AlienVault: A SIEM That's Out of this World
October 18, 2016
AlienVault: A SIEM That's Out of this World
Score 9 out of 10
Vetted Review
Verified User
Overall Satisfaction with AlienVault Unified Security Management
We deployed AlienVault to be used by our technical operations groups to log mainly infrastructure components of the company. This includes servers, firewalls, routers, switches, etc. and aggregating logs, then doing some cursory built-in correlation and alarms. Now that we've adapted to the product and my team is expanding, I'm looking to move to providing logging as a service to the rest of the company, such as application and debug-level logging for production and QA dev environments.
- Centralizing and aggregating logs from sources of all types
- Searching through real-time and long-term events
- Flexibility and customization (Linux OS with open source tools, open for whatever hacking you desire)
- Performance is not great at more than 300 EPS; bottleneck appears to be the MySQL disk I/O
- Dashboards are decent to customize, but are lacking
- UI and services aren't always stable or predictable; when adding a new plugin it sometimes takes things like a reconfig command at CLI in order for the change to stick
I looked into Splunk, QRadar, but they were way too expensive and the reviews weren't always great. I used McAfee ESM extensively at my prior job and the product is probably the worst in the SIEM space. We moved to AlienVault from ELK which, while a cool product, didn't do any security event correlation and has a terrible search and log review and export. AlienVault is the only major SIEM comprised of over 200 open source tools I'd want to use anyway, so it does more than any SIEM with its HIDS agents, vulnerability scanning, asset discovery, etc. The included Open Threat Exchange subscription is also a major plus.