base.
• Elasticsearch is easy to use and set up (once you have the basic training).
• The document/searching focused feature of the database is perfect for log management (or any searching) application.

Read full review

• OSSIM, being an open source solution, lacks log management (a treat that the full USM has). Perhaps a feature to include a lightweight version inside the SIEM Correlation engine can be appreciated.
• The appliance also lacks support for Cloud-based servers and apps. This feature is also present in USM, so it's unlikely this will appear in OSSIM, but I'd suggest also a reduced version of it included in this appliance.
• More integration with third-party solutions such as BMC Remedy and ServiceNow, although this can be emulated through email alerts, as most ITSM solutions have the ability of converting incoming email messages into tickets.

Read full review

• At my previous job with a simple 3 node cluster, Elasticsearch did not do a good job in electing a new master, when the master node went down. Many times, I had to stop and restart all the nodes to make it function again. I have heard implementation models where customers had dedicated multiple nodes just for master.

Read full review

• The ROI of OSSIM itself is, obviously, immediate, being that it's a free, open-source product. However, you must take into account other inherent investments to cover up for the lack of official support, such as certified agents or consultants that take care of the management and maintenance of the product once in production.
• On the other hand, the potential loss of information and interruption of operativity due to malware and other threats is really unmeasurable. The implicit savings in OSSIM as a SIEM (Security Information and Event Management) are really the major positive impact on your organization's revenue.
• Finally, and from a reseller's point of view, reselling OSSIM has the big plus of being a professional services-only asset, given that the appliance itself is free of charge. The only thing to consider is the initial investment in team members with the required capacitation and knowledge to address such professional services to potential customers.

Read full review

• Apart from the operational issue that I mentioned previously, the business users have been extremely happy with the results as well as the short time taken to perform the search.

Read full review